marko/Gitea-HelmChart
1
0
Fork 0
mirror of https://gitea.com/gitea/helm-chart.git synced 2024-06-30 21:40:35 +02:00
Code Issues Packages Projects Releases Wiki Activity

Rewrite init script (#178)

Browse Source 
These changes rewrite the init script to be error aware, informative and have a bit more security awareness.

During rewrite several hidden bugs could be identified and fixed, such as:

- LDAP configuration options interpreted by the shell before passed to command
- Finding multiple ldap ids instead of one during lookup when their names are almost identical
e.g. `_my-ldap-auth` and `my-ldap-auth`
- Properly filter auth sources by their types to prevent unintended type converting attempts that fail

In addition to that the script is a bit cleaner. Some commands do not exist anymore and would cause false-positive errors during script execution.

Helps for: #149

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/178
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-committed-by: justusbunsi <justusbunsi@noreply.gitea.io>
This commit is contained in:
justusbunsi 2021-06-30 04:09:16 +08:00 committed by techknowlogick
parent 6a6eb35106
commit 9059229acb
4 changed files with 130 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
README.md
View File

@ -356,6 +356,14 @@ gitea:
existingSecret: gitea-ldap-secret existingSecret: gitea-ldap-secret
``` ```
:warning: Some options are just flags and therefore don't any values. If they are defined in `gitea.ldap` configuration, they will be passed to the gitea cli without any value. Affected options:
- notActive | not-active
- skipTlsVerify | skip-tls-verify
- allowDeactivateAll | allow-deactivate-all
- synchronizeUsers | synchronize-users
- attributesInBind | attributes-in-bind
### OAuth2 Settings ### OAuth2 Settings
Like the admin user, OAuth2 settings can be updated and disabled but not deleted. Deleting OAuth2 settings has to be done in the ui. Like the admin user, OAuth2 settings can be updated and disabled but not deleted. Deleting OAuth2 settings has to be done in the ui.

7
templates/_helpers.tpl
View File

@ -116,6 +116,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- $_ := set .Values.gitea.ldap "bindPassword" "" -}} {{- $_ := set .Values.gitea.ldap "bindPassword" "" -}}
{{- end -}} {{- end -}}
{{- $flags := list "not-active" "skip-tls-verify" "allow-deactivate-all" "synchronize-users" "attributes-in-bind" -}}
{{- range $key, $val := .Values.gitea.ldap -}} {{- range $key, $val := .Values.gitea.ldap -}}
{{- if and (ne $key "enabled") (ne $key "existingSecret") -}} {{- if and (ne $key "enabled") (ne $key "existingSecret") -}}
{{- if eq ($key | kebabcase) "bind-dn" -}} {{- if eq ($key | kebabcase) "bind-dn" -}}
@ -124,8 +125,10 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_PASSWORD}" | quote ) -}} {{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_PASSWORD}" | quote ) -}}
{{- else if eq $key "port" -}} {{- else if eq $key "port" -}}
{{- printf "--%s %d " ($key | kebabcase) ($val | int) -}} {{- printf "--%s %d " ($key | kebabcase) ($val | int) -}}
{{- else if (has ($key | kebabcase) $flags) -}}
{{- printf "--%s " ($key | kebabcase) -}}
{{- else -}} {{- else -}}
{{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}} {{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
@ -134,7 +137,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- define "gitea.oauth_settings" -}} {{- define "gitea.oauth_settings" -}}
{{- range $key, $val := .Values.gitea.oauth -}} {{- range $key, $val := .Values.gitea.oauth -}}
{{- if ne $key "enabled" -}} {{- if ne $key "enabled" -}}
{{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}} {{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}

121
templates/gitea/init.yaml
View File

@ -6,8 +6,11 @@ metadata:
{{- include "gitea.labels" . | nindent 4 }} {{- include "gitea.labels" . | nindent 4 }}
type: Opaque type: Opaque
stringData: stringData:
init_gitea.sh: |- init_directory_structure.sh: |-
#!/bin/bash #!/usr/bin/env bash
set -euo pipefail
{{- if .Values.initPreScript }} {{- if .Values.initPreScript }}
# BEGIN: initPreScript # BEGIN: initPreScript
{{- with .Values.initPreScript -}} {{- with .Values.initPreScript -}}
@ -16,6 +19,8 @@ stringData:
# END: initPreScript # END: initPreScript
{{- end }} {{- end }}
set -x
{{- if not .Values.image.rootless }} {{- if not .Values.image.rootless }}
chown 1000:1000 /data chown 1000:1000 /data
{{- end }} {{- end }}
@ -31,44 +36,90 @@ stringData:
# Copy config file to writable volume # Copy config file to writable volume
cp /etc/gitea/conf/app.ini /data/gitea/conf/app.ini cp /etc/gitea/conf/app.ini /data/gitea/conf/app.ini
chmod a+rwx /data/gitea/conf/app.ini chmod a+rwx /data/gitea/conf/app.ini
configure_gitea.sh: |-
#!/usr/bin/env bash
set -euo pipefail
{{- if include "db.servicename" . }} {{- if include "db.servicename" . }}
# Wait for database to become avialble # Connection retry inspired by https://gist.github.com/dublx/e99ea94858c07d2ca6de
nc -v -w2 -z {{ include "db.servicename" . }} {{ include "db.port" . }} && \ function test_db_connection() {
local RETRY=0
local MAX=30
echo 'Wait for database to become avialable...'
until [ "${RETRY}" -ge "${MAX}" ]; do
nc -vz -w2 {{ include "db.servicename" . }} {{ include "db.port" . }} && break
RETRY=$[${RETRY}+1]
echo "...not ready yet (${RETRY}/${MAX})"
done
if [ "${RETRY}" -ge "${MAX}" ]; then
echo "Database not reachable after '${MAX}' attempts!"
exit 1
fi
}
test_db_connection
{{- end }} {{- end }}
{{- if not .Values.image.rootless }}
su git -c ' \ echo '==== BEGIN GITEA CONFIGURATION ===='
{{- end }}
set -x; \ gitea migrate
gitea migrate; \
{{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }} {{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}
gitea admin create-user --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \ function configure_admin_user() {
|| \ local ACCOUNT_ID=$(gitea admin user list --admin | grep -e "\s\+${GITEA_ADMIN_USERNAME}\s\+" | awk -F " " "{printf \$1}")
gitea admin change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" \ if [[ -z "${ACCOUNT_ID}" ]]; then
|| \ echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
gitea admin user create --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \ gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
|| \ echo '...created.'
gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"; \ else
echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"
echo '...password sync done.'
fi
}
configure_admin_user
{{- end }} {{- end }}
{{- if .Values.gitea.ldap.enabled }} {{- if .Values.gitea.ldap.enabled }}
gitea admin auth add-ldap \ function configure_ldap() {
{{- include "gitea.ldap_settings" . | nindent 6 }} \ local LDAP_NAME={{ (printf "%s" .Values.gitea.ldap.name) | squote }}
|| \ local GITEA_AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " " "{print \$1}")
( \
export GITEA_AUTH_ID=$(gitea admin auth list | grep {{ .Values.gitea.ldap.name | quote }} | awk -F " " "{print \$1}"); \ if [[ -z "${GITEA_AUTH_ID}" ]]; then
gitea admin auth update-ldap --id ${GITEA_AUTH_ID} \ echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..."
{{- include "gitea.ldap_settings" . | nindent 6 }} \ gitea admin auth add-ldap {{- include "gitea.ldap_settings" . | indent 1 }}
) \ echo '...installed.'
else
echo "Existing ldap configuration with name '${LDAP_NAME}': '${GITEA_AUTH_ID}'. Running update to sync settings..."
gitea admin auth update-ldap --id "${GITEA_AUTH_ID}" {{- include "gitea.ldap_settings" . | indent 1 }}
echo '...sync settings done.'
fi
}
configure_ldap
{{- end }} {{- end }}
{{- if .Values.gitea.oauth.enabled }} {{- if .Values.gitea.oauth.enabled }}
gitea admin auth add-oauth \ function configure_oauth() {
{{- include "gitea.oauth_settings" . | nindent 6 }} \ local OAUTH_NAME={{ (printf "%s" .Values.gitea.oauth.name) | squote }}
|| \ local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " " "{print \$1}")
( \
export GITEA_AUTH_ID=$(gitea admin auth list | grep {{ .Values.gitea.oauth.name | quote }} | awk -F " " "{print \$1}"); \ if [[ -z "${AUTH_ID}" ]]; then
gitea admin auth update-oauth --id ${GITEA_AUTH_ID} \ echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."
{{- include "gitea.oauth_settings" . | nindent 6 }} \ gitea admin auth add-oauth {{- include "gitea.oauth_settings" . | indent 1 }}
) \ echo '...installed.'
{{- end }} else
{{- if not .Values.image.rootless }} echo "Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'. Running update to sync settings..."
' gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" . | indent 1 }}
echo '...sync settings done.'
fi
}
configure_oauth
{{- end }} {{- end }}
echo '==== END GITEA CONFIGURATION ===='

35
templates/gitea/statefulset.yaml
View File

@ -38,9 +38,38 @@ spec:
securityContext: securityContext:
fsGroup: 1000 fsGroup: 1000
initContainers: initContainers:
- name: init - name: init-directories
image: "{{ include "gitea.image" . }}" image: "{{ include "gitea.image" . }}"
command: ["/usr/sbin/init_gitea.sh"] command: ["/usr/sbin/init_directory_structure.sh"]
env:
- name: GITEA_APP_INI
value: /data/gitea/conf/app.ini
- name: GITEA_CUSTOM
value: /data/gitea
- name: GITEA_WORK_DIR
value: /data
- name: GITEA_TEMP
value: /tmp/gitea
{{- if .Values.statefulset.env }}
{{- toYaml .Values.statefulset.env | nindent 12 }}
{{- end }}
volumeMounts:
- name: init
mountPath: /usr/sbin
- name: temp
mountPath: /tmp
- name: config
mountPath: /etc/gitea/conf
- name: data
mountPath: /data
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
- name: configure-gitea
image: "{{ include "gitea.image" . }}"
command: ["/usr/sbin/configure_gitea.sh"]
securityContext:
runAsUser: 1000
env: env:
- name: GITEA_APP_INI - name: GITEA_APP_INI
value: /data/gitea/conf/app.ini value: /data/gitea/conf/app.ini
@ -92,8 +121,6 @@ spec:
mountPath: /usr/sbin mountPath: /usr/sbin
- name: temp - name: temp
mountPath: /tmp mountPath: /tmp
- name: config
mountPath: /etc/gitea/conf
- name: data - name: data
mountPath: /data mountPath: /data
{{- if .Values.extraVolumeMounts }} {{- if .Values.extraVolumeMounts }}