[Feature Request] Add must-change-password possibility #137
Labels
No Label
has
backport
in progress
invalid
kind
breaking
kind
bug
kind
build
kind
dependency
kind
deployment
kind
docs
kind
enhancement
kind
feature
kind
lint
kind
proposal
kind
question
kind
refactor
kind
security
kind
testing
kind
translation
kind
ui
need
backport
priority
critical
priority
low
priority
maybe
priority
medium
reviewed
duplicate
reviewed
invalid
reviewed
wontfix
skip-changelog
status
blocked
status
needs-feedback
status
needs-reviews
status
wip
upstream
gitea
upstream
other
No Milestone
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: gitea/helm-chart#137
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
It would be great to have the must-change-password parameter in the values.yaml file so the password at the file is only for first startup.
Example:
values.yaml
I got your point on this; it's not necessary to update the admin user if nothing changes.
Do you have any problems caused by always updating the account? Would be good to know.
I have no problems but thought that it qould be good, for security reason, that there is a prompt that you need to change the admin password after first start bracuse it is written in plain text at the values.yaml file.
You can reference an existing Kubernetes secret that stores
password
andusername
instead of inline values. https://gitea.com/gitea/helm-chart#admin-user? So you mean passing this option to the cli when creating the admin account. Thought you meant an indicator for the chart to not run
gitea admin user change-password
. Although this should be skipped with that option enabled.The hint with the secret is correct but I'm using Terraform as IaC and the therefore the password would be in plain text in the repo too :-D but will have a look at this.
For the function I thought more about like the normal cli version: https://docs.gitea.io/en-us/command-line/#:~:text=--must-change-password%3A%20If%20provided%2C%20the%20created%20user%20will%20be%20required%20to%20choose%20a%20newer%20password%20after%20the%20initial%20login
I'm not familiar with Terraform. For other IaC solutions like Flux (for GitOps) there are ways to store the Kubernetes secret resource encrypted inside the repo and decrypt them in the cluster on creation to have them as "common" secrets.
Let me think about your idea. This could lead us to something improvements where we probably could get rid of the default password in values.yaml.?
@justusbunsi @steled this was implemented with 169. We can now create secrets in kubernetes and use that secret on values.yaml file here
Ah, nice... I like the approach with the
existingSecret
.The
must-change-password: true
was just an idea... Don't put to much time in this I think theexistingSecret
implementation is good enough.