Generic way for configuring Gitea app.ini #240
No reviewers
Labels
No Label
has
backport
in progress
invalid
kind
breaking
kind
bug
kind
build
kind
dependency
kind
deployment
kind
docs
kind
enhancement
kind
feature
kind
lint
kind
proposal
kind
question
kind
refactor
kind
security
kind
testing
kind
translation
kind
ui
need
backport
priority
critical
priority
low
priority
maybe
priority
medium
reviewed
duplicate
reviewed
invalid
reviewed
wontfix
skip-changelog
status
blocked
status
needs-feedback
status
needs-reviews
status
wip
upstream
gitea
upstream
other
No Milestone
No Assignees
5 Participants
Notifications
Due Date
No due date set.
Depends on
#244 Rework OAuth sources
gitea/helm-chart
Reference: gitea/helm-chart#240
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "justusbunsi/helm-chart:feature/rework-sensitive-ini-settings"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
With the result of PR #239 it is much easier to provide additional values to the app.ini configuration from different sources.
These changes adds an additionalConfigSources field where the users can define such sources. This enables the users to choose
on their own whether to store values in values.yaml or load them from Kuberetes Secrets or ConfigMaps.
Currently, I just wrote down my thoughts without implementing it, because I need a second opinion on what the users should actually define and how. Both ways require some structure for the references Kubernetes resources:
GITEA__LOG_0x2E_CONSOLE__STDERR=false
The first approach would keep prefixing with
GITEA_
to the Helm Chart as well as converting.
into0x2E
. The second one is easier for the Helm Chart but more complex for the users.@luhahn & @lunny, shall I proceed with the first approach? Details here.
EDIT: After chatting with Luhahn, I'll proceed with the current approach (the first one).
119d7352b7
to5def46b650
Just realized that this fixes neither #174 nor the mentioned oauth topic since these values are not configured inside app.ini. ?♂️But I think it is still a neat addition to the chart giving more flexibility about how to configure Gitea.See PR comment.
WIP: Rework sensitive ini settingsto WIP: Generic way for configuring Gitea5def46b650
to6ead599695
@ -162,8 +206,15 @@ stringData:
{{- end }}
{{- end }}
env2ini::load_additional_config_sources
The functions I wrote above gives us the possibility to completely rewrite the
config.yaml
file content. We could split scripts from data and use a ConfigMap for the script instead of Secret. The values that are currently rendered by the Helm template engine could be written to a separate Kubernetes Secret which then gets processed along with the additional config sources.I think it's out of scope for this PR but I really like the idea of separating user input from Chart script logic.
? I had time to implement this as well.
Hi @lord-kyron and @volker.raschek. You've opened several issues in the past asking for options to securely pass sensitive data to the Gitea app.ini. This PR provides a really generic way to craft the app.ini from various sources.
Feel free to check it out and experiment with it. I'd be happy for any user feedback. Detailed description on how to use it can be found here.
⚠️ This PR is based on different open PRs and contains some breaking changes, so it is considered bloody edge. Please have a look at #244 and #248.
WIP: Generic way for configuring Giteato Generic way for configuring Gitea@ -13,0 +20,4 @@
# xargs echo -n trims all whitespaces and a trailing new line
local setting=$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)
local value=$(awk -F '=' '{print $NF}' <<< "${line}" | xargs echo -n)
TODO: Proper handling for values with
=
and"
inside.df3539a056
tob206414764
Some thoughts for reviewers
@ -13,0 +32,4 @@
fi
local value=''
local regex="^${setting}(\s*)=(\s*)(.*)"
Users can have spaces around the
=
character in their config sources. Just like it is possible withinapp.ini
. This regex takes this into account when stripping the setting name from the line to parse.@ -13,0 +37,4 @@
value="${BASH_REMATCH[3]}"
else
env2ini::log ' ! invalid setting'
exit 1
I've decided to let the script fail in case any line is not processable. That way the user is required to fix their configuration before the currently applied breaks somehow. Open for discussion here.
Generic way for configuring Giteato Generic way for configuring Gitea app.ini@ -164,0 +53,4 @@
env2ini::log " + '${setting}'"
if [[ -z "${section}" ]]; then
export "ENV_TO_INI____${setting^^}=${value}" # '^^' makes the variable content uppercase
____
ensures that global settings inside app.ini are actually taken into account and stored at the correct ini level.This broke with the switch to
environment-to-ini
tool.The latest changes align the processing for inline sources with additional sources. Therefore I've added another Kubernetes secret where the inline sources are stored the same way as additional sources requires it.
Logging helps to understand what setting is used for the final
app.ini
and from which source it came. In case of duplicate settings, there is a (natural) override mechanism:values.yaml
over default Helm Chartvalues.yaml
settingsThe already ensured persistence for "secret" settings remains untouched.
LGTM, already tested a bunch of values
7bcfd26322
tob486175eca
b486175eca
toe3d01dd8f6
e3d01dd8f6
toc33e34e956
Ok. Kept it in sync with head branch the last 24 hours. ?
Hello !
I will try this PR in the afternoon.
Having reviewed the changes, I find the following benefits :
From a very first sight, it seems there is a typo in commit
30e4f75b
(line 302-304).Those lines are volume mounts in a volume section with the wrong indentation. It breaks templating when defining extra volume mounts in values.yaml.
Awesome.
Good catch. Fixed.
looks good to me