Generic way for configuring Gitea app.ini #240
No reviewers
luhahn
lotherk
wxiaoguang
Labels
No Label
has
backport
in progress
invalid
kind
breaking
kind
bug
kind
build
kind
dependency
kind
deployment
kind
docs
kind
enhancement
kind
feature
kind
lint
kind
proposal
kind
question
kind
refactor
kind
security
kind
testing
kind
translation
kind
ui
need
backport
priority
critical
priority
low
priority
maybe
priority
medium
reviewed
duplicate
reviewed
invalid
reviewed
wontfix
skip-changelog
status
blocked
status
needs-feedback
status
needs-reviews
status
wip
upstream
gitea
upstream
other
No Milestone
No Assignees
5 Participants
Notifications
Due Date
No due date set.
Depends on
#244 Rework OAuth sources
gitea/helm-chart
Reference: gitea/helm-chart#240
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "justusbunsi/helm-chart:feature/rework-sensitive-ini-settings"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
With the result of PR #239 it is much easier to provide additional values to the app.ini configuration from different sources.
These changes adds an additionalConfigSources field where the users can define such sources. This enables the users to choose
on their own whether to store values in values.yaml or load them from Kuberetes Secrets or ConfigMaps.
Currently, I just wrote down my thoughts without implementing it, because I need a second opinion on what the users should actually define and how. Both ways require some structure for the references Kubernetes resources:
GITEA__LOG_0x2E_CONSOLE__STDERR=falseThe first approach would keep prefixing with
GITEA_to the Helm Chart as well as converting.into0x2E. The second one is easier for the Helm Chart but more complex for the users.@luhahn & @lunny, shall I proceed with the first approach? Details here.
EDIT: After chatting with Luhahn, I'll proceed with the current approach (the first one).
119d7352b7to5def46b650Just realized that this fixes neither #174 nor the mentioned oauth topic since these values are not configured inside app.ini. ?♂️But I think it is still a neat addition to the chart giving more flexibility about how to configure Gitea.See PR comment.
WIP: Rework sensitive ini settingsto WIP: Generic way for configuring Gitea5def46b650to6ead599695@ -162,8 +206,15 @@ stringData:{{- end }}{{- end }}env2ini::load_additional_config_sourcesThe functions I wrote above gives us the possibility to completely rewrite the
config.yamlfile content. We could split scripts from data and use a ConfigMap for the script instead of Secret. The values that are currently rendered by the Helm template engine could be written to a separate Kubernetes Secret which then gets processed along with the additional config sources.I think it's out of scope for this PR but I really like the idea of separating user input from Chart script logic.
? I had time to implement this as well.
Hi @lord-kyron and @volker.raschek. You've opened several issues in the past asking for options to securely pass sensitive data to the Gitea app.ini. This PR provides a really generic way to craft the app.ini from various sources.
Feel free to check it out and experiment with it. I'd be happy for any user feedback. Detailed description on how to use it can be found here.
⚠️ This PR is based on different open PRs and contains some breaking changes, so it is considered bloody edge. Please have a look at #244 and #248.
WIP: Generic way for configuring Giteato Generic way for configuring Gitea@ -13,0 +20,4 @@# xargs echo -n trims all whitespaces and a trailing new linelocal setting=$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)local value=$(awk -F '=' '{print $NF}' <<< "${line}" | xargs echo -n)TODO: Proper handling for values with
=and"inside.df3539a056tob206414764Some thoughts for reviewers
@ -13,0 +32,4 @@filocal value=''local regex="^${setting}(\s*)=(\s*)(.*)"Users can have spaces around the
=character in their config sources. Just like it is possible withinapp.ini. This regex takes this into account when stripping the setting name from the line to parse.@ -13,0 +37,4 @@value="${BASH_REMATCH[3]}"elseenv2ini::log ' ! invalid setting'exit 1I've decided to let the script fail in case any line is not processable. That way the user is required to fix their configuration before the currently applied breaks somehow. Open for discussion here.
Generic way for configuring Giteato Generic way for configuring Gitea app.ini@ -164,0 +53,4 @@env2ini::log " + '${setting}'"if [[ -z "${section}" ]]; thenexport "ENV_TO_INI____${setting^^}=${value}" # '^^' makes the variable content uppercase____ensures that global settings inside app.ini are actually taken into account and stored at the correct ini level.This broke with the switch to
environment-to-initool.The latest changes align the processing for inline sources with additional sources. Therefore I've added another Kubernetes secret where the inline sources are stored the same way as additional sources requires it.
Logging helps to understand what setting is used for the final
app.iniand from which source it came. In case of duplicate settings, there is a (natural) override mechanism:values.yamlover default Helm Chartvalues.yamlsettingsThe already ensured persistence for "secret" settings remains untouched.
LGTM, already tested a bunch of values
7bcfd26322tob486175ecab486175ecatoe3d01dd8f6e3d01dd8f6toc33e34e956Ok. Kept it in sync with head branch the last 24 hours. ?
Hello !
I will try this PR in the afternoon.
Having reviewed the changes, I find the following benefits :
From a very first sight, it seems there is a typo in commit
30e4f75b(line 302-304).Those lines are volume mounts in a volume section with the wrong indentation. It breaks templating when defining extra volume mounts in values.yaml.
Awesome.
Good catch. Fixed.
looks good to me