Consider environment variables during app.ini creation #298
No reviewers
Labels
No Label
has
backport
in progress
invalid
kind
breaking
kind
bug
kind
build
kind
dependency
kind
deployment
kind
docs
kind
enhancement
kind
feature
kind
lint
kind
proposal
kind
question
kind
refactor
kind
security
kind
testing
kind
translation
kind
ui
need
backport
priority
critical
priority
low
priority
maybe
priority
medium
reviewed
duplicate
reviewed
invalid
reviewed
wontfix
skip-changelog
status
blocked
status
needs-feedback
status
needs-reviews
status
wip
upstream
gitea
upstream
other
No Milestone
No Assignees
4 Participants
Notifications
Due Date
No due date set.
Depends on
#299 Remove db connection check
gitea/helm-chart
Reference: gitea/helm-chart#298
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "use-env-variables"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This PR improves the handling and injection into app.ini of user defined environment variables via env-to-ini script.
Fixes #297
19810563b1
tofa7aaff3c3
@ -359,0 +367,4 @@
described in detail on the [env-to-ini](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini)
page.
Note that the Prefix on this helm chart is "ENV_TO_INI"
We should explicitly mention the override order
inline values.yaml -> additionalConfigSources -> existing environment variables prefixed with ENV_TO_INI
.@ -359,0 +374,4 @@
```yaml
statefulset:
env:
Reusing the existing
env
key would risk exposing sensitive data to the runtime container after generating the desiredapp.ini
. as this key is added to all containers. Additionally, my first thought was: The Gitea image interprets such environment variables and injects them into theapp.ini
. Luckily, we use a dedicated prefix which prevents such modification. It might create confusion with the prefixGITEA__
in a long run though. Data disclosure remains a problem in my opinion.What about having a dedicated
gitea.additionalConfigFromEnvs
next togitea.additionalConfigSources
which only gets loaded into the init container generating theapp.ini
? That way it would also be kind of grouped with the other config sources.@ -64,0 +69,4 @@
# If the env variable already exists, we keep its value ${existing_var:-default_value}
# '^^' makes the variable content uppercase
nested_subst_tmp=ENV_TO_INI__${masked_section^^}__${setting^^}
export "ENV_TO_INI__${masked_section^^}__${setting^^}=${!nested_subst_tmp:-$value}"
I see an unresolved issue with
env2ini::generate_initial_secrets
which generates values that must not change for existing installations (whether existing Helm Chart installation or migrating an existing environment to use the Helm Chart). Prior to that PR it was not an issue and expected behavior to override the default values fromenv2ini::generate_initial_secrets
. Now it is possible to provided such values via environment variables that are being overridden by this method before even processed.Maybe it could help to read all existing
ENV_TO_INI
variables into a file prior to any environmental change and restore these values after injecting the other configuration sources to the environment variables. That way it would also be ensured that such externally defined variables would override any other value set during processing.It would also eliminate the need to use nested substitution. ?
The processing could look like this:
Would also be a replacement for #279.
fa7aaff3c3
to9c5213da41
9c5213da41
tob623d8a419
b623d8a419
to4b6faf8720
4b6faf8720
to3de5f6f4ef
3de5f6f4ef
to84ea4fc5c5
@luhahn Just a minor thing: Currently your README changes have a forced line-breaking at 80 chars or similar.
This makes it hard to review single sentences and probably also does not go well with https://gitea.com/gitea/helm-chart/src/branch/master/.markdownlint.yaml.
I wonder if a simple markdownlint check should be added to drone to automate this?
EDIT: Apparently there's already a check in the drone yaml:
@pat-s I agree this is not the most readable setting right now. Would be another PR to globally change the line length for Markdown Lint.
@ -104,12 +104,18 @@ stringData:
env2ini::log "...Initial secrets generated\n"
}
env | grep "ENV_TO_INI" >> /tmp/existing-envs
Better use
>
instead of>>
. The directory/tmp
is an emptyDir mount. An error within this init container would cause the file content to be appended over and over again. It's probably better to just freshly create the file.@ -111,2 +114,4 @@
env2ini::load_config_sources '/env-to-ini-mounts/additionals/'
# load existing envs to override auto generated envs
source /tmp/existing-envs
I've noticed two different things that need to be handled:
source
are not fully correct. It won't work for unescaped special characters.=
,"
,'
,<
,>
and others will break the init container because reading the existing environment variables usingenv
won't generate a line with proper bash syntax. Imagine having a complex database password with special characters. We could do similar line-by-line processing as we already do with foradditionalConfigSources
. Most of the edge cases (maybe all) are already handled by it. Suggestion below./tmp
is an emptyDir mount which is shared across containers, this file should be removed after loading its content to prevent leaving sensitive data behind.Suggestion:
This is a slightly modified version of
env2ini::read_config_to_env
. It does not require section handling as these sections are already included in the environment variable name.The processing could be:
e1fb479852
to549922a6b5
549922a6b5
to70dd892559
Improve user defined Environment variablesto Consider environment variables during app.ini creationLGTM. Awesome addition. ?