Support for configuring Gitea from the main container #632

New Issue

Open

opened 2024-03-19 10:34:58 +00:00 by NotAndD · 4 comments

NotAndD commented 2024-03-19 10:34:58 +00:00

Copy Link

Hey everyone!

I was trying to install Gitea on a k8s cluster with Istio injection enabled and using a MySQL database which is hosted inside the cluster itself. Istio adds a sidecar to Pods which handle all the network traffic, handling transparent mutual TLS communication and more, but it has the side effect of creating issues when trying in-cluster network communication from init containers if mTLS is required (plus, MySQL is a server-first protocol so there are a few other issues).

Since the Chart uses a init container to configure Gitea, interacting with the database, I found no way to have it working when Istio is enforcing mTLS to the MySQL database and I had to modify the chart to run /usr/sbin/configure_gitea.sh inside the main container before the main entrypoint.

Wanted to ask if I can provide a pull request for this, or if this issue was already analyzed and there's an alternative solution?

Hey everyone! I was trying to install Gitea on a k8s cluster with Istio injection enabled and using a MySQL database which is hosted inside the cluster itself. Istio adds a sidecar to Pods which handle all the network traffic, handling transparent mutual TLS communication and more, but it has the side effect of creating issues when trying in-cluster network communication from init containers if mTLS is required (plus, MySQL is a server-first protocol so there are a few other issues). Since the Chart uses a init container to configure Gitea, interacting with the database, I found no way to have it working when Istio is enforcing mTLS to the MySQL database and I had to modify the chart to run `/usr/sbin/configure_gitea.sh` inside the main container before the main entrypoint. Wanted to ask if I can provide a pull request for this, or if this issue was already analyzed and there's an alternative solution?

justusbunsi commented 2024-03-19 12:29:39 +00:00

Member

Copy Link

Hi. Thanks for reaching out. There are known issues with using this Helm Chart in pair with Istio. I've filed an issue to rethink the init container usage (#332). Unfortunately, none of us maintainers had enough time yet to redesign the init container usage. It comes with a necessary redesign of the app.ini creation and updating. The app.ini creation needs to be migrated out of the init container phase first, so that Gitea can properly start. Then it can be fine tuned and customized. There are 2 open WIP PRs regarding app.ini redesign: #450 and #544.

If you want to help redesign the init container usage, you are very welcome.

Hi. Thanks for reaching out. There are known issues with using this Helm Chart in pair with Istio. I've filed an issue to rethink the init container usage (#332). Unfortunately, none of us maintainers had enough time yet to redesign the init container usage. It comes with a necessary redesign of the app.ini creation and updating. The app.ini creation needs to be migrated out of the init container phase first, so that Gitea can properly start. Then it can be fine tuned and customized. There are 2 open WIP PRs regarding app.ini redesign: #450 and #544. If you want to help redesign the init container usage, you are very welcome.

NotAndD commented 2024-03-20 10:21:24 +00:00

Author

Copy Link

Actually, I found out an existing solution for this, which solves the problem without requiring any change to the Gitea Helm chart.

Starting from Kubernetes 1.28 a new feature gate was introduced, called SidecarContainers, which is now in beta and enabeld by default in 1.29 version. When enabled, sidecar containers can be scheduled as init containers. This is already supported by Istio under an env variable for now.

I tested it out and it works without issues, configure-gitea can run as init container because Istio sidecar is already available.

Actually, I found out an existing solution for this, which solves the problem without requiring any change to the Gitea Helm chart. Starting from Kubernetes 1.28 a new feature gate was introduced, called `SidecarContainers`, which is now in beta and enabeld by default in 1.29 version. When enabled, sidecar containers can be scheduled as init containers. This is already supported by Istio under an env variable for now. I tested it out and it works without issues, `configure-gitea` can run as init container because Istio sidecar is already available.

justusbunsi commented 2024-03-20 17:43:58 +00:00

Member

Copy Link

That's a neat way. Thanks for sharing and glad you found a solution.

(Moving away from init containers will still be done at some point. Istio was not the main reason for that. 🙂)

That's a neat way. Thanks for sharing and glad you found a solution. (Moving away from init containers will still be done at some point. Istio was not the main reason for that. 🙂)

justusbunsi commented 2024-03-20 17:45:22 +00:00

Member

Copy Link

Do you mind adding your solution to the docs? I guess there will be others having similar issues in the future.

Do you mind adding your solution to the docs? I guess there will be others having similar issues in the future.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

app-ini-recreation

fix-env-to-ini

clean-app-ini

gitea-ha

v10.1.4

v10.1.3

v10.1.2

v10.1.1

v10.1.0

v10.0.2

v10.0.1

v10.0.0

v9.6.1

v9.6.0

v9.5.1

v9.5.0

v9.4.0

v9.3.0

v9.2.1

v9.2.0

v9.1.0

v9.0.4

v9.0.3

v9.0.2

v9.0.1

v9.0.0

v8.3.0

v8.2.0

v8.1.0

v8.0.3

v8.0.2

v8.0.1

v8.0.0

v7.0.4

v7.0.3

v7.0.2

v7.0.1

v7.0.0

v6.0.5

v6.0.4

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.9

v5.0.8

v5.0.7

v5.0.6

v5.0.5

v5.0.4

v5.0.3

v5.0.2

v5.0.1

v5.0.0

v4.1.1

v4.1.0

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.0

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.11

v2.1.10

v2.1.9

v2.1.8

v2.1.7

v2.1.6

v2.1.5

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.0

v1.5.5

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.9

v1.4.8

v1.4.7

v1.4.6

v1.4.5

v1.4.4

v1.4.3

v1.4.2

Labels

Clear labels   

has

backport

  

in progress

  

invalid

  

kind

breaking

  

kind

bug

  

kind

build

  

kind

dependency

  

kind

deployment

  

kind

docs

  

kind

enhancement

  

kind

feature

  

kind

lint

  

kind

proposal

  

kind

question

  

kind

refactor

  

kind

security

  

kind

testing

  

kind

translation

  

kind

ui

  

need

backport

  

priority

critical

  

priority

low

  

priority

maybe

  

priority

medium

  

reviewed

duplicate

  

reviewed

invalid

  

reviewed

wontfix

  

skip-changelog

  

status

blocked

  

status

needs-feedback

  

status

needs-reviews

  

status

wip

  

upstream

gitea

  

upstream

other

No Label

has

backport

in progress

invalid

kind

breaking

kind

bug

kind

build

kind

dependency

kind

deployment

kind

docs

kind

enhancement

kind

feature

kind

lint

kind

proposal

kind

question

kind

refactor

kind

security

kind

testing

kind

translation

kind

ui

need

backport

priority

critical

priority

low

priority

maybe

priority

medium

reviewed

duplicate

reviewed

invalid

reviewed

wontfix

skip-changelog

status

blocked

status

needs-feedback

status

needs-reviews

status

wip

upstream

gitea

upstream

other

Milestone

Clear milestone

No items

No Milestone

Assignees

Clear assignees

No Assignees

2 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: gitea/helm-chart#632

No description provided.