Enable SSH clone #72

Closed
opened 2020-11-29 05:20:28 +00:00 by Shadow53 · 6 comments

I'm fairly new to kubernetes, but I'm not seeing an option to enable using git-over-SSH to clone/push/pull/etc. Am I missing something? Is it intentionally missing? If so, is there a way I can enable it?

Member

I don't really understand. You can clone via https/ssh by default.
The only problem would be that your clone URL won't be correct.

You can nodePort the ssh port. You can use ingress and a load balancer, there are many options.

Please see https://docs.gitea.io/en-us/config-cheat-sheet/ for configuration of SSH_PORT, SSH_DOMAIN and SSH_LISTEN_PORT.

You can configure those values in:

```yaml
gitea:
  config:
    server:
      SSH_LISTEN_PORT:
```
Author

As I said, I'm new to Kubernetes. This is my `values.yaml` file, with sensitive information changed to `[REDACTED]`. I have `ingress-nginx` set up, and Gitea and Drone are both automatically available through it.

```yaml
replicaCount: 1

clusterDomain: cluster.local

image:
  repository: gitea/gitea
  version: 1.12.6
  pullPolicy: Always

imagePullSecrets: []

service:
  http:
    type: ClusterIP
    port: 3000
    annotations:
      app: gitea
  ssh:
    type: ClusterIP
    port: 22
    annotations:
      app: gitea

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/issuer: "letsencrypt-prod"
  hosts:
    - git.shadow53.com
  tls:
   - secretName: chart-gitea-tls
     hosts:
       - git.shadow53.com
nodeSelector: {}

tolerations: []

affinity: {}

statefulset:
  env: []
  terminationGracePeriodSeconds: 60

persistence:
  enabled: true
  size: 10Gi
  accessModes:
    - ReadWriteOnce

gitea:
  admin:
    username: Shadow53
    password: [REDACTED]
    email: "shadow53@shadow53.com"

  ldap:
    enabled: false
    name: ""
    securityProtocol: ""
    host: ""
    port: ""
    userSearchBase: ""
    userFilter: ""
    adminFilter: ""
    emailAttribute: ""
    bindDn: ""
    bindPassword: ""
    usernameAttribute: ""

  config:
    APP_NAME: "Gitea: Git with a cup of tea"
    RUN_MODE: prod

    admin:
      DISABLE_REGULAR_ORG_CREATION: true

    mailer:
        ENABLED: true
        HOST: mail.shadow53.com
        FROM: '"Shadow53 Gitea" <no-reply@shadow53.com>'
        USER: no-reply@shadow53.com
        PASSWD: [REDACTED]

    repository:
      MAX_CREATION_LIMIT: 0

    server:
      ENABLE_LETSENCRYPT: true
      LETSENCRYPT_ACCEPTTOS: true
      LETSENCRYPT_EMAIL: admin@shadow53.com
      LFS_START_SERVER: true
      SSH_PORT: 22
      #SSH_DOMAIN: git.shadow53.com
      #START_SSH_SERVER: true
      #BUILTIN_SSH_SERVER_USER: git

    security:
      PASSWORD_COMPLEXITY: lower,upper,digit
      PASSWORD_CHECK_PWN: true
      MIN_PASSWORD_LENGTH: 14

    service:
      REGISTER_EMAIL_CONFIRM: true
      ENABLE_NOTIFY_MAIL: true
      DEFAULT_KEEP_EMAIL_PRIVATE: true
      ENABLE_CAPTCHA: true
      CAPTCHA_TYPE: hcaptcha
      HCAPTCHA_SITEKEY: [REDACTED]
      HCAPTCHA_SECRET: [REDACTED]

  podAnnotations: {}

  database:
    builtIn:
      postgresql:
        enabled: true
      mysql:
        enabled: false
      mariadb:
        enabled: false

  cache:
    builtIn:
      enabled: true
memcached:
  service:
    port: 11211

postgresql:
  global:
    postgresql:
      postgresqlDatabase: gitea
      postgresqlUsername: gitea
      postgresqlPassword: gitea
      servicePort: 5432
  persistence:
    size: 10Gi

mysql:
  root:
    password: gitea
  db:
    user: gitea
    password: gitea
    name: gitea
  service:
    port: 3306
  persistence:
    size: 10Gi

mariadb:
  auth:
    database: gitea
    username: gitea
    password: gitea
    rootPassword: gitea
  primary:
    service:
      port: 3306
    persistence:
      size: 10Gi
```

With these settings, Gitea starts but is not accessible via SSH. If I enable any one of the commented-out SSH settings, the pod fails to start with status `CrashLoopBackOff`.

The reason why I asked if SSH was enabled by default is because the helm [ingress.yaml](https://gitea.com/gitea/helm-chart/src/branch/master/templates/gitea/ingress.yaml) file seems to only reference HTTP and not SSH.

Is there any other direction you can give? I'm not sure if the issue lies in the Gitea configuration, the helm chart, or my own inexperience.
Member

Yeah, ingress is not able to forward ssh ports. You'll need to use a load balancer.
I'm using metallb for this task. You'll need to add something like this to your ssh service in your gitea values:

```yaml
service:
  ssh:
    type: LoadBalancer
    port: 22
    annotations:
      metallb.universe.tf/allow-shared-ip: "{{ ndo_context }}"
```
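Both replies above come down to two settings working together: the ssh Service must be of a type that is reachable from outside the cluster (an Ingress only carries HTTP), and `SSH_DOMAIN`/`SSH_PORT` must describe that external endpoint so Gitea advertises a correct clone URL. The following check is added here and is not part of the helm chart or of this thread; it walks a `values.yaml` already parsed into a dict and reports each inconsistency, and the sample dicts and `git.example.com` are constructed.

```python
# Added example, not code from the gitea/helm-chart project: sanity checks for
# the SSH exposure settings discussed in this thread. `values` is assumed to be
# values.yaml parsed into a dict (e.g. yaml.safe_load); samples are constructed.

# Service types reachable from outside the cluster. An Ingress only proxies
# HTTP(S), so a ClusterIP ssh Service is never reachable through it.
EXTERNALLY_REACHABLE = {"LoadBalancer", "NodePort"}


def check_ssh_exposure(values: dict) -> list:
    """Findings explaining why SSH clone would not connect or why the clone
    URL Gitea advertises would be wrong."""
    findings = []
    ssh_svc = values.get("service", {}).get("ssh", {})
    server = values.get("gitea", {}).get("config", {}).get("server", {})
    svc_type = ssh_svc.get("type", "ClusterIP")
    if svc_type not in EXTERNALLY_REACHABLE:
        findings.append(f"service.ssh.type is {svc_type}: SSH is only reachable "
                        "inside the cluster; use LoadBalancer (or NodePort)")
    # SSH_PORT is what Gitea writes into clone URLs; it must be the port the
    # Service exposes (SSH_LISTEN_PORT is the port inside the pod).
    svc_port, adv_port = ssh_svc.get("port"), server.get("SSH_PORT")
    if None not in (svc_port, adv_port) and int(svc_port) != int(adv_port):
        findings.append(f"SSH_PORT ({adv_port}) differs from service.ssh.port "
                        f"({svc_port}): clone URLs will point at the wrong port")
    # SSH_DOMAIN defaults to the HTTP DOMAIN; set it to the name the SSH load
    # balancer answers on, or the advertised host can be wrong.
    if not server.get("SSH_DOMAIN"):
        findings.append("SSH_DOMAIN is not set: clone URLs may use the wrong host")
    return findings


def expected_clone_url(values: dict, owner: str, repo: str) -> str:
    """SSH clone URL Gitea advertises; assumes the default ssh user 'git'."""
    server = values["gitea"]["config"]["server"]
    port = int(server.get("SSH_PORT", 22))
    # Gitea uses scp-like syntax on port 22 and an ssh:// URL otherwise.
    if port == 22:
        return f"git@{server['SSH_DOMAIN']}:{owner}/{repo}.git"
    return f"ssh://git@{server['SSH_DOMAIN']}:{port}/{owner}/{repo}.git"


# Constructed samples: the thread's starting point, then the LoadBalancer fix.
SAMPLE_BEFORE = {"service": {"ssh": {"type": "ClusterIP", "port": 22}},
                 "gitea": {"config": {"server": {"SSH_PORT": 22}}}}
SAMPLE_AFTER = {"service": {"ssh": {"type": "LoadBalancer", "port": 22}},
                "gitea": {"config": {"server": {"SSH_PORT": 22,
                                                "SSH_DOMAIN": "git.example.com"}}}}
```

Running `check_ssh_exposure(SAMPLE_BEFORE)` reproduces the situation in this thread (SSH unreachable, host not pinned down), while `SAMPLE_AFTER` yields no findings and a clone URL of the `git@host:owner/repo.git` form.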
Author

Okay, I'm not sure what happened, but I had to `helm uninstall` and `helm install` again to get the change to `type: LoadBalancer` to actually take. It created a new DigitalOcean load balancer different from the one used for HTTP(S), with a different IP, so I copied the port mappings over to the preexisting one and git seems to be working now. 🤷‍♂️

I suppose this means that my issue is resolved, but maybe something can be added to the README to indicate that `type: LoadBalancer` is needed to access SSH externally?
Member

I will extend the readme in the next few days
Member

#80 was merged including some hints for load balancers
Reference: gitea/helm-chart#72