2021-06-10 11:13:33 +00:00 · 2021-06-09 14:00:57 +00:00 · 2021-06-09 14:43:08 +00:00
5 changed files with 93 additions and 6 deletions
--- a/README.md
+++ b/README.md
@ -262,6 +262,25 @@ You cannot use `admin` as username.
      email: "gi@tea.com"
 ```

+You can also use an existing Secret to configure the admin user:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-admin-secret
+type: Opaque
+stringData:
+  username: MyAwesomeGiteaAdmin
+  password: AReallyAwesomeGiteaPassword
+```
+
+```yaml
+gitea:
+    admin:
+      existingSecret: gitea-admin-secret
+```
+
 ### LDAP Settings

 Like the admin user the LDAP settings can be updated, but also disabled or deleted.
@ -306,6 +325,26 @@ kebab-case:
      bind-password: JustAnotherBindPw
      username-attribute: CN
 ```
+
+You can also use an existing secret to set the bindDn and bindPassword:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-ldap-secret
+type: Opaque
+stringData:
+  bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com
+  bindPassword: JustAnotherBindPw
+```
+
+```yaml
+gitea:
+    ldap:
+      existingSecret: gitea-ldap-secret
+```
+
 ### OAuth2 Settings

 Like the admin user the OAuth2 settings can be updated but also disabled or deleted.
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@ -108,9 +108,21 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}

 {{- define "gitea.ldap_settings" -}}
+{{- if or (not (hasKey .Values.gitea.ldap "bindDn")) (not (hasKey .Values.gitea.ldap "bind-dn")) -}}
+{{- $_ := set .Values.gitea.ldap "bindDn" "" -}}
+{{- end -}}
+
+{{- if or (not (hasKey .Values.gitea.ldap "bindPassword")) (not (hasKey .Values.gitea.ldap "bind-password")) -}}
+{{- $_ := set .Values.gitea.ldap "bindPassword" "" -}}
+{{- end -}}
+
 {{- range $key, $val := .Values.gitea.ldap -}}
-{{- if ne $key "enabled" -}}
-{{- if eq $key "port" -}}
+{{- if and (ne $key "enabled") (ne $key "existingSecret") -}}
+{{- if eq  ($key | kebabcase) "bind-dn" -}}
+{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_BIND_DN}" | quote ) -}}
+{{- else if eq ($key | kebabcase) "bind-password" -}}
+{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_PASSWORD}" | quote ) -}}
+{{- else if eq $key "port" -}}
 {{- printf "--%s %d " ($key | kebabcase) ($val | int) -}}
 {{- else -}}
 {{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
--- a/templates/gitea/init.yaml
+++ b/templates/gitea/init.yaml
@ -41,13 +41,13 @@ stringData:
    set -x; \
    gitea migrate; \
    {{- if and .Values.gitea.admin.username .Values.gitea.admin.password }}
-    gitea admin create-user --username  {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }} --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
+    gitea admin create-user --username  "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
    || \
-    gitea admin change-password --username {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }} \
+    gitea admin change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" \
    || \
-    gitea admin user create --username  {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }} --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
+    gitea admin user create --username  "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
    || \
-    gitea admin user change-password --username {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }}; \
+    gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"; \
    {{- end }}
    {{- if .Values.gitea.ldap.enabled }}
    gitea admin auth add-ldap \
--- a/templates/gitea/statefulset.yaml
+++ b/templates/gitea/statefulset.yaml
@ -50,6 +50,40 @@ spec:
              value: /data
            - name: GITEA_TEMP
              value: /tmp/gitea
+            {{- if .Values.gitea.ldap.existingSecret }}
+            - name: GITEA_LDAP_BIND_DN
+              valueFrom:
+                secretKeyRef:
+                  key:  bindDn
+                  name: {{ .Values.gitea.ldap.existingSecret }}
+            - name: GITEA_LDAP_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key:  bindPassword
+                  name: {{ .Values.gitea.ldap.existingSecret }}
+            {{- else }}
+            - name: GITEA_LDAP_BIND_DN
+              value: {{ .Values.gitea.ldap.bindDn | quote }}
+            - name: GITEA_ADMIN_PASSWORD
+              value: {{ .Values.gitea.ldap.bindPassword | quote }}
+            {{- end }}
+            {{- if .Values.gitea.admin.existingSecret }}
+            - name: GITEA_ADMIN_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  key:  username
+                  name: {{ .Values.gitea.admin.existingSecret }}
+            - name: GITEA_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key:  password
+                  name: {{ .Values.gitea.admin.existingSecret }}
+            {{- else }}
+            - name: GITEA_ADMIN_USERNAME
+              value: {{ .Values.gitea.admin.username | quote }}
+            - name: GITEA_ADMIN_PASSWORD
+              value: {{ .Values.gitea.admin.password | quote }}
+            {{- end }}
            {{- if .Values.statefulset.env }}
            {{- toYaml .Values.statefulset.env | nindent 12 }}
            {{- end }}
--- a/values.yaml
+++ b/values.yaml
@ -127,6 +127,7 @@ initPreScript: ""

 gitea:
  admin:
+    #existingSecret: gitea-admin-secret
    username: gitea_admin
    password: r8sA8CPHD9!bt6d
    email: "gitea@local.domain"
@ -140,6 +141,7 @@ gitea:

  ldap:
    enabled: false
+    #existingSecret: gitea-ldap-secret
    #name:
    #securityProtocol:
    #host: