Rewrite init script #178

justusbunsi · 2021-06-12T18:32:57Z

justusbunsi commented

2021-06-12 18:32:57 +00:00

These changes rewrite the init script to be error aware, informative and have a bit more security awareness.

During rewrite several hidden bugs could be identified and fixed, such as:

LDAP configuration options interpreted by the shell before passed to command
Finding multiple ldap ids instead of one during lookup when their names are almost identical
e.g. _my-ldap-auth and my-ldap-auth
Properly filter auth sources by their types to prevent unintended type converting attempts that fail

In addition to that the script is a bit cleaner. Some commands do not exist anymore and would cause false-positive errors during script execution.

Helps for: #149

These changes rewrite the init script to be error aware, informative and have a bit more security awareness. During rewrite several hidden bugs could be identified and fixed, such as: - LDAP configuration options interpreted by the shell before passed to command - Finding multiple ldap ids instead of one during lookup when their names are almost identical e.g. `_my-ldap-auth` and `my-ldap-auth` - Properly filter auth sources by their types to prevent unintended type converting attempts that fail In addition to that the script is a bit cleaner. Some commands do not exist anymore and would cause false-positive errors during script execution. Helps for: #149

justusbunsi commented

2021-06-12 18:35:51 +00:00

I've tested all changes for every possibility I could think of (probably not all ?). Even switching between both available images (root, rootless) to verify interoperability.

Some things (not really related to my changes) didn't work (properly):

Using not-active, skip-tls-verify, allow-deactivate-all, synchronize-users and attributes-in-bind for LDAP configuration. They are boolean values and would be passed like --not-active '' which breaks the command for some reason.
~~Same for use-custom-urls for OAuth command.~~ (Edit: incorrect statement)

~~Should I open separate issues for this or do we fix boolean option passing in this PR as well since they would break the init script?~~ (Edit: Yes, fix in this PR as well.)

I've tested all changes for every possibility I could think of (probably not all ?). Even switching between both available images (root, rootless) to verify interoperability. Some things (not really related to my changes) didn't work (properly): Using _not-active_, _skip-tls-verify_, _allow-deactivate-all_, _synchronize-users_ and _attributes-in-bind_ for LDAP configuration. They are boolean values and would be passed like `--not-active ''` which breaks the command for some reason. ~~Same for `use-custom-urls` for OAuth command.~~ (Edit: incorrect statement) ~~Should I open separate issues for this or do we fix boolean option passing in this PR as well since they would break the init script?~~ (Edit: Yes, fix in this PR as well.)

justusbunsi reviewed 2021-06-12 18:37:38 +00:00

templates/gitea/statefulset.yaml Outdated

						
				@ -42,0 +49,4 @@

				            - name: GITEA_WORK_DIR

				              value: /data

				            - name: GITEA_TEMP

				              value: /tmp/gitea

justusbunsi commented

2021-06-12 18:37:38 +00:00

Should we include .Values.statefulset.env into init-directories init container since initPreScript execution takes place here and someone could reference custom environment variables?

Should we include `.Values.statefulset.env` into `init-directories` init container since `initPreScript` execution takes place here and someone could reference custom environment variables?

justusbunsi marked this conversation as resolved

justusbunsi commented

2021-06-14 17:06:40 +00:00

I just re-read the issue #149 and am sure that this PR will not fully fix it. The repeated failure on init container due to unavailable db is done and the script is more verbose. But right now no credentials are used for the db check.