diff --git a/README.md b/README.md index caa3050..fe7aeee 100644 --- a/README.md +++ b/README.md @@ -37,6 +37,35 @@ helm install gitea gitea-charts/gitea - Helm 3.0+ - PV provisioner for persistent data support +## Chart upgrade to 5.0.0 + +:warning: The most recent `5.0.0` update brings some major and breaking changes. +Please note the following changes in the Chart to upgrade successfully. :warning: + +### App.ini generation + +The app.ini generation has changed and now utilizes the environment-to-ini +script provided by newer Gitea versions. + +:boom: The Helm Chart now requires Gitea versions of at least 1.11.0. + +This change ensures, that the app.ini is now persistent. + +#### Secret Key generation + +Gitea secret keys (SECRET_KEY, INTERNAL_TOKEN, JWT_SECRET) are now generated +automatically in certain situations: + +- New install: By default the secrets are created automatically. If you provide + secrets via `gitea.config` they will be used instead of automatic generation. +- Existing installs: The secrets won't be deployed, neither via + configuration nor via auto generation. We explicitly prevent to set new secrets. + +:rotating_light: It would be possible to set new secret keys manually by entering +the running container and rewriting the app.ini by hand. However, this it is +not advisable to do so for existing installations. Certain settings like +_LDAP_ would not be readable anymore. + ## Chart upgrade from 3.x.x to 4.0.0 :warning: The most recent `4.0.0` update brings some breaking changes. Please note @@ -523,48 +552,48 @@ gitea: ### Others -| Parameter | Description | Default | -| ------------------------------------------| -------------------------------------------------------- | ------- | -| statefulset.terminationGracePeriodSeconds | How long to wait until forcefully kill the pod | `60` | -| statefulset.env | Additional environment variables to pass to containers | `[]` | -| extraVolumes | Additional volumes to mount to the Gitea statefulset | `{}` | -| extraVolumeMounts | Additional volume mounts for the Gitea containers | `{}` | -| initPreScript | Bash script copied verbatim to start of init container | | -| securityContext | Run as a specific securityContext | `{}` | -| schedulerName | Use an alternate scheduler, e.g. "stork" | | +| Parameter | Description | Default | +| ------------------------------------------- | -------------------------------------------------------------------- | ------- | +| `statefulset.terminationGracePeriodSeconds` | How long to wait until forcefully kill the pod | `60` | +| `statefulset.env` | Additional environment variables to pass to containers | `[]` | +| `extraVolumes` | Additional volumes to mount to the Gitea statefulset | `{}` | +| `extraVolumeMounts` | Additional volume mounts for the Gitea containers | `{}` | +| `initPreScript` | Bash script copied verbatim to start of init container | | +| `securityContext` | Run as a specific securityContext | `{}` | +| `schedulerName` | Use an alternate scheduler, e.g. "stork" | | ### Image -| Parameter | Description | Default | -| -----------------| ----------------------------------------------------------------------------------------- | ------------- | -| image.repository | Image to start for this pod | `gitea/gitea` | -| image.tag | [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated) | `1.14.6` | -| image.pullPolicy | Image pull policy | `Always` | -| image.rootless | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher | `false` | +| Parameter | Description | Default | +| ------------------ | ----------------------------------------------------------------------------------------- | ------------- | +| `image.repository` | Image to start for this pod | `gitea/gitea` | +| `image.tag` | [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated) | `1.14.6` | +| `image.pullPolicy` | Image pull policy | `Always` | +| `image.rootless` | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher | `false` | ### Persistence -| Parameter | Description | Default | -| ------------------------- | ---------------------------------------------------------- | ------- | -| persistence.enabled | Enable persistence for Gitea | `true` | -| persistence.existingClaim | Use an existing claim to store repository information | | -| persistence.size | Size for persistence to store repo information | `10Gi` | -| persistence.accessModes | AccessMode for persistence | | -| persistence.storageClass | Storage class for repository persistence | | -| persistence.labels | Labels for the persistence volume claim to be created | `{}` | -| persistence.annotations | Annotations for the persistence volume claim to be created | `{}` | +| Parameter | Description | Default | +| --------------------------- | ---------------------------------------------------------- | ------- | +| `persistence.enabled` | Enable persistence for Gitea | `true` | +| `persistence.existingClaim` | Use an existing claim to store repository information | | +| `persistence.size` | Size for persistence to store repo information | `10Gi` | +| `persistence.accessModes` | AccessMode for persistence | | +| `persistence.storageClass` | Storage class for repository persistence | | +| `persistence.labels` | Labels for the persistence volume claim to be created | `{}` | +| `persistence.annotations` | Annotations for the persistence volume claim to be created | `{}` | ### Ingress -| Parameter | Description | Default | -| ---------------------------------- | ---------------------------------------------- | ----------------- | -| ingress.enabled | enable ingress | `false` | -| ingress.annotations | add ingress annotations | | -| ingress.hosts[0].host | add hosts for ingress | `git.example.com` | -| ingress.hosts[0].paths[0].path | add path for each ingress host | `/` | -| ingress.hosts[0].paths[0].pathType | add ingress path type | `Prefix` | -| ingress.tls | add ingress tls settings | `[]` | -| ingress.className | add ingress class name. Only used in k8s 1.19+ | | +| Parameter | Description | Default | +| ------------------------------------ | ---------------------------------------------- | ----------------- | +| `ingress.enabled` | enable ingress | `false` | +| `ingress.annotations` | add ingress annotations | | +| `ingress.hosts[0].host` | add hosts for ingress | `git.example.com` | +| `ingress.hosts[0].paths[0].path` | add path for each ingress host | `/` | +| `ingress.hosts[0].paths[0].pathType` | add ingress path type | `Prefix` | +| `ingress.tls` | add ingress tls settings | `[]` | +| `ingress.className` | add ingress class name. Only used in k8s 1.19+ | | ### Service diff --git a/templates/gitea/config.yaml b/templates/gitea/config.yaml index 416d495..3eca2a0 100644 --- a/templates/gitea/config.yaml +++ b/templates/gitea/config.yaml @@ -6,7 +6,10 @@ metadata: {{- include "gitea.labels" . | nindent 4 }} type: Opaque stringData: - app.ini: |- + config_environment.sh: |- + #!/usr/bin/env bash + set -euo pipefail + {{- if not (hasKey .Values.gitea.config "cache") -}} {{- $_ := set .Values.gitea.config "cache" dict -}} {{- end -}} @@ -31,6 +34,10 @@ stringData: {{- $_ := set .Values.gitea.config "repository" dict -}} {{- end -}} + {{- if not (hasKey .Values.gitea.config "oauth2") -}} + {{- $_ := set .Values.gitea.config "oauth2" dict -}} + {{- end -}} + {{- /* repository default settings */ -}} {{- if not .Values.gitea.config.repository.ROOT -}} {{- $_ := set .Values.gitea.config.repository "ROOT" "/data/git/gitea-repositories" -}} @@ -132,17 +139,34 @@ stringData: {{- end -}} {{- end -}} - {{- /* autogenerate app.ini */ -}} + {{- if not (hasKey .Values.gitea.config.security "INTERNAL_TOKEN") }} + export ENV_TO_INI__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN) + {{- end }} + {{- if not (hasKey .Values.gitea.config.security "SECRET_KEY") }} + export ENV_TO_INI__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY) + {{- end }} + {{- if not (hasKey .Values.gitea.config.oauth2 "JWT_SECRET") }} + export ENV_TO_INI__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET) + {{- end }} + + {{- /* autogenerate app.ini environment values */ -}} {{- range $key, $value := .Values.gitea.config }} {{- if kindIs "map" $value }} {{- if gt (len $value) 0 }} - - [{{ $key }}] {{- range $n_key, $n_value := $value }} - {{ $n_key | upper }} = {{ $n_value }} + export ENV_TO_INI__{{ $key | upper | replace "." "_0X2E_" | replace "-" "_0X2D_" }}__{{ $n_key | upper }}={{ $n_value }} {{- end }} {{- end }} {{- else }} - {{ $key | upper }} = {{ $value }} + export ENV_TO_INI__{{ $key | upper | replace "." "_0X2E_" | replace "-" "_0X2D_" }}__{{ $key | upper }}={{ $value }} {{- end }} {{- end }} + + # safety to prevent rewrite of secret keys if an app.ini already exists + if [ -f ${GITEA_APP_INI} ]; then + unset ENV_TO_INI__SECURITY__INTERNAL_TOKEN + unset ENV_TO_INI__SECURITY__SECRET_KEY + unset ENV_TO_INI__OAUTH2__JWT_SECRET + fi + + environment-to-ini -o $GITEA_APP_INI -p ENV_TO_INI diff --git a/templates/gitea/init.yaml b/templates/gitea/init.yaml index c40ef7b..1ce50c4 100644 --- a/templates/gitea/init.yaml +++ b/templates/gitea/init.yaml @@ -33,9 +33,6 @@ stringData: chown 1000:1000 "${GITEA_TEMP}" chmod ug+rwx "${GITEA_TEMP}" - # Copy config file to writable volume - cp /etc/gitea/conf/app.ini /data/gitea/conf/app.ini - chmod a+rwx /data/gitea/conf/app.ini configure_gitea.sh: |- #!/usr/bin/env bash diff --git a/templates/gitea/statefulset.yaml b/templates/gitea/statefulset.yaml index 1ddd529..3b006b2 100644 --- a/templates/gitea/statefulset.yaml +++ b/templates/gitea/statefulset.yaml @@ -60,8 +60,31 @@ spec: mountPath: /usr/sbin - name: temp mountPath: /tmp + - name: data + mountPath: /data + {{- if .Values.extraVolumeMounts }} + {{- toYaml .Values.extraVolumeMounts | nindent 12 }} + {{- end }} + - name: init-app-ini + image: "{{ include "gitea.image" . }}" + command: ["/usr/sbin/config_environment.sh"] + env: + - name: GITEA_APP_INI + value: /data/gitea/conf/app.ini + - name: GITEA_CUSTOM + value: /data/gitea + - name: GITEA_WORK_DIR + value: /data + - name: GITEA_TEMP + value: /tmp/gitea + {{- if .Values.statefulset.env }} + {{- toYaml .Values.statefulset.env | nindent 12 }} + {{- end }} + volumeMounts: - name: config - mountPath: /etc/gitea/conf + mountPath: /usr/sbin + - name: temp + mountPath: /tmp - name: data mountPath: /data {{- if .Values.extraVolumeMounts }} @@ -236,10 +259,11 @@ spec: - name: init secret: secretName: {{ include "gitea.fullname" . }}-init - defaultMode: 0777 + defaultMode: 110 - name: config secret: secretName: {{ include "gitea.fullname" . }} + defaultMode: 110 {{- if .Values.extraVolumes }} {{- toYaml .Values.extraVolumes | nindent 8 }} {{- end }}