Generic way for configuring Gitea app.ini #240
Merged
luhahn
merged 8 commits from justusbunsi/helm-chart:feature/rework-sensitive-ini-settings into master 8 months ago
No Assignees
5 Participants
Notifications
Due Date
No due date set.
Depends on
#244 Rework OAuth sources
gitea/helm-chart
Reference: gitea/helm-chart#240
Loading…
Reference in new issue
There is no content yet.
Delete Branch 'justusbunsi/helm-chart:feature/rework-sensitive-ini-settings'
Deleting a branch is permanent. It CANNOT be undone. Continue?
With the result of PR #239 it is much easier to provide additional values to the app.ini configuration from different sources.
These changes adds an additionalConfigSources field where the users can define such sources. This enables the users to choose
on their own whether to store values in values.yaml or load them from Kuberetes Secrets or ConfigMaps.
Currently, I just wrote down my thoughts without implementing it, because I need a second opinion on what the users should actually define and how. Both ways require some structure for the references Kubernetes resources:
GITEA__LOG_0x2E_CONSOLE__STDERR=falseThe first approach would keep prefixing with
GITEA_to the Helm Chart as well as converting.into0x2E. The second one is easier for the Helm Chart but more complex for the users.@luhahn & @lunny, shall I proceed with the first approach? Details here.
EDIT: After chatting with Luhahn, I'll proceed with the current approach (the first one).
119d7352b7to5def46b6509 months agoJust realized that this fixes neither #174 nor the mentioned oauth topic since these values are not configured inside app.ini. 🤦♂️But I think it is still a neat addition to the chart giving more flexibility about how to configure Gitea.See PR comment.
WIP: Rework sensitive ini settingsto WIP: Generic way for configuring Gitea 9 months ago5def46b650to6ead5996959 months ago{{- end }}{{- end }}env2ini::load_additional_config_sourcesThe functions I wrote above gives us the possibility to completely rewrite the
config.yamlfile content. We could split scripts from data and use a ConfigMap for the script instead of Secret. The values that are currently rendered by the Helm template engine could be written to a separate Kubernetes Secret which then gets processed along with the additional config sources.I think it's out of scope for this PR but I really like the idea of separating user input from Chart script logic.
😆 I had time to implement this as well.
Hi @lord-kyron and @volker.raschek. You've opened several issues in the past asking for options to securely pass sensitive data to the Gitea app.ini. This PR provides a really generic way to craft the app.ini from various sources.
Feel free to check it out and experiment with it. I'd be happy for any user feedback. Detailed description on how to use it can be found here.
⚠️ This PR is based on different open PRs and contains some breaking changes, so it is considered bloody edge. Please have a look at #244 and #248.
WIP: Generic way for configuring Giteato Generic way for configuring Gitea 9 months ago# xargs echo -n trims all whitespaces and a trailing new linelocal setting=$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)local value=$(awk -F '=' '{print $NF}' <<< "${line}" | xargs echo -n)TODO: Proper handling for values with
=and"inside.df3539a056tob2064147648 months agoSome thoughts for reviewers
filocal value=''local regex="^${setting}(\s*)=(\s*)(.*)"Users can have spaces around the
=character in their config sources. Just like it is possible withinapp.ini. This regex takes this into account when stripping the setting name from the line to parse.value="${BASH_REMATCH[3]}"elseenv2ini::log ' ! invalid setting'exit 1I've decided to let the script fail in case any line is not processable. That way the user is required to fix their configuration before the currently applied breaks somehow. Open for discussion here.
Generic way for configuring Giteato Generic way for configuring Gitea app.ini 8 months agoenv2ini::log " + '${setting}'"if [[ -z "${section}" ]]; thenexport "ENV_TO_INI____${setting^^}=${value}" # '^^' makes the variable content uppercase____ensures that global settings inside app.ini are actually taken into account and stored at the correct ini level.This broke with the switch to
environment-to-initool.The latest changes align the processing for inline sources with additional sources. Therefore I've added another Kubernetes secret where the inline sources are stored the same way as additional sources requires it.
Logging helps to understand what setting is used for the final
app.iniand from which source it came. In case of duplicate settings, there is a (natural) override mechanism:values.yamlover default Helm Chartvalues.yamlsettingsThe already ensured persistence for "secret" settings remains untouched.
LGTM, already tested a bunch of values
7bcfd26322tob486175eca8 months agob486175ecatoe3d01dd8f68 months agoe3d01dd8f6toc33e34e9568 months agoOk. Kept it in sync with head branch the last 24 hours. 😉
Hello !
I will try this PR in the afternoon.
Having reviewed the changes, I find the following benefits :
From a very first sight, it seems there is a typo in commit
30e4f75b(line 302-304).Those lines are volume mounts in a volume section with the wrong indentation. It breaks templating when defining extra volume mounts in values.yaml.
Awesome.
Good catch. Fixed.
looks good to me
7b0a1c7ae6into master 8 months agoReviewers
7b0a1c7ae6.