Generic way for configuring Gitea app.ini #240

Merged
luhahn merged 8 commits from justusbunsi/helm-chart:feature/rework-sensitive-ini-settings into master 2021-12-22 10:44:05 +00:00
4 changed files with 70 additions and 4 deletions
Showing only changes of commit 30e4f75b81 - Show all commits


@ -289,11 +289,9 @@ or update.
```yaml
gitea:
additionalConfigSources:
- name: oauth
secret:
- secret:
secretName: gitea-app-ini-oauth
- name: some-additionals
configMap:
- configMap:
name: gitea-app-ini-plaintext
```
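Review bot: with the `- name: oauth` / `- name: some-additionals` entries removed from the example, nothing on this page tells the reader where the ini section name now comes from; the script in `config.yaml` derives it from the basename of the mounted file, that is, from the key inside the referenced Secret or ConfigMap, so the example should say so (a comment such as `# the data key inside the Secret becomes the [section] name`) and ideally show one matching Secret, so that readers do not keep a `name:` field expecting it to be honoured.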


@ -10,6 +10,50 @@ stringData:
#!/usr/bin/env bash
set -euo pipefail
function env2ini::log() {
echo "${1}"
}
function env2ini::read_config_to_env() {
local section="${1}"
local line="${2}"
# xargs echo -n trims all whitespaces and a trailing new line
local setting=$(awk -F '=' '{print $1}' <<< "${line}" | xargs echo -n)
local value=$(awk -F '=' '{print $NF}' <<< "${line}" | xargs echo -n)
justusbunsi marked this conversation as resolved Outdated

TODO: Proper handling for values with `=` and `"` inside.
if [[ -z "${setting}" ]]; then
env2ini::log " ? unprocessable line '${line}'"
return
fi
env2ini::log " + '${setting}' to '${section}'"
local masked_section="${section//./_0X2E_}" # // instructs to replace all matches
masked_section="${masked_section//-/_0X2D_}"
export "ENV_TO_INI__${masked_section^^}__${setting^^}=${value}"
justusbunsi marked this conversation as resolved Outdated

Users can have spaces around the `=` character in their config sources. Just like it is possible within `app.ini`. This regex takes this into account when stripping the setting name from the line to parse.
}
function env2ini::process_config_file() {
local config_file="${1}"
local section="$(basename "${config_file}")"
justusbunsi marked this conversation as resolved Outdated

I've decided to let the script fail in case any line is not processable. That way the user is required to fix their configuration before the currently applied breaks somehow. Open for discussion here.
env2ini::log "=== Found additional source: ${config_file} ==="
while read -r line; do
env2ini::read_config_to_env "${section}" "${line}"
done < "${config_file}"
}
function env2ini::load_additional_config_sources() {
while read -d '' configFile; do
env2ini::process_config_file "${configFile}"
done < <(find /env-to-ini-mounts/ -type l -not -name '..data' -print0)
env2ini::log "=== All additional config sources processed ==="
}
justusbunsi marked this conversation as resolved Outdated

`____` ensures that global settings inside app.ini are actually taken into account and stored at the correct ini level. This broke with the switch to `environment-to-ini` tool.
{{- if not (hasKey .Values.gitea.config "cache") -}}
{{- $_ := set .Values.gitea.config "cache" dict -}}
{{- end -}}
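Review bot: `while read -r line; do ... done < "${config_file}"` in `env2ini::process_config_file` drops a final line that has no trailing newline, because `read` returns non-zero at EOF; a Secret value written without a closing newline would silently lose its last setting. `while IFS= read -r line || [[ -n "${line}" ]]; do` processes that line too. In `env2ini::read_config_to_env`, every non-empty line is treated as a setting, so a comment line (`# ...`) or a `[section]` header yields a non-empty `${setting}` and the `export` then fails with "not a valid identifier", which under `set -euo pipefail` aborts the whole init script; skipping lines that start with `#`, `;` or `[` before the split gives a clearer failure mode. The `_0X2E_`/`_0X2D_` masking is applied only to `${section}`; applying it to `${setting}` as well avoids the same invalid-identifier failure should a key ever contain `.` or `-`. For the `=` handling noted in the TODO, `${line%%=*}` and `${line#*=}` split on the first `=` and keep any further `=` inside the value, which `awk -F '=' '{print $NF}'` does not, and they also avoid `xargs` choking on an unbalanced `"` in the value.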
@ -162,8 +206,15 @@ stringData:
{{- end }}
{{- end }}
env2ini::load_additional_config_sources
justusbunsi marked this conversation as resolved Outdated

The functions I wrote above gives us the possibility to completely rewrite the `config.yaml` file content. We could split scripts from data and use a ConfigMap for the script instead of Secret. The values that are currently rendered by the Helm template engine could be written to a separate Kubernetes Secret which then gets processed along with the additional config sources. I think it's out of scope for this PR but I really like the idea of separating user input from Chart script logic.

? I had time to implement this as well.
# safety to prevent rewrite of secret keys if an app.ini already exists
if [ -f ${GITEA_APP_INI} ]; then
env2ini::log 'An app.ini file already exists. To prevent overwriting secret keys, these settings are dropped and remain unchanged:'
env2ini::log ' -> security.INTERNAL_TOKEN'
env2ini::log ' -> security.SECRET_KEY'
env2ini::log ' -> oauth2.JWT_SECRET'
unset ENV_TO_INI__SECURITY__INTERNAL_TOKEN
unset ENV_TO_INI__SECURITY__SECRET_KEY
unset ENV_TO_INI__OAUTH2__JWT_SECRET
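Review bot: `if [ -f ${GITEA_APP_INI} ]; then` leaves the path unquoted; with an empty value the test collapses to `[ -f ]`, which is true because a one-argument test only checks for a non-empty string, and the three secret keys would then be dropped on a fresh install. Quote it as `"${GITEA_APP_INI}"`. It is also worth saying in the log message that the keys are dropped regardless of whether they came from `gitea.config` or from an additional config source, since `env2ini::load_additional_config_sources` runs right before this block and the `unset` lines cover both paths.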


@ -97,6 +97,10 @@ spec:
{{- if .Values.persistence.subPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
{{- range $idx, $value := .Values.gitea.additionalConfigSources }}
- name: additional-config-sources-{{ $idx }}
mountPath: "/env-to-ini-mounts/{{ $idx }}/"
{{- end }}
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
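Review bot: the new `volumeMounts` entries should carry `readOnly: true`, since the init script only reads the files under `/env-to-ini-mounts/{{ $idx }}/`. Using the list index in the mount path keeps two sources with the same data key from colliding on disk, but both then map to the same `[section]` in the script, and the `find ... -print0` loop in `config.yaml` processes the directories in whatever order `find` returns, so when two sources set the same key the winner is not tied to the list order; piping the `find` output through `sort -z` would make that deterministic.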
@ -284,8 +288,15 @@ spec:
{{- if .Values.extraVolumes }}
{{- toYaml .Values.extraVolumes | nindent 8 }}
{{- end }}
{{- range $idx, $value := .Values.gitea.additionalConfigSources }}
- name: additional-config-sources-{{ $idx }}
{{- toYaml $value | nindent 10 }}
{{- end }}
- name: temp
emptyDir: {}
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
- name: data
persistentVolumeClaim:
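Review bot: `{{- toYaml $value | nindent 10 }}` splices each list entry verbatim, so an entry that names neither `secret` nor `configMap`, or nests `secretName` at the wrong level, renders without error and only fails at pod creation; a guard such as `{{- if not (or $value.secret $value.configMap) }}{{ fail "additionalConfigSources entries need secret or configMap" }}{{- end }}` would surface the mistake at `helm install` time. Unrelated to this change, the surrounding context lines appear to render `.Values.extraVolumeMounts` inside the `volumes:` list, which looks like a pre-existing copy-and-paste slip worth a follow-up.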


@ -205,6 +205,12 @@ gitea:
# security:
# PASSWORD_COMPLEXITY: spec
additionalConfigSources: []
# - secret:
# secretName: gitea-app-ini-oauth
# - configMap:
# name: gitea-app-ini-plaintext
podAnnotations: {}
database:
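Review bot: the commented-out example under `additionalConfigSources` shows only the volume source, not what the referenced Secret or ConfigMap has to contain; since the script takes the section name from each data key and parses every line of the value as `KEY = value`, a short companion example next to these lines (a Secret with a data key such as `oauth2` whose value holds the settings for that section) would save users from guessing the expected shape. It is also worth a comment that `secretName` versus `name` simply follows the Kubernetes volume source fields for `secret` and `configMap`, which is why the two entries differ.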