diff --git a/README.md b/README.md
index f220d31..3b5efd0 100644
--- a/README.md
+++ b/README.md
@@ -87,6 +87,13 @@ gitea:
 podAnnotations: {}
 ```
+### Multiple OAuth authentication sources
+
+With `5.0.0` of this Chart it is now possible to configure Gitea with multiple
+OAuth sources. As a result, you need to update an existing OAuth configuration
+in your customized `values.yaml` by replacing the object with settings to a list
+of settings objects. See [OAuth2 Settings](#oauth-settings) section for details.
+
 ## Chart upgrade from 3.x.x to 4.0.0
 :warning: The most recent `4.0.0` update brings some breaking changes. Please note
@@ -521,20 +528,42 @@ deleted. Deleting OAuth2 settings has to be done in the ui. All OAuth2 values, which are documented [here](https://docs.gitea.io/en-us/command-line/#admin), are available.
+Multiple OAuth2 sources can be configured with additional OAuth list items.
+
 ```yaml
 gitea:
 oauth:
- enabled: true
- name: 'MyAwesomeGiteaOAuth'
- provider: 'openidConnect'
- key: 'hello'
- secret: 'world'
- autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration'
- #useCustomUrls:
- #customAuthUrl:
- #customTokenUrl:
- #customProfileUrl:
- #customEmailUrl:
+ - name: 'MyAwesomeGiteaOAuth'
+ provider: 'openidConnect'
+ key: 'hello'
+ secret: 'world'
+ autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration'
+ #useCustomUrls:
+ #customAuthUrl:
+ #customTokenUrl:
+ #customProfileUrl:
+ #customEmailUrl:
+```
+
+You can also use an existing secret to set the `key` and `secret`:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitea-oauth-secret
+type: Opaque
+stringData:
+ key: hello
+ secret: world
+```
+
+```yaml
+gitea:
+ oauth:
+ - name: 'MyAwesomeGiteaOAuth'
+ existingSecret: gitea-oauth-secret
+ ...
 ```
 ### Metrics and profiling
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 26c6aa0..e25f816 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -138,9 +138,20 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 {{- define "gitea.oauth_settings" -}}
-{{- range $key, $val := .Values.gitea.oauth -}}
-{{- if ne $key "enabled" -}}
-{{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}}
+{{- $idx := index . 0 }}
+{{- $values := index . 1 }}
+
+{{- if not (hasKey $values "key") -}}
+{{- $_ := set $values "key" (printf "${GITEA_OAUTH_KEY_%d}" $idx) -}}
+{{- end -}}
+
+{{- if not (hasKey $values "secret") -}}
+{{- $_ := set $values "secret" (printf "${GITEA_OAUTH_SECRET_%d}" $idx) -}}
+{{- end -}}
+
+{{- range $key, $val := $values -}}
+{{- if and (ne $key "enabled") (ne $key "existingSecret") -}}
+{{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
diff --git a/templates/gitea/init.yaml b/templates/gitea/init.yaml
index 1ce50c4..8137d67 100644
--- a/templates/gitea/init.yaml
+++ b/templates/gitea/init.yaml
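Review bot: Changing `squote` to `quote` on the `printf` line makes every OAuth value subject to shell expansion in the `gitea admin auth` command that init.yaml builds, not only the `${GITEA_OAUTH_KEY_%d}`/`${GITEA_OAUTH_SECRET_%d}` placeholders that need it — an inline `secret` containing `$` or a backtick is now expanded by bash, where the previous single quotes passed it verbatim. Double-quote only the env-var placeholders and keep `squote` for everything else, as below. Separately, the placeholders are emitted whenever `key`/`secret` are absent even if no `existingSecret` was given, while statefulset.yaml only injects the env vars when it is set, so a forgotten key silently becomes an empty string; a `{{ fail "gitea.oauth[].key/secret or existingSecret is required" }}` in the two `hasKey` branches when `existingSecret` is unset would surface that at render time. `set $values ...` also mutates the caller's values map in place, which appears harmless only because every include writes the same placeholder — worth a one-line comment.
```gotmpl
{{- /* … unchanged: $idx/$values extraction and key/secret placeholder defaulting … */ -}}
{{- range $key, $val := $values -}}
{{- if and (ne $key "enabled") (ne $key "existingSecret") -}}
{{- /* only the ${GITEA_OAUTH_*} placeholders need double quotes so the shell expands them; user-supplied values stay single-quoted, i.e. literal */ -}}
{{- if hasPrefix "${GITEA_OAUTH_" (toString $val) -}}
{{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
{{- else -}}
{{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}}
{{- end -}}
{{- end -}}
{{- end -}}
```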
@@ -104,23 +104,27 @@ stringData:
 configure_ldap
- {{- if .Values.gitea.oauth.enabled }}
 function configure_oauth() {
- local OAUTH_NAME={{ (printf "%s" .Values.gitea.oauth.name) | squote }}
+ {{- if .Values.gitea.oauth }}
+ {{- range $idx, $value := .Values.gitea.oauth }}
+ local OAUTH_NAME={{ (printf "%s" $value.name) | squote }}
 local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " " "{print \$1}")
 if [[ -z "${AUTH_ID}" ]]; then
 echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."
- gitea admin auth add-oauth {{- include "gitea.oauth_settings" . | indent 1 }}
+ gitea admin auth add-oauth {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }}
 echo '...installed.'
 else
 echo "Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'. Running update to sync settings..."
- gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" . | indent 1 }}
+ gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }}
 echo '...sync settings done.'
 fi
+ {{- end }}
+ {{- else }}
+ echo 'no oauth configuration... skipping.'
+ {{- end }}
 }
 configure_oauth
- {{- end }}
 echo '==== END GITEA CONFIGURATION ===='
diff --git a/templates/gitea/statefulset.yaml b/templates/gitea/statefulset.yaml
index 66dd287..6542296 100644
--- a/templates/gitea/statefulset.yaml
+++ b/templates/gitea/statefulset.yaml
@@ -20,7 +20,9 @@ spec:
 {{- range $idx, $value := .Values.gitea.ldap }}
 checksum/ldap_{{ $idx }}: {{ include "gitea.ldap_settings" (list $idx $value) | sha256sum }}
 {{- end }}
- checksum/oauth: {{ include "gitea.oauth_settings" . | sha256sum }}
+ {{- range $idx, $value := .Values.gitea.oauth }}
+ checksum/oauth_{{ $idx }}: {{ include "gitea.oauth_settings" (list $idx $value) | sha256sum }}
+ {{- end }}
 {{- with .Values.gitea.podAnnotations }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
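Review bot: Nothing guards against the pre-5.0.0 map form of `gitea.oauth` that this commit retires: `{{- range $idx, $value := .Values.gitea.oauth }}` over a leftover `enabled: false` map iterates string keys with scalar values, and `$value.name` then dies with an opaque template error instead of pointing the upgrader at the migration described in the README. Placing `{{- if and .Values.gitea.oauth (not (kindIs "slice" .Values.gitea.oauth)) }}{{ fail "gitea.oauth must be a list of OAuth sources since chart 5.0.0, see README" }}{{- end }}` before the range gives a usable message. Inside the loop, `{{ (printf "%s" $value.name) | squote }}` renders a nil placeholder for a list item without `name` rather than failing, so `{{ required "gitea.oauth[].name is required" $value.name | squote }}` is preferable. The range unrolls its body inside one bash function and re-declares `local OAUTH_NAME`/`local AUTH_ID` per item, which bash accepts; a template comment noting that the loop is expanded at render time would help readers of the generated script. The enclosing script continues outside the hunk.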
@@ -140,6 +142,22 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+ {{- if .Values.gitea.oauth }}
+ {{- range $idx, $value := .Values.gitea.oauth }}
+ {{- if $value.existingSecret }}
+ - name: GITEA_OAUTH_KEY_{{ $idx }}
+ valueFrom:
+ secretKeyRef:
+ key: key
+ name: {{ $value.existingSecret }}
+ - name: GITEA_OAUTH_SECRET_{{ $idx }}
+ valueFrom:
+ secretKeyRef:
+ key: secret
+ name: {{ $value.existingSecret }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
 {{- if .Values.gitea.admin.existingSecret }}
 - name: GITEA_ADMIN_USERNAME
 valueFrom:
diff --git a/values.yaml b/values.yaml
index 5740b7f..d22ca52 100644
--- a/values.yaml
+++ b/values.yaml
@@ -181,18 +181,19 @@ gitea:
 # usernameAttribute:
 # publicSSHKeyAttribute:
- oauth:
- enabled: false
- #name:
- #provider:
- #key:
- #secret:
- #autoDiscoverUrl:
- #useCustomUrls:
- #customAuthUrl:
- #customTokenUrl:
- #customProfileUrl:
- #customEmailUrl:
+ # Either specify inline `key` and `secret` or refer to them via `existingSecret`
+ oauth: []
+ # - name: 'OAuth 1'
+ # provider:
+ # key:
+ # secret:
+ # existingSecret:
+ # autoDiscoverUrl:
+ # useCustomUrls:
+ # customAuthUrl:
+ # customTokenUrl:
+ # customProfileUrl:
+ # customEmailUrl:
 config: {}
 # APP_NAME: "Gitea: Git with a cup of tea"
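Review bot: `name: {{ $value.existingSecret }}` is interpolated unquoted in both new `secretKeyRef` blocks; a Secret name consisting only of digits would render as a non-string YAML scalar and be rejected by the API server, so `name: {{ $value.existingSecret | quote }}` is the safer form. The outer `{{- if .Values.gitea.oauth }}` wrapper is redundant, since ranging over an empty list renders nothing. The Secret keys `key` and `secret` are hard-coded here with nothing in the template saying so; a `{{- /* existingSecret must hold the keys "key" and "secret" */ }}` next to the range would spare readers a trip to values.yaml. Which container these env entries belong to is not visible, as the enclosing container spec starts outside the hunk.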
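Review bot: The new `# Either specify inline ... via existingSecret` comment does not say what the referenced Secret must contain, while templates/gitea/statefulset.yaml reads the fixed keys `key` and `secret` from it; extend the `# existingSecret:` line to `# existingSecret:  # name of a Secret holding the keys 'key' and 'secret'`. It would also help to state that inline `key`/`secret` take precedence when both are given, because the helper in templates/_helpers.tpl only falls back to the env-var placeholders when the inline keys are absent, so an `existingSecret` next to an inline value is silently ignored.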