From 2882c6f8db5899e500cb3d9536e5c5736404881c Mon Sep 17 00:00:00 2001 From: justusbunsi Date: Sat, 13 Nov 2021 13:12:47 +0100 Subject: [PATCH 1/2] Add support for multiple OAuth sources --- README.md | 30 +++++++++++++++++++----------- templates/_helpers.tpl | 5 ++++- templates/gitea/init.yaml | 14 +++++++++----- templates/gitea/statefulset.yaml | 4 +++- values.yaml | 23 +++++++++++------------ 5 files changed, 46 insertions(+), 30 deletions(-) diff --git a/README.md b/README.md index f220d31..a4c2ffb 100644 --- a/README.md +++ b/README.md @@ -87,6 +87,13 @@ gitea: podAnnotations: {} ``` +### Multiple OAuth authentication sources + +With `5.0.0` of this Chart it is now possible to configure Gitea with multiple +OAuth sources. As a result, you need to update an existing OAuth configuration +in your customized `values.yaml` by replacing the object with settings to a list +of settings objects. See [OAuth2 Settings](#oauth-settings) section for details. + ## Chart upgrade from 3.x.x to 4.0.0 :warning: The most recent `4.0.0` update brings some breaking changes. Please note @@ -521,20 +528,21 @@ deleted. Deleting OAuth2 settings has to be done in the ui. All OAuth2 values, which are documented [here](https://docs.gitea.io/en-us/command-line/#admin), are available. +Multiple OAuth2 sources can be configured with additional OAuth list items. + ```yaml gitea: oauth: - enabled: true - name: 'MyAwesomeGiteaOAuth' - provider: 'openidConnect' - key: 'hello' - secret: 'world' - autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration' - #useCustomUrls: - #customAuthUrl: - #customTokenUrl: - #customProfileUrl: - #customEmailUrl: + - name: 'MyAwesomeGiteaOAuth' + provider: 'openidConnect' + key: 'hello' + secret: 'world' + autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration' + #useCustomUrls: + #customAuthUrl: + #customTokenUrl: + #customProfileUrl: + #customEmailUrl: ``` ### Metrics and profiling 
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 26c6aa0..3cc9fb9 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -138,7 +138,10 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} {{- define "gitea.oauth_settings" -}} -{{- range $key, $val := .Values.gitea.oauth -}} +{{- $idx := index . 0 }} +{{- $values := index . 1 }} + +{{- range $key, $val := $values -}} {{- if ne $key "enabled" -}} {{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}} {{- end -}} diff --git a/templates/gitea/init.yaml b/templates/gitea/init.yaml index 1ce50c4..8137d67 100644 --- a/templates/gitea/init.yaml +++ b/templates/gitea/init.yaml @@ -104,23 +104,27 @@ stringData: configure_ldap - {{- if .Values.gitea.oauth.enabled }} function configure_oauth() { - local OAUTH_NAME={{ (printf "%s" .Values.gitea.oauth.name) | squote }} + {{- if .Values.gitea.oauth }} + {{- range $idx, $value := .Values.gitea.oauth }} + local OAUTH_NAME={{ (printf "%s" $value.name) | squote }} local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " " "{print \$1}") if [[ -z "${AUTH_ID}" ]]; then echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..." - gitea admin auth add-oauth {{- include "gitea.oauth_settings" . | indent 1 }} + gitea admin auth add-oauth {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }} echo '...installed.' else echo "Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'. Running update to sync settings..." - gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" . | indent 1 }} + gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }} echo '...sync settings done.' fi + {{- end }} + {{- else }} + echo 'no oauth configuration... skipping.' + {{- end }} } configure_oauth - {{- end }} echo '==== END GITEA CONFIGURATION ====' 
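Review bot: Each iteration of the new `range` looks the source up by name with `grep -E "\|${OAUTH_NAME}\s+\|"`, so two list entries that share a `name` (or a name that also matches another row, since it is used as a regex) resolve to the same `AUTH_ID` and the later iteration silently overwrites the earlier source's settings through `update-oauth`. When the grep matches several rows `AUTH_ID` is presumably multi-line, the `-z` test still passes and the id is handed to `--id` as-is. I would guard right after the lookup with `if [[ $(printf '%s\n' "${AUTH_ID}" | grep -c .) -gt 1 ]]; then echo "Ambiguous OAuth2 source name '${OAUTH_NAME}'" >&2; exit 1; fi`, and since the chart now takes a list, reject duplicate `name` values at render time with `fail`. The regex treatment of the name is pre-existing; `configure_oauth` is fully visible but the script's shell options and the rest of the file start outside the hunk.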
diff --git a/templates/gitea/statefulset.yaml b/templates/gitea/statefulset.yaml index 66dd287..052cd50 100644 --- a/templates/gitea/statefulset.yaml +++ b/templates/gitea/statefulset.yaml @@ -20,7 +20,9 @@ spec: {{- range $idx, $value := .Values.gitea.ldap }} checksum/ldap_{{ $idx }}: {{ include "gitea.ldap_settings" (list $idx $value) | sha256sum }} {{- end }} - checksum/oauth: {{ include "gitea.oauth_settings" . | sha256sum }} + {{- range $idx, $value := .Values.gitea.oauth }} + checksum/oauth_{{ $idx }}: {{ include "gitea.oauth_settings" (list $idx $value) | sha256sum }} + {{- end }} {{- with .Values.gitea.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} diff --git a/values.yaml b/values.yaml index 5740b7f..6dec7c5 100644 --- a/values.yaml +++ b/values.yaml @@ -181,18 +181,17 @@ gitea: # usernameAttribute: # publicSSHKeyAttribute: - oauth: - enabled: false - #name: - #provider: - #key: - #secret: - #autoDiscoverUrl: - #useCustomUrls: - #customAuthUrl: - #customTokenUrl: - #customProfileUrl: - #customEmailUrl: + oauth: [] + # - name: 'OAuth 1' + # provider: + # key: + # secret: + # autoDiscoverUrl: + # useCustomUrls: + # customAuthUrl: + # customTokenUrl: + # customProfileUrl: + # customEmailUrl: config: {} # APP_NAME: "Gitea: Git with a cup of tea" -- 2.40.1 From 7a8fe820bf87a99d3d2e8ef96333607e579c7d86 Mon Sep 17 00:00:00 2001 From: justusbunsi Date: Fri, 19 Nov 2021 23:49:16 +0100 Subject: [PATCH 2/2] Allow reading sensitive OAuth settings from secret Closes: #242 --- README.md | 21 +++++++++++++++++++++ templates/_helpers.tpl | 12 ++++++++++-- templates/gitea/statefulset.yaml | 16 ++++++++++++++++ values.yaml | 2 ++ 4 files changed, 49 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a4c2ffb..3b5efd0 100644 --- a/README.md +++ b/README.md 
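Review bot: `checksum/oauth_{{ $idx }}` is the SHA-256 of the complete `gitea.oauth_settings` output, which in this patch still contains `--key '…' --secret '…'` inline, so every pod annotation now publishes a digest of each client secret to anyone who can read pods, and a short or guessable secret can be recovered from that digest offline. This mirrors the previous single `checksum/oauth` annotation rather than introducing the exposure, but the per-source expansion multiplies it. If the annotation only exists to roll the pod on configuration change, hashing the non-sensitive keys is enough: `checksum/oauth_{{ $idx }}: {{ include "gitea.oauth_settings" (list $idx (omit $value "key" "secret")) | sha256sum }}`, accepting that an inline secret rotation then no longer restarts the pod on its own. The enclosing `annotations:` block starts before the hunk.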
@@ -545,6 +545,27 @@ gitea: #customEmailUrl: ``` +You can also use an existing secret to set the `key` and `secret`: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: gitea-oauth-secret +type: Opaque +stringData: + key: hello + secret: world +``` + +```yaml +gitea: + oauth: + - name: 'MyAwesomeGiteaOAuth' + existingSecret: gitea-oauth-secret + ... +``` + ### Metrics and profiling A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 3cc9fb9..e25f816 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -141,9 +141,17 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- $idx := index . 0 }} {{- $values := index . 1 }} +{{- if not (hasKey $values "key") -}} +{{- $_ := set $values "key" (printf "${GITEA_OAUTH_KEY_%d}" $idx) -}} +{{- end -}} + +{{- if not (hasKey $values "secret") -}} +{{- $_ := set $values "secret" (printf "${GITEA_OAUTH_SECRET_%d}" $idx) -}} +{{- end -}} + {{- range $key, $val := $values -}} -{{- if ne $key "enabled" -}} -{{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}} +{{- if and (ne $key "enabled") (ne $key "existingSecret") -}} +{{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}} {{- end -}} {{- end -}} {{- end -}} diff --git a/templates/gitea/statefulset.yaml b/templates/gitea/statefulset.yaml index 052cd50..6542296 100644 --- a/templates/gitea/statefulset.yaml +++ b/templates/gitea/statefulset.yaml 
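Review bot: Swapping `squote` for `quote` double-quotes every argument, not just the two env-var placeholders, so an inline `key`, `secret` or custom URL containing `$`, a backtick or `\` is now expanded by the shell in the init script instead of being passed literally — `quote` is Go `%q` escaping, which protects `"` and `\` but does nothing about shell expansion. The helper also never checks that a missing `key`/`secret` is backed by `existingSecret`; with neither set it renders `--key "${GITEA_OAUTH_KEY_0}"`, the shell expands that to an empty string and gitea receives it silently. Note too that `set $values …` mutates the shared values map, so the placeholder persists into every later `include` of the helper (the statefulset checksum and the init script both call it), which only works today because the `hasKey` guard makes the write idempotent. I would keep literal values single-quoted, emit only the placeholders double-quoted, and `fail` at render time when neither source is configured, without touching the map:

```gotemplate
{{- define "gitea.oauth_settings" -}}
{{- $idx := index . 0 }}
{{- $values := index . 1 }}

{{- /* literal values stay single-quoted so the shell never expands them */ -}}
{{- range $key, $val := $values -}}
{{- if and (ne $key "enabled") (ne $key "existingSecret") -}}
{{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}}
{{- end -}}
{{- end -}}

{{- /* only the env-var placeholders are double-quoted, and only when a Secret backs them */ -}}
{{- range $k := list "key" "secret" -}}
{{- if not (hasKey $values $k) -}}
{{- if not $values.existingSecret -}}
{{- fail (printf "gitea.oauth[%d]: set %s inline or provide existingSecret" $idx $k) -}}
{{- end -}}
{{- printf "--%s \"${GITEA_OAUTH_%s_%d}\" " $k (upper $k) $idx -}}
{{- end -}}
{{- end -}}
{{- end -}}
```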
@@ -142,6 +142,22 @@ spec: {{- end }} {{- end }} {{- end }} + {{- if .Values.gitea.oauth }} + {{- range $idx, $value := .Values.gitea.oauth }} + {{- if $value.existingSecret }} + - name: GITEA_OAUTH_KEY_{{ $idx }} + valueFrom: + secretKeyRef: + key: key + name: {{ $value.existingSecret }} + - name: GITEA_OAUTH_SECRET_{{ $idx }} + valueFrom: + secretKeyRef: + key: secret + name: {{ $value.existingSecret }} + {{- end }} + {{- end }} + {{- end }} {{- if .Values.gitea.admin.existingSecret }} - name: GITEA_ADMIN_USERNAME valueFrom: diff --git a/values.yaml b/values.yaml index 6dec7c5..d22ca52 100644 --- a/values.yaml +++ b/values.yaml @@ -181,11 +181,13 @@ gitea: # usernameAttribute: # publicSSHKeyAttribute: + # Either specify inline `key` and `secret` or refer to them via `existingSecret` oauth: [] # - name: 'OAuth 1' # provider: # key: # secret: + # existingSecret: # autoDiscoverUrl: # useCustomUrls: # customAuthUrl: -- 2.40.1
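Review bot: `name: {{ $value.existingSecret }}` is emitted unquoted on both `secretKeyRef` entries; a templated scalar should be quoted so an unusual value cannot be retyped or break the rendered YAML — `name: {{ $value.existingSecret | quote }}`. Separately, nothing ties the referenced Secret to the checksum annotations from the first patch, which hash the helper output and therefore see only the `${GITEA_OAUTH_…}` placeholder, so rotating the Secret does not roll the pod and, as far as the visible init script shows, the `update-oauth` sync will not run again until the pod is restarted by hand. That deserves a line next to the new `existingSecret` comment in values.yaml, e.g. `# Rotating the referenced Secret does not restart the pod; restart it to re-sync the credentials.` The container `env:` list these entries belong to starts outside the hunk.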