Rework OAuth sources #244
51
README.md
51
README.md
|
|
@ -87,6 +87,13 @@ gitea:
|
|||
podAnnotations: {}
|
||||
```
|
||||
|
||||
### Multiple OAuth authentication sources
|
||||
|
||||
With `5.0.0` of this Chart it is now possible to configure Gitea with multiple
|
||||
OAuth sources. As a result, you need to update an existing OAuth configuration
|
||||
in your customized `values.yaml` by replacing the object with settings to a list
|
||||
of settings objects. See [OAuth2 Settings](#oauth-settings) section for details.
|
||||
|
||||
## Chart upgrade from 3.x.x to 4.0.0
|
||||
|
||||
:warning: The most recent `4.0.0` update brings some breaking changes. Please note
|
||||
|
|
@ -521,20 +528,42 @@ deleted. Deleting OAuth2 settings has to be done in the ui. All OAuth2 values,
|
|||
which are documented [here](https://docs.gitea.io/en-us/command-line/#admin), are
|
||||
available.
|
||||
|
||||
Multiple OAuth2 sources can be configured with additional OAuth list items.
|
||||
|
||||
```yaml
|
||||
gitea:
|
||||
oauth:
|
||||
enabled: true
|
||||
name: 'MyAwesomeGiteaOAuth'
|
||||
provider: 'openidConnect'
|
||||
key: 'hello'
|
||||
secret: 'world'
|
||||
autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration'
|
||||
#useCustomUrls:
|
||||
#customAuthUrl:
|
||||
#customTokenUrl:
|
||||
#customProfileUrl:
|
||||
#customEmailUrl:
|
||||
- name: 'MyAwesomeGiteaOAuth'
|
||||
provider: 'openidConnect'
|
||||
key: 'hello'
|
||||
secret: 'world'
|
||||
autoDiscoverUrl: 'https://gitea.example.com/.well-known/openid-configuration'
|
||||
#useCustomUrls:
|
||||
#customAuthUrl:
|
||||
#customTokenUrl:
|
||||
#customProfileUrl:
|
||||
#customEmailUrl:
|
||||
```
|
||||
|
||||
You can also use an existing secret to set the `key` and `secret`:
|
||||
|
||||
```yaml
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: gitea-oauth-secret
|
||||
type: Opaque
|
||||
stringData:
|
||||
key: hello
|
||||
secret: world
|
||||
```
|
||||
|
||||
```yaml
|
||||
gitea:
|
||||
oauth:
|
||||
- name: 'MyAwesomeGiteaOAuth'
|
||||
existingSecret: gitea-oauth-secret
|
||||
...
|
||||
```
|
||||
|
||||
### Metrics and profiling
|
||||
|
|
|
|||
|
|
@ -138,9 +138,20 @@ app.kubernetes.io/instance: {{ .Release.Name }}
|
|||
{{- end -}}
|
||||
|
||||
{{- define "gitea.oauth_settings" -}}
|
||||
{{- range $key, $val := .Values.gitea.oauth -}}
|
||||
{{- if ne $key "enabled" -}}
|
||||
{{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}}
|
||||
{{- $idx := index . 0 }}
|
||||
|
justusbunsi marked this conversation as resolved
Outdated
|
||||
{{- $values := index . 1 }}
|
||||
|
||||
{{- if not (hasKey $values "key") -}}
|
||||
{{- $_ := set $values "key" (printf "${GITEA_OAUTH_KEY_%d}" $idx) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if not (hasKey $values "secret") -}}
|
||||
{{- $_ := set $values "secret" (printf "${GITEA_OAUTH_SECRET_%d}" $idx) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- range $key, $val := $values -}}
|
||||
{{- if and (ne $key "enabled") (ne $key "existingSecret") -}}
|
||||
{{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
|
|
|||
|
|
@ -104,23 +104,27 @@ stringData:
|
|||
|
||||
configure_ldap
|
||||
|
||||
{{- if .Values.gitea.oauth.enabled }}
|
||||
function configure_oauth() {
|
||||
local OAUTH_NAME={{ (printf "%s" .Values.gitea.oauth.name) | squote }}
|
||||
{{- if .Values.gitea.oauth }}
|
||||
{{- range $idx, $value := .Values.gitea.oauth }}
|
||||
local OAUTH_NAME={{ (printf "%s" $value.name) | squote }}
|
||||
local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " " "{print \$1}")
|
||||
|
||||
if [[ -z "${AUTH_ID}" ]]; then
|
||||
echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."
|
||||
gitea admin auth add-oauth {{- include "gitea.oauth_settings" . | indent 1 }}
|
||||
gitea admin auth add-oauth {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }}
|
||||
echo '...installed.'
|
||||
else
|
||||
echo "Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'. Running update to sync settings..."
|
||||
gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" . | indent 1 }}
|
||||
gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" (list $idx $value) | indent 1 }}
|
||||
echo '...sync settings done.'
|
||||
fi
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
echo 'no oauth configuration... skipping.'
|
||||
{{- end }}
|
||||
}
|
||||
|
||||
configure_oauth
|
||||
{{- end }}
|
||||
|
||||
echo '==== END GITEA CONFIGURATION ===='
|
||||
|
|
|
|||
|
|
@ -20,7 +20,9 @@ spec:
|
|||
{{- range $idx, $value := .Values.gitea.ldap }}
|
||||
checksum/ldap_{{ $idx }}: {{ include "gitea.ldap_settings" (list $idx $value) | sha256sum }}
|
||||
{{- end }}
|
||||
checksum/oauth: {{ include "gitea.oauth_settings" . | sha256sum }}
|
||||
{{- range $idx, $value := .Values.gitea.oauth }}
|
||||
checksum/oauth_{{ $idx }}: {{ include "gitea.oauth_settings" (list $idx $value) | sha256sum }}
|
||||
{{- end }}
|
||||
{{- with .Values.gitea.podAnnotations }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
|
|
@ -140,6 +142,22 @@ spec:
|
|||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.gitea.oauth }}
|
||||
{{- range $idx, $value := .Values.gitea.oauth }}
|
||||
{{- if $value.existingSecret }}
|
||||
- name: GITEA_OAUTH_KEY_{{ $idx }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: key
|
||||
name: {{ $value.existingSecret }}
|
||||
- name: GITEA_OAUTH_SECRET_{{ $idx }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: secret
|
||||
name: {{ $value.existingSecret }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.gitea.admin.existingSecret }}
|
||||
- name: GITEA_ADMIN_USERNAME
|
||||
valueFrom:
|
||||
|
|
|
|||
25
values.yaml
25
values.yaml
|
|
@ -181,18 +181,19 @@ gitea:
|
|||
# usernameAttribute:
|
||||
# publicSSHKeyAttribute:
|
||||
|
||||
oauth:
|
||||
enabled: false
|
||||
#name:
|
||||
#provider:
|
||||
#key:
|
||||
#secret:
|
||||
#autoDiscoverUrl:
|
||||
#useCustomUrls:
|
||||
#customAuthUrl:
|
||||
#customTokenUrl:
|
||||
#customProfileUrl:
|
||||
#customEmailUrl:
|
||||
# Either specify inline `key` and `secret` or refer to them via `existingSecret`
|
||||
oauth: []
|
||||
# - name: 'OAuth 1'
|
||||
# provider:
|
||||
# key:
|
||||
# secret:
|
||||
# existingSecret:
|
||||
# autoDiscoverUrl:
|
||||
# useCustomUrls:
|
||||
# customAuthUrl:
|
||||
# customTokenUrl:
|
||||
# customProfileUrl:
|
||||
# customEmailUrl:
|
||||
|
||||
config: {}
|
||||
# APP_NAME: "Gitea: Git with a cup of tea"
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user
we could add oauth password/secret key deployment via existing secrets like in the ldap settings. Otherwise idx won't be needed here.