fix: correctly handle tls ingress #94
No reviewers
Labels
No Label
has
backport
in progress
invalid
kind
breaking
kind
bug
kind
build
kind
dependency
kind
deployment
kind
docs
kind
enhancement
kind
feature
kind
lint
kind
proposal
kind
question
kind
refactor
kind
security
kind
testing
kind
translation
kind
ui
need
backport
priority
critical
priority
low
priority
maybe
priority
medium
reviewed
duplicate
reviewed
invalid
reviewed
wontfix
skip-changelog
status
blocked
status
needs-feedback
status
needs-reviews
status
wip
upstream
gitea
upstream
other
No Milestone
No Assignees
5 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: gitea/helm-chart#94
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "huww98/helm-chart:fix-tls-ingress"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This ensures that the the protocol in
ROOT_URL
ishttps
when configuring TLS in ingress resource. Furthermore, we cannot rely on(index .Values.ingress.tls 0).hosts
as it is used for certificates and may contain wildcards.We also don't need to check .Values.ingress.hosts again, because we already set it to
.Values.gitea.config.server.DOMAIN
.Fixes: #307
Sorry, It does not work, I will make another attempt soon.
6f96c17363
to7487fb72ce
7487fb72ce
to7c5c95a615
I've tested it locally this time.
With values.yaml:
it generate:
Sorry, for not responding so long, wasn't available during the holidays. I'll take a look at this issue today.
I don't really understand why this PR is needed. The protocol will already be set in the config if you enable tls.
It only defaults to http. But you can set it manually.
This is already included and will be integrated in the ROOT_URL
Please check again if this PR really is needed.
@luhahn previously, the
ROOT_URL
is not set correctly. forvalues.yaml
from above comment, it generateROOT_URL = http://mydomain.com
, which is wrong in 2 aspect:https
, instead ofhttp
, if TLS is enabled.git.mydomain.com
(.Values.ingress.hosts[0]), instead ofmydomain.com
(.Values.ingress.tls[0].hosts[0]), regardless whether TLS is enabled.See my comment, I worry that this could be a breaking change, if someone is using only ingress to define the ROOT_URL
@ -52,3 +46,1 @@
{{- else -}}
{{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL .Values.gitea.config.server.DOMAIN) -}}
{{- end -}}
{{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" (include "public_protocol" .) .Values.gitea.config.server.DOMAIN) -}}
This change would be okay for domain. But if you're using the current functionality this would be a breaking change. For example, im not using the domain part, just configuring everything via ingress. We should keep the ingress part if no gitea.config.server.DOMAIN is set.
We could alter the current version so that your change would be asked first, and if no domain is set we default to ingress hosts.
That should not be a breaking change, we have set
.Values.gitea.config.server.DOMAIN
to consider values from ingress earlier in this file (Line 40). So your config should just works.4a26e17afd
to60298cdad7
@luhahn Sorry, I don't recieve the notification. This should not be a breaking change. See my reply above. And I have rebased it on the master.
60298cdad7
to300c52ec79
@huww98 There are quite some conflicts again unfortunately. Are you planning to continue/finish this?
@pat-s I have the feeling that this PR won't be finished by the original author. It's open for 2 years now and it looks like this PR got out of everyone's sight.
We really need to ensure that the ROOT_URL is set correctly. Especially with the newer versions of Gitea throwing errors to the frontend in case of mismatches.
If no one is against it I will close this PR next weekend (to give some response chances) and propose another PR based on this one.
cc: @luhahn
300c52ec79
tofe3dfb099c
Rebased. Hopes the review process can be faster, or there will be only endless conflicts.
Probably closing #307.
Hi @huww98. Thanks for your patience and for tackling this issue. I am currently evaluating unit testing for this Helm Chart, so I was curious if your changes would still pass the current main line test cases. You can find the test cases in my fork in a branch including usage instructions. I've included the test results in this comment as collapsed section.
Your changes do fix the wildcard tls + protocol issue for
ROOT_URL
which can be seen in the last test case (7). It's currently failing because it is designed to success on main line.But it seems the current changes do not allow overwriting the
ROOT_URL
anymore (test case 5 of 7). That should still be possible.@luhahn is right about this PR currently being a breaking change. The default settings rendering changed (test case 2 of 7). As we don't know how many users profit from the current "ingress-is-disabled-but-I-use-its-host-value-anyway" logic. There are two ways of handling this:
ROOT_URL
andDOMAIN
.I'd prefer the first option, TBH.
Unit test results
I've also noticed an edge case which isn't considered in main line and not in this PR: Enabled ingress but hosts spec explicitly set to empty array. This leads to a templating error. I've added a commented test case to the test suite covering it. I don't think it's scope of this PR, but important to be aware of.
I agree and also would prefer the first option.
fe3dfb099c
todabeddae98
Thanks for your review and detailed explanation. I was mislead by the
if .Values.ingress.enabled
branch in the original version, and was not aware of this use case.Now I removed the check for enabled ingress. And verified the default settings rendering is not changed.
Sorry for the delay.
I'm curious if one would set DOMAIN and ROOT_URL to be inconsistent for any reason?
Thanks for hanging on so long, LGTM :)
? it. Thank you for your patience.
I've updated the PR description.