From 985d21c009addd61c8e3e78029fc509fc23df5b2 Mon Sep 17 00:00:00 2001
From: James Blair
Date: Mon, 17 Jul 2023 11:44:04 +1200
Subject: [PATCH] Start updating gitea for 1.20.0.
---
 gitea/templates/config.yaml | 24 +++++-----
 gitea/templates/init.yaml | 17 +++++++-
 gitea/templates/statefulset.yaml | 75 +++++++++++++++++++++++++++++++-
 gitea/values.yaml | 8 ++++
 4 files changed, 109 insertions(+), 15 deletions(-)
diff --git a/gitea/templates/config.yaml b/gitea/templates/config.yaml
index bcc7c4d..19b5a72 100644
--- a/gitea/templates/config.yaml
+++ b/gitea/templates/config.yaml
@@ -53,14 +53,14 @@ stringData:
 env2ini::log " + '${setting}'"
 if [[ -z "${section}" ]]; then
- export "ENV_TO_INI____${setting^^}=${value}" # '^^' makes the variable content uppercase
+ export "GITEA____${setting^^}=${value}" # '^^' makes the variable content uppercase
 return
 fi
 local masked_section="${section//./_0X2E_}" # '//' instructs to replace all matches
 masked_section="${masked_section//-/_0X2D_}"
- export "ENV_TO_INI__${masked_section^^}__${setting^^}=${value}" # '^^' makes the variable content uppercase
+ export "GITEA__${masked_section^^}__${setting^^}=${value}" # '^^' makes the variable content uppercase
 }
 function env2ini::reload_preset_envs() {
@@ -134,15 +134,15 @@ stringData:
 # - initially used to set up Gitea
 # Anyway, they won't harm existing app.ini files
- export ENV_TO_INI__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
- export ENV_TO_INI__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
- export ENV_TO_INI__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
- export ENV_TO_INI__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
+ export GITEA__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
+ export GITEA__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
+ export GITEA__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
+ export GITEA__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
 env2ini::log "...Initial secrets generated\n"
 }
- env | (grep ENV_TO_INI || [[ $? == 1 ]]) > /tmp/existing-envs
+ env | (grep GITEA || [[ $? == 1 ]]) > /tmp/existing-envs
 # MUST BE CALLED BEFORE OTHER CONFIGURATION
 env2ini::generate_initial_secrets
@@ -163,10 +163,10 @@ stringData:
 env2ini::log ' - oauth2.JWT_SECRET'
 env2ini::log ' - server.LFS_JWT_SECRET'
- unset ENV_TO_INI__SECURITY__INTERNAL_TOKEN
- unset ENV_TO_INI__SECURITY__SECRET_KEY
- unset ENV_TO_INI__OAUTH2__JWT_SECRET
- unset ENV_TO_INI__SERVER__LFS_JWT_SECRET
+ unset GITEA__SECURITY__INTERNAL_TOKEN
+ unset GITEA__SECURITY__SECRET_KEY
+ unset GITEA__OAUTH2__JWT_SECRET
+ unset GITEA__SERVER__LFS_JWT_SECRET
 fi
- environment-to-ini -o $GITEA_APP_INI -p ENV_TO_INI
+ environment-to-ini -o $GITEA_APP_INI
\ No newline at end of file
diff --git a/gitea/templates/init.yaml b/gitea/templates/init.yaml
index 00af29b..e8ea51b 100644
--- a/gitea/templates/init.yaml
+++ b/gitea/templates/init.yaml
@@ -6,6 +6,11 @@ metadata:
 {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
+ configure_gpg_environment.sh: |-
+ #!/usr/bin/env bash
+ set -eu
+ gpg --batch --import /raw/private.asc
 init_directory_structure.sh: |-
 #!/usr/bin/env bash
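Review bot: `grep GITEA` on the `env | (grep GITEA || [[ $? == 1 ]]) > /tmp/existing-envs` line matches far more than the old `grep ENV_TO_INI` did — every runtime variable such as GITEA_APP_INI, GITEA_CUSTOM and GITEA_TEMP now lands in /tmp/existing-envs as well. Its consumer is outside the hunk, so this is presumably harmless if the file is only re-exported later, but it blurs the intent of "settings the caller provided". Anchoring the pattern to the mapped prefix, `env | (grep '^GITEA__' || [[ $? == 1 ]]) > /tmp/existing-envs`, keeps only the config-mapped variables; the section-less `GITEA____KEY` form still matches. The enclosing script continues outside the hunk.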
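Review bot: The new `environment-to-ini -o $GITEA_APP_INI` drops `-p ENV_TO_INI` without saying why, so the script now silently depends on the tool's built-in default prefix agreeing with the `GITEA__` names exported above, presumably because the 1.20 binary defaults to that prefix. A one-line comment above it, `# 1.20: environment-to-ini maps GITEA__SECTION__KEY by default, so no -p prefix is passed`, makes that dependency explicit for the next upgrade. While touching the line, quote the path (`environment-to-ini -o "${GITEA_APP_INI}"`) to match the `"${GITEA_TEMP}"` quoting used in init.yaml, and restore the trailing newline this hunk removes.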
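Review bot: configure_gpg_environment.sh imports the key without checking that GNUPGHOME is set — `set -u` only trips on an explicit reference, so if the variable is missing gpg falls back to the container user's default home rather than the directory init_directory_structure.sh prepares, and the import silently lands in the wrong place. A guard after `set -eu`, `: "${GNUPGHOME:?GNUPGHOME must point at the persisted signing key directory}"`, fails fast instead. A short header comment stating that /raw/private.asc is the mounted signing key secret and that the script runs on every pod start would also help a reader of the rendered Secret.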
@@ -26,7 +31,7 @@ stringData:
 {{- end }}
 mkdir -p /data/git/.ssh
 chmod -R 700 /data/git/.ssh
- [ ! -d /data/gitea ] && mkdir -p /data/gitea/conf
+ [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
 # prepare temp directory structure
 mkdir -p "${GITEA_TEMP}"
@@ -35,6 +40,14 @@ stringData:
 {{- end }}
 chmod ug+rwx "${GITEA_TEMP}"
+ {{ if .Values.signing.enabled -}}
+ if [ ! -d "${GNUPGHOME}" ]; then
+ mkdir -p "${GNUPGHOME}"
+ chmod 700 "${GNUPGHOME}"
+ chown 1000:1000 "${GNUPGHOME}"
+ fi
+ {{- end }}
+
 configure_gitea.sh: |-
 #!/usr/bin/env bash
@@ -113,4 +126,4 @@ stringData:
 configure_oauth
- echo '==== END GITEA CONFIGURATION ===='
+ echo '==== END GITEA CONFIGURATION ===='
\ No newline at end of file
diff --git a/gitea/templates/statefulset.yaml b/gitea/templates/statefulset.yaml
index a8395b8..8106c99 100644
--- a/gitea/templates/statefulset.yaml
+++ b/gitea/templates/statefulset.yaml
@@ -39,6 +39,12 @@ spec:
 {{- if .Values.schedulerName }}
 schedulerName: "{{ .Values.schedulerName }}"
 {{- end }}
+ {{- if (or .Values.serviceAccount.create .Values.serviceAccount.name) }}
+ serviceAccountName: {{ include "gitea.serviceAccountName" . }}
+ {{- end }}
+ {{- if .Values.priorityClassName }}
+ priorityClassName: "{{ .Values.priorityClassName }}"
+ {{- end }}
 {{- include "gitea.images.pullSecrets" . | nindent 6 }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -59,6 +65,10 @@ spec:
 {{- if .Values.statefulset.env }}
 {{- toYaml .Values.statefulset.env | nindent 12 }}
 {{- end }}
+ {{- if .Values.signing.enabled }}
+ - name: GNUPGHOME
+ value: {{ .Values.signing.gpgHome }}
+ {{- end }}
 volumeMounts:
 - name: init
 mountPath: /usr/sbin
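Review bot: The corrected guard `[ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf` is now redundant, because `mkdir -p` already succeeds when the directory exists; `mkdir -p /data/gitea/conf` on its own does the same work and avoids an `&&` list whose failing left side has to be tolerated if this script runs under `set -e` like the new configure_gpg_environment.sh does. The fix itself is right — the old test skipped creating conf whenever /data/gitea existed — so this is a point of style only. The enclosing script starts and ends outside the hunk.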
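Review bot: `chown 1000:1000 "${GNUPGHOME}"` hard-codes the uid that the configure-gpg init container in statefulset.yaml only defaults to — that container copies containerSecurityContext and sets runAsUser to 1000 solely when the key is absent, so a chart user who sets containerSecurityContext.runAsUser to another uid gets a mode-700 key directory owned by a different user and gpg running as that uid cannot write its keyrings there. Either derive the owner from the same value, e.g. `chown {{ .Values.containerSecurityContext.runAsUser | default 1000 }}:{{ .Values.containerSecurityContext.runAsGroup | default 1000 }} "${GNUPGHOME}"`, or document the shared 1000 assumption next to both sites. Separately, `{{ if .Values.signing.enabled -}}` is the one opening action in these hunks written without the leading dash, which leaves a whitespace-only line in the rendered script when signing is disabled; `{{- if` matches the surrounding style.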
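Review bot: The pod spec gains serviceAccountName but nothing in this hunk sets `automountServiceAccountToken`, while values.yaml in this same patch introduces `serviceAccount.automountServiceAccountToken: false`. Unless a serviceaccount template outside this diff applies that field on the ServiceAccount object, the new value is inert and the Gitea pod keeps mounting an API token the visible templates never use; adding `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}` next to serviceAccountName honours the value regardless, since the pod-level field takes precedence over the ServiceAccount's setting. That also keeps the default-off behaviour when `serviceAccount.create` is false and the pod falls back to the namespace default account.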
@@ -72,6 +82,8 @@ spec:
 {{- include "gitea.init-additional-mounts" . | nindent 12 }}
 securityContext:
 {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+ resources:
+ {{- toYaml .Values.initContainers.resources | nindent 12 }}
 - name: init-app-ini
 image: "{{ include "gitea.image" . }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -110,6 +122,40 @@ spec:
 {{- include "gitea.init-additional-mounts" . | nindent 12 }}
 securityContext:
 {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+ resources:
+ {{- toYaml .Values.initContainers.resources | nindent 12 }}
+ {{- if .Values.signing.enabled }}
+ - name: configure-gpg
+ image: "{{ include "gitea.image" . }}"
+ command: ["/usr/sbin/configure_gpg_environment.sh"]
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ securityContext:
+ {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
+ {{- $csc := deepCopy .Values.containerSecurityContext -}}
+ {{- if not (hasKey $csc "runAsUser") -}}
+ {{- $_ := set $csc "runAsUser" 1000 -}}
+ {{- end -}}
+ {{- toYaml $csc | nindent 12 }}
+ env:
+ - name: GNUPGHOME
+ value: {{ .Values.signing.gpgHome }}
+ volumeMounts:
+ - name: init
+ mountPath: /usr/sbin
+ - name: data
+ mountPath: /data
+ {{- if .Values.persistence.subPath }}
+ subPath: {{ .Values.persistence.subPath }}
+ {{- end }}
+ - name: gpg-private-key
+ mountPath: /raw
+ readOnly: true
+ {{- if .Values.extraVolumeMounts }}
+ {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+ {{- end }}
+ resources:
+ {{- toYaml .Values.initContainers.resources | nindent 12 }}
+ {{- end }}
 - name: configure-gitea
 image: "{{ include "gitea.image" . }}"
 command: ["/usr/sbin/configure_gitea.sh"]
@@ -130,6 +176,10 @@ spec:
 value: /data
 - name: GITEA_TEMP
 value: /tmp/gitea
+ {{- if .Values.image.rootless }}
+ - name: HOME
+ value: /data/gitea/git
+ {{- end }}
 {{- if .Values.gitea.ldap }}
 {{- range $idx, $value := .Values.gitea.ldap }}
 {{- if $value.existingSecret }}
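Review bot: The template comment `By default this container runs as user 1000 unless otherwise stated` on the configure-gpg container says what the `$csc` block does but not why 1000 in particular; the reason is that init_directory_structure.sh in init.yaml chowns `${GNUPGHOME}` to 1000:1000, and the two must agree for gpg to write into a mode-700 directory. Suggest `{{- /* Default runAsUser to 1000 to match the chown 1000:1000 of GNUPGHOME in init_directory_structure.sh; change both together */ -}}`. Also `imagePullPolicy` sits between `command` and `securityContext` here, whereas init-app-ini in the hunk above puts it directly after `image`, so moving it up keeps the init containers uniform.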
@@ -198,6 +248,8 @@ spec:
 subPath: {{ .Values.persistence.subPath }}
 {{- end }}
 {{- include "gitea.init-additional-mounts" . | nindent 12 }}
+ resources:
+ {{- toYaml .Values.initContainers.resources | nindent 12 }}
 terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
 containers:
 - name: {{ .Chart.Name }}
@@ -209,6 +261,10 @@ spec:
 value: {{ .Values.gitea.config.server.SSH_LISTEN_PORT | quote }}
 - name: SSH_PORT
 value: {{ .Values.gitea.config.server.SSH_PORT | quote }}
+ {{- if not .Values.image.rootless }}
+ - name: SSH_LOG_LEVEL
+ value: {{ .Values.gitea.ssh.logLevel | quote }}
+ {{- end }}
 - name: GITEA_APP_INI
 value: /data/gitea/conf/app.ini
 - name: GITEA_CUSTOM
@@ -219,6 +275,10 @@ spec:
 value: /tmp/gitea
 - name: TMPDIR
 value: /tmp/gitea
+ {{- if .Values.image.rootless }}
+ - name: HOME
+ value: /data/gitea/git
+ {{- end }}
 {{- if .Values.signing.enabled }}
 - name: GNUPGHOME
 value: {{ .Values.signing.gpgHome }}
@@ -268,6 +328,10 @@ spec:
 subPath: {{ .Values.persistence.subPath }}
 {{- end }}
 {{- include "gitea.container-additional-mounts" . | nindent 12 }}
+ {{- with .Values.global.hostAliases }}
+ hostAliases:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
@@ -305,6 +369,15 @@ spec:
 {{- end }}
 - name: temp
 emptyDir: {}
+ {{- if .Values.signing.enabled }}
+ - name: gpg-private-key
+ secret:
+ secretName: {{ include "gitea.gpg-key-secret-name" . }}
+ items:
+ - key: privateKey
+ path: private.asc
+ defaultMode: 0100
+ {{- end }}
 {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
 - name: data
 persistentVolumeClaim:
@@ -339,4 +412,4 @@ spec:
 resources:
 requests:
 storage: {{ .Values.persistence.size | quote }}
- {{- end }}
+ {{- end }}
\ No newline at end of file
diff --git a/gitea/values.yaml b/gitea/values.yaml
index 252532b..3f4dc7d 100644
--- a/gitea/values.yaml
+++ b/gitea/values.yaml
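Review bot: `defaultMode: 0100` on the gpg-private-key volume is read as octal (0o100, decimal 64), i.e. the owner-execute bit only, so the private.asc file is not readable by the configure-gpg container's user unless something outside this hunk widens it — most likely an fsGroup in podSecurityContext, which causes kubelet to add group read/write on secret files. Without that, the `gpg --batch --import /raw/private.asc` step in configure_gpg_environment.sh would fail with permission denied. If 0100 is deliberate and relies on fsGroup, record that on the line, e.g. `defaultMode: 0100  # relies on podSecurityContext.fsGroup adding group read; the key must never be world-readable`; otherwise `defaultMode: 0400` states the actual requirement — readable by the importing user, never executable.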
@@ -72,6 +72,14 @@ ingress:
 hosts:
 - gitea.jamma.dev
+serviceAccount:
+ create: false
+ name: ""
+ automountServiceAccountToken: false
+ imagePullSecrets: []
+ annotations: {}
+ labels: {}
+
 resources:
 limits:
 cpu: 1
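Review bot: The values.yaml change adds only the serviceAccount block, yet the templates in this patch also read `.Values.initContainers.resources`, `.Values.gitea.ssh.logLevel`, `.Values.priorityClassName` and `.Values.global.hostAliases`; unless those keys already exist elsewhere in the file, `toYaml .Values.initContainers.resources` renders `resources: null` on every init container and `.Values.gitea.ssh.logLevel | quote` renders an empty `value:`, both of which helm template accepts silently. Add the missing defaults — for example `initContainers:` with `resources: {}` and a `gitea.ssh.logLevel` entry (a constructed value such as `"INFO"` would do) — so the chart documents its own inputs. Also `serviceAccount.imagePullSecrets: []` has no consumer in the visible templates, which still rely on the `gitea.images.pullSecrets` include, so either wire it through or leave it out until it is used.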