Rework app.ini generation (#239)

App ini is now generated by environment-to-ini This should prevent some of the problems we had earlier with persisting the app.ini Co-authored-by: Lucas Hahn <lucas.hahn@novum-rgi.de> Reviewed-on: gitea/helm-chart#239 Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io> Reviewed-by: Andrew Thornton <art27@cantab.net> Co-authored-by: luhahn <luhahn@noreply.gitea.io> Co-committed-by: luhahn <luhahn@noreply.gitea.io>
2021-11-20 05:15:45 +08:00
parent 82763f109b
commit 0461fa92a9
4 changed files with 118 additions and 44 deletions
--- a/README.md
+++ b/README.md
@@ -37,6 +37,35 @@ helm install gitea gitea-charts/gitea
 - Helm 3.0+ 
 - PV provisioner for persistent data support 
 
+## Chart upgrade to 5.0.0 
+ 
+:warning: The most recent `5.0.0` update brings some major and breaking changes. 
+Please note the following changes in the Chart to upgrade successfully. :warning: 
+ 
+### App.ini generation 
+ 
+The app.ini generation has changed and now utilizes the environment-to-ini 
+script provided by newer Gitea versions. 
+ 
+:boom: The Helm Chart now requires Gitea versions of at least 1.11.0. 
+ 
+This change ensures, that the app.ini is now persistent. 
+ 
+#### Secret Key generation 
+ 
+Gitea secret keys (SECRET_KEY, INTERNAL_TOKEN, JWT_SECRET) are now generated 
+automatically in certain situations: 
+ 
+- New install: By default the secrets are created automatically. If you provide 
+ secrets via `gitea.config` they will be used instead of automatic generation. 
+- Existing installs: The secrets won't be deployed, neither via 
+ configuration nor via auto generation. We explicitly prevent to set new secrets. 
+ 
+:rotating_light: It would be possible to set new secret keys manually by entering 
+the running container and rewriting the app.ini by hand. However, this it is 
+not advisable to do so for existing installations. Certain settings like 
+_LDAP_ would not be readable anymore. 
+ 
 ## Chart upgrade from 3.x.x to 4.0.0 
 
 :warning: The most recent `4.0.0` update brings some breaking changes. Please note 
@@ -523,48 +552,48 @@ gitea:
 
 ### Others 
 
-| Parameter | Description | Default | 
-| ------------------------------------------| -------------------------------------------------------- | ------- | 
-| statefulset.terminationGracePeriodSeconds | How long to wait until forcefully kill the pod | `60` | 
-| statefulset.env | Additional environment variables to pass to containers | `[]` | 
-| extraVolumes | Additional volumes to mount to the Gitea statefulset | `{}` | 
-| extraVolumeMounts | Additional volume mounts for the Gitea containers | `{}` | 
-| initPreScript | Bash script copied verbatim to start of init container | | 
-| securityContext | Run as a specific securityContext | `{}` | 
-| schedulerName | Use an alternate scheduler, e.g. "stork" | | 
+| Parameter  | Description  | Default | 
+| ------------------------------------------- | -------------------------------------------------------------------- | ------- | 
+| `statefulset.terminationGracePeriodSeconds` | How long to wait until forcefully kill the pod  | `60` | 
+| `statefulset.env` | Additional environment variables to pass to containers  | `[]` | 
+| `extraVolumes` | Additional volumes to mount to the Gitea statefulset  | `{}` | 
+| `extraVolumeMounts` | Additional volume mounts for the Gitea containers  | `{}` | 
+| `initPreScript` | Bash script copied verbatim to start of init container  | | 
+| `securityContext` | Run as a specific securityContext  | `{}` | 
+| `schedulerName` | Use an alternate scheduler, e.g. "stork"  | | 
 
 ### Image 
 
-| Parameter | Description | Default | 
-| -----------------| ----------------------------------------------------------------------------------------- | ------------- | 
-| image.repository | Image to start for this pod | `gitea/gitea` | 
-| image.tag | [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated) | `1.14.6` | 
-| image.pullPolicy | Image pull policy | `Always` | 
-| image.rootless | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher | `false` | 
+| Parameter  | Description | Default | 
+| ------------------ | ----------------------------------------------------------------------------------------- | ------------- | 
+| `image.repository` | Image to start for this pod | `gitea/gitea` | 
+| `image.tag` | [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated) | `1.14.6` | 
+| `image.pullPolicy` | Image pull policy | `Always` | 
+| `image.rootless` | Wether or not to pull the rootless version of Gitea, only works on Gitea 1.14.x or higher | `false` | 
 
 ### Persistence 
 
-| Parameter | Description | Default | 
-| ------------------------- | ---------------------------------------------------------- | ------- | 
-| persistence.enabled | Enable persistence for Gitea | `true` | 
-| persistence.existingClaim | Use an existing claim to store repository information | | 
-| persistence.size | Size for persistence to store repo information | `10Gi` | 
-| persistence.accessModes | AccessMode for persistence | | 
-| persistence.storageClass | Storage class for repository persistence | | 
-| persistence.labels | Labels for the persistence volume claim to be created | `{}` | 
-| persistence.annotations | Annotations for the persistence volume claim to be created | `{}` | 
+| Parameter  | Description | Default | 
+| --------------------------- | ---------------------------------------------------------- | ------- | 
+| `persistence.enabled` | Enable persistence for Gitea | `true` | 
+| `persistence.existingClaim` | Use an existing claim to store repository information | | 
+| `persistence.size` | Size for persistence to store repo information | `10Gi` | 
+| `persistence.accessModes` | AccessMode for persistence | | 
+| `persistence.storageClass` | Storage class for repository persistence | | 
+| `persistence.labels` | Labels for the persistence volume claim to be created | `{}` | 
+| `persistence.annotations` | Annotations for the persistence volume claim to be created | `{}` | 
 
 ### Ingress 
 
-| Parameter | Description | Default | 
-| ---------------------------------- | ---------------------------------------------- | ----------------- | 
-| ingress.enabled | enable ingress | `false` | 
-| ingress.annotations | add ingress annotations | | 
-| ingress.hosts[0].host | add hosts for ingress | `git.example.com` | 
-| ingress.hosts[0].paths[0].path | add path for each ingress host | `/` | 
-| ingress.hosts[0].paths[0].pathType | add ingress path type | `Prefix` | 
-| ingress.tls | add ingress tls settings | `[]` | 
-| ingress.className | add ingress class name. Only used in k8s 1.19+ | | 
+| Parameter  | Description | Default | 
+| ------------------------------------ | ---------------------------------------------- | ----------------- | 
+| `ingress.enabled` | enable ingress | `false` | 
+| `ingress.annotations` | add ingress annotations | | 
+| `ingress.hosts[0].host` | add hosts for ingress | `git.example.com` | 
+| `ingress.hosts[0].paths[0].path` | add path for each ingress host | `/` | 
+| `ingress.hosts[0].paths[0].pathType` | add ingress path type | `Prefix` | 
+| `ingress.tls` | add ingress tls settings | `[]` | 
+| `ingress.className` | add ingress class name. Only used in k8s 1.19+ | | 
 
 ### Service 
 
--- a/templates/gitea/config.yaml
+++ b/templates/gitea/config.yaml
@@ -6,7 +6,10 @@ metadata:
 {{- include "gitea.labels" . | nindent 4 }} 
 type: Opaque 
 stringData: 
- app.ini: |- 
+ config_environment.sh: |- 
+ #!/usr/bin/env bash 
+ set -euo pipefail 
+ 
 {{- if not (hasKey .Values.gitea.config "cache") -}} 
 {{- $_ := set .Values.gitea.config "cache" dict -}} 
 {{- end -}} 
@@ -31,6 +34,10 @@ stringData:
 {{- $_ := set .Values.gitea.config "repository" dict -}} 
 {{- end -}} 
 
+ {{- if not (hasKey .Values.gitea.config "oauth2") -}} 
+ {{- $_ := set .Values.gitea.config "oauth2" dict -}} 
+ {{- end -}} 
+ 
 {{- /* repository default settings */ -}} 
 {{- if not .Values.gitea.config.repository.ROOT -}} 
 {{- $_ := set .Values.gitea.config.repository "ROOT" "/data/git/gitea-repositories" -}} 
@@ -132,17 +139,34 @@ stringData:
 {{- end -}} 
 {{- end -}} 
 
- {{- /* autogenerate app.ini */ -}} 
+ {{- if not (hasKey .Values.gitea.config.security "INTERNAL_TOKEN") }} 
+ export ENV_TO_INI__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN) 
+ {{- end }} 
+ {{- if not (hasKey .Values.gitea.config.security "SECRET_KEY") }} 
+ export ENV_TO_INI__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY) 
+ {{- end }} 
+ {{- if not (hasKey .Values.gitea.config.oauth2 "JWT_SECRET") }} 
+ export ENV_TO_INI__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET) 
+ {{- end }} 
+ 
+ {{- /* autogenerate app.ini environment values */ -}} 
 {{- range $key, $value := .Values.gitea.config }} 
 {{- if kindIs "map" $value }} 
 {{- if gt (len $value) 0 }} 
- 
- [{{ $key }}] 
 {{- range $n_key, $n_value := $value }} 
- {{ $n_key | upper }} = {{ $n_value }} 
+ export ENV_TO_INI__{{ $key | upper | replace "." "_0X2E_" | replace "-" "_0X2D_" }}__{{ $n_key | upper }}={{ $n_value }} 
 {{- end }} 
 {{- end }} 
 {{- else }} 
- {{ $key | upper }} = {{ $value }} 
+ export ENV_TO_INI__{{ $key | upper | replace "." "_0X2E_" | replace "-" "_0X2D_" }}__{{ $key | upper }}={{ $value }} 
 {{- end }} 
 {{- end }} 
+ 
+ # safety to prevent rewrite of secret keys if an app.ini already exists 
+ if [ -f ${GITEA_APP_INI} ]; then 
+ unset ENV_TO_INI__SECURITY__INTERNAL_TOKEN 
+ unset ENV_TO_INI__SECURITY__SECRET_KEY 
+ unset ENV_TO_INI__OAUTH2__JWT_SECRET 
+ fi 
+ 
+ environment-to-ini -o $GITEA_APP_INI -p ENV_TO_INI 
--- a/templates/gitea/init.yaml
+++ b/templates/gitea/init.yaml
@@ -33,9 +33,6 @@ stringData:
 chown 1000:1000 "${GITEA_TEMP}" 
 chmod ug+rwx "${GITEA_TEMP}" 
 
- # Copy config file to writable volume 
- cp /etc/gitea/conf/app.ini /data/gitea/conf/app.ini 
- chmod a+rwx /data/gitea/conf/app.ini 
 configure_gitea.sh: |- 
 #!/usr/bin/env bash 
 
--- a/templates/gitea/statefulset.yaml
+++ b/templates/gitea/statefulset.yaml
@@ -60,8 +60,31 @@ spec:
 mountPath: /usr/sbin 
 - name: temp 
 mountPath: /tmp 
+ - name: data 
+ mountPath: /data 
+ {{- if .Values.extraVolumeMounts }} 
+ {{- toYaml .Values.extraVolumeMounts | nindent 12 }} 
+ {{- end }} 
+ - name: init-app-ini 
+ image: "{{ include "gitea.image" . }}" 
+ command: ["/usr/sbin/config_environment.sh"] 
+ env: 
+ - name: GITEA_APP_INI 
+ value: /data/gitea/conf/app.ini 
+ - name: GITEA_CUSTOM 
+ value: /data/gitea 
+ - name: GITEA_WORK_DIR 
+ value: /data 
+ - name: GITEA_TEMP 
+ value: /tmp/gitea 
+ {{- if .Values.statefulset.env }} 
+ {{- toYaml .Values.statefulset.env | nindent 12 }} 
+ {{- end }} 
+ volumeMounts: 
 - name: config 
- mountPath: /etc/gitea/conf 
+ mountPath: /usr/sbin 
+ - name: temp 
+ mountPath: /tmp 
 - name: data 
 mountPath: /data 
 {{- if .Values.extraVolumeMounts }} 
@@ -236,10 +259,11 @@ spec:
 - name: init 
 secret: 
 secretName: {{ include "gitea.fullname" . }}-init 
- defaultMode: 0777 
+ defaultMode: 110 
 - name: config 
 secret: 
 secretName: {{ include "gitea.fullname" . }} 
+ defaultMode: 110 
 {{- if .Values.extraVolumes }} 
 {{- toYaml .Values.extraVolumes | nindent 8 }} 
 {{- end }}