Enable admin user password creation/update mode in values (#677)

### Description of the change

This enables sane modes for forcing reset, as well as providing more options to users of the chart by giving them the flexibility to set the mode for password creation/modification as part of init whether the user exists or not.

### Benefits

The new default should revert to the behavior before #673 became an issue, while also providing more flexibility for users who want to be able to manage their initial admin user password out-of-band after creating it the first time.

### Possible drawbacks

None that I can think of.

### Applicable issues

- fixes #673

### Additional information

See the discussion in #675 as well

### Checklist

- [X] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/677
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.com>
Co-authored-by: James Harmison <jharmison@gmail.com>
Co-committed-by: James Harmison <jharmison@gmail.com>
This commit is contained in:
James Harmison 2024-07-07 09:59:29 +00:00 committed by justusbunsi
parent 6226e4eaea
commit 1dbf171ad3
5 changed files with 67 additions and 20 deletions


@ -569,6 +569,20 @@ gitea:
existingSecret: gitea-admin-secret existingSecret: gitea-admin-secret
``` ```
Whether you use the existing Secret or specify a user name and password, there are three modes for how the admin user password is created or set.
- `keepUpdated` (the default) will set the admin user password, and reset it to the defined value every time the pod is recreated.
- `initialOnlyNoReset` will set the admin user password when creating it, but never try to update the password.
- `initialOnlyRequireReset` will set the admin user password when creating it, never update it, and require that the password be changed at the initial login.
These modes can be set like the following:
```yaml
gitea:
admin:
passwordMode: initialOnlyRequireReset
```
### LDAP Settings ### LDAP Settings
Like the admin user the LDAP settings can be updated. Like the admin user the LDAP settings can be updated.
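Review bot: the mode descriptions should also state what does not happen under the two `initialOnly*` modes, namely that a later change to `gitea.admin.password` (or to the referenced `existingSecret`) is never applied to an already-created admin user, so operators do not expect rotation via values to work; conversely, the `keepUpdated` bullet should say that it overwrites any out-of-band password change on every pod recreation, which matters because the chart ships a well-known default password. A one-line note that an unrecognised `passwordMode` value aborts the render would save a round trip as well.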
@ -985,22 +999,23 @@ To comply with the Gitea helm chart definition of the digest parameter, a "custo
### Gitea ### Gitea
| Name | Description | Value | | Name | Description | Value |
| -------------------------------------- | ------------------------------------------------------------------------- | -------------------- | | -------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -------------------- |
| `gitea.admin.username` | Username for the Gitea admin user | `gitea_admin` | | `gitea.admin.username` | Username for the Gitea admin user | `gitea_admin` |
| `gitea.admin.existingSecret` | Use an existing secret to store admin user credentials | `nil` | | `gitea.admin.existingSecret` | Use an existing secret to store admin user credentials | `nil` |
| `gitea.admin.password` | Password for the Gitea admin user | `r8sA8CPHD9!bt6d` | | `gitea.admin.password` | Password for the Gitea admin user | `r8sA8CPHD9!bt6d` |
| `gitea.admin.email` | Email for the Gitea admin user | `gitea@local.domain` | | `gitea.admin.email` | Email for the Gitea admin user | `gitea@local.domain` |
| `gitea.metrics.enabled` | Enable Gitea metrics | `false` | | `gitea.admin.passwordMode` | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated` |
| `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor | `false` | | `gitea.metrics.enabled` | Enable Gitea metrics | `false` |
| `gitea.ldap` | LDAP configuration | `[]` | | `gitea.metrics.serviceMonitor.enabled` | Enable Gitea metrics service monitor | `false` |
| `gitea.oauth` | OAuth configuration | `[]` | | `gitea.ldap` | LDAP configuration | `[]` |
| `gitea.config.server.SSH_PORT` | SSH port for rootlful Gitea image | `22` | | `gitea.oauth` | OAuth configuration | `[]` |
| `gitea.config.server.SSH_LISTEN_PORT` | SSH port for rootless Gitea image | `2222` | | `gitea.config.server.SSH_PORT` | SSH port for rootlful Gitea image | `22` |
| `gitea.additionalConfigSources` | Additional configuration from secret or configmap | `[]` | | `gitea.config.server.SSH_LISTEN_PORT` | SSH port for rootless Gitea image | `2222` |
| `gitea.additionalConfigFromEnvs` | Additional configuration sources from environment variables | `[]` | | `gitea.additionalConfigSources` | Additional configuration from secret or configmap | `[]` |
| `gitea.podAnnotations` | Annotations for the Gitea pod | `{}` | | `gitea.additionalConfigFromEnvs` | Additional configuration sources from environment variables | `[]` |
| `gitea.ssh.logLevel` | Configure OpenSSH's log level. Only available for root-based Gitea image. | `INFO` | | `gitea.podAnnotations` | Annotations for the Gitea pod | `{}` |
| `gitea.ssh.logLevel` | Configure OpenSSH's log level. Only available for root-based Gitea image. | `INFO` |
### LivenessProbe ### LivenessProbe
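Review bot: drive-by while the table is regenerated: the `gitea.config.server.SSH_PORT` description still reads "rootlful" (should be "rootful"), and since readme-generator-for-helm rebuilds this table from the `@param` lines in values.yaml, the fix belongs there. The new `gitea.admin.passwordMode` row lists the options in a different order from the README prose above (where `keepUpdated` is introduced first as the default); aligning the order and leading with the default makes the table self-explanatory.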


@ -400,3 +400,11 @@ https
{{- define "gitea.serviceAccountName" -}} {{- define "gitea.serviceAccountName" -}}
{{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }} {{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }}
{{- end -}} {{- end -}}
{{- define "gitea.admin.passwordMode" -}}
{{- if has .Values.gitea.admin.passwordMode (tuple "keepUpdated" "initialOnlyNoReset" "initialOnlyRequireReset") -}}
{{ .Values.gitea.admin.passwordMode }}
{{- else -}}
{{ printf "gitea.admin.passwordMode must be set to one of 'keepUpdated', 'initialOnlyNoReset', or 'initialOnlyRequireReset'. Received: '%s'" .Values.gitea.admin.passwordMode | fail }}
{{- end -}}
{{- end -}}
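Review bot: the `has`/`fail` guard is the right place for validation, but note it also fires when a user nulls the key (`passwordMode: null`), reporting `Received: ''` with no hint that a chart default exists; either pipe the value through `| default "keepUpdated"` before the `has` check, or extend the message to say the chart default is `keepUpdated`. The whitespace trimming is correct as written: with the `{{-`/`-}}` markers on the surrounding actions, `include` yields exactly the bare mode string.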


@ -243,6 +243,8 @@ spec:
- name: GITEA_ADMIN_PASSWORD - name: GITEA_ADMIN_PASSWORD
value: {{ .Values.gitea.admin.password | quote }} value: {{ .Values.gitea.admin.password | quote }}
{{- end }} {{- end }}
- name: GITEA_ADMIN_PASSWORD_MODE
value: {{ include "gitea.admin.passwordMode" $ }}
{{- if .Values.deployment.env }} {{- if .Values.deployment.env }}
{{- toYaml .Values.deployment.env | nindent 12 }} {{- toYaml .Values.deployment.env | nindent 12 }}
{{- end }} {{- end }}
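Review bot: `value: {{ include "gitea.admin.passwordMode" $ }}` is emitted unquoted, whereas the neighbouring `GITEA_ADMIN_PASSWORD` line uses `| quote`; add `| quote` for consistency so the env value is always a YAML string regardless of what the helper returns. Placing the new variable after the `{{- end }}` is correct, since the mode must be exported whether credentials come from `existingSecret` or from values.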


@ -109,13 +109,33 @@ stringData:
local ACCOUNT_ID=$(echo "${actual_user_table}" | grep -E "\s+${GITEA_ADMIN_USERNAME}\s+" | awk -F " " "{printf \$1}") local ACCOUNT_ID=$(echo "${actual_user_table}" | grep -E "\s+${GITEA_ADMIN_USERNAME}\s+" | awk -F " " "{printf \$1}")
if [[ -z "${ACCOUNT_ID}" ]]; then if [[ -z "${ACCOUNT_ID}" ]]; then
local -a create_args
create_args=(--admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }})
if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = initialOnlyRequireReset ]]; then
create_args+=(--must-change-password=true)
else
create_args+=(--must-change-password=false)
fi
echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..." echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false gitea admin user create "${create_args[@]}"
echo '...created.' echo '...created.'
else else
echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..." if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = keepUpdated ]]; then
gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
echo '...password sync done.' # See https://gitea.com/gitea/helm-chart/issues/673
# --must-change-password argument was added to change-password, defaulting to true, counter to the previous behavior
# which acted as if it were provided with =false. If the argument is present in this version of gitea, then we
# should add it to prevent requiring frequent admin password resets.
local -a change_args
change_args=(--username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}")
if gitea admin user change-password --help | grep -qF -- '--must-change-password'; then
change_args+=(--must-change-password=false)
fi
gitea admin user change-password "${change_args[@]}"
echo '...password sync done.'
else
echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist, but update mode is set to '${GITEA_ADMIN_PASSWORD_MODE}'. Skipping."
fi
fi fi
} }
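Review bot: both status messages read "already exist" (the pre-existing one on the `keepUpdated` branch and the new skip message); make them "already exists", and have the skip message say that setting `passwordMode: keepUpdated` is the way to resync, since that is the only branch that touches an existing account. The `--help | grep -qF -- '--must-change-password'` probe is only applied to `change-password`, while `create` receives `--must-change-password` unconditionally; that is fine here because `create` already got the flag before this change, but a comment saying so would stop the next reader from adding a probe there too.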


@ -342,12 +342,14 @@ gitea:
## @param gitea.admin.existingSecret Use an existing secret to store admin user credentials ## @param gitea.admin.existingSecret Use an existing secret to store admin user credentials
## @param gitea.admin.password Password for the Gitea admin user ## @param gitea.admin.password Password for the Gitea admin user
## @param gitea.admin.email Email for the Gitea admin user ## @param gitea.admin.email Email for the Gitea admin user
## @param gitea.admin.passwordMode Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated
admin: admin:
# existingSecret: gitea-admin-secret # existingSecret: gitea-admin-secret
existingSecret: existingSecret:
username: gitea_admin username: gitea_admin
password: r8sA8CPHD9!bt6d password: r8sA8CPHD9!bt6d
email: "gitea@local.domain" email: "gitea@local.domain"
passwordMode: keepUpdated
## @param gitea.metrics.enabled Enable Gitea metrics ## @param gitea.metrics.enabled Enable Gitea metrics
## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor ## @param gitea.metrics.serviceMonitor.enabled Enable Gitea metrics service monitor
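Review bot: `passwordMode: keepUpdated` combined with the plaintext default `password: r8sA8CPHD9!bt6d` above means an admin password changed in the UI is reverted to the well-known default the next time the pod is recreated; that is the intended compatibility default per the PR description, but a short comment next to `passwordMode` pointing at the README's mode descriptions (and at `initialOnlyRequireReset` for installs that want a forced first-login change) would make the trade-off visible where people actually edit it. The `@param` line also lists the options with the default last; putting `keepUpdated` first or marking it as the default keeps the generated README consistent with the prose.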