diff --git a/.drone.yml b/.drone.yml index d0244e3..40fc93e 100644 --- a/.drone.yml +++ b/.drone.yml @@ -10,22 +10,31 @@ platform: steps: - name: helm lint pull: always - image: alpine:3.16 + image: alpine:3.17 commands: - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm - helm lint - name: helm template pull: always - image: alpine:3.16 + image: alpine:3.17 commands: - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm - helm dependency update - helm template --debug gitea-helm . +- name: helm unittests + pull: always + image: alpine:3.17 + commands: + - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing make helm git bash + - helm plugin install https://github.com/heyhabito/helm-unittest + - helm dependency update + - make unittests + - name: verify readme pull: always - image: alpine:3.16 + image: alpine:3.17 commands: - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing make npm git - make readme @@ -61,7 +70,7 @@ trigger: steps: - name: generate-chart pull: always - image: alpine:3.16 + image: alpine:3.17 commands: - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm - apk add --no-cache curl @@ -76,8 +85,16 @@ steps: pull: always image: plugins/s3:latest settings: - bucket: gitea-artifacts - endpoint: https://ams3.digitaloceanspaces.com + acl: + from_secret: aws_s3_acl + region: + from_secret: aws_s3_region + bucket: + from_secret: aws_s3_bucket + endpoint: + from_secret: aws_s3_endpoint + path_style: + from_secret: aws_s3_path_style access_key: from_secret: aws_access_key_id secret_key: diff --git a/.gitignore b/.gitignore index 22b7fa6..10261af 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ charts/ node_modules/ .DS_Store +unittests/*/__snapshot__/ diff --git a/.helmignore b/.helmignore index a8cc816..e608c23 100644 --- a/.helmignore +++ b/.helmignore 
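Review bot: The new `helm unittests` step installs the test plugin from an unpinned git URL (`helm plugin install https://github.com/heyhabito/helm-unittest`), so every CI run executes whatever the plugin repository's default branch holds at that moment and a test result cannot be reproduced later. Pin it with the installer's version flag, e.g. `helm plugin install --version <PLUGIN_TAG> https://github.com/heyhabito/helm-unittest`, and use the same pinned command in the CONTRIBUTING.md snippet this commit adds. The `helm` package itself is still taken from `edge/testing` without a version, as the existing steps already do, so the pin only covers the plugin.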
@@ -25,3 +25,9 @@ node_modules/ package.json package-lock.json .gitea/ +Makefile +.markdownlintignore +.markdownlint.yaml +.drone.yml +CONTRIBUTING.md +unittests/ diff --git a/.markdownlint.yaml b/.markdownlint.yaml index a67574a..6320f35 100644 --- a/.markdownlint.yaml +++ b/.markdownlint.yaml @@ -45,7 +45,7 @@ MD012: # MD013/line-length - Line length MD013: # Number of characters - line_length: 80 + line_length: 200 # Number of characters for headings heading_line_length: 80 # Number of characters for code blocks diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d06973c..78f77d9 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -50,3 +50,13 @@ be used: forwarded first from `minikube` to localhost first via `kubectl --namespace default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at [http://localhost:3000](http://localhost:3000). + +### Unit tests + +```bash +# install the unittest plugin +$ helm plugin install https://github.com/heyhabito/helm-unittest + +# run the unittests +make unittests +``` diff --git a/Chart.yaml b/Chart.yaml index 446305a..4f0bc4c 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -3,7 +3,7 @@ name: gitea description: Gitea Helm chart for Kubernetes type: application version: 0.0.0 -appVersion: 1.17.2 +appVersion: 1.18.5 icon: https://docs.gitea.io/images/gitea.png keywords: @@ -31,9 +31,11 @@ maintainers: # Bitnami charts are served from GitHub CDN - See https://github.com/bitnami/charts/issues/10539 for details dependencies: +# OCI registry: https://blog.bitnami.com/2023/01/bitnami-helm-charts-available-as-oci.html (2023-01) +# Chart release date: 2023-02 - name: memcached - repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami - version: 5.9.0 + repository: oci://registry-1.docker.io/bitnamicharts + version: 6.3.7 condition: memcached.enabled - name: mysql repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami diff --git a/Makefile b/Makefile index 720a657..2b61849 100644 
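Review bot: `appVersion` is raised to `1.18.5` in this hunk, while the upgrade note the same commit adds to README.md (`### To 7.0.0` / `#### Gitea 1.18.1`) says the chart updates Gitea to 1.18.1; one of the two must be corrected so operators reading the breaking-changes section see the version that is actually shipped. If 1.18.5 is intended, change the README lines to `#### Gitea 1.18.5` and `This Chart version updates Gitea to 1.18.5.`, keeping the link to the 1.18.0 breaking changes.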
--- a/Makefile +++ b/Makefile @@ -6,3 +6,7 @@ prepare-environment: readme: prepare-environment npm run readme:parameters npm run readme:lint + +.PHONY: unittests +unittests: + helm unittest --helm3 --strict -f 'unittests/**/*.yaml' ./ diff --git a/README.md b/README.md index 2fc73f7..bb64eb6 100644 --- a/README.md +++ b/README.md @@ -41,24 +41,6 @@ of this document for major and breaking changes. - Helm 3.0+ - PV provisioner for persistent data support -## Configure Commit Signing - -When using the rootless image the gpg key folder was is not persistent by -default. If you consider using signed commits for internal Gitea activities -(e.g. initial commit), you'd need to provide a signing key. Prior to -[PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be -re-imported once the container got replaced by another. - -The mentioned PR introduced a new configuration object `signing` allowing you to -configure prerequisites for commit signing. By default this section is disabled -to maintain backwards compatibility. - -```yaml -signing: - enabled: false - gpgHome: /data/git/.gnupg -``` - ## Examples ### Gitea Configuration 
@@ -525,6 +507,49 @@ gitea: ... ``` +## Configure commit signing + +When using the rootless image the gpg key folder is not persistent by +default. If you consider using signed commits for internal Gitea activities +(e.g. initial commit), you'd need to provide a signing key. Prior to +[PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be +re-imported once the container got replaced by another. + +The mentioned PR introduced a new configuration object `signing` allowing you to +configure prerequisites for commit signing. By default this section is disabled +to maintain backwards compatibility. + +```yaml +signing: + enabled: false + gpgHome: /data/git/.gnupg +``` + +Regardless of the used container image the `signing` object allows to specify a +private gpg key. Either using the `signing.privateKey` to define the key inline, +or refer to an existing secret containing the key data by using `signing.existingKey`. + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: custom-gitea-gpg-key +type: Opaque +stringData: + privateKey: |- + -----BEGIN PGP PRIVATE KEY BLOCK----- + ... + -----END PGP PRIVATE KEY BLOCK----- +``` + +```yaml +signing: + existingSecret: custom-gitea-gpg-key +``` + +To use the gpg key, Gitea needs to be configured accordingly. A detailed description +can be found in the [official Gitea documentation](https://docs.gitea.io/en-us/signing/#general-configuration). + ### Metrics and profiling A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling 
@@ -566,6 +591,7 @@ gitea: | `global.imageRegistry` | global image registry override | `""` | | `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets` | `[]` | | `global.storageClass` | global storage class override | `""` | +| `global.hostAliases` | global hostAliases which will be added to the pod's hosts files | `[]` | | `replicaCount` | number of replicas for the statefulset | `1` | | `clusterDomain` | cluster domain | `cluster.local` | @@ -669,10 +695,12 @@ gitea: ### Signing -| Name | Description | Value | -| ----------------- | ---------------------------- | ------------------ | -| `signing.enabled` | Enable commit/action signing | `false` | -| `signing.gpgHome` | GPG home directory | `/data/git/.gnupg` | +| Name | Description | Value | +| ------------------------ | ----------------------------------------------------------------- | ------------------ | +| `signing.enabled` | Enable commit/action signing | `false` | +| `signing.gpgHome` | GPG home directory | `/data/git/.gnupg` | +| `signing.privateKey` | Inline private gpg key for signed Gitea actions | `""` | +| `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` | ### Gitea 
@@ -786,6 +814,17 @@ See [CONTRIBUTORS GUIDE](CONTRIBUTING.md) for details. This section lists major and breaking changes of each Helm Chart version. Please read them carefully to upgrade successfully. +### To 7.0.0 + +#### Gitea 1.18.1 + +This Chart version updates Gitea to 1.18.1. Don't miss any application related [breaking changes of 1.18.0](https://blog.gitea.io/2022/12/gitea-1.18.0-is-released/#breaking-changes). + +#### Private GPG key configuration for Gitea signing actions + +Having `signing.enabled=true` now requires to use either `signing.privateKey` or `signing.existingSecret` so that the Chart can automatically prepare the GPG key for Gitea internal signing actions. +See [Configure commit signing](#configure-commit-signing) for details. + ### To 6.0.0 #### Different volume mounts for init-containers and runtime container diff --git a/package-lock.json b/package-lock.json index 5f0c69c..4a19561 100644 --- a/package-lock.json +++ b/package-lock.json @@ -7,14 +7,30 @@ "name": "gitea-helm-chart", "license": "MIT", "devDependencies": { - "markdownlint-cli": "^0.31.1", - "readme-generator-for-helm": "https://github.com/bitnami-labs/readme-generator-for-helm/tarball/main" + "@bitnami/readme-generator-for-helm": "^2.4.2", + "markdownlint-cli": "^0.31.1" }, "engines": { "node": ">=16.0.0", "npm": ">=8.0.0" } }, + "node_modules/@bitnami/readme-generator-for-helm": { + "version": "2.4.2", + "resolved": "https://registry.npmjs.org/@bitnami/readme-generator-for-helm/-/readme-generator-for-helm-2.4.2.tgz", + "integrity": "sha512-2kIXOjRiKJ3PBoBD6EaImp4SNyGM/w67ZPPwbuJi5NeXesupQjFyhIhcKliIledlpuiSrMeH9l80yl6hvmYHUA==", + "dev": true, + "dependencies": { + "commander": "^7.1.0", + "dot-object": "^2.1.4", + "lodash": "^4.17.21", + "markdown-table": "^2.0.0", + "yaml": "^2.0.0-3" + }, + "bin": { + "readme-generator": "bin/index.js" + } + }, "node_modules/argparse": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz", 
@@ -331,23 +347,6 @@
 "node": ">=0.10.0"
 }
 },
- "node_modules/readme-generator-for-helm": {
- "version": "2.4.0",
- "resolved": "https://github.com/bitnami-labs/readme-generator-for-helm/tarball/main",
- "integrity": "sha512-W5ziOuId0M00YQRDlA5le3oEguWe8hoINhivOAgEF+AZkk2bDoNxuFUaJIxqAUEvZRA8qlTfUlu+w90EOFbTLw==",
- "dev": true,
- "license": "ISC",
- "dependencies": {
- "commander": "^7.1.0",
- "dot-object": "^2.1.4",
- "lodash": "^4.17.21",
- "markdown-table": "^2.0.0",
- "yaml": "^2.0.0-3"
- },
- "bin": {
- "readme-generator": "bin/index.js"
- }
- },
 "node_modules/repeat-string": {
 "version": "1.6.1",
 "resolved": "https://registry.npmjs.org/repeat-string/-/repeat-string-1.6.1.tgz",
@@ -397,9 +396,9 @@
 "dev": true
 },
 "node_modules/yaml": {
- "version": "2.1.1",
- "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.1.1.tgz",
- "integrity": "sha512-o96x3OPo8GjWeSLF+wOAbrPfhFOGY0W00GNaxCDv+9hkcDJEnev1yh8S7pgHF0ik6zc8sQLuL8hjHjJULZp8bw==",
+ "version": "2.1.3",
+ "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.1.3.tgz",
+ "integrity": "sha512-AacA8nRULjKMX2DvWvOAdBZMOfQlypSFkjcOcu9FalllIDJ1kvlREzcdIZmidQUqqeMv7jorHjq2HlLv/+c2lg==",
 "dev": true,
 "engines": {
 "node": ">= 14"
@@ -407,6 +406,19 @@
 }
 },
 "dependencies": {
+ "@bitnami/readme-generator-for-helm": {
+ "version": "2.4.2",
+ "resolved": "https://registry.npmjs.org/@bitnami/readme-generator-for-helm/-/readme-generator-for-helm-2.4.2.tgz",
+ "integrity": "sha512-2kIXOjRiKJ3PBoBD6EaImp4SNyGM/w67ZPPwbuJi5NeXesupQjFyhIhcKliIledlpuiSrMeH9l80yl6hvmYHUA==",
+ "dev": true,
+ "requires": {
+ "commander": "^7.1.0",
+ "dot-object": "^2.1.4",
+ "lodash": "^4.17.21",
+ "markdown-table": "^2.0.0",
+ "yaml": "^2.0.0-3"
+ }
+ },
 "argparse": {
 "version": "2.0.1",
 "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
@@ -663,18 +675,6 @@
 "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==",
 "dev": true
 },
- "readme-generator-for-helm": {
- "version": "https://github.com/bitnami-labs/readme-generator-for-helm/tarball/main",
- "integrity": "sha512-W5ziOuId0M00YQRDlA5le3oEguWe8hoINhivOAgEF+AZkk2bDoNxuFUaJIxqAUEvZRA8qlTfUlu+w90EOFbTLw==",
- "dev": true,
- "requires": {
- "commander": "^7.1.0",
- "dot-object": "^2.1.4",
- "lodash": "^4.17.21",
- "markdown-table": "^2.0.0",
- "yaml": "^2.0.0-3"
- }
- },
 "repeat-string": {
 "version": "1.6.1",
 "resolved": "https://registry.npmjs.org/repeat-string/-/repeat-string-1.6.1.tgz",
@@ -712,9 +712,9 @@
 "dev": true
 },
 "yaml": {
- "version": "2.1.1",
- "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.1.1.tgz",
- "integrity": "sha512-o96x3OPo8GjWeSLF+wOAbrPfhFOGY0W00GNaxCDv+9hkcDJEnev1yh8S7pgHF0ik6zc8sQLuL8hjHjJULZp8bw==",
+ "version": "2.1.3",
+ "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.1.3.tgz",
+ "integrity": "sha512-AacA8nRULjKMX2DvWvOAdBZMOfQlypSFkjcOcu9FalllIDJ1kvlREzcdIZmidQUqqeMv7jorHjq2HlLv/+c2lg==",
 "dev": true
 }
 }
diff --git a/package.json b/package.json
index 007e11f..deaa802 100644
--- a/package.json
+++ b/package.json
@@ -13,7 +13,7 @@
 "readme:parameters": "readme-generator -v values.yaml -r README.md"
 },
 "devDependencies": {
- "markdownlint-cli": "^0.31.1",
- "readme-generator-for-helm": "https://github.com/bitnami-labs/readme-generator-for-helm/tarball/main"
+ "@bitnami/readme-generator-for-helm": "^2.4.2",
+ "markdownlint-cli": "^0.31.1"
 }
 }
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 0e481e0..5bdcca9 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -331,3 +331,7 @@ https
 {{- toYaml .Values.extraVolumeMounts -}}
 {{- end -}}
 {{- end -}}
+
+{{- define "gitea.gpg-key-secret-name" -}}
+{{ default (printf "%s-gpg-key" (include "gitea.fullname" .)) .Values.signing.existingSecret }}
+{{- end -}}
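Review bot: The new `gitea.gpg-key-secret-name` define carries no descriptive comment, so a reader of the statefulset and gpg-secret templates has to open the helper to learn whether `signing.existingSecret` replaces the generated name or is combined with it. Add a template comment above the define, e.g. `{{/* Name of the Secret holding the GPG private key: signing.existingSecret when set, otherwise "<fullname>-gpg-key" */}}`. The `default` call resolves the precedence, but stating it next to the definition is what callers will actually read.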
diff --git a/templates/gitea/gpg-secret.yaml b/templates/gitea/gpg-secret.yaml new file mode 100644 index 0000000..29b6d4f --- /dev/null +++ b/templates/gitea/gpg-secret.yaml @@ -0,0 +1,16 @@ +{{- if .Values.signing.enabled -}} +{{- if and (empty .Values.signing.privateKey) (empty .Values.signing.existingSecret) -}} + {{- fail "Either specify `signing.privateKey` or `signing.existingKey`" -}} +{{- end }} +{{- if and (not (empty .Values.signing.privateKey)) (empty .Values.signing.existingSecret) -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "gitea.gpg-key-secret-name" . }} + labels: + {{- include "gitea.labels" . | nindent 4 }} +type: Opaque +data: + privateKey: {{ .Values.signing.privateKey | b64enc }} +{{- end }} +{{- end }} diff --git a/templates/gitea/init.yaml b/templates/gitea/init.yaml index 00af29b..838460b 100644 --- a/templates/gitea/init.yaml +++ b/templates/gitea/init.yaml @@ -6,6 +6,11 @@ metadata: {{- include "gitea.labels" . | nindent 4 }} type: Opaque stringData: + configure_gpg_environment.sh: |- + #!/usr/bin/env bash + set -eu + + gpg --batch --import /raw/private.asc init_directory_structure.sh: |- #!/usr/bin/env bash @@ -26,7 +31,7 @@ stringData: {{- end }} mkdir -p /data/git/.ssh chmod -R 700 /data/git/.ssh - [ ! -d /data/gitea ] && mkdir -p /data/gitea/conf + [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf # prepare temp directory structure mkdir -p "${GITEA_TEMP}" @@ -35,6 +40,14 @@ stringData: {{- end }} chmod ug+rwx "${GITEA_TEMP}" + {{ if .Values.signing.enabled -}} + if [ ! -d "${GNUPGHOME}" ]; then + mkdir -p "${GNUPGHOME}" + chmod 700 "${GNUPGHOME}" + chown 1000:1000 "${GNUPGHOME}" + fi + {{- end }} + configure_gitea.sh: |- #!/usr/bin/env bash diff --git a/templates/gitea/statefulset.yaml b/templates/gitea/statefulset.yaml index 994aafa..25a77ee 100644 --- a/templates/gitea/statefulset.yaml +++ b/templates/gitea/statefulset.yaml 
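Review bot: The `fail` message in gpg-secret.yaml tells the user to set `signing.existingKey`, but the condition two lines above checks `signing.existingSecret`; anyone following the error will set a value the chart never reads and keep hitting the same failure. Change the string so it names `signing.existingSecret`, and apply the same correction to the README paragraph added in this commit ("by using `signing.existingKey`") and to the `failedTemplate.errorMessage` assertion in unittests/gpg-secret/signing-enabled.yaml, which pins the current wording and would otherwise start failing.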
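Review bot: The new block in `init_directory_structure.sh` hard-codes `chown 1000:1000 "${GNUPGHOME}"`, while the `configure-gpg` init container that later imports the key honours `containerSecurityContext.runAsUser` when an operator sets it (see the statefulset hunk); with a different uid the gpg import presumably cannot write its keyring into that directory. This mirrors the existing `chown 1000:1000 /data` line, so it may be an accepted limitation, but it deserves a comment in the script such as `# must match the uid the configure-gpg init container runs as (defaults to 1000)`. The enclosing script starts before this hunk.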
@@ -59,6 +59,10 @@ spec: {{- if .Values.statefulset.env }} {{- toYaml .Values.statefulset.env | nindent 12 }} {{- end }} + {{- if .Values.signing.enabled }} + - name: GNUPGHOME + value: {{ .Values.signing.gpgHome }} + {{- end }} volumeMounts: - name: init mountPath: /usr/sbin @@ -110,6 +114,36 @@ spec: {{- include "gitea.init-additional-mounts" . | nindent 12 }} securityContext: {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- if .Values.signing.enabled }} + - name: configure-gpg + image: "{{ include "gitea.image" . }}" + command: ["/usr/sbin/configure_gpg_environment.sh"] + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + {{- /* By default this container runs as user 1000 unless otherwise stated */ -}} + {{- $csc := deepCopy .Values.containerSecurityContext -}} + {{- if not (hasKey $csc "runAsUser") -}} + {{- $_ := set $csc "runAsUser" 1000 -}} + {{- end -}} + {{- toYaml $csc | nindent 12 }} + env: + - name: GNUPGHOME + value: {{ .Values.signing.gpgHome }} + volumeMounts: + - name: init + mountPath: /usr/sbin + - name: data + mountPath: /data + {{- if .Values.persistence.subPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + - name: gpg-private-key + mountPath: /raw + readOnly: true + {{- if .Values.extraVolumeMounts }} + {{- toYaml .Values.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- end }} - name: configure-gitea image: "{{ include "gitea.image" . }}" command: ["/usr/sbin/configure_gitea.sh"] @@ -270,6 +304,10 @@ spec: subPath: {{ .Values.persistence.subPath }} {{- end }} {{- include "gitea.container-additional-mounts" . | nindent 12 }} + {{- with .Values.global.hostAliases }} + hostAliases: + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} 
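Review bot: The new `configure-gpg` init container appends `.Values.extraVolumeMounts` directly, whereas the sibling init container just above it uses `{{- include "gitea.init-additional-mounts" . | nindent 12 }}` (visible as context in this hunk) and values.yaml marks `extraVolumeMounts` as `@deprecated` in favour of `extraInitVolumeMounts` in this same commit; mounts configured via `extraInitVolumeMounts` therefore presumably never reach the gpg container. Replace the three-line `{{- if .Values.extraVolumeMounts }}` block with the same include call. Minor: both `GNUPGHOME` env entries (this hunk and the `@@ -59,6 +59,10 @@` hunk) emit the path unquoted; `value: {{ .Values.signing.gpgHome | quote }}` protects against a value the YAML parser would retype.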
@@ -307,6 +345,15 @@ spec: {{- end }} - name: temp emptyDir: {} + {{- if .Values.signing.enabled }} + - name: gpg-private-key + secret: + secretName: {{ include "gitea.gpg-key-secret-name" . }} + items: + - key: privateKey + path: private.asc + defaultMode: 0100 + {{- end }} {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }} - name: data persistentVolumeClaim: diff --git a/unittests/gpg-secret/signing-disabled.yaml b/unittests/gpg-secret/signing-disabled.yaml new file mode 100644 index 0000000..3b1aba4 --- /dev/null +++ b/unittests/gpg-secret/signing-disabled.yaml @@ -0,0 +1,13 @@ +suite: GPG secret template (signing disabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/gpg-secret.yaml +tests: + - it: renders nothing + set: + signing.enabled: false + asserts: + - hasDocuments: + count: 0 diff --git a/unittests/gpg-secret/signing-enabled.yaml b/unittests/gpg-secret/signing-enabled.yaml new file mode 100644 index 0000000..3c742e9 --- /dev/null +++ b/unittests/gpg-secret/signing-enabled.yaml 
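Review bot: `defaultMode: 0100` on the `gpg-private-key` volume grants only the owner execute bit to `private.asc`, yet the `configure-gpg` init container must read that file (`gpg --batch --import /raw/private.asc`), and a root-owned `--x------` file is not readable by uid 1000. It presumably works today only because the kubelet widens group permissions when the pod has an `fsGroup` (not visible in this diff), which makes the literal mode both misleading and fragile. Use a read-only mode that states the intent, e.g. `defaultMode: 0400` (or `0440` if group access is relied on), and update the two `defaultMode: 0100` expectations in unittests/statefulset/signing-enabled.yaml accordingly.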
@@ -0,0 +1,40 @@ +suite: GPG secret template (signing enabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/gpg-secret.yaml +tests: + - it: fails rendering when nothing is configured + set: + signing: + enabled: true + asserts: + - failedTemplate: + errorMessage: Either specify `signing.privateKey` or `signing.existingKey` + - it: skips rendering using external secret reference + set: + signing: + enabled: true + existingSecret: "external-secret-reference" + asserts: + - hasDocuments: + count: 0 + - it: renders secret specification using inline gpg key + set: + signing: + enabled: true + privateKey: "gpg-key-placeholder" + asserts: + - hasDocuments: + count: 1 + - documentIndex: 0 + containsDocument: + kind: Secret + apiVersion: v1 + name: gitea-unittests-gpg-key + - isNotEmpty: + path: metadata.labels + - equal: + path: data.privateKey + value: "Z3BnLWtleS1wbGFjZWhvbGRlcg==" diff --git a/unittests/init/basic.yaml b/unittests/init/basic.yaml new file mode 100644 index 0000000..f2b746e --- /dev/null +++ b/unittests/init/basic.yaml @@ -0,0 +1,15 @@ +suite: Init template (basic) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/init.yaml +tests: + - it: renders a secret + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: Secret + apiVersion: v1 + name: gitea-unittests-init diff --git a/unittests/init/init_directory_structure.sh.yaml b/unittests/init/init_directory_structure.sh.yaml new file mode 100644 index 0000000..7be2336 --- /dev/null +++ b/unittests/init/init_directory_structure.sh.yaml 
@@ -0,0 +1,64 @@ +suite: Init template +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/init.yaml +tests: + - it: runs gpg in batch mode + set: + signing.enabled: true + asserts: + - equal: + path: stringData.[configure_gpg_environment.sh] + value: |- + #!/usr/bin/env bash + set -eu + + gpg --batch --import /raw/private.asc + - it: skips gpg script block for disabled signing + asserts: + - equal: + path: stringData.[init_directory_structure.sh] + value: |- + #!/usr/bin/env bash + + set -euo pipefail + + set -x + chown 1000:1000 /data + mkdir -p /data/git/.ssh + chmod -R 700 /data/git/.ssh + [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf + + # prepare temp directory structure + mkdir -p "${GITEA_TEMP}" + chown 1000:1000 "${GITEA_TEMP}" + chmod ug+rwx "${GITEA_TEMP}" + - it: adds gpg script block for enabled signing + set: + signing.enabled: true + asserts: + - equal: + path: stringData.[init_directory_structure.sh] + value: |- + #!/usr/bin/env bash + + set -euo pipefail + + set -x + chown 1000:1000 /data + mkdir -p /data/git/.ssh + chmod -R 700 /data/git/.ssh + [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf + + # prepare temp directory structure + mkdir -p "${GITEA_TEMP}" + chown 1000:1000 "${GITEA_TEMP}" + chmod ug+rwx "${GITEA_TEMP}" + + if [ ! -d "${GNUPGHOME}" ]; then + mkdir -p "${GNUPGHOME}" + chmod 700 "${GNUPGHOME}" + chown 1000:1000 "${GNUPGHOME}" + fi diff --git a/unittests/statefulset/basic.yaml b/unittests/statefulset/basic.yaml new file mode 100644 index 0000000..00fb684 --- /dev/null +++ b/unittests/statefulset/basic.yaml 
@@ -0,0 +1,17 @@ +suite: Statefulset template (basic) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/statefulset.yaml + - templates/gitea/config.yaml +tests: + - it: renders a statefulset + template: templates/gitea/statefulset.yaml + asserts: + - hasDocuments: + count: 1 + - containsDocument: + kind: StatefulSet + apiVersion: apps/v1 + name: gitea-unittests diff --git a/unittests/statefulset/signing-disabled.yaml b/unittests/statefulset/signing-disabled.yaml new file mode 100644 index 0000000..4f9f2ce --- /dev/null +++ b/unittests/statefulset/signing-disabled.yaml @@ -0,0 +1,40 @@ +suite: Statefulset template (signing disabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/statefulset.yaml + - templates/gitea/config.yaml +tests: + - it: skips gpg init container + template: templates/gitea/statefulset.yaml + asserts: + - notContains: + path: spec.template.spec.initContainers + any: true + content: + name: configure-gpg + - it: skips gpg env in `init-directories` init container + template: templates/gitea/statefulset.yaml + set: + signing.enabled: true + asserts: + - contains: + path: spec.template.spec.initContainers[0].env + content: + name: GNUPGHOME + value: /data/git/.gnupg + - it: skips gpg env in runtime container + template: templates/gitea/statefulset.yaml + asserts: + - notContains: + path: spec.template.spec.containers[0].env + content: + name: GNUPGHOME + - it: skips gpg volume spec + template: templates/gitea/statefulset.yaml + asserts: + - notContains: + path: spec.template.spec.volumes + content: + name: gpg-private-key diff --git a/unittests/statefulset/signing-enabled.yaml b/unittests/statefulset/signing-enabled.yaml new file mode 100644 index 0000000..ecb237f --- /dev/null +++ b/unittests/statefulset/signing-enabled.yaml 
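Review bot: In unittests/statefulset/signing-disabled.yaml the test "skips gpg env in `init-directories` init container" sets `signing.enabled: true` and asserts `contains` for `GNUPGHOME`, so it repeats the positive case from signing-enabled.yaml and never exercises the disabled path the suite is named for. Drop the `set:` block and assert `notContains` with `content: name: GNUPGHOME`, matching the sibling "skips gpg env in runtime container" test in the same file.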
@@ -0,0 +1,93 @@ +suite: Statefulset template (signing enabled) +release: + name: gitea-unittests + namespace: testing +templates: + - templates/gitea/statefulset.yaml + - templates/gitea/config.yaml +tests: + - it: adds gpg init container + template: templates/gitea/statefulset.yaml + set: + signing: + enabled: true + existingSecret: "custom-gpg-secret" + asserts: + - equal: + path: spec.template.spec.initContainers[2].name + value: configure-gpg + - equal: + path: spec.template.spec.initContainers[2].command + value: ["/usr/sbin/configure_gpg_environment.sh"] + - equal: + path: spec.template.spec.initContainers[2].securityContext + value: + runAsUser: 1000 + - equal: + path: spec.template.spec.initContainers[2].env + value: + - name: GNUPGHOME + value: /data/git/.gnupg + - equal: + path: spec.template.spec.initContainers[2].volumeMounts + value: + - name: init + mountPath: /usr/sbin + - name: data + mountPath: /data + - name: gpg-private-key + mountPath: /raw + readOnly: true + - it: adds gpg env in `init-directories` init container + template: templates/gitea/statefulset.yaml + set: + signing.enabled: true + asserts: + - contains: + path: spec.template.spec.initContainers[0].env + content: + name: GNUPGHOME + value: /data/git/.gnupg + - it: adds gpg env in runtime container + template: templates/gitea/statefulset.yaml + set: + signing.enabled: true + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: GNUPGHOME + value: /data/git/.gnupg + - it: adds gpg volume spec + template: templates/gitea/statefulset.yaml + set: + signing: + enabled: true + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: gpg-private-key + secret: + secretName: gitea-unittests-gpg-key + items: + - key: privateKey + path: private.asc + defaultMode: 0100 + - it: supports gpg volume spec with external reference + template: templates/gitea/statefulset.yaml + set: + signing: + enabled: true + existingSecret: custom-gpg-secret + 
asserts: + - contains: + path: spec.template.spec.volumes + content: + name: gpg-private-key + secret: + secretName: custom-gpg-secret + items: + - key: privateKey + path: private.asc + defaultMode: 0100 diff --git a/values.yaml b/values.yaml index bd8c4d0..1213221 100644 --- a/values.yaml +++ b/values.yaml @@ -6,6 +6,7 @@ ## @param global.imageRegistry global image registry override ## @param global.imagePullSecrets global image pull secrets override; can be extended by `imagePullSecrets` ## @param global.storageClass global storage class override +## @param global.hostAliases global hostAliases which will be added to the pod's hosts files global: imageRegistry: "" ## E.g. @@ -14,6 +15,10 @@ global: ## imagePullSecrets: [] storageClass: "" + hostAliases: [] + # - ip: 192.168.137.2 + # hostnames: + # - example.com ## @param replicaCount number of replicas for the statefulset replicaCount: 1 @@ -63,7 +68,7 @@ containerSecurityContext: {} # runAsNonRoot: true # runAsUser: 1000 -## @depracated The securityContext variable has been split two: +## @deprecated The securityContext variable has been split two: ## - containerSecurityContext ## - podSecurityContext. ## @param securityContext Run init and Gitea containers as a specific securityContext @@ -228,7 +233,7 @@ extraContainerVolumeMounts: [] ## @param extraInitVolumeMounts Mounts that are only mapped into the init-containers. Can be used for additional preconfiguration. extraInitVolumeMounts: [] -## @depracated The extraVolumeMounts variable has been split two: +## @deprecated The extraVolumeMounts variable has been split two: ## - extraContainerVolumeMounts ## - extraInitVolumeMounts ## As an example, can be used to mount a client cert when connecting to an external Postgres server. 
@@ -253,9 +258,17 @@ initPreScript: "" # ## @param signing.enabled Enable commit/action signing ## @param signing.gpgHome GPG home directory +## @param signing.privateKey Inline private gpg key for signed Gitea actions +## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey` signing: enabled: false gpgHome: /data/git/.gnupg + privateKey: "" + # privateKey: |- + # -----BEGIN PGP PRIVATE KEY BLOCK----- + # ... + # -----END PGP PRIVATE KEY BLOCK----- + existingSecret: "" ## @section Gitea #
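Review bot: The `@param signing.existingSecret` description says the secret is used "to store the value of `signing.privateKey`", but the chart only reads it — gpg-secret.yaml skips creating a Secret when it is set, and the statefulset mounts key `privateKey` from it — so an operator may expect the chart to write the key there and omit the required key. Reword it to `## @param signing.existingSecret Name of an existing Secret whose privateKey key holds the GPG private key; used instead of signing.privateKey` and regenerate the README table, which carries the same sentence. It is also worth noting on `signing.privateKey` that, like any value, an inline key is kept in Helm's release record, which is the reason to prefer `existingSecret`.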