lunny/helm-chart
1
0
Fork 0
Code Issues 36 Pull Requests 14 Actions Packages Projects Releases 93 Wiki Activity

Revert "Use Secrets for passwords and tokens"

Browse Source
This commit is contained in:
Charlie Drage 2020-05-15 13:44:05 -04:00
parent 3d9c5b7abd
commit f75ba73ffd
9 changed files with 38 additions and 220 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
README.md
View File

@ -120,76 +120,7 @@ When upgrading, make sure you have the following enabled:
- Persistency for both mariadb + Gitea
- Using `existingGiteaClaim`
- Due to using the [bitnami/mariadb](https://github.com/helm/charts/tree/master/stable/mariadb) chart, make sure to HARDCODE your passwords within `values.yaml`,
or (better) set them in a separate secret named in mariadb.existingSecret. Or else you'll be unable to update mariadb
## Secrets
Secret values (database passwords, Gitea internal secrets / tokens) are passed to the containers using Kubernetes secrets.
These secrets can be automatically created using parameters from values.yaml or created externally and specified by name.
### MariaDB
If using the default MariaDB database, create the secret per the bitnami mariadb chart and specify its name in `mariadb.existingSecret`.
The secret will be created automatically if unspecified or if the password is supplied via `values.yaml`.
```yaml
apiVersion: v1
kind: Secret
metadata:
name: RELEASE-NAME-mariadb
type: Opaque
data:
mariadb-root-password: "<base64-encoded password>"
mariadb-password: "<base64-encoded password>"
```
### ExternalDB
If using a different database, specify the secret name in `externalDB.secretName`.
If this secret is shared with the database itself and has the password in a key other than `db-password`, you can specify the key name via `externalDB.passwordKey`.
The secret will be created automatically if the password is supplied via `values.yaml`.
```yaml
apiVersion: v1
kind: Secret
metadata:
name: RELEASE-NAME-externaldb
type: Opaque
data:
db-password: "<base64-encoded password>"
```
### Gitea Secrets
Gitea requires a number of internal secret tokens, which can be supplied via an externally-created secret or via `values.yaml`.
If they are not supplied, they will be auto-generated by the init container, and will change on upgrades.
Gitea requires particular encoding for some of these so they should be generated using `gitea generate secret`.
```yaml
apiVersion: v1
kind: Secret
metadata:
name: RELEASE-NAME
type: Opaque
data:
secret-key: "base64-encoded secret"
jwt-secret: "base64-encoded secret"
lfs-jwt-secret: "base64-encoded secret"
internal-token: "base64-encoded secret"
```
## Immutable Configuration
If `config.immutableConfig` is `true`, the Gitea `app.ini` is regenerated each time the init container runs and is set as read-only.
If it is `false`, then `app.ini` is generated only on first install and is editable by Gitea.
- Due to using the [bitnami/mariadb](https://github.com/helm/charts/tree/master/stable/mariadb) chart, make sure to HARDCODE your passwords within `values.yaml`. Or else you'll be unable to update mariadb
## Configuration
@ -240,15 +171,11 @@ The following table lists the configurable parameters of this chart and their de
| `mariadb.persistence.enabled` | Enable or diable persistence | `true` |
| `mariadb.persistence.accessMode` | What access mode to use | `ReadWriteOnce` |
| `mariadb.persistence.size` | What size of database to use | `8Gi` |
| `externalDB.secretName` | Name of existing secret containing externalDB password | ` unset` |
| `externalDB.passwordKey` | Name of password entry in Secret | `db-password` |
| `externalDB.dbUser` | external db user | ` unset` |
| `externalDB.dbPassword` | external db password | ` unset` |
| `externalDB.dbHost` | external db host | ` unset` |
| `externalDB.dbPort` | external db port | ` unset` |
| `externalDB.dbDatabase` | external db database name | ` unset` |
| `config.immutableConfig` | Set config as read-only and regenerate on every upgrade. | `false` |
| `config.secretName` | Name of existing secret containing Gitea internal tokens | ` unset` |
| `config.disableInstaller` | Disable the installer | `false` |
| `config.offlineMode` | Sets Gitea's Offline Mode. Values are `true` or `false`. | `false` |
| `config.requireSignin` | Require Gitea user to be signed in to see any pages. Values are `true` or `false`. | `false` |

32
templates/_helpers.tpl
View File

@ -29,35 +29,3 @@ Return the appropriate apiVersion for ingress.
{{- print "networking.k8s.io/v1beta1" -}}
{{- end -}}
{{- end -}}
{{- define "gitea-secret-name" -}}
{{- if .Values.config.secretName -}}
{{ .Values.config.secretName }}
{{- else -}}
{{ template "fullname" . }}
{{- end -}}
{{- end -}}
{{- define "db-secret-name" -}}
{{- if .Values.mariadb.enabled -}}
{{- if .Values.mariadb.existingSecret -}}
{{ .Values.mariadb.existingSecret }}
{{- else -}}
{{ template "mariadb.fullname" . }}
{{- end -}}
{{- else -}}
{{- if .Values.externalDB.secretName -}}
{{ .Values.externalDB.secretName }}
{{- else -}}
{{ printf "%s-externalDB" (include "fullname" .) }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "db-secret-key" -}}
{{- if .Values.mariadb.enabled -}}
{{- print "mariadb-password" -}}
{{- else -}}
{{ .Values.externalDB.passwordKey }}
{{- end -}}
{{- end -}}

9
templates/deployment.yaml
View File

@ -38,15 +38,6 @@ spec:
- name: gitea-config
configMap:
name: {{ template "fullname" . }}
- name: database-secret
secret:
secretName: {{ template "db-secret-name" . }}
items:
- key: {{ template "db-secret-key" . }}
path: db-password
- name: gitea-secret
secret:
secretName: {{ template "gitea-secret-name" . }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:

11
templates/gitea/_container.tpl
View File

@ -5,6 +5,17 @@ Create helm partial for gitea server
- name: gitea
image: {{ .Values.images.gitea }}
imagePullPolicy: {{ .Values.images.pullPolicy }}
env:
- name: DATABASE_PASSWORD
valueFrom:
secretKeyRef:
{{- if .Values.mariadb.enabled }}
name: {{ template "mariadb.fullname" . }}
key: mariadb-password
{{- else }}
name: {{ printf "%s-%s" .Release.Name "externaldb" }}
key: db-password
{{- end }}
ports:
- name: ssh
containerPort: 22

32
templates/gitea/gitea-config.yaml
View File

@ -248,7 +248,7 @@ data:
; Where your lfs files reside, default is data/lfs.
LFS_CONTENT_PATH = data/lfs
; LFS authentication secret, change this yourself
LFS_JWT_SECRET = HELM_LFS_JWT_SECRET
LFS_JWT_SECRET =
; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail.
LFS_HTTP_AUTH_EXPIRY = 20m
@ -267,15 +267,20 @@ data:
HOST = {{ .Values.externalDB.dbHost }}:{{ .Values.externalDB.dbPort }}
NAME = {{ .Values.externalDB.dbDatabase }}
USER = {{ .Values.externalDB.dbUser }}
PASSWD = {{ .Values.externalDB.dbPassword }}
{{ else if .Values.mariadb.enabled }}
; Either "mysql", "postgres", "mssql" or "sqlite3", it's your choice
DB_TYPE = mysql
HOST = {{ template "mariadb.fullname" . }}:3306
NAME = {{ .Values.mariadb.db.name }}
USER = {{ .Values.mariadb.db.user }}
{{ end }}
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD = HELM_DB_PASSWORD
{{ if .Values.mariadb.password }}
PASSWD = {{ .Values.mariadb.db.password }}
{{ else }}
PASSWD = MARIADB_PASSWORD
{{ end }}
{{ end }}
; For "postgres" only, either "disable", "require" or "verify-full"
SSL_MODE = disable
; For "sqlite3" and "tidb", use an absolute path when you start gitea as service
@ -303,8 +308,11 @@ data:
; Whether the installer is disabled
INSTALL_LOCK = {{ .Values.config.disableInstaller }}
; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!
SECRET_KEY = HELM_SECRET_KEY
INTERNAL_TOKEN_URI = file:/data/gitea/conf/internal-token
{{ if .Values.config.secretKey }}
SECRET_KEY = {{ .Values.config.secretKey }}
{{ else }}
SECRET_KEY = {{ randAlphaNum 64 | quote }}
{{ end }}
; How long to remember that an user is logged in before requiring relogin (in days)
@ -654,20 +662,6 @@ data:
; Max number of items in a page
MAX_RESPONSE_ITEMS = 50
[oauth2]
; Enables OAuth2 provider
ENABLE = true
; Lifetime of an OAuth2 access token in seconds
ACCESS_TOKEN_EXPIRATION_TIME=3600
; Lifetime of an OAuth2 access token in hours
REFRESH_TOKEN_EXPIRATION_TIME=730
; Check if refresh token got already used
INVALIDATE_REFRESH_TOKENS=false
; OAuth2 authentication secret for access and refresh tokens, change this to a unique string.
JWT_SECRET=HELM_JWT_SECRET
; Maximum length of oauth2 token/cookie stored on server
MAX_TOKEN_LENGTH=32767
[i18n]
LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,uk-UA,ja-JP,es-ES,pt-BR,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sr-SP,sv-SE,ko-KR
NAMES = English,简体中文,繁體中文(香港),繁體中文(台灣),Deutsch,français,Nederlands,latviešu,русский,Українська,日本語,español,português do Brasil,polski,български,italiano,suomi,Türkçe,čeština,српски,svenska,한국어

41
templates/init/_container.tpl
View File

@ -6,43 +6,26 @@ Create helm partial for gitea server
image: {{ .Values.images.gitea }}
imagePullPolicy: {{ .Values.images.pullPolicy }}
env:
- name: MARIADB_PASSWORD
valueFrom:
secretKeyRef:
{{- if .Values.mariadb.enabled }}
name: {{ template "mariadb.fullname" . }}
key: mariadb-password
{{- else }}
name: {{ printf "%s-%s" .Release.Name "externaldb" }}
key: db-password
{{- end }}
- name: SCRIPT
value: &script |-
mkdir -p /datatmp/gitea/conf
if [ -f /etc/gitea-secret/internal-token ]; then
cp /etc/gitea-secret/internal-token /datatmp/gitea/conf/internal-token
if [ ! -f /datatmp/gitea/conf/app.ini ]; then
sed "s/MARIADB_PASSWORD/${MARIADB_PASSWORD}/g" < /etc/gitea/app.ini > /datatmp/gitea/conf/app.ini
fi
if [ ! -f /datatmp/gitea/conf/internal-token ]; then
gitea generate secret INTERNAL_TOKEN >/datatmp/gitea/conf/internal-token
fi
{{- if not .Values.config.immutableConfig }}
if [ -f /datatmp/gitea/conf/app.ini ]; then
chmod u+w /datatmp/gitea/conf/app.ini
exit
fi
{{- end }}
sed "s/HELM_DB_PASSWORD/$(cat /etc/database-secret/db-password)/g" < /etc/gitea/app.ini > /datatmp/gitea/conf/app.ini
sed -i "s/HELM_SECRET_KEY/$([ -f /etc/gitea-secret/secret-key ] && cat /etc/gitea-secret/secret-key || gitea generate secret SECRET_KEY)/g" /datatmp/gitea/conf/app.ini
sed -i "s/HELM_JWT_SECRET/$([ -f /etc/gitea-secret/jwt-secret ] && cat /etc/gitea-secret/jwt-secret || gitea generate secret JWT_SECRET)/g" /datatmp/gitea/conf/app.ini
sed -i "s/HELM_LFS_JWT_SECRET/$([ -f /etc/gitea-secret/lfs-jwt-secret ] && cat /etc/gitea-secret/lfs-jwt-secret || gitea generate secret LFS_JWT_SECRET)/g" /datatmp/gitea/conf/app.ini
{{- if .Values.config.immutableConfig }}
chmod a-w /datatmp/gitea/conf/app.ini
{{- end }}
command: ["/bin/sh",'-c', *script]
volumeMounts:
- name: gitea-data
mountPath: /datatmp
- name: gitea-config
mountPath: /etc/gitea
readOnly: true
- name: database-secret
mountPath: /etc/database-secret
readOnly: true
- name: gitea-secret
mountPath: /etc/gitea-secret
readOnly: true
{{- end }}

16
templates/secrets/externaldb-secret.yaml
View File

@ -1,16 +0,0 @@
{{- if .Values.externalDB -}}
{{- if (not .Values.externalDB.secretName) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "db-secret-name" . }}
labels:
app: {{ template "fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
type: Opaque
data:
{{ .Values.externalDB.passwordKey }}: {{ .Values.externalDB.dbPassword | b64enc }}
{{- end -}}
{{- end }}

25
templates/secrets/gitea-secret.yaml
View File

@ -1,25 +0,0 @@
{{- if (not .Values.config.secretName) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "gitea-secret-name" . }}
labels:
app: {{ template "fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: {{ .Release.Name | quote }}
heritage: {{ .Release.Service | quote }}
type: Opaque
data:
{{ if .Values.config.secretKey }}
secret-key: {{ .Values.config.secretKey | b64enc }}
{{ end }}
{{ if .Values.config.jwtSecret }}
jwt-secret: {{ .Values.config.jwtSecret | b64enc }}
{{ end }}
{{ if .Values.config.lfsJwtSecret }}
lfs-jwt-secret: {{ .Values.config.lfsJwtSecret | b64enc }}
{{ end }}
{{ if .Values.config.internalToken }}
internal-token: {{ .Values.config.internalToken | b64enc }}
{{ end }}
{{- end }}

17
values.yaml
View File

@ -187,8 +187,6 @@ mariadb:
## Connect to an external database instead
# externalDB:
# #secretName: "<EXISTING_SECRET_NAME>" # Existing secret that contains the password; auto-created otherwise.
# passwordKey: "db-password" # Identifier in the Secret's dictionary.
# dbUser: "postgres"
# dbPassword: "<MY_PASSWORD>"
# dbHost: "service-name.namespace.svc.cluster.local" # or some external host
@ -199,26 +197,13 @@ mariadb:
## Actual Gitea configuration (modified the default .ini file for Gitea)
## This will skip the initial installation screen. You must have a secretKey already defined
## and disableInstaller set to True
## If secretName is set, it should point to an existing secret with the following keys:
## - internal-token
## - secret-key
## - jwt-secret
## - lfs-jwt-secret
## If secretName is unset, secret is created from values specified below.
## Secrets should be generated with 'gitea generate secret'
## Unspecified secrets are auto-generated by the init container
config:
## secretName: "<Existing Secret Name>"
## secretKey: "<random>" # Generate with 'gitea generate secret SECRET_KEY'
## jwtSecret: "<random>" # Generate with 'gitea generate secret JWT_SECRET'
## lfsJwtSecret: "<random>" # Generate with 'gitea generate secret LFS_JWT_SECRET'
## internalToken: "<random>" # Generate with 'gitea generate secret INTERNAL_TOKEN'
## secretKey: ThisIsMySuperSecretKeyThatsUsedInterally
disableInstaller: false
offlineMode: false
requireSignin: false
disableRegistration: false
openidSignin: true
immutableConfig: false # Regenerate config every time, and set as read-only
## Common helm annotations
## Node labels and tolerations for pod assignment