enhancements to support postgres client-cert authentication (#47)

This PR adds a few new chart features which adds to the flexibility of the chart.

- allow extra volumes to be mounted (such as secrets): 2f862c5a48
- pass environment variables also to the init-container: 7044049478
- allow a preparation script to be "injected" into the init-container: 6125a69345

As a concrete example of how this can be used, I use is to configure Gitea to use client certificate authentication against an external Postgres database. That could be accomplished by having a `gitea-postgres-ssl` secret:

```
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: gitea-postgres-ssl
data:
  postgresql.crt: <base64...>
  postgresql.key: <base64...>
  root.crt: <base64...>
```

and then mounting this as a volume in Gitea using:

```
extraVolumes:
- name: postgres-ssl-vol
  secret:
    secretName: gitea-postgres-ssl

extraVolumeMounts:
- name: postgres-ssl-vol
  readOnly: true
  mountPath: "/pg-ssl"
```

To get the right permissions on the credentials, we'd use the `initPreScript`:

```
initPreScript: |
  # copy postgres client and CA cert from mount and
  # give proper permissions
  mkdir -p /data/git/.postgresql
  cp /pg-ssl/* /data/git/.postgresql/
  chown -R git:git /data/git/.postgresql/
  chmod 400 /data/git/.postgresql/postgresql.key
```

and to make sure that Gitea uses the certificate we need to pass the proper postgres environment variables (both to the init container and the "main" container):

```
statefulset:
  env:
  - name:  "PGSSLCERT"
    value: "/data/git/.postgresql/postgresql.crt"
  - name:  "PGSSLKEY"
    value: "/data/git/.postgresql/postgresql.key"
  - name:  "PGSSLROOTCERT"
    value: "/data/git/.postgresql/root.crt"
```

Co-authored-by: Peter Gardfjäll <peter.gardfjall.work@gmail.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/47
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: 6543 <6543@obermui.de>
Co-authored-by: petergardfjall <petergardfjall@noreply.gitea.io>
Co-committed-by: petergardfjall <petergardfjall@noreply.gitea.io>

.drone.yml

@@ -41,19 +41,19 @@ trigger:
 
 steps:
   - name: generate-chart
-    pull: default
+    pull: always
     image: alpine:3.12
     commands:
       - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
       - helm dependency update
-      - helm package ./
+      - helm package --version "${DRONE_TAG##v}" ./
       - mkdir gitea
       - mv gitea*.tgz gitea/
       - wget -O gitea/index.yaml https://dl.gitea.io/charts/index.yaml
       - helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
 
   - name: upload-chart
-    pull: default
+    pull: always
     image: plugins/s3:latest
     settings:
       bucket: releases

Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
-version: 2.1.3
-appVersion: 1.13.0
+version: 0.0.0
+appVersion: 1.13.1
 icon: https://docs.gitea.io/images/gitea.png
 
 keywords:

README.md

@@ -4,9 +4,9 @@
 
 ## Introduction
 
-This helm chart has taken some inspiration from https://github.com/jfelten/gitea-helm-chart
+This helm chart has taken some inspiration from <https://github.com/jfelten/gitea-helm-chart>
 But takes a completly different approach in providing database and cache with dependencies.
-Also this chart provides ldap and admin user configuration with values as well as it is deployed as statefulset to retain stored repositories.
+Also this chart provides LDAP and admin user configuration with values as well as it is deployed as statefulset to retain stored repositories.
 
 ## Dependencies
 
@@ -21,7 +21,7 @@ Dependencies:
 
 ## Installing
 
-```
+```sh
   helm repo add gitea-charts https://dl.gitea.io/charts/
   helm install gitea gitea-charts/gitea
 ```
@@ -60,7 +60,7 @@ INSTALL_LOCK is always set to true, since we want to configure gitea with this h
 
 If a builtIn database is enabled the database configuration is set automatically. For example postgresql builtIn which will appear in the app.ini as:
 
-```
+```ini
 [database]
 DB_TYPE = postgres
 HOST = RELEASE-NAME-postgresql.default.svc.cluster.local:5432
@@ -73,7 +73,7 @@ USER = gitea
 
 Memcached is handled the exakt same way as database builtIn. Once memcached builtIn is enabled, this chart will generate the following part in the app.ini:
 
-```
+```ini
 [cache]
 ADAPTER = memcache
 ENABLED = true
@@ -85,7 +85,7 @@ HOST = RELEASE-NAME-memcached.default.svc.cluster.local:11211
 The server defaults are a bit more complex.
 If ingress is enabled, the ROOT_URL, DOMAIN and SSH_DOMAIN will be set accordingly. HTTP_PORT always defaults to 3000 as well as SSH_PORT to 22.
 
-```
+```ini
 [server]
 APP_DATA_PATH = /data
 DOMAIN = git.example.com
@@ -188,9 +188,9 @@ If the built in cache should not be used simply configure the cache in gitea.con
 Gitea will be deployed as a statefulset. By simply enabling the persistence and setting the storage class according to your cluster
 everything else will be taken care of. The following example will create a PVC as a part of the statefulset. This PVC will not be deleted
 even if you uninstall the chart.
-When using Postgresql as dependency, this will also be deployed as a statefulset by default. 
+When using Postgresql as dependency, this will also be deployed as a statefulset by default.
 
-If you want to manage your own PVC you can simply pass the PVC name to the chart. 
+If you want to manage your own PVC you can simply pass the PVC name to the chart.
 
 ```yaml
   persistence:
@@ -200,7 +200,7 @@ If you want to manage your own PVC you can simply pass the PVC name to the chart
 
 In case that peristence has been disabled it will simply use an empty dir volume.
 
-Postgresql handles the persistence in the exact same way. 
+Postgresql handles the persistence in the exact same way.
 You can interact with the postgres settings as displayed in the following example:
 
 ```yaml
@@ -224,6 +224,7 @@ You can interact with the postgres settings as displayed in the following exampl
 
 This chart enables you to create a default admin user. It is also possible to update the password for this user by upgrading or redeloying the chart.
 It is not possible to delete an admin user after it has been created. This has to be done in the ui.
+You cannot use `admin` as username.
 
 ```yaml
   gitea:
@@ -235,8 +236,8 @@ It is not possible to delete an admin user after it has been created. This has t
 
 ### LDAP Settings
 
-Like the admin user the ldap settings can be updated but also disabled or deleted.
-All ldap values from https://docs.gitea.io/en-us/command-line/#admin are available.
+Like the admin user the LDAP settings can be updated but also disabled or deleted.
+All LDAP values from <https://docs.gitea.io/en-us/command-line/#admin> are available.
 You can either use them in camel case or kebab case.
 
 camelCase:
@@ -290,17 +291,20 @@ Annotations can be added to the Gitea pod.
 
 ### Others
 
-| Parameter           | Description                       | Default                      |
-|---------------------|-----------------------------------|------------------------------|
-|statefulset.terminationGracePeriodSeconds| Image to start for this pod | gitea/gitea |
-|statefulset.env           | Additional environment variables to pass to containers | [] |
+| Parameter                                 | Description                                            | Default     |
+|-------------------------------------------|--------------------------------------------------------|-------------|
+| statefulset.terminationGracePeriodSeconds | Image to start for this pod                            | gitea/gitea |
+| statefulset.env                           | Additional environment variables to pass to containers | []          |
+| extraVolumes                              | Additional volumes to mount to the Gitea statefulset   | {}          |
+| extraVolumeMounts                         | Additional volumes mounts for the Gitea containers     | {}          |
+| initPreScript                             | Bash script copied verbatim to start of init container |             |
 
 ### Image
 
 | Parameter           | Description                       | Default                      |
 |---------------------|-----------------------------------|------------------------------|
 |image.repository| Image to start for this pod | gitea/gitea |
-|image.version| Image Version | 1.13.0 |
+|image.tag| [Image tag](https://hub.docker.com/r/gitea/gitea/tags?page=1&ordering=last_updated) | 1.13.1 |
 |image.pullPolicy| Image pull policy | Always |
 
 ### Persistence

templates/_helpers.tpl

@@ -99,7 +99,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- range $key, $val := .Values.gitea.ldap -}}
 {{- if ne $key "enabled" -}}
 {{- if eq $key "port" -}}
-{{- printf "--%s %s " ($key | kebabcase) $val -}}
+{{- printf "--%s %d " ($key | kebabcase) ($val | int) -}}
 {{- else -}}
 {{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
 {{- end -}}

templates/gitea/init.yaml

@@ -8,6 +8,14 @@ type: Opaque
 stringData:
   init_gitea.sh: |-
     #!/bin/bash
+    {{- if .Values.initPreScript }}
+    # BEGIN: initPreScript
+    {{- with .Values.initPreScript -}}
+    {{ . | nindent 4}}
+    {{- end -}}
+    # END: initPreScript
+    {{- end }}
+
     mkdir -p /data/git/.ssh
     chmod -R 700 /data/git/.ssh
     mkdir -p /data/gitea/conf
@@ -32,4 +40,4 @@ stringData:
       {{- include "gitea.ldap_settings" . | nindent 6 }} \
     ) \
     {{- end }}
-    '
+    '

templates/gitea/statefulset.yaml

@@ -14,6 +14,7 @@ spec:
     metadata:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/gitea/config.yaml") . | sha256sum }}
+        checksum/ldap: {{ include "gitea.ldap_settings" . | sha256sum }}
         {{- with .Values.gitea.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -28,8 +29,13 @@ spec:
         fsGroup: 1000
       initContainers:
         - name: init
-          image: "{{ .Values.image.repository }}:{{ .Values.image.version }}"
+          image: "{{ .Values.image.repository }}:{{ ternary .Values.image.version .Values.image.tag (hasKey .Values.image "version") }}"
           command: ["/usr/sbin/init_gitea.sh"]
+          env:
+          {{- range .Values.statefulset.env }}
+          - name: {{ .name | quote | nospace }}
+            value: {{ .value | quote }}
+          {{- end }}
           volumeMounts:
             - name: init
               mountPath: /usr/sbin
@@ -37,10 +43,13 @@ spec:
               mountPath: /etc/gitea/conf
             - name: data
               mountPath: /data
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
       terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
       containers:
         - name: {{ .Chart.Name }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.version }}"
+          image: "{{ .Values.image.repository }}:{{ ternary .Values.image.version .Values.image.tag (hasKey .Values.image "version") }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
             # SSH Port values have to be set here as well for openssh configuration
@@ -77,6 +86,9 @@ spec:
           volumeMounts:
             - name: data
               mountPath: /data
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -97,6 +109,9 @@ spec:
         - name: config
           secret:
             secretName: {{ include "gitea.fullname" . }}
+        {{- if .Values.extraVolumes }}
+        {{- toYaml .Values.extraVolumes | nindent 8 }}
+        {{- end }}
   {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
         - name: data
           persistentVolumeClaim:

values.yaml

@@ -8,7 +8,7 @@ clusterDomain: cluster.local
 
 image:
   repository: gitea/gitea
-  version: 1.13.0
+  tag: 1.13.1
   pullPolicy: Always
 
 imagePullSecrets: []
@@ -69,11 +69,36 @@ statefulset:
 
 persistence:
   enabled: true
-  # existingClaim: 
+  # existingClaim:
   size: 10Gi
   accessModes:
     - ReadWriteOnce
 
+# additional volumes to add to the Gitea statefulset.
+extraVolumes:
+# - name: postgres-ssl-vol
+#   secret:
+#     secretName: gitea-postgres-ssl
+
+
+# additional volumes to mount, both to the init container and to the main
+# container. As an example, can be used to mount a client cert when connecting
+# to an external Postgres server.
+extraVolumeMounts:
+# - name: postgres-ssl-vol
+#   readOnly: true
+#   mountPath: "/pg-ssl"
+
+# bash shell script copied verbatim to the start of the init-container.
+initPreScript: ""
+#
+# initPreScript: |
+#   mkdir -p /data/git/.postgresql
+#   cp /pg-ssl/* /data/git/.postgresql/
+#   chown -R git:git /data/git/.postgresql/
+#   chmod 400 /data/git/.postgresql/postgresql.key
+
+
 gitea:
   admin:
     username: gitea_admin
@@ -82,22 +107,22 @@ gitea:
 
   ldap:
     enabled: false
-    name: ""
-    securityProtocol: ""
-    host: ""
-    port: ""
-    userSearchBase: ""
-    userFilter: ""
-    adminFilter: ""
-    emailAttribute: ""
-    bindDn: ""
-    bindPassword: ""
-    usernameAttribute: ""
+    #name: 
+    #securityProtocol: 
+    #host: 
+    #port: 
+    #userSearchBase: 
+    #userFilter: 
+    #adminFilter: 
+    #emailAttribute: 
+    #bindDn: 
+    #bindPassword: 
+    #usernameAttribute: 
 
   config: {}
   #  APP_NAME: "Gitea: Git with a cup of tea"
-  #  RUN_MODE: dev   
-  #   
+  #  RUN_MODE: dev
+  #
   #  server:
   #    SSH_PORT: 22
   #