fix: Only create conf directoy if not exists (#211)

Only create conf directory if not yet exists

fixes #210

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/211
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-authored-by: Michael Kriese <michael.kriese@visualon.de>
Co-committed-by: Michael Kriese <michael.kriese@visualon.de>

.drone.yml

@@ -9,7 +9,7 @@ platform:
 steps:
 - name: lint
   pull: always
-  image: alpine:3.12
+  image: alpine:3.13
   commands:
     - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
     - helm lint
@@ -42,21 +42,22 @@ trigger:
 steps:
   - name: generate-chart
     pull: always
-    image: alpine:3.12
+    image: alpine:3.13
     commands:
       - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing helm
+      - apk add --no-cache curl
       - helm dependency update
       - helm package --version "${DRONE_TAG##v}" ./
       - mkdir gitea
       - mv gitea*.tgz gitea/
-      - wget -O gitea/index.yaml https://dl.gitea.io/charts/index.yaml
+      - curl -L -o gitea/index.yaml https://dl.gitea.io/charts/index.yaml
       - helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
 
   - name: upload-chart
     pull: always
     image: plugins/s3:latest
     settings:
-      bucket: releases
+      bucket: gitea-artifacts
       endpoint: https://storage.gitea.io
       path_style: true
       access_key:

Chart.yaml

@@ -3,7 +3,7 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.14.1
+appVersion: 1.14.6
 icon: https://docs.gitea.io/images/gitea.png
 
 keywords:
@@ -26,11 +26,13 @@ maintainers:
     email: konrad.lother@novum-rgi.de
   - name: Lucas Hahn
     email: lucas.hahn@novum-rgi.de
+  - name: Steven Kriegler
+    email: sk.bunsenbrenner@gmail.com
 
 dependencies:
 - name: memcached
   repository: https://charts.bitnami.com/bitnami
-  version: 4.2.20
+  version: 5.9.0
   condition: gitea.cache.builtIn.enabled
 - name: mysql
   repository: https://charts.bitnami.com/bitnami
@@ -38,9 +40,9 @@ dependencies:
   condition: gitea.database.builtIn.mysql.enabled
 - name: postgresql
   repository: https://charts.bitnami.com/bitnami
-  version: 9.7.2
+  version: 10.3.17
   condition: gitea.database.builtIn.postgresql.enabled
 - name: mariadb
   repository: https://charts.bitnami.com/bitnami
-  version: 8.0.0
+  version: 9.3.6
   condition: gitea.database.builtIn.mariadb.enabled

templates/NOTES.txt

@@ -1,7 +1,9 @@
 1. Get the application URL by running these commands:
 {{- if .Values.ingress.enabled }}
 {{- range $host := .Values.ingress.hosts }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }}/
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.http.type }}
   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "gitea.fullname" . }})

templates/_helpers.tpl

@@ -108,12 +108,27 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "gitea.ldap_settings" -}}
+{{- if not (hasKey .Values.gitea.ldap "bindDn") -}}
+{{- $_ := set .Values.gitea.ldap "bindDn" "" -}}
+{{- end -}}
+
+{{- if not (hasKey .Values.gitea.ldap "bindPassword") -}}
+{{- $_ := set .Values.gitea.ldap "bindPassword" "" -}}
+{{- end -}}
+
+{{- $flags := list "notActive" "skipTlsVerify" "allowDeactivateAll" "synchronizeUsers" "attributesInBind" -}}
 {{- range $key, $val := .Values.gitea.ldap -}}
-{{- if ne $key "enabled" -}}
-{{- if eq $key "port" -}}
-{{- printf "--%s %d " ($key | kebabcase) ($val | int) -}}
+{{- if and (ne $key "enabled") (ne $key "existingSecret") -}}
+{{- if eq $key "bindDn" -}}
+{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_BIND_DN}" | quote ) -}}
+{{- else if eq $key "bindPassword" -}}
+{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_PASSWORD}" | quote ) -}}
+{{- else if eq $key "port" -}}
+{{- printf "--%s %d " $key ($val | int) -}}
+{{- else if has $key $flags -}}
+{{- printf "--%s " ($key | kebabcase) -}}
 {{- else -}}
-{{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
+{{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
@@ -122,7 +137,7 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- define "gitea.oauth_settings" -}}
 {{- range $key, $val := .Values.gitea.oauth -}}
 {{- if ne $key "enabled" -}}
-{{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
+{{- printf "--%s %s " ($key | kebabcase) ($val | squote) -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}

templates/gitea/config.yaml

@@ -50,7 +50,7 @@ stringData:
     {{- end -}}
     {{- if not (.Values.gitea.config.server.DOMAIN) -}}
     {{- if gt (len .Values.ingress.hosts) 0 -}}
-    {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0) -}}
+    {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0).host -}}
     {{- else -}}
     {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
     {{- end -}}
@@ -60,7 +60,7 @@ stringData:
     {{- if gt (len .Values.ingress.tls) 0 -}}
     {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index (index .Values.ingress.tls 0).hosts 0)) -}}
     {{- else -}}
-    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index .Values.ingress.hosts 0)) -}}
+    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index .Values.ingress.hosts 0).host) -}}
     {{- end -}}
     {{- else -}}
     {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL .Values.gitea.config.server.DOMAIN) -}}

templates/gitea/ingress.yaml

@@ -29,13 +29,14 @@ spec:
   {{- end }}
 {{- end }}
   rules:
-  {{- range .Values.ingress.hosts }}
-    - host: {{ . | quote }}
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
       http:
         paths:
-          - path: /
-            {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
-            pathType: Prefix
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if and .pathType ($.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") }}
+            pathType: {{ .pathType }}
             {{- end }}
             backend:
             {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
@@ -47,5 +48,6 @@ spec:
               serviceName: {{ $fullName }}-http
               servicePort: {{ $httpPort }}
             {{- end }}
-  {{- end }}
+          {{- end }}
+    {{- end }}
 {{- end }}

templates/gitea/init.yaml

@@ -6,8 +6,11 @@ metadata:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
 stringData:
-  init_gitea.sh: |-
-    #!/bin/bash
+  init_directory_structure.sh: |-
+    #!/usr/bin/env bash
+
+    set -euo pipefail
+
     {{- if .Values.initPreScript }}
     # BEGIN: initPreScript
     {{- with .Values.initPreScript -}}
@@ -16,52 +19,107 @@ stringData:
     # END: initPreScript
     {{- end }}
 
+    set -x
+
+    {{- if not .Values.image.rootless }}
     chown 1000:1000 /data
+    {{- end }}
     mkdir -p /data/git/.ssh
     chmod -R 700 /data/git/.ssh
-    mkdir -p /data/gitea/conf
+    [ ! -d /data/gitea ] && mkdir -p /data/gitea/conf
+
+    # prepare temp directory structure
+    mkdir -p "${GITEA_TEMP}"
+    chown 1000:1000 "${GITEA_TEMP}"
+    chmod ug+rwx "${GITEA_TEMP}"
 
     # Copy config file to writable volume
     cp /etc/gitea/conf/app.ini /data/gitea/conf/app.ini
     chmod a+rwx /data/gitea/conf/app.ini
+  configure_gitea.sh: |-
+    #!/usr/bin/env bash
+
+    set -euo pipefail
+
     {{- if include "db.servicename" . }}
-    # Wait for database to become avialble
-    nc -v -w2 -z {{ include "db.servicename" . }} {{ include "db.port" . }} && \
+    # Connection retry inspired by https://gist.github.com/dublx/e99ea94858c07d2ca6de
+    function test_db_connection() {
+      local RETRY=0
+      local MAX=30
+
+      echo 'Wait for database to become avialable...'
+      until [ "${RETRY}" -ge "${MAX}" ]; do
+        nc -vz -w2 {{ include "db.servicename" . }} {{ include "db.port" . }} && break
+        RETRY=$[${RETRY}+1]
+        echo "...not ready yet (${RETRY}/${MAX})"
+      done
+
+      if [ "${RETRY}" -ge "${MAX}" ]; then
+        echo "Database not reachable after '${MAX}' attempts!"
+        exit 1
+      fi
+    }
+
+    test_db_connection
     {{- end }}
-    {{- if not .Values.image.rootless }}
-    su git -c ' \
-    {{- end }}
-    set -x; \
-    gitea migrate; \
-    {{- if and .Values.gitea.admin.username .Values.gitea.admin.password }}
-    gitea admin create-user --username  {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }} --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
-    || \
-    gitea admin change-password --username {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }} \
-    || \
-    gitea admin user create --username  {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }} --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
-    || \
-    gitea admin user change-password --username {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }}; \
+
+    echo '==== BEGIN GITEA CONFIGURATION ===='
+
+    gitea migrate
+
+    {{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}
+    function configure_admin_user() {
+      local ACCOUNT_ID=$(gitea admin user list --admin | grep -e "\s\+${GITEA_ADMIN_USERNAME}\s\+" | awk -F " " "{printf \$1}")
+      if [[ -z "${ACCOUNT_ID}" ]]; then
+        echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
+        gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
+        echo '...created.'
+      else
+        echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
+        gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"
+        echo '...password sync done.'
+      fi
+    }
+
+    configure_admin_user
     {{- end }}
+
     {{- if .Values.gitea.ldap.enabled }}
-    gitea admin auth add-ldap \
-    {{- include "gitea.ldap_settings" . | nindent 6 }} \
-    || \
-    ( \
-      export GITEA_AUTH_ID=$(gitea admin auth list | grep {{ .Values.gitea.ldap.name | quote }} | awk -F " "  "{print \$1}"); \
-      gitea admin auth update-ldap --id ${GITEA_AUTH_ID} \
-      {{- include "gitea.ldap_settings" . | nindent 6 }} \
-    ) \
+    function configure_ldap() {
+      local LDAP_NAME={{ (printf "%s" .Values.gitea.ldap.name) | squote }}
+      local GITEA_AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${LDAP_NAME}\s+\|" | grep -iE '\|LDAP \(via BindDN\)\s+\|' | awk -F " "  "{print \$1}")
+
+      if [[ -z "${GITEA_AUTH_ID}" ]]; then
+        echo "No ldap configuration found with name '${LDAP_NAME}'. Installing it now..."
+        gitea admin auth add-ldap {{- include "gitea.ldap_settings" . | indent 1 }}
+        echo '...installed.'
+      else
+        echo "Existing ldap configuration with name '${LDAP_NAME}': '${GITEA_AUTH_ID}'. Running update to sync settings..."
+        gitea admin auth update-ldap --id "${GITEA_AUTH_ID}" {{- include "gitea.ldap_settings" . | indent 1 }}
+        echo '...sync settings done.'
+      fi
+    }
+
+    configure_ldap
     {{- end }}
+
     {{- if .Values.gitea.oauth.enabled }}
-    gitea admin auth add-oauth \
-    {{- include "gitea.oauth_settings" . | nindent 6 }} \
-    || \
-    ( \
-      export GITEA_AUTH_ID=$(gitea admin auth list | grep {{ .Values.gitea.oauth.name | quote }} | awk -F " "  "{print \$1}"); \
-      gitea admin auth update-oauth --id ${GITEA_AUTH_ID} \
-      {{- include "gitea.oauth_settings" . | nindent 6 }} \
-    ) \
-    {{- end }}
-    {{- if not .Values.image.rootless }}
-    '
+    function configure_oauth() {
+      local OAUTH_NAME={{ (printf "%s" .Values.gitea.oauth.name) | squote }}
+      local AUTH_ID=$(gitea admin auth list --vertical-bars | grep -E "\|${OAUTH_NAME}\s+\|" | grep -iE '\|OAuth2\s+\|' | awk -F " "  "{print \$1}")
+
+      if [[ -z "${AUTH_ID}" ]]; then
+        echo "No oauth configuration found with name '${OAUTH_NAME}'. Installing it now..."
+        gitea admin auth add-oauth {{- include "gitea.oauth_settings" . | indent 1 }}
+        echo '...installed.'
+      else
+        echo "Existing oauth configuration with name '${OAUTH_NAME}': '${AUTH_ID}'. Running update to sync settings..."
+        gitea admin auth update-oauth --id "${AUTH_ID}" {{- include "gitea.oauth_settings" . | indent 1 }}
+        echo '...sync settings done.'
+      fi
+    }
+
+    configure_oauth
     {{- end }}
+
+    echo '==== END GITEA CONFIGURATION ===='

templates/gitea/statefulset.yaml

@@ -38,9 +38,9 @@ spec:
       securityContext:
         fsGroup: 1000
       initContainers:
-        - name: init
+        - name: init-directories
           image: "{{ include "gitea.image" . }}"
-          command: ["/usr/sbin/init_gitea.sh"]
+          command: ["/usr/sbin/init_directory_structure.sh"]
           env:
             - name: GITEA_APP_INI
               value: /data/gitea/conf/app.ini
@@ -48,12 +48,16 @@ spec:
               value: /data/gitea
             - name: GITEA_WORK_DIR
               value: /data
+            - name: GITEA_TEMP
+              value: /tmp/gitea
             {{- if .Values.statefulset.env }}
             {{- toYaml .Values.statefulset.env | nindent 12 }}
             {{- end }}
           volumeMounts:
             - name: init
               mountPath: /usr/sbin
+            - name: temp
+              mountPath: /tmp
             - name: config
               mountPath: /etc/gitea/conf
             - name: data
@@ -61,6 +65,69 @@ spec:
             {{- if .Values.extraVolumeMounts }}
             {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
             {{- end }}
+        - name: configure-gitea
+          image: "{{ include "gitea.image" . }}"
+          command: ["/usr/sbin/configure_gitea.sh"]
+          securityContext:
+            runAsUser: 1000
+          env:
+            - name: GITEA_APP_INI
+              value: /data/gitea/conf/app.ini
+            - name: GITEA_CUSTOM
+              value: /data/gitea
+            - name: GITEA_WORK_DIR
+              value: /data
+            - name: GITEA_TEMP
+              value: /tmp/gitea
+            {{- if .Values.gitea.ldap.enabled }}
+            {{- if .Values.gitea.ldap.existingSecret }}
+            - name: GITEA_LDAP_BIND_DN
+              valueFrom:
+                secretKeyRef:
+                  key:  bindDn
+                  name: {{ .Values.gitea.ldap.existingSecret }}
+            - name: GITEA_LDAP_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key:  bindPassword
+                  name: {{ .Values.gitea.ldap.existingSecret }}
+            {{- else }}
+            - name: GITEA_LDAP_BIND_DN
+              value: {{ .Values.gitea.ldap.bindDn | quote }}
+            - name: GITEA_LDAP_PASSWORD
+              value: {{ .Values.gitea.ldap.bindPassword | quote }}
+            {{- end }}
+            {{- end }}
+            {{- if .Values.gitea.admin.existingSecret }}
+            - name: GITEA_ADMIN_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  key:  username
+                  name: {{ .Values.gitea.admin.existingSecret }}
+            - name: GITEA_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key:  password
+                  name: {{ .Values.gitea.admin.existingSecret }}
+            {{- else }}
+            - name: GITEA_ADMIN_USERNAME
+              value: {{ .Values.gitea.admin.username | quote }}
+            - name: GITEA_ADMIN_PASSWORD
+              value: {{ .Values.gitea.admin.password | quote }}
+            {{- end }}
+            {{- if .Values.statefulset.env }}
+            {{- toYaml .Values.statefulset.env | nindent 12 }}
+            {{- end }}
+          volumeMounts:
+            - name: init
+              mountPath: /usr/sbin
+            - name: temp
+              mountPath: /tmp
+            - name: data
+              mountPath: /data
+            {{- if .Values.extraVolumeMounts }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
       terminationGracePeriodSeconds: {{ .Values.statefulset.terminationGracePeriodSeconds }}
       containers:
         - name: {{ .Chart.Name }}
@@ -82,6 +149,10 @@ spec:
               value: /tmp/gitea
             - name: TMPDIR
               value: /tmp/gitea
+            {{- if .Values.signing.enabled }}
+            - name: GNUPGHOME
+              value: {{ .Values.signing.gpgHome }}
+            {{- end }}
             {{- if .Values.statefulset.env }}
             {{- toYaml .Values.statefulset.env | nindent 12 }}
             {{- end }}
@@ -173,7 +244,9 @@ spec:
   {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
         - name: data
           persistentVolumeClaim:
-            claimName: {{ .Values.persistence.existingClaim }}
+  {{- with .Values.persistence.existingClaim }}
+            claimName: {{ tpl . $ }}
+  {{- end }}
   {{- else if not .Values.persistence.enabled }}
         - name: data
           emptyDir: {}

values.yaml

@@ -8,7 +8,7 @@ clusterDomain: cluster.local
 
 image:
   repository: gitea/gitea
-  tag: 1.14.2
+  tag: 1.14.6
   pullPolicy: Always
   rootless: false # only possible when running 1.14 or later
 
@@ -16,15 +16,22 @@ imagePullSecrets: []
 
 # only usable with rootless image due to image design
 securityContext: {}
-#  allowPrivilegeEscalation: false
-#  capabilities:
-#    drop:
-#      - ALL
-#  privileged: false
-#  readOnlyRootFilesystem: true
-#  runAsGroup: 1000
-#  runAsNonRoot: true
-#  runAsUser: 1000
+#   allowPrivilegeEscalation: false
+#   capabilities:
+#     drop:
+#       - ALL
+#   # Add the SYS_CHROOT capability for root and rootless images if you intend to
+#   # run pods on nodes that use the container runtime cri-o. Otherwise, you will
+#   # get an error message from the SSH server that it is not possible to read from
+#   # the repository.
+#   # https://gitea.com/gitea/helm-chart/issues/161
+#     add:
+#       - SYS_CHROOT
+#   privileged: false
+#   readOnlyRootFilesystem: true
+#   runAsGroup: 1000
+#   runAsNonRoot: true
+#   runAsUser: 1000
 
 service:
   http:
@@ -54,7 +61,10 @@ ingress:
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
   hosts:
-    - git.example.com
+    - host: git.example.com
+      paths:
+        - path: /
+          pathType: Prefix
   tls: []
   #  - secretName: chart-example-tls
   #    hosts:
@@ -124,9 +134,14 @@ initPreScript: ""
 #   chown -R git:git /data/git/.postgresql/
 #   chmod 400 /data/git/.postgresql/postgresql.key
 
+# Configure commit/action signing prerequisites
+signing:
+  enabled: false
+  gpgHome: /data/git/.gnupg
 
 gitea:
   admin:
+    #existingSecret: gitea-admin-secret
     username: gitea_admin
     password: r8sA8CPHD9!bt6d
     email: "gitea@local.domain"
@@ -140,6 +155,7 @@ gitea:
 
   ldap:
     enabled: false
+    #existingSecret: gitea-ldap-secret
     #name:
     #securityProtocol:
     #host:
@@ -208,6 +224,7 @@ gitea:
   startupProbe:
     enabled: false
     initialDelaySeconds: 60
+    timeoutSeconds: 1
     periodSeconds: 10
     successThreshold: 1
     failureThreshold: 10