create initial secrets before app.ini removal

fix #396

Set the default of `$HOME` to `/data/gitea/git` for rootless images to make chart openshift compliant.

Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/447
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: pat-s <patrick.schratz@gmail.com>
Co-committed-by: pat-s <patrick.schratz@gmail.com>

.gitea/workflows/release-version.yml

@@ -19,24 +19,35 @@ jobs:
           apt update -y
           apt install -y python helm python3-pip apt-transport-https
           pip install awscli
+
+      - name: Import GPG key
+        id: import_gpg
+        uses: https://github.com/crazy-max/ghaction-import-gpg@v5
+        with:
+          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
+          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
+          fingerprint: CC64B1DB67ABBEECAB24B6455FC346329753F4B0
+
+      # Using helm gpg plugin as 'helm package --sign' has issues with gpg2: https://github.com/helm/helm/issues/2843
       - name: package chart
         run: |
+          # FIXME: use upstream after https://github.com/technosophos/helm-gpg/issues/1 is solved
+          helm plugin install https://github.com/pat-s/helm-gpg
           helm dependency update
           helm package --version "${GITHUB_REF#refs/tags/v}" ./
+          helm gpg sign "gitea-${GITHUB_REF#refs/tags/v}.tgz"
           mkdir gitea
           mv gitea*.tgz gitea/
           curl -L -o gitea/index.yaml https://dl.gitea.com/charts/index.yaml
           helm repo index gitea/ --url https://dl.gitea.io/charts --merge gitea/index.yaml
+
       - name: aws credential configure
         uses: https://github.com/aws-actions/configure-aws-credentials@v2
         with:
           aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: ${{ secrets.AWS_REGION }}
-      - name: install aws cli
-        run: |
-          apt update -y &&
-          pip install awscli
+
       - name: Copy files to S3 and clear cache
         run: |
           aws s3 sync gitea/ s3://${{ secrets.AWS_S3_BUCKET}}/charts/

Chart.yaml

@@ -3,7 +3,7 @@ name: gitea
 description: Gitea Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.19.2
+appVersion: 1.19.3
 icon: https://docs.gitea.io/images/gitea.png
 
 keywords:

README.md

@@ -756,7 +756,7 @@ gitea:
 | Name                                                    | Description                                                      | Value   |
 | ------------------------------------------------------- | ---------------------------------------------------------------- | ------- |
 | `postgresql.enabled`                                    | Enable PostgreSQL                                                | `true`  |
-| `postgresql.global.postgresql.auth.password`            | Password for the "Gitea" user (overrides `auth.password`)        | `gitea` |
+| `postgresql.global.postgresql.auth.password`            | Password for the `gitea` user (overrides `auth.password`)        | `gitea` |
 | `postgresql.global.postgresql.auth.database`            | Name for a custom database to create (overrides `auth.database`) | `gitea` |
 | `postgresql.global.postgresql.auth.username`            | Name for a custom user to create (overrides `auth.username`)     | `gitea` |
 | `postgresql.global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`)   | `5432`  |
@@ -770,6 +770,7 @@ gitea:
 | `test.enabled`     | Set it to false to disable test-connection Pod.                    | `true`    |
 | `test.image.name`  | Image name for the wget container used in the test-connection Pod. | `busybox` |
 | `test.image.tag`   | Image tag for the wget container used in the test-connection Pod.  | `latest`  |
+| `extraDeploy`      | Array of extra objects to deploy with the release                  | `[]`      |
 
 ## Contributing
 

package.json

@@ -13,7 +13,7 @@
     "readme:parameters": "readme-generator -v values.yaml -r README.md"
   },
   "devDependencies": {
-    "@bitnami/readme-generator-for-helm": "^2.4.2",
-    "markdownlint-cli": "^0.31.1"
+    "@bitnami/readme-generator-for-helm": "^2.5.0",
+    "markdownlint-cli": "^0.34.0"
   }
 }

templates/gitea/config.yaml

@@ -20,6 +20,28 @@ stringData:
     #!/usr/bin/env bash
     set -euo pipefail
 
+    ### initial creation of persistent secrets
+    if ![ -f ${GITEA_APP_INI} ]; then
+      function env2ini::generate_initial_secrets() {
+        # These environment variables will either be
+        #   - overwritten with user defined values,
+        #   - initially used to set up Gitea
+        # Anyway, they won't harm existing app.ini files
+
+        export ENV_TO_INI__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
+        export ENV_TO_INI__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
+        export ENV_TO_INI__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
+        export ENV_TO_INI__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
+
+        env2ini::log "...Initial secrets generated\n"
+      }
+    fi
+
+    # ensure a clean start
+    if [ -f ${GITEA_APP_INI} ]; then
+      rm $GITEA_APP_INI
+    fi
+
     function env2ini::log() {
       printf "${1}\n"
     }
@@ -128,20 +150,6 @@ stringData:
       fi
     }
 
-    function env2ini::generate_initial_secrets() {
-      # These environment variables will either be
-      #   - overwritten with user defined values,
-      #   - initially used to set up Gitea
-      # Anyway, they won't harm existing app.ini files
-
-      export ENV_TO_INI__SECURITY__INTERNAL_TOKEN=$(gitea generate secret INTERNAL_TOKEN)
-      export ENV_TO_INI__SECURITY__SECRET_KEY=$(gitea generate secret SECRET_KEY)
-      export ENV_TO_INI__OAUTH2__JWT_SECRET=$(gitea generate secret JWT_SECRET)
-      export ENV_TO_INI__SERVER__LFS_JWT_SECRET=$(gitea generate secret LFS_JWT_SECRET)
-
-      env2ini::log "...Initial secrets generated\n"
-    }
-
     env | (grep ENV_TO_INI || [[ $? == 1 ]]) > /tmp/existing-envs
     
     # MUST BE CALLED BEFORE OTHER CONFIGURATION

templates/gitea/extra-list.yaml

@@ -0,0 +1,8 @@
+{{- range .Values.extraDeploy }}
+---
+{{- if typeIs "string" . }}
+    {{- tpl . $ }}
+{{- else }}
+    {{- tpl (. | toYaml) $ }}
+{{- end }}
+{{- end }}

templates/gitea/statefulset.yaml

@@ -173,6 +173,10 @@ spec:
               value: /data
             - name: GITEA_TEMP
               value: /tmp/gitea
+            {{- if .Values.image.rootless }}
+            - name: HOME
+              value: /data/gitea/git
+            {{- end }}
             {{- if .Values.gitea.ldap }}
             {{- range $idx, $value := .Values.gitea.ldap }}
             {{- if $value.existingSecret }}
@@ -268,6 +272,10 @@ spec:
               value: /tmp/gitea
             - name: TMPDIR
               value: /tmp/gitea
+            {{- if .Values.image.rootless }}
+            - name: HOME
+              value: /data/gitea/git
+            {{- end }}
             {{- if .Values.signing.enabled }}
             - name: GNUPGHOME
               value: {{ .Values.signing.gpgHome }}

values.yaml

@@ -450,7 +450,7 @@ memcached:
 ## @section PostgreSQL
 #
 ## @param postgresql.enabled Enable PostgreSQL
-## @param postgresql.global.postgresql.auth.password Password for the "gitea" user (overrides `auth.password`)
+## @param postgresql.global.postgresql.auth.password Password for the `gitea` user (overrides `auth.password`)
 ## @param postgresql.global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`)
 ## @param postgresql.global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`)
 ## @param postgresql.global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
@@ -483,3 +483,7 @@ test:
   image:
     name: busybox
     tag: latest
+
+## @param extraDeploy Array of extra objects to deploy with the release
+##
+extraDeploy: []