lunny/helm-chart
1
0
Fork 1
Code Issues 36 Pull Requests 14 Actions Packages Projects Releases 93 Wiki Activity

Install gitea on OKD/openshift #567

New Issue
Open
opened 2023-11-16 08:40:42 +00:00 by ffppmm · 12 comments
ffppmm commented 2023-11-16 08:40:42 +00:00 (Migrated from gitea.com)
Copy Link

Hello,

I like gitea a lot and used it private. Now I wan't to use it in my company and tried to deploy it to an okd cluster. I think the Security Constraints are somehow missing.

Is there a step by step "explanation" how to install gitea on okd/openshift?

Regards Philipp

Hello, I like gitea a lot and used it private. Now I wan't to use it in my company and tried to deploy it to an okd cluster. I think the Security Constraints are somehow missing. Is there a step by step "explanation" how to install gitea on okd/openshift? Regards Philipp
pat-s commented 2023-11-16 10:27:15 +00:00 (Migrated from gitea.com)
Copy Link

Is there a step by step "explanation" how to install gitea on okd/openshift?

There is not, otherwise it would exist in the documentation :)

You need to tell us what is missing/doesn't work. There are actually quite a few security-related options in the chart like containerSecurityContext and others.

> Is there a step by step "explanation" how to install gitea on okd/openshift? There is not, otherwise it would exist in the documentation :) You need to tell us what is missing/doesn't work. There are actually quite a few security-related options in the chart like `containerSecurityContext` and others.
ffppmm commented 2023-11-17 08:04:35 +00:00 (Migrated from gitea.com)
Copy Link

Hello,

Is there a step by step "explanation" how to install gitea on okd/openshift?

There is not, otherwise it would exist in the documentation :)

Just asking if I missed something.

You need to tell us what is missing/doesn't work. There are actually quite a few security-related options in the chart like containerSecurityContext and others.

Than I will bring gitea to "live" on OKD/Openshift and let you know how I did it. Maybe I can contribute to the Documentation 😄

I will start with "AllInOnePod", thank you,
Regards Philipp

Hello, > > Is there a step by step "explanation" how to install gitea on okd/openshift? > > There is not, otherwise it would exist in the documentation :) Just asking if I missed something. > You need to tell us what is missing/doesn't work. There are actually quite a few security-related options in the chart like `containerSecurityContext` and others. Than I will bring gitea to "live" on OKD/Openshift and let you know how I did it. Maybe I can contribute to the Documentation 😄 I will start with "AllInOnePod", thank you, Regards Philipp
❤️ 1
justusbunsi commented 2023-11-17 08:10:37 +00:00 (Migrated from gitea.com)
Copy Link

Awesome. Thanks in advance for sharing.

Awesome. Thanks in advance for sharing.
ffppmm commented 2023-11-20 11:20:28 +00:00 (Migrated from gitea.com)
Copy Link

Hi,

I the following is the "problem" with openshift/OKD:

            {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
            {{- $csc := deepCopy .Values.containerSecurityContext -}}
            {{- if not (hasKey $csc "runAsUser") -}}
            {{- $_ := set $csc "runAsUser" 1000 -}}
            {{- end -}}

For openshift/OKD deployment we don't need a default user so I removed the {{- if not (hasKey $csc "runAsUser") -}} ... {{- end -}} block and it works find, because the POD gets a random user assigned.

My first thought was to create something like this:

            {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
            {{- $csc := deepCopy .Values.containerSecurityContext -}}
            {{- if and not (hasKey $csc "runAsUser") .Values.deployment.insertDefaultRunAsUser -}}
            {{- $_ := set $csc "runAsUser" 1000 -}}
            {{- end -}}

ofc with the corresponding value set to true in values.yaml, so no default behavior is touched.

Any thoughts on this?
regards Philipp

Hi, I the following is the "problem" with openshift/OKD: ``` {{- /* By default this container runs as user 1000 unless otherwise stated */ -}} {{- $csc := deepCopy .Values.containerSecurityContext -}} {{- if not (hasKey $csc "runAsUser") -}} {{- $_ := set $csc "runAsUser" 1000 -}} {{- end -}} ``` For openshift/OKD deployment we don't need a default user so I removed the ` {{- if not (hasKey $csc "runAsUser") -}} ... {{- end -}}` block and it works find, because the POD gets a random user assigned. My first thought was to create something like this: ``` {{- /* By default this container runs as user 1000 unless otherwise stated */ -}} {{- $csc := deepCopy .Values.containerSecurityContext -}} {{- if and not (hasKey $csc "runAsUser") .Values.deployment.insertDefaultRunAsUser -}} {{- $_ := set $csc "runAsUser" 1000 -}} {{- end -}} ``` ofc with the corresponding value set to true in values.yaml, so no default behavior is touched. Any thoughts on this? regards Philipp
ffppmm commented 2023-11-21 07:40:41 +00:00 (Migrated from gitea.com)
Copy Link

Hi,

some News, I made a mistake :( I used:

oc adm policy add-scc-to-user anyuid -z default -n gitea

So Everything works correct with the fsGroup of the container. I will dig into the matter Security Constraints,

Regards Philipp

Hi, some News, I made a mistake :( I used: ```bash oc adm policy add-scc-to-user anyuid -z default -n gitea ``` So Everything works correct with the fsGroup of the container. I will dig into the matter Security Constraints, Regards Philipp
👍 1
pat-s commented 2023-11-30 15:05:55 +00:00 (Migrated from gitea.com)
Copy Link

So, everything works? If so, this would be great news. Maybe you could post any modifications to values.yml which you needed to make to get this working? Could also be a PR to the README to make it easier for others to find.

So, everything works? If so, this would be great news. Maybe you could post any modifications to values.yml which you needed to make to get this working? Could also be a PR to the README to make it easier for others to find.
ffppmm commented 2023-12-01 08:56:17 +00:00 (Migrated from gitea.com)
Copy Link

Hi,
sry for not replying, I will dive into it next week, currently no time 😄

I have not forgotten gitea 😉

Regards Philipp

Hi, sry for not replying, I will dive into it next week, currently no time 😄 I have not forgotten gitea 😉 Regards Philipp
ffppmm commented 2023-12-06 15:08:44 +00:00 (Migrated from gitea.com)
Copy Link

So hi again 😄

I had to make the following changes to the original helm chart:

diff -r gitea/templates/gitea/deployment.yaml gitea_orig/templates/gitea/deployment.yaml
139c139,144
<             {{- toYaml .Values.containerSecurityContext | nindent 12 }}
---
>             {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
>             {{- $csc := deepCopy .Values.containerSecurityContext -}}
>             {{- if not (hasKey $csc "runAsUser") -}}
>             {{- $_ := set $csc "runAsUser" 1000 -}}
>             {{- end -}}
>             {{- toYaml $csc | nindent 12 }}
165c170,175
<             {{- toYaml .Values.containerSecurityContext | nindent 12 }}
---
>             {{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
>             {{- $csc := deepCopy .Values.containerSecurityContext -}}
>             {{- if not (hasKey $csc "runAsUser") -}}
>             {{- $_ := set $csc "runAsUser" 1000 -}}
>             {{- end -}}
>             {{- toYaml $csc | nindent 12 }}
Only in gitea_orig/templates/gitea: ssh-svc.yaml
diff -r gitea/values.yaml gitea_orig/values.yaml
63,64c63,64
< podSecurityContext: {}
< #  fsGroup: 1000
---
> podSecurityContext:
>   fsGroup: 1000

These changes are primary to eliminate any "user context". Found an interessting article how to do it with id 1000 😉

https://cookbook.openshift.org/users-and-role-based-access-control/how-can-i-enable-an-image-to-run-as-a-set-user-id.html

This I will check out next week because it sounds better than modifying the gitea helm chart. Also because the user git has id 1000, much nicer 😄

regards Philipp

So hi again 😄 I had to make the following changes to the original helm chart: ``` diff -r gitea/templates/gitea/deployment.yaml gitea_orig/templates/gitea/deployment.yaml 139c139,144 < {{- toYaml .Values.containerSecurityContext | nindent 12 }} --- > {{- /* By default this container runs as user 1000 unless otherwise stated */ -}} > {{- $csc := deepCopy .Values.containerSecurityContext -}} > {{- if not (hasKey $csc "runAsUser") -}} > {{- $_ := set $csc "runAsUser" 1000 -}} > {{- end -}} > {{- toYaml $csc | nindent 12 }} 165c170,175 < {{- toYaml .Values.containerSecurityContext | nindent 12 }} --- > {{- /* By default this container runs as user 1000 unless otherwise stated */ -}} > {{- $csc := deepCopy .Values.containerSecurityContext -}} > {{- if not (hasKey $csc "runAsUser") -}} > {{- $_ := set $csc "runAsUser" 1000 -}} > {{- end -}} > {{- toYaml $csc | nindent 12 }} Only in gitea_orig/templates/gitea: ssh-svc.yaml diff -r gitea/values.yaml gitea_orig/values.yaml 63,64c63,64 < podSecurityContext: {} < # fsGroup: 1000 --- > podSecurityContext: > fsGroup: 1000 ``` These changes are primary to eliminate any "user context". Found an interessting article how to do it with id 1000 😉 https://cookbook.openshift.org/users-and-role-based-access-control/how-can-i-enable-an-image-to-run-as-a-set-user-id.html This I will check out next week because it sounds better than modifying the gitea helm chart. Also because the user git has id 1000, much nicer 😄 regards Philipp
techknowlogick commented 2023-12-07 18:03:04 +00:00 (Migrated from gitea.com)
Copy Link

Thanks Phillpp, your investigations into this has been helpful. I've only had access to a more relaxed openshift environment in terms of security (likely more relaxed than defaults), so this will for sure be beneficial for others too :)

Thanks Phillpp, your investigations into this has been helpful. I've only had access to a more relaxed openshift environment in terms of security (likely more relaxed than defaults), so this will for sure be beneficial for others too :)
pat-s commented 2023-12-11 08:14:25 +00:00 (Migrated from gitea.com)
Copy Link

I'll have to work in an openshift env soon and also planning to play around with OKD. WRT to "user context": I think there should be a "better" way than to remove the part from the chart. From what I know, Openshift is actually very "user context" focused (i.e. using non-root execution) so maybe it only needs some config adaptions instead of removing the context.

I'll have to work in an openshift env soon and also planning to play around with OKD. WRT to "user context": I think there should be a "better" way than to remove the part from the chart. From what I know, Openshift is actually very "user context" focused (i.e. using non-root execution) so maybe it only needs some config adaptions instead of removing the context.
ffppmm commented 2023-12-13 09:08:54 +00:00 (Migrated from gitea.com)
Copy Link

Hi,

didn't find time to create my own SCC, but ...

I added the "gitea" service User to the nonroot-v2 SCC, that's OK for us:

oc adm policy add-scc-to-user nonroot-v2 -z gitea -n gitea

and everything works,
regards

Hi, didn't find time to create my own SCC, but ... I added the "gitea" service User to the nonroot-v2 SCC, that's OK for us: ```bash oc adm policy add-scc-to-user nonroot-v2 -z gitea -n gitea ``` and everything works, regards
ffppmm commented 2023-12-14 13:48:08 +00:00 (Migrated from gitea.com)
Copy Link

Hi,
you could also do this by template:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: 'gitea:nonroot-v2'
  namespace: gitea
subjects:
  - kind: ServiceAccount
    name: gitea
    namespace: gitea
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'system:openshift:scc:nonroot-v2'

Works perfect 😄
Regards Philipp

Hi, you could also do this by template: ```yaml kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: 'gitea:nonroot-v2' namespace: gitea subjects: - kind: ServiceAccount name: gitea namespace: gitea roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: 'system:openshift:scc:nonroot-v2' ``` Works perfect 😄 Regards Philipp
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
has/backport
in progress
invalid
kind/breaking
kind/bug
kind/build
kind/dependency
kind/deployment
kind/docs
kind/enhancement
kind/feature
kind/lint
kind/proposal
kind/question
kind/refactor
kind/security
kind/testing
kind/translation
kind/ui
need/backport
priority/critical
priority/low
priority/maybe
priority/medium
reviewed/duplicate
reviewed/invalid
reviewed/wontfix
skip-changelog
status/blocked
status/needs-feedback
status/needs-reviews
status/wip
upstream/gitea
upstream/other
No Label
kind/question
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
lunny
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: lunny/helm-chart#567
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?