allowed pass db credential through secret. #60

New Issue

Closed

opened 2020-11-17 19:09:31 +00:00 by wener · 10 comments

wener commented 2020-11-17 19:09:31 +00:00 (Migrated from gitea.com)

Copy Link

Using gitops, deploy must go through git, but this chart require clear credential.

During the init, can mount the external secret as env or somthing to provice extra conf for app.ini.

Using gitops, deploy must go through git, but this chart require clear credential. During the init, can mount the external secret as env or somthing to provice extra conf for app.ini.

👍 1

luhahn commented 2020-11-19 10:49:08 +00:00 (Migrated from gitea.com)

Copy Link

Do you want this option for the admin password only or for the database credentials as well?

Do you want this option for the admin password only or for the database credentials as well?

viceice commented 2021-01-28 05:32:01 +00:00 (Migrated from gitea.com)

Copy Link

I think this should be for all passwords / secrets.

Maybe the chart can optionally use key-value pairs from an existing secret?

I think this should be for all passwords / secrets. Maybe the chart can optionally use key-value pairs from an existing secret?

Starefossen commented 2021-02-16 22:48:21 +00:00 (Migrated from gitea.com)

Copy Link

Injecting database credentials via secrets is a requirement if you want to use gitea with the Kubernetes PostgreSQL operator.

Injecting database credentials via secrets is a requirement if you want to use gitea with the Kubernetes PostgreSQL operator.

luhahn commented 2021-04-12 12:01:50 +00:00 (Migrated from gitea.com)

Copy Link

I currently have no idea how to do this properly :/

It is no problem at all to inject those secrets as env variables. However to set the database passwords we somehow need to get them into the app.ini.

First idea would be to check if secrets are available and set a placeholder in the generated app.ini and set it later in the init container via sed.

But im not really happy with this approach

I currently have no idea how to do this properly :/ It is no problem at all to inject those secrets as env variables. However to set the database passwords we somehow need to get them into the app.ini. First idea would be to check if secrets are available and set a placeholder in the generated app.ini and set it later in the init container via sed. But im not really happy with this approach

rema commented 2021-04-22 10:36:18 +00:00 (Migrated from gitea.com)

Copy Link

I am also interested in providing secrets to gitea using environment variables instead of setting them in plain format in app.ini. I did a bit of research and found out, since gitea image v1.14.1, there is the possibility to override everything in app.ini by passing ENVs by following the pattern "GITEA__SECTION_NAME__KEY_NAME". You can read more about this feature Managing Deployments With Environment Variables

So if I understand it correctly, we just need to extend the {{Values.statefulset.env}} to support not only simple "value" but also a "valueFrom" object. e.g:
...
env:
- name: GITEA_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: nameOfSecret
key: password

Thanks

I am also interested in providing secrets to gitea using environment variables instead of setting them in plain format in app.ini. I did a bit of research and found out, since gitea image v1.14.1, there is the possibility to override everything in app.ini by passing ENVs by following the pattern "GITEA__SECTION_NAME__KEY_NAME". You can read more about this feature [Managing Deployments With Environment Variables](https://docs.gitea.io/en-us/install-with-docker/#managing-deployments-with-environment-variables) So if I understand it correctly, we just need to extend the {{Values.statefulset.env}} to support not only simple "value" but also a "valueFrom" object. e.g: ... env: - name: GITEA_ADMIN_PASSWORD valueFrom: secretKeyRef: name: nameOfSecret key: password Thanks

🎉 1

luhahn commented 2021-04-23 10:57:56 +00:00 (Migrated from gitea.com)

Copy Link

will check this, thanks for the hint :)

will check this, thanks for the hint :)

luhahn commented 2021-04-29 09:19:13 +00:00 (Migrated from gitea.com)

Copy Link

merged with #148

merged with #148

wener commented 2021-08-01 17:13:09 +00:00 (Migrated from gitea.com)

Copy Link

@luhahn still don't get how can I pass db conf by secret, there is no gitea.database.existingSecret like admin

@luhahn still don't get how can I pass db conf by secret, there is no gitea.database.existingSecret like admin

wener commented 2021-08-01 17:15:32 +00:00 (Migrated from gitea.com)

Copy Link

ok, 1.14 support from env. like

- GITEA__database__DB_TYPE=mysql
- GITEA__database__HOST=db:3306
- GITEA__database__NAME=gitea
- GITEA__database__USER=gitea
- GITEA__database__PASSWD=gitea

ok, 1.14 support from env. like ```yaml - GITEA__database__DB_TYPE=mysql - GITEA__database__HOST=db:3306 - GITEA__database__NAME=gitea - GITEA__database__USER=gitea - GITEA__database__PASSWD=gitea ```

rounakdatta commented 2024-09-25 08:38:21 +00:00 (Migrated from gitea.com)

Copy Link

Just in case anyone comes across this, here's a snippet how you can do this:

gitea:
  additionalConfigFromEnvs:
    - name: GITEA__DATABASE__PASSWD
      valueFrom:
        secretKeyRef:
          name: postgresdb-password
          key: password
    - name: GITEA__database__USER
      value: 'mario'

This is possible as this block is inserted as-is.

Just in case anyone comes across this, here's a snippet how you can do this: ``` gitea: additionalConfigFromEnvs: - name: GITEA__DATABASE__PASSWD valueFrom: secretKeyRef: name: postgresdb-password key: password - name: GITEA__database__USER value: 'mario' ``` This is possible as [this](https://gitea.com/gitea/helm-chart/src/branch/main/templates/gitea/deployment.yaml#L112) block is inserted as-is.

❤️ 1

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

renovate/postgresql-ha-15.x

renovate/postgresql-16.x

renovate/redis-20.x

renovate/redis-cluster-11.x

fix-674

app-ini-recreation

fix-env-to-ini

clean-app-ini

gitea-ha

v10.6.0

v10.5.0

v10.4.1

v10.4.0

v10.3.0

v10.2.0

v10.1.4

v10.1.3

v10.1.2

v10.1.1

v10.1.0

v10.0.2

v10.0.1

v10.0.0

v9.6.1

v9.6.0

v9.5.1

v9.5.0

v9.4.0

v9.3.0

v9.2.1

v9.2.0

v9.1.0

v9.0.4

v9.0.3

v9.0.2

v9.0.1

v9.0.0

v8.3.0

v8.2.0

v8.1.0

v8.0.3

v8.0.2

v8.0.1

v8.0.0

v7.0.4

v7.0.3

v7.0.2

v7.0.1

v7.0.0

v6.0.5

v6.0.4

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.9

v5.0.8

v5.0.7

v5.0.6

v5.0.5

v5.0.4

v5.0.3

v5.0.2

v5.0.1

v5.0.0

v4.1.1

v4.1.0

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.0

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.11

v2.1.10

v2.1.9

v2.1.8

v2.1.7

v2.1.6

v2.1.5

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.0

v1.5.5

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.9

v1.4.8

v1.4.7

v1.4.6

v1.4.5

v1.4.4

v1.4.3

v1.4.2

Labels

Clear labels

has/backport

in progress

invalid

kind/breaking

kind/bug

kind/build

kind/dependency

kind/deployment

kind/docs

kind/enhancement

kind/feature

kind/lint

kind/proposal

kind/question

kind/refactor

kind/security

kind/testing

kind/translation

kind/ui

need/backport

priority/critical

priority/low

priority/maybe

priority/medium

reviewed/duplicate

reviewed/invalid

reviewed/wontfix

skip-changelog

status/blocked

status/needs-feedback

status/needs-reviews

status/wip

upstream/gitea

upstream/other

No Label

kind/proposal

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

lunny

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: lunny/helm-chart#60

No description provided.