feat: added OpenShift route (#954)

Reviewed-on: https://code.forgejo.org/forgejo-helm/forgejo-helm/pulls/954
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Lucien Weller <lucien@wellernet.ch>
Co-committed-by: Lucien Weller <lucien@wellernet.ch>
Lucien Weller 2024-11-10 08:56:52 +00:00 committed by Michael Kriese
parent 8bd2c48184
commit 7e1629e174
4 changed files with 263 additions and 0 deletions


@ -700,6 +700,13 @@ global:
adaptSecurityContext: force
```
An OCP route to access Forgejo can be enabled with the following config:
```yaml
route:
enabled: true
```
## Configure commit signing
When using the rootless image the gpg key folder is not persistent by default.
@ -954,6 +961,22 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
| `ingress.tls` | Ingress tls settings | `[]` |
| `ingress.apiVersion` | Specify APIVersion of ingress object. Mostly would only be used for argocd. | |
### Route
| Name | Description | Value |
| ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| `route.enabled` | Enable route | `false` |
| `route.annotations` | Route annotations | `{}` |
| `route.host` | Host to use for the route (will be assigned automatically by OKD / OpenShift is not defined) | `nil` |
| `route.wildcardPolicy` | Wildcard policy if any for the route, currently only 'Subdomain' or 'None' is allowed. | `nil` |
| `route.tls.termination` | termination type (see [OKD documentation](https://docs.okd.io/latest/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls)) | `edge` |
| `route.tls.insecureEdgeTerminationPolicy` | the desired behavior for insecure connections to a route (e.g. with http) | `Redirect` |
| `route.tls.existingSecret` | the name of a predefined secret of type kubernetes.io/tls with both key (tls.crt and tls.key) set accordingly (if defined attributes 'certificate', 'caCertificate' and 'privateKey' are ignored) | `nil` |
| `route.tls.certificate` | PEM encoded single certificate | `nil` |
| `route.tls.privateKey` | PEM encoded private key | `nil` |
| `route.tls.caCertificate` | PEM encoded CA certificate or chain that issued the certificate | `nil` |
| `route.tls.destinationCACertificate` | PEM encoded CA certificate used to verify the authenticity of final end point when 'termination' is set to 'passthrough' (ignored otherwise) | `nil` |
### deployment
| Name | Description | Value |


@ -0,0 +1,43 @@
{{- if .Values.route.enabled -}}
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: {{ include "gitea.fullname" . }}-http
namespace: {{ include "common.names.namespace" . | quote }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
annotations:
{{- toYaml .Values.route.annotations | nindent 4 }}
spec:
{{- if .Values.route.host }}
host: {{ tpl .Values.route.host $ | quote }}
{{- end }}
{{- if .Values.route.wildcardPolicy }}
wildcardPolicy: {{ .Values.route.wildcardPolicy }}
{{- end }}
to:
kind: Service
name: {{ include "gitea.fullname" . }}-http
weight: 100
port:
targetPort: http
tls:
termination: edge
insecureEdgeTerminationPolicy: Redirect
{{- if .Values.route.tls.existingSecret }}
externalCertificate: {{ .Values.route.tls.existingSecret }}
{{- else if and .Values.route.tls.certificate
.Values.route.tls.privateKey
.Values.route.tls.caCertificate }}
certificate: |
{{ .Values.route.tls.certificate | indent 6 }}
key: |
{{ .Values.route.tls.privateKey | indent 6 }}
caCertificate: |
{{ .Values.route.tls.caCertificate | indent 6 }}
{{- else if or .Values.route.tls.certificate
.Values.route.tls.privateKey
.Values.route.tls.caCertificate }}
{{- fail "certificate, privateKey and caCertificate must be specified together" }}
{{- end }}
{{- end }}
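Review bot: The `tls:` block at the end of the template hardcodes `termination: edge` and `insecureEdgeTerminationPolicy: Redirect`, so `route.tls.termination`, `route.tls.insecureEdgeTerminationPolicy` and `route.tls.destinationCACertificate` — documented as tunable in this commit's values.yaml and README — are silently ignored, and an operator who sets `termination: reencrypt` or `passthrough` still gets a route that decrypts at the router and forwards plaintext to `targetPort: http`. Render those three from values (below); and since the `-http` service looks like a plain-HTTP backend, either wire an HTTPS target port for the non-edge modes or `fail` on them explicitly instead of degrading silently. `externalCertificate` is, as far as I recall, an object reference in the Route API (`externalCertificate: {name: <secret>}`) that additionally requires the router service account to be granted read access to that secret — verify against the OKD API reference linked in the README before trusting the unit test, which only checks the rendered text. Inlining `route.tls.privateKey` through values leaves the key in clear text in the Route object and in the Helm release secret; steer operators to `existingSecret`, and `| quote` the templated scalars so an empty value cannot render as null.
```yaml
  tls:
    termination: {{ .Values.route.tls.termination | default "edge" | quote }}
    insecureEdgeTerminationPolicy: {{ .Values.route.tls.insecureEdgeTerminationPolicy | default "Redirect" | quote }}
    {{- if .Values.route.tls.destinationCACertificate }}
    destinationCACertificate: |
{{ .Values.route.tls.destinationCACertificate | indent 6 }}
    {{- end }}
    # … unchanged: existingSecret / inline certificate, key and caCertificate handling …
```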


@ -0,0 +1,155 @@
# $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
suite: route template
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/route.yaml
tests:
- it: hostname using TPL
set:
global.giteaHostName: 'gitea.example.com'
route.enabled: true
route.host: '{{ .Values.global.giteaHostName }}'
asserts:
- isKind:
of: Route
- equal:
path: spec.host
value: 'gitea.example.com'
- notExists:
path: spec.wildcardPolicy
- it: wildcard policy
set:
global.giteaHostName: 'gitea.example.com'
route.enabled: true
route.wildcardPolicy: 'Subdomain'
asserts:
- isKind:
of: Route
- equal:
path: spec.wildcardPolicy
value: 'Subdomain'
- it: existing certificate
set:
route.enabled: true
route.tls.existingSecret: certificate-secret
route.tls.certificate: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
route.tls.privateKey: |
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
route.tls.caCertificate: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
asserts:
- isKind:
of: Route
- equal:
path: spec.tls.externalCertificate
value: certificate-secret
- notExists:
path: spec.tls.certificate
- notExists:
path: spec.tls.key
- notExists:
path: spec.tls.caCertificate
- it: valid certificate values
set:
route.enabled: true
route.tls.certificate: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
route.tls.privateKey: |
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
route.tls.caCertificate: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
asserts:
- isKind:
of: Route
- notExists:
path: spec.tls.externalCertificate
- equal:
path: spec.tls.certificate
value: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
- equal:
path: spec.tls.key
value: |
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
- equal:
path: spec.tls.caCertificate
value: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
- it: missing certificate values
set:
route.enabled: true
route.tls.privateKey: |
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
route.tls.caCertificate: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
asserts:
- failedTemplate:
errorMessage: certificate, privateKey and caCertificate must be specified together
- it: missing privateKey values
set:
route.enabled: true
route.tls.certificate: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
route.tls.caCertificate: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
asserts:
- failedTemplate:
errorMessage: certificate, privateKey and caCertificate must be specified together
- it: missing caCertificate values
set:
route.enabled: true
route.tls.certificate: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
route.tls.privateKey: |
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
asserts:
- failedTemplate:
errorMessage: certificate, privateKey and caCertificate must be specified together
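Review bot: No test exercises `route.tls.termination` or `route.tls.insecureEdgeTerminationPolicy`, although both are documented as tunable in this commit's values.yaml; a case with `route.tls.termination: reencrypt` asserting `equal: {path: spec.tls.termination, value: reencrypt}` would fail today, because the template hardcodes `edge`, and would pin the contract once that is fixed. The "existing certificate" case asserts that `spec.tls.externalCertificate` equals the bare string `certificate-secret`, which only proves what the template prints — if the API field is an object reference with a `name` key, as I believe it is, this test passes while the cluster rejects the Route, so cross-check the expected shape against the OKD API reference rather than the template. A negative case for `route.enabled: false` (`hasDocuments: {count: 0}`) would also guard the outer `if` guard, which is otherwise untested.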


@ -186,6 +186,48 @@ ingress:
# If helm doesn't correctly detect your ingress API version you can set it here.
# apiVersion: networking.k8s.io/v1
## @section Route
## @param route.enabled Enable route
## @param route.annotations Route annotations
## @param route.host Host to use for the route (will be assigned automatically by OKD / OpenShift is not defined)
## @param route.wildcardPolicy Wildcard policy if any for the route, currently only 'Subdomain' or 'None' is allowed.
## @param route.tls.termination termination type (see [OKD documentation](https://docs.okd.io/latest/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls))
## @param route.tls.insecureEdgeTerminationPolicy the desired behavior for insecure connections to a route (e.g. with http)
## @param route.tls.existingSecret the name of a predefined secret of type kubernetes.io/tls with both key (tls.crt and tls.key) set accordingly (if defined attributes 'certificate', 'caCertificate' and 'privateKey' are ignored)
## @param route.tls.certificate PEM encoded single certificate
## @param route.tls.privateKey PEM encoded private key
## @param route.tls.caCertificate PEM encoded CA certificate or chain that issued the certificate
## @param route.tls.destinationCACertificate PEM encoded CA certificate used to verify the authenticity of final end point when 'termination' is set to 'passthrough' (ignored otherwise)
route:
enabled: false
annotations: {}
host:
wildcardPolicy:
tls:
termination: edge
insecureEdgeTerminationPolicy: Redirect
existingSecret:
certificate:
# certificate: |-
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
privateKey:
# privateKey: |-
# -----BEGIN PRIVATE KEY-----
# ...
# -----END PRIVATE KEY-----
caCertificate:
# caCertificate: |-
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
destinationCACertificate:
# destinationCACertificate: |-
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
## @section deployment
#
## @param resources Kubernetes resources
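Review bot: The `@param route.tls.destinationCACertificate` line says the CA is used "when 'termination' is set to 'passthrough'", but with passthrough termination the router never decrypts or validates the session — the client handshakes end-to-end with the pod — so there is nothing for the router to verify; per the Route API reference linked from the `termination` param, `destinationCACertificate` is consumed for `reencrypt` termination, where the router re-encrypts to the backend and validates its certificate. I'd reword it to `PEM encoded CA certificate used to verify the backend when 'termination' is set to 'reencrypt' (ignored otherwise)` and mirror that in the README table. The `@param route.host` description has a typo, `is not defined` should read `if not defined`. A comment above `certificate:`/`privateKey:` noting that inline values end up in clear text in the Route object and the Helm release secret, and that `existingSecret` is preferred, would give operators the security caveat they need.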