From 7e1629e174ef54031deb6ccf0a4932ea5e4da84c Mon Sep 17 00:00:00 2001
From: Lucien Weller
Date: Sun, 10 Nov 2024 08:56:52 +0000
Subject: [PATCH] feat: added OpenShift route (#954)
Reviewed-on: https://code.forgejo.org/forgejo-helm/forgejo-helm/pulls/954
Reviewed-by: Michael Kriese
Co-authored-by: Lucien Weller
Co-committed-by: Lucien Weller
---
 README.md | 23 +++
 templates/gitea/route.yaml | 43 +++++
 unittests/deployment/route-configuration.yaml | 155 ++++++++++++++++++
 values.yaml | 42 +++++
 4 files changed, 263 insertions(+)
 create mode 100644 templates/gitea/route.yaml
 create mode 100644 unittests/deployment/route-configuration.yaml
diff --git a/README.md b/README.md
index 31b8396..8dda4e0 100644
--- a/README.md
+++ b/README.md
@@ -700,6 +700,13 @@ global:
 adaptSecurityContext: force
 ```
+An OCP route to access Forgejo can be enabled with the following config:
+
+```yaml
+route:
+ enabled: true
+```
+
 ## Configure commit signing
 When using the rootless image the gpg key folder is not persistent by default.
@@ -954,6 +961,22 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus | `ingress.tls` | Ingress tls settings | `[]` | | `ingress.apiVersion` | Specify APIVersion of ingress object. Mostly would only be used for argocd. | | +### Route + +| Name | Description | Value | +| ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | +| `route.enabled` | Enable route | `false` | +| `route.annotations` | Route annotations | `{}` | +| `route.host` | Host to use for the route (will be assigned automatically by OKD / OpenShift is not defined) | `nil` | +| `route.wildcardPolicy` | Wildcard policy if any for the route, currently only 'Subdomain' or 'None' is allowed. | `nil` | +| `route.tls.termination` | termination type (see [OKD documentation](https://docs.okd.io/latest/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls)) | `edge` | +| `route.tls.insecureEdgeTerminationPolicy` | the desired behavior for insecure connections to a route (e.g. with http) | `Redirect` | +| `route.tls.existingSecret` | the name of a predefined secret of type kubernetes.io/tls with both key (tls.crt and tls.key) set accordingly (if defined attributes 'certificate', 'caCertificate' and 'privateKey' are ignored) | `nil` | +| `route.tls.certificate` | PEM encoded single certificate | `nil` | +| `route.tls.privateKey` | PEM encoded private key | `nil` | +| `route.tls.caCertificate` | PEM encoded CA certificate or chain that issued the certificate | `nil` | +| `route.tls.destinationCACertificate` | PEM encoded CA certificate used to verify the authenticity of final end point when 'termination' is set to 'passthrough' (ignored otherwise) | `nil` | + ### deployment | Name | Description | Value | 
diff --git a/templates/gitea/route.yaml b/templates/gitea/route.yaml
new file mode 100644
index 0000000..740721f
--- /dev/null
+++ b/templates/gitea/route.yaml
@@ -0,0 +1,43 @@
+{{- if .Values.route.enabled -}}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: {{ include "gitea.fullname" . }}-http
+ namespace: {{ include "common.names.namespace" . | quote }}
+ labels:
+ {{- include "gitea.labels" . | nindent 4 }}
+ annotations:
+ {{- toYaml .Values.route.annotations | nindent 4 }}
+spec:
+ {{- if .Values.route.host }}
+ host: {{ tpl .Values.route.host $ | quote }}
+ {{- end }}
+ {{- if .Values.route.wildcardPolicy }}
+ wildcardPolicy: {{ .Values.route.wildcardPolicy }}
+ {{- end }}
+ to:
+ kind: Service
+ name: {{ include "gitea.fullname" . }}-http
+ weight: 100
+ port:
+ targetPort: http
+ tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
+ {{- if .Values.route.tls.existingSecret }}
+ externalCertificate: {{ .Values.route.tls.existingSecret }}
+ {{- else if and .Values.route.tls.certificate
+ .Values.route.tls.privateKey
+ .Values.route.tls.caCertificate }}
+ certificate: |
+{{ .Values.route.tls.certificate | indent 6 }}
+ key: |
+{{ .Values.route.tls.privateKey | indent 6 }}
+ caCertificate: |
+{{ .Values.route.tls.caCertificate | indent 6 }}
+ {{- else if or .Values.route.tls.certificate
+ .Values.route.tls.privateKey
+ .Values.route.tls.caCertificate }}
+ {{- fail "certificate, privateKey and caCertificate must be specified together" }}
+ {{- end }}
+{{- end }}
diff --git a/unittests/deployment/route-configuration.yaml b/unittests/deployment/route-configuration.yaml
new file mode 100644
index 0000000..b4da640
--- /dev/null
+++ b/unittests/deployment/route-configuration.yaml
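Review bot: The `tls:` block at the end of the hunk hard-codes `termination: edge` and `insecureEdgeTerminationPolicy: Redirect`, while `values.yaml` and the README in this same patch present `route.tls.termination`, `route.tls.insecureEdgeTerminationPolicy` and `route.tls.destinationCACertificate` as user settings — whatever a user puts there is silently ignored, so the rendered route can differ from what they believe they configured. Either wire the values through with today's behaviour kept as the default, as sketched below, or remove the three keys from `values.yaml` and the README; `edge` plus `Redirect` is the right secure baseline either way. Separately, `externalCertificate: {{ .Values.route.tls.existingSecret }}` emits a bare string, whereas the OKD Route API as I know it models `spec.tls.externalCertificate` as an object with a `name` field (feature-gated, and needing RBAC for the router service account on that secret) — please verify against the linked API doc rather than the unit test, which only pins the string shape the template happens to produce. Finally, the inline `certificate`/`key`/`caCertificate` branch embeds the private key in the Route object, readable by anyone with `get` on routes in the namespace, and a `privateKey` passed via values is also persisted in the Helm release secret; the README should steer users to `existingSecret` and say so explicitly. The template is a new file, so nothing continues outside the hunk.

```yaml
  tls:
    termination: {{ .Values.route.tls.termination | default "edge" }}
    insecureEdgeTerminationPolicy: {{ .Values.route.tls.insecureEdgeTerminationPolicy | default "Redirect" }}
    {{- if .Values.route.tls.destinationCACertificate }}
    destinationCACertificate: |
{{ .Values.route.tls.destinationCACertificate | indent 6 }}
    {{- end }}
    # … unchanged: existingSecret / inline certificate branches …
```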
@@ -0,0 +1,155 @@
+# $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: route template
+release:
+ name: gitea-unittests
+ namespace: testing
+templates:
+ - templates/gitea/route.yaml
+tests:
+ - it: hostname using TPL
+ set:
+ global.giteaHostName: 'gitea.example.com'
+ route.enabled: true
+ route.host: '{{ .Values.global.giteaHostName }}'
+ asserts:
+ - isKind:
+ of: Route
+ - equal:
+ path: spec.host
+ value: 'gitea.example.com'
+ - notExists:
+ path: spec.wildcardPolicy
+ - it: wildcard policy
+ set:
+ global.giteaHostName: 'gitea.example.com'
+ route.enabled: true
+ route.wildcardPolicy: 'Subdomain'
+ asserts:
+ - isKind:
+ of: Route
+ - equal:
+ path: spec.wildcardPolicy
+ value: 'Subdomain'
+ - it: existing certificate
+ set:
+ route.enabled: true
+ route.tls.existingSecret: certificate-secret
+ route.tls.certificate: |
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+ route.tls.privateKey: |
+ -----BEGIN PRIVATE KEY-----
+ ...
+ -----END PRIVATE KEY-----
+ route.tls.caCertificate: |
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+ asserts:
+ - isKind:
+ of: Route
+ - equal:
+ path: spec.tls.externalCertificate
+ value: certificate-secret
+ - notExists:
+ path: spec.tls.certificate
+ - notExists:
+ path: spec.tls.key
+ - notExists:
+ path: spec.tls.caCertificate
+ - it: valid certificate values
+ set:
+ route.enabled: true
+ route.tls.certificate: |
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+ route.tls.privateKey: |
+ -----BEGIN PRIVATE KEY-----
+ ...
+ -----END PRIVATE KEY-----
+ route.tls.caCertificate: |
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+ asserts:
+ - isKind:
+ of: Route
+ - notExists:
+ path: spec.tls.externalCertificate
+ - equal:
+ path: spec.tls.certificate
+ value: |
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+ - equal:
+ path: spec.tls.key
+ value: |
+ -----BEGIN PRIVATE KEY-----
+ ...
+ -----END PRIVATE KEY-----
+ - equal:
+ path: spec.tls.caCertificate
+ value: |
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+ - it: missing certificate values
+ set:
+ route.enabled: true
+ route.tls.privateKey: |
+ -----BEGIN PRIVATE KEY-----
+ ...
+ -----END PRIVATE KEY-----
+ route.tls.caCertificate: |
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+ asserts:
+ - failedTemplate:
+ errorMessage: certificate, privateKey and caCertificate must be specified together
+ - it: missing privateKey values
+ set:
+ route.enabled: true
+ route.tls.certificate: |
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+ route.tls.caCertificate: |
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+ asserts:
+ - failedTemplate:
+ errorMessage: certificate, privateKey and caCertificate must be specified together
+ - it: missing caCertificate values
+ set:
+ route.enabled: true
+ route.tls.certificate: |
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+ route.tls.privateKey: |
+ -----BEGIN PRIVATE KEY-----
+ ...
+ -----END PRIVATE KEY-----
+ asserts:
+ - failedTemplate:
+ errorMessage: certificate, privateKey and caCertificate must be specified together
diff --git a/values.yaml b/values.yaml
index fee9460..04d7099 100644
--- a/values.yaml
+++ b/values.yaml
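Review bot: No case in this suite pins the default TLS posture or exercises the TLS knobs that `values.yaml` advertises — a case setting `route.tls.termination: reencrypt` and asserting `spec.tls.termination` would fail today because the template hard-codes `edge`, which is exactly the kind of drift between docs and rendered output a test should catch. A default-render case asserting `spec.tls.termination` equals `edge` and `spec.tls.insecureEdgeTerminationPolicy` equals `Redirect` would also guard that secure baseline against regression. The "existing certificate" case asserts `spec.tls.externalCertificate` is the plain string `certificate-secret`; if the Route API models that field as an object with a `name` key, as I believe it does, this assertion cements the wrong shape and should be checked against the API reference before merging.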
@@ -186,6 +186,48 @@ ingress:
 # If helm doesn't correctly detect your ingress API version you can set it here.
 # apiVersion: networking.k8s.io/v1
+## @section Route
+## @param route.enabled Enable route
+## @param route.annotations Route annotations
+## @param route.host Host to use for the route (will be assigned automatically by OKD / OpenShift is not defined)
+## @param route.wildcardPolicy Wildcard policy if any for the route, currently only 'Subdomain' or 'None' is allowed.
+## @param route.tls.termination termination type (see [OKD documentation](https://docs.okd.io/latest/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls))
+## @param route.tls.insecureEdgeTerminationPolicy the desired behavior for insecure connections to a route (e.g. with http)
+## @param route.tls.existingSecret the name of a predefined secret of type kubernetes.io/tls with both key (tls.crt and tls.key) set accordingly (if defined attributes 'certificate', 'caCertificate' and 'privateKey' are ignored)
+## @param route.tls.certificate PEM encoded single certificate
+## @param route.tls.privateKey PEM encoded private key
+## @param route.tls.caCertificate PEM encoded CA certificate or chain that issued the certificate
+## @param route.tls.destinationCACertificate PEM encoded CA certificate used to verify the authenticity of final end point when 'termination' is set to 'passthrough' (ignored otherwise)
+route:
+ enabled: false
+ annotations: {}
+ host:
+ wildcardPolicy:
+ tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
+ existingSecret:
+ certificate:
+ # certificate: |-
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+ privateKey:
+ # privateKey: |-
+ # -----BEGIN PRIVATE KEY-----
+ # ...
+ # -----END PRIVATE KEY-----
+ caCertificate:
+ # caCertificate: |-
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+ destinationCACertificate:
+ # destinationCACertificate: |-
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+
 ## @section deployment
 #
 ## @param resources Kubernetes resources
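Review bot: The `@param route.tls.destinationCACertificate` comment says the CA is used "when 'termination' is set to 'passthrough'", but with passthrough the router never terminates TLS and so has nothing to validate; in the OpenShift Route API as I know it this field belongs to `reencrypt` termination, so I would reword it to `## @param route.tls.destinationCACertificate PEM encoded CA certificate used to verify the backend when 'termination' is 'reencrypt' (ignored otherwise)` and mirror that in the README table, which carries the same text — please confirm against the linked OKD doc. The `route.host` description reads "is not defined" and should read "if not defined". Because `route.tls.privateKey` is an ordinary values key, a comment above it warning that anything set there is stored in the Helm release secret and printed by `helm get values`, and that `existingSecret` is the preferred way to supply a key, would help operators avoid leaking it.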