feat: added OpenShift route (#954)

Reviewed-on: https://code.forgejo.org/forgejo-helm/forgejo-helm/pulls/954
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Lucien Weller <lucien@wellernet.ch>
Co-committed-by: Lucien Weller <lucien@wellernet.ch>
Lucien Weller 2024-11-10 08:56:52 +00:00 committed by Michael Kriese
parent 8bd2c48184
commit 7e1629e174
4 changed files with 263 additions and 0 deletions


@ -700,6 +700,13 @@ global:
adaptSecurityContext: force adaptSecurityContext: force
``` ```
An OCP route to access Forgejo can be enabled with the following config:
```yaml
route:
enabled: true
```
## Configure commit signing ## Configure commit signing
When using the rootless image the gpg key folder is not persistent by default. When using the rootless image the gpg key folder is not persistent by default.
@ -954,6 +961,22 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
| `ingress.tls` | Ingress tls settings | `[]` | | `ingress.tls` | Ingress tls settings | `[]` |
| `ingress.apiVersion` | Specify APIVersion of ingress object. Mostly would only be used for argocd. | | | `ingress.apiVersion` | Specify APIVersion of ingress object. Mostly would only be used for argocd. | |
### Route
| Name | Description | Value |
| ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| `route.enabled` | Enable route | `false` |
| `route.annotations` | Route annotations | `{}` |
| `route.host` | Host to use for the route (will be assigned automatically by OKD / OpenShift is not defined) | `nil` |
| `route.wildcardPolicy` | Wildcard policy if any for the route, currently only 'Subdomain' or 'None' is allowed. | `nil` |
| `route.tls.termination` | termination type (see [OKD documentation](https://docs.okd.io/latest/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls)) | `edge` |
| `route.tls.insecureEdgeTerminationPolicy` | the desired behavior for insecure connections to a route (e.g. with http) | `Redirect` |
| `route.tls.existingSecret` | the name of a predefined secret of type kubernetes.io/tls with both key (tls.crt and tls.key) set accordingly (if defined attributes 'certificate', 'caCertificate' and 'privateKey' are ignored) | `nil` |
| `route.tls.certificate` | PEM encoded single certificate | `nil` |
| `route.tls.privateKey` | PEM encoded private key | `nil` |
| `route.tls.caCertificate` | PEM encoded CA certificate or chain that issued the certificate | `nil` |
| `route.tls.destinationCACertificate` | PEM encoded CA certificate used to verify the authenticity of final end point when 'termination' is set to 'passthrough' (ignored otherwise) | `nil` |
### deployment ### deployment
| Name | Description | Value | | Name | Description | Value |


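--- /dev/null
+++ b/templates/gitea/route.yaml
@@ -0,0 +1,43 @@
+{{- if .Values.route.enabled -}}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+name: {{ include "gitea.fullname" . }}-http
+namespace: {{ include "common.names.namespace" . | quote }}
+labels:
+{{- include "gitea.labels" . | nindent 4 }}
+annotations:
+{{- toYaml .Values.route.annotations | nindent 4 }}
+spec:
+{{- if .Values.route.host }}
+host: {{ tpl .Values.route.host $ | quote }}
+{{- end }}
+{{- if .Values.route.wildcardPolicy }}
+wildcardPolicy: {{ .Values.route.wildcardPolicy }}
+{{- end }}
+to:
+kind: Service
+name: {{ include "gitea.fullname" . }}-http
+weight: 100
+port:
+targetPort: http
+tls:
+termination: edge
+insecureEdgeTerminationPolicy: Redirect
+{{- if .Values.route.tls.existingSecret }}
+externalCertificate: {{ .Values.route.tls.existingSecret }}
+{{- else if and .Values.route.tls.certificate
+.Values.route.tls.privateKey
+.Values.route.tls.caCertificate }}
+certificate: |
+{{ .Values.route.tls.certificate | indent 6 }}
+key: |
+{{ .Values.route.tls.privateKey | indent 6 }}
+caCertificate: |
+{{ .Values.route.tls.caCertificate | indent 6 }}
+{{- else if or .Values.route.tls.certificate
+.Values.route.tls.privateKey
+.Values.route.tls.caCertificate }}
+{{- fail "certificate, privateKey and caCertificate must be specified together" }}
+{{- end }}
+{{- end }}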
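Review bot: `termination: edge` and `insecureEdgeTerminationPolicy: Redirect` are hard-coded under `tls:`, yet the values.yaml hunk in this same commit declares `route.tls.termination`, `route.tls.insecureEdgeTerminationPolicy` and `route.tls.destinationCACertificate` as user-facing parameters that this template never reads, so a user who sets `termination: passthrough` or `reencrypt` silently still gets an edge-terminated route that decrypts traffic at the router with whatever certificate is configured there. Render the three from values (with the documented defaults as fallback) and emit `destinationCACertificate` when set, as below. Separately, `externalCertificate:` is rendered as a bare scalar straight from `.Values.route.tls.existingSecret`; as far as I recall the OpenShift route API models `spec.tls.externalCertificate` as an object reference with a `name` field and gates it behind a feature gate on recent releases, so verify the shape against the target API version rather than relying on the unit test that pins the scalar form, and pass the value through `quote` either way.

```yaml
  tls:
    termination: {{ .Values.route.tls.termination | default "edge" }}
    insecureEdgeTerminationPolicy: {{ .Values.route.tls.insecureEdgeTerminationPolicy | default "Redirect" }}
    {{- if .Values.route.tls.destinationCACertificate }}
    destinationCACertificate: |
{{ .Values.route.tls.destinationCACertificate | indent 6 }}
    {{- end }}
    # … unchanged: existingSecret / certificate / key / caCertificate branches …
```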


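--- /dev/null
+++ b/PLACEHOLDER_unittest_suite_path_not_shown_on_page.yaml
@@ -0,0 +1,155 @@
+# $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: route template
+release:
+name: gitea-unittests
+namespace: testing
+templates:
+- templates/gitea/route.yaml
+tests:
+- it: hostname using TPL
+set:
+global.giteaHostName: 'gitea.example.com'
+route.enabled: true
+route.host: '{{ .Values.global.giteaHostName }}'
+asserts:
+- isKind:
+of: Route
+- equal:
+path: spec.host
+value: 'gitea.example.com'
+- notExists:
+path: spec.wildcardPolicy
+- it: wildcard policy
+set:
+global.giteaHostName: 'gitea.example.com'
+route.enabled: true
+route.wildcardPolicy: 'Subdomain'
+asserts:
+- isKind:
+of: Route
+- equal:
+path: spec.wildcardPolicy
+value: 'Subdomain'
+- it: existing certificate
+set:
+route.enabled: true
+route.tls.existingSecret: certificate-secret
+route.tls.certificate: |
+-----BEGIN CERTIFICATE-----
+...
+-----END CERTIFICATE-----
+route.tls.privateKey: |
+-----BEGIN PRIVATE KEY-----
+...
+-----END PRIVATE KEY-----
+route.tls.caCertificate: |
+-----BEGIN CERTIFICATE-----
+...
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+...
+-----END CERTIFICATE-----
+asserts:
+- isKind:
+of: Route
+- equal:
+path: spec.tls.externalCertificate
+value: certificate-secret
+- notExists:
+path: spec.tls.certificate
+- notExists:
+path: spec.tls.key
+- notExists:
+path: spec.tls.caCertificate
+- it: valid certificate values
+set:
+route.enabled: true
+route.tls.certificate: |
+-----BEGIN CERTIFICATE-----
+...
+-----END CERTIFICATE-----
+route.tls.privateKey: |
+-----BEGIN PRIVATE KEY-----
+...
+-----END PRIVATE KEY-----
+route.tls.caCertificate: |
+-----BEGIN CERTIFICATE-----
+...
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+...
+-----END CERTIFICATE-----
+asserts:
+- isKind:
+of: Route
+- notExists:
+path: spec.tls.externalCertificate
+- equal:
+path: spec.tls.certificate
+value: |
+-----BEGIN CERTIFICATE-----
+...
+-----END CERTIFICATE-----
+- equal:
+path: spec.tls.key
+value: |
+-----BEGIN PRIVATE KEY-----
+...
+-----END PRIVATE KEY-----
+- equal:
+path: spec.tls.caCertificate
+value: |
+-----BEGIN CERTIFICATE-----
+...
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+...
+-----END CERTIFICATE-----
+- it: missing certificate values
+set:
+route.enabled: true
+route.tls.privateKey: |
+-----BEGIN PRIVATE KEY-----
+...
+-----END PRIVATE KEY-----
+route.tls.caCertificate: |
+-----BEGIN CERTIFICATE-----
+...
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+...
+-----END CERTIFICATE-----
+asserts:
+- failedTemplate:
+errorMessage: certificate, privateKey and caCertificate must be specified together
+- it: missing privateKey values
+set:
+route.enabled: true
+route.tls.certificate: |
+-----BEGIN CERTIFICATE-----
+...
+-----END CERTIFICATE-----
+route.tls.caCertificate: |
+-----BEGIN CERTIFICATE-----
+...
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+...
+-----END CERTIFICATE-----
+asserts:
+- failedTemplate:
+errorMessage: certificate, privateKey and caCertificate must be specified together
+- it: missing caCertificate values
+set:
+route.enabled: true
+route.tls.certificate: |
+-----BEGIN CERTIFICATE-----
+...
+-----END CERTIFICATE-----
+route.tls.privateKey: |
+-----BEGIN PRIVATE KEY-----
+...
+-----END PRIVATE KEY-----
+asserts:
+- failedTemplate:
+errorMessage: certificate, privateKey and caCertificate must be specified together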
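Review bot: No case in this suite exercises the chart default `route.enabled: false`, so a regression that renders the Route unconditionally (for example a dropped `{{- if .Values.route.enabled -}}` guard) would still pass; every test here sets `route.enabled: true`. Add a first case along the lines of `- it: route disabled` with no `set:` and `asserts: - hasDocuments: count: 0`. It would also be worth asserting `spec.tls.termination` and `spec.tls.insecureEdgeTerminationPolicy` in the "valid certificate values" case, since those are the fields that decide where TLS is terminated and the suite currently never looks at them.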


@ -186,6 +186,48 @@ ingress:
# If helm doesn't correctly detect your ingress API version you can set it here. # If helm doesn't correctly detect your ingress API version you can set it here.
# apiVersion: networking.k8s.io/v1 # apiVersion: networking.k8s.io/v1
## @section Route
## @param route.enabled Enable route
## @param route.annotations Route annotations
## @param route.host Host to use for the route (will be assigned automatically by OKD / OpenShift is not defined)
## @param route.wildcardPolicy Wildcard policy if any for the route, currently only 'Subdomain' or 'None' is allowed.
## @param route.tls.termination termination type (see [OKD documentation](https://docs.okd.io/latest/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls))
## @param route.tls.insecureEdgeTerminationPolicy the desired behavior for insecure connections to a route (e.g. with http)
## @param route.tls.existingSecret the name of a predefined secret of type kubernetes.io/tls with both key (tls.crt and tls.key) set accordingly (if defined attributes 'certificate', 'caCertificate' and 'privateKey' are ignored)
## @param route.tls.certificate PEM encoded single certificate
## @param route.tls.privateKey PEM encoded private key
## @param route.tls.caCertificate PEM encoded CA certificate or chain that issued the certificate
## @param route.tls.destinationCACertificate PEM encoded CA certificate used to verify the authenticity of final end point when 'termination' is set to 'passthrough' (ignored otherwise)
route:
enabled: false
annotations: {}
host:
wildcardPolicy:
tls:
termination: edge
insecureEdgeTerminationPolicy: Redirect
existingSecret:
certificate:
# certificate: |-
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
privateKey:
# privateKey: |-
# -----BEGIN PRIVATE KEY-----
# ...
# -----END PRIVATE KEY-----
caCertificate:
# caCertificate: |-
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
destinationCACertificate:
# destinationCACertificate: |-
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
## @section deployment ## @section deployment
# #
## @param resources Kubernetes resources ## @param resources Kubernetes resources
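Review bot: The `@param route.tls.destinationCACertificate` description says the CA is used "when 'termination' is set to 'passthrough'", but with passthrough the router never terminates TLS and so has nothing to verify; on the OpenShift route API that field applies to `reencrypt` termination, where the router re-establishes TLS to the backend and checks its certificate — please confirm against the linked OKD reference and fix the wording (the README table row in this commit carries the same sentence). The `@param route.host` description also reads "will be assigned automatically by OKD / OpenShift is not defined" and should say `if not defined`. The fact that `termination`, `insecureEdgeTerminationPolicy` and `destinationCACertificate` are declared here but never consumed by the template is raised on the route.yaml hunk.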