feat: made compatible with OCP (OKD or OpenShift) (#953)
Reviewed-on: https://code.forgejo.org/forgejo-helm/forgejo-helm/pulls/953 Reviewed-by: Michael Kriese <michael.kriese@gmx.de> Co-authored-by: Lucien Weller <lucien@wellernet.ch> Co-committed-by: Lucien Weller <lucien@wellernet.ch>
parent
b691f297f1
commit
8bd2c48184
4 changed files with 69 additions and 8 deletions
11
README.md
11
README.md
|
@ -689,6 +689,17 @@ gitea:
|
|||
existingSecret: gitea-oauth-secret
|
||||
```
|
||||
|
||||
### Compatibility with OCP (OKD or OpenShift)
|
||||
|
||||
Normally OCP is automatically detected and the compatibility mode set accordingly. To enforce the OCP compatibility mode use the following configuration:
|
||||
|
||||
```yaml
|
||||
global:
|
||||
compatibility:
|
||||
openshift:
|
||||
adaptSecurityContext: force
|
||||
```
|
||||
|
||||
## Configure commit signing
|
||||
|
||||
When using the rootless image the gpg key folder is not persistent by default.
|
||||
|
|
|
@ -57,7 +57,7 @@ spec:
|
|||
{{- end }}
|
||||
{{- include "gitea.images.pullSecrets" . | nindent 6 }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.podSecurityContext | nindent 8 }}
|
||||
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
|
||||
initContainers:
|
||||
- name: init-directories
|
||||
image: "{{ include "gitea.image" . }}"
|
||||
|
@ -91,7 +91,7 @@ spec:
|
|||
{{- end }}
|
||||
{{- include "gitea.init-additional-mounts" . | nindent 12 }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
|
||||
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
|
||||
resources:
|
||||
{{- toYaml .Values.initContainers.resources | nindent 12 }}
|
||||
- name: init-app-ini
|
||||
|
@ -131,7 +131,7 @@ spec:
|
|||
{{- end }}
|
||||
{{- include "gitea.init-additional-mounts" . | nindent 12 }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
|
||||
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
|
||||
resources:
|
||||
{{- toYaml .Values.initContainers.resources | nindent 12 }}
|
||||
{{- if .Values.signing.enabled }}
|
||||
|
@ -145,7 +145,7 @@ spec:
|
|||
{{- if not (hasKey $csc "runAsUser") -}}
|
||||
{{- $_ := set $csc "runAsUser" 1000 -}}
|
||||
{{- end -}}
|
||||
{{- toYaml $csc | nindent 12 }}
|
||||
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" $csc "context" $) | nindent 12 }}
|
||||
env:
|
||||
- name: GNUPGHOME
|
||||
value: {{ .Values.signing.gpgHome }}
|
||||
|
@ -176,7 +176,7 @@ spec:
|
|||
{{- if not (hasKey $csc "runAsUser") -}}
|
||||
{{- $_ := set $csc "runAsUser" 1000 -}}
|
||||
{{- end -}}
|
||||
{{- toYaml $csc | nindent 12 }}
|
||||
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" $csc "context" $) | nindent 12 }}
|
||||
env:
|
||||
- name: GITEA_APP_INI
|
||||
value: /data/gitea/conf/app.ini
|
||||
|
@ -327,9 +327,9 @@ spec:
|
|||
securityContext:
|
||||
{{- /* Honor the deprecated securityContext variable when defined */ -}}
|
||||
{{- if .Values.containerSecurityContext -}}
|
||||
{{ toYaml .Values.containerSecurityContext | nindent 12 -}}
|
||||
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
|
||||
{{- else -}}
|
||||
{{ toYaml .Values.securityContext | nindent 12 -}}
|
||||
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.securityContext "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: temp
|
||||
|
@ -353,7 +353,7 @@ spec:
|
|||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.topologySpreadConstraints }}
|
||||
topologySpreadConstraints:
|
||||
topologySpreadConstraints:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
|
|
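Review bot: In the two configure-gitea hunks (@ -145 and @ -176) the `{{- $_ := set $csc "runAsUser" 1000 -}}` fallback a few lines above the new `common.compatibility.renderSecurityContext` include is discarded whenever OCP compatibility is active — the new unittests/deployment/security-context-ocp.yaml asserts exactly that for runAsUser and for the pod fsGroup — so the UID/GID pinning is handed to the OpenShift SCC, which is intended but not stated anywhere in the template; a short note above the include would save the next reader a trip into the helper, e.g. `{{- /* under OCP compatibility renderSecurityContext drops runAsUser/fsGroup; the SCC assigns them */ -}}`. The diffstat lists four files and none of the sections shown is values.yaml, so the README's statement that OCP is detected automatically presumably relies on `global.compatibility.openshift.adaptSecurityContext` already defaulting to `auto` in the chart values — worth confirming, since without that key the helper would have nothing to switch on. The hunk at @ -353 only touches `topologySpreadConstraints:` (apparently an indentation change) and is unrelated to this feature; it could be mentioned in the description or split out. The file header for these hunks is not visible on the page; they appear to belong to templates/gitea/deployment.yaml.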
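--- a/unittests/deployment/security-context-normal.yaml
+++ b/unittests/deployment/security-context-normal.yaml
@@ -0,0 +1,25 @@
+# $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: deployment template (security context)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: FS group set to 1000
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+    asserts:
+      - equal:
+          path: spec.template.spec.securityContext.fsGroup
+          value: 1000
+  - it: run configure-gitea with UID 1000
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+    asserts:
+      - equal:
+          path: spec.template.spec.initContainers[?(@.name == 'configure-gitea')].securityContext.runAsUser
+          value: 1000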
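Review bot: `suite: deployment template (security context)` is also the suite name of the new unittests/deployment/security-context-ocp.yaml, so both files report under the same label and the summary is harder to scan; `suite: deployment template (security context, default)` here and `suite: deployment template (security context, OCP)` there would keep them distinct. Both cases here set only `image.rootless: false`, so the rootless image path of the same securityContext rendering is not covered by either file; if that path is meant to behave the same way, a third case asserting it would close the gap.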
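--- a/unittests/deployment/security-context-ocp.yaml
+++ b/unittests/deployment/security-context-ocp.yaml
@@ -0,0 +1,25 @@
+# $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: deployment template (security context)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: FS group not set
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+      global.compatibility.openshift.adaptSecurityContext: force
+    asserts:
+      - notExists:
+          path: spec.template.spec.securityContext.fsGroup
+  - it: configure-gitea without runaAsUser
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+      global.compatibility.openshift.adaptSecurityContext: force
+    asserts:
+      - notExists:
+          path: spec.template.spec.initContainers[?(@.name == 'configure-gitea')].securityContext.runAsUser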
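Review bot: The second test name, `it: configure-gitea without runaAsUser`, misspells the field it asserts on; `- it: configure-gitea without runAsUser` matches the `runAsUser` in the path below it. Both cases also only cover `adaptSecurityContext: force`; the `auto` mode that the README describes as the normal path is not exercised here, and since helm-unittest does not run on an OpenShift API a case setting `global.compatibility.openshift.adaptSecurityContext: auto` and asserting that fsGroup and runAsUser are still present would pin the non-OCP half of the detection logic.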