feat: made compatible with OCP (OKD or OpenShift) (#953)

Reviewed-on: https://code.forgejo.org/forgejo-helm/forgejo-helm/pulls/953
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Lucien Weller <lucien@wellernet.ch>
Co-committed-by: Lucien Weller <lucien@wellernet.ch>
Lucien Weller 2024-11-10 08:16:08 +00:00 committed by Michael Kriese
parent b691f297f1
commit 8bd2c48184
4 changed files with 69 additions and 8 deletions


@ -689,6 +689,17 @@ gitea:
existingSecret: gitea-oauth-secret
```
### Compatibility with OCP (OKD or OpenShift)
Normally OCP is automatically detected and the compatibility mode set accordingly. To enforce the OCP compatibility mode use the following configuration:
```yaml
global:
compatibility:
openshift:
adaptSecurityContext: force
```
## Configure commit signing
When using the rootless image the gpg key folder is not persistent by default.


@ -57,7 +57,7 @@ spec:
{{- end }}
{{- include "gitea.images.pullSecrets" . | nindent 6 }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
initContainers:
- name: init-directories
image: "{{ include "gitea.image" . }}"
@ -91,7 +91,7 @@ spec:
{{- end }}
{{- include "gitea.init-additional-mounts" . | nindent 12 }}
securityContext:
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
resources:
{{- toYaml .Values.initContainers.resources | nindent 12 }}
- name: init-app-ini
@ -131,7 +131,7 @@ spec:
{{- end }}
{{- include "gitea.init-additional-mounts" . | nindent 12 }}
securityContext:
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
resources:
{{- toYaml .Values.initContainers.resources | nindent 12 }}
{{- if .Values.signing.enabled }}
@ -145,7 +145,7 @@ spec:
{{- if not (hasKey $csc "runAsUser") -}}
{{- $_ := set $csc "runAsUser" 1000 -}}
{{- end -}}
{{- toYaml $csc | nindent 12 }}
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" $csc "context" $) | nindent 12 }}
env:
- name: GNUPGHOME
value: {{ .Values.signing.gpgHome }}
@ -176,7 +176,7 @@ spec:
{{- if not (hasKey $csc "runAsUser") -}}
{{- $_ := set $csc "runAsUser" 1000 -}}
{{- end -}}
{{- toYaml $csc | nindent 12 }}
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" $csc "context" $) | nindent 12 }}
env:
- name: GITEA_APP_INI
value: /data/gitea/conf/app.ini
@ -327,9 +327,9 @@ spec:
securityContext:
{{- /* Honor the deprecated securityContext variable when defined */ -}}
{{- if .Values.containerSecurityContext -}}
{{ toYaml .Values.containerSecurityContext | nindent 12 -}}
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- else -}}
{{ toYaml .Values.securityContext | nindent 12 -}}
{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.securityContext "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
- name: temp
@ -353,7 +353,7 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
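Review bot: In the two configure-gitea hunks (@ -145 and @ -176) the template still injects `runAsUser: 1000` into `$csc` immediately before handing it to `common.compatibility.renderSecurityContext`, which in OpenShift mode drops that key again (the new unit test asserts `runAsUser` is absent under `adaptSecurityContext: force`), so the default looks authoritative but is not; a comment above the `set` line such as `{{- /* In OpenShift compatibility mode the helper strips runAsUser again; the SCC assigns the UID */ -}}` would spare the next reader that detour. The same applies to `fsGroup` in the pod-level securityContext hunk (@ -57): if the init-directories step relies on fsGroup 1000 for volume ownership, that dependency now deserves a note next to the `podSecurityContext` value, because it silently disappears on OpenShift. The diffstat lists no values.yaml change, so the `auto` default the README describes must already exist or be added elsewhere — worth confirming, since without a `global.compatibility.openshift` value the helper presumably renders the context unchanged and the documented auto-detection never runs. The enclosing Deployment spec starts and ends outside these hunks.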


@ -0,0 +1,25 @@
# $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
suite: deployment template (security context)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/deployment.yaml
- templates/gitea/config.yaml
tests:
- it: FS group set to 1000
template: templates/gitea/deployment.yaml
set:
image.rootless: false
asserts:
- equal:
path: spec.template.spec.securityContext.fsGroup
value: 1000
- it: run configure-gitea with UID 1000
template: templates/gitea/deployment.yaml
set:
image.rootless: false
asserts:
- equal:
path: spec.template.spec.initContainers[?(@.name == 'configure-gitea')].securityContext.runAsUser
value: 1000
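Review bot: Both new suites carry the same `suite: deployment template (security context)` name (this file and the OpenShift one), so helm-unittest output cannot tell their results apart; rename this one to something like `suite: deployment template (security context, default)` and the sibling to the OpenShift variant. These two cases only pin the non-OpenShift baseline; the README says OCP is normally auto-detected, so if detection goes through API discovery, a third case that sets the test's `capabilities.apiVersions` to the OpenShift security API group, with the same `notExists` asserts as the force-mode file, would cover the `auto` path that real clusters actually take — I'm inferring the detection mechanism from the helper's name, so confirm it before writing that case. `templates/gitea/config.yaml` is listed but never targeted by an `it:`; if it is only there because deployment.yaml includes it for a checksum, a one-line comment saying so would keep someone from pruning it.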


@ -0,0 +1,25 @@
# $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
suite: deployment template (security context)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/deployment.yaml
- templates/gitea/config.yaml
tests:
- it: FS group not set
template: templates/gitea/deployment.yaml
set:
image.rootless: false
global.compatibility.openshift.adaptSecurityContext: force
asserts:
- notExists:
path: spec.template.spec.securityContext.fsGroup
- it: configure-gitea without runaAsUser
template: templates/gitea/deployment.yaml
set:
image.rootless: false
global.compatibility.openshift.adaptSecurityContext: force
asserts:
- notExists:
path: spec.template.spec.initContainers[?(@.name == 'configure-gitea')].securityContext.runAsUser
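Review bot: The description of the second case reads `it: configure-gitea without runaAsUser` — a typo for `runAsUser`; helm-unittest prints this string in its report, so `it: configure-gitea without runAsUser` is what reviewers will grep for. Both cases only assert absence, so an over-broad omit or an empty rendered block would pass them unnoticed; one positive assert such as `exists: path: spec.template.spec.initContainers[?(@.name == 'configure-gitea')].securityContext` beside the `notExists` would pin that a security context is still rendered in force mode rather than dropped wholesale. The suite name duplicates the sibling default-mode file's; a distinguishing suffix keeps the two apart in test output.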