From 8bd2c481844806ec76480e6352e40fc725f32310 Mon Sep 17 00:00:00 2001
From: Lucien Weller
Date: Sun, 10 Nov 2024 08:16:08 +0000
Subject: [PATCH] feat: made compatible with OCP (OKD or OpenShift) (#953)
Reviewed-on: https://code.forgejo.org/forgejo-helm/forgejo-helm/pulls/953
Reviewed-by: Michael Kriese
Co-authored-by: Lucien Weller
Co-committed-by: Lucien Weller
---
 README.md | 11 ++++++++
 templates/gitea/deployment.yaml | 16 ++++++------
 .../deployment/security-context-normal.yaml | 25 +++++++++++++++++++
 .../deployment/security-context-ocp.yaml | 25 +++++++++++++++++++
 4 files changed, 69 insertions(+), 8 deletions(-)
 create mode 100644 unittests/deployment/security-context-normal.yaml
 create mode 100644 unittests/deployment/security-context-ocp.yaml
diff --git a/README.md b/README.md
index a4325c1..31b8396 100644
--- a/README.md
+++ b/README.md
@@ -689,6 +689,17 @@ gitea:
 existingSecret: gitea-oauth-secret
 ```
+### Compatibility with OCP (OKD or OpenShift)
+
+Normally OCP is automatically detected and the compatibility mode set accordingly. To enforce the OCP compatibility mode use the following configuration:
+
+```yaml
+global:
+ compatibility:
+ openshift:
+ adaptSecurityContext: force
+```
+
 ## Configure commit signing
 When using the rootless image the gpg key folder is not persistent by default.
diff --git a/templates/gitea/deployment.yaml b/templates/gitea/deployment.yaml
index 063c719..f82c407 100644
--- a/templates/gitea/deployment.yaml
+++ b/templates/gitea/deployment.yaml
@@ -57,7 +57,7 @@ spec:
 {{- end }}
 {{- include "gitea.images.pullSecrets" . | nindent 6 }}
 securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
 initContainers:
 - name: init-directories
 image: "{{ include "gitea.image" . }}"
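Review bot: The `global.compatibility.openshift.adaptSecurityContext` key that the new `common.compatibility.renderSecurityContext` call on the pod `securityContext` reads is not declared anywhere in this patch — values.yaml and any values schema are untouched — so the README's claim that OCP is "automatically detected" rests on a default (presumably `auto`) and a helper definition that live outside this diff; please confirm both are declared and documented in values.yaml. The OCP unit test added in this same patch shows the adapter removes `fsGroup` from the pod context, which is right on OpenShift where the SCC supplies supplemental groups, but with `force` on a non-OpenShift cluster the data volumes will no longer be group-owned via `fsGroup` and the pod silently loses that setting. A one-line comment above the include, `# OCP mode strips fsGroup/runAsUser so the SCC can assign them; 'force' is only meant for OpenShift`, would make that trade-off visible to the next maintainer.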
@@ -91,7 +91,7 @@ spec:
 {{- end }}
 {{- include "gitea.init-additional-mounts" . | nindent 12 }}
 securityContext:
- {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+ {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
 resources:
 {{- toYaml .Values.initContainers.resources | nindent 12 }}
 - name: init-app-ini
@@ -131,7 +131,7 @@ spec:
 {{- end }}
 {{- include "gitea.init-additional-mounts" . | nindent 12 }}
 securityContext:
- {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+ {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
 resources:
 {{- toYaml .Values.initContainers.resources | nindent 12 }}
 {{- if .Values.signing.enabled }}
@@ -145,7 +145,7 @@ spec:
 {{- if not (hasKey $csc "runAsUser") -}}
 {{- $_ := set $csc "runAsUser" 1000 -}}
 {{- end -}}
- {{- toYaml $csc | nindent 12 }}
+ {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $csc "context" $) | nindent 12 }}
 env:
 - name: GNUPGHOME
 value: {{ .Values.signing.gpgHome }}
@@ -176,7 +176,7 @@ spec:
 {{- if not (hasKey $csc "runAsUser") -}}
 {{- $_ := set $csc "runAsUser" 1000 -}}
 {{- end -}}
- {{- toYaml $csc | nindent 12 }}
+ {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $csc "context" $) | nindent 12 }}
 env:
 - name: GITEA_APP_INI
 value: /data/gitea/conf/app.ini
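Review bot: In the two `$csc` hunks (-145 and -176) the chart still defaults `runAsUser` to 1000 and then hands the map to the adapter, which — as the new OCP unit test in this patch shows — removes that key again in OCP mode, so on OpenShift these init containers run under whatever arbitrary UID the SCC assigns rather than 1000. That only works if the paths the configure-gitea container writes (`/data/gitea/conf/app.ini` is visible here) are writable by the root group, the usual OpenShift arbitrary-UID convention; the image is not part of this patch, so please confirm that holds for the non-rootless image or note the limitation in the README section. A comment on the `set $csc "runAsUser" 1000` line, `# default UID 1000; the OCP adapter drops it again so the SCC can pick the UID`, would explain why the default and the adapter coexist. The enclosing init-container definitions begin and end outside these hunks.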
@@ -327,9 +327,9 @@ spec:
 securityContext:
 {{- /* Honor the deprecated securityContext variable when defined */ -}}
 {{- if .Values.containerSecurityContext -}}
- {{ toYaml .Values.containerSecurityContext | nindent 12 -}}
+ {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
 {{- else -}}
- {{ toYaml .Values.securityContext | nindent 12 -}}
+ {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.securityContext "context" $) | nindent 12 }}
 {{- end }}
 volumeMounts:
 - name: temp
@@ -353,7 +353,7 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- with .Values.topologySpreadConstraints }}
- topologySpreadConstraints: 
+ topologySpreadConstraints:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- with .Values.tolerations }}
diff --git a/unittests/deployment/security-context-normal.yaml b/unittests/deployment/security-context-normal.yaml
new file mode 100644
index 0000000..2418371
--- /dev/null
+++ b/unittests/deployment/security-context-normal.yaml
@@ -0,0 +1,25 @@
+# $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: deployment template (security context)
+release:
+ name: gitea-unittests
+ namespace: testing
+templates:
+ - templates/gitea/deployment.yaml
+ - templates/gitea/config.yaml
+tests:
+ - it: FS group set to 1000
+ template: templates/gitea/deployment.yaml
+ set:
+ image.rootless: false
+ asserts:
+ - equal:
+ path: spec.template.spec.securityContext.fsGroup
+ value: 1000
+ - it: run configure-gitea with UID 1000
+ template: templates/gitea/deployment.yaml
+ set:
+ image.rootless: false
+ asserts:
+ - equal:
+ path: spec.template.spec.initContainers[?(@.name == 'configure-gitea')].securityContext.runAsUser
+ value: 1000
diff --git a/unittests/deployment/security-context-ocp.yaml b/unittests/deployment/security-context-ocp.yaml
new file mode 100644
index 0000000..5f7127a
--- /dev/null
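Review bot: Both cases in `security-context-normal.yaml` pin `image.rootless: false` and only look at the pod `fsGroup` and the configure-gitea init container, so the main container's `securityContext` (the -327 hunk above, which now routes both the deprecated `containerSecurityContext` and `securityContext` through the adapter) and the rootless image variant have no regression coverage in the non-OCP path. A third case asserting the main container's rendered `securityContext` with chart defaults, and one with `image.rootless: true`, would catch the adapter altering non-OpenShift output. This file also reuses the exact `suite:` name of the new OCP file, which makes helm-unittest reports ambiguous; `suite: deployment template (security context, non-OCP)` would tell them apart.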
+++ b/unittests/deployment/security-context-ocp.yaml
@@ -0,0 +1,25 @@
+# $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: deployment template (security context)
+release:
+ name: gitea-unittests
+ namespace: testing
+templates:
+ - templates/gitea/deployment.yaml
+ - templates/gitea/config.yaml
+tests:
+ - it: FS group not set
+ template: templates/gitea/deployment.yaml
+ set:
+ image.rootless: false
+ global.compatibility.openshift.adaptSecurityContext: force
+ asserts:
+ - notExists:
+ path: spec.template.spec.securityContext.fsGroup
+ - it: configure-gitea without runaAsUser
+ template: templates/gitea/deployment.yaml
+ set:
+ image.rootless: false
+ global.compatibility.openshift.adaptSecurityContext: force
+ asserts:
+ - notExists:
+ path: spec.template.spec.initContainers[?(@.name == 'configure-gitea')].securityContext.runAsUser
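Review bot: The two OCP cases only assert that `fsGroup` and `runAsUser` disappear, so they would still pass if the adapter dropped the entire security context, including whatever hardening keys values.yaml sets by default; add an `equal` assertion on a key that must survive (for example `allowPrivilegeEscalation` or `capabilities.drop`, whichever the chart defaults — not visible in this patch) so a regression in the helper is caught. Both cases exercise only `force`; if the helper detects OpenShift through API capabilities as the README implies, a third case using helm-unittest's `capabilities: apiVersions: [security.openshift.io/v1]` without `force` would cover the auto-detection path that users actually hit. The second test name has a typo: `- it: configure-gitea without runaAsUser` → `- it: configure-gitea without runAsUser`.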