feat: made compatible with OCP (OKD or OpenShift) (#953)

Reviewed-on: https://code.forgejo.org/forgejo-helm/forgejo-helm/pulls/953 Reviewed-by: Michael Kriese <michael.kriese@gmx.de> Co-authored-by: Lucien Weller <lucien@wellernet.ch> Co-committed-by: Lucien Weller <lucien@wellernet.ch>
2024-11-10 08:16:08 +00:00 · 2024-11-10 08:16:08 +00:00 · 8bd2c48184
commit 8bd2c48184
parent b691f297f1
4 changed files with 69 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -689,6 +689,17 @@ gitea:
      existingSecret: gitea-oauth-secret
 ```
 ### Compatibility with OCP (OKD or OpenShift)
 Normally OCP is automatically detected and the compatibility mode set accordingly. To enforce the OCP compatibility mode use the following configuration:
 ```yaml
 global:
  compatibility:
    openshift:
      adaptSecurityContext: force
 ```
 ## Configure commit signing
 When using the rootless image the gpg key folder is not persistent by default.
--- a/templates/gitea/deployment.yaml
+++ b/templates/gitea/deployment.yaml
@ -57,7 +57,7 @@ spec:
      {{- end }}
      {{- include "gitea.images.pullSecrets" . | nindent 6 }}
      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
      initContainers:
        - name: init-directories
          image: "{{ include "gitea.image" . }}"
@ -91,7 +91,7 @@ spec:
              {{- end }}
            {{- include "gitea.init-additional-mounts" . | nindent 12 }}
          securityContext:
-            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
          resources:
            {{- toYaml .Values.initContainers.resources | nindent 12 }}
        - name: init-app-ini
@ -131,7 +131,7 @@ spec:
            {{- end }}
            {{- include "gitea.init-additional-mounts" . | nindent 12 }}
          securityContext:
-            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
          resources:
            {{- toYaml .Values.initContainers.resources | nindent 12 }}
        {{- if .Values.signing.enabled }}
@ -145,7 +145,7 @@ spec:
            {{- if not (hasKey $csc "runAsUser") -}}
            {{- $_ := set $csc "runAsUser" 1000 -}}
            {{- end -}}
-            {{- toYaml $csc | nindent 12 }}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $csc "context" $) | nindent 12 }}
          env:
            - name: GNUPGHOME
              value: {{ .Values.signing.gpgHome }}
@ -176,7 +176,7 @@ spec:
            {{- if not (hasKey $csc "runAsUser") -}}
            {{- $_ := set $csc "runAsUser" 1000 -}}
            {{- end -}}
-            {{- toYaml $csc | nindent 12 }}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $csc "context" $) | nindent 12 }}
          env:
            - name: GITEA_APP_INI
              value: /data/gitea/conf/app.ini
@ -327,9 +327,9 @@ spec:
          securityContext:
            {{- /* Honor the deprecated securityContext variable when defined */ -}}
            {{- if .Values.containerSecurityContext -}}
-            {{ toYaml .Values.containerSecurityContext | nindent 12 -}}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
            {{- else -}}
-            {{ toYaml .Values.securityContext | nindent 12 -}}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.securityContext "context" $) | nindent 12 }}
            {{- end }}
          volumeMounts:
            - name: temp
--- a/unittests/deployment/security-context-normal.yaml
+++ b/unittests/deployment/security-context-normal.yaml
@ -0,0 +1,25 @@
 # $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
 suite: deployment template (security context)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/deployment.yaml
  - templates/gitea/config.yaml
 tests:
  - it: FS group set to 1000
    template: templates/gitea/deployment.yaml
    set:
      image.rootless: false
    asserts:
      - equal:
          path: spec.template.spec.securityContext.fsGroup
          value: 1000
  - it: run configure-gitea with UID 1000
    template: templates/gitea/deployment.yaml
    set:
      image.rootless: false
    asserts:
      - equal:
          path: spec.template.spec.initContainers[?(@.name == 'configure-gitea')].securityContext.runAsUser
          value: 1000
--- a/unittests/deployment/security-context-ocp.yaml
+++ b/unittests/deployment/security-context-ocp.yaml
@ -0,0 +1,25 @@
 # $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
 suite: deployment template (security context)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/deployment.yaml
  - templates/gitea/config.yaml
 tests:
  - it: FS group not set
    template: templates/gitea/deployment.yaml
    set:
      image.rootless: false
      global.compatibility.openshift.adaptSecurityContext: force
    asserts:
      - notExists:
          path: spec.template.spec.securityContext.fsGroup
  - it: configure-gitea without runaAsUser
    template: templates/gitea/deployment.yaml
    set:
      image.rootless: false
      global.compatibility.openshift.adaptSecurityContext: force
    asserts:
      - notExists:
          path: spec.template.spec.initContainers[?(@.name == 'configure-gitea')].securityContext.runAsUser