feat: made compatible with OCP (OKD or OpenShift)

README.md

@@ -689,6 +689,17 @@ gitea:
       existingSecret: gitea-oauth-secret
 ```
 
+### Compatibility with OCP (OKD or OpenShift)
+
+Normally OCP is automatically detected and the compatibility mode set accordingly. To enforce the OCP compatibility mode use the following configuration:
+
+```yaml
+global:
+  compatibility:
+    openshift:
+      adaptSecurityContext: force
+```
+
 ## Configure commit signing
 
 When using the rootless image the gpg key folder is not persistent by default.

templates/gitea/deployment.yaml

@@ -57,7 +57,7 @@ spec:
       {{- end }}
       {{- include "gitea.images.pullSecrets" . | nindent 6 }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
       initContainers:
         - name: init-directories
           image: "{{ include "gitea.image" . }}"
@@ -91,7 +91,7 @@ spec:
               {{- end }}
             {{- include "gitea.init-additional-mounts" . | nindent 12 }}
           securityContext:
-            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
           resources:
             {{- toYaml .Values.initContainers.resources | nindent 12 }}
         - name: init-app-ini
@@ -131,7 +131,7 @@ spec:
             {{- end }}
             {{- include "gitea.init-additional-mounts" . | nindent 12 }}
           securityContext:
-            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
           resources:
             {{- toYaml .Values.initContainers.resources | nindent 12 }}
         {{- if .Values.signing.enabled }}
@@ -145,7 +145,7 @@ spec:
             {{- if not (hasKey $csc "runAsUser") -}}
             {{- $_ := set $csc "runAsUser" 1000 -}}
             {{- end -}}
-            {{- toYaml $csc | nindent 12 }}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $csc "context" $) | nindent 12 }}
           env:
             - name: GNUPGHOME
               value: {{ .Values.signing.gpgHome }}
@@ -176,7 +176,7 @@ spec:
             {{- if not (hasKey $csc "runAsUser") -}}
             {{- $_ := set $csc "runAsUser" 1000 -}}
             {{- end -}}
-            {{- toYaml $csc | nindent 12 }}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $csc "context" $) | nindent 12 }}
           env:
             - name: GITEA_APP_INI
               value: /data/gitea/conf/app.ini
@@ -327,9 +327,9 @@ spec:
           securityContext:
             {{- /* Honor the deprecated securityContext variable when defined */ -}}
             {{- if .Values.containerSecurityContext -}}
-            {{ toYaml .Values.containerSecurityContext | nindent 12 -}}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
             {{- else -}}
-            {{ toYaml .Values.securityContext | nindent 12 -}}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.securityContext "context" $) | nindent 12 }}
             {{- end }}
           volumeMounts:
             - name: temp
@@ -353,7 +353,7 @@ spec:
         {{- toYaml . | nindent 8 }}
     {{- end }}
     {{- with .Values.topologySpreadConstraints }}
-      topologySpreadConstraints: 
+      topologySpreadConstraints:
         {{- toYaml . | nindent 8 }}
     {{- end }}
     {{- with .Values.tolerations }}

unittests/deployment/security-context-normal.yaml

@@ -0,0 +1,25 @@
+# $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: deployment template (security context)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: FS group set to 1000
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+    asserts:
+      - equal:
+          path: spec.template.spec.securityContext.fsGroup
+          value: 1000
+  - it: run configure-gitea with UID 1000
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+    asserts:
+      - equal:
+          path: spec.template.spec.initContainers[?(@.name == 'configure-gitea')].securityContext.runAsUser
+          value: 1000

unittests/deployment/security-context-ocp.yaml

@@ -0,0 +1,25 @@
+# $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: deployment template (security context)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: FS group not set
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+      global.compatibility.openshift.adaptSecurityContext: force
+    asserts:
+      - notExists:
+          path: spec.template.spec.securityContext.fsGroup
+  - it: configure-gitea without runaAsUser
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+      global.compatibility.openshift.adaptSecurityContext: force
+    asserts:
+      - notExists:
+          path: spec.template.spec.initContainers[?(@.name == 'configure-gitea')].securityContext.runAsUser