Enable admin user password creation/update mode in values (#677)

This enables sane modes for forcing reset, as well as providing more options to users of the chart by giving them the flexibility to set the mode for password creation/modification as part of init whether the user exists or not. The new default should revert to the behavior before #673 became an issue, while also providing more flexibility for users who want to be able to manage their initial admin user password out-of-band after creating it the first time. None that I can think of. - fixes #673 See the discussion in #675 as well - [X] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm) Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/677 Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.com> Co-authored-by: James Harmison <jharmison@gmail.com> Co-committed-by: James Harmison <jharmison@gmail.com> (cherry picked from commit 1dbf171ad3566dc3cddd5aa74650708da0238d6e)
2024-07-07 09:59:29 +00:00 · 2024-07-07 09:59:29 +00:00 · a5d50b91b6
commit a5d50b91b6
parent 4094461603
5 changed files with 58 additions and 18 deletions
--- a/README.md
+++ b/README.md
@ -573,6 +573,20 @@ gitea:
    existingSecret: gitea-admin-secret
 ```

+Whether you use the existing Secret or specify a user name and password, there are three modes for how the admin user password is created or set.
+
+- `keepUpdated` (the default) will set the admin user password, and reset it to the defined value every time the pod is recreated.
+- `initialOnlyNoReset` will set the admin user password when creating it, but never try to update the password.
+- `initialOnlyRequireReset` will set the admin user password when creating it, never update it, and require that the password be changed at the initial login.
+
+These modes can be set like the following:
+
+```yaml
+gitea:
+  admin:
+    passwordMode: initialOnlyRequireReset
+```
+
 ### LDAP Settings

 Like the admin user the LDAP settings can be updated.
@ -988,20 +1002,21 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus

 ### Gitea

-| Name                                   | Description                                                                 | Value                |
-| -------------------------------------- | --------------------------------------------------------------------------- | -------------------- |
-| `gitea.admin.username`                 | Username for the Forgejo admin user                                         | `gitea_admin`        |
-| `gitea.admin.existingSecret`           | Use an existing secret to store admin user credentials                      | `nil`                |
-| `gitea.admin.password`                 | Password for the Forgejo admin user                                         | `r8sA8CPHD9!bt6d`    |
-| `gitea.admin.email`                    | Email for the Forgejo admin user                                            | `gitea@local.domain` |
-| `gitea.metrics.enabled`                | Enable Forgejo metrics                                                      | `false`              |
-| `gitea.metrics.serviceMonitor.enabled` | Enable Forgejo metrics service monitor                                      | `false`              |
-| `gitea.ldap`                           | LDAP configuration                                                          | `[]`                 |
-| `gitea.oauth`                          | OAuth configuration                                                         | `[]`                 |
-| `gitea.additionalConfigSources`        | Additional configuration from secret or configmap                           | `[]`                 |
-| `gitea.additionalConfigFromEnvs`       | Additional configuration sources from environment variables                 | `[]`                 |
-| `gitea.podAnnotations`                 | Annotations for the Forgejo pod                                             | `{}`                 |
-| `gitea.ssh.logLevel`                   | Configure OpenSSH's log level. Only available for root-based Forgejo image. | `INFO`               |
+| Name                                   | Description                                                                                                                   | Value                |
+| -------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -------------------- |
+| `gitea.admin.username`                 | Username for the Forgejo admin user                                                                                           | `gitea_admin`        |
+| `gitea.admin.existingSecret`           | Use an existing secret to store admin user credentials                                                                        | `nil`                |
+| `gitea.admin.password`                 | Password for the Forgejo admin user                                                                                           | `r8sA8CPHD9!bt6d`    |
+| `gitea.admin.email`                    | Email for the Forgejo admin user                                                                                              | `gitea@local.domain` |
+| `gitea.admin.passwordMode`             | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated`        |
+| `gitea.metrics.enabled`                | Enable Forgejo metrics                                                                                                        | `false`              |
+| `gitea.metrics.serviceMonitor.enabled` | Enable Forgejo metrics service monitor                                                                                        | `false`              |
+| `gitea.ldap`                           | LDAP configuration                                                                                                            | `[]`                 |
+| `gitea.oauth`                          | OAuth configuration                                                                                                           | `[]`                 |
+| `gitea.additionalConfigSources`        | Additional configuration from secret or configmap                                                                             | `[]`                 |
+| `gitea.additionalConfigFromEnvs`       | Additional configuration sources from environment variables                                                                   | `[]`                 |
+| `gitea.podAnnotations`                 | Annotations for the Forgejo pod                                                                                               | `{}`                 |
+| `gitea.ssh.logLevel`                   | Configure OpenSSH's log level. Only available for root-based Forgejo image.                                                   | `INFO`               |

 ### `app.ini` overrides

--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@ -400,3 +400,11 @@ https
 {{- define "gitea.serviceAccountName" -}}
 {{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }}
 {{- end -}}
+
+{{- define "gitea.admin.passwordMode" -}}
+{{- if has .Values.gitea.admin.passwordMode (tuple "keepUpdated" "initialOnlyNoReset" "initialOnlyRequireReset") -}}
+{{ .Values.gitea.admin.passwordMode }}
+{{- else -}}
+{{ printf "gitea.admin.passwordMode must be set to one of 'keepUpdated', 'initialOnlyNoReset', or 'initialOnlyRequireReset'. Received: '%s'" .Values.gitea.admin.passwordMode | fail }}
+{{- end -}}
+{{- end -}}
--- a/templates/gitea/deployment.yaml
+++ b/templates/gitea/deployment.yaml
@ -243,6 +243,8 @@ spec:
            - name: GITEA_ADMIN_PASSWORD
              value: {{ .Values.gitea.admin.password | quote }}
            {{- end }}
+            - name: GITEA_ADMIN_PASSWORD_MODE
+              value: {{ include "gitea.admin.passwordMode" $ }}
            {{- if .Values.deployment.env }}
            {{- toYaml .Values.deployment.env | nindent 12 }}
            {{- end }}
--- a/templates/gitea/init.yaml
+++ b/templates/gitea/init.yaml
@ -109,13 +109,26 @@ stringData:

      local ACCOUNT_ID=$(echo "${actual_user_table}" | grep -E "\s+${GITEA_ADMIN_USERNAME}\s+" | awk -F " " "{printf \$1}")
      if [[ -z "${ACCOUNT_ID}" ]]; then
+        local -a create_args
+        create_args=(--admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }})
+        if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = initialOnlyRequireReset ]]; then
+          create_args+=(--must-change-password=true)
+        else
+          create_args+=(--must-change-password=false)
+        fi
        echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
-        gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
+        gitea admin user create "${create_args[@]}"
        echo '...created.'
      else
-        echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
-        gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --must-change-password=false
-        echo '...password sync done.'
+        if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = keepUpdated ]]; then
+          echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
+          local -a change_args
+          change_args=(--username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --must-change-password=false)
+          gitea admin user change-password "${change_args[@]}"
+          echo '...password sync done.'
+        else
+          echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist, but update mode is set to '${GITEA_ADMIN_PASSWORD_MODE}'. Skipping."
+        fi
      fi
    }

--- a/values.yaml
+++ b/values.yaml
@ -342,12 +342,14 @@ gitea:
  ## @param gitea.admin.existingSecret Use an existing secret to store admin user credentials
  ## @param gitea.admin.password Password for the Forgejo admin user
  ## @param gitea.admin.email Email for the Forgejo admin user
+  ## @param gitea.admin.passwordMode Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated
  admin:
    # existingSecret: gitea-admin-secret
    existingSecret:
    username: gitea_admin
    password: r8sA8CPHD9!bt6d
    email: 'gitea@local.domain'
+    passwordMode: keepUpdated

  ## @param gitea.metrics.enabled Enable Forgejo metrics
  ## @param gitea.metrics.serviceMonitor.enabled Enable Forgejo metrics service monitor