From c49dc047a498973920e6743fa6c330fd2f81dd47 Mon Sep 17 00:00:00 2001
From: luhahn
Date: Thu, 10 Jun 2021 19:13:33 +0800
Subject: [PATCH] Allow existing secrets for passwords (#170)
Allow admin user and password to be configured via existing secrets Allow LDAP bindDn and bindPassword to be configured via existing secrets Update Readme
Fixes: #169
Co-authored-by: Lucas Hahn
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/170
Reviewed-by: techknowlogick
Reviewed-by: Lunny Xiao
Co-authored-by: luhahn
Co-committed-by: luhahn
---
 README.md | 39 ++++++++++++++++++++++++++++++++
 templates/_helpers.tpl | 16 +++++++++++--
 templates/gitea/init.yaml | 8 +++---
 templates/gitea/statefulset.yaml | 34 ++++++++++++++++++++++++++++
 values.yaml | 2 ++
 5 files changed, 93 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 195b9e9..2fe06f6 100644
--- a/README.md
+++ b/README.md
@@ -262,6 +262,25 @@ You cannot use `admin` as username.
 email: "gi@tea.com"
 ```
+You can also use an existing Secret to configure the admin user:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitea-admin-secret
+type: Opaque
+stringData:
+ username: MyAwesomeGiteaAdmin
+ password: AReallyAwesomeGiteaPassword
+```
+
+```yaml
+gitea:
+ admin:
+ existingSecret: gitea-admin-secret
+```
+
 ### LDAP Settings
 Like the admin user the LDAP settings can be updated, but also disabled or deleted.
@@ -306,6 +325,26 @@ kebab-case:
 bind-password: JustAnotherBindPw
 username-attribute: CN
 ```
+
+You can also use an existing secret to set the bindDn and bindPassword:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitea-ldap-secret
+type: Opaque
+stringData:
+ bindDn: CN=ldap read,OU=Spezial,DC=example,DC=com
+ bindPassword: JustAnotherBindPw
+```
+
+```yaml
+gitea:
+ ldap:
+ existingSecret: gitea-ldap-secret
+```
+
 ### OAuth2 Settings
 Like the admin user the OAuth2 settings can be updated but also disabled or deleted.
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 4f2841c..9a4f940 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -108,9 +108,21 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 {{- define "gitea.ldap_settings" -}}
+{{- if or (not (hasKey .Values.gitea.ldap "bindDn")) (not (hasKey .Values.gitea.ldap "bind-dn")) -}}
+{{- $_ := set .Values.gitea.ldap "bindDn" "" -}}
+{{- end -}}
+
+{{- if or (not (hasKey .Values.gitea.ldap "bindPassword")) (not (hasKey .Values.gitea.ldap "bind-password")) -}}
+{{- $_ := set .Values.gitea.ldap "bindPassword" "" -}}
+{{- end -}}
+
 {{- range $key, $val := .Values.gitea.ldap -}}
-{{- if ne $key "enabled" -}}
-{{- if eq $key "port" -}}
+{{- if and (ne $key "enabled") (ne $key "existingSecret") -}}
+{{- if eq ($key | kebabcase) "bind-dn" -}}
+{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_BIND_DN}" | quote ) -}}
+{{- else if eq ($key | kebabcase) "bind-password" -}}
+{{- printf "--%s %s " ($key | kebabcase) ("${GITEA_LDAP_PASSWORD}" | quote ) -}}
+{{- else if eq $key "port" -}}
 {{- printf "--%s %d " ($key | kebabcase) ($val | int) -}}
 {{- else -}}
 {{- printf "--%s %s " ($key | kebabcase) ($val | quote) -}}
diff --git a/templates/gitea/init.yaml b/templates/gitea/init.yaml
index 33184d7..d23f8df 100644
--- a/templates/gitea/init.yaml
+++ b/templates/gitea/init.yaml
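Review bot: The two new guards at the top of `gitea.ldap_settings` combine the `hasKey` checks with `or`, so each fires whenever either spelling of the key is absent, which is the normal case since a values file gives one form or the other. When only `bindDn` is set, `set .Values.gitea.ldap "bindDn" ""` replaces the user's value with an empty string; when only `bind-dn` is set, an empty `bindDn` is added next to it and the `range` below emits `--bind-dn` twice, and the same holds for `bindPassword`/`bind-password`. The intent seems to be a default only when neither spelling exists, i.e. `{{- if and (not (hasKey .Values.gitea.ldap "bindDn")) (not (hasKey .Values.gitea.ldap "bind-dn")) -}}` and the matching `and` for the password guard. Because `set` mutates the shared `.Values` map, whether the cleared value is also what statefulset.yaml renders depends on template render order; the define's body continues past the end of the hunk.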
@@ -41,13 +41,13 @@ stringData:
 set -x; \
 gitea migrate; \
 {{- if and .Values.gitea.admin.username .Values.gitea.admin.password }}
- gitea admin create-user --username {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }} --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
+ gitea admin create-user --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
 || \
- gitea admin change-password --username {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }} \
+ gitea admin change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" \
 || \
- gitea admin user create --username {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }} --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
+ gitea admin user create --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email }} --admin --must-change-password=false \
 || \
- gitea admin user change-password --username {{ .Values.gitea.admin.username }} --password {{ .Values.gitea.admin.password | quote }}; \
+ gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"; \
 {{- end }}
 {{- if .Values.gitea.ldap.enabled }}
 gitea admin auth add-ldap \
diff --git a/templates/gitea/statefulset.yaml b/templates/gitea/statefulset.yaml
index e20e940..42c1945 100644
--- a/templates/gitea/statefulset.yaml
+++ b/templates/gitea/statefulset.yaml
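Review bot: The script still runs under `set -x` (the context line at the top of the hunk), so every `gitea admin` command is traced after expansion and `--password "${GITEA_ADMIN_PASSWORD}"` lands in the container's stderr and pod log in clear text, which undoes much of the benefit of sourcing the password from a Secret; wrapping the admin block in `set +x` / `set -x`, or dropping `-x`, would close that. Separately, the guard `{{- if and .Values.gitea.admin.username .Values.gitea.admin.password }}` still keys on the plaintext values, so a user who sets `admin.existingSecret` and clears `username`/`password` from values skips admin creation without any message; `{{- if or .Values.gitea.admin.existingSecret (and .Values.gitea.admin.username .Values.gitea.admin.password) }}` would cover both paths. `--email {{ .Values.gitea.admin.email }}` is now the only argument left unquoted in these lines. The script block continues outside the hunk.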
@@ -50,6 +50,40 @@ spec:
 value: /data
 - name: GITEA_TEMP
 value: /tmp/gitea
+ {{- if .Values.gitea.ldap.existingSecret }}
+ - name: GITEA_LDAP_BIND_DN
+ valueFrom:
+ secretKeyRef:
+ key: bindDn
+ name: {{ .Values.gitea.ldap.existingSecret }}
+ - name: GITEA_LDAP_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: bindPassword
+ name: {{ .Values.gitea.ldap.existingSecret }}
+ {{- else }}
+ - name: GITEA_LDAP_BIND_DN
+ value: {{ .Values.gitea.ldap.bindDn | quote }}
+ - name: GITEA_ADMIN_PASSWORD
+ value: {{ .Values.gitea.ldap.bindPassword | quote }}
+ {{- end }}
+ {{- if .Values.gitea.admin.existingSecret }}
+ - name: GITEA_ADMIN_USERNAME
+ valueFrom:
+ secretKeyRef:
+ key: username
+ name: {{ .Values.gitea.admin.existingSecret }}
+ - name: GITEA_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: {{ .Values.gitea.admin.existingSecret }}
+ {{- else }}
+ - name: GITEA_ADMIN_USERNAME
+ value: {{ .Values.gitea.admin.username | quote }}
+ - name: GITEA_ADMIN_PASSWORD
+ value: {{ .Values.gitea.admin.password | quote }}
+ {{- end }}
 {{- if .Values.statefulset.env }}
 {{- toYaml .Values.statefulset.env | nindent 12 }}
 {{- end }}
diff --git a/values.yaml b/values.yaml
index 6ea4b7e..40c1ecd 100644
--- a/values.yaml
+++ b/values.yaml
@@ -127,6 +127,7 @@ initPreScript: ""
 gitea:
 admin:
+ #existingSecret: gitea-admin-secret
 username: gitea_admin
 password: r8sA8CPHD9!bt6d
 email: "gitea@local.domain"
@@ -140,6 +141,7 @@ gitea:
 ldap:
 enabled: false
+ #existingSecret: gitea-ldap-secret
 #name:
 #securityProtocol:
 #host:
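Review bot: In the `{{- else }}` branch of the LDAP block the second env entry is named `GITEA_ADMIN_PASSWORD` but carries `.Values.gitea.ldap.bindPassword`; it should read `- name: GITEA_LDAP_PASSWORD`. As written, when `ldap.existingSecret` is unset `GITEA_LDAP_PASSWORD` is never defined, so the `--bind-password "${GITEA_LDAP_PASSWORD}"` produced by `gitea.ldap_settings` expands to an empty bind password, while `GITEA_ADMIN_PASSWORD` appears twice in the env list with the LDAP bind password as one of its values. Note also that `.Values.gitea.ldap.bindDn | quote` and the bind password are rendered whether or not LDAP is enabled, so with the keys absent these entries appear with an empty or null value; guarding the whole LDAP block with `{{- if .Values.gitea.ldap.enabled }}` would avoid emitting them at all.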