bef0cea1b1
Hello ! I'm using the new Helm chart (5.x) and I really like the new configuration mechanism. 👍 I would like to contribute the following enhancement. ## The problem I want to solve I'm trying to deploy Gitea in a Kubernetes shared platform and I need to make sure each instance is running as a different user so that in case of container escape, the risk of data leak is minimized. Additionally, on my platform (OpenShift), arbitrary users (such as uid 1000 for Gitea) are not allowed. The current helm chart does not allow me to achieve this because: - the container security context is configurable only for the main container. The security context of init containers cannot be specified. - a fixed uid is hard coded - a fixed fs group is hard coded Also, the securityContext of a pod and the securityContext of a container do not accept the same options. - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#podsecuritycontext-v1-core - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#securitycontext-v1-core ## How I'm solving the problem I split the `securityContext` (values.yaml) in two: `containerSecurityContext` and `podSecurityContext`. The containerSecurityContext applies to all containers (init and main) in order to be consistent with file permissions. The behavior for existing deployments is unchanged: - fsGroup 1000 is the default value for the podSecurityContext variable - the "configure-gitea" init container uses the uid 1000 unless otherwise stated in the containerSecurityContext - the main container is using the existing securityContext variable when defined in order not to break existing deployments and uses the new containerSecurityContext variable if not. This approach is well tested: it is used consistently on bitnami's Helm charts. ## How I tested I tested both root and rootless variants on a Kubernetes 1.22, as well as rootless variant on OpenShift 4.7. 
**rootless variant on Kubernetes**: ```yaml podSecurityContext: fsGroup: 10001 containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL add: - SYS_CHROOT privileged: false runAsGroup: 10001 runAsNonRoot: true runAsUser: 10001 extraVolumes: - name: var-lib-gitea emptyDir: {} extraVolumeMounts: - name: var-lib-gitea readOnly: false mountPath: "/var/lib/gitea" ``` **rootless variant on OpenShift**: ```yaml podSecurityContext: fsGroup: null containerSecurityContext: allowPrivilegeEscalation: false privileged: false runAsNonRoot: true runAsUser: 1000790000 extraVolumes: - name: var-lib-gitea emptyDir: {} extraVolumeMounts: - name: var-lib-gitea readOnly: false mountPath: "/var/lib/gitea" ``` Let me know if something is unclear. Co-authored-by: Nicolas MASSE <nicolas.masse@itix.fr> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/259 Reviewed-by: luhahn <luhahn@noreply.gitea.io> Reviewed-by: justusbunsi <justusbunsi@noreply.gitea.io> Co-authored-by: nmasse-itix <nmasse-itix@noreply.gitea.io> Co-committed-by: nmasse-itix <nmasse-itix@noreply.gitea.io>
# Default values for gitea.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
#
# SECURITY: the admin and database passwords further down are public, shared
# defaults. Override them (or point the chart at an existing Secret) before
# any deployment that is reachable by anyone but you.

# Number of Gitea pods. NOTE(review): `persistence` below defaults to a single
# ReadWriteOnce volume, so confirm your storage supports multiple writers
# before raising this.
replicaCount: 1
# Cluster DNS domain. NOTE(review): presumably used to build in-cluster FQDNs
# (e.g. for the bundled database/cache services) — verify in the templates
# before changing it on a cluster with a custom domain.
clusterDomain: cluster.local
image:
  repository: gitea/gitea
  # Keep this pinned to an explicit release. With `pullPolicy: Always` a
  # floating tag (e.g. "latest") would let every pod restart pull a different,
  # unreviewed image.
  tag: 1.15.4
  pullPolicy: Always
  # The rootless image is the variant the security-context settings below are
  # meant for (see the note on `podSecurityContext`); prefer it where your
  # Gitea version allows.
  rootless: false # only possible when running 1.14 or later
# Pull secrets for a private registry, as a list of `- name: <secret>` entries.
imagePullSecrets: []
# Security context is only usable with the rootless image due to image design.
#
# Pod-level settings (PodSecurityContext). `fsGroup` makes mounted volumes
# group-owned/writable for Gitea's gid. Set it to `null` on platforms that
# assign group ids themselves instead of forcing 1000 — the OpenShift example
# in the upstream change for this split uses `fsGroup: null`. Per-container
# options (runAsUser, capabilities, ...) are not accepted here; put them in
# `containerSecurityContext` below.
podSecurityContext:
  fsGroup: 1000
# Per-container SecurityContext, applied to every container in the pod (the
# "configure-gitea" init container included) so file ownership stays
# consistent between the init step and the main container. Unless overridden
# here the init container runs as uid 1000. While the deprecated
# `securityContext` below is set, the main container uses that instead of
# this value. Uncomment the block for a least-privilege baseline.
containerSecurityContext: {}
  # allowPrivilegeEscalation: false
  # capabilities:
  #   drop:
  #     - ALL
  #   # Add the SYS_CHROOT capability for root and rootless images if you intend to
  #   # run pods on nodes that use the container runtime cri-o. Otherwise, you will
  #   # get an error message from the SSH server that it is not possible to read from
  #   # the repository.
  #   # https://gitea.com/gitea/helm-chart/issues/161
  #   add:
  #     - SYS_CHROOT
  # privileged: false
  # # NOTE(review): with a read-only root filesystem the image still needs
  # # writable paths; the upstream rootless examples mount an emptyDir at
  # # /var/lib/gitea through extraVolumes/extraVolumeMounts — confirm what
  # # your image writes to before enabling this.
  # readOnlyRootFilesystem: true
  # runAsGroup: 1000
  # runAsNonRoot: true
  # runAsUser: 1000
# DEPRECATED. The securityContext variable has been split in two:
#  - containerSecurityContext
#  - podSecurityContext.
# Kept only so existing deployments keep working: when set, it is applied to
# the main container in place of `containerSecurityContext` (init containers
# are expected to keep using `containerSecurityContext`). Leave this empty for
# new deployments and configure the two variables above instead.
securityContext: {}
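service:
  http:
    type: ClusterIP
    port: 3000
    # Headless service by default (DNS resolves straight to the pod). Remove
    # `clusterIP: None` if you change `type`; a headless NodePort/LoadBalancer
    # service is rejected by the API server.
    clusterIP: None
    # loadBalancerIP:
    # nodePort:
    # externalTrafficPolicy:
    # externalIPs:
    # Only honoured for type LoadBalancer. An empty list means no source
    # restriction, so list your CIDRs if you expose the service that way.
    loadBalancerSourceRanges: []
    # Explicit empty mapping: a bare `annotations:` parses as null rather than
    # as a map, which is also inconsistent with `ingress.annotations: {}`.
    annotations: {}
  ssh:
    type: ClusterIP
    port: 22
    clusterIP: None
    # loadBalancerIP:
    # nodePort:
    # externalTrafficPolicy:
    # externalIPs:
    # See service.http.loadBalancerSourceRanges. SSH is the port most often
    # exposed through a LoadBalancer, so restricting sources matters most here.
    loadBalancerSourceRanges: []
    annotations: {}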
# Ingress for the HTTP service only; SSH is exposed through `service.ssh`.
ingress:
  enabled: false
  # Prefer `className` on clusters that support ingressClassName; the
  # kubernetes.io/ingress.class annotation below is the legacy form.
  # className: nginx
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: git.example.com
      paths:
        - path: /
          pathType: Prefix
  # SECURITY: no TLS by default. An enabled Ingress serves Gitea, including
  # the login form and API tokens, over plain HTTP until a secret is listed.
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - git.example.com
# No requests/limits by default (see below). Without limits one pod can
# exhaust node memory/CPU; on shared clusters rely on a namespace LimitRange
# or ResourceQuota if you keep this empty.
resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
## Use an alternate scheduler, e.g. "stork".
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
# schedulerName:

# Standard pod placement controls, presumably passed through to the pod spec
# of the StatefulSet unchanged.
nodeSelector: {}

tolerations: []

affinity: {}
statefulset:
  # Extra environment variables for the Gitea container. Literal `value`s are
  # rendered into the manifest and shown by `helm get values`, so reference
  # secrets with `valueFrom.secretKeyRef` instead of pasting them here
  # (NOTE(review): assumes entries are passed through verbatim — confirm).
  env: []
    # - name: VARIABLE
    #   value: my-value
  # Seconds Gitea gets to shut down cleanly before the pod is killed.
  terminationGracePeriodSeconds: 60
  # Additional labels for the StatefulSet.
  labels: {}
# Persistent volume for Gitea's data. NOTE(review): the initPreScript example
# and `signing.gpgHome` both write under /data, so repositories, app.ini and
# any signing key presumably live on this volume — treat its backups and
# storage-class encryption as sensitive. Confirm the mount path in the
# templates.
persistence:
  enabled: true
  # Reuse a pre-provisioned PVC instead of creating one.
  # existingClaim:
  size: 10Gi
  accessModes:
    - ReadWriteOnce
  labels: {}
  annotations: {}
  # storageClass:
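# additional volumes to add to the Gitea statefulset.
# Explicit empty list: a bare `extraVolumes:` parses as null, not as a list,
# and is inconsistent with the other empty defaults in this file.
extraVolumes: []
  # - name: postgres-ssl-vol
  #   secret:
  #     secretName: gitea-postgres-ssl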
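# additional volumes to mount, both to the init container and to the main
# container. As an example, can be used to mount a client cert when connecting
# to an external Postgres server. Mount secrets read-only as in the example.
# Explicit empty list: a bare `extraVolumeMounts:` parses as null, not as a
# list.
extraVolumeMounts: []
  # - name: postgres-ssl-vol
  #   readOnly: true
  #   mountPath: "/pg-ssl"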
# bash shell script copied verbatim to the start of the init-container.
# SECURITY: this is arbitrary code run with the init container's identity and
# mounts, so anyone who can edit these values can execute commands in the pod;
# treat the values file as privileged configuration. NOTE(review): the
# `chown` in the example may fail under the rootless image / a non-root
# containerSecurityContext — confirm for your variant.
initPreScript: ""
#
# initPreScript: |
#   mkdir -p /data/git/.postgresql
#   cp /pg-ssl/* /data/git/.postgresql/
#   chown -R git:git /data/git/.postgresql/
#   chmod 400 /data/git/.postgresql/postgresql.key
# Configure commit/action signing prerequisites
signing:
  enabled: false
  # Directory holding the GPG keyring used for signing. NOTE(review): it sits
  # under /data, which the initPreScript example treats as Gitea's data
  # directory, so the private key presumably ends up on the persistent volume
  # — confirm, and restrict access to that volume and its backups accordingly.
  gpgHome: /data/git/.gnupg
gitea:
  admin:
    # Preferred: take the admin credentials from an existing Secret instead of
    # the literals below, which are rendered into the release and visible via
    # `helm get values`.
    # existingSecret: gitea-admin-secret
    username: gitea_admin
    # SECURITY: public, shared default password. Never deploy with it —
    # override it or use existingSecret. NOTE(review): whether changing this
    # later rotates an already-created admin account is not visible from this
    # file; confirm before relying on it.
    password: r8sA8CPHD9!bt6d
    email: "gitea@local.domain"

  metrics:
    enabled: false
    serviceMonitor:
      enabled: false
      #  additionalLabels:
      #    prometheus-release: prom1

  # LDAP authentication sources. Use `existingSecret` for the bind
  # credentials rather than writing `bindPassword` here, and set
  # `securityProtocol` to LDAPS/StartTLS — plain LDAP sends the bind password
  # in clear.
  ldap: []
    # - name: "LDAP 1"
    #   existingSecret:
    #   securityProtocol:
    #   host:
    #   port:
    #   userSearchBase:
    #   userFilter:
    #   adminFilter:
    #   emailAttribute:
    #   bindDn:
    #   bindPassword:
    #   usernameAttribute:
    #   publicSSHKeyAttribute:

  # OAuth2 authentication source. The client `secret` is stored as a plain
  # value (this stanza offers no existingSecret), so keep a filled-in copy of
  # this file out of version control.
  oauth:
    enabled: false
    # name:
    # provider:
    # key:
    # secret:
    # autoDiscoverUrl:
    # useCustomUrls:
    # customAuthUrl:
    # customTokenUrl:
    # customProfileUrl:
    # customEmailUrl:

  # Overrides for app.ini sections. `RUN_MODE: dev` is for development only;
  # Gitea's production mode is `prod`.
  config: {}
  #  APP_NAME: "Gitea: Git with a cup of tea"
  #  RUN_MODE: dev
  #
  #  server:
  #    SSH_PORT: 22
  #
  #  security:
  #    PASSWORD_COMPLEXITY: spec

  podAnnotations: {}
# Which bundled database subchart to deploy. Enable at most one; disable all
# of them when using an external database (presumably configured through
# `gitea.config` — verify in the templates).
database:
  builtIn:
    postgresql:
      enabled: true
    mysql:
      enabled: false
    mariadb:
      enabled: false
# Bundled memcached; its service port is set under `memcached` below.
cache:
  builtIn:
    enabled: true
# Modify the liveness probe for your needs or completely disable it by commenting out.
# TCP-only check: it confirms the port accepts connections, not that Gitea
# answers HTTP. The long initial delay presumably covers the init step and
# first-start migrations.
livenessProbe:
  tcpSocket:
    port: http
  initialDelaySeconds: 200
  timeoutSeconds: 1
  periodSeconds: 10
  successThreshold: 1
  failureThreshold: 10
# Modify the readiness probe for your needs or completely disable it by commenting out.
# TCP-only check, like the liveness probe.
readinessProbe:
  tcpSocket:
    port: http
  initialDelaySeconds: 5
  timeoutSeconds: 1
  periodSeconds: 10
  successThreshold: 1
  failureThreshold: 3

# # Uncomment the startup probe to enable and modify it for your needs.
# # While a startup probe is active the liveness probe is held off, which is
# # the cleaner way to cover slow first starts than a large liveness delay.
# startupProbe:
#   tcpSocket:
#     port: http
#   initialDelaySeconds: 60
#   timeoutSeconds: 1
#   periodSeconds: 10
#   successThreshold: 1
#   failureThreshold: 10
# Values passed to the bundled memcached subchart (used when
# cache.builtIn.enabled is true).
memcached:
  service:
    port: 11211
# Values passed to the bundled PostgreSQL subchart (used when
# database.builtIn.postgresql.enabled is true).
postgresql:
  global:
    postgresql:
      postgresqlDatabase: gitea
      postgresqlUsername: gitea
      # SECURITY: public default credential; override it before deploying.
      postgresqlPassword: gitea
      servicePort: 5432
  persistence:
    size: 10Gi
# Values passed to the bundled MySQL subchart (used when
# database.builtIn.mysql.enabled is true).
mysql:
  root:
    # SECURITY: public default root password; override it before deploying.
    password: gitea
  db:
    user: gitea
    # SECURITY: public default credential; override it before deploying.
    password: gitea
    name: gitea
  service:
    port: 3306
  persistence:
    size: 10Gi
# Values passed to the bundled MariaDB subchart (used when
# database.builtIn.mariadb.enabled is true).
mariadb:
  auth:
    database: gitea
    username: gitea
    # SECURITY: public default credentials (user and root); override both
    # before deploying.
    password: gitea
    rootPassword: gitea
  primary:
    service:
      port: 3306
    persistence:
      size: 10Gi