Right before big longhorn diff

README.org

@@ -75,3 +75,7 @@ Email Attribute: mail
 
 * EVERYTHING
 https://www.talkingquickly.co.uk/gitea-sso-with-keycloak-openldap-openid-connect
+
+* DRONE AND GITEA
+?
+https://dev.to/ruanbekker/self-hosted-cicd-with-gitea-and-drone-ci-200l

templates/_definitions.yaml

@@ -17,3 +17,20 @@ data:
 {{- $pass := (get $secretData "password") | default "UNDEFINED" -}}
 {{- $pass | quote -}}
 {{- end -}}
+
+{{- /*
+    Returns given number of random Hex characters.
+    - randNumeric 4 | atoi generates a random number in [0, 10^4)
+      This is a range range evenly divisble by 16, but even if off by one,
+      that last partial interval offsetting randomness is only 1 part in 625.
+    - mod N 16 maps to the range 0-15
+    - printf "%x" represents a single number 0-15 as a single hex character
+*/}}
+{{- define "randHex" -}}
+    {{- $result := "" }}
+    {{- range $i := until . }}
+        {{- $rand_hex_char := mod (randNumeric 4 | atoi) 16 | printf "%x" }}
+        {{- $result = print $result $rand_hex_char }}
+    {{- end }}
+    {{- $result }}
+{{- end }}

templates/auth.yaml

@@ -1,18 +1,25 @@
 ---
 {{- define "homey.auth.ingress.annotations" }}
-    nginx.ingress.kubernetes.io/auth-url: "https://git.zakobar.com/oauth/authorize"
+    # nginx.ingress.kubernetes.io/auth-signin: "https://auth.zakobar.com"
-    nginx.ingress.kubernetes.io/auth-signin: "https://git.zakobar.com/login"
+    nginx.ingress.kubernetes.io/auth-url: "http://ldap-auth-internal.{{ .Release.Namespace }}.svc.cluster.local:80"
-    # nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Email
+    nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Email
-    # nginx.ingress.kubernetes.io/configuration-snippet: |-
+    nginx.ingress.kubernetes.io/location-snippets: |-
-    #     proxy_set_header X-Ldap-URL      "ldap://openldap";
+      auth_request /auth
-    #     proxy_set_header X-Ldap-BaseDN   "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
+    nginx.ingress.kubernetes.io/configuration-snippet: |-
-    #     proxy_set_header X-Ldap-BindDN   "cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
+      location /auth {
-    #     proxy_set_header X-Ldap-BindPass {{ (get (get (lookup "v1" "Secret" .Release.Namespace "openldap-ro") "data") "password") | b64dec | quote}};
+        # proxy_pass http://ldap-auth-internal;
-    #     proxy_set_header X-CookieName "homey.auth.cookie";
+        proxy_pass_request_body off;
-    #     proxy_set_header Cookie $cookie_homey.auth.cookie;
+        proxy_set_header X-Target http://ldap-auth-internal.{{ .Release.Namespace }}.svc.cluster.local:80;
-    #     proxy_set_header X-Remote-User $remote_user;
+        proxy_set_header X-Ldap-URL      "ldap://openldap";
-    #     proxy_set_header X-Forwarded-Method $request_method;
+        proxy_set_header X-Ldap-BaseDN   "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
-    #     proxy_set_header X-Ldap-Template "(uid=%(username)s)";
+        proxy_set_header X-Ldap-BindDN   "cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
+        proxy_set_header X-Ldap-BindPass {{ (get (get (lookup "v1" "Secret" .Release.Namespace "openldap-ro") "data") "password") | b64dec | quote}};
+        proxy_set_header X-CookieName "homey.auth.cookie";
+        proxy_set_header Cookie $cookie_homey.auth.cookie;
+        proxy_set_header X-Remote-User $remote_user;
+        proxy_set_header X-Forwarded-Method $request_method;
+        proxy_set_header X-Ldap-Template "(uid=%(username)s)";
+      }
 {{- end }}
 ---
 {{ template "homey.randomsecret" (merge (dict "secretname" "openldap-admin") $) }}
@@ -21,10 +28,6 @@
 # ---
 {{ template "homey.randomsecret" (merge (dict "secretname" "openldap-ro") $) }}
 ---
-# {{ template "homey.randomsecret" (merge (dict "secretname" "keycloak-pass") $) }}
----
-# {{ template "homey.randomsecret" (merge (dict "secretname" "keycloak-db-pass") $) }}
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:

templates/gitea.yaml

@@ -7,9 +7,35 @@ metadata:
     "helm.sh/resource-policy": "keep"
 type: Opaque
 data:
-  {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "gitea-admin-pass") | default dict }}
+{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "gitea-admin-pass") | default dict -}}
-  {{- $secretData := (get $secretObj "data") | default dict }}
+{{- $secretData := (get $secretObj "data") | default dict -}}
-  {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
+{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) -}}
+  password: {{ $pass | quote }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: drone-gitea-oauth2-key
+  annotations:
+    "helm.sh/resource-policy": "keep"
+type: Opaque
+data:
+{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "drone-gitea-oauth2-key") | default dict -}}
+{{- $secretData := (get $secretObj "data") | default dict -}}
+{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) -}}
+  password: {{ $pass | quote }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: drone-gitea-oauth2-secret
+  annotations:
+    "helm.sh/resource-policy": "keep"
+type: Opaque
+data:
+{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "drone-gitea-oauth2-secret") | default dict -}}
+{{- $secretData := (get $secretObj "data") | default dict -}}
+{{- $pass := (get $secretData "password") | default (randHex 32 | b64enc) -}}
   password: {{ $pass | quote }}
 ---
 apiVersion: apps/v1
@@ -29,6 +55,7 @@ spec:
       containers:
       - name: gitea
         image: gitea/gitea:latest
+        ports:
         - containerPort: 3000
           name: http
         volumeMounts:

templates/ldap-auth.yaml

@@ -21,6 +21,7 @@ spec:
         image: linuxserver/ldap-auth
         imagePullPolicy: Always
 ---
+#https://stackoverflow.com/questions/51149921/how-to-authenticate-nginx-with-ldap
 apiVersion: v1
 kind: Service
 metadata:
@@ -31,4 +32,39 @@ spec:
   ports:
   - port: 80
     targetPort: 9000
-    name: ldap-auth-port
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ldap-auth-internal
+spec:
+  selector:
+    app: ldap-auth
+  ports:
+  - port: 80
+    targetPort: 8888
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ldap-auth-ingress
+  annotations:
+spec:
+  ingressClassName: {{ .Values.homey.ingress_class }}
+  tls:
+    - hosts:
+      - auth.{{ .Values.homey.url }}
+      secretName: {{ .Values.homey.certname }}
+  rules:
+  - host: auth.{{ .Values.homey.url }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: ldap-auth
+            port:
+              number: 80
+---
+

templates/phpldapadmin.yaml

@@ -44,7 +44,7 @@ kind: Ingress
 metadata:
   name: phpldapadmin
   annotations:
-    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
+    {{ template "homey.auth.ingress.annotations" $ }}
 spec:
   ingressClassName: {{ .Values.homey.ingress_class }}
   tls: