gerrit: use pcloud oauth provider instead of auth-proxy
Change-Id: I555a05ca00c90e84d3c82f31ccd53a220feff344
diff --git a/core/installer/values-tmpl/gerrit.cue b/core/installer/values-tmpl/gerrit.cue
index 70fda48..221a286 100644
--- a/core/installer/values-tmpl/gerrit.cue
+++ b/core/installer/values-tmpl/gerrit.cue
@@ -2,7 +2,6 @@
network: #Network
subdomain: string
key: #SSHKey
- sshPort: int
}
_domain: "\(input.subdomain).\(input.network.domain)"
@@ -16,7 +15,7 @@
_ingressWithAuthProxy: _IngressWithAuthProxy & {
inp: {
auth: {
- enabled: true
+ enabled: false
}
network: input.network
subdomain: input.subdomain
@@ -73,6 +72,22 @@
namespace: global.id
}
}
+ oauth2Client: {
+ chart: "charts/oauth2-client"
+ sourceRef: {
+ kind: "GitRepository"
+ name: "pcloud"
+ namespace: global.id
+ }
+ }
+ resourceRenderer: {
+ chart: "charts/resource-renderer"
+ sourceRef: {
+ kind: "GitRepository"
+ name: "pcloud"
+ namespace: global.id
+ }
+ }
}
volumes: {
@@ -94,18 +109,97 @@
_longhorn: "longhorn"
_httpPort: 80
-_sshPort: 22
-portForward: [#PortForward & {
- allocator: input.network.allocatePortAddr
- sourcePort: input.sshPort
- // TODO(gio): namespace part must be populated by app manager. Otherwise
- // third-party app developer might point to a service from different namespace.
- targetService: "\(release.namespace)/gerrit-gerrit-service"
- targetPort: _sshPort
-}]
+_oauth2ClientCredentials: "gerrit-oauth2-credentials"
+_gerritConfigMapName: "gerrit-config"
helm: _ingressWithAuthProxy.out.helm & {
+ "oauth2-client": {
+ chart: charts.oauth2Client
+ values: {
+ name: "gerrit-oauth2-client"
+ secretName: _oauth2ClientCredentials
+ grantTypes: ["authorization_code"]
+ scope: "openid profile email"
+ hydraAdmin: "http://hydra-admin.\(global.id)-core-auth.svc.cluster.local"
+ redirectUris: ["https://\(_domain)/oauth"]
+ }
+ }
+ "config-renderer": {
+ chart: charts.resourceRenderer
+ values: {
+ name: "config-renderer"
+ secretName: _oauth2ClientCredentials
+ resourceTemplate: """
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: \(_gerritConfigMapName)
+ namespace: \(release.namespace)
+data:
+ replication.config: |
+ [gerrit]
+ autoReload = false
+ replicateOnStartup = true
+ defaultForceUpdate = true
+ gerrit.config: |
+ [gerrit]
+ basePath = git # FIXED
+ serverId = gerrit-1
+ # The canonical web URL has to be set to the Ingress host, if an Ingress
+ # is used. If a LoadBalancer-service is used, this should be set to the
+ # LoadBalancer's external IP. This can only be done manually after installing
+ # the chart, when you know the external IP the LoadBalancer got from the
+ # cluster.
+ canonicalWebUrl = https://\(_domain)
+ disableReverseDnsLookup = true
+ [index]
+ type = LUCENE
+ [auth]
+ type = OAUTH
+ gitBasicAuthPolicy = HTTP
+ userNameToLowerCase = true
+ userNameCaseInsensitive = true
+ [plugin "gerrit-oauth-provider-pcloud-oauth"]
+ root-url = https://hydra.\(global.domain)
+ client-id = "{{ .client_id }}"
+ client-secret = "{{ .client_secret }}"
+ link-to-existing-openid-accounts = true
+ [download]
+ command = branch
+ command = checkout
+ command = cherry_pick
+ command = pull
+ command = format_patch
+ command = reset
+ scheme = http
+ scheme = anon_http
+ [httpd]
+ # If using an ingress use proxy-http or proxy-https
+ listenUrl = proxy-http://*:8080/
+ requestLog = true
+ gracefulStopTimeout = 1m
+ [sshd]
+ listenAddress = off
+ [transfer]
+ timeout = 120 s
+ [user]
+ name = Gerrit Code Review
+ email = gerrit@\(global.domain)
+ anonymousCoward = Unnamed User
+ [cache]
+ directory = cache
+ [container]
+ user = gerrit # FIXED
+ javaHome = /usr/lib/jvm/java-11-openjdk # FIXED
+ javaOptions = -Djavax.net.ssl.trustStore=/var/gerrit/etc/keystore # FIXED
+ javaOptions = -Xms200m
+ # Has to be lower than 'gerrit.resources.limits.memory'. Also
+ # consider memories used by other applications in the container.
+ javaOptions = -Xmx4g
+"""
+ }
+ }
gerrit: {
chart: charts.gerrit
values: {
@@ -172,8 +266,7 @@
}
http: port: _httpPort
ssh: {
- enabled: true
- port: _sshPort
+ enabled: false
}
}
pluginManagement: {
@@ -181,75 +274,20 @@
name: "gitiles"
}, {
name: "download-commands"
+ }, {
+ name: "oauth"
+ url: "https://drive.google.com/uc?export=download&id=1rSUpZCAVvHZTmRgUl4enrsAM73gndjeP"
+ sha1: "cbdc5228a18b051a6e048a8e783e556394cc5db1"
}]
libs: []
cache: enabled: false
}
etc: {
secret: {
- // TODO(gio): auto generate
ssh_host_ecdsa_key: input.key.private
"ssh_host_ecdsa_key.pub": input.key.public
}
- config: {
- "replication.config": """
-[gerrit]
- autoReload = false
- replicateOnStartup = true
- defaultForceUpdate = true"""
- "gerrit.config": """
-[gerrit]
- basePath = git # FIXED
- serverId = gerrit-1
- # The canonical web URL has to be set to the Ingress host, if an Ingress
- # is used. If a LoadBalancer-service is used, this should be set to the
- # LoadBalancer's external IP. This can only be done manually after installing
- # the chart, when you know the external IP the LoadBalancer got from the
- # cluster.
- canonicalWebUrl = https://\(_domain)
- disableReverseDnsLookup = true
-[index]
- type = LUCENE
-[auth]
- type = HTTP
- httpHeader = X-User
- emailFormat = '{0}@\(global.domain)'
- logoutUrl = https://accounts-ui.\(global.domain)/logout
- gitBasicAuthPolicy = HTTP
- userNameToLowerCase = true
- userNameCaseInsensitive = true
-[download]
- command = pull
- command = cherry_pick
- command = checkout
- command = format_patch
- scheme = ssh
- scheme = http
-[httpd]
- # If using an ingress use proxy-http or proxy-https
- listenUrl = proxy-http://*:8080/
- requestLog = true
- gracefulStopTimeout = 1m
-[sshd]
- listenAddress = 0.0.0.0:29418
- advertisedAddress = \(_domain):\(input.sshPort)
-[transfer]
- timeout = 120 s
-[user]
- name = Gerrit Code Review
- email = gerrit@\(global.domain)
- anonymousCoward = Unnamed User
-[cache]
- directory = cache
-[container]
- user = gerrit # FIXED
- javaHome = /usr/lib/jvm/java-11-openjdk # FIXED
- javaOptions = -Djavax.net.ssl.trustStore=/var/gerrit/etc/keystore # FIXED
- javaOptions = -Xms200m
- # Has to be lower than 'gerrit.resources.limits.memory'. Also
- # consider memories used by other applications in the container.
- javaOptions = -Xmx4g"""
- }
+ existingConfigMapName: _gerritConfigMapName
}
}
}