fix: unique admin password for gitea (#1940)

Author: merll

helmfile.d/snippets/defaults.gotmpl

@@ -7,7 +7,10 @@
 environments:
   default:
     values:
-    - teamConfig:
+    - apps:
+        gitea:
+          adminPassword: {{ randAlphaNum 20 }}
+      teamConfig:
     {{- range $team := $teams }}
         {{ $team }}:
           apps:

helmfile.d/snippets/derived.gotmpl

@@ -188,7 +188,6 @@ environments:
                 password: {{ $a | get "harbor.registry.credentials.password" $v.otomi.adminPassword }}
           gitea:
             enabled: true
-            adminPassword: {{ $a | get "gitea.adminPassword" $v.otomi.adminPassword }}
           keycloak:
             enabled: true
             address: {{ $keycloakBaseUrl }}
@@ -215,4 +214,4 @@ environments:
         otomi:
           version: {{ $otomiTag }}
         versions: {{- $versions | toYaml | nindent 10 }}
-      - ../core.yaml
+      - ../core.yaml

src/cmd/apply.ts

@@ -114,7 +114,7 @@ const applyAll = async () => {
 
   await upgrade({ when: 'post' })
   if (!(env.isDev && env.DISABLE_SYNC)) {
-    await commit()
+    await commit(initialInstall)
     if (initialInstall) {
       await hf(
         {

src/cmd/commit.ts

@@ -50,20 +50,39 @@ const commitAndPush = async (values: Record<string, any>, branch: string): Promi
     return
   }
   if (values._derived?.untrustedCA) process.env.GIT_SSL_NO_VERIFY = '1'
-  d.log('git config:')
-  await $`cat .git/config`
-  await $`git push -u origin ${branch}`
+  await retry(
+    async () => {
+      try {
+        cd(env.ENV_DIR)
+        await $`git push -u origin ${branch}`
+      } catch (e) {
+        d.warn(`The values repository is not yet reachable. Retrying.`)
+        throw e
+      }
+    },
+    {
+      retries: 20,
+      maxTimeout: 30000,
+    },
+  )
   d.log('Successfully pushed the updated values')
 }
 
-export const commit = async (): Promise<void> => {
+export const commit = async (initialInstall: boolean): Promise<void> => {
   const d = terminal(`cmd:${cmdName}:commit`)
   await validateValues()
   d.info('Preparing values')
   const values = (await hfValues()) as Record<string, any>
-  // we call this here again, as we might not have completed (happens upon first install):
-  await bootstrapGit(values)
-  const { branch, remote } = getRepo(values)
+  const { branch, remote, username, email } = getRepo(values)
+  if (initialInstall) {
+    // we call this here again, as we might not have completed (happens upon first install):
+    await bootstrapGit(values)
+  } else {
+    cd(env.ENV_DIR)
+    await setIdentity(username, email)
+    // the url might need updating (e.g. if credentials changed)
+    await $`git remote set-url origin ${remote}`
+  }
   // lets wait until the remote is ready
   if (values?.apps!.gitea!.enabled ?? true) {
     await waitTillGitRepoAvailable(remote)
@@ -100,7 +119,7 @@ export const cloneOtomiChartsInGitea = async (): Promise<void> => {
     await $`rm -f .gitignore`
     await $`rm -f LICENSE`
     await $`git init`
-    await setIdentity(username, password, email)
+    await setIdentity(username, email)
     await $`git checkout -b main`
     await $`git add .`
     await $`git commit -m "first commit"`
@@ -222,6 +241,6 @@ export const module = {
   handler: async (argv: Arguments): Promise<void> => {
     setParsedArgs(argv)
     await prepareEnvironment({ skipKubeContextCheck: true })
-    await commit()
+    await commit(true)
   },
 }

src/common/bootstrap.ts

@@ -30,9 +30,8 @@ export const prepareDomainSuffix = async (inValues: Record<string, any> | undefi
   }
 }
 
-export const setIdentity = async (username, password, email) => {
+export const setIdentity = async (username, email) => {
   await $`git config --local user.name ${username}`.nothrow().quiet()
-  await $`git config --local user.password ${password}`.nothrow().quiet()
   await $`git config --local user.email ${email}`.nothrow().quiet()
 }
 /**
@@ -51,11 +50,11 @@ export const bootstrapGit = async (inValues?: Record<string, any>): Promise<void
     // we couldn't find the domainSuffix in the values, so create it
     await prepareDomainSuffix(values)
   }
-  const { remote, branch, email, username, password } = getRepo(values)
+  const { remote, branch, email, username } = getRepo(values)
   cd(env.ENV_DIR)
   if (await pathExists(`${env.ENV_DIR}/.git`)) {
     d.info(`Git repo was already bootstrapped, setting identity just in case`)
-    await setIdentity(username, password, email)
+    await setIdentity(username, email)
     return
   }
   // we don't care about ssl verification as repo endpoint is either ours or user input
@@ -106,7 +105,7 @@ export const bootstrapGit = async (inValues?: Record<string, any>): Promise<void
     await $`git config --global --add safe.directory ${env.ENV_DIR}`.nothrow().quiet()
   }
 
-  await setIdentity(username, password, email)
+  await setIdentity(username, email)
 
   if (!hasCommits) {
     await $`git checkout -b ${branch}`.nothrow().quiet()

src/common/values.ts

@@ -83,7 +83,7 @@ export const getRepo = (values: Record<string, any>): Repo => {
     branch = otomiApiGit?.branch ?? branch
   } else {
     username = 'otomi-admin'
-    password = values?.apps?.gitea?.adminPassword ?? values?.otomi?.adminPassword
+    password = values?.apps?.gitea?.adminPassword
     email = `[email protected]`
     const giteaUrl = `gitea-http.gitea.svc.cluster.local:3000`
     const giteaOrg = 'otomi'

values-schema.yaml

@@ -1821,7 +1821,7 @@ properties:
             $ref: '#/definitions/rawValues'
           adminPassword:
             type: string
-            x-secret: ''
+            x-secret: '{{ randAlphaNum 20 }}'
           postgresqlPassword:
             type: string
             description: This password was generated and cannot be changed without manual intervention.