[SOLVED] [drone-ui] web ui cert shows as not secure (mixed content)

Our drone web ui letsencrypt tls cert is being blamed by the browser as not secure because drone is trying to pull a gitea avatar icon using a URL without https.

We are seeing “Connection not secure” and “Parts of this page are not secure (such as images)” under Firefox.

Nowhere have we used non-https settings on the helm chart:

$ cat drone-helm-values.yaml | egrep 'DRONE_SERVER_PROTO|DRONE_GITEA_SERVER'
  DRONE_SERVER_PROTO: https
  DRONE_GITEA_SERVER: "https://git.ourgiteaserver.com"

Any tips on how one can investigate and attempt to rectify this are very welcome!

The avatar URL comes from Gitea in the webhook payload (example below). If the avatar has an http address instead of an https address this is because Gitea is sending the wrong address. This can be resolved by updating your Gitea server configuration to use the appropriate address (I am not a Gitea user, so you’ll probably want to reach out to Gitea community support for instructions on how to make this configuration change).

{
  "ref": "feature",
  "ref_type": "branch",
  "default_branch": "master",
  "repository": {
    "id": 61,
    "owner": {
      "id": 25,
      "login": "gogits",
      "full_name": "",
      "email": "",
+     "avatar_url": "http://try.gitea.io/avatars/25",
      "username": "gogits"
    }
}

EDIT: please see this existing thread: [SOLVED] Wrong avatar URL with Gitea integration

Thank you so much! @bradrydzewski

For people using the gitea chart, the option is not populated under values.yaml but you can add it yourself under ‘gitea.config’:

[...]
config:
    server:
      ROOT_URL: "https://gitea.example.com"

  #  APP_NAME: "Gitea: Git with a cup of tea"
  #  RUN_MODE: dev
  #
  #  server:
  #    SSH_PORT: 22
  #
  #  security:
  #    PASSWORD_COMPLEXITY: spec

The reason it defaults to http is that, if ingress is present, it takes the ingress hostname, which does not carry a protocol, and prefixes the default http value to it.

From the chart:

# gitea/templates/gitea/config.yaml
[..]
    {{- /* server default settings */ -}}
    {{- if not (hasKey .Values.gitea.config.server "HTTP_PORT") -}}
    {{- $_ := set .Values.gitea.config.server "HTTP_PORT" .Values.service.http.port -}}
    {{- end -}}
    {{- if not .Values.gitea.config.server.PROTOCOL -}}
    {{- $_ := set .Values.gitea.config.server "PROTOCOL" "http" -}}
    {{- end -}}
    {{- if not (.Values.gitea.config.server.DOMAIN) -}}
    {{- if gt (len .Values.ingress.hosts) 0 -}}
    {{- $_ := set .Values.gitea.config.server "DOMAIN" (index .Values.ingress.hosts 0).host -}}
    {{- else -}}
    {{- $_ := set .Values.gitea.config.server "DOMAIN" (include "gitea.default_domain" .) -}}
    {{- end -}}
    {{- end -}}
    {{- if not .Values.gitea.config.server.ROOT_URL -}}
    {{- if .Values.ingress.enabled -}}
    {{- if gt (len .Values.ingress.tls) 0 -}}
    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index (index .Values.ingress.tls 0).hosts 0)) -}}
    {{- else -}}
    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL (index .Values.ingress.hosts 0).host) -}}
    {{- end -}}
    {{- else -}}
    {{- $_ := set .Values.gitea.config.server "ROOT_URL" (printf "%s://%s" .Values.gitea.config.server.PROTOCOL .Values.gitea.config.server.DOMAIN) -}}
    {{- end -}}
    {{- end -}}

Thanks again!
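The defaulting order in the template excerpt above, re-expressed as an added Python example (not code from the chart or from any poster in this thread), together with a check that walks a webhook payload for `http://` URLs. The sample values and payload are constructed, and `default_domain` is a hypothetical stand-in for the chart's `gitea.default_domain` helper, which the excerpt does not show.

```python
from urllib.parse import urlsplit

def derive_root_url(values, default_domain="gitea.default.invalid"):
    """Follow the defaulting order of the template excerpt quoted above."""
    server = dict(values.get("gitea", {}).get("config", {}).get("server", {}))
    ingress = values.get("ingress", {})
    hosts, tls = ingress.get("hosts", []), ingress.get("tls", [])
    if not server.get("PROTOCOL"):
        server["PROTOCOL"] = "http"  # default applies even when ingress TLS is set
    if not server.get("DOMAIN"):
        # default_domain is an assumption standing in for "gitea.default_domain"
        server["DOMAIN"] = hosts[0]["host"] if hosts else default_domain
    if not server.get("ROOT_URL"):
        if ingress.get("enabled"):
            host = tls[0]["hosts"][0] if tls else hosts[0]["host"]
        else:
            host = server["DOMAIN"]
        server["ROOT_URL"] = f'{server["PROTOCOL"]}://{host}'
    return server["ROOT_URL"]

def insecure_urls(node, path="$"):
    """Yield (json_path, url) for every string value whose scheme is http."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from insecure_urls(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from insecure_urls(value, f"{path}[{i}]")
    elif isinstance(node, str) and urlsplit(node).scheme.lower() == "http":
        yield path, node

# Constructed sample inputs (not taken from a real deployment).
INGRESS_ONLY = {"ingress": {"enabled": True,
                            "hosts": [{"host": "gitea.example.com"}],
                            "tls": [{"hosts": ["gitea.example.com"]}]}}
WITH_ROOT_URL = {**INGRESS_ONLY, "gitea": {"config": {"server": {
    "ROOT_URL": "https://gitea.example.com"}}}}
PAYLOAD = {"ref": "feature", "repository": {"id": 61, "owner": {
    "login": "gogits", "avatar_url": "http://gitea.example.com/avatars/25"}}}

if __name__ == "__main__":
    print("ingress TLS only :", derive_root_url(INGRESS_ONLY))
    print("explicit ROOT_URL:", derive_root_url(WITH_ROOT_URL))
    for json_path, url in insecure_urls(PAYLOAD):
        print("mixed-content source:", json_path, url)
```
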