Stable oauth2.JWT_SECRET #106
Labels
No Label
has
backport
in progress
invalid
kind
breaking
kind
bug
kind
build
kind
dependency
kind
deployment
kind
docs
kind
enhancement
kind
feature
kind
lint
kind
proposal
kind
question
kind
refactor
kind
security
kind
testing
kind
translation
kind
ui
need
backport
priority
critical
priority
low
priority
maybe
priority
medium
reviewed
duplicate
reviewed
invalid
reviewed
wontfix
skip-changelog
status
blocked
status
needs-feedback
status
needs-reviews
status
wip
upstream
gitea
upstream
other
No Milestone
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: gitea/helm-chart#106
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
The
oauth2.JWT_SECRET
should be stable.Currently it will be regenerated on each container restart. So all existing token are invalid then.
https://discourse.gitea.io/t/drone-auth-error-after-gitea-server-restart/2880/4
Maybe related to #43
Well, you can always define the oauth token yourself.
The same goes for #43. Should be stable if you've defined one :)
Sure, but the
JWT_SECRET
must have a specific structure, otherwise it will be overwritten on every gitea startup0cd87d64ff/modules/setting/setting.go (L760)
Seems need exacly 32 bytes (then base64 encoded)
fe79b13ab2/modules/generate/generate.go (L60-L68)
Maybe we could create those tokens (internal token, jwt_secret, secret_key) prior to the actual run. There are gitea cli commands to do that. We could even dynamically create a Kubernetes secret storing these values for the future. This would requires access to the Kubernetes API which could be done using a serviceaccount with the necessary permissions (e.g. update a specific secret that is created with the helm chart rollout in the cluster).
Doing so would persist those data in a secure way so that they can be reused.
What do you think @luhahn?
I am sure this issue will be fixed with #239, once ready.