gitea/helm-chart
45
54
Fork 127
Code Issues 30 Pull Requests 8 Actions Releases 87 Activity

Stable oauth2.JWT_SECRET #106

New Issue
Closed
opened 2021-01-28 05:27:11 +00:00 by viceice · 5 comments
viceice commented 2021-01-28 05:27:11 +00:00
Contributor
Copy Link

The oauth2.JWT_SECRET should be stable.

Currently it will be regenerated on each container restart. So all existing token are invalid then.

https://discourse.gitea.io/t/drone-auth-error-after-gitea-server-restart/2880/4

The `oauth2.JWT_SECRET` should be stable. Currently it will be regenerated on each container restart. So all existing token are invalid then. https://discourse.gitea.io/t/drone-auth-error-after-gitea-server-restart/2880/4
viceice commented 2021-01-28 05:30:16 +00:00
Author
Contributor
Copy Link

Maybe related to #43

Maybe related to #43
luhahn commented 2021-02-09 08:39:21 +00:00
Member
Copy Link

Well, you can always define the oauth token yourself.
The same goes for #43. Should be stable if you've defined one :)

gitea:
  config:
    oauth2:
      JWT_SECRET: <your_secret>
    security:
      INTERNAL_TOKEN: <token>
Well, you can always define the oauth token yourself. The same goes for #43. Should be stable if you've defined one :) ```yaml gitea: config: oauth2: JWT_SECRET: <your_secret> security: INTERNAL_TOKEN: <token> ```
viceice commented 2021-02-09 08:45:11 +00:00
Author
Contributor
Copy Link

Sure, but the JWT_SECRET must have a specific structure, otherwise it will be overwritten on every gitea startup

0cd87d64ff/modules/setting/setting.go (L760)

Seems need exacly 32 bytes (then base64 encoded)

fe79b13ab2/modules/generate/generate.go (L60-L68)

Sure, but the `JWT_SECRET` must have a specific structure, otherwise it will be overwritten on every gitea startup https://github.com/go-gitea/gitea/blob/0cd87d64ff8bb40520877d3a217363de299f4531/modules/setting/setting.go#L760 Seems need exacly 32 bytes (then base64 encoded) https://github.com/go-gitea/gitea/blob/fe79b13ab2ce9526fae10a5257b4e171cae30ecb/modules/generate/generate.go#L60-L68
justusbunsi commented 2021-06-17 19:53:43 +00:00
Member
Copy Link

Maybe we could create those tokens (internal token, jwt_secret, secret_key) prior to the actual run. There are gitea cli commands to do that. We could even dynamically create a Kubernetes secret storing these values for the future. This would requires access to the Kubernetes API which could be done using a serviceaccount with the necessary permissions (e.g. update a specific secret that is created with the helm chart rollout in the cluster).

Doing so would persist those data in a secure way so that they can be reused.

What do you think @luhahn?

Maybe we could create those tokens (internal token, jwt_secret, secret_key) prior to the actual run. There are gitea cli commands to do that. We could even dynamically create a Kubernetes secret storing these values for the future. This would requires access to the Kubernetes API which could be done using a serviceaccount with the necessary permissions (e.g. update a specific secret that is created with the helm chart rollout in the cluster). Doing so would persist those data in a secure way so that they can be reused. What do you think @luhahn?
justusbunsi commented 2021-11-12 17:04:01 +00:00
Member
Copy Link

I am sure this issue will be fixed with #239, once ready.

I am sure this issue will be fixed with #239, once ready.
❤️ 1
justusbunsi added the
kind
bug
 label 2021-11-13 12:38:17 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
main
renovate/workflow-dependencies-(minor-and-patch)
app-ini-recreation
fix-env-to-ini
clean-app-ini
gitea-ha
v10.1.4
v10.1.3
v10.1.2
v10.1.1
v10.1.0
v10.0.2
v10.0.1
v10.0.0
v9.6.1
v9.6.0
v9.5.1
v9.5.0
v9.4.0
v9.3.0
v9.2.1
v9.2.0
v9.1.0
v9.0.4
v9.0.3
v9.0.2
v9.0.1
v9.0.0
v8.3.0
v8.2.0
v8.1.0
v8.0.3
v8.0.2
v8.0.1
v8.0.0
v7.0.4
v7.0.3
v7.0.2
v7.0.1
v7.0.0
v6.0.5
v6.0.4
v6.0.3
v6.0.2
v6.0.1
v6.0.0
v5.0.9
v5.0.8
v5.0.7
v5.0.6
v5.0.5
v5.0.4
v5.0.3
v5.0.2
v5.0.1
v5.0.0
v4.1.1
v4.1.0
v4.0.3
v4.0.2
v4.0.1
v4.0.0
v3.1.4
v3.1.3
v3.1.2
v3.1.1
v3.1.0
v3.0.0
v2.2.5
v2.2.4
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.11
v2.1.10
v2.1.9
v2.1.8
v2.1.7
v2.1.6
v2.1.5
v2.1.4
v2.1.3
v2.1.2
v2.1.1
v2.1.0
v2.0.7
v2.0.6
v2.0.5
v2.0.4
v2.0.3
v2.0.2
v2.0.0
v1.5.5
v1.5.4
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.4.9
v1.4.8
v1.4.7
v1.4.6
v1.4.5
v1.4.4
v1.4.3
v1.4.2
Labels
Clear labels   
has
backport

  
in progress

   
invalid
  
kind
breaking

  
kind
bug

  
kind
build

  
kind
dependency

  
kind
deployment

  
kind
docs

  
kind
enhancement

  
kind
feature

  
kind
lint

  
kind
proposal

  
kind
question

  
kind
refactor

  
kind
security

  
kind
testing

  
kind
translation

  
kind
ui

  
need
backport

  
priority
critical

  
priority
low

  
priority
maybe

  
priority
medium

  
reviewed
duplicate

  
reviewed
invalid

  
reviewed
wontfix

  
skip-changelog
  
status
blocked

  
status
needs-feedback

  
status
needs-reviews

  
status
wip

  
upstream
gitea

  
upstream
other

No Label
has
backport
in progress
invalid
kind
breaking
kind
bug
kind
build
kind
dependency
kind
deployment
kind
docs
kind
enhancement
kind
feature
kind
lint
kind
proposal
kind
question
kind
refactor
kind
security
kind
testing
kind
translation
kind
ui
need
backport
priority
critical
priority
low
priority
maybe
priority
medium
reviewed
duplicate
reviewed
invalid
reviewed
wontfix
skip-changelog
status
blocked
status
needs-feedback
status
needs-reviews
status
wip
upstream
gitea
upstream
other
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
3 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: gitea/helm-chart#106
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?