Allow configuring a system gpg key #107
Labels
No Label
has
backport
in progress
invalid
kind
breaking
kind
bug
kind
build
kind
dependency
kind
deployment
kind
docs
kind
enhancement
kind
feature
kind
lint
kind
proposal
kind
question
kind
refactor
kind
security
kind
testing
kind
translation
kind
ui
need
backport
priority
critical
priority
low
priority
maybe
priority
medium
reviewed
duplicate
reviewed
invalid
reviewed
wontfix
skip-changelog
status
blocked
status
needs-feedback
status
needs-reviews
status
wip
upstream
gitea
upstream
other
No Milestone
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: gitea/helm-chart#107
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
It would be nice if there is a possibility to add and configure a gpg key to use the gitea gpg signing feature
Hi. IMO, this could be a great addition to the chart. After playing around with the configuration it would require several inputs:
<keyid>
to be used as reference in configuration.gitconfig
orapp.ini
)SIGNING_KEY
mode (default or the keyid)With that gpg key pair we would be able to generate a valid gpg file structure that could be injected into the container. Not sure what this would mean from a security perspective.
Depending on the specified
SIGNING_KEY
mode, the chart would either need to modify the.gitconfig
or add the necessary environment variables so that env-to-ini can take care of them during app.ini creation.Since the private key is highly valuable it wouldn't be wise to allow an inline configuration at
values.yaml
. Means, Kubernetes secret for these inputs, mounted into an initcontainer (and only into that) for creating the required gpg files. And referring to that secret invalues.yaml
.EDIT: I've removed the "public key" references as it isn't required for that.
This is partially solved by #186.
It now needs only manual import of the private key to git and the Gitea signing options.
Good catch. Missed that. ?
And with the upcoming pull requests regarding sensitive data injection to the app.ini it will be much more secure to define. Then it would just be the gpg store init.
Reopen this because #343 got reverted in #373 by @justusbunsi.
@pat-s Can you please create a new PR with those changes again? ❤️
@viceice
There is #374 to add it again. It was removed to tag without breaking changes.
I just realized that there are conflicts in the mentioned PR. ? Have to resolve them.
I've disabled chart singing and use manual
GNUPGHOME/data/git/.gnupg
for now.Need to think how the best way to publish the key to a secret via terraform.
Must be working via automated CI (currently github-actions). ?
The setup is possible with Chart version 7.0.0. No need for manual mapping anymore. ?
I know, but my gpg key isn't yet available to my terraform config, which is deploying the gitea helm chart. So i need to fix that first. ?