gitea/helm-chart
45
55
Fork 125
Code Issues 32 Pull Requests 8 Actions Releases 87 Activity

Allow configuring a system gpg key #107

New Issue
Closed
opened 2021-02-01 12:25:41 +00:00 by viceice · 9 comments
viceice commented 2021-02-01 12:25:41 +00:00
Contributor
Copy Link

It would be nice if there is a possibility to add and configure a gpg key to use the gitea gpg signing feature

It would be nice if there is a possibility to add and configure a gpg key to use the gitea gpg signing feature
👍 1
justusbunsi commented 2021-06-18 16:50:13 +00:00
Member
Copy Link

Hi. IMO, this could be a great addition to the chart. After playing around with the configuration it would require several inputs:

  • private gpg key (for importing into the system)
  • <keyid> to be used as reference in configuration
  • username + email (either for .gitconfig or app.ini)
  • SIGNING_KEY mode (default or the keyid)

With that gpg key pair we would be able to generate a valid gpg file structure that could be injected into the container. Not sure what this would mean from a security perspective.
Depending on the specified SIGNING_KEY mode, the chart would either need to modify the .gitconfig or add the necessary environment variables so that env-to-ini can take care of them during app.ini creation.

Since the private key is highly valuable it wouldn't be wise to allow an inline configuration at values.yaml. Means, Kubernetes secret for these inputs, mounted into an initcontainer (and only into that) for creating the required gpg files. And referring to that secret in values.yaml.

EDIT: I've removed the "public key" references as it isn't required for that.

Hi. IMO, this could be a great addition to the chart. After playing around with the configuration it would require several inputs: - private gpg key (for importing into the system) - `<keyid>` to be used as reference in configuration - username + email (either for `.gitconfig` or `app.ini`) - `SIGNING_KEY` mode (default or the keyid) With that gpg key pair we would be able to generate a valid gpg file structure that could be injected into the container. Not sure what this would mean from a security perspective. Depending on the specified `SIGNING_KEY` mode, the chart would either need to modify the `.gitconfig` or add the necessary environment variables so that env-to-ini can take care of them during app.ini creation. Since the private key is highly valuable it wouldn't be wise to allow an inline configuration at `values.yaml`. Means, Kubernetes secret for these inputs, mounted into an initcontainer (and only into that) for creating the required gpg files. And referring to that secret in `values.yaml`. EDIT: I've removed the "public key" references as it isn't required for that.
justusbunsi added the
kind
feature
 label 2021-06-26 11:24:14 +00:00
viceice commented 2021-11-23 14:49:12 +00:00
Author
Contributor
Copy Link

This is partially solved by #186.
It now needs only manual import of the private key to git and the Gitea signing options.

This is partially solved by #186. It now needs only manual import of the private key to git and the Gitea signing options.
justusbunsi commented 2021-11-24 12:15:49 +00:00
Member
Copy Link

Good catch. Missed that. ?
And with the upcoming pull requests regarding sensitive data injection to the app.ini it will be much more secure to define. Then it would just be the gpg store init.

Good catch. Missed that. ? And with the upcoming pull requests regarding sensitive data injection to the app.ini it will be much more secure to define. Then it would just be the gpg store init.
pat-s closed this issue 2022-09-28 08:19:00 +00:00
viceice commented 2023-01-04 15:23:02 +00:00
Author
Contributor
Copy Link

Reopen this because #343 got reverted in #373 by @justusbunsi.

@pat-s Can you please create a new PR with those changes again? ❤️

Reopen this because #343 got reverted in #373 by @justusbunsi. @pat-s Can you please create a new PR with those changes again? :heart:
viceice reopened this issue 2023-01-04 15:23:08 +00:00
justusbunsi commented 2023-01-04 15:35:12 +00:00
Member
Copy Link

@viceice

Reopen this because #343 got reverted in #373 by @justusbunsi.

@pat-s Can you please create a new PR with those changes again? ❤️

There is #374 to add it again. It was removed to tag without breaking changes.

@viceice >Reopen this because #343 got reverted in #373 by @justusbunsi. > >@pat-s Can you please create a new PR with those changes again? :heart: There is #374 to add it again. It was removed to tag without breaking changes.
👍 1 ❤️ 1
justusbunsi commented 2023-01-04 15:37:31 +00:00
Member
Copy Link

I just realized that there are conflicts in the mentioned PR. ? Have to resolve them.

I just realized that there are conflicts in the mentioned PR. ? Have to resolve them.
viceice commented 2023-03-07 12:23:36 +00:00
Author
Contributor
Copy Link

I've disabled chart singing and use manual GNUPGHOME/data/git/.gnupg for now.

Need to think how the best way to publish the key to a secret via terraform.
Must be working via automated CI (currently github-actions). ?

I've disabled chart singing and use manual `GNUPGHOME/data/git/.gnupg` for now. Need to think how the best way to publish the key to a secret via terraform. Must be working via automated CI (currently github-actions). ?
justusbunsi commented 2023-03-07 15:31:36 +00:00
Member
Copy Link

I've disabled chart singing and use manual GNUPGHOME/data/git/.gnupg for now.

The setup is possible with Chart version 7.0.0. No need for manual mapping anymore. ?

> I've disabled chart singing and use manual `GNUPGHOME/data/git/.gnupg` for now. The setup is possible with Chart version 7.0.0. No need for manual mapping anymore. ?
viceice commented 2023-03-21 05:32:12 +00:00
Author
Contributor
Copy Link

I've disabled chart singing and use manual GNUPGHOME/data/git/.gnupg for now.

The setup is possible with Chart version 7.0.0. No need for manual mapping anymore. ?

I know, but my gpg key isn't yet available to my terraform config, which is deploying the gitea helm chart. So i need to fix that first. ?

> > I've disabled chart singing and use manual `GNUPGHOME/data/git/.gnupg` for now. > > The setup is possible with Chart version 7.0.0. No need for manual mapping anymore. ? I know, but my gpg key isn't yet available to my terraform config, which is deploying the gitea helm chart. So i need to fix that first. ?
👍 1
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
main
quote-image-tag
app-ini-recreation
fix-env-to-ini
clean-app-ini
gitea-ha
v10.1.4
v10.1.3
v10.1.2
v10.1.1
v10.1.0
v10.0.2
v10.0.1
v10.0.0
v9.6.1
v9.6.0
v9.5.1
v9.5.0
v9.4.0
v9.3.0
v9.2.1
v9.2.0
v9.1.0
v9.0.4
v9.0.3
v9.0.2
v9.0.1
v9.0.0
v8.3.0
v8.2.0
v8.1.0
v8.0.3
v8.0.2
v8.0.1
v8.0.0
v7.0.4
v7.0.3
v7.0.2
v7.0.1
v7.0.0
v6.0.5
v6.0.4
v6.0.3
v6.0.2
v6.0.1
v6.0.0
v5.0.9
v5.0.8
v5.0.7
v5.0.6
v5.0.5
v5.0.4
v5.0.3
v5.0.2
v5.0.1
v5.0.0
v4.1.1
v4.1.0
v4.0.3
v4.0.2
v4.0.1
v4.0.0
v3.1.4
v3.1.3
v3.1.2
v3.1.1
v3.1.0
v3.0.0
v2.2.5
v2.2.4
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.11
v2.1.10
v2.1.9
v2.1.8
v2.1.7
v2.1.6
v2.1.5
v2.1.4
v2.1.3
v2.1.2
v2.1.1
v2.1.0
v2.0.7
v2.0.6
v2.0.5
v2.0.4
v2.0.3
v2.0.2
v2.0.0
v1.5.5
v1.5.4
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.4.9
v1.4.8
v1.4.7
v1.4.6
v1.4.5
v1.4.4
v1.4.3
v1.4.2
Labels
Clear labels   
has
backport

  
in progress

   
invalid
  
kind
breaking

  
kind
bug

  
kind
build

  
kind
dependency

  
kind
deployment

  
kind
docs

  
kind
enhancement

  
kind
feature

  
kind
lint

  
kind
proposal

  
kind
question

  
kind
refactor

  
kind
security

  
kind
testing

  
kind
translation

  
kind
ui

  
need
backport

  
priority
critical

  
priority
low

  
priority
maybe

  
priority
medium

  
reviewed
duplicate

  
reviewed
invalid

  
reviewed
wontfix

  
skip-changelog
  
status
blocked

  
status
needs-feedback

  
status
needs-reviews

  
status
wip

  
upstream
gitea

  
upstream
other

No Label
has
backport
in progress
invalid
kind
breaking
kind
bug
kind
build
kind
dependency
kind
deployment
kind
docs
kind
enhancement
kind
feature
kind
lint
kind
proposal
kind
question
kind
refactor
kind
security
kind
testing
kind
translation
kind
ui
need
backport
priority
critical
priority
low
priority
maybe
priority
medium
reviewed
duplicate
reviewed
invalid
reviewed
wontfix
skip-changelog
status
blocked
status
needs-feedback
status
needs-reviews
status
wip
upstream
gitea
upstream
other
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: gitea/helm-chart#107
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?