Allow configuring a system gpg key #107

New Issue

Closed

opened 2021-02-01 12:25:41 +00:00 by viceice · 9 comments

viceice commented 2021-02-01 12:25:41 +00:00 (Migrated from gitea.com)

Copy Link

It would be nice if there is a possibility to add and configure a gpg key to use the gitea gpg signing feature

It would be nice if there is a possibility to add and configure a gpg key to use the gitea gpg signing feature

👍 1

justusbunsi commented 2021-06-18 16:50:13 +00:00 (Migrated from gitea.com)

Copy Link

Hi. IMO, this could be a great addition to the chart. After playing around with the configuration it would require several inputs:

• private gpg key (for importing into the system)
• <keyid> to be used as reference in configuration
• username + email (either for .gitconfig or app.ini)
• SIGNING_KEY mode (default or the keyid)

With that gpg key pair we would be able to generate a valid gpg file structure that could be injected into the container. Not sure what this would mean from a security perspective.
Depending on the specified SIGNING_KEY mode, the chart would either need to modify the .gitconfig or add the necessary environment variables so that env-to-ini can take care of them during app.ini creation.

Since the private key is highly valuable it wouldn't be wise to allow an inline configuration at values.yaml. Means, Kubernetes secret for these inputs, mounted into an initcontainer (and only into that) for creating the required gpg files. And referring to that secret in values.yaml.

EDIT: I've removed the "public key" references as it isn't required for that.

Hi. IMO, this could be a great addition to the chart. After playing around with the configuration it would require several inputs: - private gpg key (for importing into the system) - `<keyid>` to be used as reference in configuration - username + email (either for `.gitconfig` or `app.ini`) - `SIGNING_KEY` mode (default or the keyid) With that gpg key pair we would be able to generate a valid gpg file structure that could be injected into the container. Not sure what this would mean from a security perspective. Depending on the specified `SIGNING_KEY` mode, the chart would either need to modify the `.gitconfig` or add the necessary environment variables so that env-to-ini can take care of them during app.ini creation. Since the private key is highly valuable it wouldn't be wise to allow an inline configuration at `values.yaml`. Means, Kubernetes secret for these inputs, mounted into an initcontainer (and only into that) for creating the required gpg files. And referring to that secret in `values.yaml`. EDIT: I've removed the "public key" references as it isn't required for that.

viceice commented 2021-11-23 14:49:12 +00:00 (Migrated from gitea.com)

Copy Link

This is partially solved by #186.
It now needs only manual import of the private key to git and the Gitea signing options.

This is partially solved by #186. It now needs only manual import of the private key to git and the Gitea signing options.

justusbunsi commented 2021-11-24 12:15:49 +00:00 (Migrated from gitea.com)

Copy Link

Good catch. Missed that. ?
And with the upcoming pull requests regarding sensitive data injection to the app.ini it will be much more secure to define. Then it would just be the gpg store init.

Good catch. Missed that. ? And with the upcoming pull requests regarding sensitive data injection to the app.ini it will be much more secure to define. Then it would just be the gpg store init.

viceice commented 2023-01-04 15:23:02 +00:00 (Migrated from gitea.com)

Copy Link

Reopen this because #343 got reverted in #373 by @justusbunsi.

@pat-s Can you please create a new PR with those changes again? ❤️

Reopen this because #343 got reverted in #373 by @justusbunsi. @pat-s Can you please create a new PR with those changes again? :heart:

justusbunsi commented 2023-01-04 15:35:12 +00:00 (Migrated from gitea.com)

Copy Link

@viceice

Reopen this because #343 got reverted in #373 by @justusbunsi.

@pat-s Can you please create a new PR with those changes again? ❤️

There is #374 to add it again. It was removed to tag without breaking changes.

@viceice >Reopen this because #343 got reverted in #373 by @justusbunsi. > >@pat-s Can you please create a new PR with those changes again? :heart: There is #374 to add it again. It was removed to tag without breaking changes.

👍 1 ❤️ 1

justusbunsi commented 2023-01-04 15:37:31 +00:00 (Migrated from gitea.com)

Copy Link

I just realized that there are conflicts in the mentioned PR. ? Have to resolve them.

I just realized that there are conflicts in the mentioned PR. ? Have to resolve them.

viceice commented 2023-03-07 12:23:36 +00:00 (Migrated from gitea.com)

Copy Link

I've disabled chart singing and use manual GNUPGHOME/data/git/.gnupg for now.

Need to think how the best way to publish the key to a secret via terraform.
Must be working via automated CI (currently github-actions). ?

I've disabled chart singing and use manual `GNUPGHOME/data/git/.gnupg` for now. Need to think how the best way to publish the key to a secret via terraform. Must be working via automated CI (currently github-actions). ?

justusbunsi commented 2023-03-07 15:31:36 +00:00 (Migrated from gitea.com)

Copy Link

I've disabled chart singing and use manual GNUPGHOME/data/git/.gnupg for now.

The setup is possible with Chart version 7.0.0. No need for manual mapping anymore. ?

> I've disabled chart singing and use manual `GNUPGHOME/data/git/.gnupg` for now. The setup is possible with Chart version 7.0.0. No need for manual mapping anymore. ?

viceice commented 2023-03-21 05:32:12 +00:00 (Migrated from gitea.com)

Copy Link

I've disabled chart singing and use manual GNUPGHOME/data/git/.gnupg for now.

The setup is possible with Chart version 7.0.0. No need for manual mapping anymore. ?

I know, but my gpg key isn't yet available to my terraform config, which is deploying the gitea helm chart. So i need to fix that first. ?

> > I've disabled chart singing and use manual `GNUPGHOME/data/git/.gnupg` for now. > > The setup is possible with Chart version 7.0.0. No need for manual mapping anymore. ? I know, but my gpg key isn't yet available to my terraform config, which is deploying the gitea helm chart. So i need to fix that first. ?

👍 1

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

No results found.

v10.6.0

v10.5.0

v10.4.1

v10.4.0

v10.3.0

v10.2.0

v10.1.4

v10.1.3

v10.1.2

v10.1.1

v10.1.0

v10.0.2

v10.0.1

v10.0.0

v9.6.1

v9.6.0

v9.5.1

v9.5.0

v9.4.0

v9.3.0

v9.2.1

v9.2.0

v9.1.0

v9.0.4

v9.0.3

v9.0.2

v9.0.1

v9.0.0

v8.3.0

v8.2.0

v8.1.0

v8.0.3

v8.0.2

v8.0.1

v8.0.0

v7.0.4

v7.0.3

v7.0.2

v7.0.1

v7.0.0

v6.0.5

v6.0.4

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.9

v5.0.8

v5.0.7

v5.0.6

v5.0.5

v5.0.4

v5.0.3

v5.0.2

v5.0.1

v5.0.0

v4.1.1

v4.1.0

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.0

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.11

v2.1.10

v2.1.9

v2.1.8

v2.1.7

v2.1.6

v2.1.5

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.0

v1.5.5

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.9

v1.4.8

v1.4.7

v1.4.6

v1.4.5

v1.4.4

v1.4.3

v1.4.2

Labels

Clear labels

has/backport

in progress

invalid

kind/breaking

kind/bug

kind/build

kind/dependency

kind/deployment

kind/docs

kind/enhancement

kind/feature

kind/lint

kind/proposal

kind/question

kind/refactor

kind/security

kind/testing

kind/translation

kind/ui

need/backport

priority/critical

priority/low

priority/maybe

priority/medium

reviewed/duplicate

reviewed/invalid

reviewed/wontfix

skip-changelog

status/blocked

status/needs-feedback

status/needs-reviews

status/wip

upstream/gitea

upstream/other

No Label

kind/feature

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: lunny/helm-chart#107

No description provided.