do not save sensitive data within the gitea configmap #17
Closed
opened 2020-08-31 16:02:29 +00:00 by Jasper-Ben
6 comments
Labels: kind/security
Assignees: lunny (Lunny Xiao)
Reference: lunny/helm-chart#17
Currently, the configmap used to configure gitea contains the postgresql/mysql password.
To fix this, I propose one of the following solutions:
1. If(?) environment variables within the `app.ini` are interpreted, the easiest solution would be to mount the already existing postgresql/mysql secret into an environment variable.
2. Otherwise, creating an init container to replace a placeholder in the `app.ini` using the secret is also a valid option.
FWIW some secrets (`INTERNAL_TOKEN` is one) can be read from a reference on disk, so k8s secrets could be used for those and the `app.ini` wouldn't need any secrets to be stored in plain text in it.
I had a PR against the old repo for this chart (https://github.com/k8s-land/gitea-chart/pull/22) that put all sensitive data into Secrets, but it was never merged.
Unfortunately it looks like it may need a fair bit of work now since the massive changes of PR #7, and it'll likely be a few weeks before I have time to look at it again.
option 1 above won't work as the Gitea container runs an init system with scripts that try to do overly clever things with environment variables. (That was my first thought, too.)
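The two points raised above (an init container that replaces a placeholder in `app.ini` with the value from a Secret, and reading `INTERNAL_TOKEN` from a file reference instead of from `app.ini`) combined into one set of manifests. This is an added example, not the chart's own templates or anything from that old PR; the resource names (`gitea-config`, `gitea-secrets`), the placeholder `__DB_PASSWD__`, the image tags, the mount paths and the sample Secret values are assumptions made for illustration. The weak form the issue describes is kept as a comment at the top so the two can be compared.

```yaml
# Added example, not the chart's manifests. Resource names, placeholder,
# image tags, mount paths and Secret values are assumptions.
#
# --- Weak form (what the issue describes): the DB password sits in a
# ConfigMap, which is visible to anyone allowed to read ConfigMaps in the
# namespace and is not covered by Secret-specific RBAC or encryption at rest.
#
# apiVersion: v1
# kind: ConfigMap
# data:
#   app.ini: |
#     [database]
#     PASSWD = <plain-text password>
#
# --- Hardened form: the ConfigMap carries only a placeholder, the password
# and the internal token live in a Secret, an init container renders the
# final app.ini into a memory-backed emptyDir that only this pod can see,
# and Gitea reads INTERNAL_TOKEN from a mounted file via INTERNAL_TOKEN_URI.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: gitea-config
data:
  app.ini: |
    [database]
    DB_TYPE = postgres
    HOST = gitea-postgresql:5432
    NAME = gitea
    USER = gitea
    PASSWD = __DB_PASSWD__
    [security]
    INTERNAL_TOKEN_URI = file:/secrets/internal_token
---
apiVersion: v1
kind: Secret
metadata:
  name: gitea-secrets
type: Opaque
stringData:                               # constructed sample values
  db-password: "REPLACE_WITH_DB_PASSWORD"
  internal_token: "REPLACE_WITH_INTERNAL_TOKEN"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitea
spec:
  selector:
    matchLabels: { app: gitea }
  template:
    metadata:
      labels: { app: gitea }
    spec:
      volumes:
        - name: config-template
          configMap: { name: gitea-config }
        - name: rendered-config
          emptyDir: { medium: Memory }      # never written to node disk
        - name: secrets
          secret:
            secretName: gitea-secrets
            defaultMode: 0400
            items:
              - { key: internal_token, path: internal_token }
      initContainers:
        - name: render-config
          image: busybox:1.36              # assumption: any image with sh + sed
          env:
            - name: DB_PASSWD
              valueFrom:
                secretKeyRef: { name: gitea-secrets, key: db-password }
          command: ["sh", "-c"]
          args:
            - |
              set -eu
              # escape the characters sed treats specially in a replacement
              esc=$(printf '%s' "$DB_PASSWD" | sed -e 's/[\/&\\]/\\&/g')
              sed "s/__DB_PASSWD__/$esc/" /template/app.ini > /rendered/app.ini
          volumeMounts:
            - { name: config-template, mountPath: /template, readOnly: true }
            - { name: rendered-config, mountPath: /rendered }
      containers:
        - name: gitea
          image: gitea/gitea:1.12          # placeholder tag
          volumeMounts:
            # assumption: the chart points Gitea at /data/gitea/conf/app.ini
            - { name: rendered-config, mountPath: /data/gitea/conf }
            - { name: secrets, mountPath: /secrets, readOnly: true }
```

With this layout `kubectl get configmap gitea-config -o yaml` shows only the placeholder, the password exists in the cluster only inside the Secret and the pod's own memory-backed volume, and the internal token never appears in `app.ini` at all. Whether the Gitea image's own init scripts overwrite the rendered file depends on how the chart configures them, which is the caveat raised in the comment above.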
I'll have a look at it and will see if we can adapt this to the new structure. Might be later that week or next week
It'll take a little longer until I get back to this helm chart. Currently remodeling our cluster :D
Currently working on a PR for this. I think I might have a good and easy solution for this problem.
So, I've moved all password related data to secrets, please let me know if this is what you had in mind.
We can discuss not storing data in `app.ini` at all, but imo when someone gets access to your gitea container, security is broken anyways :D