Re-add GPG configuration feature #374

Merged
justusbunsi merged 4 commits from refs/pull/374/head into main 2023-01-17 16:58:11 +00:00
18 changed files with 448 additions and 23 deletions

View File

@ -23,6 +23,15 @@ steps:
- helm dependency update
- helm template --debug gitea-helm .
- name: helm unittests
pull: always
image: alpine:3.17
commands:
- apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing make helm git bash
- helm plugin install https://github.com/heyhabito/helm-unittest
- helm dependency update
- make unittests
- name: verify readme
pull: always
image: alpine:3.17

1
.gitignore vendored
View File

@ -1,3 +1,4 @@
charts/
node_modules/
.DS_Store
unittests/*/__snapshot__/

View File

@ -29,4 +29,5 @@ Makefile
.markdownlintignore
.markdownlint.yaml
.drone.yml
CONTRIBUTING.md
CONTRIBUTING.md
unittests/

View File

@ -50,3 +50,13 @@ be used:
forwarded first from `minikube` to localhost first via `kubectl --namespace
default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at
[http://localhost:3000](http://localhost:3000).
### Unit tests
```bash
# install the unittest plugin
$ helm plugin install https://github.com/heyhabito/helm-unittest
# run the unittests
make unittests
```

View File

@ -6,3 +6,7 @@ prepare-environment:
readme: prepare-environment
npm run readme:parameters
npm run readme:lint
.PHONY: unittests
unittests:
helm unittest --helm3 --strict -f 'unittests/**/*.yaml' ./

View File

@ -41,24 +41,6 @@ of this document for major and breaking changes.
- Helm 3.0+
- PV provisioner for persistent data support
## Configure Commit Signing
When using the rootless image the gpg key folder was is not persistent by
default. If you consider using signed commits for internal Gitea activities
(e.g. initial commit), you'd need to provide a signing key. Prior to
[PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be
re-imported once the container got replaced by another.
The mentioned PR introduced a new configuration object `signing` allowing you to
configure prerequisites for commit signing. By default this section is disabled
to maintain backwards compatibility.
```yaml
signing:
enabled: false
gpgHome: /data/git/.gnupg
```
## Examples
### Gitea Configuration
@ -525,6 +507,49 @@ gitea:
...
```
## Configure commit signing
When using the rootless image the gpg key folder is not persistent by
default. If you consider using signed commits for internal Gitea activities
(e.g. initial commit), you'd need to provide a signing key. Prior to
[PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be
re-imported once the container got replaced by another.
The mentioned PR introduced a new configuration object `signing` allowing you to
configure prerequisites for commit signing. By default this section is disabled
to maintain backwards compatibility.
```yaml
signing:
enabled: false
gpgHome: /data/git/.gnupg
```
Regardless of the used container image the `signing` object allows to specify a
private gpg key. Either using the `signing.privateKey` to define the key inline,
or refer to an existing secret containing the key data by using `signing.existingKey`.
```yaml
apiVersion: v1
kind: Secret
metadata:
name: custom-gitea-gpg-key
type: Opaque
stringData:
privateKey: |-
-----BEGIN PGP PRIVATE KEY BLOCK-----
...
-----END PGP PRIVATE KEY BLOCK-----
```
```yaml
signing:
existingSecret: custom-gitea-gpg-key
```
To use the gpg key, Gitea needs to be configured accordingly. A detailed description
can be found in the [official Gitea documentation](https://docs.gitea.io/en-us/signing/#general-configuration).
### Metrics and profiling
A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling
@ -669,10 +694,12 @@ gitea:
### Signing
| Name | Description | Value |
| ----------------- | ---------------------------- | ------------------ |
| `signing.enabled` | Enable commit/action signing | `false` |
| `signing.gpgHome` | GPG home directory | `/data/git/.gnupg` |
| Name | Description | Value |
| ------------------------ | ----------------------------------------------------------------- | ------------------ |
| `signing.enabled` | Enable commit/action signing | `false` |
| `signing.gpgHome` | GPG home directory | `/data/git/.gnupg` |
| `signing.privateKey` | Inline private gpg key for signed Gitea actions | `""` |
| `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` |
### Gitea
@ -786,6 +813,13 @@ See [CONTRIBUTORS GUIDE](CONTRIBUTING.md) for details.
This section lists major and breaking changes of each Helm Chart version.
Please read them carefully to upgrade successfully.
### To 7.0.0
#### Private GPG key configuration for Gitea signing actions
Having `signing.enabled=true` now requires to use either `signing.privateKey` or `signing.existingSecret` so that the Chart can automatically prepare the GPG key for Gitea internal signing actions.
See [Configure commit signing](#configure-commit-signing) for details.
### To 6.0.0
#### Different volume mounts for init-containers and runtime container

View File

@ -331,3 +331,7 @@ https
{{- toYaml .Values.extraVolumeMounts -}}
{{- end -}}
{{- end -}}
{{- define "gitea.gpg-key-secret-name" -}}
{{ default (printf "%s-gpg-key" (include "gitea.fullname" .)) .Values.signing.existingSecret }}
{{- end -}}

View File

@ -0,0 +1,16 @@
{{- if .Values.signing.enabled -}}
{{- if and (empty .Values.signing.privateKey) (empty .Values.signing.existingSecret) -}}
{{- fail "Either specify `signing.privateKey` or `signing.existingKey`" -}}
{{- end }}
{{- if and (not (empty .Values.signing.privateKey)) (empty .Values.signing.existingSecret) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "gitea.gpg-key-secret-name" . }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
type: Opaque
data:
privateKey: {{ .Values.signing.privateKey | b64enc }}
{{- end }}
{{- end }}

View File

@ -6,6 +6,11 @@ metadata:
{{- include "gitea.labels" . | nindent 4 }}
type: Opaque
stringData:
configure_gpg_environment.sh: |-
#!/usr/bin/env bash
set -eu
gpg --batch --import /raw/private.asc
init_directory_structure.sh: |-
#!/usr/bin/env bash
@ -35,6 +40,14 @@ stringData:
{{- end }}
chmod ug+rwx "${GITEA_TEMP}"
{{ if .Values.signing.enabled -}}
if [ ! -d "${GNUPGHOME}" ]; then
mkdir -p "${GNUPGHOME}"
chmod 700 "${GNUPGHOME}"
chown 1000:1000 "${GNUPGHOME}"
fi
{{- end }}
configure_gitea.sh: |-
#!/usr/bin/env bash

View File

@ -59,6 +59,10 @@ spec:
{{- if .Values.statefulset.env }}
{{- toYaml .Values.statefulset.env | nindent 12 }}
{{- end }}
{{- if .Values.signing.enabled }}
- name: GNUPGHOME
value: {{ .Values.signing.gpgHome }}
{{- end }}
volumeMounts:
- name: init
mountPath: /usr/sbin
@ -110,6 +114,36 @@ spec:
{{- include "gitea.init-additional-mounts" . | nindent 12 }}
securityContext:
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
{{- if .Values.signing.enabled }}
- name: configure-gpg
image: "{{ include "gitea.image" . }}"
command: ["/usr/sbin/configure_gpg_environment.sh"]
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
{{- $csc := deepCopy .Values.containerSecurityContext -}}
{{- if not (hasKey $csc "runAsUser") -}}
{{- $_ := set $csc "runAsUser" 1000 -}}
{{- end -}}
{{- toYaml $csc | nindent 12 }}
env:
- name: GNUPGHOME
value: {{ .Values.signing.gpgHome }}
volumeMounts:
- name: init
mountPath: /usr/sbin
- name: data
mountPath: /data
{{- if .Values.persistence.subPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
- name: gpg-private-key
mountPath: /raw
readOnly: true
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
{{- end }}
- name: configure-gitea
image: "{{ include "gitea.image" . }}"
command: ["/usr/sbin/configure_gitea.sh"]
@ -305,6 +339,15 @@ spec:
{{- end }}
- name: temp
emptyDir: {}
{{- if .Values.signing.enabled }}
- name: gpg-private-key
secret:
secretName: {{ include "gitea.gpg-key-secret-name" . }}
items:
- key: privateKey
path: private.asc
defaultMode: 0100
{{- end }}
{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
- name: data
persistentVolumeClaim:

View File

@ -0,0 +1,13 @@
suite: GPG secret template (signing disabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/gpg-secret.yaml
tests:
- it: renders nothing
set:
signing.enabled: false
asserts:
- hasDocuments:
count: 0

View File

@ -0,0 +1,40 @@
suite: GPG secret template (signing enabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/gpg-secret.yaml
tests:
- it: fails rendering when nothing is configured
set:
signing:
enabled: true
asserts:
- failedTemplate:
errorMessage: Either specify `signing.privateKey` or `signing.existingKey`
- it: skips rendering using external secret reference
set:
signing:
enabled: true
existingSecret: "external-secret-reference"
asserts:
- hasDocuments:
count: 0
- it: renders secret specification using inline gpg key
set:
signing:
enabled: true
privateKey: "gpg-key-placeholder"
asserts:
- hasDocuments:
count: 1
- documentIndex: 0
containsDocument:
kind: Secret
apiVersion: v1
name: gitea-unittests-gpg-key
- isNotEmpty:
path: metadata.labels
- equal:
path: data.privateKey
value: "Z3BnLWtleS1wbGFjZWhvbGRlcg=="

15
unittests/init/basic.yaml Normal file
View File

@ -0,0 +1,15 @@
suite: Init template (basic)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/init.yaml
tests:
- it: renders a secret
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: Secret
apiVersion: v1
name: gitea-unittests-init

View File

@ -0,0 +1,64 @@
suite: Init template
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/init.yaml
tests:
- it: runs gpg in batch mode
set:
signing.enabled: true
asserts:
- equal:
path: stringData.[configure_gpg_environment.sh]
value: |-
#!/usr/bin/env bash
set -eu
gpg --batch --import /raw/private.asc
- it: skips gpg script block for disabled signing
asserts:
- equal:
path: stringData.[init_directory_structure.sh]
value: |-
#!/usr/bin/env bash
set -euo pipefail
set -x
chown 1000:1000 /data
mkdir -p /data/git/.ssh
chmod -R 700 /data/git/.ssh
[ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
# prepare temp directory structure
mkdir -p "${GITEA_TEMP}"
chown 1000:1000 "${GITEA_TEMP}"
chmod ug+rwx "${GITEA_TEMP}"
- it: adds gpg script block for enabled signing
set:
signing.enabled: true
asserts:
- equal:
path: stringData.[init_directory_structure.sh]
value: |-
#!/usr/bin/env bash
set -euo pipefail
set -x
chown 1000:1000 /data
mkdir -p /data/git/.ssh
chmod -R 700 /data/git/.ssh
[ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
# prepare temp directory structure
mkdir -p "${GITEA_TEMP}"
chown 1000:1000 "${GITEA_TEMP}"
chmod ug+rwx "${GITEA_TEMP}"
if [ ! -d "${GNUPGHOME}" ]; then
mkdir -p "${GNUPGHOME}"
chmod 700 "${GNUPGHOME}"
chown 1000:1000 "${GNUPGHOME}"
fi

View File

@ -0,0 +1,17 @@
suite: Statefulset template (basic)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/statefulset.yaml
- templates/gitea/config.yaml
tests:
- it: renders a statefulset
template: templates/gitea/statefulset.yaml
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: StatefulSet
apiVersion: apps/v1
name: gitea-unittests

View File

@ -0,0 +1,40 @@
suite: Statefulset template (signing disabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/statefulset.yaml
- templates/gitea/config.yaml
tests:
- it: skips gpg init container
template: templates/gitea/statefulset.yaml
asserts:
- notContains:
path: spec.template.spec.initContainers
any: true
content:
name: configure-gpg
- it: skips gpg env in `init-directories` init container
template: templates/gitea/statefulset.yaml
set:
signing.enabled: true
asserts:
- contains:
path: spec.template.spec.initContainers[0].env
content:
name: GNUPGHOME
value: /data/git/.gnupg
- it: skips gpg env in runtime container
template: templates/gitea/statefulset.yaml
asserts:
- notContains:
path: spec.template.spec.containers[0].env
content:
name: GNUPGHOME
- it: skips gpg volume spec
template: templates/gitea/statefulset.yaml
asserts:
- notContains:
path: spec.template.spec.volumes
content:
name: gpg-private-key

View File

@ -0,0 +1,93 @@
suite: Statefulset template (signing enabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/statefulset.yaml
- templates/gitea/config.yaml
tests:
- it: adds gpg init container
template: templates/gitea/statefulset.yaml
set:
signing:
enabled: true
existingSecret: "custom-gpg-secret"
asserts:
- equal:
path: spec.template.spec.initContainers[2].name
value: configure-gpg
- equal:
path: spec.template.spec.initContainers[2].command
value: ["/usr/sbin/configure_gpg_environment.sh"]
- equal:
path: spec.template.spec.initContainers[2].securityContext
value:
runAsUser: 1000
- equal:
path: spec.template.spec.initContainers[2].env
value:
- name: GNUPGHOME
value: /data/git/.gnupg
- equal:
path: spec.template.spec.initContainers[2].volumeMounts
value:
- name: init
mountPath: /usr/sbin
- name: data
mountPath: /data
- name: gpg-private-key
mountPath: /raw
readOnly: true
- it: adds gpg env in `init-directories` init container
template: templates/gitea/statefulset.yaml
set:
signing.enabled: true
asserts:
- contains:
path: spec.template.spec.initContainers[0].env
content:
name: GNUPGHOME
value: /data/git/.gnupg
- it: adds gpg env in runtime container
template: templates/gitea/statefulset.yaml
set:
signing.enabled: true
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: GNUPGHOME
value: /data/git/.gnupg
- it: adds gpg volume spec
template: templates/gitea/statefulset.yaml
set:
signing:
enabled: true
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: gpg-private-key
secret:
secretName: gitea-unittests-gpg-key
items:
- key: privateKey
path: private.asc
defaultMode: 0100
- it: supports gpg volume spec with external reference
template: templates/gitea/statefulset.yaml
set:
signing:
enabled: true
existingSecret: custom-gpg-secret
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: gpg-private-key
secret:
secretName: custom-gpg-secret
items:
- key: privateKey
path: private.asc
defaultMode: 0100

View File

@ -253,9 +253,17 @@ initPreScript: ""
#
## @param signing.enabled Enable commit/action signing
## @param signing.gpgHome GPG home directory
## @param signing.privateKey Inline private gpg key for signed Gitea actions
## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey`
signing:
enabled: false
gpgHome: /data/git/.gnupg
privateKey: ""
# privateKey: |-
# -----BEGIN PGP PRIVATE KEY BLOCK-----
# ...
# -----END PGP PRIVATE KEY BLOCK-----
existingSecret: ""
## @section Gitea
#