Add gpg configuration settings (#343)

### Description of the change

This PR adds support for gpg key setup. It allows to pass the gpg private key content inline inside `values.yaml` or refer to an existing secret containing the key content data.

### Benefits

Administrators don't need to manually setup the gpg environment from inside a running container. It also eliminates the breaking change of Gitea 1.17 regarding `[git].HOME` as the `GNUPGHOME` environment variable is used consistently to relocate the `.gnupg` directory to its former location.

### Applicable issues

  - fixes #107

### Additional information

This PR add the first unit tests to this Helm Chart, ensuring templating integrity for signing related configuration.

### Checklist

- [x] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)

Co-authored-by: justusbunsi <sk.bunsenbrenner@gmail.com>
Co-authored-by: pat-s <pat-s@noreply.gitea.io>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/343
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: justusbunsi <justusbunsi@noreply.gitea.io>
Co-committed-by: justusbunsi <justusbunsi@noreply.gitea.io>
This commit is contained in:
justusbunsi 2022-09-28 16:18:59 +08:00 committed by pat-s
parent 0d1f748898
commit b8f0310c43
18 changed files with 429 additions and 22 deletions

View File

@ -23,6 +23,15 @@ steps:
- helm dependency update
- helm template --debug gitea-helm .
- name: helm unittests
pull: always
image: alpine:3.16
commands:
- apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing make helm git bash
- helm plugin install https://github.com/heyhabito/helm-unittest
- helm dependency update
- make unittests
- name: verify readme
pull: always
image: alpine:3.16

1
.gitignore vendored
View File

@ -1,3 +1,4 @@
charts/
node_modules/
.DS_Store
unittests/*/__snapshot__/

View File

@ -25,3 +25,4 @@ node_modules/
package.json
package-lock.json
.gitea/
unittests/

View File

@ -50,3 +50,13 @@ be used:
forwarded first from `minikube` to localhost first via `kubectl --namespace
default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at
[http://localhost:3000](http://localhost:3000).
### Unit tests
```bash
# install the unittest plugin
$ helm plugin install https://github.com/heyhabito/helm-unittest
# run the unittests
make unittests
```

View File

@ -6,3 +6,7 @@ prepare-environment:
readme: prepare-environment
npm run readme:parameters
npm run readme:lint
.PHONY: unittests
unittests:
helm unittest --helm3 --strict -f 'unittests/**/*.yaml' ./

View File

@ -41,24 +41,6 @@ of this document for major and breaking changes.
- Helm 3.0+
- PV provisioner for persistent data support
## Configure Commit Signing
When using the rootless image the gpg key folder was is not persistent by
default. If you consider using signed commits for internal Gitea activities
(e.g. initial commit), you'd need to provide a signing key. Prior to
[PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be
re-imported once the container got replaced by another.
The mentioned PR introduced a new configuration object `signing` allowing you to
configure prerequisites for commit signing. By default this section is disabled
to maintain backwards compatibility.
```yaml
signing:
enabled: false
gpgHome: /data/git/.gnupg
```
## Examples
### Gitea Configuration
@ -525,6 +507,49 @@ gitea:
...
```
## Configure commit signing
When using the rootless image the gpg key folder is not persistent by
default. If you consider using signed commits for internal Gitea activities
(e.g. initial commit), you'd need to provide a signing key. Prior to
[PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be
re-imported once the container got replaced by another.
The mentioned PR introduced a new configuration object `signing` allowing you to
configure prerequisites for commit signing. By default this section is disabled
to maintain backwards compatibility.
```yaml
signing:
enabled: false
gpgHome: /data/git/.gnupg
```
Regardless of the used container image the `signing` object allows to specify a
private gpg key. Either using the `signing.privateKey` to define the key inline,
or refer to an existing secret containing the key data by using `signing.existingKey`.
```yaml
apiVersion: v1
kind: Secret
metadata:
name: custom-gitea-gpg-key
type: Opaque
stringData:
privateKey: |-
-----BEGIN PGP PRIVATE KEY BLOCK-----
...
-----END PGP PRIVATE KEY BLOCK-----
```
```yaml
signing:
existingSecret: custom-gitea-gpg-key
```
To use the gpg key, Gitea needs to be configured accordingly. A detailed description
can be found in the [official Gitea documentation](https://docs.gitea.io/en-us/signing/#general-configuration).
### Metrics and profiling
A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling
@ -670,9 +695,11 @@ gitea:
### Signing
| Name | Description | Value |
| ----------------- | ---------------------------- | ------------------ |
| ------------------------ | ----------------------------------------------------------------- | ------------------ |
| `signing.enabled` | Enable commit/action signing | `false` |
| `signing.gpgHome` | GPG home directory | `/data/git/.gnupg` |
| `signing.privateKey` | Inline private gpg key for signed Gitea actions | `""` |
| `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` |
### Gitea

View File

@ -331,3 +331,7 @@ https
{{- toYaml .Values.extraVolumeMounts -}}
{{- end -}}
{{- end -}}
{{- define "gitea.gpg-key-secret-name" -}}
{{ default (printf "%s-gpg-key" (include "gitea.fullname" .)) .Values.signing.existingSecret }}
{{- end -}}

View File

@ -0,0 +1,16 @@
{{- if .Values.signing.enabled -}}
{{- if and (empty .Values.signing.privateKey) (empty .Values.signing.existingSecret) -}}
{{- fail "Either specify `signing.privateKey` or `signing.existingKey`" -}}
{{- end }}
{{- if and (not (empty .Values.signing.privateKey)) (empty .Values.signing.existingSecret) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "gitea.gpg-key-secret-name" . }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
type: Opaque
data:
privateKey: {{ .Values.signing.privateKey | b64enc }}
{{- end }}
{{- end }}

View File

@ -6,6 +6,11 @@ metadata:
{{- include "gitea.labels" . | nindent 4 }}
type: Opaque
stringData:
configure_gpg_environment.sh: |-
#!/usr/bin/env bash
set -eu
gpg --import /raw/private.asc
init_directory_structure.sh: |-
#!/usr/bin/env bash
@ -35,6 +40,14 @@ stringData:
{{- end }}
chmod ug+rwx "${GITEA_TEMP}"
{{ if .Values.signing.enabled -}}
if [ ! -d "${GNUPGHOME}" ]; then
mkdir -p "${GNUPGHOME}"
chmod 700 "${GNUPGHOME}"
chown 1000:1000 "${GNUPGHOME}"
fi
{{- end }}
configure_gitea.sh: |-
#!/usr/bin/env bash

View File

@ -59,6 +59,10 @@ spec:
{{- if .Values.statefulset.env }}
{{- toYaml .Values.statefulset.env | nindent 12 }}
{{- end }}
{{- if .Values.signing.enabled }}
- name: GNUPGHOME
value: {{ .Values.signing.gpgHome }}
{{- end }}
volumeMounts:
- name: init
mountPath: /usr/sbin
@ -110,6 +114,36 @@ spec:
{{- include "gitea.init-additional-mounts" . | nindent 12 }}
securityContext:
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
{{- if .Values.signing.enabled }}
- name: configure-gpg
image: "{{ include "gitea.image" . }}"
command: ["/usr/sbin/configure_gpg_environment.sh"]
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
{{- $csc := deepCopy .Values.containerSecurityContext -}}
{{- if not (hasKey $csc "runAsUser") -}}
{{- $_ := set $csc "runAsUser" 1000 -}}
{{- end -}}
{{- toYaml $csc | nindent 12 }}
env:
- name: GNUPGHOME
value: {{ .Values.signing.gpgHome }}
volumeMounts:
- name: init
mountPath: /usr/sbin
- name: data
mountPath: /data
{{- if .Values.persistence.subPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
- name: gpg-private-key
mountPath: /raw
readOnly: true
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
{{- end }}
- name: configure-gitea
image: "{{ include "gitea.image" . }}"
command: ["/usr/sbin/configure_gitea.sh"]
@ -305,6 +339,15 @@ spec:
{{- end }}
- name: temp
emptyDir: {}
{{- if .Values.signing.enabled }}
- name: gpg-private-key
secret:
secretName: {{ include "gitea.gpg-key-secret-name" . }}
items:
- key: privateKey
path: private.asc
defaultMode: 0100
{{- end }}
{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
- name: data
persistentVolumeClaim:

View File

@ -0,0 +1,13 @@
suite: GPG secret template (signing disabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/gpg-secret.yaml
tests:
- it: renders nothing
set:
signing.enabled: false
asserts:
- hasDocuments:
count: 0

View File

@ -0,0 +1,40 @@
suite: GPG secret template (signing enabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/gpg-secret.yaml
tests:
- it: fails rendering when nothing is configured
set:
signing:
enabled: true
asserts:
- failedTemplate:
errorMessage: Either specify `signing.privateKey` or `signing.existingKey`
- it: skips rendering using external secret reference
set:
signing:
enabled: true
existingSecret: "external-secret-reference"
asserts:
- hasDocuments:
count: 0
- it: renders secret specification using inline gpg key
set:
signing:
enabled: true
privateKey: "gpg-key-placeholder"
asserts:
- hasDocuments:
count: 1
- documentIndex: 0
containsDocument:
kind: Secret
apiVersion: v1
name: gitea-unittests-gpg-key
- isNotEmpty:
path: metadata.labels
- equal:
path: data.privateKey
value: "Z3BnLWtleS1wbGFjZWhvbGRlcg=="

15
unittests/init/basic.yaml Normal file
View File

@ -0,0 +1,15 @@
suite: Init template (basic)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/init.yaml
tests:
- it: renders a secret
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: Secret
apiVersion: v1
name: gitea-unittests-init

View File

@ -0,0 +1,53 @@
suite: Init template
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/init.yaml
tests:
- it: skips gpg script block for disabled signing
asserts:
- equal:
path: stringData.[init_directory_structure.sh]
value: |-
#!/usr/bin/env bash
set -euo pipefail
set -x
chown 1000:1000 /data
mkdir -p /data/git/.ssh
chmod -R 700 /data/git/.ssh
[ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
# prepare temp directory structure
mkdir -p "${GITEA_TEMP}"
chown 1000:1000 "${GITEA_TEMP}"
chmod ug+rwx "${GITEA_TEMP}"
- it: adds gpg script block for enabled signing
set:
signing.enabled: true
asserts:
- equal:
path: stringData.[init_directory_structure.sh]
value: |-
#!/usr/bin/env bash
set -euo pipefail
set -x
chown 1000:1000 /data
mkdir -p /data/git/.ssh
chmod -R 700 /data/git/.ssh
[ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
# prepare temp directory structure
mkdir -p "${GITEA_TEMP}"
chown 1000:1000 "${GITEA_TEMP}"
chmod ug+rwx "${GITEA_TEMP}"
if [ ! -d "${GNUPGHOME}" ]; then
mkdir -p "${GNUPGHOME}"
chmod 700 "${GNUPGHOME}"
chown 1000:1000 "${GNUPGHOME}"
fi

View File

@ -0,0 +1,17 @@
suite: Statefulset template (basic)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/statefulset.yaml
- templates/gitea/config.yaml
tests:
- it: renders a statefulset
template: templates/gitea/statefulset.yaml
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: StatefulSet
apiVersion: apps/v1
name: gitea-unittests

View File

@ -0,0 +1,40 @@
suite: Statefulset template (signing disabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/statefulset.yaml
- templates/gitea/config.yaml
tests:
- it: skips gpg init container
template: templates/gitea/statefulset.yaml
asserts:
- notContains:
path: spec.template.spec.initContainers
any: true
content:
name: configure-gpg
- it: skips gpg env in `init-directories` init container
template: templates/gitea/statefulset.yaml
set:
signing.enabled: true
asserts:
- contains:
path: spec.template.spec.initContainers[0].env
content:
name: GNUPGHOME
value: /data/git/.gnupg
- it: skips gpg env in runtime container
template: templates/gitea/statefulset.yaml
asserts:
- notContains:
path: spec.template.spec.containers[0].env
content:
name: GNUPGHOME
- it: skips gpg volume spec
template: templates/gitea/statefulset.yaml
asserts:
- notContains:
path: spec.template.spec.volumes
content:
name: gpg-private-key

View File

@ -0,0 +1,93 @@
suite: Statefulset template (signing enabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/statefulset.yaml
- templates/gitea/config.yaml
tests:
- it: adds gpg init container
template: templates/gitea/statefulset.yaml
set:
signing:
enabled: true
existingSecret: "custom-gpg-secret"
asserts:
- equal:
path: spec.template.spec.initContainers[2].name
value: configure-gpg
- equal:
path: spec.template.spec.initContainers[2].command
value: ["/usr/sbin/configure_gpg_environment.sh"]
- equal:
path: spec.template.spec.initContainers[2].securityContext
value:
runAsUser: 1000
- equal:
path: spec.template.spec.initContainers[2].env
value:
- name: GNUPGHOME
value: /data/git/.gnupg
- equal:
path: spec.template.spec.initContainers[2].volumeMounts
value:
- name: init
mountPath: /usr/sbin
- name: data
mountPath: /data
- name: gpg-private-key
mountPath: /raw
readOnly: true
- it: adds gpg env in `init-directories` init container
template: templates/gitea/statefulset.yaml
set:
signing.enabled: true
asserts:
- contains:
path: spec.template.spec.initContainers[0].env
content:
name: GNUPGHOME
value: /data/git/.gnupg
- it: adds gpg env in runtime container
template: templates/gitea/statefulset.yaml
set:
signing.enabled: true
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: GNUPGHOME
value: /data/git/.gnupg
- it: adds gpg volume spec
template: templates/gitea/statefulset.yaml
set:
signing:
enabled: true
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: gpg-private-key
secret:
secretName: gitea-unittests-gpg-key
items:
- key: privateKey
path: private.asc
defaultMode: 0100
- it: supports gpg volume spec with external reference
template: templates/gitea/statefulset.yaml
set:
signing:
enabled: true
existingSecret: custom-gpg-secret
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: gpg-private-key
secret:
secretName: custom-gpg-secret
items:
- key: privateKey
path: private.asc
defaultMode: 0100

View File

@ -253,9 +253,17 @@ initPreScript: ""
#
## @param signing.enabled Enable commit/action signing
## @param signing.gpgHome GPG home directory
## @param signing.privateKey Inline private gpg key for signed Gitea actions
## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey`
signing:
enabled: false
gpgHome: /data/git/.gnupg
privateKey: ""
# privateKey: |-
# -----BEGIN PGP PRIVATE KEY BLOCK-----
# ...
# -----END PGP PRIVATE KEY BLOCK-----
existingSecret: ""
## @section Gitea
#