Re-add GPG configuration feature (#374)

This reverts d5ce1a47ea and therefore adds the GPG feature back into main. As it is a breaking change, this PR now also contains the required upgrade notes. Closes #107 again. Co-authored-by: justusbunsi <sk.bunsenbrenner@gmail.com> Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/374 Reviewed-by: pat-s <pat-s@noreply.gitea.io> Reviewed-by: John Olheiser <john+gitea@jolheiser.com>
2023-01-18 00:58:10 +08:00
parent 8b6a00603a
commit 19e9b07e6e
18 changed files with 448 additions and 23 deletions
--- a/README.md
+++ b/README.md
@ -41,24 +41,6 @@ of this document for major and breaking changes.
 - Helm 3.0+
 - PV provisioner for persistent data support

-## Configure Commit Signing
-
-When using the rootless image the gpg key folder was is not persistent by
-default. If you consider using signed commits for internal Gitea activities
-(e.g. initial commit), you'd need to provide a signing key. Prior to
-[PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be
-re-imported once the container got replaced by another.
-
-The mentioned PR introduced a new configuration object `signing` allowing you to
-configure prerequisites for commit signing. By default this section is disabled
-to maintain backwards compatibility.
-
-```yaml
-signing:
-  enabled: false
-  gpgHome: /data/git/.gnupg
-```
-
 ## Examples

 ### Gitea Configuration
@ -525,6 +507,49 @@ gitea:
        ...
 ```

+## Configure commit signing
+
+When using the rootless image the gpg key folder is not persistent by
+default. If you consider using signed commits for internal Gitea activities
+(e.g. initial commit), you'd need to provide a signing key. Prior to
+[PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be
+re-imported once the container got replaced by another.
+
+The mentioned PR introduced a new configuration object `signing` allowing you to
+configure prerequisites for commit signing. By default this section is disabled
+to maintain backwards compatibility.
+
+```yaml
+signing:
+  enabled: false
+  gpgHome: /data/git/.gnupg
+```
+
+Regardless of the used container image the `signing` object allows to specify a
+private gpg key. Either using the `signing.privateKey` to define the key inline,
+or refer to an existing secret containing the key data by using `signing.existingKey`.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: custom-gitea-gpg-key
+type: Opaque
+stringData:
+  privateKey: |-
+    -----BEGIN PGP PRIVATE KEY BLOCK-----
+    ...
+    -----END PGP PRIVATE KEY BLOCK-----
+```
+
+```yaml
+signing:
+  existingSecret: custom-gitea-gpg-key
+```
+
+To use the gpg key, Gitea needs to be configured accordingly. A detailed description
+can be found in the [official Gitea documentation](https://docs.gitea.io/en-us/signing/#general-configuration).
+
 ### Metrics and profiling

 A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling
@ -669,10 +694,12 @@ gitea:

 ### Signing

-| Name              | Description                  | Value              |
-| ----------------- | ---------------------------- | ------------------ |
-| `signing.enabled` | Enable commit/action signing | `false`            |
-| `signing.gpgHome` | GPG home directory           | `/data/git/.gnupg` |
+| Name                     | Description                                                       | Value              |
+| ------------------------ | ----------------------------------------------------------------- | ------------------ |
+| `signing.enabled`        | Enable commit/action signing                                      | `false`            |
+| `signing.gpgHome`        | GPG home directory                                                | `/data/git/.gnupg` |
+| `signing.privateKey`     | Inline private gpg key for signed Gitea actions                   | `""`               |
+| `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""`               |

 ### Gitea

@ -786,6 +813,13 @@ See [CONTRIBUTORS GUIDE](CONTRIBUTING.md) for details.
 This section lists major and breaking changes of each Helm Chart version.
 Please read them carefully to upgrade successfully.

+### To 7.0.0
+
+#### Private GPG key configuration for Gitea signing actions
+
+Having `signing.enabled=true` now requires to use either `signing.privateKey` or `signing.existingSecret` so that the Chart can automatically prepare the GPG key for Gitea internal signing actions.
+See [Configure commit signing](#configure-commit-signing) for details.
+
 ### To 6.0.0

 #### Different volume mounts for init-containers and runtime container