Temporary revert GPG feature for semver based retagging (#373)

Feature #343 happens to be a breaking change when enabling `.Values.signing` but not specifying
any of the new private key properties. Tag `v6.0.2` is therefore not following semantic versioning.

This temporarily reverts commit b8f0310c43 and a fix-up commit 57a1cd27d9
to retag 6.0.2 as 6.0.3.

Co-authored-by: justusbunsi <sk.bunsenbrenner@gmail.com>
Reviewed-on: https://gitea.com/gitea/helm-chart/pulls/373
Reviewed-by: techknowlogick <techknowlogick@gitea.io>
Reviewed-by: luhahn <luhahn@noreply.gitea.io>
This commit is contained in:
justusbunsi
2022-10-21 00:35:19 +08:00
parent 57a1cd27d9
commit 96493d5427
18 changed files with 22 additions and 440 deletions

View File

@@ -23,15 +23,6 @@ steps:
- helm dependency update - helm dependency update
- helm template --debug gitea-helm . - helm template --debug gitea-helm .
- name: helm unittests
pull: always
image: alpine:3.16
commands:
- apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing make helm git bash
- helm plugin install https://github.com/heyhabito/helm-unittest
- helm dependency update
- make unittests
- name: verify readme - name: verify readme
pull: always pull: always
image: alpine:3.16 image: alpine:3.16
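Review bot: the removed `helm unittests` step (from `- name: helm unittests` down to `- make unittests`) takes the whole chart test job out of CI, not only the signing tests, so the basic suites for `init.yaml` and `statefulset.yaml` that are deleted further down lose their runner as well. Consider keeping the step and the `make unittests` target and dropping only the signing-specific suites. If the step does come back, pin `helm plugin install https://github.com/heyhabito/helm-unittest` to a tag or commit and use `https` for the `edge/testing` apk repository, since both lines currently pull unpinned code over plain `http` into the CI image.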

.gitignore vendored
View File

@@ -1,4 +1,3 @@
charts/ charts/
node_modules/ node_modules/
.DS_Store .DS_Store
unittests/*/__snapshot__/

View File

@@ -25,4 +25,3 @@ node_modules/
package.json package.json
package-lock.json package-lock.json
.gitea/ .gitea/
unittests/
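Review bot: dropping `unittests/` from this ignore file means that any test directory re-added later is packaged into the chart tarball by `helm package` until the entry is restored; if the suites are only being parked for the retag, leaving the entry in place is harmless and avoids shipping test fixtures to users.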

View File

@@ -50,13 +50,3 @@ be used:
forwarded first from `minikube` to localhost first via `kubectl --namespace forwarded first from `minikube` to localhost first via `kubectl --namespace
default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at
[http://localhost:3000](http://localhost:3000). [http://localhost:3000](http://localhost:3000).
### Unit tests
```bash
# install the unittest plugin
$ helm plugin install https://github.com/heyhabito/helm-unittest
# run the unittests
make unittests
```

View File

@@ -6,7 +6,3 @@ prepare-environment:
readme: prepare-environment readme: prepare-environment
npm run readme:parameters npm run readme:parameters
npm run readme:lint npm run readme:lint
.PHONY: unittests
unittests:
helm unittest --helm3 --strict -f 'unittests/**/*.yaml' ./

View File

@@ -41,6 +41,24 @@ of this document for major and breaking changes.
- Helm 3.0+ - Helm 3.0+
- PV provisioner for persistent data support - PV provisioner for persistent data support
## Configure Commit Signing
When using the rootless image the gpg key folder was is not persistent by
default. If you consider using signed commits for internal Gitea activities
(e.g. initial commit), you'd need to provide a signing key. Prior to
[PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be
re-imported once the container got replaced by another.
The mentioned PR introduced a new configuration object `signing` allowing you to
configure prerequisites for commit signing. By default this section is disabled
to maintain backwards compatibility.
```yaml
signing:
enabled: false
gpgHome: /data/git/.gnupg
```
## Examples ## Examples
### Gitea Configuration ### Gitea Configuration
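Review bot: the re-added `Configure Commit Signing` section brings back the typo `the gpg key folder was is not persistent` in its first paragraph, which the removed copy below had already corrected to `is not persistent`; keep the corrected wording when restoring the old section. The restored heading (`Commit Signing`) also differs in capitalisation from the removed one (`commit signing`), so pick one form for the README.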
@@ -507,49 +525,6 @@ gitea:
... ...
``` ```
## Configure commit signing
When using the rootless image the gpg key folder is not persistent by
default. If you consider using signed commits for internal Gitea activities
(e.g. initial commit), you'd need to provide a signing key. Prior to
[PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be
re-imported once the container got replaced by another.
The mentioned PR introduced a new configuration object `signing` allowing you to
configure prerequisites for commit signing. By default this section is disabled
to maintain backwards compatibility.
```yaml
signing:
enabled: false
gpgHome: /data/git/.gnupg
```
Regardless of the used container image the `signing` object allows to specify a
private gpg key. Either using the `signing.privateKey` to define the key inline,
or refer to an existing secret containing the key data by using `signing.existingKey`.
```yaml
apiVersion: v1
kind: Secret
metadata:
name: custom-gitea-gpg-key
type: Opaque
stringData:
privateKey: |-
-----BEGIN PGP PRIVATE KEY BLOCK-----
...
-----END PGP PRIVATE KEY BLOCK-----
```
```yaml
signing:
existingSecret: custom-gitea-gpg-key
```
To use the gpg key, Gitea needs to be configured accordingly. A detailed description
can be found in the [official Gitea documentation](https://docs.gitea.io/en-us/signing/#general-configuration).
### Metrics and profiling ### Metrics and profiling
A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling
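Review bot: the removed prose says `or refer to an existing secret containing the key data by using signing.existingKey`, but the parameter the table, `values.yaml` and the templates define is `signing.existingSecret`; when this section is reinstated, fix the name so readers do not set a value the chart never reads. Worth adding at the same time: the example Secret hands a PGP private key to an init container that runs `gpg --batch`, so the text should state that the key must be usable without a passphrase prompt, and that `existingSecret` is preferable to the inline `privateKey`, which otherwise ends up in the rendered values and the Helm release secret.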
@@ -695,11 +670,9 @@ gitea:
### Signing ### Signing
| Name | Description | Value | | Name | Description | Value |
| ------------------------ | ----------------------------------------------------------------- | ------------------ | | ----------------- | ---------------------------- | ------------------ |
| `signing.enabled` | Enable commit/action signing | `false` | | `signing.enabled` | Enable commit/action signing | `false` |
| `signing.gpgHome` | GPG home directory | `/data/git/.gnupg` | | `signing.gpgHome` | GPG home directory | `/data/git/.gnupg` |
| `signing.privateKey` | Inline private gpg key for signed Gitea actions | `""` |
| `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` |
### Gitea ### Gitea

View File

@@ -331,7 +331,3 @@ https
{{- toYaml .Values.extraVolumeMounts -}} {{- toYaml .Values.extraVolumeMounts -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- define "gitea.gpg-key-secret-name" -}}
{{ default (printf "%s-gpg-key" (include "gitea.fullname" .)) .Values.signing.existingSecret }}
{{- end -}}

View File

@@ -1,16 +0,0 @@
{{- if .Values.signing.enabled -}}
{{- if and (empty .Values.signing.privateKey) (empty .Values.signing.existingSecret) -}}
{{- fail "Either specify `signing.privateKey` or `signing.existingKey`" -}}
{{- end }}
{{- if and (not (empty .Values.signing.privateKey)) (empty .Values.signing.existingSecret) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "gitea.gpg-key-secret-name" . }}
labels:
{{- include "gitea.labels" . | nindent 4 }}
type: Opaque
data:
privateKey: {{ .Values.signing.privateKey | b64enc }}
{{- end }}
{{- end }}
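Review bot: this template is the source of the breaking change the commit message cites: with `signing.enabled: true` and neither key value set, `fail` aborts rendering for every existing user of `.Values.signing`. When reintroducing it, either keep rendering when both values are empty (preserving the old behaviour) or ship it in a major release, and fix the message `Either specify signing.privateKey or signing.existingKey`, which names a value that does not exist; the condition right above it checks `signing.existingSecret`. Note also that `privateKey | b64enc` copies key material from values into the cluster twice, once in this Secret and once in the Helm release record, so the inline path should be documented as the less secure option.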

View File

@@ -6,11 +6,6 @@ metadata:
{{- include "gitea.labels" . | nindent 4 }} {{- include "gitea.labels" . | nindent 4 }}
type: Opaque type: Opaque
stringData: stringData:
configure_gpg_environment.sh: |-
#!/usr/bin/env bash
set -eu
gpg --batch --import /raw/private.asc
init_directory_structure.sh: |- init_directory_structure.sh: |-
#!/usr/bin/env bash #!/usr/bin/env bash
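Review bot: `gpg --batch --import /raw/private.asc` under `set -eu` is fine for an unprotected key, but a passphrase-protected key imports without error in batch mode and then cannot sign, because nothing in the pod can supply the passphrase; the failure only shows up later when Gitea tries to sign a commit. Either document that the key must not be passphrase-protected or fail this script early with a clear message when it is.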
@@ -40,14 +35,6 @@ stringData:
{{- end }} {{- end }}
chmod ug+rwx "${GITEA_TEMP}" chmod ug+rwx "${GITEA_TEMP}"
{{ if .Values.signing.enabled -}}
if [ ! -d "${GNUPGHOME}" ]; then
mkdir -p "${GNUPGHOME}"
chmod 700 "${GNUPGHOME}"
chown 1000:1000 "${GNUPGHOME}"
fi
{{- end }}
configure_gitea.sh: |- configure_gitea.sh: |-
#!/usr/bin/env bash #!/usr/bin/env bash
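Review bot: the `GNUPGHOME` block hard-codes `chown 1000:1000 "${GNUPGHOME}"` after `chmod 700`, while the `configure-gpg` init container in the statefulset only defaults `runAsUser` to 1000 and honours an override from `containerSecurityContext.runAsUser`. With a different UID the import runs against a mode-700 directory owned by someone else and gpg cannot create its keyring there. Derive the owner from the same value, or document that signing requires the containers to run as UID 1000.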

View File

@@ -59,10 +59,6 @@ spec:
{{- if .Values.statefulset.env }} {{- if .Values.statefulset.env }}
{{- toYaml .Values.statefulset.env | nindent 12 }} {{- toYaml .Values.statefulset.env | nindent 12 }}
{{- end }} {{- end }}
{{- if .Values.signing.enabled }}
- name: GNUPGHOME
value: {{ .Values.signing.gpgHome }}
{{- end }}
volumeMounts: volumeMounts:
- name: init - name: init
mountPath: /usr/sbin mountPath: /usr/sbin
@@ -114,36 +110,6 @@ spec:
{{- include "gitea.init-additional-mounts" . | nindent 12 }} {{- include "gitea.init-additional-mounts" . | nindent 12 }}
securityContext: securityContext:
{{- toYaml .Values.containerSecurityContext | nindent 12 }} {{- toYaml .Values.containerSecurityContext | nindent 12 }}
{{- if .Values.signing.enabled }}
- name: configure-gpg
image: "{{ include "gitea.image" . }}"
command: ["/usr/sbin/configure_gpg_environment.sh"]
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
{{- /* By default this container runs as user 1000 unless otherwise stated */ -}}
{{- $csc := deepCopy .Values.containerSecurityContext -}}
{{- if not (hasKey $csc "runAsUser") -}}
{{- $_ := set $csc "runAsUser" 1000 -}}
{{- end -}}
{{- toYaml $csc | nindent 12 }}
env:
- name: GNUPGHOME
value: {{ .Values.signing.gpgHome }}
volumeMounts:
- name: init
mountPath: /usr/sbin
- name: data
mountPath: /data
{{- if .Values.persistence.subPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
- name: gpg-private-key
mountPath: /raw
readOnly: true
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
{{- end }}
- name: configure-gitea - name: configure-gitea
image: "{{ include "gitea.image" . }}" image: "{{ include "gitea.image" . }}"
command: ["/usr/sbin/configure_gitea.sh"] command: ["/usr/sbin/configure_gitea.sh"]
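Review bot: the `configure-gpg` init container mounts the whole `data` volume plus every entry of `extraVolumeMounts`, although the import only needs `GNUPGHOME` and the read-only `/raw` secret; limiting the mount to the gpg home directory reduces what a mistake in the import script, or a compromised image, can reach. The `deepCopy`/`set` handling of `runAsUser` is correct, but the comment `By default this container runs as user 1000 unless otherwise stated` should mention that the default is coupled to the hard-coded `chown 1000:1000` in `init_directory_structure.sh`.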
@@ -339,15 +305,6 @@ spec:
{{- end }} {{- end }}
- name: temp - name: temp
emptyDir: {} emptyDir: {}
{{- if .Values.signing.enabled }}
- name: gpg-private-key
secret:
secretName: {{ include "gitea.gpg-key-secret-name" . }}
items:
- key: privateKey
path: private.asc
defaultMode: 0100
{{- end }}
{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }} {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
- name: data - name: data
persistentVolumeClaim: persistentVolumeClaim:
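Review bot: `defaultMode: 0100` on the `gpg-private-key` secret volume sets only the owner execute bit (YAML reads the value as octal), not a read bit, so `private.asc` is readable by the UID 1000 container only because the kubelet widens the mode with group read when the pod has an `fsGroup`. State the intent explicitly with `defaultMode: 0440` and rely on the pod `fsGroup` deliberately rather than on that adjustment of an execute-only mode.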

View File

@@ -1,13 +0,0 @@
suite: GPG secret template (signing disabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/gpg-secret.yaml
tests:
- it: renders nothing
set:
signing.enabled: false
asserts:
- hasDocuments:
count: 0

View File

@@ -1,40 +0,0 @@
suite: GPG secret template (signing enabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/gpg-secret.yaml
tests:
- it: fails rendering when nothing is configured
set:
signing:
enabled: true
asserts:
- failedTemplate:
errorMessage: Either specify `signing.privateKey` or `signing.existingKey`
- it: skips rendering using external secret reference
set:
signing:
enabled: true
existingSecret: "external-secret-reference"
asserts:
- hasDocuments:
count: 0
- it: renders secret specification using inline gpg key
set:
signing:
enabled: true
privateKey: "gpg-key-placeholder"
asserts:
- hasDocuments:
count: 1
- documentIndex: 0
containsDocument:
kind: Secret
apiVersion: v1
name: gitea-unittests-gpg-key
- isNotEmpty:
path: metadata.labels
- equal:
path: data.privateKey
value: "Z3BnLWtleS1wbGFjZWhvbGRlcg=="
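Review bot: the `fails rendering when nothing is configured` case asserts the exact text `Either specify signing.privateKey or signing.existingKey`, so the suite pins the wrong parameter name (the template checks `signing.existingSecret`) and has to change together with the fix; assert on the corrected message when the suite returns. The inline-key case comparing `data.privateKey` with the base64 form of `gpg-key-placeholder` is a useful guard that the key is encoded exactly once and should be kept.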

View File

@@ -1,15 +0,0 @@
suite: Init template (basic)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/init.yaml
tests:
- it: renders a secret
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: Secret
apiVersion: v1
name: gitea-unittests-init

View File

@@ -1,64 +0,0 @@
suite: Init template
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/init.yaml
tests:
- it: runs gpg in batch mode
set:
signing.enabled: true
asserts:
- equal:
path: stringData.[configure_gpg_environment.sh]
value: |-
#!/usr/bin/env bash
set -eu
gpg --batch --import /raw/private.asc
- it: skips gpg script block for disabled signing
asserts:
- equal:
path: stringData.[init_directory_structure.sh]
value: |-
#!/usr/bin/env bash
set -euo pipefail
set -x
chown 1000:1000 /data
mkdir -p /data/git/.ssh
chmod -R 700 /data/git/.ssh
[ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
# prepare temp directory structure
mkdir -p "${GITEA_TEMP}"
chown 1000:1000 "${GITEA_TEMP}"
chmod ug+rwx "${GITEA_TEMP}"
- it: adds gpg script block for enabled signing
set:
signing.enabled: true
asserts:
- equal:
path: stringData.[init_directory_structure.sh]
value: |-
#!/usr/bin/env bash
set -euo pipefail
set -x
chown 1000:1000 /data
mkdir -p /data/git/.ssh
chmod -R 700 /data/git/.ssh
[ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf
# prepare temp directory structure
mkdir -p "${GITEA_TEMP}"
chown 1000:1000 "${GITEA_TEMP}"
chmod ug+rwx "${GITEA_TEMP}"
if [ ! -d "${GNUPGHOME}" ]; then
mkdir -p "${GNUPGHOME}"
chmod 700 "${GNUPGHOME}"
chown 1000:1000 "${GNUPGHOME}"
fi

View File

@@ -1,17 +0,0 @@
suite: Statefulset template (basic)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/statefulset.yaml
- templates/gitea/config.yaml
tests:
- it: renders a statefulset
template: templates/gitea/statefulset.yaml
asserts:
- hasDocuments:
count: 1
- containsDocument:
kind: StatefulSet
apiVersion: apps/v1
name: gitea-unittests

View File

@@ -1,40 +0,0 @@
suite: Statefulset template (signing disabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/statefulset.yaml
- templates/gitea/config.yaml
tests:
- it: skips gpg init container
template: templates/gitea/statefulset.yaml
asserts:
- notContains:
path: spec.template.spec.initContainers
any: true
content:
name: configure-gpg
- it: skips gpg env in `init-directories` init container
template: templates/gitea/statefulset.yaml
set:
signing.enabled: true
asserts:
- contains:
path: spec.template.spec.initContainers[0].env
content:
name: GNUPGHOME
value: /data/git/.gnupg
- it: skips gpg env in runtime container
template: templates/gitea/statefulset.yaml
asserts:
- notContains:
path: spec.template.spec.containers[0].env
content:
name: GNUPGHOME
- it: skips gpg volume spec
template: templates/gitea/statefulset.yaml
asserts:
- notContains:
path: spec.template.spec.volumes
content:
name: gpg-private-key
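Review bot: in this `signing disabled` suite the case `skips gpg env in init-directories init container` sets `signing.enabled: true` and asserts with `contains` that `GNUPGHOME` is present, which contradicts both its name and the suite and duplicates `adds gpg env in init-directories init container` from the enabled suite. When the suites are restored, drop the `set` and make it a `notContains`, so the disabled path is actually covered.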

View File

@@ -1,93 +0,0 @@
suite: Statefulset template (signing enabled)
release:
name: gitea-unittests
namespace: testing
templates:
- templates/gitea/statefulset.yaml
- templates/gitea/config.yaml
tests:
- it: adds gpg init container
template: templates/gitea/statefulset.yaml
set:
signing:
enabled: true
existingSecret: "custom-gpg-secret"
asserts:
- equal:
path: spec.template.spec.initContainers[2].name
value: configure-gpg
- equal:
path: spec.template.spec.initContainers[2].command
value: ["/usr/sbin/configure_gpg_environment.sh"]
- equal:
path: spec.template.spec.initContainers[2].securityContext
value:
runAsUser: 1000
- equal:
path: spec.template.spec.initContainers[2].env
value:
- name: GNUPGHOME
value: /data/git/.gnupg
- equal:
path: spec.template.spec.initContainers[2].volumeMounts
value:
- name: init
mountPath: /usr/sbin
- name: data
mountPath: /data
- name: gpg-private-key
mountPath: /raw
readOnly: true
- it: adds gpg env in `init-directories` init container
template: templates/gitea/statefulset.yaml
set:
signing.enabled: true
asserts:
- contains:
path: spec.template.spec.initContainers[0].env
content:
name: GNUPGHOME
value: /data/git/.gnupg
- it: adds gpg env in runtime container
template: templates/gitea/statefulset.yaml
set:
signing.enabled: true
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: GNUPGHOME
value: /data/git/.gnupg
- it: adds gpg volume spec
template: templates/gitea/statefulset.yaml
set:
signing:
enabled: true
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: gpg-private-key
secret:
secretName: gitea-unittests-gpg-key
items:
- key: privateKey
path: private.asc
defaultMode: 0100
- it: supports gpg volume spec with external reference
template: templates/gitea/statefulset.yaml
set:
signing:
enabled: true
existingSecret: custom-gpg-secret
asserts:
- contains:
path: spec.template.spec.volumes
content:
name: gpg-private-key
secret:
secretName: custom-gpg-secret
items:
- key: privateKey
path: private.asc
defaultMode: 0100
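Review bot: the `adds gpg init container` case addresses the container as `initContainers[2]`, so any reordering or an additional init container breaks the assertions without any behaviour change; asserting with `contains` on the entry named `configure-gpg`, as the disabled suite already does, is more robust. The `securityContext` assertion expecting exactly `runAsUser: 1000` also encodes the hard-coded UID the init script assumes, so a change to that default will have to touch both places.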

View File

@@ -253,17 +253,9 @@ initPreScript: ""
# #
## @param signing.enabled Enable commit/action signing ## @param signing.enabled Enable commit/action signing
## @param signing.gpgHome GPG home directory ## @param signing.gpgHome GPG home directory
## @param signing.privateKey Inline private gpg key for signed Gitea actions
## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey`
signing: signing:
enabled: false enabled: false
gpgHome: /data/git/.gnupg gpgHome: /data/git/.gnupg
privateKey: ""
# privateKey: |-
# -----BEGIN PGP PRIVATE KEY BLOCK-----
# ...
# -----END PGP PRIVATE KEY BLOCK-----
existingSecret: ""
## @section Gitea ## @section Gitea
# #
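Review bot: the removed `signing.privateKey` accepts a PGP private key inline in values, and anyone who follows the commented example ends up with key material in `values.yaml` (and therefore often in git) and in the Helm release secret, where `helm get values` reveals it. When reinstating, keep `existingSecret` as the documented path and mark `privateKey` as suitable for testing only, and reword the `@param signing.existingSecret` description, which currently says the secret is used `to store the value of signing.privateKey` although the chart only reads the `privateKey` entry from it.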