diff --git a/.drone.yml b/.drone.yml index b9365c4..d0244e3 100644 --- a/.drone.yml +++ b/.drone.yml @@ -23,15 +23,6 @@ steps: - helm dependency update - helm template --debug gitea-helm . -- name: helm unittests - pull: always - image: alpine:3.16 - commands: - - apk add --no-cache -X http://dl-cdn.alpinelinux.org/alpine/edge/testing make helm git bash - - helm plugin install https://github.com/heyhabito/helm-unittest - - helm dependency update - - make unittests - - name: verify readme pull: always image: alpine:3.16 diff --git a/.gitignore b/.gitignore index 10261af..22b7fa6 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,3 @@ charts/ node_modules/ .DS_Store -unittests/*/__snapshot__/ diff --git a/.helmignore b/.helmignore index 048126d..a8cc816 100644 --- a/.helmignore +++ b/.helmignore @@ -25,4 +25,3 @@ node_modules/ package.json package-lock.json .gitea/ -unittests/ diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 78f77d9..d06973c 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -50,13 +50,3 @@ be used: forwarded first from `minikube` to localhost first via `kubectl --namespace default port-forward svc/gitea-http 3000:3000`. Now Gitea is accessible at [http://localhost:3000](http://localhost:3000). - -### Unit tests - -```bash -# install the unittest plugin -$ helm plugin install https://github.com/heyhabito/helm-unittest - -# run the unittests -make unittests -``` diff --git a/Makefile b/Makefile index 2b61849..720a657 100644 --- a/Makefile +++ b/Makefile @@ -6,7 +6,3 @@ prepare-environment: readme: prepare-environment npm run readme:parameters npm run readme:lint - -.PHONY: unittests -unittests: - helm unittest --helm3 --strict -f 'unittests/**/*.yaml' ./ diff --git a/README.md b/README.md index d7eaa66..2fc73f7 100644 --- a/README.md +++ b/README.md @@ -41,6 +41,24 @@ of this document for major and breaking changes. - Helm 3.0+ - PV provisioner for persistent data support +## Configure Commit Signing + +When using the rootless image the gpg key folder was is not persistent by +default. If you consider using signed commits for internal Gitea activities +(e.g. initial commit), you'd need to provide a signing key. Prior to +[PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be +re-imported once the container got replaced by another. + +The mentioned PR introduced a new configuration object `signing` allowing you to +configure prerequisites for commit signing. By default this section is disabled +to maintain backwards compatibility. + +```yaml +signing: + enabled: false + gpgHome: /data/git/.gnupg +``` + ## Examples ### Gitea Configuration @@ -507,49 +525,6 @@ gitea: ... ``` -## Configure commit signing - -When using the rootless image the gpg key folder is not persistent by -default. If you consider using signed commits for internal Gitea activities -(e.g. initial commit), you'd need to provide a signing key. Prior to -[PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be -re-imported once the container got replaced by another. - -The mentioned PR introduced a new configuration object `signing` allowing you to -configure prerequisites for commit signing. By default this section is disabled -to maintain backwards compatibility. - -```yaml -signing: - enabled: false - gpgHome: /data/git/.gnupg -``` - -Regardless of the used container image the `signing` object allows to specify a -private gpg key. Either using the `signing.privateKey` to define the key inline, -or refer to an existing secret containing the key data by using `signing.existingKey`. - -```yaml -apiVersion: v1 -kind: Secret -metadata: - name: custom-gitea-gpg-key -type: Opaque -stringData: - privateKey: |- - -----BEGIN PGP PRIVATE KEY BLOCK----- - ... - -----END PGP PRIVATE KEY BLOCK----- -``` - -```yaml -signing: - existingSecret: custom-gitea-gpg-key -``` - -To use the gpg key, Gitea needs to be configured accordingly. A detailed description -can be found in the [official Gitea documentation](https://docs.gitea.io/en-us/signing/#general-configuration). - ### Metrics and profiling A Prometheus `/metrics` endpoint on the `HTTP_PORT` and `pprof` profiling @@ -694,12 +669,10 @@ gitea: ### Signing -| Name | Description | Value | -| ------------------------ | ----------------------------------------------------------------- | ------------------ | -| `signing.enabled` | Enable commit/action signing | `false` | -| `signing.gpgHome` | GPG home directory | `/data/git/.gnupg` | -| `signing.privateKey` | Inline private gpg key for signed Gitea actions | `""` | -| `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""` | +| Name | Description | Value | +| ----------------- | ---------------------------- | ------------------ | +| `signing.enabled` | Enable commit/action signing | `false` | +| `signing.gpgHome` | GPG home directory | `/data/git/.gnupg` | ### Gitea diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 5bdcca9..0e481e0 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -331,7 +331,3 @@ https {{- toYaml .Values.extraVolumeMounts -}} {{- end -}} {{- end -}} - -{{- define "gitea.gpg-key-secret-name" -}} -{{ default (printf "%s-gpg-key" (include "gitea.fullname" .)) .Values.signing.existingSecret }} -{{- end -}} diff --git a/templates/gitea/gpg-secret.yaml b/templates/gitea/gpg-secret.yaml deleted file mode 100644 index 29b6d4f..0000000 --- a/templates/gitea/gpg-secret.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if .Values.signing.enabled -}} -{{- if and (empty .Values.signing.privateKey) (empty .Values.signing.existingSecret) -}} - {{- fail "Either specify `signing.privateKey` or `signing.existingKey`" -}} -{{- end }} -{{- if and (not (empty .Values.signing.privateKey)) (empty .Values.signing.existingSecret) -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "gitea.gpg-key-secret-name" . }} - labels: - {{- include "gitea.labels" . | nindent 4 }} -type: Opaque -data: - privateKey: {{ .Values.signing.privateKey | b64enc }} -{{- end }} -{{- end }} diff --git a/templates/gitea/init.yaml b/templates/gitea/init.yaml index 838460b..8ea3aa9 100644 --- a/templates/gitea/init.yaml +++ b/templates/gitea/init.yaml @@ -6,11 +6,6 @@ metadata: {{- include "gitea.labels" . | nindent 4 }} type: Opaque stringData: - configure_gpg_environment.sh: |- - #!/usr/bin/env bash - set -eu - - gpg --batch --import /raw/private.asc init_directory_structure.sh: |- #!/usr/bin/env bash @@ -40,14 +35,6 @@ stringData: {{- end }} chmod ug+rwx "${GITEA_TEMP}" - {{ if .Values.signing.enabled -}} - if [ ! -d "${GNUPGHOME}" ]; then - mkdir -p "${GNUPGHOME}" - chmod 700 "${GNUPGHOME}" - chown 1000:1000 "${GNUPGHOME}" - fi - {{- end }} - configure_gitea.sh: |- #!/usr/bin/env bash diff --git a/templates/gitea/statefulset.yaml b/templates/gitea/statefulset.yaml index ce6f550..ed9a887 100644 --- a/templates/gitea/statefulset.yaml +++ b/templates/gitea/statefulset.yaml @@ -59,10 +59,6 @@ spec: {{- if .Values.statefulset.env }} {{- toYaml .Values.statefulset.env | nindent 12 }} {{- end }} - {{- if .Values.signing.enabled }} - - name: GNUPGHOME - value: {{ .Values.signing.gpgHome }} - {{- end }} volumeMounts: - name: init mountPath: /usr/sbin @@ -114,36 +110,6 @@ spec: {{- include "gitea.init-additional-mounts" . | nindent 12 }} securityContext: {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- if .Values.signing.enabled }} - - name: configure-gpg - image: "{{ include "gitea.image" . }}" - command: ["/usr/sbin/configure_gpg_environment.sh"] - imagePullPolicy: {{ .Values.image.pullPolicy }} - securityContext: - {{- /* By default this container runs as user 1000 unless otherwise stated */ -}} - {{- $csc := deepCopy .Values.containerSecurityContext -}} - {{- if not (hasKey $csc "runAsUser") -}} - {{- $_ := set $csc "runAsUser" 1000 -}} - {{- end -}} - {{- toYaml $csc | nindent 12 }} - env: - - name: GNUPGHOME - value: {{ .Values.signing.gpgHome }} - volumeMounts: - - name: init - mountPath: /usr/sbin - - name: data - mountPath: /data - {{- if .Values.persistence.subPath }} - subPath: {{ .Values.persistence.subPath }} - {{- end }} - - name: gpg-private-key - mountPath: /raw - readOnly: true - {{- if .Values.extraVolumeMounts }} - {{- toYaml .Values.extraVolumeMounts | nindent 12 }} - {{- end }} - {{- end }} - name: configure-gitea image: "{{ include "gitea.image" . }}" command: ["/usr/sbin/configure_gitea.sh"] @@ -339,15 +305,6 @@ spec: {{- end }} - name: temp emptyDir: {} - {{- if .Values.signing.enabled }} - - name: gpg-private-key - secret: - secretName: {{ include "gitea.gpg-key-secret-name" . }} - items: - - key: privateKey - path: private.asc - defaultMode: 0100 - {{- end }} {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }} - name: data persistentVolumeClaim: diff --git a/unittests/gpg-secret/signing-disabled.yaml b/unittests/gpg-secret/signing-disabled.yaml deleted file mode 100644 index 3b1aba4..0000000 --- a/unittests/gpg-secret/signing-disabled.yaml +++ /dev/null @@ -1,13 +0,0 @@ -suite: GPG secret template (signing disabled) -release: - name: gitea-unittests - namespace: testing -templates: - - templates/gitea/gpg-secret.yaml -tests: - - it: renders nothing - set: - signing.enabled: false - asserts: - - hasDocuments: - count: 0 diff --git a/unittests/gpg-secret/signing-enabled.yaml b/unittests/gpg-secret/signing-enabled.yaml deleted file mode 100644 index 3c742e9..0000000 --- a/unittests/gpg-secret/signing-enabled.yaml +++ /dev/null @@ -1,40 +0,0 @@ -suite: GPG secret template (signing enabled) -release: - name: gitea-unittests - namespace: testing -templates: - - templates/gitea/gpg-secret.yaml -tests: - - it: fails rendering when nothing is configured - set: - signing: - enabled: true - asserts: - - failedTemplate: - errorMessage: Either specify `signing.privateKey` or `signing.existingKey` - - it: skips rendering using external secret reference - set: - signing: - enabled: true - existingSecret: "external-secret-reference" - asserts: - - hasDocuments: - count: 0 - - it: renders secret specification using inline gpg key - set: - signing: - enabled: true - privateKey: "gpg-key-placeholder" - asserts: - - hasDocuments: - count: 1 - - documentIndex: 0 - containsDocument: - kind: Secret - apiVersion: v1 - name: gitea-unittests-gpg-key - - isNotEmpty: - path: metadata.labels - - equal: - path: data.privateKey - value: "Z3BnLWtleS1wbGFjZWhvbGRlcg==" diff --git a/unittests/init/basic.yaml b/unittests/init/basic.yaml deleted file mode 100644 index f2b746e..0000000 --- a/unittests/init/basic.yaml +++ /dev/null @@ -1,15 +0,0 @@ -suite: Init template (basic) -release: - name: gitea-unittests - namespace: testing -templates: - - templates/gitea/init.yaml -tests: - - it: renders a secret - asserts: - - hasDocuments: - count: 1 - - containsDocument: - kind: Secret - apiVersion: v1 - name: gitea-unittests-init diff --git a/unittests/init/init_directory_structure.sh.yaml b/unittests/init/init_directory_structure.sh.yaml deleted file mode 100644 index 7be2336..0000000 --- a/unittests/init/init_directory_structure.sh.yaml +++ /dev/null @@ -1,64 +0,0 @@ -suite: Init template -release: - name: gitea-unittests - namespace: testing -templates: - - templates/gitea/init.yaml -tests: - - it: runs gpg in batch mode - set: - signing.enabled: true - asserts: - - equal: - path: stringData.[configure_gpg_environment.sh] - value: |- - #!/usr/bin/env bash - set -eu - - gpg --batch --import /raw/private.asc - - it: skips gpg script block for disabled signing - asserts: - - equal: - path: stringData.[init_directory_structure.sh] - value: |- - #!/usr/bin/env bash - - set -euo pipefail - - set -x - chown 1000:1000 /data - mkdir -p /data/git/.ssh - chmod -R 700 /data/git/.ssh - [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf - - # prepare temp directory structure - mkdir -p "${GITEA_TEMP}" - chown 1000:1000 "${GITEA_TEMP}" - chmod ug+rwx "${GITEA_TEMP}" - - it: adds gpg script block for enabled signing - set: - signing.enabled: true - asserts: - - equal: - path: stringData.[init_directory_structure.sh] - value: |- - #!/usr/bin/env bash - - set -euo pipefail - - set -x - chown 1000:1000 /data - mkdir -p /data/git/.ssh - chmod -R 700 /data/git/.ssh - [ ! -d /data/gitea/conf ] && mkdir -p /data/gitea/conf - - # prepare temp directory structure - mkdir -p "${GITEA_TEMP}" - chown 1000:1000 "${GITEA_TEMP}" - chmod ug+rwx "${GITEA_TEMP}" - - if [ ! -d "${GNUPGHOME}" ]; then - mkdir -p "${GNUPGHOME}" - chmod 700 "${GNUPGHOME}" - chown 1000:1000 "${GNUPGHOME}" - fi diff --git a/unittests/statefulset/basic.yaml b/unittests/statefulset/basic.yaml deleted file mode 100644 index 00fb684..0000000 --- a/unittests/statefulset/basic.yaml +++ /dev/null @@ -1,17 +0,0 @@ -suite: Statefulset template (basic) -release: - name: gitea-unittests - namespace: testing -templates: - - templates/gitea/statefulset.yaml - - templates/gitea/config.yaml -tests: - - it: renders a statefulset - template: templates/gitea/statefulset.yaml - asserts: - - hasDocuments: - count: 1 - - containsDocument: - kind: StatefulSet - apiVersion: apps/v1 - name: gitea-unittests diff --git a/unittests/statefulset/signing-disabled.yaml b/unittests/statefulset/signing-disabled.yaml deleted file mode 100644 index 4f9f2ce..0000000 --- a/unittests/statefulset/signing-disabled.yaml +++ /dev/null @@ -1,40 +0,0 @@ -suite: Statefulset template (signing disabled) -release: - name: gitea-unittests - namespace: testing -templates: - - templates/gitea/statefulset.yaml - - templates/gitea/config.yaml -tests: - - it: skips gpg init container - template: templates/gitea/statefulset.yaml - asserts: - - notContains: - path: spec.template.spec.initContainers - any: true - content: - name: configure-gpg - - it: skips gpg env in `init-directories` init container - template: templates/gitea/statefulset.yaml - set: - signing.enabled: true - asserts: - - contains: - path: spec.template.spec.initContainers[0].env - content: - name: GNUPGHOME - value: /data/git/.gnupg - - it: skips gpg env in runtime container - template: templates/gitea/statefulset.yaml - asserts: - - notContains: - path: spec.template.spec.containers[0].env - content: - name: GNUPGHOME - - it: skips gpg volume spec - template: templates/gitea/statefulset.yaml - asserts: - - notContains: - path: spec.template.spec.volumes - content: - name: gpg-private-key diff --git a/unittests/statefulset/signing-enabled.yaml b/unittests/statefulset/signing-enabled.yaml deleted file mode 100644 index ecb237f..0000000 --- a/unittests/statefulset/signing-enabled.yaml +++ /dev/null @@ -1,93 +0,0 @@ -suite: Statefulset template (signing enabled) -release: - name: gitea-unittests - namespace: testing -templates: - - templates/gitea/statefulset.yaml - - templates/gitea/config.yaml -tests: - - it: adds gpg init container - template: templates/gitea/statefulset.yaml - set: - signing: - enabled: true - existingSecret: "custom-gpg-secret" - asserts: - - equal: - path: spec.template.spec.initContainers[2].name - value: configure-gpg - - equal: - path: spec.template.spec.initContainers[2].command - value: ["/usr/sbin/configure_gpg_environment.sh"] - - equal: - path: spec.template.spec.initContainers[2].securityContext - value: - runAsUser: 1000 - - equal: - path: spec.template.spec.initContainers[2].env - value: - - name: GNUPGHOME - value: /data/git/.gnupg - - equal: - path: spec.template.spec.initContainers[2].volumeMounts - value: - - name: init - mountPath: /usr/sbin - - name: data - mountPath: /data - - name: gpg-private-key - mountPath: /raw - readOnly: true - - it: adds gpg env in `init-directories` init container - template: templates/gitea/statefulset.yaml - set: - signing.enabled: true - asserts: - - contains: - path: spec.template.spec.initContainers[0].env - content: - name: GNUPGHOME - value: /data/git/.gnupg - - it: adds gpg env in runtime container - template: templates/gitea/statefulset.yaml - set: - signing.enabled: true - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: GNUPGHOME - value: /data/git/.gnupg - - it: adds gpg volume spec - template: templates/gitea/statefulset.yaml - set: - signing: - enabled: true - asserts: - - contains: - path: spec.template.spec.volumes - content: - name: gpg-private-key - secret: - secretName: gitea-unittests-gpg-key - items: - - key: privateKey - path: private.asc - defaultMode: 0100 - - it: supports gpg volume spec with external reference - template: templates/gitea/statefulset.yaml - set: - signing: - enabled: true - existingSecret: custom-gpg-secret - asserts: - - contains: - path: spec.template.spec.volumes - content: - name: gpg-private-key - secret: - secretName: custom-gpg-secret - items: - - key: privateKey - path: private.asc - defaultMode: 0100 diff --git a/values.yaml b/values.yaml index 5958d24..bd8c4d0 100644 --- a/values.yaml +++ b/values.yaml @@ -253,17 +253,9 @@ initPreScript: "" # ## @param signing.enabled Enable commit/action signing ## @param signing.gpgHome GPG home directory -## @param signing.privateKey Inline private gpg key for signed Gitea actions -## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey` signing: enabled: false gpgHome: /data/git/.gnupg - privateKey: "" - # privateKey: |- - # -----BEGIN PGP PRIVATE KEY BLOCK----- - # ... - # -----END PGP PRIVATE KEY BLOCK----- - existingSecret: "" ## @section Gitea #