From 7e9f9fbe986b3d61524eab29cbc46679b6fc748f Mon Sep 17 00:00:00 2001 From: Nijat Mahmudov Date: Sat, 22 Feb 2020 12:19:14 +0400 Subject: [PATCH 1/3] fix(charts): Added missing flag --- chart/flux/templates/deployment.yaml | 1 + chart/flux/values.yaml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/chart/flux/templates/deployment.yaml b/chart/flux/templates/deployment.yaml index 103693970..2500a375f 100644 --- a/chart/flux/templates/deployment.yaml +++ b/chart/flux/templates/deployment.yaml @@ -216,6 +216,7 @@ spec: {{- end }} - --git-verify-signatures={{ .Values.git.verifySignatures }} - --git-set-author={{ .Values.git.setAuthor }} + - --git-secret={{ .Values.git.secret.enabled }} - --git-poll-interval={{ .Values.git.pollInterval }} - --git-timeout={{ .Values.git.timeout }} - --sync-interval={{ .Values.sync.interval | default .Values.git.pollInterval }} diff --git a/chart/flux/values.yaml b/chart/flux/values.yaml index 8b02133e3..23331bbb5 100644 --- a/chart/flux/values.yaml +++ b/chart/flux/values.yaml @@ -127,6 +127,9 @@ git: # 4. Add ./identity.pub as a deployment key with write access in your Git repo # 5. Set the secret name (flux-ssh) below secretName: "" + # Sets --git-secret flag + secret: + enabled: false # Global Git configuration See https://git-scm.com/docs/git-config for more details. config: enabled: false From 3ebaac1827374dffffeb9d9c7d2ed1e96a94a710 Mon Sep 17 00:00:00 2001 From: Nijat Mahmudov Date: Sat, 22 Feb 2020 13:03:02 +0400 Subject: [PATCH 2/3] docs(git-secret): Missing flag added to docs --- chart/flux/README.md | 1 + docs/references/daemon.md | 1 + 2 files changed, 2 insertions(+) diff --git a/chart/flux/README.md b/chart/flux/README.md index 9c76dfaaf..960c9dcd6 100755 --- a/chart/flux/README.md +++ b/chart/flux/README.md 
@@ -225,6 +225,7 @@ The following tables lists the configurable parameters of the Flux chart and the | `git.pollInterval` | `5m` | Period at which to poll git repo for new commits | `git.timeout` | `20s` | Duration after which git operations time out | `git.secretName` | `None` | Kubernetes secret with the SSH private key. Superseded by `helmOperator.git.secretName` if set. +| `git.secret.enabled` | `false` | If is set to true and a .gitsecret directory exist in the root of the git, flux will execute a "git secret reveal -f" in the working git. | `git.config.enabled` | `false` | Mount `$HOME/.gitconfig` via Secret into the Flux and HelmOperator Pods, allowing for custom global Git configuration | `git.config.secretName` | `Computed` | Kubernetes secret with the global Git configuration | `git.config.data` | `None` | Global Git configuration per [git-config](https://git-scm.com/docs/git-config) diff --git a/docs/references/daemon.md b/docs/references/daemon.md index cc7e67e63..b7b1de55d 100644 --- a/docs/references/daemon.md +++ b/docs/references/daemon.md 
@@ -52,6 +52,7 @@ Version controlling of cluster manifests provides reproducibility and a historic | --git-set-author | false | if set, the author of git commits will reflect the user who initiated the commit and will differ from the git committer | --git-gpg-key-import | | if set, fluxd will attempt to import the gpg key(s) found on the given path | --git-signing-key | | if set, commits made by fluxd to the user git repo will be signed with the provided GPG key. +| --git-secret | | if set to true and a .gitsecret directory exist in the root of the git, flux will execute a "git secret reveal -f" in the working git. | --git-label | | label to keep track of sync progress; overrides both --git-sync-tag and --git-notes-ref | --git-sync-tag | `flux-sync` | tag to use to mark sync progress for this cluster (old config, still used if --git-label is not supplied) | --git-notes-ref | `flux` | ref to use for keeping commit annotations in git notes From 3cfa740c6614cf48228d1be6eb44f5f4a7f5f640 Mon Sep 17 00:00:00 2001 From: Nijat Date: Mon, 24 Feb 2020 19:00:58 +0400 Subject: [PATCH 3/3] chore: applied suggested changes --- chart/flux/README.md | 2 +- chart/flux/templates/deployment.yaml | 4 +++- chart/flux/values.yaml | 5 ++++- docs/references/daemon.md | 2 +- 4 files changed, 9 insertions(+), 4 deletions(-) diff --git a/chart/flux/README.md b/chart/flux/README.md index 960c9dcd6..85bf7b855 100755 --- a/chart/flux/README.md +++ b/chart/flux/README.md 
@@ -225,7 +225,7 @@ The following tables lists the configurable parameters of the Flux chart and the | `git.pollInterval` | `5m` | Period at which to poll git repo for new commits | `git.timeout` | `20s` | Duration after which git operations time out | `git.secretName` | `None` | Kubernetes secret with the SSH private key. Superseded by `helmOperator.git.secretName` if set. -| `git.secret.enabled` | `false` | If is set to true and a .gitsecret directory exist in the root of the git, flux will execute a "git secret reveal -f" in the working git. +| `git.secret.enabled` | `false` | If set and a `.gitsecret` directory exist in the root of the git repository, Flux will execute a `git secret reveal -f` in the working clone before performing any operations | `git.config.enabled` | `false` | Mount `$HOME/.gitconfig` via Secret into the Flux and HelmOperator Pods, allowing for custom global Git configuration | `git.config.secretName` | `Computed` | Kubernetes secret with the global Git configuration | `git.config.data` | `None` | Global Git configuration per [git-config](https://git-scm.com/docs/git-config) diff --git a/chart/flux/templates/deployment.yaml b/chart/flux/templates/deployment.yaml index 2500a375f..1a2432ba6 100644 --- a/chart/flux/templates/deployment.yaml +++ b/chart/flux/templates/deployment.yaml @@ -216,7 +216,9 @@ spec: {{- end }} - --git-verify-signatures={{ .Values.git.verifySignatures }} - --git-set-author={{ .Values.git.setAuthor }} - - --git-secret={{ .Values.git.secret.enabled }} + {{- if .Values.git.secret.enabled }} + - --git-secret + {{- end }} - --git-poll-interval={{ .Values.git.pollInterval }} - --git-timeout={{ .Values.git.timeout }} - --sync-interval={{ .Values.sync.interval | default .Values.git.pollInterval }} diff --git a/chart/flux/values.yaml b/chart/flux/values.yaml index 23331bbb5..63fd265b3 100644 --- a/chart/flux/values.yaml +++ b/chart/flux/values.yaml 
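Review bot: The new `{{- if .Values.git.secret.enabled }}` guard in deployment.yaml emits `--git-secret` without checking that a GPG private key is configured, although the values.yaml comment in this same patch says the paired secret key must be imported via `gpgKeys.secretName`. With the flag on and no key, the decryption step would presumably fail only at sync time inside the pod, which is harder to diagnose than a failed install. Consider a render-time check next to the flag, e.g. `{{- if and .Values.git.secret.enabled (not .Values.gpgKeys.secretName) }}{{ fail "git.secret.enabled requires gpgKeys.secretName" }}{{- end }}`. The container args list this hunk edits starts and ends outside the hunk.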
@@ -127,7 +127,10 @@ git: # 4. Add ./identity.pub as a deployment key with write access in your Git repo # 5. Set the secret name (flux-ssh) below secretName: "" - # Sets --git-secret flag + # Enables `git-secret` support, as this makes use of known GPG keys + # you will need to have imported the paired secret-key with one of + # the public-keys which were used in the encryption using + # `gpgKeys.secretName`. secret: enabled: false # Global Git configuration See https://git-scm.com/docs/git-config for more details. diff --git a/docs/references/daemon.md b/docs/references/daemon.md index b7b1de55d..2dadbd1a6 100644 --- a/docs/references/daemon.md +++ b/docs/references/daemon.md @@ -52,7 +52,7 @@ Version controlling of cluster manifests provides reproducibility and a historic | --git-set-author | false | if set, the author of git commits will reflect the user who initiated the commit and will differ from the git committer | --git-gpg-key-import | | if set, fluxd will attempt to import the gpg key(s) found on the given path | --git-signing-key | | if set, commits made by fluxd to the user git repo will be signed with the provided GPG key. -| --git-secret | | if set to true and a .gitsecret directory exist in the root of the git, flux will execute a "git secret reveal -f" in the working git. +| --git-secret | | if set and a `.gitsecret` directory exist in the root of the git repository, Flux will execute a `git secret reveal -f` in the working clone before performing any operations | --git-label | | label to keep track of sync progress; overrides both --git-sync-tag and --git-notes-ref | --git-sync-tag | `flux-sync` | tag to use to mark sync progress for this cluster (old config, still used if --git-label is not supplied) | --git-notes-ref | `flux` | ref to use for keeping commit annotations in git notes
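Review bot: The rewritten comment above `secret:` in values.yaml explains the key prerequisite but not what enabling the option does. Per the README row in this patch, Flux runs `git secret reveal -f` in its working clone, so the decrypted files then sit as plaintext inside the Flux container. I would add a line such as `# Decrypted files are written to Flux's working clone; restrict exec and read access to the Flux pod accordingly.` The existing sentence would also read better split in two, e.g. `# Enables git-secret support. The private key paired with one of the public keys used for encryption must be imported via gpgKeys.secretName.` The `git:` mapping continues outside the hunk.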