
docs: adding support for privateKey sample

Open roe-pinhas opened this issue 4 years ago • 7 comments

Hello,

I'm having trouble adding my custom private key to the container. My setup:

secrets:
  GITHUB_COM_TOKEN: "TOKEN"
  RENOVATE_PLATFORM: "gitlab"
  RENOVATE_TOKEN: "TOKEN"

extraVolumes:
  - name: private-key
    hostPath:
      path: /path/to/renovate/renovate-private-key.asc

extraVolumeMounts:
  - name: private-key
    mountPath: /tmp/renovate-private-key.asc

renovate:
  config: |
    {
      "platform": "gitlab",
      "endpoint": "https://gitlab.example.com/api/v4",
      "onboarding": true,
      "token": "TOKEN",
      "autodiscover": "false",
      "printConfig": true,
      "privateKeyPath": "/tmp/renovate-private-key.asc",
      "logLevel": "trace",
      "updateInternalDeps": true,
      "onboardingConfig": {
        "extends": [
          "local>gitlab/project/renovate-config"
        ]
      },
      "repositories": [
        "my-repo-test"
      ]
    }

While this solution works on my local machine, I cannot deploy it on our live cluster since I would need to upload the private key to all the nodes, and that's not secure/scalable.

So far I've tried these options: adding the private key to the secrets section, replacing newlines with \n characters for each line:

secrets:
  RENOVATE_PRIVATE_KEY: "-----BEGIN PGP PRIVATE KEY BLOCK-----\n......"

I also tried to add it without the \n and it also isn't working.

In both cases the error printed was: "error": { "validationError": "Failed to decrypt field npmrc. Please re-encrypt and try again.", "message": "config-validation",

What is the best approach here to add the private key?

roe-pinhas avatar Nov 09 '21 10:11 roe-pinhas

Make sure the key isn't protected by a passphrase.

  • https://github.com/renovatebot/renovate/issues/12566

viceice avatar Nov 09 '21 11:11 viceice

You should add the private key to a Kubernetes secret and mount it as a file or environment variable.

viceice avatar Nov 09 '21 11:11 viceice

@viceice Thanks for the reply. It's not protected by a passphrase, and indeed it's working if I mount it as a file using the volumeMounts. However, the current chart doesn't support adding the file as a secret file; instead it's only supported to add the file as an environment variable. When I've attempted to do it like this it failed (I assume the issue is with the format of the file vs the env var). Adding out-of-the-box support for this specific file can help make the chart ready for a secure self-hosted solution. What do you think?

roe-pinhas avatar Nov 09 '21 14:11 roe-pinhas

You should manually create a Kubernetes secret and reference it from extraVolumes:

extraVolumes:
  - name: private-key
    secret:
      secretName: renovate-private-key

viceice avatar Nov 09 '21 14:11 viceice
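A worked example of the approach viceice describes, added here and not part of the chart or this thread: a small POSIX shell script that turns a key file into a Secret manifest (the same object `kubectl create secret generic ... --from-file` would create) and emits the matching chart values. The secret name, key name, mount directory and the use of `subPath` are my assumptions, not chart defaults; the sample key file is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example: build the Kubernetes Secret and the helm values that wire a
# Renovate private key into the chart via extraVolumes/extraVolumeMounts.
# Assumed names (not from the chart docs): secret "renovate-private-key",
# key "renovate-private-key.asc", mount dir /etc/renovate. Nothing here talks
# to a cluster: review the printed manifest, then "kubectl apply -f" it and
# pass the values to helm.
set -eu

SECRET_NAME=renovate-private-key
SECRET_KEY=renovate-private-key.asc
MOUNT_DIR=/etc/renovate
KEY_PATH="$MOUNT_DIR/$SECRET_KEY"

# Equivalent of: kubectl create secret generic $SECRET_NAME --from-file=$SECRET_KEY=<file>
render_secret_manifest() {
  key_file=$1
  # Refuse an empty file: the mount would silently hand Renovate no key.
  [ -s "$key_file" ] || { echo "key file is empty: $key_file" >&2; return 1; }
  encoded=$(base64 < "$key_file" | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
    "$SECRET_NAME" "$SECRET_KEY" "$encoded"
}

# Chart values: a secret-backed volume mounted with subPath so the key lands as
# a single file (a secret volume without subPath mounts a directory of keys),
# and privateKeyPath pointing at exactly that file. Other Renovate config
# entries (platform, token, repositories, ...) are omitted for brevity.
render_values() {
  cat <<EOF
extraVolumes:
  - name: private-key
    secret:
      secretName: $SECRET_NAME
extraVolumeMounts:
  - name: private-key
    mountPath: $KEY_PATH
    subPath: $SECRET_KEY
    readOnly: true
renovate:
  config: |
    {
      "privateKeyPath": "$KEY_PATH"
    }
EOF
}

# Constructed placeholder standing in for an exported, passphrase-less key.
tmpdir=$(mktemp -d)
printf -- '-----BEGIN PGP PRIVATE KEY BLOCK-----\nPLACEHOLDER\n-----END PGP PRIVATE KEY BLOCK-----\n' > "$tmpdir/$SECRET_KEY"
render_secret_manifest "$tmpdir/$SECRET_KEY"
render_values
rm -rf "$tmpdir"
```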

That did the trick, thanks.

roe-pinhas avatar Nov 10 '21 11:11 roe-pinhas

Reopening to track the docs update to include the sample.

viceice avatar Nov 10 '21 12:11 viceice

Should be added here:

  • https://github.com/renovatebot/helm-charts/tree/main/charts/renovate#redis
  • https://github.com/renovatebot/helm-charts/blob/9a7f134294d7ef719016b94027fd69cc84da485a/charts/renovate/README.md.gotmpl#L47

viceice avatar Nov 10 '21 12:11 viceice