From 9d4739505d2f74ee5cf3d5213da19f0096730c8b Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Fri, 3 Jul 2026 17:51:32 +1000
Subject: [PATCH] feat(artifactapi): mount terraform registry signing key

Wires the GPG signing key the terraform provider registry needs into the api deployment. The secret is mounted optional so the pod runs before it exists; artifactapi leaves the registry disabled until a readable key is present.

- mount secret artifactapi-tf-signing at /etc/artifactapi/tf-signing (optional)
- set TF_SIGNING_KEY_PATH, and TF_SIGNING_KEY_PASSPHRASE from the secret's optional passphrase key

Create the secret out of band with an armored private key:

kubectl -n artifactapi create secret generic artifactapi-tf-signing \
 --from-file=private-key.asc=./private-key.asc
---
 apps/base/artifactapi/api-deployment.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/apps/base/artifactapi/api-deployment.yaml b/apps/base/artifactapi/api-deployment.yaml
index c29b7df..abf16de 100644
--- a/apps/base/artifactapi/api-deployment.yaml
+++ b/apps/base/artifactapi/api-deployment.yaml
@@ -48,10 +48,25 @@ spec:
 - secretRef:
 name: environment
 optional: false
+ env:
+ # Terraform provider registry signing. The secret is mounted
+ # optional, so the pod runs before it exists; artifactapi keeps the
+ # registry disabled until a readable key is present.
+ - name: TF_SIGNING_KEY_PATH
+ value: /etc/artifactapi/tf-signing/private-key.asc
+ - name: TF_SIGNING_KEY_PASSPHRASE
+ valueFrom:
+ secretKeyRef:
+ name: artifactapi-tf-signing
+ key: passphrase
+ optional: true
 volumeMounts:
 - name: combined-certs
 mountPath: /etc/ssl/combined
 readOnly: true
+ - name: tf-signing-key
+ mountPath: /etc/artifactapi/tf-signing
+ readOnly: true
 livenessProbe:
 failureThreshold: 3
 httpGet:
@@ -88,4 +103,8 @@ spec:
 path: ca.crt
 - name: combined-certs
 emptyDir: {}
+ - name: tf-signing-key
+ secret:
+ secretName: artifactapi-tf-signing
+ optional: true
 restartPolicy: Always
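Review bot: The passphrase is handed to the process as an environment variable (`TF_SIGNING_KEY_PASSPHRASE` via `secretKeyRef` in the first hunk), which every child process inherits and which surfaces in `/proc/<pid>/environ`, core dumps and any diagnostic that prints the environment. The same secret is already mounted read-only at `/etc/artifactapi/tf-signing`, and a secret volume projects every key as a file unless `items` restricts it, so a `passphrase` key will also be readable there as `/etc/artifactapi/tf-signing/passphrase`; if artifactapi can take the passphrase from a path (not visible in this hunk), pointing it at that file and dropping the env entry keeps the value off the environment. Either way the env block deserves a comment such as `# the optional passphrase key is also projected into the tf-signing volume as a file`, so the two exposure paths are documented. The container spec continues outside the hunk.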
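Review bot: The `tf-signing-key` volume in the second hunk sets no `defaultMode`, so the armored private key is projected with the secret-volume default of 0644 and is readable by any UID inside the container, not only the one artifactapi runs as. Adding `defaultMode: 0400` under `secret:` (with the mount already `readOnly: true`) limits the file to its owner; if the pod runs with a non-root `runAsUser` or relies on `fsGroup`, which this hunk does not show, `0440` with the matching group may be what is needed instead. The volumes list continues outside the hunk.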