
Author SHA1 Message Date
unkinben 9d4739505d feat(artifactapi): mount terraform registry signing key
Wires the GPG signing key the terraform provider registry needs into the api
deployment. The secret is mounted optional so the pod runs before it exists;
artifactapi leaves the registry disabled until a readable key is present.

- mount secret artifactapi-tf-signing at /etc/artifactapi/tf-signing (optional)
- set TF_SIGNING_KEY_PATH and TF_SIGNING_KEY_PASSPHRASE from the secret's
  optional passphrase key

Create the secret out of band with an armored private key:
  kubectl -n artifactapi create secret generic artifactapi-tf-signing \
    --from-file=private-key.asc=./private-key.asc
2026-07-03 18:40:08 +10:00
@@ -48,10 +48,25 @@ spec:
- secretRef: - secretRef:
name: environment name: environment
optional: false optional: false
env:
# Terraform provider registry signing. The secret is mounted
# optional, so the pod runs before it exists; artifactapi keeps the
# registry disabled until a readable key is present.
- name: TF_SIGNING_KEY_PATH
value: /etc/artifactapi/tf-signing/private-key.asc
- name: TF_SIGNING_KEY_PASSPHRASE
valueFrom:
secretKeyRef:
name: artifactapi-tf-signing
key: passphrase
optional: true
volumeMounts: volumeMounts:
- name: combined-certs - name: combined-certs
mountPath: /etc/ssl/combined mountPath: /etc/ssl/combined
readOnly: true readOnly: true
- name: tf-signing-key
mountPath: /etc/artifactapi/tf-signing
readOnly: true
livenessProbe: livenessProbe:
failureThreshold: 3 failureThreshold: 3
httpGet: httpGet:
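Review bot: TF_SIGNING_KEY_PASSPHRASE comes from a `secretKeyRef` with `optional: true`, and container environment is resolved once at container start, so a passphrase added after the pod is already running (the create-out-of-band flow the commit message describes) is not visible until the pod restarts, even though the file mount can catch up on its own. The comment block under `# Terraform provider registry signing.` should say that a rollout is needed once the secret exists, or document the expected order (create the secret, then roll the deployment). Also, `value: /etc/artifactapi/tf-signing/private-key.asc` silently depends on the secret's data key being named `private-key.asc`, as in the kubectl command in the commit message; a one-line comment noting that the file name must match the secret key would save the next reader a search.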
@@ -88,4 +103,8 @@ spec:
path: ca.crt path: ca.crt
- name: combined-certs - name: combined-certs
emptyDir: {} emptyDir: {}
- name: tf-signing-key
secret:
secretName: artifactapi-tf-signing
optional: true
restartPolicy: Always restartPolicy: Always
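Review bot: the `tf-signing-key` volume projects every data key of `artifactapi-tf-signing` as a file, so when the secret also carries the `passphrase` key that the env block reads, the passphrase is written to disk at /etc/artifactapi/tf-signing/passphrase next to the private key, and both files get the secret-volume default mode of 0644. For a private signing key, project only the one file and tighten the mode, e.g. under `secret:` add `defaultMode: 0400` and `items: [{key: private-key.asc, path: private-key.asc}]`; 0400 assumes the container process runs as the volume's owning uid, otherwise use 0440 together with an `fsGroup` in the pod securityContext.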