| author | Dustin Lactin <dustin.lactin@gmail.com> | 2024-06-18 13:00:40 -0600 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-06-18 15:00:40 -0400 |
| commit | ae73f740d3917e73ce90029f95c79f4b10438654 (patch) | |
| tree | d92dc4390493ad5b64dc563688f2bd9fedb64b91 /docs | |
| parent | 43f579e6df7f3936cb0a48f1eb16bf29022094f7 (diff) | |
feat: Support for signing commits with gpg and ssh (#710)
Signed-off-by: Dustin Lactin <dustin.lactin@gmail.com>
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/basics/update-methods.md | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/docs/basics/update-methods.md b/docs/basics/update-methods.md index 404b5aa..73d82bf 100644 --- a/docs/basics/update-methods.md +++ b/docs/basics/update-methods.md 
@@ -247,6 +247,58 @@ as the author. You can override the author using the `git.user` and `git.email` in the `argocd-image-updater-config` ConfigMap. +## <a name="method-git-commit-signing"></a>Enabling commit signature signing using an SSH or GPG key + +### 1. SCM branch protection rules require signed commits +Commit signing for SCM branch protection rules require the repository be accessed using HTTPS or SSH with a user account. +Repositories accessed using a GitHub App can not be verified when using the git command line at this time. + +Each Git commit associated with an author's name and email address can be signed via a private SSH key or GPG key. + +Commit signing requires a bot account with a GPG or SSH key and the username and email address configured to match the bot account. + +Your preferred signing key must be associated with your bot account. See SCM provider documentation for further details: +* [GitHub](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) +* [GitLab](https://docs.gitlab.com/ee/user/project/repository/signed_commits/) +* [Bitbucket](https://confluence.atlassian.com/bitbucketserver/controlling-access-to-code-776639770.html) + +### 2. Signing commits for future use with ArgoCD Source Verification Policies +Commits can also be signed for use with source verification. +In this case signing keys do not need to be associated with an SCM user account. + +**SSH:** + +The private key must be mounted and accessible on the `argocd-image-updater` pod. 
+ +Set `git.commit-signing-key` `argocd-image-updater-config` ConfigMap to the path of your private key: + +```yaml +data: + git.commit-sign-off: "true" + git.commit-signing-key: /app/.ssh/id_rsa + git.commit-signing-method: "ssh" +``` + +Create a new SSH secret or use your existing SSH secret: +```bash +kubectl -n argocd-image-updater create secret generic ssh-git-creds \ + --from-file=sshPrivateKey=~/.ssh/id_rsa +``` + +**GPG:** + +The GPG private key must be installed and available in the `argocd-image-updater` pod. +The `git.commit-signing-method` defaults to `openpgp`. +Set `git.commit-signing-key` in the `argocd-image-updater-config` ConfigMap to the GPG key ID you want to use: + +```yaml +data: + git.commit-sign-off: "true" + git.commit-signing-key: 3AA5C34371567BD2 +``` + +#### Commit Sign Off can be enabled by setting `git.commit-sign-off: "true"` + ### <a name="method-git-commit-message"></a>Changing the Git commit message You can change the default commit message used by Argo CD Image Updater to some |
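Review bot: the SSH example never connects the `ssh-git-creds` Secret (created with the `sshPrivateKey` key) to the `/app/.ssh/id_rsa` path that `git.commit-signing-key` points at; add the volume and volumeMount (or name the existing mount the image updater already uses) so readers know how the private key actually reaches the pod, and recommend mounting it read-only with a dedicated bot key rather than a personal one. Smaller points in the same hunk: "Set `git.commit-signing-key` `argocd-image-updater-config` ConfigMap" is missing "in the"; "require the repository be accessed" should be "requires that the repository be accessed"; and the `#### Commit Sign Off can be enabled by setting ...` heading is a sentence, not a section title, so it should become a normal line under the SSH and GPG blocks that both already set `git.commit-sign-off: "true"`. The GPG section states the key "must be installed and available in the pod" but gives no step for importing it into the pod's keyring, which leaves that procedure incomplete compared with the SSH one.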
