From ae73f740d3917e73ce90029f95c79f4b10438654 Mon Sep 17 00:00:00 2001 From: Dustin Lactin Date: Tue, 18 Jun 2024 13:00:40 -0600 Subject: feat: Support for signing commits with gpg and ssh (#710) Signed-off-by: Dustin Lactin --- docs/basics/update-methods.md | 52 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) (limited to 'docs') diff --git a/docs/basics/update-methods.md b/docs/basics/update-methods.md index 404b5aa..73d82bf 100644 --- a/docs/basics/update-methods.md +++ b/docs/basics/update-methods.md 
@@ -247,6 +247,58 @@ as the author. You can override the author using the `git.user` and `git.email` in the `argocd-image-updater-config` ConfigMap. +## Enabling commit signature signing using an SSH or GPG key + +### 1. SCM branch protection rules require signed commits +Commit signing for SCM branch protection rules require the repository be accessed using HTTPS or SSH with a user account. +Repositories accessed using a GitHub App can not be verified when using the git command line at this time. + +Each Git commit associated with an author's name and email address can be signed via a private SSH key or GPG key. + +Commit signing requires a bot account with a GPG or SSH key and the username and email address configured to match the bot account. + +Your preferred signing key must be associated with your bot account. See SCM provider documentation for further details: +* [GitHub](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) +* [GitLab](https://docs.gitlab.com/ee/user/project/repository/signed_commits/) +* [Bitbucket](https://confluence.atlassian.com/bitbucketserver/controlling-access-to-code-776639770.html) + +### 2. Signing commits for future use with ArgoCD Source Verification Policies +Commits can also be signed for use with source verification. +In this case signing keys do not need to be associated with an SCM user account. + +**SSH:** + +The private key must be mounted and accessible on the `argocd-image-updater` pod. 
+ +Set `git.commit-signing-key` `argocd-image-updater-config` ConfigMap to the path of your private key: + +```yaml +data: + git.commit-sign-off: "true" + git.commit-signing-key: /app/.ssh/id_rsa + git.commit-signing-method: "ssh" +``` + +Create a new SSH secret or use your existing SSH secret: +```bash +kubectl -n argocd-image-updater create secret generic ssh-git-creds \ + --from-file=sshPrivateKey=~/.ssh/id_rsa +``` + +**GPG:** + +The GPG private key must be installed and available in the `argocd-image-updater` pod. +The `git.commit-signing-method` defaults to `openpgp`. +Set `git.commit-signing-key` in the `argocd-image-updater-config` ConfigMap to the GPG key ID you want to use: + +```yaml +data: + git.commit-sign-off: "true" + git.commit-signing-key: 3AA5C34371567BD2 +``` + +#### Commit Sign Off can be enabled by setting `git.commit-sign-off: "true"` + ### Changing the Git commit message You can change the default commit message used by Argo CD Image Updater to some -- cgit v1.2.3
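Review bot: the SSH example leaves a gap between the Secret and the ConfigMap: `kubectl -n argocd-image-updater create secret generic ssh-git-creds --from-file=sshPrivateKey=~/.ssh/id_rsa` stores the key under the data key `sshPrivateKey`, while `git.commit-signing-key: /app/.ssh/id_rsa` expects a file at that path inside the pod, and nothing in the hunk shows the volume mount that puts `sshPrivateKey` at `/app/.ssh/id_rsa`. Add the mount, or at least state that the ConfigMap path must match wherever the Secret is mounted, and since the Secret is built from `~/.ssh/id_rsa`, say explicitly that this should be a dedicated bot key rather than an operator's personal key (the text already requires the bot account for branch protection). Smaller points in the same hunk: the GPG section says the private key "must be installed and available in the `argocd-image-updater` pod" without saying how it gets there or where git/gpg will look for the keyring; the line `#### Commit Sign Off can be enabled by setting git.commit-sign-off: "true"` is a sentence formatted as a heading, and because both YAML examples include `git.commit-sign-off: "true"` a reader may take sign-off to be required for signing when it is a separate feature; "Set `git.commit-signing-key` `argocd-image-updater-config` ConfigMap" is missing "in the"; "Commit signing for SCM branch protection rules require" should be "requires"; and "can not be verified" should read "cannot be verified".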