Removed public key requirement, removed SigningConfig function, updated commit function and documentation

Signed-off-by: Dustin Lactin <[email protected]>

Author: dlactin

.github/actions/spelling/expect.txt

@@ -21,6 +21,7 @@ installationid
 jfrog
 mep
 myregistry
+openpgp
 PRIVATEKEYDATA
 repocreds
 rollbacked

cmd/main.go

@@ -28,27 +28,28 @@ const applicationsAPIKindArgoCD = "argocd"
 
 // ImageUpdaterConfig contains global configuration and required runtime data
 type ImageUpdaterConfig struct {
-	ApplicationsAPIKind string
-	ClientOpts          argocd.ClientOptions
-	ArgocdNamespace     string
-	DryRun              bool
-	CheckInterval       time.Duration
-	ArgoClient          argocd.ArgoCD
-	LogLevel            string
-	KubeClient          *kube.KubernetesClient
-	MaxConcurrency      int
-	HealthPort          int
-	MetricsPort         int
-	RegistriesConf      string
-	AppNamePatterns     []string
-	AppLabel            string
-	GitCommitUser       string
-	GitCommitMail       string
-	GitCommitMessage    *template.Template
-	GitCommitSigningKey string
-	GitCommitSignOff    bool
-	DisableKubeEvents   bool
-	GitCreds            git.CredsStore
+	ApplicationsAPIKind    string
+	ClientOpts             argocd.ClientOptions
+	ArgocdNamespace        string
+	DryRun                 bool
+	CheckInterval          time.Duration
+	ArgoClient             argocd.ArgoCD
+	LogLevel               string
+	KubeClient             *kube.KubernetesClient
+	MaxConcurrency         int
+	HealthPort             int
+	MetricsPort            int
+	RegistriesConf         string
+	AppNamePatterns        []string
+	AppLabel               string
+	GitCommitUser          string
+	GitCommitMail          string
+	GitCommitMessage       *template.Template
+	GitCommitSigningKey    string
+	GitCommitSigningMethod string
+	GitCommitSignOff       bool
+	DisableKubeEvents      bool
+	GitCreds               git.CredsStore
 }
 
 // newRootCommand implements the root command of argocd-image-updater

cmd/run.go

@@ -240,7 +240,8 @@ func newRunCommand() *cobra.Command {
 	runCmd.Flags().BoolVar(&warmUpCache, "warmup-cache", true, "whether to perform a cache warm-up on startup")
 	runCmd.Flags().StringVar(&cfg.GitCommitUser, "git-commit-user", env.GetStringVal("GIT_COMMIT_USER", "argocd-image-updater"), "Username to use for Git commits")
 	runCmd.Flags().StringVar(&cfg.GitCommitMail, "git-commit-email", env.GetStringVal("GIT_COMMIT_EMAIL", "[email protected]"), "E-Mail address to use for Git commits")
-	runCmd.Flags().StringVar(&cfg.GitCommitSigningKey, "git-commit-signing-key", env.GetStringVal("GIT_COMMIT_SIGNING_KEY", ""), "GnuPG key ID or path to Public SSH Key used to sign the commits")
+	runCmd.Flags().StringVar(&cfg.GitCommitSigningKey, "git-commit-signing-key", env.GetStringVal("GIT_COMMIT_SIGNING_KEY", ""), "GnuPG key ID or path to Private SSH Key used to sign the commits")
+	runCmd.Flags().StringVar(&cfg.GitCommitSigningMethod, "git-commit-signing-method", env.GetStringVal("GIT_COMMIT_SIGNING_METHOD", "openpgp"), "Method used to sign Git commits ('openpgp' or 'ssh')")
 	runCmd.Flags().BoolVar(&cfg.GitCommitSignOff, "git-commit-sign-off", env.GetBoolVal("GIT_COMMIT_SIGN_OFF", false), "Whether to sign-off git commits")
 	runCmd.Flags().StringVar(&commitMessagePath, "git-commit-message-path", defaultCommitTemplatePath, "Path to a template to use for Git commit messages")
 	runCmd.Flags().BoolVar(&cfg.DisableKubeEvents, "disable-kube-events", env.GetBoolVal("IMAGE_UPDATER_KUBE_EVENTS", false), "Disable kubernetes events")
@@ -321,18 +322,19 @@ func runImageUpdater(cfg *ImageUpdaterConfig, warmUp bool) (argocd.ImageUpdaterR
 			defer sem.Release(1)
 			log.Debugf("Processing application %s", app)
 			upconf := &argocd.UpdateConfiguration{
-				NewRegFN:          registry.NewClient,
-				ArgoClient:        cfg.ArgoClient,
-				KubeClient:        cfg.KubeClient,
-				UpdateApp:         &curApplication,
-				DryRun:            dryRun,
-				GitCommitUser:     cfg.GitCommitUser,
-				GitCommitEmail:    cfg.GitCommitMail,
-				GitCommitMessage:  cfg.GitCommitMessage,
-				GitCommitSigningKey: cfg.GitCommitSigningKey,
-				GitCommitSignOff:    cfg.GitCommitSignOff,
-				DisableKubeEvents: cfg.DisableKubeEvents,
-				GitCreds:          cfg.GitCreds,
+				NewRegFN:               registry.NewClient,
+				ArgoClient:             cfg.ArgoClient,
+				KubeClient:             cfg.KubeClient,
+				UpdateApp:              &curApplication,
+				DryRun:                 dryRun,
+				GitCommitUser:          cfg.GitCommitUser,
+				GitCommitEmail:         cfg.GitCommitMail,
+				GitCommitMessage:       cfg.GitCommitMessage,
+				GitCommitSigningKey:    cfg.GitCommitSigningKey,
+				GitCommitSigningMethod: cfg.GitCommitSigningMethod,
+				GitCommitSignOff:       cfg.GitCommitSignOff,
+				DisableKubeEvents:      cfg.DisableKubeEvents,
+				GitCreds:               cfg.GitCreds,
 			}
 			res := argocd.UpdateApplication(upconf, syncState)
 			result.NumApplicationsProcessed += 1

docs/basics/update-methods.md

@@ -153,8 +153,7 @@ format. To create such a secret from an existing private key, you can use
 
 ```bash
 kubectl -n argocd-image-updater create secret generic git-creds \
-  --from-file=sshPrivateKey=~/.ssh/id_rsa \
-  --from-file=sshPublicKey=~/.ssh/id_rsa.pub \
+  --from-file=sshPrivateKey=~/.ssh/id_rsa
 ```
 
 ### <a name="method-git-repository"></a>Specifying a repository when using a Helm repository in repoURL
@@ -248,44 +247,48 @@ as the author. You can override the author using the
 `git.user` and `git.email`
 in the `argocd-image-updater-config` ConfigMap.
 
-### <a name="method-git-commit-signing"></a>Enabling commit signature verification using an SSH or GPG key
-Commit signing requires the repository be accessed using HTTPS or SSH with a user account.
+## <a name="method-git-commit-signing"></a>Enabling commit signature signing using an SSH or GPG key
+
+### 1. SCM branch protection rules require signed commits
+Commit signing for SCM branch protection rules require the repository be accessed using HTTPS or SSH with a user account.
 Repositories accessed using a GitHub App can not be verified when using the git command line at this time.
 
-Each Git commit associated with an author's name and email address can be signed via a public SSH key or GPG key.
+Each Git commit associated with an author's name and email address can be signed via a private SSH key or GPG key.
+
 Commit signing requires a bot account with a GPG or SSH key and the username and email address configured to match the bot account.
 
-Your preferred signing key must be associated with your bot account. See provider documentation for further details:
+Your preferred signing key must be associated with your bot account. See SCM provider documentation for further details:
 * [GitHub](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification)
 * [GitLab](https://docs.gitlab.com/ee/user/project/repository/signed_commits/)
 * [Bitbucket](https://confluence.atlassian.com/bitbucketserver/controlling-access-to-code-776639770.html)
 
-Commit Sign Off can be enabled by setting `git.commit-sign-off: "true"`
+### 2. Signing commits for future use with ArgoCD Source Verification Policies
+Commits can also be signed for use with source verification.
+In this case signing keys do not need to be associated with an SCM user account.
 
 **SSH:**
 
-Both private and public keys must be mounted and accessible on the `argocd-image-updater` pod.
+The private key must be mounted and accessible on the `argocd-image-updater` pod.
 
-Set `git.commit-signing-key` `argocd-image-updater-config` ConfigMap to the path of your public key:
+Set `git.commit-signing-key` `argocd-image-updater-config` ConfigMap to the path of your private key:
 
 ```yaml
 data:
   git.commit-sign-off: "true"
-  git.commit-signing-key: /app/.ssh/id_rsa.pub
+  git.commit-signing-key: /app/.ssh/id_rsa
+  git.commit-signing-method: "ssh"
 ```
 
-The matching private key must be available in the same location.
-
-Create a new SSH secret or add the public key to your existing SSH secret:
+Create a new SSH secret or use your existing SSH secret:
 ```bash
 kubectl -n argocd-image-updater create secret generic ssh-git-creds \
-  --from-file=sshPrivateKey=~/.ssh/id_rsa \
-  --from-file=sshPublicKey=~/.ssh/id_rsa.pub
+  --from-file=sshPrivateKey=~/.ssh/id_rsa
 ```
 
 **GPG:**
 
 The GPG private key must be installed and available in the `argocd-image-updater` pod.
+The `git.commit-signing-method` defaults to `openpgp`.
 Set `git.commit-signing-key` in the `argocd-image-updater-config` ConfigMap to the GPG key ID you want to use:
 
 ```yaml
@@ -294,6 +297,8 @@ data:
   git.commit-signing-key: 3AA5C34371567BD2
 ```
 
+#### Commit Sign Off can be enabled by setting `git.commit-sign-off: "true"`
+
 ### <a name="method-git-commit-message"></a>Changing the Git commit message
 
 You can change the default commit message used by Argo CD Image Updater to some

ext/git/client.go

@@ -82,7 +82,6 @@ type Client interface {
 	Add(path string) error
 	SymRefToBranch(symRef string) (string, error)
 	Config(username string, email string) error
-	SigningConfig(signingkey string) error
 }
 
 type EventHandlers struct {

ext/git/writer.go

@@ -3,7 +3,6 @@ package git
 import (
 	"fmt"
 	"os/exec"
-	"regexp"
 	"strings"
 
 	"github.com/argoproj-labs/argocd-image-updater/pkg/log"
@@ -15,8 +14,10 @@ type CommitOptions struct {
 	CommitMessageText string
 	// CommitMessagePath holds the path to a file to be used for the commit message (-F option)
 	CommitMessagePath string
-	// SigningKey holds a GnuPG key ID or path to Public SSH Key used to sign the commit with (-S option)
+	// SigningKey holds a GnuPG key ID or path to a Private SSH Key used to sign the commit with (-S option)
 	SigningKey string
+	// SigningMethod holds the signing method used to sign commits. (git -c gpg.format=ssh option)
+	SigningMethod string
 	// SignOff specifies whether to sign-off a commit (-s option)
 	SignOff bool
 }
@@ -26,25 +27,18 @@ type CommitOptions struct {
 // changes will be commited. If message is not the empty string, it will be
 // used as the commit message, otherwise a default commit message will be used.
 // If signingKey is not the empty string, commit will be signed with the given
-// GPG key.
+// GPG or SSH key.
 func (m *nativeGitClient) Commit(pathSpec string, opts *CommitOptions) error {
 	defaultCommitMsg := "Update parameters"
-	args := []string{"commit"}
+	// Git configuration
+	config := "gpg.format=" + opts.SigningMethod
+	args := []string{"-c", config, "commit"}
 	if pathSpec == "" || pathSpec == "*" {
 		args = append(args, "-a")
 	}
-	if opts.SigningKey != "" {
-		// Check if SiginingKey is a GPG key or Public SSH Key
-		keyCheck, err := regexp.MatchString(".*pub$", opts.SigningKey)
-		if err != nil {
-			return fmt.Errorf("could not validate Signing Key as GPG or Public SSH Key: %v", err)
-		}
-		if keyCheck {
-			args = append(args, "-S")
-		} else {
-			args = append(args, "-S", opts.SigningKey)
-		}
-	}
+	// Commit fails with a space between -S flag and path to SSH key
+	// -S/user/test/.ssh/signingKey or -SAAAAAAAA...
+	args = append(args, fmt.Sprintf("-S%s", opts.SigningKey))
 	if opts.SignOff {
 		args = append(args, "-s")
 	}
@@ -157,28 +151,3 @@ func (m *nativeGitClient) runCredentialedCmdWithOutput(args ...string) (string,
 	cmd.Env = append(cmd.Env, environ...)
 	return m.runCmdOutput(cmd, runOpts{})
 }
-
-// SigningConfig configures commit signing for the repository
-func (m *nativeGitClient) SigningConfig(signingkey string) error {
-	// Check if SiginingKey is a GPG key or Public SSH Key
-	keyCheck, err := regexp.MatchString(".*pub$", signingkey)
-	if err != nil {
-		return fmt.Errorf("could not validate Signing Key as GPG or Public SSH Key: %v", err)
-	}
-	if keyCheck {
-		// Setting the GPG format to ssh
-		log.Warnf("Setting GPG Format to SSH")
-		_, err = m.runCmd("config", "gpg.format", "ssh")
-		if err != nil {
-			return fmt.Errorf("could not set gpg format to ssh: %v", err)
-		}
-		// Setting Public SSH Key as our signing key
-		// SSH Keys can not currently be set via cli flag
-		_, err = m.runCmd("config", "user.signingkey", signingkey)
-		if err != nil {
-			return fmt.Errorf("could not set git signing key: %v", err)
-		}
-	}
-
-	return nil
-}

manifests/base/deployment/argocd-image-updater-deployment.yaml

@@ -83,6 +83,12 @@ spec:
               key: git.commit-signing-key
               name: argocd-image-updater-config
               optional: true
+        - name: GIT_COMMIT_SIGNING_METHOD
+          valueFrom:
+            configMapKeyRef:
+              key: git.commit-signing-key
+              name: argocd-image-updater-config
+              optional: true
         - name: GIT_COMMIT_SIGN_OFF
           valueFrom:
             configMapKeyRef:
@@ -132,10 +138,6 @@ spec:
           mountPath: /app/.ssh/id_rsa
           readOnly: true
           subPath: sshPrivateKey
-        - name: ssh-signing-key
-          mountPath: /app/.ssh/id_rsa.pub
-          readOnly: true
-          subPath: sshPublicKey
       serviceAccountName: argocd-image-updater
       volumes:
       - configMap:

manifests/install.yaml

@@ -164,6 +164,12 @@ spec:
               key: git.commit-signing-key
               name: argocd-image-updater-config
               optional: true
+        - name: GIT_COMMIT_SIGNING_METHOD
+          valueFrom:
+            configMapKeyRef:
+              key: git.commit-signing-key
+              name: argocd-image-updater-config
+              optional: true
         - name: GIT_COMMIT_SIGN_OFF
           valueFrom:
             configMapKeyRef:
@@ -215,10 +221,6 @@ spec:
           name: ssh-signing-key
           readOnly: true
           subPath: sshPrivateKey
-        - mountPath: /app/.ssh/id_rsa.pub
-          name: ssh-signing-key
-          readOnly: true
-          subPath: sshPublicKey
       serviceAccountName: argocd-image-updater
       volumes:
       - configMap:

pkg/argocd/git.go

@@ -169,14 +169,6 @@ func commitChangesGit(app *v1alpha1.Application, wbc *WriteBackConfig, changeLis
 		}
 	}
 
-	// Set commit signing configuration
-	if wbc.GitCommitSigningKey != "" {
-		err = gitC.SigningConfig(wbc.GitCommitSigningKey)
-		if err != nil {
-			return err
-		}
-	}
-
 	// The branch to checkout is either a configured branch in the write-back
 	// config, or taken from the application spec's targetRevision. If the
 	// target revision is set to the special value HEAD, or is the empty
@@ -246,6 +238,7 @@ func commitChangesGit(app *v1alpha1.Application, wbc *WriteBackConfig, changeLis
 		commitOpts.SigningKey = wbc.GitCommitSigningKey
 	}
 
+	commitOpts.SigningMethod = wbc.GitCommitSigningMethod
 	commitOpts.SignOff = wbc.GitCommitSignOff
 
 	err = gitC.Commit("", commitOpts)