argocd-image-updater icon indicating copy to clipboard operation
argocd-image-updater copied to clipboard

Published 20 hours ago verified publisher icon argoproj-labs

Support GPG-signed commits, fixes #427

Open vgrigoruk opened this issue 3 years ago • 8 comments

Fixes #427

vgrigoruk avatar Apr 29 '22 14:04 vgrigoruk

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Apr 29 '22 14:04 CLAassistant

Codecov Report

Merging #428 (e1ba3b7) into master (f12a5ab) will decrease coverage by 0.09%. The diff coverage is 0.00%.

@@            Coverage Diff             @@
##           master     #428      +/-   ##
==========================================
- Coverage   65.60%   65.50%   -0.10%     
==========================================
  Files          21       21              
  Lines        2035     2038       +3     
==========================================
  Hits         1335     1335              
- Misses        571      574       +3     
  Partials      129      129
Impacted Files Coverage Δ
pkg/argocd/update.go 68.95% <0.00%> (-0.85%) :arrow_down:

:mega: Codecov can now indicate which changes are the most critical in Pull Requests. Learn more

codecov-commenter avatar Apr 29 '22 14:04 codecov-commenter

Sorry for being so late on this PR!

Reading through the code, I have the feeling that some part of the code may be missing? I see configuration around setting the signing key and sign-off functions, but I don't see any code changes to the Git client to actually perform the signing or sign-off.

jannfis avatar Nov 18 '22 00:11 jannfis

Hey @jannfis . Thank you for looking into this. As far as I can see, the code which adds necessary flags to git commit CLI command is already there (but was previously unused):

  • https://github.com/argoproj-labs/argocd-image-updater/blob/a03f31915d71ae39f1c9ac5d7d4d1501d11d158b/ext/git/writer.go#L34-L39

vgrigoruk avatar Nov 18 '22 09:11 vgrigoruk

Hey @jannfis . Thank you for looking into this. As far as I can see, the code which adds necessary flags to git commit CLI command is already there (but was previously unused):

* https://github.com/argoproj-labs/argocd-image-updater/blob/a03f31915d71ae39f1c9ac5d7d4d1501d11d158b/ext/git/writer.go#L34-L39

Oops. Thanks, then it was probably dead code all the time. Would you mind writing documentation for this? In order to sign commits with PGP, I assume some private key ring needs to be mounted to the pod. Could you include step-by-step instructions for people on how to do this?

Thanks!

jannfis avatar Nov 18 '22 20:11 jannfis

Hey @jannfis . Thank you for looking into this. As far as I can see, the code which adds necessary flags to git commit CLI command is already there (but was previously unused):

* https://github.com/argoproj-labs/argocd-image-updater/blob/a03f31915d71ae39f1c9ac5d7d4d1501d11d158b/ext/git/writer.go#L34-L39

Oops. Thanks, then it was probably dead code all the time. Would you mind writing documentation for this? In order to sign commits with PGP, I assume some private key ring needs to be mounted to the pod. Could you include step-by-step instructions for people on how to do this?

Thanks!

Have gpg+gnupg installed, and then something like:

    mkdir -p ~/.gnupg && chmod 600 ~/.gnupg
    echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
    echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf
    {
      echo \#\!/usr/bin/env bash
      echo "/usr/bin/gpg --batch --no-tty --pinentry-mode loopback --passphrase $GPG_PASS \"\$@\""
    } > ~/.gnupg/.gpgsign
    chmod 500 ~/.gnupg/.gpgsign
    gpg -q --batch --passphrase $GPG_PASS --import $GPG_PRIVATE_KEY_FILE

and also

    git config --global gpg.program ~/.gnupg/.gpgsign

Would be nice to get this in since it's almost 2y old now?!

ForbiddenEra avatar Mar 28 '24 16:03 ForbiddenEra

We ended up changing our setup to use argocd writeback method (in order to support manual rollback scenarios in ArgoCD, which turned to be problematic in case of using git write-back method). So this feature is not required for us anymore and I don't have a capacity to push this forward.

vgrigoruk avatar Apr 06 '24 18:04 vgrigoruk

TBH I ended up just having a CI pipeline update the kustomization in my repo because of all the issues with Argo with overrides with branches and/or submodules - it just doesn't work (the override makes 'changes' in the repo, then when Argo subsequently tries to pull new submodules or switch branches, git says you have uncommitted changes and now you're screwed)

Kind of annoying in the end that I spent hours of frustration dealing with the aforementioned bug, not having GPG-ability and everything that I got the same result with like 3 lines of pipeline code :/

Not to diss on the project but, I feel like there's a lot of cases where the image updater would be used and perhaps should be part of Argo itself not an add-on. Smaller teams aren't always making helm charts for each internal service/app letalone specifically versioning them letalone wanting to bump a version everytime they commit something and want to review it deployed, all of those cases (and many more I'm sure) don't end up updating the manifests (especially when the image is targeting 'latest' or 'staging' tag or something) and thus Argo doesn't sync, obviously this is known since image updater exists but again I think this should be a 1st class thing, not an alpha add-on that seems to be collecting a bit of dust already :/

ForbiddenEra avatar Apr 08 '24 13:04 ForbiddenEra