Support GPG-signed commits, fixes #427

[vgrigoruk]

Fixes #427

[CLAassistant]

All committers have signed the CLA.

[codecov-commenter]

Codecov Report

Merging #428 (e1ba3b7) into master (f12a5ab) will decrease coverage by 0.09%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##           master     #428      +/-   ##
==========================================
- Coverage   65.60%   65.50%   -0.10%     
==========================================
  Files          21       21              
  Lines        2035     2038       +3     
==========================================
  Hits         1335     1335              
- Misses        571      574       +3     
  Partials      129      129              

Impacted Files	Coverage Δ
pkg/argocd/update.go	68.95% <0.00%> (-0.85%)	⬇️

📣 Codecov can now indicate which changes are the most critical in Pull Requests. Learn more

[jannfis]

Sorry for being so late on this PR!

Reading through the code, I have the feeling that some part of the code may be missing? I see configuration around setting the signing key and sign-off functions, but I don't see any code changes to the Git client to actually perform the signing or sign-off.

[vgrigoruk]

Hey @jannfis . Thank you for looking into this.
As far as I can see, the code which adds necessary flags to git commit CLI command is already there (but was previously unused):

• argocd-image-updater/ext/git/writer.go

  Lines 34 to 39 in a03f319

  	if opts.SigningKey != "" {
  	args = append(args, "-S", opts.SigningKey)
  	}
  	if opts.SignOff {
  	args = append(args, "-s")
  	}

[jannfis]

Hey @jannfis . Thank you for looking into this. As far as I can see, the code which adds necessary flags to git commit CLI command is already there (but was previously unused):

* https://github.com/argoproj-labs/argocd-image-updater/blob/a03f31915d71ae39f1c9ac5d7d4d1501d11d158b/ext/git/writer.go#L34-L39

Oops. Thanks, then it was probably dead code all the time. Would you mind writing documentation for this? In order to sign commits with PGP, I assume some private key ring needs to be mounted to the pod. Could you include step-by-step instructions for people on how to do this?

Thanks!

[ForbiddenEra]

Hey @jannfis . Thank you for looking into this. As far as I can see, the code which adds necessary flags to git commit CLI command is already there (but was previously unused):

* https://github.com/argoproj-labs/argocd-image-updater/blob/a03f31915d71ae39f1c9ac5d7d4d1501d11d158b/ext/git/writer.go#L34-L39

Oops. Thanks, then it was probably dead code all the time. Would you mind writing documentation for this? In order to sign commits with PGP, I assume some private key ring needs to be mounted to the pod. Could you include step-by-step instructions for people on how to do this?

Thanks!

Have gpg+gnupg installed, and then something like:

    mkdir -p ~/.gnupg && chmod 600 ~/.gnupg
    echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
    echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf
    {
      echo \#\!/usr/bin/env bash
      echo "/usr/bin/gpg --batch --no-tty --pinentry-mode loopback --passphrase $GPG_PASS \"\$@\""
    } > ~/.gnupg/.gpgsign
    chmod 500 ~/.gnupg/.gpgsign
    gpg -q --batch --passphrase $GPG_PASS --import $GPG_PRIVATE_KEY_FILE

and also

    git config --global gpg.program ~/.gnupg/.gpgsign

Would be nice to get this in since it's almost 2y old now?!

[vgrigoruk]

We ended up changing our setup to use argocd writeback method (in order to support manual rollback scenarios in ArgoCD, which turned to be problematic in case of using git write-back method). So this feature is not required for us anymore and I don't have a capacity to push this forward.

[ForbiddenEra]

TBH I ended up just having a CI pipeline update the kustomization in my repo because of all the issues with Argo with overrides with branches and/or submodules - it just doesn't work (the override makes 'changes' in the repo, then when Argo subsequently tries to pull new submodules or switch branches, git says you have uncommitted changes and now you're screwed)

Kind of annoying in the end that I spent hours of frustration dealing with the aforementioned bug, not having GPG-ability and everything that I got the same result with like 3 lines of pipeline code :/

Not to diss on the project but, I feel like there's a lot of cases where the image updater would be used and perhaps should be part of Argo itself not an add-on. Smaller teams aren't always making helm charts for each internal service/app letalone specifically versioning them letalone wanting to bump a version everytime they commit something and want to review it deployed, all of those cases (and many more I'm sure) don't end up updating the manifests (especially when the image is targeting 'latest' or 'staging' tag or something) and thus Argo doesn't sync, obviously this is known since image updater exists but again I think this should be a 1st class thing, not an alpha add-on that seems to be collecting a bit of dust already :/