Cover create image update signing flags

Adds golden-file tests for the new --signing-key-secret and
--signing-key-type flags: no-signing (baseline), default-gpg (asserts
type: gpg is rendered explicitly when only the secret is set), ssh,
and the two validation-error cases. Establishes
cmd/flux/testdata/create_image_update/ for future expansion of this
command's coverage.

Signed-off-by: Hidde Beydals <hidde@hhh.computer>

cmd/flux/create_image_update_test.go

@@ -0,0 +1,62 @@
+/*
+Copyright 2026 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import "testing"
+
+func TestCreateImageUpdate(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   string
+		assert assertFunc
+	}{
+		{
+			name:   "no signing key",
+			args:   "create image update flux-system --git-repo-ref=flux-system --checkout-branch=main --author-name=flux --author-email=flux@example.com --interval=1m0s --namespace=flux-system --export",
+			assert: assertGoldenFile("./testdata/create_image_update/no-signing.yaml"),
+		},
+		{
+			name:   "signing secret without explicit type defaults to gpg",
+			args:   "create image update flux-system --git-repo-ref=flux-system --checkout-branch=main --author-name=flux --author-email=flux@example.com --signing-key-secret=my-key --interval=1m0s --namespace=flux-system --export",
+			assert: assertGoldenFile("./testdata/create_image_update/signing-default-gpg.yaml"),
+		},
+		{
+			name:   "ssh signing key",
+			args:   "create image update flux-system --git-repo-ref=flux-system --checkout-branch=main --author-name=flux --author-email=flux@example.com --signing-key-secret=my-deploy-key --signing-key-type=ssh --interval=1m0s --namespace=flux-system --export",
+			assert: assertGoldenFile("./testdata/create_image_update/signing-ssh.yaml"),
+		},
+		{
+			name:   "signing-key-type without secret errors",
+			args:   "create image update flux-system --git-repo-ref=flux-system --checkout-branch=main --author-name=flux --author-email=flux@example.com --signing-key-type=ssh --namespace=flux-system --export",
+			assert: assertError("--signing-key-type requires --signing-key-secret"),
+		},
+		{
+			name:   "invalid signing-key-type errors",
+			args:   "create image update flux-system --git-repo-ref=flux-system --checkout-branch=main --author-name=flux --author-email=flux@example.com --signing-key-secret=k --signing-key-type=pgp --namespace=flux-system --export",
+			assert: assertError("--signing-key-type must be one of: gpg, ssh"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := cmdTestCase{
+				args:   tt.args,
+				assert: tt.assert,
+			}
+			cmd.runTestCmd(t)
+		})
+	}
+}

cmd/flux/testdata/create_image_update/no-signing.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: image.toolkit.fluxcd.io/v1
+kind: ImageUpdateAutomation
+metadata:
+  name: flux-system
+  namespace: flux-system
+spec:
+  git:
+    checkout:
+      ref:
+        branch: main
+    commit:
+      author:
+        email: flux@example.com
+        name: flux
+  interval: 1m0s
+  sourceRef:
+    kind: GitRepository
+    name: flux-system

cmd/flux/testdata/create_image_update/signing-default-gpg.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: image.toolkit.fluxcd.io/v1
+kind: ImageUpdateAutomation
+metadata:
+  name: flux-system
+  namespace: flux-system
+spec:
+  git:
+    checkout:
+      ref:
+        branch: main
+    commit:
+      author:
+        email: flux@example.com
+        name: flux
+      signingKey:
+        secretRef:
+          name: my-key
+        type: gpg
+  interval: 1m0s
+  sourceRef:
+    kind: GitRepository
+    name: flux-system

cmd/flux/testdata/create_image_update/signing-ssh.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: image.toolkit.fluxcd.io/v1
+kind: ImageUpdateAutomation
+metadata:
+  name: flux-system
+  namespace: flux-system
+spec:
+  git:
+    checkout:
+      ref:
+        branch: main
+    commit:
+      author:
+        email: flux@example.com
+        name: flux
+      signingKey:
+        secretRef:
+          name: my-deploy-key
+        type: ssh
+  interval: 1m0s
+  sourceRef:
+    kind: GitRepository
+    name: flux-system