From ea730551d487e46d21bea3e65084d23d923885c9 Mon Sep 17 00:00:00 2001
From: Hidde Beydals
Date: Fri, 29 May 2026 22:11:38 +0200
Subject: [PATCH] Add signing-key flags to create image update
Closes a pre-existing gap where the ImageUpdateAutomation SigningKey field was reachable only by hand-editing the rendered YAML. The two new flags --signing-key-secret and --signing-key-type populate the spec.git.commit.signingKey block directly. When --signing-key-secret is set without --signing-key-type, the run function fills in 'gpg' explicitly so the rendered YAML matches what the apiserver would default it to. Validation rejects --signing-key- type without --signing-key-secret and rejects values outside {gpg, ssh}, using the typed SigningKeyType constants exported from the image-automation-controller API so the validator and populator share a single source of truth.
Signed-off-by: Hidde Beydals
---
 cmd/flux/create_image_update.go | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/cmd/flux/create_image_update.go b/cmd/flux/create_image_update.go
index f0ee11cf..32d3a6f3 100644
--- a/cmd/flux/create_image_update.go
+++ b/cmd/flux/create_image_update.go
@@ -23,6 +23,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 autov1 "github.com/fluxcd/image-automation-controller/api/v1"
+ "github.com/fluxcd/pkg/apis/meta"
 sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )
@@ -75,6 +76,8 @@ type imageUpdateFlags struct {
 commitTemplate string
 authorName string
 authorEmail string
+ signingKeySecret string
+ signingKeyType string
 }
 var imageUpdateArgs = imageUpdateFlags{}
@@ -89,6 +92,8 @@ func init() {
 flags.StringVar(&imageUpdateArgs.commitTemplate, "commit-template", "", "a template for commit messages")
 flags.StringVar(&imageUpdateArgs.authorName, "author-name", "", "the name to use for commit author")
 flags.StringVar(&imageUpdateArgs.authorEmail, "author-email", "", "the email to use for commit author")
+ flags.StringVar(&imageUpdateArgs.signingKeySecret, "signing-key-secret", "", "name of the Secret containing the signing key referenced in spec.git.commit.signingKey")
+ flags.StringVar(&imageUpdateArgs.signingKeyType, "signing-key-type", "", "signing-key format: gpg or ssh (defaults to gpg when --signing-key-secret is set)")
 createImageCmd.AddCommand(createImageUpdateCmd)
 }
@@ -112,6 +117,15 @@ func createImageUpdateRun(cmd *cobra.Command, args []string) error {
 return fmt.Errorf("the author email is required (--author-email)")
 }
+ if imageUpdateArgs.signingKeyType != "" && imageUpdateArgs.signingKeySecret == "" {
+ return fmt.Errorf("--signing-key-type requires --signing-key-secret")
+ }
+ if imageUpdateArgs.signingKeyType != "" &&
+ imageUpdateArgs.signingKeyType != string(autov1.SigningKeyTypeGPG) &&
+ imageUpdateArgs.signingKeyType != string(autov1.SigningKeyTypeSSH) {
+ return fmt.Errorf("--signing-key-type must be one of: gpg, ssh")
+ }
+
 labels, err := parseLabels()
 if err != nil {
 return err
@@ -163,6 +177,17 @@ func createImageUpdateRun(cmd *cobra.Command, args []string) error {
 }
 }
+ if imageUpdateArgs.signingKeySecret != "" {
+ keyType := imageUpdateArgs.signingKeyType
+ if keyType == "" {
+ keyType = string(autov1.SigningKeyTypeGPG)
+ }
+ update.Spec.GitSpec.Commit.SigningKey = &autov1.SigningKey{
+ SecretRef: meta.LocalObjectReference{Name: imageUpdateArgs.signingKeySecret},
+ Type: autov1.SigningKeyType(keyType),
+ }
+ }
+
 if createArgs.export {
 return printExport(exportImageUpdate(&update))
 }
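Review bot: The `--signing-key-secret` help text in `init()` does not say that the Secret is looked up in the ImageUpdateAutomation's own namespace, which follows from the name-only `meta.LocalObjectReference` that the last hunk builds from this flag. Because this Secret presumably holds private signing key material, the namespace scoping is worth stating so operators know where to create it and whom to grant read access. Suggested text: `"name of the Secret, in the same namespace as the ImageUpdateAutomation, containing the signing key for spec.git.commit.signingKey"`. `init()` starts outside the hunk.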
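Review bot: The two new validation branches in `createImageUpdateRun` and the gpg default applied later have no test in this commit; the diffstat lists only `cmd/flux/create_image_update.go`. A case for each rejection, plus one checking that the exported YAML carries the explicit type, would pin the behaviour. The allowed values are also spelled out separately in the help text, the comparisons and the error string, so the message can drift from the constants; `return fmt.Errorf("--signing-key-type must be one of: %s, %s", autov1.SigningKeyTypeGPG, autov1.SigningKeyTypeSSH)` keeps it tied to them. The function body starts and ends outside the hunk.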
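Review bot: The explicit `gpg` fallback in the signing-key block has no comment saying why the CLI sets it instead of leaving `Type` empty; the reason (exported YAML should match what the API server would default) is only in the commit message. Add `// Set the type explicitly so exported YAML matches the API server default.` above `if keyType == ""`. The string round-trip can be dropped by keeping the typed value: `keyType := autov1.SigningKeyType(imageUpdateArgs.signingKeyType)` with `keyType = autov1.SigningKeyTypeGPG` in the fallback. The assignment also assumes `update.Spec.GitSpec` is already populated, which happens outside the hunk.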