Add signing-key flags to create image update

Closes a pre-existing gap where the ImageUpdateAutomation SigningKey field was reachable only by hand-editing the rendered YAML. The two new flags --signing-key-secret and --signing-key-type populate the spec.git.commit.signingKey block directly. When --signing-key-secret is set without --signing-key-type, the run function fills in 'gpg' explicitly so the rendered YAML matches what the apiserver would default it to. Validation rejects --signing-key- type without --signing-key-secret and rejects values outside {gpg, ssh}, using the typed SigningKeyType constants exported from the image-automation-controller API so the validator and populator share a single source of truth. Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2026-05-30 03:40:47 +00:00 · 2026-05-29 22:11:38 +02:00
parent 8b20c2efc1
commit ea730551d4
1 changed files with 25 additions and 0 deletions
@@ -23,6 +23,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	autov1 "github.com/fluxcd/image-automation-controller/api/v1"
+	"github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1"
 )

@@ -75,6 +76,8 @@ type imageUpdateFlags struct {
 	commitTemplate   string
 	authorName       string
 	authorEmail      string
+	signingKeySecret string
+	signingKeyType   string
 }

 var imageUpdateArgs = imageUpdateFlags{}
@@ -89,6 +92,8 @@ func init() {
 	flags.StringVar(&imageUpdateArgs.commitTemplate, "commit-template", "", "a template for commit messages")
 	flags.StringVar(&imageUpdateArgs.authorName, "author-name", "", "the name to use for commit author")
 	flags.StringVar(&imageUpdateArgs.authorEmail, "author-email", "", "the email to use for commit author")
+	flags.StringVar(&imageUpdateArgs.signingKeySecret, "signing-key-secret", "", "name of the Secret containing the signing key referenced in spec.git.commit.signingKey")
+	flags.StringVar(&imageUpdateArgs.signingKeyType, "signing-key-type", "", "signing-key format: gpg or ssh (defaults to gpg when --signing-key-secret is set)")

 	createImageCmd.AddCommand(createImageUpdateCmd)
 }
@@ -112,6 +117,15 @@ func createImageUpdateRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("the author email is required (--author-email)")
 	}

+	if imageUpdateArgs.signingKeyType != "" && imageUpdateArgs.signingKeySecret == "" {
+		return fmt.Errorf("--signing-key-type requires --signing-key-secret")
+	}
+	if imageUpdateArgs.signingKeyType != "" &&
+		imageUpdateArgs.signingKeyType != string(autov1.SigningKeyTypeGPG) &&
+		imageUpdateArgs.signingKeyType != string(autov1.SigningKeyTypeSSH) {
+		return fmt.Errorf("--signing-key-type must be one of: gpg, ssh")
+	}
+
 	labels, err := parseLabels()
 	if err != nil {
 		return err
@@ -163,6 +177,17 @@ func createImageUpdateRun(cmd *cobra.Command, args []string) error {
 		}
 	}

+	if imageUpdateArgs.signingKeySecret != "" {
+		keyType := imageUpdateArgs.signingKeyType
+		if keyType == "" {
+			keyType = string(autov1.SigningKeyTypeGPG)
+		}
+		update.Spec.GitSpec.Commit.SigningKey = &autov1.SigningKey{
+			SecretRef: meta.LocalObjectReference{Name: imageUpdateArgs.signingKeySecret},
+			Type:      autov1.SigningKeyType(keyType),
+		}
+	}
+
 	if createArgs.export {
 		return printExport(exportImageUpdate(&update))
 	}