Extends the existing TestExport 'image update' case with a signingKey
block on the seeded ImageUpdateAutomation, asserting the new field
survives the kubeClient.Get + serialize path. Parallels how the
existing fixture exercises every other field on the resource.
Also patches the embedded CRD source under manifests/bases/image-
automation-controller/ to inject the signingKey.type schema property
into both v1 and v1beta2. The patch is transitional and should be
removed once the image-automation-controller release bundle includes
the new type field natively.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Adds golden-file tests for the new --signing-key-secret and
--signing-key-type flags: no-signing (baseline), default-gpg (asserts
type: gpg is rendered explicitly when only the secret is set), ssh,
and the two validation-error cases. Establishes
cmd/flux/testdata/create_image_update/ for future expansion of this
command's coverage.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Closes a pre-existing gap where the ImageUpdateAutomation SigningKey
field was reachable only by hand-editing the rendered YAML. The two
new flags --signing-key-secret and --signing-key-type populate the
spec.git.commit.signingKey block directly.
When --signing-key-secret is set without --signing-key-type, the run
function fills in 'gpg' explicitly so the rendered YAML matches what
the apiserver would default it to. Validation rejects --signing-key-
type without --signing-key-secret and rejects values outside
{gpg, ssh}, using the typed SigningKeyType constants exported from
the image-automation-controller API so the validator and populator
share a single source of truth.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Covers the validation matrix of the new --gpg-* / --ssh-signing-*
surface: mutual exclusion (across GPG/SSH groups and within the SSH
group between --ssh-signing-key-file and --ssh-signing-reuse-private-
key), alias resolution between --ssh-signing-password and
--ssh-signing-passphrase, the dependency checks (--ssh-signing-
password requires --ssh-signing-key-file; --ssh-signing-reuse-
private-key requires --private-key-file), and pre-flight key-parse
failures (malformed PEM, encrypted SSH key without passphrase, GPG
ring with wrong passphrase). Test keys are checked in so the test
does not depend on local ssh-keygen or gpg invocations at run time.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Adds the same explicit-path SSH-signing wiring to flux bootstrap
github / gitlab / gitea / bitbucket-server, consulting the new
effectiveSshSigningPassword helper for the resolved passphrase.
The reuse-path wiring applies only to gitlab and bitbucket-server
(which consume --private-key-file as the SSH transport key). github
and gitea generate the transport key in-process, so they reject
--ssh-signing-reuse-private-key explicitly with a message explaining
why. The reject check fires immediately after each subcommand's
bootstrapOpts slice literal closes, before any conditional appends,
so the failure semantics match the reading order of the code.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Reads --ssh-signing-key-file when set, decodes the file contents,
resolves the effective signing passphrase, and appends
bootstrap.WithSSHCommitSigning to the bootstrap options. When
--ssh-signing-reuse-private-key is set, reads the transport
--private-key-file, pre-flights it against the subcommand-local
gitArgs.password, and reuses the same bytes + passphrase for signing.
The reuse-path pre-flight lives in this subcommand's RunE because
bootstrapValidate does not have access to the transport password.
Mutual exclusion with --gpg-* and explicit-path key-parse validation
are enforced upstream in bootstrapValidate.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Introduces four new persistent flags on flux bootstrap:
--ssh-signing-key-file, --ssh-signing-password, the hidden alias
--ssh-signing-passphrase, and the reuse boolean
--ssh-signing-reuse-private-key. They sit next to the existing
--gpg-key-ring / --gpg-passphrase / --gpg-key-id surface.
bootstrapValidate pre-flights the configured signing key for the
explicit GPG and SSH paths so malformed PEM, wrong passphrases, and
unsupported SSH algorithms surface before any clone runs. The GPG
pre-flight calls the now-exported SelectOpenPGPSigningEntity from
pkg/bootstrap directly, so the pre-flight cannot drift from the
bootstrap commit path. The reuse path's pre-flight runs inside each
subcommand's RunE (where the subcommand-local SSH transport password
is in scope) and lands with the wiring commits that follow.
A small effectiveSshSigningPassword helper resolves the
--ssh-signing-passphrase alias purely (returning the resolved value
or a mutual-exclusion error) instead of mutating the
package-scoped bootstrapArgs singleton inside bootstrapValidate.
Mutual exclusion is enforced between the GPG and SSH groups, and
between --ssh-signing-key-file and --ssh-signing-reuse-private-key.
--ssh-signing-reuse-private-key requires --private-key-file;
--ssh-signing-password requires --ssh-signing-key-file. The
--ssh-signing-passphrase alias is hidden in --help.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Adds two layers of coverage for the SSH commit-signing path that the
previous commit wires through PlainGitBootstrapper.
TestPlainGitBootstrapper_resolveSigner exercises every branch of the
new dispatcher: nil configuration, GPG-only, SSH-only, encrypted-SSH-
without-passphrase failure, and the documented GPG-wins-when-both-
set precedence.
TestPlainGitBootstrapper_sshSignerProducesVerifiableCommit drives an
end-to-end roundtrip: resolveSigner returns an SSH signer, the signer
plugs into repository.WithSigner, gogit.Client.Commit produces a
commit object, and signature.VerifySSHSignature cryptographically
verifies the gpgsig header against the matching authorized_key.
Catches regressions in the SSH-signing wiring that the dispatcher
unit tests would miss.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Bumps fluxcd/pkg/git to v0.52.0, which exposes the generic
signature.Signer interface and the NewOpenPGPSigner / NewSSHSigner
constructors, and migrates pkg/bootstrap's two WithSigner call sites
accordingly.
Adds a parallel WithSSHCommitSigning option alongside the existing
WithGitCommitSigning so callers can sign commits with an SSH private
key. PlainGitBootstrapper now dispatches through a new resolveSigner
helper that returns either an OpenPGP or SSH signer; the
repository.WithSigner option is appended conditionally to avoid the
typed-nil interface hazard the new generic field introduces.
The bootstrap path's OpenPGP entity selector is renamed and exported
as SelectOpenPGPSigningEntity so the flux CLI's pre-flight (introduced
later in this branch) can call it directly instead of carrying a
duplicate.
Also bumps image-automation-controller/api to a pseudo-version that
exposes SigningKey.Type and the SigningKeyTypeGPG/SigningKeyTypeSSH
constants; the bump is bundled here so the rest of the branch builds
incrementally. Refs fluxcd/pkg#398[1].
[1]: https://github.com/fluxcd/pkg/issues/398
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Local container image builds and envtest binaries were pinned to amd64,
forcing emulation (e.g. Rosetta) on Apple Silicon and other arm64 hosts. This
produced amd64 images/test binaries locally, which can surface subtle runtime
bugs. envtest now publishes arm64 binaries (including darwin/arm64), so the
historical amd64 pin (and the Darwin-specific override) is no longer needed.
Derive the architecture from the host Go toolchain (go env GOARCH) so local
builds are native, while keeping both values overridable for cross-arch builds.
Multi-arch release images are built by the fluxcd/gha-workflows release
workflow, not by "make docker-build", so release artifacts are unaffected.
Signed-off-by: leigh capili <leigh@null.net>
Reject HelmRepository source URLs with schemes unsupported by the
source-controller API before generating or applying the object.
Signed-off-by: Immanuel Tikhonov <pchpr.00@list.ru>
Assisted-by: codex/gpt-5
Hidde Beydals