Add verification failed reason

api/v1alpha1/condition_types.go

@@ -65,4 +65,8 @@ const (
 	// AuthenticationFailedReason represents the fact that a given secret does not
 	// have the required fields or the provided credentials do not match.
 	AuthenticationFailedReason string = "AuthenticationFailed"
+
+	// VerificationFailedReason represents the fact that the cryptographic provenance
+	// verification for the source failed.
+	VerificationFailedReason string = "VerificationFailed"
 )

api/v1alpha1/gitrepository_types.go

@@ -80,7 +80,7 @@ type GitRepositoryVerification struct {
 	SecretRef corev1.LocalObjectReference `json:"secretRef,omitempty"`
 }
 
-// GitRepositoryStatus defines the observed state of Git repository.
+// GitRepositoryStatus defines the observed state of a Git repository.
 type GitRepositoryStatus struct {
 	// +optional
 	Conditions []SourceCondition `json:"conditions,omitempty"`

config/crd/bases/source.fluxcd.io_gitrepositories.yaml

@@ -87,10 +87,12 @@ spec:
               pattern: ^(http|https|ssh)://
               type: string
             verify:
-              description: Verify PGP signature for the commit that HEAD points to.
+              description: Verify OpenPGP signature for the commit that HEAD points
+                to.
               properties:
                 mode:
-                  description: Mode describes what git object should be verified.
+                  description: Mode describes what git object should be verified,
+                    currently ('head').
                   enum:
                   - head
                   type: string
@@ -111,7 +113,7 @@ spec:
           - url
           type: object
         status:
-          description: GitRepositoryStatus defines the observed state of the GitRepository.
+          description: GitRepositoryStatus defines the observed state of a Git repository.
           properties:
             artifact:
               description: Artifact represents the output of the last successful repository

controllers/gitrepository_controller.go

@@ -271,7 +271,7 @@ func (r *GitRepositoryReconciler) sync(ctx context.Context, repository sourcev1.
 
 		if commit.PGPSignature == "" {
 			err = fmt.Errorf("PGP signature not found for commit '%s'", ref.Hash())
-			return sourcev1.GitRepositoryNotReady(repository, sourcev1.GitOperationFailedReason, err.Error()), err
+			return sourcev1.GitRepositoryNotReady(repository, sourcev1.VerificationFailedReason, err.Error()), err
 		}
 
 		name := types.NamespacedName{
@@ -283,7 +283,7 @@ func (r *GitRepositoryReconciler) sync(ctx context.Context, repository sourcev1.
 		err = r.Client.Get(ctx, name, &secret)
 		if err != nil {
 			err = fmt.Errorf("PGP public keys secret error: %w", err)
-			return sourcev1.GitRepositoryNotReady(repository, sourcev1.GitOperationFailedReason, err.Error()), err
+			return sourcev1.GitRepositoryNotReady(repository, sourcev1.VerificationFailedReason, err.Error()), err
 		}
 
 		var verified bool
@@ -296,7 +296,7 @@ func (r *GitRepositoryReconciler) sync(ctx context.Context, repository sourcev1.
 
 		if !verified {
 			err = fmt.Errorf("PGP signature of '%s' can't be verified", commit.Author)
-			return sourcev1.GitRepositoryNotReady(repository, sourcev1.GitOperationFailedReason, err.Error()), err
+			return sourcev1.GitRepositoryNotReady(repository, sourcev1.VerificationFailedReason, err.Error()), err
 		}
 	}