gitrepo: add HEAD, Tag, TagAndHEAD as verification modes

Add three new verification modes for `.spec.verify.mode`:
* `HEAD`: Verify the commit that the HEAD of the repo points to after
  checking out to the ref specified in `.spec.ref`. Its the same as
  `head`, which cannot be removed due to backwards compatibility
  reasons and is converted to `HEAD` internally.
* `Tag`: Verify the tag referred to by `.spec.ref.tag`.
* `TagAndHEAD`: Verify the tag referred to by `.spec.ref.tag` and the
  commit that the tag points to.

The default is `HEAD`, to ensure backwards compatibility.

Furthermore, add `.status.sourceVerificationMode` to record the last
successful verification mode used.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>

api/v1/gitrepository_types.go

@@ -38,6 +38,31 @@ const (
 	IncludeUnavailableCondition string = "IncludeUnavailable"
 )
 
+// GitVerificationMode specifies the verification mode for a Git repository.
+type GitVerificationMode string
+
+// Valid checks the validity of the Git verification mode.
+func (m GitVerificationMode) Valid() bool {
+	switch m {
+	case ModeGitHEAD, ModeGitTag, ModeGitTagAndHEAD:
+		return true
+	default:
+		return false
+	}
+}
+
+const (
+	// ModeGitHEAD implies that the HEAD of the Git repository (after it has been
+	// checked out to the required commit) should be verified.
+	ModeGitHEAD GitVerificationMode = "HEAD"
+	// ModeGitTag implies that the tag object specified in the checkout configuration
+	// should be verified.
+	ModeGitTag GitVerificationMode = "Tag"
+	// ModeGitTagAndHEAD implies that both the tag object and the commit it points
+	// to should be verified.
+	ModeGitTagAndHEAD GitVerificationMode = "TagAndHEAD"
+)
+
 // GitRepositorySpec specifies the required configuration to produce an
 // Artifact for a Git repository.
 type GitRepositorySpec struct {
@@ -172,9 +197,15 @@ type GitRepositoryRef struct {
 // GitRepositoryVerification specifies the Git commit signature verification
 // strategy.
 type GitRepositoryVerification struct {
-	// Mode specifies what Git object should be verified, currently ('head').
+	// Mode specifies which Git object(s) should be verified.
-	// +kubebuilder:validation:Enum=head
+	//
-	Mode string `json:"mode"`
+	// The variants "head" and "HEAD" both imply the same thing, i.e. verify
+	// the commit that the HEAD of the Git repository points to. The variant
+	// "head" solely exists to ensure backwards compatibility.
+	// +kubebuilder:validation:Enum=head;HEAD;Tag;TagAndHEAD
+	// +optional
+	// +kubebuilder:default:=HEAD
+	Mode GitVerificationMode `json:"mode,omitempty"`
 
 	// SecretRef specifies the Secret containing the public keys of trusted Git
 	// authors.
@@ -217,6 +248,11 @@ type GitRepositoryStatus struct {
 	// +optional
 	ObservedInclude []GitRepositoryInclude `json:"observedInclude,omitempty"`
 
+	// SourceVerificationMode is the last used verification mode indicating
+	// which Git object(s) have been verified.
+	// +optional
+	SourceVerificationMode *GitVerificationMode `json:"sourceVerificationMode,omitempty"`
+
 	meta.ReconcileRequestStatus `json:",inline"`
 }
 
@@ -252,6 +288,26 @@ func (in *GitRepository) GetArtifact() *Artifact {
 	return in.Status.Artifact
 }
 
+// GetMode returns the declared GitVerificationMode, or a ModeGitHEAD default.
+func (v *GitRepositoryVerification) GetMode() GitVerificationMode {
+	if v.Mode.Valid() {
+		return v.Mode
+	}
+	return ModeGitHEAD
+}
+
+// VerifyHEAD returns if the configured mode instructs verification of the
+// Git HEAD.
+func (v *GitRepositoryVerification) VerifyHEAD() bool {
+	return v.GetMode() == ModeGitHEAD || v.GetMode() == ModeGitTagAndHEAD
+}
+
+// VerifyTag returns if the configured mode instructs verification of the
+// Git tag.
+func (v *GitRepositoryVerification) VerifyTag() bool {
+	return v.GetMode() == ModeGitTag || v.GetMode() == ModeGitTagAndHEAD
+}
+
 // +genclient
 // +genclient:Namespaced
 // +kubebuilder:storageversion

api/v1/zz_generated.deepcopy.go

@@ -232,6 +232,11 @@ func (in *GitRepositoryStatus) DeepCopyInto(out *GitRepositoryStatus) {
 		*out = make([]GitRepositoryInclude, len(*in))
 		copy(*out, *in)
 	}
+	if in.SourceVerificationMode != nil {
+		in, out := &in.SourceVerificationMode, &out.SourceVerificationMode
+		*out = new(GitVerificationMode)
+		**out = **in
+	}
 	out.ReconcileRequestStatus = in.ReconcileRequestStatus
 }
 

config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml

@@ -168,10 +168,16 @@ spec:
                   Git commit signature(s).
                 properties:
                   mode:
-                    description: Mode specifies what Git object should be verified,
+                    default: HEAD
-                      currently ('head').
+                    description: "Mode specifies which Git object(s) should be verified.
+                      \n The variants \"head\" and \"HEAD\" both imply the same thing,
+                      i.e. verify the commit that the HEAD of the Git repository points
+                      to. The variant \"head\" solely exists to ensure backwards compatibility."
                     enum:
                     - head
+                    - HEAD
+                    - Tag
+                    - TagAndHEAD
                     type: string
                   secretRef:
                     description: SecretRef specifies the Secret containing the public
@@ -184,7 +190,6 @@ spec:
                     - name
                     type: object
                 required:
-                - mode
                 - secretRef
                 type: object
             required:
@@ -407,6 +412,10 @@ spec:
                 description: ObservedRecurseSubmodules is the observed resource submodules
                   configuration used to produce the current Artifact.
                 type: boolean
+              sourceVerificationMode:
+                description: SourceVerificationMode is the last used verification
+                  mode indicating which Git object(s) have been verified.
+                type: string
             type: object
         type: object
     served: true

docs/api/v1/source.md

@@ -800,6 +800,21 @@ produce the current Artifact.</p>
 </tr>
 <tr>
 <td>
+<code>sourceVerificationMode</code><br>
+<em>
+<a href="#source.toolkit.fluxcd.io/v1.GitVerificationMode">
+GitVerificationMode
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>SourceVerificationMode is the last used verification mode indicating
+which Git object(s) have been verified.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>ReconcileRequestStatus</code><br>
 <em>
 <a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#ReconcileRequestStatus">
@@ -839,11 +854,17 @@ strategy.</p>
 <td>
 <code>mode</code><br>
 <em>
-string
+<a href="#source.toolkit.fluxcd.io/v1.GitVerificationMode">
+GitVerificationMode
+</a>
 </em>
 </td>
 <td>
-<p>Mode specifies what Git object should be verified, currently (&lsquo;head&rsquo;).</p>
+<em>(Optional)</em>
+<p>Mode specifies which Git object(s) should be verified.</p>
+<p>The variants &ldquo;head&rdquo; and &ldquo;HEAD&rdquo; both imply the same thing, i.e. verify
+the commit that the HEAD of the Git repository points to. The variant
+&ldquo;head&rdquo; solely exists to ensure backwards compatibility.</p>
 </td>
 </tr>
 <tr>
@@ -864,6 +885,14 @@ authors.</p>
 </table>
 </div>
 </div>
+<h3 id="source.toolkit.fluxcd.io/v1.GitVerificationMode">GitVerificationMode
+(<code>string</code> alias)</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#source.toolkit.fluxcd.io/v1.GitRepositoryStatus">GitRepositoryStatus</a>, 
+<a href="#source.toolkit.fluxcd.io/v1.GitRepositoryVerification">GitRepositoryVerification</a>)
+</p>
+<p>GitVerificationMode specifies the verification mode for a Git repository.</p>
 <h3 id="source.toolkit.fluxcd.io/v1.Source">Source
 </h3>
 <p>Source interface must be supported by all API types.