Add PGP signature verification to API

api/v1alpha1/gitrepository_types.go

@@ -44,6 +44,10 @@ type GitRepositorySpec struct {
 	// master branch.
 	// +optional
 	Reference *GitRepositoryRef `json:"ref,omitempty"`
+
+	// Verify PGP signature for the commit that HEAD points to.
+	// +optional
+	Verification *GitRepositoryVerification `json:"verify,omitempty"`
 }
 
 // GitRepositoryRef defines the git ref used for pull and checkout operations.
@@ -67,6 +71,17 @@ type GitRepositoryRef struct {
 }
 
 // GitRepositoryStatus defines the observed state of the GitRepository.
+// GitRepositoryVerification defines the GPG signature verification process
+type GitRepositoryVerification struct {
+	// Mode describes what git object should be verified.
+	// +kubebuilder:validation:Enum=head
+	Mode string `json:"mode"`
+
+	// The secret name containing the public keys of all trusted git authors.
+	SecretRef corev1.LocalObjectReference `json:"secretRef,omitempty"`
+}
+
+// GitRepositoryStatus defines the observed state of GitRepository
 type GitRepositoryStatus struct {
 	// +optional
 	Conditions []SourceCondition `json:"conditions,omitempty"`

api/v1alpha1/zz_generated.deepcopy.go

@@ -129,6 +129,11 @@ func (in *GitRepositorySpec) DeepCopyInto(out *GitRepositorySpec) {
 		*out = new(GitRepositoryRef)
 		**out = **in
 	}
+	if in.Verification != nil {
+		in, out := &in.Verification, &out.Verification
+		*out = new(GitRepositoryVerification)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitRepositorySpec.
@@ -168,6 +173,22 @@ func (in *GitRepositoryStatus) DeepCopy() *GitRepositoryStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitRepositoryVerification) DeepCopyInto(out *GitRepositoryVerification) {
+	*out = *in
+	out.SecretRef = in.SecretRef
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitRepositoryVerification.
+func (in *GitRepositoryVerification) DeepCopy() *GitRepositoryVerification {
+	if in == nil {
+		return nil
+	}
+	out := new(GitRepositoryVerification)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HelmChart) DeepCopyInto(out *HelmChart) {
 	*out = *in

config/crd/bases/source.fluxcd.io_gitrepositories.yaml

@@ -86,6 +86,26 @@ spec:
               description: The repository URL, can be a HTTP or SSH address.
               pattern: ^(http|https|ssh)://
               type: string
+            verify:
+              description: Verify PGP signature for the commit that HEAD points to.
+              properties:
+                mode:
+                  description: Mode describes what git object should be verified.
+                  enum:
+                  - head
+                  type: string
+                secretRef:
+                  description: The secret name containing the public keys of all trusted
+                    git authors.
+                  properties:
+                    name:
+                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        TODO: Add other useful fields. apiVersion, kind, uid?'
+                      type: string
+                  type: object
+              required:
+              - mode
+              type: object
           required:
           - interval
           - url