diff --git a/api/v1alpha1/gitrepository_types.go b/api/v1alpha1/gitrepository_types.go
index e63b95ea..286812f7 100644
--- a/api/v1alpha1/gitrepository_types.go
+++ b/api/v1alpha1/gitrepository_types.go
@@ -44,6 +44,10 @@ type GitRepositorySpec struct {
 	// master branch.
 	// +optional
 	Reference *GitRepositoryRef `json:"ref,omitempty"`
+
+	// Verify PGP signature for the commit that HEAD points to.
+	// +optional
+	Verification *GitRepositoryVerification `json:"verify,omitempty"`
 }
 
 // GitRepositoryRef defines the git ref used for pull and checkout operations.
@@ -67,6 +71,17 @@ type GitRepositoryRef struct {
 }
 
 // GitRepositoryStatus defines the observed state of the GitRepository.
+// GitRepositoryVerification defines the GPG signature verification process
+type GitRepositoryVerification struct {
+	// Mode describes what git object should be verified.
+	// +kubebuilder:validation:Enum=head
+	Mode string `json:"mode"`
+
+	// The secret name containing the public keys of all trusted git authors.
+	SecretRef corev1.LocalObjectReference `json:"secretRef,omitempty"`
+}
+
+// GitRepositoryStatus defines the observed state of GitRepository
 type GitRepositoryStatus struct {
 	// +optional
 	Conditions []SourceCondition `json:"conditions,omitempty"`
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 57439315..cabc171b 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -129,6 +129,11 @@ func (in *GitRepositorySpec) DeepCopyInto(out *GitRepositorySpec) {
 		*out = new(GitRepositoryRef)
 		**out = **in
 	}
+	if in.Verification != nil {
+		in, out := &in.Verification, &out.Verification
+		*out = new(GitRepositoryVerification)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitRepositorySpec.
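Review bot: In the second hunk the context line `// GitRepositoryStatus defines the observed state of the GitRepository.` is kept unchanged directly above the added `// GitRepositoryVerification defines the GPG signature verification process`, so the doc comment that godoc and controller-gen attach to GitRepositoryVerification now opens with a sentence about GitRepositoryStatus; that old line should be deleted, since the hunk already adds `// GitRepositoryStatus defines the observed state of GitRepository` above the struct it describes. Separately, `SecretRef corev1.LocalObjectReference` carries the tag `json:"secretRef,omitempty"` with no `+optional` marker, and `omitempty` alone makes controller-gen render the field as optional, which is why the generated CRD in this commit lists only `mode` under `required`; a `verify:` block without a `secretRef` therefore passes admission even though that secret is the only stated source of trusted keys. If verification is only meaningful with a key set, change the tag to `json:"secretRef"` so the schema requires it, or document in the field comment what the controller does when the reference is empty. Note also that `omitempty` has no effect on a struct-typed field in encoding/json, so the current tag does not even omit the empty object on output.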
@@ -168,6 +173,22 @@ func (in *GitRepositoryStatus) DeepCopy() *GitRepositoryStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitRepositoryVerification) DeepCopyInto(out *GitRepositoryVerification) {
+	*out = *in
+	out.SecretRef = in.SecretRef
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitRepositoryVerification.
+func (in *GitRepositoryVerification) DeepCopy() *GitRepositoryVerification {
+	if in == nil {
+		return nil
+	}
+	out := new(GitRepositoryVerification)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HelmChart) DeepCopyInto(out *HelmChart) {
 	*out = *in
diff --git a/config/crd/bases/source.fluxcd.io_gitrepositories.yaml b/config/crd/bases/source.fluxcd.io_gitrepositories.yaml
index 6cd6e1c4..2021a169 100644
--- a/config/crd/bases/source.fluxcd.io_gitrepositories.yaml
+++ b/config/crd/bases/source.fluxcd.io_gitrepositories.yaml
@@ -86,6 +86,26 @@ spec:
               description: The repository URL, can be a HTTP or SSH address.
               pattern: ^(http|https|ssh)://
               type: string
+            verify:
+              description: Verify PGP signature for the commit that HEAD points to.
+              properties:
+                mode:
+                  description: Mode describes what git object should be verified.
+                  enum:
+                  - head
+                  type: string
+                secretRef:
+                  description: The secret name containing the public keys of all trusted
+                    git authors.
+                  properties:
+                    name:
+                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        TODO: Add other useful fields. apiVersion, kind, uid?'
+                      type: string
+                  type: object
+              required:
+              - mode
+              type: object
           required:
           - interval
           - url