mirror of
https://github.com/argoproj/argo-cd
synced 2026-04-21 17:07:16 +00:00
be718e2b61
* Add initial primitives and tests for GPG related operations * More tests and test documentation * Move gpg primitives to own module * Add initial primitives for running git verify-commit and tests * Improve and better comment test * Implement VerifyCommitSignature() primitive for metrics wrapper * More commentary * Make reposerver verify gpg signatures when generating manifests * Make signature validation optional * Forbid use of local manifests when signature verification is enabled * Introduce new signatureKeys field in project CRD * Initial support for only syncing against signed revisions * Updates to GnuPG primitives and more test cases * Move signature verification to correct place and add tests * Add signature verification result to revision metadata and display it in UI * Add more primitives and move out some stuff to common module * Add more testdata * Add key management primitives to ArgoDB * Move type GnuPGPublicKey to appsv1 package * Add const ArgoCDGPGKeysConfigMapName * Handle key operations with appsv1.GnuPGPublicKey * Add initial API for managing GPG keys * Remove deprecated code * Add primitives for adding public keys to configuration * Change semantics of ValidateGPGKeys to return more key information * Add key import functionality to public key API * Fix code quirks reported by linter * More code quirks fixes * Fix test * Add primitives for deleting keys from configuration * Add delete key operation to API and CLI * Cosmetics * Implement logic to sync configuration to keyring in repo-server * Add IsGPGEnabled() primitive and also update trustdb on ownertrust changes * Use gpg.IsGPGEnabled() instead of custom test * Remove all keyring manipulating methods from DB * Cosmetics/comments * Require grpc methods from argoproj pkg * Enable setting config path via ARGOCD_GPG_DATA_PATH * Allow "no" and any cases in ARGOCD_GPG_ENABLED * Enable GPG feature on start and start-e2e and set required environment * Cosmetics/comments * Cosmetics and commentary * Update API documentation * Fix comment * Only run GPG related operations if GPG is enabled * Allow setting ARGOCD_GPG_ENABLE from the environment * Create GPG ConfigMap resource during installation * Use function instead of constant to get the watcher path * Re-watch source path in case it gets recreated. Also, error on finish * Add End-to-End tests for GPG commit verification * Introduce SignatureKey type for AppProject CRD * Fix merge error from previous commit * Adapt test for additional manifest (argocd-gpg-keys-cm.yaml) * Fix linter issues * Adapt CircleCI configuration to enable running tests * Add wrapper scripts for git and gpg * Sigh. * Display gpg version in CircleCI * Install gnupg2 and link it to gpg in CI * Try to install gnupg2 in CircleCI image * More CircleCI tweaks * # This is a combination of 10 commits. # This is the 1st commit message: Containerize tests - test cycle # This is the commit message #2: adapt working directory # This is the commit message #3: Build before running tests (so we might have a cache) # This is the commit message #4: Test limiting parallelism # This is the commit message #5: Remove unbound variable # This is the commit message #6: Decrease parallelism to find out limit # This is the commit message #7: Use correct flag # This is the commit message #8: Update Docker image # This is the commit message #9: Remove build phase and increase parallelism # This is the commit message #10: Further increase parallelism * Dockerize toolchain * Add new targets to Makefile * Codegen * Properly handle permissions for E2E tests * Remove gnupg2 installation from CircleCI configuration * Limit parallelism of build * Fix Yarn lint * Retrigger CI for possible flaky test * Codegen * Remove duplicate target in Makefile * Pull in pager from dep ensure -v * Adapt to gitops-engine changes and codegen * Use new health package for health status constants * Add GPG methods to ArgoDB mock module * Fix possible nil pointer dereference * Fix linter issue in imports * Introduce RBAC resource type 'gpgkeys' and adapt policies * Use ARGOCD_GNUPGHOME instead of GNUPGHOME for subsystem configuration Also remove some deprecated unit tests. * Also register GPG keys API with gRPC-GW * Update from codegen * Update GPG key API * Add web UI to manage GPG keys * Lint updates * Change wording * Add some plausibility checks for supplied data on key creation * Update from codegen * Re-allow binary keys and move check for ASCII armoured to UI * Make yarn lint happy * Add editing signature keys for projects in UI * Add ability to configure signature keys for project in CLI * Change default value to use for GNUPGHOME * Do not include data section in default gpg keys CM * Adapt Docker image for GnuPG feature * Add required configuration to installation manifests * Add add-signature-key and remove-signature-key commands to project CLI * Fix typo * Add initial user documentation for GnuPG verification * Fix role name - oops * Mention required RBAC roles in docs * Support GPG verification of git annotated tags as well * Ensure CLI can build succesfully * Better support verification on tags * Print key type in upper case * Update user documentation * Correctly disable GnuPG verification if ARGOCD_GPG_ENABLE=false * Clarify that this feature is only available with Git repositories * codegen * Move verification code to own function * Remove deprecated check * Make things more developer friendly when running locally * Enable GPG feature by default, and don't require ARGOCD_GNUPGHOME to be set * Revert changes to manifests to reflect default enable state * Codegen
162 lines
5.3 KiB
Go
162 lines
5.3 KiB
Go
package commands
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"os"
|
|
"strings"
|
|
"text/tabwriter"
|
|
|
|
"github.com/argoproj/gitops-engine/pkg/utils/errors"
|
|
argoio "github.com/argoproj/gitops-engine/pkg/utils/io"
|
|
"github.com/spf13/cobra"
|
|
|
|
argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
|
|
gpgkeypkg "github.com/argoproj/argo-cd/pkg/apiclient/gpgkey"
|
|
appsv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
|
|
)
|
|
|
|
// NewGPGCommand returns a new instance of an `argocd repo` command
|
|
func NewGPGCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
|
|
var command = &cobra.Command{
|
|
Use: "gpg",
|
|
Short: "Manage GPG keys used for signature verification",
|
|
Run: func(c *cobra.Command, args []string) {
|
|
c.HelpFunc()(c, args)
|
|
os.Exit(1)
|
|
},
|
|
Example: ``,
|
|
}
|
|
command.AddCommand(NewGPGListCommand(clientOpts))
|
|
command.AddCommand(NewGPGGetCommand(clientOpts))
|
|
command.AddCommand(NewGPGAddCommand(clientOpts))
|
|
command.AddCommand(NewGPGDeleteCommand(clientOpts))
|
|
return command
|
|
}
|
|
|
|
// NewGPGListCommand lists all configured public keys from the server
|
|
func NewGPGListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
|
|
var (
|
|
output string
|
|
)
|
|
var command = &cobra.Command{
|
|
Use: "list",
|
|
Short: "List configured GPG public keys",
|
|
Run: func(c *cobra.Command, args []string) {
|
|
conn, gpgIf := argocdclient.NewClientOrDie(clientOpts).NewGPGKeyClientOrDie()
|
|
defer argoio.Close(conn)
|
|
keys, err := gpgIf.List(context.Background(), &gpgkeypkg.GnuPGPublicKeyQuery{})
|
|
errors.CheckError(err)
|
|
switch output {
|
|
case "yaml", "json":
|
|
err := PrintResourceList(keys.Items, output, false)
|
|
errors.CheckError(err)
|
|
case "wide", "":
|
|
printKeyTable(keys.Items)
|
|
default:
|
|
errors.CheckError(fmt.Errorf("unknown output format: %s", output))
|
|
}
|
|
},
|
|
}
|
|
command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide")
|
|
return command
|
|
}
|
|
|
|
// NewGPGGetCommand retrieves a single public key from the server
|
|
func NewGPGGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
|
|
var (
|
|
output string
|
|
)
|
|
var command = &cobra.Command{
|
|
Use: "get KEYID",
|
|
Short: "Get the GPG public key with ID <KEYID> from the server",
|
|
Run: func(c *cobra.Command, args []string) {
|
|
if len(args) != 1 {
|
|
errors.CheckError(fmt.Errorf("Missing KEYID argument"))
|
|
}
|
|
conn, gpgIf := argocdclient.NewClientOrDie(clientOpts).NewGPGKeyClientOrDie()
|
|
defer argoio.Close(conn)
|
|
key, err := gpgIf.Get(context.Background(), &gpgkeypkg.GnuPGPublicKeyQuery{KeyID: args[0]})
|
|
errors.CheckError(err)
|
|
switch output {
|
|
case "yaml", "json":
|
|
err := PrintResourceList(key, output, false)
|
|
errors.CheckError(err)
|
|
case "wide", "":
|
|
fmt.Printf("Key ID: %s\n", key.KeyID)
|
|
fmt.Printf("Key fingerprint: %s\n", key.Fingerprint)
|
|
fmt.Printf("Key subtype: %s\n", strings.ToUpper(key.SubType))
|
|
fmt.Printf("Key owner: %s\n", key.Owner)
|
|
fmt.Printf("Key data follows until EOF:\n%s\n", key.KeyData)
|
|
default:
|
|
errors.CheckError(fmt.Errorf("unknown output format: %s", output))
|
|
}
|
|
},
|
|
}
|
|
command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide")
|
|
return command
|
|
}
|
|
|
|
// NewGPGAddCommand adds a public key to the server's configuration
|
|
func NewGPGAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
|
|
var (
|
|
fromFile string
|
|
)
|
|
var command = &cobra.Command{
|
|
Use: "add",
|
|
Short: "Adds a GPG public key to the server's keyring",
|
|
Run: func(c *cobra.Command, args []string) {
|
|
if fromFile == "" {
|
|
errors.CheckError(fmt.Errorf("--from is mandatory"))
|
|
}
|
|
keyData, err := ioutil.ReadFile(fromFile)
|
|
if err != nil {
|
|
errors.CheckError(err)
|
|
}
|
|
conn, gpgIf := argocdclient.NewClientOrDie(clientOpts).NewGPGKeyClientOrDie()
|
|
defer argoio.Close(conn)
|
|
resp, err := gpgIf.Create(context.Background(), &gpgkeypkg.GnuPGPublicKeyCreateRequest{Publickey: &appsv1.GnuPGPublicKey{KeyData: string(keyData)}})
|
|
errors.CheckError(err)
|
|
fmt.Printf("Created %d key(s) from input file", len(resp.Created.Items))
|
|
if len(resp.Skipped) > 0 {
|
|
fmt.Printf(", and %d key(s) were skipped because they exist already", len(resp.Skipped))
|
|
}
|
|
fmt.Printf(".\n")
|
|
},
|
|
}
|
|
command.Flags().StringVarP(&fromFile, "from", "f", "", "Path to the file that contains the GPG public key to import")
|
|
return command
|
|
|
|
}
|
|
|
|
// NewGPGDeleteCommand removes a key from the server's keyring
|
|
func NewGPGDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
|
|
var command = &cobra.Command{
|
|
Use: "rm KEYID",
|
|
Short: "Removes a GPG public key from the server's keyring",
|
|
Run: func(c *cobra.Command, args []string) {
|
|
if len(args) != 1 {
|
|
errors.CheckError(fmt.Errorf("Missing KEYID argument"))
|
|
}
|
|
conn, gpgIf := argocdclient.NewClientOrDie(clientOpts).NewGPGKeyClientOrDie()
|
|
defer argoio.Close(conn)
|
|
_, err := gpgIf.Delete(context.Background(), &gpgkeypkg.GnuPGPublicKeyQuery{KeyID: args[0]})
|
|
errors.CheckError(err)
|
|
fmt.Printf("Deleted key with key ID %s\n", args[0])
|
|
},
|
|
}
|
|
return command
|
|
|
|
}
|
|
|
|
// Print table of certificate info
|
|
func printKeyTable(keys []appsv1.GnuPGPublicKey) {
|
|
w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
|
|
fmt.Fprintf(w, "KEYID\tTYPE\tIDENTITY\n")
|
|
|
|
for _, k := range keys {
|
|
fmt.Fprintf(w, "%s\t%s\t%s\n", k.KeyID, strings.ToUpper(k.SubType), k.Owner)
|
|
}
|
|
_ = w.Flush()
|
|
}
|