mirror of
https://github.com/argoproj/argo-cd
synced 2026-04-21 17:07:16 +00:00
* Add initial primitives and tests for GPG related operations
* More tests and test documentation
* Move gpg primitives to own module
* Add initial primitives for running git verify-commit and tests
* Improve and better comment test
* Implement VerifyCommitSignature() primitive for metrics wrapper
* More commentary
* Make reposerver verify gpg signatures when generating manifests
* Make signature validation optional
* Forbid use of local manifests when signature verification is enabled
* Introduce new signatureKeys field in project CRD
* Initial support for only syncing against signed revisions
* Updates to GnuPG primitives and more test cases
* Move signature verification to correct place and add tests
* Add signature verification result to revision metadata and display it in UI
* Add more primitives and move out some stuff to common module
* Add more testdata
* Add key management primitives to ArgoDB
* Move type GnuPGPublicKey to appsv1 package
* Add const ArgoCDGPGKeysConfigMapName
* Handle key operations with appsv1.GnuPGPublicKey
* Add initial API for managing GPG keys
* Remove deprecated code
* Add primitives for adding public keys to configuration
* Change semantics of ValidateGPGKeys to return more key information
* Add key import functionality to public key API
* Fix code quirks reported by linter
* More code quirks fixes
* Fix test
* Add primitives for deleting keys from configuration
* Add delete key operation to API and CLI
* Cosmetics
* Implement logic to sync configuration to keyring in repo-server
* Add IsGPGEnabled() primitive and also update trustdb on ownertrust changes
* Use gpg.IsGPGEnabled() instead of custom test
* Remove all keyring manipulating methods from DB
* Cosmetics/comments
* Require grpc methods from argoproj pkg
* Enable setting config path via ARGOCD_GPG_DATA_PATH
* Allow "no" and any cases in ARGOCD_GPG_ENABLED
* Enable GPG feature on start and start-e2e and set required environment
* Cosmetics/comments
* Cosmetics and commentary
* Update API documentation
* Fix comment
* Only run GPG related operations if GPG is enabled
* Allow setting ARGOCD_GPG_ENABLE from the environment
* Create GPG ConfigMap resource during installation
* Use function instead of constant to get the watcher path
* Re-watch source path in case it gets recreated. Also, error on finish
* Add End-to-End tests for GPG commit verification
* Introduce SignatureKey type for AppProject CRD
* Fix merge error from previous commit
* Adapt test for additional manifest (argocd-gpg-keys-cm.yaml)
* Fix linter issues
* Adapt CircleCI configuration to enable running tests
* Add wrapper scripts for git and gpg
* Sigh.
* Display gpg version in CircleCI
* Install gnupg2 and link it to gpg in CI
* Try to install gnupg2 in CircleCI image
* More CircleCI tweaks
* This is a combination of 10 commits:
  1. Containerize tests - test cycle
  2. adapt working directory
  3. Build before running tests (so we might have a cache)
  4. Test limiting parallelism
  5. Remove unbound variable
  6. Decrease parallelism to find out limit
  7. Use correct flag
  8. Update Docker image
  9. Remove build phase and increase parallelism
  10. Further increase parallelism
* Dockerize toolchain
* Add new targets to Makefile
* Codegen
* Properly handle permissions for E2E tests
* Remove gnupg2 installation from CircleCI configuration
* Limit parallelism of build
* Fix Yarn lint
* Retrigger CI for possible flaky test
* Codegen
* Remove duplicate target in Makefile
* Pull in pager from dep ensure -v
* Adapt to gitops-engine changes and codegen
* Use new health package for health status constants
* Add GPG methods to ArgoDB mock module
* Fix possible nil pointer dereference
* Fix linter issue in imports
* Introduce RBAC resource type 'gpgkeys' and adapt policies
* Use ARGOCD_GNUPGHOME instead of GNUPGHOME for subsystem configuration. Also remove some deprecated unit tests.
* Also register GPG keys API with gRPC-GW
* Update from codegen
* Update GPG key API
* Add web UI to manage GPG keys
* Lint updates
* Change wording
* Add some plausibility checks for supplied data on key creation
* Update from codegen
* Re-allow binary keys and move check for ASCII armoured to UI
* Make yarn lint happy
* Add editing signature keys for projects in UI
* Add ability to configure signature keys for project in CLI
* Change default value to use for GNUPGHOME
* Do not include data section in default gpg keys CM
* Adapt Docker image for GnuPG feature
* Add required configuration to installation manifests
* Add add-signature-key and remove-signature-key commands to project CLI
* Fix typo
* Add initial user documentation for GnuPG verification
* Fix role name - oops
* Mention required RBAC roles in docs
* Support GPG verification of git annotated tags as well
* Ensure CLI can build successfully
* Better support verification on tags
* Print key type in upper case
* Update user documentation
* Correctly disable GnuPG verification if ARGOCD_GPG_ENABLE=false
* Clarify that this feature is only available with Git repositories
* codegen
* Move verification code to own function
* Remove deprecated check
* Make things more developer friendly when running locally
* Enable GPG feature by default, and don't require ARGOCD_GNUPGHOME to be set
* Revert changes to manifests to reflect default enable state
* Codegen
244 lines
9.8 KiB
YAML
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    app.kubernetes.io/name: appprojects.argoproj.io
    app.kubernetes.io/part-of: argocd
  name: appprojects.argoproj.io
spec:
  group: argoproj.io
  names:
    kind: AppProject
    listKind: AppProjectList
    plural: appprojects
    shortNames:
    - appproj
    - appprojs
    singular: appproject
  scope: Namespaced
  validation:
    openAPIV3Schema:
      description: 'AppProject provides a logical grouping of applications, providing
        controls for: * where the apps may deploy to (cluster whitelist) * what may
        be deployed (repository whitelist, resource whitelist/blacklist) * who can
        access these applications (roles, OIDC group claims bindings) * and what they
        can do (RBAC policies) * automation access to these roles (JWT tokens)'
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: AppProjectSpec is the specification of an AppProject
          properties:
            clusterResourceWhitelist:
              description: ClusterResourceWhitelist contains list of whitelisted cluster
                level resources
              items:
                description: GroupKind specifies a Group and a Kind, but does not
                  force a version. This is useful for identifying concepts during
                  lookup stages without having partially valid types
                properties:
                  group:
                    type: string
                  kind:
                    type: string
                required:
                - group
                - kind
                type: object
              type: array
            description:
              description: Description contains optional project description
              type: string
            destinations:
              description: Destinations contains list of destinations available for
                deployment
              items:
                description: ApplicationDestination contains deployment destination
                  information
                properties:
                  name:
                    description: Name of the destination cluster which can be used
                      instead of server (url) field
                    type: string
                  namespace:
                    description: Namespace overrides the environment namespace value
                      in the ksonnet app.yaml
                    type: string
                  server:
                    description: Server overrides the environment server value in
                      the ksonnet app.yaml
                    type: string
                type: object
              type: array
            namespaceResourceBlacklist:
              description: NamespaceResourceBlacklist contains list of blacklisted
                namespace level resources
              items:
                description: GroupKind specifies a Group and a Kind, but does not
                  force a version. This is useful for identifying concepts during
                  lookup stages without having partially valid types
                properties:
                  group:
                    type: string
                  kind:
                    type: string
                required:
                - group
                - kind
                type: object
              type: array
            namespaceResourceWhitelist:
              description: NamespaceResourceWhitelist contains list of whitelisted
                namespace level resources
              items:
                description: GroupKind specifies a Group and a Kind, but does not
                  force a version. This is useful for identifying concepts during
                  lookup stages without having partially valid types
                properties:
                  group:
                    type: string
                  kind:
                    type: string
                required:
                - group
                - kind
                type: object
              type: array
            orphanedResources:
              description: OrphanedResources specifies if controller should monitor
                orphaned resources of apps in this project
              properties:
                warn:
                  description: Warn indicates if warning condition should be created
                    for apps which have orphaned resources
                  type: boolean
              type: object
            roles:
              description: Roles are user defined RBAC roles associated with this
                project
              items:
                description: ProjectRole represents a role that has access to a project
                properties:
                  description:
                    description: Description is a description of the role
                    type: string
                  groups:
                    description: Groups are a list of OIDC group claims bound to this
                      role
                    items:
                      type: string
                    type: array
                  jwtTokens:
                    description: JWTTokens are a list of generated JWT tokens bound
                      to this role
                    items:
                      description: JWTToken holds the issuedAt and expiresAt values
                        of a token
                      properties:
                        exp:
                          format: int64
                          type: integer
                        iat:
                          format: int64
                          type: integer
                        id:
                          type: string
                      required:
                      - iat
                      type: object
                    type: array
                  name:
                    description: Name is a name for this role
                    type: string
                  policies:
                    description: Policies stores a list of casbin formatted strings
                      that define access policies for the role in the project
                    items:
                      type: string
                    type: array
                required:
                - name
                type: object
              type: array
            signatureKeys:
              description: List of PGP key IDs that commits to be synced to must be
                signed with
              items:
                description: SignatureKey is the specification of a key required to
                  verify commit signatures with
                properties:
                  keyID:
                    description: The ID of the key in hexadecimal notation
                    type: string
                required:
                - keyID
                type: object
              type: array
            sourceRepos:
              description: SourceRepos contains list of repository URLs which can
                be used for deployment
              items:
                type: string
              type: array
            syncWindows:
              description: SyncWindows controls when syncs can be run for apps in
                this project
              items:
                description: SyncWindow contains the kind, time, duration and attributes
                  that are used to assign the syncWindows to apps
                properties:
                  applications:
                    description: Applications contains a list of applications that
                      the window will apply to
                    items:
                      type: string
                    type: array
                  clusters:
                    description: Clusters contains a list of clusters that the window
                      will apply to
                    items:
                      type: string
                    type: array
                  duration:
                    description: Duration is the amount of time the sync window will
                      be open
                    type: string
                  kind:
                    description: Kind defines if the window allows or blocks syncs
                    type: string
                  manualSync:
                    description: ManualSync enables manual syncs when they would otherwise
                      be blocked
                    type: boolean
                  namespaces:
                    description: Namespaces contains a list of namespaces that the
                      window will apply to
                    items:
                      type: string
                    type: array
                  schedule:
                    description: Schedule is the time the window will begin, specified
                      in cron format
                    type: string
                type: object
              type: array
          type: object
      required:
      - metadata
      - spec
      type: object
  version: v1alpha1
  versions:
  - name: v1alpha1
    served: true
    storage: true
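The commit message above describes the repo-server running `git verify-commit` and refusing to sync a revision unless the signature verifies with one of the keys listed under `spec.signatureKeys[].keyID` in the AppProject. The added example below (editor's illustration, not Argo CD's own code) shows the decision a practitioner has to get right at that point: parse GnuPG's machine-readable `[GNUPG:] ...` status lines, treat anything other than `GOODSIG` (bad signature, expired or revoked key, key not in keyring, no signature at all) as a failure, and compare the signer to the configured key IDs by hex suffix while refusing 8-hex short IDs, which are cheap to collide. The status output, key ID and fingerprint are constructed for the example; the function and type names are the example's own.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// minKeyIDHexLen: a configured keyID must be at least the 16-hex long key ID
// (or the 40-hex fingerprint). 8-hex short IDs are collidable and are rejected.
const minKeyIDHexLen = 16

// VerificationResult summarises what gpg reported for one commit signature.
type VerificationResult struct {
	Status      string // GOODSIG, BADSIG, EXPKEYSIG, REVKEYSIG, EXPSIG, ERRSIG, NO_PUBKEY; "" if unsigned
	KeyID       string // long key ID as printed by gpg, upper case
	Fingerprint string // full fingerprint from the VALIDSIG line, if present
	Identity    string // user ID from the GOODSIG/BADSIG line
	Trust       string // TRUST_* line, recorded for logging only
}

// ParseGPGStatus parses the "[GNUPG:] ..." status lines gpg writes (and that
// `git verify-commit --raw` forwards on stderr); git's human-readable lines are
// skipped. A commit carries one signature, so the last status line seen wins.
func ParseGPGStatus(raw string) VerificationResult {
	var res VerificationResult
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if !strings.HasPrefix(line, "[GNUPG:] ") {
			continue
		}
		f := strings.Fields(strings.TrimPrefix(line, "[GNUPG:] "))
		switch {
		case len(f) == 0:
		case strings.HasPrefix(f[0], "TRUST_"):
			res.Trust = f[0]
		case len(f) < 2:
		case f[0] == "VALIDSIG":
			res.Fingerprint = strings.ToUpper(f[1])
		case f[0] == "ERRSIG" || f[0] == "NO_PUBKEY":
			res.Status, res.KeyID = f[0], strings.ToUpper(f[1])
		case f[0] == "GOODSIG" || f[0] == "BADSIG" || f[0] == "EXPKEYSIG" || f[0] == "REVKEYSIG" || f[0] == "EXPSIG":
			res.Status, res.KeyID = f[0], strings.ToUpper(f[1])
			res.Identity = strings.Join(f[2:], " ")
		}
	}
	return res
}

// normalizeKeyID upper-cases a configured keyID, strips an optional 0x prefix,
// and rejects non-hex or too-short values so a bad config fails closed.
func normalizeKeyID(id string) (string, error) {
	k := strings.TrimPrefix(strings.ToUpper(strings.TrimSpace(id)), "0X")
	if len(k) < minKeyIDHexLen {
		return "", fmt.Errorf("key ID %q too short: need at least %d hex digits", id, minKeyIDHexLen)
	}
	for _, r := range k {
		if !(r >= '0' && r <= '9' || r >= 'A' && r <= 'F') {
			return "", fmt.Errorf("key ID %q is not hexadecimal", id)
		}
	}
	return k, nil
}

// CheckSignature decides whether a revision may be synced: gpg must report a
// GOODSIG and the signer must be one of allowedKeyIDs (the project's
// signatureKeys). Suffix comparison lets a 16-hex long ID in the project match
// the 40-hex fingerprint gpg reports for the same key, and vice versa.
func CheckSignature(allowedKeyIDs []string, gpgStatus string) (VerificationResult, error) {
	res := ParseGPGStatus(gpgStatus)
	switch res.Status {
	case "GOODSIG":
	case "":
		return res, errors.New("revision is not signed")
	case "BADSIG":
		return res, fmt.Errorf("signature by key %s does not verify", res.KeyID)
	case "EXPKEYSIG", "REVKEYSIG", "EXPSIG":
		return res, fmt.Errorf("%s: signature by key %s is expired or revoked", res.Status, res.KeyID)
	default: // ERRSIG, NO_PUBKEY: key not in the keyring, nothing was verified
		return res, fmt.Errorf("%s: key %s unknown, signature could not be checked", res.Status, res.KeyID)
	}
	signer := res.Fingerprint
	if signer == "" {
		signer = res.KeyID
	}
	for _, id := range allowedKeyIDs {
		k, err := normalizeKeyID(id)
		if err != nil {
			return res, err
		}
		if strings.HasSuffix(signer, k) || strings.HasSuffix(k, signer) {
			return res, nil
		}
	}
	return res, fmt.Errorf("signed by %s (%s), not in the project's signatureKeys", signer, res.Identity)
}

// Constructed sample status output (not captured from a real run); the
// fingerprint is made up and its last 16 hex digits are the long key ID.
const sampleGood = `gpg: Signature made Mon May  4 15:00:00 2020 UTC
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.com>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA980123456789ABCDEF 2020-05-04 1588604400 0 4 0 1 8 00 FEDCBA9876543210FEDCBA980123456789ABCDEF
[GNUPG:] TRUST_ULTIMATE 0 pgp
`

const sampleNoPubkey = `[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1588604400 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
`

func main() {
	allowed := []string{"0123456789ABCDEF"} // as it would appear under spec.signatureKeys
	res, err := CheckSignature(allowed, sampleGood)
	fmt.Printf("signed revision: status=%s signer=%s trust=%s err=%v\n", res.Status, res.Fingerprint, res.Trust, err)
	_, err = CheckSignature(allowed, sampleNoPubkey)
	fmt.Println("unknown key:", err)
}
```

Two design points are worth copying: a configured key ID that is not usable (too short, not hex) makes the whole check fail rather than being silently skipped, and the `TRUST_*` line is only recorded, because in this model the keyring holds nothing but the keys an administrator imported, so the project's key list is the trust policy.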