DevFW-CICD/argocd-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(argocd-image-updater): add ssh signing key support to deployment, updated README with instructions to add SSH keys for signing

Browse source 
Signed-off-by: Dustin Lactin <dustin.lactin@gmail.com>
This commit is contained in:
Dustin Lactin 2024-05-13 14:03:36 -06:00
parent 510261328f
commit 2e22efe7e1
No known key found for this signature in database
GPG key ID: 236126B17DE46989
5 changed files with 146 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
charts/argocd-image-updater/Chart.yaml
View file

@ -2,7 +2,7 @@ apiVersion: v2
name: argocd-image-updater name: argocd-image-updater
description: A Helm chart for Argo CD Image Updater, a tool to automatically update the container images of Kubernetes workloads which are managed by Argo CD description: A Helm chart for Argo CD Image Updater, a tool to automatically update the container images of Kubernetes workloads which are managed by Argo CD
type: application type: application
version: 0.9.7 version: 0.9.8
appVersion: v0.12.2 appVersion: v0.12.2
home: https://github.com/argoproj-labs/argocd-image-updater home: https://github.com/argoproj-labs/argocd-image-updater
icon: https://argocd-image-updater.readthedocs.io/en/stable/assets/logo.png icon: https://argocd-image-updater.readthedocs.io/en/stable/assets/logo.png
@ -20,3 +20,5 @@ annotations:
artifacthub.io/changes: | artifacthub.io/changes: |
- kind: added - kind: added
description: Allow defining extraEnvFrom for the deployment description: Allow defining extraEnvFrom for the deployment
- kind: added
description: Added optional environment variables for commit signing configuration

62
charts/argocd-image-updater/README.md
View file

@ -64,6 +64,68 @@ If you need support for ECR, you can reference this issue, [Support ECR authenti
The `config.registries` value can be used exactly as it looks in the documentation as it gets dumped directly into a configmap in this chart. The `config.registries` value can be used exactly as it looks in the documentation as it gets dumped directly into a configmap in this chart.
### Commit Signing
Commit signing requires the repository be accessed using HTTPS or SSH with a user account.
Repositories accessed using a GitHub App can not be verified when using the git command line at this time.
Each Git commit associated with an author's name and email address can be signed via a public SSH key or GPG key.
Commit signing requires a bot account with a GPG or SSH key and the username and email address configured to match the bot account.
Commit Sign Off can be enabled by setting `git.commit-sign-off: "true"`
**SSH:**
Both private and public keys must be mounted and accessible on the `argocd-image-updater` pod.
Set `git.commit-signing-key` `argocd-image-updater-config` ConfigMap to the path of your public key:
```yaml
data:
git.commit-sign-off: "true"
git.commit-signing-key: /app/.ssh/id_rsa.pub
```
The matching private key must be available in the same location.
Create a new SSH secret or add the public key to your existing SSH secret:
```bash
kubectl -n argocd-image-updater create secret generic ssh-git-creds \
--from-file=sshPrivateKey=~/.ssh/id_rsa \
--from-file=sshPublicKey=~/.ssh/id_rsa.pub
```
**GPG:**
The GPG private key must be installed and available in the `argocd-image-updater` pod.
Set `git.commit-signing-key` in the `argocd-image-updater-config` ConfigMap to the GPG key ID you want to use:
```yaml
data:
git.commit-sign-off: "true"
git.commit-signing-key: 3AA5C34371567BD2
```
Volume configuration must be added to mount your SSH signing keys:
```yaml
volumeMounts:
- name: ssh-signing-key
mountPath: /app/.ssh/id_rsa
readOnly: true
subPath: sshPrivateKey
- name: ssh-signing-key
mountPath: /app/.ssh/id_rsa.pub
readOnly: true
subPath: sshPublicKey
volumes:
- name: ssh-signing-key
secret:
secretName: ssh-git-creds
optional: true
```
## Values ## Values
| Key | Type | Default | Description | | Key | Type | Default | Description |

63
charts/argocd-image-updater/README.md.gotmpl
View file

@ -64,6 +64,69 @@ If you need support for ECR, you can reference this issue, [Support ECR authenti
The `config.registries` value can be used exactly as it looks in the documentation as it gets dumped directly into a configmap in this chart. The `config.registries` value can be used exactly as it looks in the documentation as it gets dumped directly into a configmap in this chart.
### Commit Signing
Commit signing requires the repository be accessed using HTTPS or SSH with a user account.
Repositories accessed using a GitHub App can not be verified when using the git command line at this time.
Each Git commit associated with an author's name and email address can be signed via a public SSH key or GPG key.
Commit signing requires a bot account with a GPG or SSH key and the username and email address configured to match the bot account.
Commit Sign Off can be enabled by setting `git.commit-sign-off: "true"`
**SSH:**
Both private and public keys must be mounted and accessible on the `argocd-image-updater` pod.
Set `git.commit-signing-key` `argocd-image-updater-config` ConfigMap to the path of your public key:
```yaml
data:
git.commit-sign-off: "true"
git.commit-signing-key: /app/.ssh/id_rsa.pub
```
The matching private key must be available in the same location.
Create a new SSH secret or add the public key to your existing SSH secret:
```bash
kubectl -n argocd-image-updater create secret generic ssh-git-creds \
--from-file=sshPrivateKey=~/.ssh/id_rsa \
--from-file=sshPublicKey=~/.ssh/id_rsa.pub
```
**GPG:**
The GPG private key must be installed and available in the `argocd-image-updater` pod.
Set `git.commit-signing-key` in the `argocd-image-updater-config` ConfigMap to the GPG key ID you want to use:
```yaml
data:
git.commit-sign-off: "true"
git.commit-signing-key: 3AA5C34371567BD2
```
Volume configuration must be added to mount your SSH signing keys:
```yaml
volumeMounts:
- name: ssh-signing-key
mountPath: /app/.ssh/id_rsa
readOnly: true
subPath: sshPrivateKey
- name: ssh-signing-key
mountPath: /app/.ssh/id_rsa.pub
readOnly: true
subPath: sshPublicKey
volumes:
- name: ssh-signing-key
secret:
secretName: ssh-git-creds
optional: true
```
{{ template "chart.valuesSection" . }} {{ template "chart.valuesSection" . }}
---------------------------------------------- ----------------------------------------------

6
charts/argocd-image-updater/templates/configmap.yaml
View file

@ -27,6 +27,12 @@ data:
{{- with .Values.config.gitCommitMail }} {{- with .Values.config.gitCommitMail }}
git.email: {{ . | quote }} git.email: {{ . | quote }}
{{- end }} {{- end }}
{{- with .Values.config.gitCommitSigningKey }}
git.commit-signing-key: {{ . | quote }}
{{- end }}
{{- with .Values.config.gitCommitSignOff }}
git.commit-sign-off: {{ . | quote }}
{{- end }}
{{- with .Values.config.gitCommitTemplate }} {{- with .Values.config.gitCommitTemplate }}
git.commit-message-template: | git.commit-message-template: |
{{- nindent 4 . }} {{- nindent 4 . }}

12
charts/argocd-image-updater/templates/deployment.yaml
View file

@ -95,6 +95,18 @@ spec:
key: git.email key: git.email
name: argocd-image-updater-config name: argocd-image-updater-config
optional: true optional: true
- name: GIT_COMMIT_SIGNING_KEY
valueFrom:
configMapKeyRef:
key: git.commit-signing-key
name: argocd-image-updater-config
optional: true
- name: GIT_COMMIT_SIGN_OFF
valueFrom:
configMapKeyRef:
key: git.commit-sign-off
name: argocd-image-updater-config
optional: true
- name: IMAGE_UPDATER_KUBE_EVENTS - name: IMAGE_UPDATER_KUBE_EVENTS
valueFrom: valueFrom:
configMapKeyRef: configMapKeyRef: