[WIP] Add guide to setup GPG commit verification #409

Open · wants to merge 1 commit into base: main
70 changes: 70 additions & 0 deletions content/en/docs/guides/commit-signature-verification.md
@@ -0,0 +1,70 @@
---
title: "Setup GPG commit verification"
linkTitle: "Setup GPG commit verification"
description: "Configure GPG commit verification to add another layer of security in case of compromised GitOps repository"
weight: 100
---

You may want to add another layer of security in case your GitOps repository is compromised.
With commit signature verification, commits must be [signed](https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work) using an authorized GPG key to be applied to the cluster.

## Prerequisites

To follow this guide you'll need a Kubernetes cluster with the GitOps
toolkit controllers installed on it.
Please see the [get started guide](../get-started/index.md)
or the [installation guide](../installation/).

## Import your GPG public keys as Secret

In order to verify commit signatures, the source controller needs to have GPG **public** keys.

Create a `flux-gpg-pubkeys` secret:

```yaml
apiVersion: v1
kind: Secret
metadata:
name: flux-gpg-pubkeys
namespace: flux-system
data:
my_key.asc: <YOUR KEY IN BASE64>
```
Note: You can add multiple keys

Your GPG key may be exported as one-line base64 string using:

```sh
gpg --armor --export <KEY_ID> | base64 -w 0
```

## Configure GOTK to verify commit signature

You have to [customize flux manifests](../installation/#customize-flux-manifests) to enable signature verification.

Create a patch as `gpg-commit-verification.yaml` in `flux-system` directory:

```yaml
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
name: flux-system
namespace: flux-system
spec:
verify:
mode: head
secretRef:
name: flux-gpg-pubkeys
```

Include this patch using `patchesStrategicMerge` in `kustomization.yaml`:

```yaml
patchesStrategicMerge:
- gpg-commit-verification.yaml
```

Commit and push your changes.

Future commits must now be signed.
If a commit is not signed, it will not be applied to the cluster (an error will be showed in source controller logs)
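Review bot: "Commit and push your changes" (the line after the `patchesStrategicMerge` snippet) should say that this commit itself, and every commit after it, must be signed with one of the keys imported into `flux-gpg-pubkeys`: once the patched `GitRepository` is applied, the source controller verifies the signature on the current HEAD, so an unsigned enabling commit fails verification right after it lands, and the guide currently only warns about "future commits". Smaller points: "an error will be showed" should read "an error will be shown"; `title` and `linkTitle` use the noun "Setup" where the verb "Set up" is meant; the note "You can add multiple keys" could state that each key is its own entry under `data` (one file name per key); and since the key is placed under `data` it has to be base64 already, which the `gpg --armor --export <KEY_ID> | base64 -w 0` line provides, but pointing out that `stringData` accepts the armored key as-is would save readers that step.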