  1. OpenShift GitOps
  2. GITOPS-3049

AppSet Git Generator Verifies GPG signatures


    • Git generator GPG verification
    • 0% To Do, 0% In Progress, 100% Done
    • Before this feature, users were able to create applications through ApplicationSets without verifying commit signatures. With this feature, users can verify commit signatures for ApplicationSets created using Git generators.
      Note: Signature verification does not work with a templated project field in the ApplicationSet Git generator.
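
The templated-project caveat in the note above can be checked for mechanically. The following is an added example, not code from Argo CD or OpenShift GitOps: it takes already-parsed ApplicationSet manifests and lists those that combine a Git generator with a templated spec.template.spec.project. The function names, the sample manifests and the treatment of Git generators nested under matrix or merge generators are assumptions.

```python
# Added example: flags ApplicationSets whose Git generator output would not be
# signature-verified because template.spec.project is templated.
TEMPLATE_MARKER = "{{"  # both fasttemplate and Go-template modes use {{ ... }}

def has_git_generator(generators):
    """True if any generator, including ones nested in matrix/merge, is a Git generator."""
    for gen in generators or []:
        if "git" in gen:
            return True
        for combinator in ("matrix", "merge"):
            nested = (gen.get(combinator) or {}).get("generators")
            if has_git_generator(nested):  # assumption: nested Git generators count too
                return True
    return False

def unverifiable_appsets(manifests):
    """Return names of ApplicationSets that use a Git generator with a templated project."""
    flagged = []
    for doc in manifests:
        if doc.get("kind") != "ApplicationSet":
            continue
        spec = doc.get("spec") or {}
        project = ((spec.get("template") or {}).get("spec") or {}).get("project", "")
        if has_git_generator(spec.get("generators")) and TEMPLATE_MARKER in str(project):
            flagged.append(doc["metadata"]["name"])
    return flagged

# Constructed sample manifests (already parsed from YAML); names and URLs are made up.
GIT = {"git": {"repoURL": "https://git.example.com/gitops.git", "revision": "HEAD",
               "directories": [{"path": "services/*"}]}}
SAMPLES = [
    {"kind": "ApplicationSet", "metadata": {"name": "fixed-project"},
     "spec": {"generators": [GIT], "template": {"spec": {"project": "signed-only"}}}},
    {"kind": "ApplicationSet", "metadata": {"name": "templated-project"},
     "spec": {"generators": [GIT],
              "template": {"spec": {"project": "{{path.basename}}"}}}},
    {"kind": "ApplicationSet", "metadata": {"name": "nested-git"},
     "spec": {"generators": [{"matrix": {"generators": [GIT, {"list": {"elements": []}}]}}],
              "template": {"spec": {"project": "{{ .team }}"}}}},
    {"kind": "ApplicationSet", "metadata": {"name": "list-only"},
     "spec": {"generators": [{"list": {"elements": [{"team": "a"}]}}],
              "template": {"spec": {"project": "{{team}}"}}}},
]

if __name__ == "__main__":
    for name in unverifiable_appsets(SAMPLES):
        print(f"{name}: Git generator with templated project, signatures not verified")
```
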

      Epic Goal

      The goal of this Epic is for the ApplicationSet Git Generator to verify GPG signatures in the same way that Applications already support this functionality. 

      Why is this important?

      GPG signature verification can be an important part of an organisation’s security posture: 

      • Security features should have parity across all parts of Argo CD; missing this part means that customers have a gap in their security boundary
      • Security is a vital aspect of deployment, especially for enterprise customers, and many industries have regulatory requirements in this area

      One of our customers in the intelligence industry makes use of the GPG support in the other parts of Argo CD. They need the AppSet Git Generator to support it as well. Their broad requirements are:

      • Only deploy code signed by a trusted developer
      • The git server itself doesn’t need to be trusted - they can enforce that the git server only accepts signed commits, but they don’t want to need that as a workaround
      • The cluster that they operate within (build and deploy) is the trust boundary; anything that comes from outside that shouldn’t need to be trusted.

      Their organisation doesn’t require GPG keys as the answer to only deploying trusted commits. However, that’s what they’ve already got working and set up throughout their Argo CD setup and across the rest of the organisation.

      Though they would consider other options in the future, for now I think that adding support for GPG verification in the git generator is the best option. Not only will it help them satisfy their use case and reduce their workflow complexity and overhead, but it will also improve Argo CD and OpenShift GitOps’ security story overall.

      Scenarios

      1. ApplicationSet git generator pointed at their gitops repo creates microservices
      2. The git generator doesn’t validate GPG keys and will (as it is today) deploy unsigned commits to a trusted cluster

      Acceptance Criteria (Mandatory)

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • The Git generator validates GPG keys at or before sync time

      Dependencies (internal and external)

      1. ...

      Open questions:

      Done Checklist

      • Acceptance criteria are met
      • Non-functional properties of the Feature have been validated (such as performance, resource, UX, security or privacy aspects)
      • User Journey automation is delivered
      • Support and SRE teams are provided with enough skills to support the feature in production environment

              isequeir@redhat.com Ishita Sequeira
              halawren@redhat.com Harriet Lawrence