diff --git a/cmd/flux/create_source_oci.go b/cmd/flux/create_source_oci.go
index 5d6a5f95f2..2e24c97ec2 100644
--- a/cmd/flux/create_source_oci.go
+++ b/cmd/flux/create_source_oci.go
@@ -51,16 +51,18 @@ var createSourceOCIRepositoryCmd = &cobra.Command{
 }
 
 type sourceOCIRepositoryFlags struct {
- url string
- tag string
- semver string
- digest string
- secretRef string
- serviceAccount string
- certSecretRef string
- ignorePaths []string
- provider flags.SourceOCIProvider
- insecure bool
+ url string
+ tag string
+ semver string
+ digest string
+ secretRef string
+ serviceAccount string
+ certSecretRef string
+ verifyProvider flags.SourceOCIVerifyProvider
+ verifySecretRef string
+ ignorePaths []string
+ provider flags.SourceOCIProvider
+ insecure bool
 }
 
 var sourceOCIRepositoryArgs = newSourceOCIFlags()
@@ -80,6 +82,8 @@ func init() {
 createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.secretRef, "secret-ref", "", "the name of the Kubernetes image pull secret (type 'kubernetes.io/dockerconfigjson')")
 createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.serviceAccount, "service-account", "", "the name of the Kubernetes service account that refers to an image pull secret")
 createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.certSecretRef, "cert-ref", "", "the name of a secret to use for TLS certificates")
+ createSourceOCIRepositoryCmd.Flags().Var(&sourceOCIRepositoryArgs.verifyProvider, "verify-provider", sourceOCIRepositoryArgs.verifyProvider.Description())
+ createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.verifySecretRef, "verify-secret-ref", "", "the name of a secret to use for signature verification")
 createSourceOCIRepositoryCmd.Flags().StringSliceVar(&sourceOCIRepositoryArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore resources (can specify multiple paths with commas: path1,path2)")
 createSourceOCIRepositoryCmd.Flags().BoolVar(&sourceOCIRepositoryArgs.insecure, "insecure", false, "for when connecting to a non-TLS registries over plain HTTP")
 
@@ -156,6 +160,20 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 }
 }
 
+ if secretName := sourceOCIRepositoryArgs.verifySecretRef; secretName != "" {
+ provider := sourceOCIRepositoryArgs.verifyProvider.String()
+ if provider == "" {
+ return fmt.Errorf("a provider must be specified for signature verification")
+ }
+
+ repository.Spec.Verify = &sourcev1.OCIRepositoryVerification{
+ Provider: sourceOCIRepositoryArgs.verifyProvider.String(),
+ SecretRef: &meta.LocalObjectReference{
+ Name: secretName,
+ },
+ }
+ }
+
 if createArgs.export {
 return printExport(exportOCIRepository(repository))
 }
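Review bot: `--verify-provider` given without `--verify-secret-ref` is silently dropped in createSourceOCIRepositoryCmdRun: the whole `if secretName := ...` block is skipped, so the resulting OCIRepository has no `Spec.Verify` and the user gets no error although they asked for signature verification. Either reject that combination up front, e.g. `if sourceOCIRepositoryArgs.verifyProvider.String() != "" && sourceOCIRepositoryArgs.verifySecretRef == "" { return fmt.Errorf("--verify-secret-ref is required when --verify-provider is set") }`, or build `Spec.Verify` whenever a provider is set and attach `SecretRef` only when a secret was named, if provider-only verification is meant to be supported (the hunk does not show which). Inside the block, `Provider: sourceOCIRepositoryArgs.verifyProvider.String(),` recomputes what the `provider` local already holds and should read `Provider: provider,`. The `--verify-secret-ref` usage string in the init() hunk above could state the coupling, e.g. `"the name of a secret to use for signature verification (requires --verify-provider)"`. The enclosing function starts and ends outside the hunk.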
diff --git a/internal/flags/source_oci_verify_provider.go b/internal/flags/source_oci_verify_provider.go
new file mode 100644
index 0000000000..acd57a9d2f
--- /dev/null
+++ b/internal/flags/source_oci_verify_provider.go
@@ -0,0 +1,58 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package flags
+
+import (
+ "fmt"
+ "strings"
+
+ "github.com/fluxcd/flux2/v2/internal/utils"
+)
+
+var supportedSourceOCIVerifyProviders = []string{
+ "cosign",
+}
+
+type SourceOCIVerifyProvider string
+
+func (p *SourceOCIVerifyProvider) String() string {
+ return string(*p)
+}
+
+func (p *SourceOCIVerifyProvider) Set(str string) error {
+ if strings.TrimSpace(str) == "" {
+ return fmt.Errorf("no source OCI verify provider given, please specify %s",
+ p.Description())
+ }
+ if !utils.ContainsItemString(supportedSourceOCIVerifyProviders, str) {
+ return fmt.Errorf("source OCI verify provider '%s' is not supported, must be one of: %v",
+ str, strings.Join(supportedSourceOCIVerifyProviders, ", "))
+ }
+ *p = SourceOCIVerifyProvider(str)
+ return nil
+}
+
+func (p *SourceOCIVerifyProvider) Type() string {
+ return "sourceOCIVerifyProvider"
+}
+
+func (p *SourceOCIVerifyProvider) Description() string {
+ return fmt.Sprintf(
+ "the OCI verify provider name to use for signature verification, available options are: (%s)",
+ strings.Join(supportedSourceOCIVerifyProviders, ", "),
+ )
+}
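Review bot: The exported type SourceOCIVerifyProvider and its methods String, Set, Type and Description have no doc comments, although Set is the single place where the accepted `--verify-provider` values are enforced. Add `// SourceOCIVerifyProvider is the flag value type for --verify-provider; Set accepts only the names listed in supportedSourceOCIVerifyProviders.` above the type, and one-line comments on the methods (Type returns the type name shown in the flag's usage, Description is the usage text). In Set, `'%s'` around the rejected value is clearer as `%q`, which also keeps an empty or whitespace-only value visible in the message, and `%v` applied to a string is simply `%s`. Set stores `str` verbatim, so a value with surrounding whitespace is rejected by the list check rather than trimmed; worth stating in the comment if that is intended.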