From 90d37cbf65ce1fefca87db2186bda94aafaa9724 Mon Sep 17 00:00:00 2001
From: Matheus Pimenta <matheuscscp@gmail.com>
Date: Sun, 15 Oct 2023 01:25:34 +0100
Subject: [PATCH] Add CLI flag for OCIRepo verify secret

Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
---
 cmd/flux/create_source_oci.go                | 38 +++++++++----
 internal/flags/source_oci_verify_provider.go | 58 ++++++++++++++++++++
 2 files changed, 86 insertions(+), 10 deletions(-)
 create mode 100644 internal/flags/source_oci_verify_provider.go

diff --git a/cmd/flux/create_source_oci.go b/cmd/flux/create_source_oci.go
index 5d6a5f95f2..2e24c97ec2 100644
--- a/cmd/flux/create_source_oci.go
+++ b/cmd/flux/create_source_oci.go
@@ -51,16 +51,18 @@ var createSourceOCIRepositoryCmd = &cobra.Command{
 }
 
 type sourceOCIRepositoryFlags struct {
-	url            string
-	tag            string
-	semver         string
-	digest         string
-	secretRef      string
-	serviceAccount string
-	certSecretRef  string
-	ignorePaths    []string
-	provider       flags.SourceOCIProvider
-	insecure       bool
+	url             string
+	tag             string
+	semver          string
+	digest          string
+	secretRef       string
+	serviceAccount  string
+	certSecretRef   string
+	verifyProvider  flags.SourceOCIVerifyProvider
+	verifySecretRef string
+	ignorePaths     []string
+	provider        flags.SourceOCIProvider
+	insecure        bool
 }
 
 var sourceOCIRepositoryArgs = newSourceOCIFlags()
@@ -80,6 +82,8 @@ func init() {
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.secretRef, "secret-ref", "", "the name of the Kubernetes image pull secret (type 'kubernetes.io/dockerconfigjson')")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.serviceAccount, "service-account", "", "the name of the Kubernetes service account that refers to an image pull secret")
 	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.certSecretRef, "cert-ref", "", "the name of a secret to use for TLS certificates")
+	createSourceOCIRepositoryCmd.Flags().Var(&sourceOCIRepositoryArgs.verifyProvider, "verify-provider", sourceOCIRepositoryArgs.verifyProvider.Description())
+	createSourceOCIRepositoryCmd.Flags().StringVar(&sourceOCIRepositoryArgs.verifySecretRef, "verify-secret-ref", "", "the name of a secret to use for signature verification")
 	createSourceOCIRepositoryCmd.Flags().StringSliceVar(&sourceOCIRepositoryArgs.ignorePaths, "ignore-paths", nil, "set paths to ignore resources (can specify multiple paths with commas: path1,path2)")
 	createSourceOCIRepositoryCmd.Flags().BoolVar(&sourceOCIRepositoryArgs.insecure, "insecure", false, "for when connecting to a non-TLS registries over plain HTTP")
 
@@ -156,6 +160,20 @@ func createSourceOCIRepositoryCmdRun(cmd *cobra.Command, args []string) error {
 		}
 	}
 
+	if secretName := sourceOCIRepositoryArgs.verifySecretRef; secretName != "" {
+		provider := sourceOCIRepositoryArgs.verifyProvider.String()
+		if provider == "" {
+			return fmt.Errorf("a provider must be specified for signature verification")
+		}
+
+		repository.Spec.Verify = &sourcev1.OCIRepositoryVerification{
+			Provider: sourceOCIRepositoryArgs.verifyProvider.String(),
+			SecretRef: &meta.LocalObjectReference{
+				Name: secretName,
+			},
+		}
+	}
+
 	if createArgs.export {
 		return printExport(exportOCIRepository(repository))
 	}
diff --git a/internal/flags/source_oci_verify_provider.go b/internal/flags/source_oci_verify_provider.go
new file mode 100644
index 0000000000..12122fe4fc
--- /dev/null
+++ b/internal/flags/source_oci_verify_provider.go
@@ -0,0 +1,58 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package flags
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/fluxcd/flux2/v2/internal/utils"
+)
+
+var supportedSourceOCIVerifyProviders = []string{
+	"cosign",
+}
+
+type SourceOCIVerifyProvider string
+
+func (p *SourceOCIVerifyProvider) String() string {
+	return string(*p)
+}
+
+func (p *SourceOCIVerifyProvider) Set(str string) error {
+	if strings.TrimSpace(str) == "" {
+		return fmt.Errorf("no source OCI verify provider given, please specify %s",
+			p.Description())
+	}
+	if !utils.ContainsItemString(supportedSourceOCIVerifyProviders, str) {
+		return fmt.Errorf("source OCI verify provider '%s' is not supported, must be one of: %v",
+			str, strings.Join(supportedSourceOCIVerifyProviders, ", "))
+	}
+	*p = SourceOCIVerifyProvider(str)
+	return nil
+}
+
+func (p *SourceOCIVerifyProvider) Type() string {
+	return "sourceOCIVerifyProvider"
+}
+
+func (p *SourceOCIVerifyProvider) Description() string {
+	return fmt.Sprintf(
+		"the OCI verify provider name, available options are: (%s)",
+		strings.Join(supportedSourceOCIVerifyProviders, ", "),
+	)
+}