Signing Commits with FluxCD for Image Update Automation
Introduction
By default, the Image Update Automation of FluxCD commits to the configured repository without signing its commits. In this article, I will show you how to configure the GPG signing key that FluxCD uses to sign those commits, with GitHub as the Git host.
Prerequisites
- A K8s cluster.
- Flux System installed. See this article.
- Sealed secrets installed.
- A GitHub account.
Step-by-step Guide
- Generate the GPG key:

    gpg --full-generate-key

  Use your GitHub username and email, select the default key type, set the key size to 4096, and choose no expiration.
- Export the GPG key. To save the public and private keys in the current folder:

    gpg --armor --output pub.asc --export [email protected]
    gpg --armor --output git.asc --export-secret-keys [email protected]
- Add the public GPG key to GitHub:
  Follow this document to add the public key (pub.asc) to your GitHub account.
- Create the secret for the signing key:

    kubectl create secret generic --dry-run=client \
      fluxcd-signing-key \
      --namespace=your_name_space \
      --from-file=git.asc \
      -o yaml | kubeseal --format=yaml > signing-key.sealed-secret.yaml

  Keep the data key named git.asc, because Flux reads the private key from that key of the Secret, and create the secret in the namespace where the ImageUpdateAutomation will live, since secretRef is resolved in that namespace.
- Create the ImageUpdateAutomation. I use mrgitops as the GitHub username and [email protected] as the GitHub email for the ImageUpdateAutomation in the default namespace. Feel free to adjust these to suit your requirements.

    apiVersion: image.toolkit.fluxcd.io/v1beta2
    kind: ImageUpdateAutomation
    metadata:
      name: default
      namespace: default
    spec:
      interval: 1m0s
      sourceRef:
        kind: GitRepository
        name: flux-system
        namespace: flux-system
      git:
        checkout:
          ref:
            branch: main
        commit:
          author:
            email: [email protected]
            name: mrgitops
          signingKey:
            secretRef:
              name: fluxcd-signing-key
          messageTemplate: '{{range .Updated.Images}}{{println .}}{{end}}'
        push:
          branch: main
      update:
        path: ./clusters/pi/default
        strategy: Setters
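The steps above produce three artifacts (the exported key, the sealed Secret and the ImageUpdateAutomation manifest), and the mistakes that silently leave commits unsigned are exporting the public key instead of the private one, renaming the data key away from git.asc, or placing the Secret in a different namespace than the ImageUpdateAutomation. The following pre-flight script is an added example, not part of the original article or of the Flux project; it checks those three conditions on constructed sample files. It relies on two facts about Flux: the private key is read from the Secret's git.asc data key, and secretRef is resolved in the ImageUpdateAutomation's own namespace (if the key has a passphrase, Flux also expects it under a passphrase key in the same Secret). The file names and the sample manifests are assumptions made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight checks on the
# signing-key artifacts before they are sealed and committed.
# Assumed facts: Flux reads the private key from the data key "git.asc" of
# the referenced Secret, and secretRef is resolved in the namespace of the
# ImageUpdateAutomation. All sample files below are constructed for the demo.

# Return 0 if the file is an ASCII-armored PGP *private* key block (what
# --export-secret-keys produces); return 1 for a public key or anything else.
# Sealing the public key by mistake leaves Flux with nothing to sign with.
is_armored_private_key() {
  head -n 1 "$1" | grep -q '^-----BEGIN PGP PRIVATE KEY BLOCK-----$' || return 1
  tail -n 1 "$1" | grep -q '^-----END PGP PRIVATE KEY BLOCK-----$' || return 1
}

# Return 0 if a plain or sealed Secret manifest carries a data key named git.asc.
secret_has_git_asc() {
  grep -Eq '^[[:space:]]+git\.asc:' "$1"
}

# Print metadata.namespace of a single-document manifest (top-level metadata only).
manifest_namespace() {
  awk '/^metadata:/ {m=1; next}
       m && /^  namespace:/ {print $2; exit}
       m && /^[^ ]/ {m=0}' "$1"
}

# Return 0 if the Secret and the ImageUpdateAutomation live in the same namespace.
same_namespace() {
  [ "$(manifest_namespace "$1")" = "$(manifest_namespace "$2")" ]
}

# Run all checks; print one line per check and return 0 only if all pass.
preflight() {
  key="$1"; secret="$2"; automation="$3"; rc=0
  if is_armored_private_key "$key"; then echo "ok: $key is an armored private key"
  else echo "FAIL: $key is not an armored private key"; rc=1; fi
  if secret_has_git_asc "$secret"; then echo "ok: secret has data key git.asc"
  else echo "FAIL: secret lacks data key git.asc"; rc=1; fi
  if same_namespace "$secret" "$automation"; then echo "ok: namespaces match"
  else echo "FAIL: secret and ImageUpdateAutomation namespaces differ"; rc=1; fi
  return $rc
}

# --- constructed sample inputs (not real keys or ciphertext) ------------------
WORK=$(mktemp -d)
printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' '' 'bG9yZW0gaXBzdW0=' '=AbCd' \
  '-----END PGP PRIVATE KEY BLOCK-----' > "$WORK/git.asc"
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' 'bG9yZW0gaXBzdW0=' '=AbCd' \
  '-----END PGP PUBLIC KEY BLOCK-----' > "$WORK/pub.asc"

cat > "$WORK/signing-key.sealed-secret.yaml" <<'EOF'
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: fluxcd-signing-key
  namespace: default
spec:
  encryptedData:
    git.asc: PLACEHOLDER_CIPHERTEXT
  template:
    metadata:
      name: fluxcd-signing-key
      namespace: default
EOF

cat > "$WORK/image-update.yaml" <<'EOF'
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageUpdateAutomation
metadata:
  name: default
  namespace: default
spec:
  git:
    commit:
      signingKey:
        secretRef:
          name: fluxcd-signing-key
EOF

# Stand-alone run: all three checks pass on the constructed samples.
preflight "$WORK/git.asc" "$WORK/signing-key.sealed-secret.yaml" "$WORK/image-update.yaml"
```

Point preflight at your real git.asc, the sealed-secret file from the kubectl | kubeseal pipeline, and the ImageUpdateAutomation manifest before committing them. Once Flux has pushed its first update, `git log --show-signature -1` on the branch shows whether the commit carries a good signature from the key whose public half you uploaded to GitHub.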
Conclusion
You've configured the signing key for the FluxCD Image Update Automation, so its commits are now signed and show up as verified on GitHub.