Flux: GitLab push rules rejects Flux commit signatures

Created on 10 Mar 2020 · 4 comments · Source: fluxcd/flux

Describe the bug

Commits GPG signed by Flux are rejected by the GitLab "Reject unsigned commits" Push Rule even though the signatures show as Verified when the rule is disabled.

To Reproduce

Steps to reproduce the behaviour:

  1. Install Flux with an appropriate user SSH private key and GPG private key
  2. Add a HelmRelease with the fluxcd.io/automated: true annotation and an appropriate glob pattern pointing at a GitLab EE repo with the "Committer restriction", "Reject unsigned commits" and "Check whether author is a GitLab user" Push Rules enabled
  3. Wait for the initial version to deploy
  4. Push a new version of the image to the registry

Expected behavior

Flux updates the image.tag value, commits with a signature and pushes successfully to GitLab

Logs

flux-fluxtest-54555f9888-kpr9p flux ts=2020-03-10T15:05:41.66914859Z caller=loop.go:145 component=sync-loop jobID=84c18f9c-2763-9cf1-2161-4de495d9c42c state=done success=false err="git push git@gitlab-server:group/repo.git [master refs/notes/flux]: failed to push some refs to 'git@gitlab-server:group/repo.git', full output:\n remote: GitLab: Commit must be signed with a GPG key \nTo gitlab-server:group/repo.git\n ! [remote rejected] master -> master (pre-receive hook declined)\n ! [remote rejected] refs/notes/flux -> refs/notes/flux (pre-receive hook declined)\nerror: failed to push some refs to 'git@gitlab-server:group/repo.git'\n"

Additional context

  • Flux version: 1.17.1
  • Kubernetes version: v1.14.9-eks-502bfb
  • Git provider: GitLab 12.7.0-ee
  • Container registry provider: Nexus OSS 3.18.1-01
Labels: blocked-needs-validation, bug

All 4 comments

This is likely due to the GPG key and/or configured automation user not being known to GitLab, see 'How GitLab handles GPG'.

Both are known. I'm using a user synced from LDAP with an SSH key applied directly to the user (not a deploy key). Same with the GPG key. As stated in the ticket, if I disable the push rule, GitLab shows the commits made by the user as fully verified.

I've also raised this issue against GitLab. We would appreciate any solution either team could provide: https://gitlab.com/gitlab-org/gitlab/-/issues/211355

The problem is that we do not sign our Git notes but only our commits, while GitLab also verifies the notes that are pushed to refs/notes/flux.

I will need to look into the details of also signing our notes to determine what the right solution would be.
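As an added illustration of the cause described in this comment (not Flux or GitLab code), the script below builds a throwaway repository, adds a Flux-style note on refs/notes/flux and reports, per ref, which commits carry no signature, the way a per-ref "commit must be signed" rule would. The commit message, note text and author identity are constructed.

```shell
#!/bin/sh
# Added example (not Flux or GitLab code). Shows that refs/notes/flux is its own chain
# of commits whose signature status is independent of the branch commits, which is
# what a per-ref "commit must be signed" pre-receive rule ends up checking.
set -eu

# Identity for the constructed repository (sample values, not a real Flux deployment).
export GIT_AUTHOR_NAME="Flux Example" GIT_AUTHOR_EMAIL="flux@example.invalid"
export GIT_COMMITTER_NAME="$GIT_AUTHOR_NAME" GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL"

# unsigned_commits REPO REF
# Prints "REF SHA" for every commit reachable from REF whose %G? status is N
# (no signature). Exits 1 if any were found, 0 if every commit on the ref is signed.
unsigned_commits() {
  git -C "$1" log --format='%H %G?' "$2" -- |
    awk -v ref="$2" '$2 == "N" { print ref, $1; n++ } END { exit (n > 0) }'
}

# make_demo_repo
# Builds a throwaway repository with one branch commit and one Flux-style note on
# refs/notes/flux, then prints its path. Commit message and note text are constructed.
make_demo_repo() {
  repo=$(mktemp -d)
  git -c init.defaultBranch=master init -q "$repo"
  git -C "$repo" commit -q --allow-empty -m "Auto-release image.tag 1.2.3 (constructed)"
  # `git notes` has no -S option: the commit it creates on refs/notes/flux is never
  # signed, even when the branch commit above is signed via commit.gpgsign or -S.
  git -C "$repo" notes --ref=flux add -m '{"constructed": "flux release note"}' HEAD
  echo "$repo"
}

# Stand-alone run: check both refs that the failed push in the issue log sends.
if [ "${1:-}" = "--demo" ]; then
  demo=$(make_demo_repo)
  for ref in refs/heads/master refs/notes/flux; do
    if unsigned_commits "$demo" "$ref"; then
      echo "$ref: all commits signed"
    else
      echo "$ref: unsigned commits found (a signature-enforcing hook rejects this ref)"
    fi
  done
  rm -rf "$demo"
fi
```

Run with `--demo` to see both refs reported; in this constructed repository the branch commit is unsigned too, because no GPG key is involved, but the notes commit would stay unsigned even if the branch commit were signed.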
