GitLab push rules rejects Flux commit signatures

[GJKrupa]

Describe the bug

Commits GPG signed by Flux are rejected by the GitLab "Reject unsigned commits" Push Rule even though the signatures show as Verified when the rule is disabled.

To Reproduce

Steps to reproduce the behaviour:

1. Install Flux with an appropriate user SSH private key and GPG private key
2. Add a HelmRelease with the fluxcd.io/automated: true annotation and an appropriate glob pattern pointing at a GitLab EE repo with the "Committer restriction", "Reject unsigned commits" and "Check whether author is a GitLab user" Push Rules enabled
3. Wait for the initial version to deploy
4. Push a new version of the image to the registry

Expected behavior

Flux updates the image.tag value, commits with a signature and pushes successfully to GitLab

Logs

flux-fluxtest-54555f9888-kpr9p flux ts=2020-03-10T15:05:41.66914859Z caller=loop.go:145 component=sync-loop jobID=84c18f9c-2763-9cf1-2161-4de495d9c42c state=done success=false err="git push git@gitlab-server:group/repo.git [master refs/notes/flux]: failed to push some refs to 'git@gitlab-server:group/repo.git', full output:\n remote: GitLab: Commit must be signed with a GPG key \nTo gitlab-server:group/repo.git\n ! [remote rejected] master -> master (pre-receive hook declined)\n ! [remote rejected] refs/notes/flux -> refs/notes/flux (pre-receive hook declined)\nerror: failed to push some refs to 'git@gitlab-server:group/repo.git'\n"

Additional context

• Flux version: 1.17.1
• Kubernetes version: v1.14.9-eks-502bfb
• Git provider: Gitlab 12.7.0-ee
• Container registry provider: Nexus OSS 3.18.1-01

[hiddeco]

This is likely due to the GPG key and/or configured automation user not being known to GitLab, see 'How GitLab handles GPG'.

[GJKrupa]

Both are known. I'm using a user synced from LDAP with an SSH key applied directly to the user (not a deploy key). Same with the GPG key. As stated in the ticket, if I disable the push rule, GitLab shows the commits made by the user as fully verified.

[GJKrupa]

I've also raised this issue against GitLab. We would appreciate any solution either team could provide: https://gitlab.com/gitlab-org/gitlab/-/issues/211355

[hiddeco]

The problem is that we do not sign our Git notes but only our commits, while GitLab also verifies the notes that are pushed to refs/notes/flux.

I will need to look into the details of also signing our notes to determine what the right solution would be.

[kingdonb]

Hi! Are you able to upgrade to Flux v2?

I cannot promise this will solve the issue, I just want to establish whether this issue is still affecting anyone before I close it out unceremoniously (and whether it has been solved in Flux 2 already, which I'm unsure about.)

As Flux v1 is in maintenance mode now and Flux v2 is the place where all our development efforts are being focused, at this point a resolution in Flux v1 is unlikely without a PR or an interested user to help push it forward. If this is still an issue in Flux v2, (I'd be surprised, since Flux devs have gone to great lengths to be sure that all known issues are addressed from Flux v1 in the rewritten codebase...) we will be interested in solving it.

Will happily reopen or discuss in another venue, but since this is not a Flux v1 maintenance issue I'm closing this out.

[GJKrupa]

We're planning to move to Flux 2 at some point but it will be a while (we're still using Helm 2 so we have to migrate to 3 first). Until then we can live with disabling the signature check on our Flux config repos.