Description
Summary
Allow GPG verification per source. If the project enforces GPG verification, then it is enabled by default and it should be possible to disable it per source via something like disableVerification.
If GPG verification is disabled, disableVerification will just be ignored.
Motivation
I see an issue with GPG verification when using a multi-source application where we use an external Helm chart with values taken from an internal repository.
For example:
Source 1: superset helm chart @ http://apache.github.io/superset/
Source 2: my own repository @ https://github.com/abc/myvalues
Source 2 will always be signed with my GPG key, e.g. ABCEXAMPLE, while Source 1 is not signed since it's a Helm repository. Argo CD will not sync because the target at Source 1 is not signed.
Is there any workaround for this?
Proposal
Make it possible to disable GPG verification per source. E.g. the project enforces GPG verification but I disable it for the helm source (source 1) and some other external source (source 2). My own source containing the values.yaml will be verified.
Example:
spec:
  project: high-priority
  sources:
    - chart: cert-manager
      disableVerification: true # this is new
      repoURL: https://charts.jetstack.io
      targetRevision: 1.14.*
      helm:
        releaseName: cert-manager
        valueFiles:
          - $values/cert-manager/resources/values.yaml
    - repoURL: https://github.com/rzadjad/applications.git
      targetRevision: HEAD
      ref: values
    - repoURL: https://github.com/someone-else/cert-manager.git
      disableVerification: true # this is new
      targetRevision: HEAD
      path: resources