
feat(source-integrity): Implement Source Integrity checking#25371

Open
olivergondza wants to merge 30 commits intoargoproj:masterfrom
olivergondza:proposal-source-policies-poc

Conversation

@olivergondza
Contributor

@olivergondza olivergondza commented Nov 20, 2025

Implements #25148

This replaces the former GPG feature with a more general mechanism to enforce integrity. The design enables introducing various kinds of sources (OCI/Helm) and using various verification mechanisms in the future.

  • This maintains the manifest API functionality (AppProject's .spec.signatureKeys), but it is interpreting it using the new implementation (no duplicated code, some regression risk)
    • It is applied to all git-based application sources - not just the first one.
  • The AppProject GPG signing keys management is labeled deprecated from now on (UI, CLI, CR), encouraging users to switch to Source Integrity managed through project manifest.
  • The ability to manage Source Integrity criteria through UI and CLI is left out - only configurable through the Custom Resource. Adding/removing GPG keys (repo-server keyring management) is left unchanged.

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Title of the PR
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • [WIP] I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • [WIP] I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • [n.a] Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

Presentation of an application failing Source Integrity criteria:

[Three screenshots, captured 2026-02-23, showing the application view of an application that fails the Source Integrity criteria]
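The check the PR describes, applied to every git source of an application and passing only when all sources pass, as an added illustration; this is not code from this PR or from Argo CD. It assumes the gpg status-fd lines that `git verify-commit --raw` prints have been captured per source, and the status output, repository URLs and key IDs below are constructed. Trusted keys are matched by long key ID or full fingerprint; short (8-hex) key IDs are refused because they are trivially collidable.

```go
package main

import (
	"fmt"
	"strings"
)

// Source is one git source of an application together with the raw gpg
// status output captured while verifying its checked-out commit (the
// "[GNUPG:] ..." lines that `git verify-commit --raw` prints).
type Source struct {
	RepoURL   string
	Revision  string
	GPGStatus string
}

// Constructed gpg status output for the example; not captured from a real
// repository. Key IDs and fingerprints are made up.
const (
	goodStatus = `[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] TRUST_ULTIMATE 0 pgp`
	unknownKeyStatus = `[GNUPG:] NEWSIG
[GNUPG:] ERRSIG FEDCBA9876543210 1 10 00 1767610000 9 FEDCBA9876543210
[GNUPG:] NO_PUBKEY FEDCBA9876543210`
	unsignedStatus = "" // an unsigned commit yields no status lines at all
)

// parseGPGStatus reduces gpg status lines to either the long key ID of a
// good signature or a rejection reason. A valid signature made with an
// expired or revoked key is still rejected.
func parseGPGStatus(raw string) (keyID, reason string) {
	var good, problem string
	for _, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "[GNUPG:] ") {
			continue // ordinary git/gpg output, not a status line
		}
		fields := strings.Fields(strings.TrimPrefix(line, "[GNUPG:] "))
		if len(fields) == 0 {
			continue
		}
		switch fields[0] {
		case "GOODSIG":
			if len(fields) > 1 {
				good = strings.ToUpper(fields[1])
			}
		case "BADSIG":
			problem = "signature does not match commit"
		case "EXPKEYSIG":
			problem = "signed with an expired key"
		case "REVKEYSIG":
			problem = "signed with a revoked key"
		case "NO_PUBKEY":
			problem = "signing key is not in the keyring"
		case "ERRSIG":
			if problem == "" { // NO_PUBKEY, when present, is the more precise reason
				problem = "signature could not be checked"
			}
		}
	}
	if problem != "" {
		return "", problem
	}
	if good == "" {
		return "", "commit is not signed"
	}
	return good, ""
}

// keyTrusted reports whether a GOODSIG key ID is in the trusted set. Entries
// may be 16-hex long key IDs or 40-hex fingerprints; the long key ID is the
// low 64 bits of the fingerprint, so match by suffix. Entries shorter than
// 16 hex characters are ignored rather than matched.
func keyTrusted(keyID string, trusted []string) bool {
	keyID = strings.ToUpper(keyID)
	if len(keyID) < 16 {
		return false
	}
	for _, t := range trusted {
		t = strings.TrimPrefix(strings.ToUpper(strings.TrimSpace(t)), "0X")
		if len(t) < 16 {
			continue
		}
		if strings.HasSuffix(t, keyID) {
			return true
		}
	}
	return false
}

// verifyApplication checks every git source: the application passes only
// when all sources pass, and each failure names the offending source so it
// can be surfaced in the application's status.
func verifyApplication(sources []Source, trusted []string) (bool, []string) {
	var failures []string
	for _, s := range sources {
		keyID, reason := parseGPGStatus(s.GPGStatus)
		if reason == "" && !keyTrusted(keyID, trusted) {
			reason = fmt.Sprintf("signed with untrusted key %s", keyID)
		}
		if reason != "" {
			failures = append(failures, fmt.Sprintf("%s@%s: %s", s.RepoURL, s.Revision, reason))
		}
	}
	return len(failures) == 0, failures
}

func main() {
	trusted := []string{"AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF"} // constructed fingerprint
	app := []Source{
		{"https://git.example.invalid/app.git", "a1b2c3d", goodStatus},
		{"https://git.example.invalid/values.git", "d4e5f6a", unknownKeyStatus},
	}
	ok, failures := verifyApplication(app, trusted)
	fmt.Println("sync allowed:", ok)
	for _, f := range failures {
		fmt.Println(" -", f)
	}
}
```

The combination step is the part that differs from the legacy behaviour: a second source that is unsigned, or signed by a key outside the trusted set, blocks the whole application rather than being skipped.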

@olivergondza olivergondza requested a review from a team as a code owner November 20, 2025 16:07
@olivergondza
Contributor Author

This is still WIP. Filed for CI feedback...

@olivergondza olivergondza force-pushed the proposal-source-policies-poc branch 4 times, most recently from 71850e2 to 53d5533 Compare November 26, 2025 13:02
@olivergondza olivergondza force-pushed the proposal-source-policies-poc branch from 09dae5d to 0b618a1 Compare November 27, 2025 13:44
@codecov

codecov bot commented Nov 27, 2025

Codecov Report

❌ Patch coverage is 77.90179% with 99 lines in your changes missing coverage. Please review.
✅ Project coverage is 62.68%. Comparing base (c13ba1e) to head (fabce0a).
⚠️ Report is 1 commits behind head on master.

Files with missing lines Patch % Lines
util/git/client.go 67.66% 39 Missing and 15 partials ⚠️
pkg/apis/application/v1alpha1/source_integrity.go 59.25% 11 Missing ⚠️
reposerver/repository/repository.go 70.00% 4 Missing and 5 partials ⚠️
util/sourceintegrity/source_integrity.go 91.81% 5 Missing and 4 partials ⚠️
cmd/util/project.go 0.00% 4 Missing ⚠️
controller/state.go 83.33% 3 Missing and 1 partial ⚠️
cmd/argocd/commands/project.go 57.14% 3 Missing ⚠️
server/gpgkey/gpgkey.go 0.00% 3 Missing ⚠️
server/application/application.go 60.00% 1 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #25371      +/-   ##
==========================================
+ Coverage   62.66%   62.68%   +0.02%     
==========================================
  Files         412      414       +2     
  Lines       55564    55795     +231     
==========================================
+ Hits        34818    34976     +158     
- Misses      17424    17478      +54     
- Partials     3322     3341      +19     


@olivergondza olivergondza force-pushed the proposal-source-policies-poc branch from 0b618a1 to de3d402 Compare November 28, 2025 13:33
Member

@blakepettersson blakepettersson left a comment


All in all I think this is great, awesome work!

I've added a few questions/thoughts, LMK what you think

@olivergondza olivergondza force-pushed the proposal-source-policies-poc branch 4 times, most recently from 36c6663 to 3362313 Compare December 1, 2025 20:22
@olivergondza olivergondza requested review from a team as code owners December 4, 2025 13:08
@olivergondza olivergondza force-pushed the proposal-source-policies-poc branch 3 times, most recently from c6aac44 to d04c6fa Compare December 10, 2025 13:20
@olivergondza olivergondza force-pushed the proposal-source-policies-poc branch 2 times, most recently from 27c964a to 826199b Compare December 15, 2025 11:51
@olivergondza olivergondza force-pushed the proposal-source-policies-poc branch 2 times, most recently from 183de87 to fcca2c9 Compare January 2, 2026 09:07
@olivergondza
Contributor Author

@jannfis, @blakepettersson, @pasha-codefresh, the implementation is complete. Please review.

@olivergondza olivergondza force-pushed the proposal-source-policies-poc branch from 96e2a51 to 707740f Compare January 5, 2026 10:53
Signed-off-by: Oliver Gondža <ogondza@gmail.com>
@olivergondza olivergondza force-pushed the proposal-source-policies-poc branch from 5491ff0 to 01bacb0 Compare March 14, 2026 07:58
})
}

func TestNamespacedSyncToUnsignedCommit(t *testing.T) {
Contributor Author


Tests moved to app_management_source_integrity_test.go and extended.

})
}

func TestSyncToUnsignedCommit(t *testing.T) {
Contributor Author


Tests moved to app_multiple_sources_source_integrity_test.go.


The GnuPG verification requires populating the Argo CD GnuPG keyring, and configuring source integrity policies for your repositories.

## Managing Argo CD GnuPG keyring
Contributor Author


Moved from the old location, renamed, unchanged.

Member


I believe mkdocs supports redirects for dropped pages. Can you add a redirect for the old gpg verification page?

Contributor Author


Good point. I see we do not use the redirect plugin, and I do not want to pull it in just for this. So I kept nothing but a note on the old location informing about the eventual removal, and linked to the new approach.

@olivergondza olivergondza force-pushed the proposal-source-policies-poc branch from e542849 to 66202dc Compare March 14, 2026 10:45
Signed-off-by: Oliver Gondža <ogondza@gmail.com>
@olivergondza olivergondza force-pushed the proposal-source-policies-poc branch from 66202dc to 8f2e093 Compare March 14, 2026 12:51
Member

@blakepettersson blakepettersson left a comment


I think this in general is in great shape!

I do think we need to have at least CLI support for source integrity, by adding new CLI commands, and ideally (if possible) we should migrate the existing commands to set/unset source-integrity (if the legacy signature keys are not already in use, then that should instead be used).

I'll defer the nitty-gritty of the GPG signing logic to @jannfis

Each application can be a subject or multiple checks, and the sync will be enabled only when all criteria are met.

> [!NOTE]
> Source Integrity Verification is only configured through `AppProject` manifests at this point. CLI and UI are not supported.
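Review bot: Typo in the first line of this hunk: "a subject or multiple checks" should read "a subject of multiple checks". While touching it, "the sync will be enabled only when all criteria are met" would be clearer as "sync is allowed only when every criterion is met", which matches the all-sources behaviour the PR description states.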
Member


I do think we should at least have CLI support for this, if not also UI (which we'd default to use source integrity if not already used)

Contributor Author


I agree, and CLI is something I intend to work on next. Although I propose to add it in a separate PR once this is merged, so as not to add a few hundred LOC to this already giant PR. WDYT?

Member


I'd be fine having this in a separate PR 👍

@blakepettersson blakepettersson modified the milestones: v3.5, v3.3 Mar 16, 2026
Comment on lines -28 to +29
// Request to verify the signature when generating the manifests (only for Git repositories)
bool verifySignature = 16;
// Source integrity constrains to verify the sources before use
github.com.argoproj.argo_cd.v3.pkg.apis.application.v1alpha1.SourceIntegrity sourceIntegrity = 16;
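Review bot: Reusing field number 16 for `sourceIntegrity` after removing `verifySignature` changes the wire type of tag 16 from a varint (bool) to a length-delimited message, so a peer compiled against the old definition will fail to decode or silently misread messages from the new one; keep `bool verifySignature = 16;` (or at least `reserved 16;`) and give `sourceIntegrity` a fresh field number. Also, the comment on the new field has a typo: "constrains" should be "constraints".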
Member


This would be a breaking API change. Do we have a path to deprecate/remove the old verify style API results?

Contributor Author


Thanks. Let me re-add verifyResult and signatureInfo here.

Contributor Author


@crenshaw-dev, backward compatibility is restored.

…fication

Signed-off-by: Oliver Gondža <ogondza@gmail.com>