Resolve "signature of the commits"
What does this MR do and why?
Demonstrate how to verify the signature of commits, using GPG keys as the reference for Flux CD validation.
Signing a commit is meant to address the security need of integrity, i.e. it mitigates the risk of unknowingly accepting a commit or tag that has been tampered with.
Validation of commits is based on a list of referenced developers (using their public keys).
Related reference(s)
- https://fluxcd.io/flux/components/source/gitrepositories/#verification
- https://docs.gitlab.com/ee/user/project/repository/signed_commits/gpg.html
Test coverage
- Deploying a Sylva unit without a commit signature must fail when Flux CD verification is configured.
- Deploying a Sylva unit with a commit signature not in the authorized list must fail when Flux CD verification is configured.
- Deploying a Sylva unit with a commit signature in the authorized list must be successful when Flux CD verification is configured.
Closes #551 (closed)
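
For illustration, a Flux CD `GitRepository` with commit verification enabled, as described in the first reference above. This is an added example, not the manifests from this MR; the resource names, namespace, URL and key entries are placeholders.

```yaml
# Added illustration, not taken from the merge request.
# Names, namespace, URL and key material are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: authorized-developers-pgp      # hypothetical name
  namespace: flux-system
type: Opaque
stringData:
  # The "authorized list": one entry per referenced developer.
  # Each value is an ASCII-armored GPG public key, e.g. the output of
  #   gpg --export --armor <key id>
  developer1.asc: |
    <ASCII-armored public key of developer 1>
  developer2.asc: |
    <ASCII-armored public key of developer 2>
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: sylva-units-source             # hypothetical name
  namespace: flux-system
spec:
  interval: 5m
  url: https://gitlab.example.com/group/project.git   # placeholder URL
  ref:
    branch: main
  verify:
    # HEAD: verify the signature of the commit the ref resolves to.
    mode: HEAD
    # Only signatures made by a key stored in this Secret are accepted.
    secretRef:
      name: authorized-developers-pgp
```

With this in place, an unsigned commit, or a commit signed by a key that is not in the Secret, fails source verification and Flux CD does not produce a new artifact from it; this corresponds to the first two cases under Test coverage.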