fix: add the --key flag to the init cmd (zarf-dev#2259)

## Description This adds the `-key` flag to `zarf init` command. ## Related Issue Fixes zarf-dev#2248 ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide Steps](https://github.com/defenseunicorns/zarf/blob/main/CONTRIBUTING.md#developer-workflow) followed --------- Co-authored-by: Wayne Starr <[email protected]>
daniel-palmer-gu · Feb 3, 2024 · b053fe6 · b053fe6
1 parent 0e8ecf5
commit b053fe6
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 0 deletions.
diff --git a/docs/2-the-zarf-cli/100-cli-commands/zarf_init.md b/docs/2-the-zarf-cli/100-cli-commands/zarf_init.md
@@ -62,6 +62,7 @@ $ zarf init --artifact-push-password={PASSWORD} --artifact-push-username={USERNA
       --git-push-username string        Username to access to the git server Zarf is configured to use. User must be able to create repositories via 'git push' (default "zarf-git-user")
       --git-url string                  External git server url to use for this Zarf cluster
   -h, --help                            help for init
+  -k, --key string                      Path to public key file for validating signed packages
       --nodeport int                    Nodeport to access a registry internal to the k8s cluster. Between [30000-32767]
       --registry-pull-password string   Password for the pull-only user to access the registry
       --registry-pull-username string   Username for pull-only access to the registry

diff --git a/src/cmd/initialize.go b/src/cmd/initialize.go
@@ -220,5 +220,7 @@ func init() {
 
 	initCmd.Flags().DurationVar(&pkgConfig.DeployOpts.Timeout, "timeout", v.GetDuration(common.VPkgDeployTimeout), lang.CmdPackageDeployFlagTimeout)
 
+	initCmd.Flags().StringVarP(&pkgConfig.PkgOpts.PublicKeyPath, "key", "k", v.GetString(common.VPkgPublicKey), lang.CmdPackageFlagFlagPublicKey)
+
 	initCmd.Flags().SortFlags = true
 }
diff --git a/src/test/e2e/35_custom_init_package_test.go b/src/test/e2e/35_custom_init_package_test.go
@@ -0,0 +1,47 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2021-Present The Zarf Authors
+
+// Package test provides e2e tests for Zarf.
+package test
+
+import (
+	"fmt"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestCustomInit(t *testing.T) {
+	t.Log("E2E: Custom Init Package")
+	e2e.SetupWithCluster(t)
+	buildPath := filepath.Join("src", "test", "packages", "35-custom-init-package")
+	pkgName := fmt.Sprintf("zarf-init-%s-%s.tar.zst", e2e.Arch, e2e.GetZarfVersion(t))
+	privateKeyFlag := "--signing-key=src/test/packages/zarf-test.prv-key"
+	publicKeyFlag := "--key=src/test/packages/zarf-test.pub"
+
+	stdOut, stdErr, err := e2e.Zarf("package", "create", buildPath, privateKeyFlag, "--confirm")
+	require.NoError(t, err, stdOut, stdErr)
+	defer e2e.CleanFiles(pkgName)
+
+	/* Test operations during package inspect */
+	// Test that we can inspect the yaml of the package without the private key
+	stdOut, stdErr, err = e2e.Zarf("package", "inspect", pkgName)
+	require.NoError(t, err, stdOut, stdErr)
+
+	// Test that we don't get an error when we remember to provide the public key
+	stdOut, stdErr, err = e2e.Zarf("package", "inspect", pkgName, publicKeyFlag)
+	require.NoError(t, err, stdOut, stdErr)
+	require.Contains(t, stdErr, "Verified OK")
+
+	/* Test operations during package deploy */
+	// Test that we get an error when trying to deploy a package without providing the public key
+	stdOut, stdErr, err = e2e.Zarf("init", "--confirm")
+	require.Error(t, err, stdOut, stdErr)
+	require.Contains(t, stdErr, "unable to load the package: package is signed but no key was provided - add a key with the --key flag or use the --insecure flag and run the command again")
+
+	/* Test operations during package deploy */
+	// Test that we can deploy the package with the public key
+	stdOut, stdErr, err = e2e.Zarf("init", "--confirm", publicKeyFlag)
+	require.NoError(t, err, stdOut, stdErr)
+}
diff --git a/src/test/packages/35-custom-init-package/zarf.yaml b/src/test/packages/35-custom-init-package/zarf.yaml
@@ -0,0 +1,8 @@
+kind: ZarfInitConfig
+metadata:
+  name: init
+  description: Used to establish a new Zarf cluster
+
+components:
+  - name: nothing
+