From d015895caabe5088a78baffd996ae5e671f0ee8a Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Thu, 20 Oct 2022 15:40:57 +0300 Subject: [PATCH] RFC-0002: Add Cosign verification for Helm OCI charts Signed-off-by: Stefan Prodan --- rfcs/0002-helm-oci/README.md | 50 ++++++++++++++++++++++++++++++++++-- 1 file changed, 48 insertions(+), 2 deletions(-) diff --git a/rfcs/0002-helm-oci/README.md b/rfcs/0002-helm-oci/README.md index 7c6c5b72..518eaae5 100644 --- a/rfcs/0002-helm-oci/README.md +++ b/rfcs/0002-helm-oci/README.md @@ -4,7 +4,7 @@ **Creation date:** 2022-03-30 -**Last update:** 2022-08-24 +**Last update:** 2022-10-20 ## Summary @@ -22,6 +22,7 @@ they do today for container images. ### Goals - Add support for fetching Helm charts stored as OCI artifacts with minimal API changes to Flux. +- Add support for verifying the authenticity of Helm OCI charts signed with Cosign. - Make it easy for users to switch from [HTTP/S Helm repositories](https://github.com/helm/helm-www/blob/416fabea6ffab8dc156b6a0c5eb5e8df5f5ef7dc/content/en/docs/topics/chart_repository.md) to OCI repositories. @@ -40,7 +41,6 @@ Introduce an optional field called `provider` for [context-based authorization](https://fluxcd.io/flux/security/contextual-authorization/) to AWS, Azure and Google Cloud. The `spec.provider` is ignored when `spec.type` is set to `default`. - ### Pull charts from private repositories #### Basic auth 
@@ -92,6 +92,51 @@ controller will use a specific cloud SDK for authentication purposes. If both `spec.secretRef` and a non-generic provider are present in the definition, the controller will use the static credentials from the referenced secret. +### Verify Helm charts + +To verify the authenticity of the Helm OCI charts, Flux will use the Sigstore Go SDK and implement verification +for artifacts which were either signed with keys generated by Cosign or signed using the Cosign +[keyless method](https://github.com/sigstore/cosign/blob/main/KEYLESS.md). + +To enable signature verification, the Cosign public keys can be supplied with: + +```yaml +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmChart +metadata: + name: +spec: + verify: + provider: cosign + secretRef: + name: cosign-public-keys +``` + +Note that the Kubernetes secret containing the Cosign public keys, must use `.pub` extension: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: cosign-public-keys +type: Opaque +stringData: + key1.pub: + key2.pub: +``` + +For verifying public Helm charts which are signed using the keyless method, +the `spec.verify.secretRef` field must be omitted: + +```yaml +spec: + verify: + provider: cosign +``` + +When using the keyless method, Flux will verify the signatures in the Rekor +transparency log instance hosted at [rekor.sigstore.dev](https://rekor.sigstore.dev/). + ### User Stories #### Story 1 
@@ -231,6 +276,7 @@ The feature is enabled by default. * **2022-06-06** First implementation released with [flux2 v0.31.0](https://github.com/fluxcd/flux2/releases/tag/v0.31.0) * **2022-08-11** Resolve chart dependencies from OCI released with [flux2 v0.32.0](https://github.com/fluxcd/flux2/releases/tag/v0.32.0) * **2022-08-29** Contextual login for AWS, Azure and GCP released with [flux2 v0.33.0](https://github.com/fluxcd/flux2/releases/tag/v0.33.0) +* **2022-10-21** Verifying Helm charts with Cosign released with [flux2 v0.36.0](https://github.com/fluxcd/flux2/releases/tag/v0.36.0) ### TODOs
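Review bot: In the `@@ -92,6 +92,51 @@` hunk, the keyless paragraph ("the `spec.verify.secretRef` field must be omitted") does not say which signer identities are accepted once no public key is pinned, so as written any signature backed by a valid Sigstore certificate recorded in Rekor would satisfy verification; please state that trust assumption explicitly, or note that constraining the certificate identity and issuer is out of scope for this RFC. The same hunk should also spell out what happens when verification fails (is the chart rejected and the `HelmChart` left not ready, or only a condition set?) and whether the Rekor check requires egress from the cluster to rekor.sigstore.dev, since that matters for air-gapped installs. Minor wording: "Note that the Kubernetes secret containing the Cosign public keys, must use `.pub` extension" reads better as "Note that the keys in the Kubernetes secret must be stored under names ending in `.pub`", and the text should say whether a signature matching any one of the supplied keys is sufficient.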
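Review bot: In the `@@ -231,6 +276,7 @@` hunk, the new implementation-history entry dates the flux2 v0.36.0 release to 2022-10-21, one day after this patch's own date (Thu, 20 Oct 2022), so it records a release that has not happened yet at review time; either hold the entry until the release is cut or confirm the date and tag URL afterwards, since until then the link points at a release page that does not exist.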