Mirrors/flux2
1
0
Fork 0
mirror of synced 2026-02-06 19:05:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

RFC-0002: Add Cosign verification for Helm OCI charts

Browse Source 
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
This commit is contained in:
Stefan Prodan
2022-10-20 15:40:57 +03:00
parent 64e76a23c6
commit d015895caa
1 changed files with 48 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
rfcs/0002-helm-oci/README.md
View File

@@ -4,7 +4,7 @@
**Creation date:** 2022-03-30
**Last update:** 2022-08-24
**Last update:** 2022-10-20
## Summary
@@ -22,6 +22,7 @@ they do today for container images.
### Goals
- Add support for fetching Helm charts stored as OCI artifacts with minimal API changes to Flux.
- Add support for verifying the authenticity of Helm OCI charts signed with Cosign.
- Make it easy for users to switch from [HTTP/S Helm repositories](https://github.com/helm/helm-www/blob/416fabea6ffab8dc156b6a0c5eb5e8df5f5ef7dc/content/en/docs/topics/chart_repository.md)
to OCI repositories.
@@ -40,7 +41,6 @@ Introduce an optional field called `provider` for
[context-based authorization](https://fluxcd.io/flux/security/contextual-authorization/)
to AWS, Azure and Google Cloud. The `spec.provider` is ignored when `spec.type` is set to `default`.
### Pull charts from private repositories
#### Basic auth
@@ -92,6 +92,51 @@ controller will use a specific cloud SDK for authentication purposes.
If both `spec.secretRef` and a non-generic provider are present in the definition,
the controller will use the static credentials from the referenced secret.
### Verify Helm charts
To verify the authenticity of the Helm OCI charts, Flux will use the Sigstore Go SDK and implement verification
for artifacts which were either signed with keys generated by Cosign or signed using the Cosign
[keyless method](https://github.com/sigstore/cosign/blob/main/KEYLESS.md).
To enable signature verification, the Cosign public keys can be supplied with:
```yaml
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmChart
metadata:
name: <chart-name>
spec:
verify:
provider: cosign
secretRef:
name: cosign-public-keys
```
Note that the Kubernetes secret containing the Cosign public keys, must use `.pub` extension:
```yaml
apiVersion: v1
kind: Secret
metadata:
name: cosign-public-keys
type: Opaque
stringData:
key1.pub: <pub-key-1>
key2.pub: <pub-key-2>
```
For verifying public Helm charts which are signed using the keyless method,
the `spec.verify.secretRef` field must be omitted:
```yaml
spec:
verify:
provider: cosign
```
When using the keyless method, Flux will verify the signatures in the Rekor
transparency log instance hosted at [rekor.sigstore.dev](https://rekor.sigstore.dev/).
### User Stories
#### Story 1
@@ -231,6 +276,7 @@ The feature is enabled by default.
* **2022-06-06** First implementation released with [flux2 v0.31.0](https://github.com/fluxcd/flux2/releases/tag/v0.31.0)
* **2022-08-11** Resolve chart dependencies from OCI released with [flux2 v0.32.0](https://github.com/fluxcd/flux2/releases/tag/v0.32.0)
* **2022-08-29** Contextual login for AWS, Azure and GCP released with [flux2 v0.33.0](https://github.com/fluxcd/flux2/releases/tag/v0.33.0)
* **2022-10-21** Verifying Helm charts with Cosign released with [flux2 v0.36.0](https://github.com/fluxcd/flux2/releases/tag/v0.36.0)
### TODOs