
[Feature]: Sign Helm Charts

Open bradmccoydev opened this issue 2 years ago • 4 comments

Checklist

  • [X] I've searched for similar issues and couldn't find anything matching
  • [X] I've discussed this feature request in the K8sGPT Slack and got positive feedback

Is this feature request related to a problem?

No

Problem Description

Helm Provenance and Integrity

Helm has provenance tools which help chart users verify the integrity and origin of a package. Using industry-standard tools based on PKI, GnuPG, and well-respected package managers, Helm can generate and verify signature files.

Integrity is established by comparing a chart to a provenance record. Provenance records are stored in provenance files, which are stored alongside a packaged chart. For example, if a chart is named myapp-1.2.3.tgz, its provenance file will be myapp-1.2.3.tgz.prov.

Provenance files are generated at packaging time (helm package --sign ...), and can be checked by multiple commands, notably helm install --verify.

Right now Artifact Hub is showing the Helm chart as not signed. This could stop some people from adopting it. https://artifacthub.io/packages/helm/k8sgpt/k8sgpt-operator

It is easy to do, so I propose that we do it. We can add this capability to the helm-chart-releaser that we already use.

Solution Description

  • [ ] Create GPG key and passphrase
  • [ ] Upload them to GitHub Secrets
  • [ ] Update GitHub action to sign the chart

Benefits

People will trust the charts more and enterprises with proper security processes and practices will be able to tick their compliance boxes and adopt it.

Potential Drawbacks

No Drawbacks

Additional Information

No response

bradmccoydev, May 05 '23 11:05
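The three steps of the proposed solution, written out as one GitHub Actions workflow. This is an added example, not code from the issue or from the k8sgpt-operator repository: it imports the key from the two secrets named in this issue, re-exports it into the legacy keyring file that Helm's signer reads, lets chart-releaser run `helm package --sign`, and then verifies every produced package with the public key alone, which is the same check a consumer's `helm install --verify` performs. The key user ID and e-mail, the `charts_dir`, the pinned action versions and the `CR_SIGN`/`CR_KEY` variable names are assumptions; the `CR_*` names follow chart-releaser's convention of reading each command-line flag from an upper-cased `CR_` environment variable, so confirm them against the version you pin.

```yaml
name: Release Charts

on:
  push:
    branches: [main]

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write     # chart-releaser creates the GitHub release and pushes index.yaml
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # cr needs the full history to decide which charts changed

      - uses: azure/setup-helm@v4

      # HELM_SIGNING_PRIVATE_KEY holds an ASCII-armored export of a key a
      # maintainer creates once, offline, for example:
      #   gpg --batch --quick-gen-key "K8sGPT Helm Charts <charts@example.invalid>" rsa4096 sign 2y
      #   gpg --armor --export-secret-keys "K8sGPT Helm Charts"
      # The secret names come from this issue; the user ID and address are assumed.
      - name: Import chart signing key
        env:
          HELM_SIGNING_PRIVATE_KEY: ${{ secrets.HELM_SIGNING_PRIVATE_KEY }}
          HELM_SIGNING_PRIVATE_KEY_PASSPHRASE: ${{ secrets.HELM_SIGNING_PRIVATE_KEY_PASSPHRASE }}
        run: |
          set -euo pipefail
          umask 077                       # keyring and passphrase file end up 0600
          mkdir -p "$HOME/.gnupg"
          printf '%s\n' "$HELM_SIGNING_PRIVATE_KEY" | gpg --batch --import
          # Helm signs with the legacy secring.gpg format, not GnuPG 2.1's keybox,
          # so re-export the (still passphrase-protected) secret key into it.
          # The passphrase goes in on stdin, never on the command line, where
          # it would be visible in process listings.
          printf '%s' "$HELM_SIGNING_PRIVATE_KEY_PASSPHRASE" \
            | gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
                  --export-secret-keys > "$HOME/.gnupg/secring.gpg"
          printf '%s' "$HELM_SIGNING_PRIVATE_KEY_PASSPHRASE" > "$RUNNER_TEMP/passphrase"
          echo "CR_KEYRING=$HOME/.gnupg/secring.gpg" >> "$GITHUB_ENV"
          echo "CR_PASSPHRASE_FILE=$RUNNER_TEMP/passphrase" >> "$GITHUB_ENV"

      # chart-releaser's package step is `helm package --sign`; it picks up the
      # CR_KEYRING and CR_PASSPHRASE_FILE values exported above.
      - name: Package, sign and release charts
        uses: helm/chart-releaser-action@v1.6.0
        with:
          charts_dir: charts              # assumed location of the chart sources
        env:
          CR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CR_SIGN: "true"
          CR_KEY: "K8sGPT Helm Charts"    # user ID shown by `gpg --list-secret-keys`

      # Consumer-side check, run here so a bad signature fails the release:
      # verify each .tgz against its .prov using ONLY the public half of the key,
      # exactly as `helm install --verify` would on a user's machine.
      - name: Verify provenance with the public key alone
        run: |
          set -euo pipefail
          shopt -s nullglob               # no changed charts means nothing to verify
          gpg --batch --export > "$RUNNER_TEMP/pubring.gpg"
          for tgz in .cr-release-packages/*.tgz; do
            test -f "$tgz.prov"           # provenance file must sit beside the package
            helm verify --keyring "$RUNNER_TEMP/pubring.gpg" "$tgz"
          done
```

Two things the workflow does not do for you. The `.prov` file only helps if it is published next to the `.tgz` in the release and the chart repository index, because that is where `helm install --verify` and Artifact Hub look for it, and Artifact Hub additionally needs to be told where the public key lives (the `artifacthub.io/signKey` annotation in Chart.yaml that a later comment in this thread refers to). Also, a private key stored as a repository secret is readable by any workflow that can use secrets, so keep the signing secrets in a GitHub environment restricted to the release branch, and rotate the key if a workflow with access to it is ever compromised.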

We will need a maintainer to add the following environment variables for this task: HELM_SIGNING_PRIVATE_KEY and HELM_SIGNING_PRIVATE_KEY_PASSPHRASE.

They can make the key themselves, or I can send it to them to upload as I do not have access, and then I can make the PR.

bradmccoydev, May 07 '23 23:05

I have no access to do it. @thschue, you own the repo on Artifact Hub.

AlexsJones, May 09 '23 08:05

It is actually the GitHub repo secrets, sorry I wasn't clear. Then we only need to add the annotations on the Chart.yaml for the public key.

bradmccoydev, May 09 '23 09:05

Hey @AlexsJones ! I'd like to work on this issue.

nox1134, Jan 25 '24 09:01