[Question] Is the plugin supposed to push the provenance file?
Hello, I started using the push plugin (Thanks!).
It seems like the plugin does not handle pushing the provenance file. Am I missing something? How would you advise doing that?
@quantumlicht Hi. There is currently no support for provenance files with the plugin.
Could you describe how you would expect UX to look for this? Something like
helm push --sign mychart/ chartmuseum
?
This would be a decent way to build that. However, in the case that you want to push a release that is already packaged and signed, I think the flag might be somewhat misleading in terms of naming.
In terms of expected behavior, if I run this command:
helm push mychart-0.1.0.tgz chartmuseum
I would expect this to push mychart-0.1.0.tgz, but also mychart-0.1.0.tgz.prov, if it's available. Would it make sense?
You might want to enforce verification just to make sure that we only push valid signed releases. In that case, you would also need to provide an option to specify the keyring to use (similar to helm verify).
If I can help with anything, please let me know.
@quantumlicht if you want to try implementing your suggestion above, please feel free.
I'm looking through the code - the only challenge I can see is that the chart uploaded via this plugin is actually one that is created dynamically by the plugin. This piece is required in order for us to support the --version flag (supplying a custom version).
You would essentially need to apply this version substitution to the provenance file as well, which may not be trivial. Or, alternatively, do not try to upload the .prov file if the --version flag is provided.
@jdolitsky @quantumlicht
I think we can make it a little simpler. As you suggested, once the user appends a flag like --sign,
helm push --sign mychart-0.1.0.tgz chartmuseum
we just locate the existing valid corresponding prov file mychart-0.1.0.tgz.prov and then upload it together with the chart file to the repo server.
For pushing a dir,
helm push --sign ./mychart chartmuseum
an error can be displayed directly, like helm install does, to tell the user this mode is not supported.
The prov file generation should be taken care of by helm package --sign, and verification should be covered by helm verify / helm install --verify. If the push command touches these things, there might be more flags needed to support it, like --key w/ --keystring etc.
@jdolitsky Hi, may I know if you have plans on this provenance support? Or are we supposed to wait for helm v3? Thanks!
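The approach discussed above (upload mychart-0.1.0.tgz.prov only when it sits beside the already-packaged archive) can be sketched as follows. This is an added Go example, not code from the plugin: provCovers and provToPush are hypothetical names, and the check relies on the `files:` section that Helm writes into a provenance file. It also shows why a chart repackaged for --version cannot reuse the original .prov, since the recorded digest no longer matches.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// provCovers reports whether the "files:" section of a Helm provenance file
// lists chartName with exactly this sha256 digest. Text inside the PGP
// signature block is ignored.
func provCovers(prov, chartName, digest string) bool {
	body, _, _ := strings.Cut(prov, "-----BEGIN PGP SIGNATURE")
	_, files, _ := strings.Cut(body, "\nfiles:")
	for _, line := range strings.Split(files, "\n") {
		if strings.TrimSpace(line) == chartName+": sha256:"+digest {
			return true
		}
	}
	return false
}

// provToPush (hypothetical helper) returns the .prov path to upload with
// chartPath, "" when the chart is unsigned, or an error when the .prov does
// not describe this archive. The PGP signature itself is left to helm verify.
func provToPush(chartPath string) (string, error) {
	prov, err := os.ReadFile(chartPath + ".prov")
	if errors.Is(err, os.ErrNotExist) {
		return "", nil // no provenance file: push the chart alone
	} else if err != nil {
		return "", err
	}
	chart, err := os.ReadFile(chartPath)
	if err != nil {
		return "", err
	}
	digest := fmt.Sprintf("%x", sha256.Sum256(chart))
	if !provCovers(string(prov), filepath.Base(chartPath), digest) {
		return "", fmt.Errorf("%s.prov does not list the sha256 of this archive", chartPath)
	}
	return chartPath + ".prov", nil
}

func main() {
	for _, chart := range os.Args[1:] {
		fmt.Println(provToPush(chart))
	}
}
```

A digest match only shows that the .prov belongs to this archive; whether the signature is trusted still depends on running helm verify against a keyring.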
Is the support for provenance present in helm v3?
D:\temp\harbor-helm>helm push --username admin --password xxx --sign abc-1.4.0-dev.tgz mytestlibrary
Error: unknown flag: --sign
Error: plugin "push" exited with error
Also wondering about this functionality
It would be great to have this functionality.