
Request: Upload Helm chart to OCI registry

Open joryirving opened this issue 9 months ago • 4 comments

What would you like to be added: With Helm v3.8.0, the OCI support became GA, which is an excellent chance to start publishing Helm charts to OCI-compliant registries. Quay / Dockerhub / GHCR support OCI artifacts and a lot of projects have been using them to publish their helm charts as OCI artifacts.

Why is this needed: It brings an opportunity to sign Helm charts stored as OCI Artifacts with cosign to provide their integrity and use GitOps tooling such as Flux to reconcile them as they were stored as OCI artifacts. Flux can reconcile OCI Artifacts and verify their integrity before reconciling them.

joryirving avatar Mar 14 '25 16:03 joryirving

Thank you @joryirving for creating this issue. I want this, too. Just requires some work behind the scenes.

marquiz avatar Mar 19 '25 19:03 marquiz

/assign @ozhuraki

#2151 worked!

helm install nfd oci://gcr.io/k8s-staging-nfd/charts/node-feature-discovery:0.18.0-devel-208-ge289f4c

marquiz avatar May 09 '25 07:05 marquiz

@marquiz: GitHub didn't allow me to assign the following users: ozhuraki.

Note that only kubernetes-sigs members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. For more information please see the contributor guide


k8s-ci-robot avatar May 09 '25 07:05 k8s-ci-robot

I think it would be very nice to be able to enable automatic signing with some kubernetes test-infra/prow account. I'm just totally lost on the details.

@joryirving do you have experience on cosign and how to integrate it in gcb-based infrastructure?

@ozhuraki please reach out to the #testing-ops channel in kubernetes slack and ask for help/instructions. Some questions quickly coming into my mind:

  • has cosign been used in k8s infrastructure by any project?
  • is there a gcb identity/service account that we could use for signing and/or how could we create an nfd-specific identity for that?
  • if we get to the point of signing staging images, does the image promoter also promote the signature blob?

Any thoughts?

marquiz avatar May 09 '25 08:05 marquiz

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Aug 07 '25 09:08 k8s-triage-robot

/lifecycle rotten

k8s-triage-robot avatar Sep 06 '25 09:09 k8s-triage-robot

/remove-lifecycle rotten

jcpunk avatar Sep 06 '25 17:09 jcpunk

I did some investigation last week and realized that the k8s test-infra image promoter signs (oci) helm charts. Those can be verified with cosign. Unfortunately cosign is not supported as part of the standard helm workflow. There's no way to make helm work with keyless sigstore signing that could be integrated with the k8s test-infra. Ref: https://github.com/helm/helm/issues/11496

I'd suggest that we could close this issue. Leave signed charts to a later exercise when Helm is ready to support that.

marquiz avatar Sep 08 '25 12:09 marquiz
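The Flux-side check mentioned in the issue description, which covers the gap noted in the comment above because Flux's source-controller does the cosign verification instead of Helm. This is an added example, not configuration from the thread or from the NFD project. The registry path, chart version, namespaces and signer identity are placeholders or assumptions to be replaced with the values published for the promoted chart.

```yaml
# Added example. Values in <angle brackets> are placeholders, not taken from the issue.
apiVersion: source.toolkit.fluxcd.io/v1   # older Flux releases serve this kind as v1beta2
kind: OCIRepository
metadata:
  name: node-feature-discovery
  namespace: flux-system                  # assumed namespace
spec:
  interval: 1h
  url: oci://<registry>/<path>/charts/node-feature-discovery
  ref:
    tag: <chart-version>
  # Select the Helm chart layer of the OCI artifact so HelmRelease can consume it.
  layerSelector:
    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
    operation: copy
  verify:
    provider: cosign
    # Keyless verification: no secretRef with public keys is given.
    # matchOIDCIdentity pins WHO signed; without it the check does not
    # constrain the signer identity. Both fields are regular expressions.
    matchOIDCIdentity:
      - issuer: "^<oidc-issuer-url>$"
        subject: "^<signer-identity>$"
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: nfd
  namespace: node-feature-discovery       # assumed namespace
spec:
  interval: 1h
  # The release is only reconciled from an artifact that passed
  # the signature check on the OCIRepository above.
  chartRef:
    kind: OCIRepository
    name: node-feature-discovery
    namespace: flux-system
```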

This looks to be available now

https://github.com/kubernetes-sigs/node-feature-discovery/releases/tag/v0.18.0

onedr0p avatar Oct 02 '25 20:10 onedr0p

@joryirving this can be closed ❤️

onedr0p avatar Oct 03 '25 01:10 onedr0p