Helm Plugin

Open developer-guy opened this issue 4 years ago • 4 comments

Description

There are very detailed guides about developing Helm plugins, so, AFAIK, this is all about providing a meta-data file called plugin.yaml.

We (w/ @dentrax) thought that we could develop a Helm plugin to allow signing all of the container images that are managed through the Helm Chart.

$ helm create my-chart

$ helm cosign sign --key (or keyless) my-chart
# we'll run the helm template command to get the whole manifest YAML file.
# we'll traverse the manifest YAML file, and extract the container images that we're going to sign
# sign them with cosign one by one.

WDYT?

References

  • https://helm.sh/docs/topics/plugins/
  • https://www.datree.io/resources/how-to-build-a-helm-plugin-in-minutes

developer-guy avatar Dec 01 '21 12:12 developer-guy
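The three steps sketched in the proposal (render with `helm template`, walk the manifests for image references, sign each with cosign) as a runnable prototype. This is an added example, not code from the issue authors or from the cosign project. It assumes the rendered manifests place `image:` on its own line (which `helm template` output does for standard workload kinds) and uses a line-oriented scan rather than a full YAML parser so it needs only the standard library; the `helm template` and `cosign sign [--key KEY] IMAGE` invocations are the real CLIs, keyless mode being what current cosign does when no `--key` is passed. The sample manifest is constructed for the offline demo.

```python
#!/usr/bin/env python3
"""Prototype of the proposed `helm cosign sign` flow (added example).

Renders a chart, collects every container image reference from the rendered
manifests, reports references that are not pinned by digest, and signs each
image with cosign.
"""
import re
import shlex
import subprocess
import sys
from typing import List, Optional

# An `image:` mapping key, optionally as a list item (`- image: ...`).
# The literal `:` after `image` keeps `imagePullPolicy:` from matching.
IMAGE_KEY = re.compile(r"^\s*(?:-\s+)?image:\s*(.*?)\s*$")

# A reference pinned by digest ends in `@sha256:<64 hex digits>`.
DIGEST_REF = re.compile(r"@sha256:[0-9a-f]{64}$")


def render_chart(chart_path: str, extra_args=()) -> str:
    """Step 1: `helm template <chart>` and return the multi-document YAML."""
    cmd = ["helm", "template", chart_path, *extra_args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def extract_images(manifest: str) -> List[str]:
    """Step 2: unique image references in first-seen order.

    Skips comment lines, strips an inline ` # comment`, and unquotes
    single- or double-quoted scalars.
    """
    images: List[str] = []
    for raw in manifest.splitlines():
        if raw.strip().startswith("#"):
            continue
        m = IMAGE_KEY.match(raw)
        if not m:
            continue
        value = m.group(1).split(" #")[0].strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        if value and value not in images:
            images.append(value)
    return images


def unpinned(images: List[str]) -> List[str]:
    """Tag-only references: cosign signs the digest the tag resolves to at
    signing time, but the chart keeps pulling by tag, so the signature may
    not cover what later gets deployed."""
    return [img for img in images if not DIGEST_REF.search(img)]


def cosign_sign_cmd(image: str, key: Optional[str] = None) -> List[str]:
    """Step 3: key-based signing when `key` is given, keyless otherwise."""
    cmd = ["cosign", "sign"]
    if key:
        cmd += ["--key", key]
    cmd.append(image)
    return cmd


def sign_images(images: List[str], key: Optional[str] = None, dry_run: bool = False) -> None:
    for image in images:
        cmd = cosign_sign_cmd(image, key)
        print(" ".join(shlex.quote(c) for c in cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)


# Constructed sample of `helm template` output (digest is sha256 of "").
SAMPLE_MANIFEST = """\
---
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      initContainers:
        - name: init
          image: "busybox:1.36"
          imagePullPolicy: IfNotPresent
      containers:
        - name: app
          image: ghcr.io/example/app@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
        - name: sidecar
          image: 'docker.io/library/nginx:1.25' # trailing comment
---
apiVersion: batch/v1
kind: CronJob
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: job
            image: busybox:1.36
"""

if __name__ == "__main__":
    # With a chart path: render it for real; without: run on the sample, dry-run.
    manifest = render_chart(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_MANIFEST
    found = extract_images(manifest)
    for img in unpinned(found):
        print(f"warning: {img} is not pinned by digest", file=sys.stderr)
    sign_images(found, key=None, dry_run=len(sys.argv) == 1)
```

Run with no arguments to see the commands it would issue for the sample manifest; pass a chart directory to render and sign for real (set `key="cosign.key"` in the call for key-based signing). The digest warning is the check worth keeping in a real plugin: signing a tag proves nothing about a later push to that tag.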

Question: how do you identify all the images referenced in a Helm chart?

Separately, Helm currently supports OpenPGP-based provenance files. Would it make sense to specify a mechanism of signing Helm charts with cosign (particularly since they can be stored in OCI repositories)?

evankanderson avatar Aug 11 '23 22:08 evankanderson

@evankanderson We have https://github.com/sigstore/helm-sigstore. I think this is what you were looking for.

hectorj2f avatar Aug 12 '23 14:08 hectorj2f

Have we tried to add a link to helm-sigstore from the Helm docs yet? If not, I'm happy to send a PR.

evankanderson avatar Aug 14 '23 16:08 evankanderson

@evankanderson I don't know if we haven't done that, to be honest.

hectorj2f avatar Aug 14 '23 16:08 hectorj2f