Merge pull request #925 from souleb/cosign-verify-helm

implement Cosign verification for HelmCharts
fluxcd · Oct 21, 2022 · 09cae78 · 09cae78
2 parents d372531 + 06a5559
commit 09cae78
Show file tree

Hide file tree

Showing 22 changed files with 805 additions and 115 deletions.
diff --git a/api/v1beta2/helmchart_types.go b/api/v1beta2/helmchart_types.go
@@ -86,6 +86,14 @@ type HelmChartSpec struct {
 	// NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092
 	// +optional
 	AccessFrom *acl.AccessFrom `json:"accessFrom,omitempty"`
+
+	// Verify contains the secret name containing the trusted public keys
+	// used to verify the signature and specifies which provider to use to check
+	// whether OCI image is authentic.
+	// This field is only supported when using HelmRepository source with spec.type 'oci'.
+	// Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.
+	// +optional
+	Verify *OCIRepositoryVerification `json:"verify,omitempty"`
 }
 
 const (

diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go
diff --git a/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml b/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml
@@ -403,6 +403,34 @@ spec:
                 items:
                   type: string
                 type: array
+              verify:
+                description: Verify contains the secret name containing the trusted
+                  public keys used to verify the signature and specifies which provider
+                  to use to check whether OCI image is authentic. This field is only
+                  supported when using HelmRepository source with spec.type 'oci'.
+                  Chart dependencies, which are not bundled in the umbrella chart
+                  artifact, are not verified.
+                properties:
+                  provider:
+                    default: cosign
+                    description: Provider specifies the technology used to sign the
+                      OCI Artifact.
+                    enum:
+                    - cosign
+                    type: string
+                  secretRef:
+                    description: SecretRef specifies the Kubernetes Secret containing
+                      the trusted public keys.
+                    properties:
+                      name:
+                        description: Name of the referent.
+                        type: string
+                    required:
+                    - name
+                    type: object
+                required:
+                - provider
+                type: object
               version:
                 default: '*'
                 description: Version is the chart version semver expression, ignored

diff --git a/config/testdata/helmchart-from-oci/source.yaml b/config/testdata/helmchart-from-oci/source.yaml
@@ -19,3 +19,17 @@ spec:
     name: podinfo
   version: '6.1.*'
   interval: 1m
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmChart
+metadata:
+  name: podinfo-keyless
+spec:
+  chart: podinfo
+  sourceRef:
+    kind: HelmRepository
+    name: podinfo
+  version: '6.2.1'
+  interval: 1m
+  verify:
+    provider: cosign