
The signature of the artifacts containing helm charts is not verified by flux

Summary

For deployments that use OCI artifacts, we verify the signature of the kustomize-units artifact, but not the signatures of the OCI artifacts containing the Helm charts.

This verification can be enabled per unit, in the chart spec of its HelmRelease:

units:
  <unit_name>:
    helmrelease_spec:
      chart:
        spec:
          verify:
            provider: cosign
            secretRef:
              name: cosign-public-keys

The verify object in the HelmRelease chart spec has the same format as the one added on the OCIRepository in !1234 (merged).

See https://fluxcd.io/flux/components/helm/api/v2/#helm.toolkit.fluxcd.io/v2.HelmChartTemplate
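As an added illustration (not Sylva or Flux code), the following Python audit walks a units: structure of the shape shown above and reports every unit whose HelmRelease chart would be pulled without cosign verification, then shows how the verify block from this issue would be applied to each of them. The sample units dict is constructed for the example (unit names and chart sources are assumptions); a real run would feed it yaml.safe_load() of the values file. Keep in mind that Flux only uses keys in the referenced secret whose names end in .pub.

```python
"""Audit Sylva-style `units:` values for HelmRelease chart signature verification.

Added example, not Sylva or Flux code. It inspects the same path the issue
shows (units.<name>.helmrelease_spec.chart.spec.verify) and reports units
whose chart would be fetched without cosign verification, plus a helper
that adds the verify block. The input is a constructed sample dict; in
practice it would come from yaml.safe_load() on the values file.
"""

from copy import deepcopy
from typing import Dict, Optional

# Constructed sample, shaped like the snippet in the issue. Unit names and
# the chart sources are assumptions for illustration only.
SAMPLE_UNITS = {
    "loki": {  # no verify block at all: chart pulled unverified
        "helmrelease_spec": {
            "chart": {"spec": {"chart": "oci://registry.example/charts/loki"}},
        },
    },
    "cert-manager": {  # verified against the cosign-public-keys secret
        "helmrelease_spec": {
            "chart": {
                "spec": {
                    "chart": "cert-manager",
                    "verify": {
                        "provider": "cosign",
                        "secretRef": {"name": "cosign-public-keys"},
                    },
                }
            },
        },
    },
    "broken": {  # verify block with neither a key secret nor an identity constraint
        "helmrelease_spec": {"chart": {"spec": {"verify": {"provider": "cosign"}}}},
    },
    "no-chart": {},  # unit without a HelmRelease (e.g. a kustomization): skipped
}


def chart_spec(unit: dict) -> Optional[dict]:
    """Return helmrelease_spec.chart.spec for a unit, or None if it has no HelmRelease."""
    try:
        return unit["helmrelease_spec"]["chart"]["spec"]
    except (KeyError, TypeError):
        return None


def verification_problem(spec: dict) -> Optional[str]:
    """Describe why a HelmChart spec would not enforce a constrained cosign verification."""
    verify = spec.get("verify")
    if not isinstance(verify, dict):
        return "no verify block"
    if verify.get("provider") != "cosign":
        return f"unsupported provider {verify.get('provider')!r}"
    secret = (verify.get("secretRef") or {}).get("name")
    # Flux keyless mode: without matchOIDCIdentity any Fulcio-issued identity is accepted
    identity = verify.get("matchOIDCIdentity")
    if not secret and not identity:
        return "verify block has neither secretRef nor matchOIDCIdentity"
    return None


def unverified_units(units: dict) -> Dict[str, str]:
    """Map unit name -> problem for every unit whose chart is not verified."""
    problems = {}
    for name, unit in units.items():
        spec = chart_spec(unit)
        if spec is None:
            continue
        problem = verification_problem(spec)
        if problem:
            problems[name] = problem
    return problems


def with_verification(units: dict, secret_name: str = "cosign-public-keys") -> dict:
    """Return a copy of `units` where every unverified HelmRelease chart verifies with `secret_name`."""
    fixed = deepcopy(units)
    for unit in fixed.values():
        spec = chart_spec(unit)
        if spec is not None and verification_problem(spec):
            spec["verify"] = {"provider": "cosign", "secretRef": {"name": secret_name}}
    return fixed


if __name__ == "__main__":
    for name, problem in unverified_units(SAMPLE_UNITS).items():
        print(f"{name}: {problem}")
    print("after fix:", unverified_units(with_verification(SAMPLE_UNITS)))
```

Running the audit before merging a values change makes the gap this issue describes visible per unit instead of being discovered only when a HelmRelease fails to reconcile.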

Putting a wrong key in the secret does make the HelmRelease fail, with the message:

message: 'HelmChart ''sylva-system/sylva-system-loki'' is not ready: chart verification error: failed to verify oci://172.20.136.39/proxy_cache_registry.gitlab.com/sylva-projects/sylva-core/loki:v3.3.2: no matching signatures: invalid signature when validating ASN.1 encoded signature'

The HelmRelease reconciles successfully when the secret contains the public key matching the key that signed the artifact.

Related references

!1234 (merged)
