Sign Helm charts pushed in the OCI registry (!651) · Merge requests · Sylva-projects / sylva-core · GitLab

What does this MR do and why?

This MR signs helm charts pushed to the OCI registry if, and only if, the Gitlab variables COSIGN_PRIVATE_KEY is set.

This is the first piece of the full picture described in:

https://fluxcd.io/blog/2022/11/verify-the-integrity-of-the-helm-charts-stored-as-oci-artifacts-before-reconciling-them-with-flux/

Related reference(s)

RFE https://gitlab.com/sylva-projects/sylva/-/tree/rfe-supply-chain-security/RFE?ref_type=heads

Test coverage

Signature upload tested in the project https://gitlab.com/sylva-projects/sylva-elements/diskimage-builder
Script push-helm-charts-artifacts.sh with signature ran manually
CI launched without signature to check that the MR does not break the actual behaviour

Edited Jul 20, 2023 by Pierrick Seite