Deploying BigBang and BigBang packages using Signed HelmRepository artifactsπ
Artifact Signing Introductionπ
Kubernetes and Flux2 both support ways to verify artifacts are signed according to the SigStore Cosign signature published with their Release Artifacts on Gitlab.
As part of the existing BigBang Releases, packages and BigBang Release artifacts will now also have cosign signatures published to registry1. This is only available for use when your packages are set to use sourceType: helmRepo
(default is βgitβ). Combined with <package_name>.helmRepo.cosignVerify: true
flux2 will verify signatures of HelmRepositories installed in the cluster.
The following example shows how to configure and enable public key verification for Helm Repositories:
helmRepositories:
- name: "registry1"
repository: "oci://registry1.dso.mil/bigbang"
existingSecret: "private-registry"
type: "oci"
username: ""
password: ""
email: ""
cosignPublicKeys:
key1: |
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIE7v9J6ttQus6itUoyfMCqMjaIqm
R8XrntaedsdEhPPchOQuFzqTyyAPGifV1SaEu8medVRi6mVICWbVwOteNg==
-----END PUBLIC KEY-----
- name: "registry2"
repository: "oci://registry1.dso.mil/bigbang"
existingSecret: "private-registry"
type: "oci"
username: ""
password: ""
email: ""
cosignPublicKeys:
registry2-key: |
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
registry2-key2: |
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
- name: "registry3"
repository: "oci://registry1.dso.mil/bigbang"
existingSecret: "private-registry"
type: "oci"
username: ""
password: ""
email: ""
cosignPublicKeys: []
- name: "registry4"
repository: "oci://registry1.dso.mil/bigbang"
existingSecret: "private-registry"
type: "oci"
username: ""
password: ""
email: ""
cosignPublicKeys:
registry4-public: |
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
istio:
sourceType: "helmRepo"
helmRepo:
cosignVerify: true
istioOperator:
sourceType: "helmRepo"
helmRepo:
cosignVerify: true
kiali:
sourceType: "helmRepo"
helmRepo:
repoName: "registry2"
cosignVerify: true
kyverno:
sourceType: "helmRepo"
helmRepo:
repoName: "registry3"
cosignVerify: true
More Readingπ
Last update:
2024-01-16 by Ryan Garcia