I've searched for similar issues and couldn't find anything matching
I've discussed this feature request in the K8sGPT Slack and got positive feedback
Is this feature request related to a problem?
No
Problem Description
Helm Provenance and Integrity
Helm has provenance tools which help chart users verify the integrity and origin of a package. Using industry-standard tools based on PKI, GnuPG, and well-respected package managers, Helm can generate and verify signature files.
Integrity is established by comparing a chart to a provenance record. Provenance records are stored in provenance files, which are stored alongside a packaged chart. For example, if a chart is named myapp-1.2.3.tgz, its provenance file will be myapp-1.2.3.tgz.prov.
Provenance files are generated at packaging time (helm package --sign ...), and can be checked by multiple commands, notably helm install --verify.
It is easy to do, so I propose that we do it. We can add this capability on to the helm-chart-releaser that we already use.
Solution Description
Create a GPG key and passphrase
Upload them to GitHub Secrets
Update the GitHub Action to sign the chart
Benefits
People will trust the charts more, and enterprises with proper security processes and practices will be able to tick their compliance boxes and adopt it.
Potential Drawbacks
No Drawbacks
Additional Information
No response
Right now ArtifactHub shows the Helm chart as not signed. This could stop some people from adopting it. https://artifacthub.io/packages/helm/k8sgpt/k8sgpt-operator
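A release workflow that carries out the three solution steps above (key in secrets, Action updated to sign), written here as an added example and not the k8sgpt-operator project's own workflow. The secret names, the key uid, and the cr.yaml keys (assumed to mirror chart-releaser's `package --sign`, `--key`, `--keyring` and `--passphrase-file` flags) are assumptions; `helm package --sign` and `helm verify` are the underlying Helm commands the issue refers to.

```yaml
name: Release signed charts

on:
  push:
    branches: [main]

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write          # chart-releaser creates releases and pushes the index
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0       # chart-releaser needs full history to detect changed charts

      - uses: azure/setup-helm@v4

      # Assumed repository secrets (not from the issue):
      #   CHART_SIGNING_KEYRING    base64 of a legacy-format secret keyring, produced
      #                            once offline with: gpg --export-secret-keys KEYID | base64 -w0
      #   CHART_SIGNING_PASSPHRASE the passphrase protecting that key
      # Helm only reads the old GnuPG keyring format, so the exported secring is stored
      # rather than an armoured key that GnuPG 2.1+ would import into its own key store.
      - name: Materialise signing key and passphrase (files readable only by the runner user)
        env:
          KEYRING_B64: ${{ secrets.CHART_SIGNING_KEYRING }}
          PASSPHRASE: ${{ secrets.CHART_SIGNING_PASSPHRASE }}
        run: |
          set -euo pipefail
          umask 077
          mkdir -p "$HOME/.gnupg"
          printf '%s' "$KEYRING_B64" | base64 -d > "$HOME/.gnupg/secring.gpg"
          printf '%s' "$PASSPHRASE" > "$HOME/.gnupg/passphrase"   # no trailing newline
          # cr config equivalent of: helm package --sign --key ... --keyring ... --passphrase-file ...
          cat > cr.yaml <<EOF
          sign: true
          key: "K8sGPT Chart Signing <charts@example.invalid>"   # placeholder key uid
          keyring: $HOME/.gnupg/secring.gpg
          passphrase-file: $HOME/.gnupg/passphrase
          EOF

      - name: Package, sign and publish
        uses: helm/chart-releaser-action@v1.6.0
        with:
          charts_dir: charts
          config: cr.yaml      # chart-releaser then emits <chart>.tgz.prov next to each .tgz
        env:
          CR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Users verify a release with `helm install --verify --keyring <public-keyring> ...` against the published public key, which has to be distributed separately; the secret keyring and passphrase only ever exist on the runner for the duration of the job.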