Uploaded image for project: 'OpenShift GitOps'
  1. OpenShift GitOps
  2. GITOPS-8097

Source Integrity Policies: Helm/OCI

XMLWordPrintable

    • Icon: Epic Epic
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • None
    • None
    • Source Integrity Policies: Helm/OCI
    • L
    • False
    • Hide

      None

      Show
      None
    • False
    • GITOPS-8846Source Integrity Policies
    • In Progress
    • GITOPS-8846 - Source Integrity Policies
    • 43% To Do, 29% In Progress, 29% Done

      Epic Goal


      • This extends the Source Integrity Policies SECFLOWOTL-229 to support verification of Helm charts and OCI artifacts in Argo CD. This enables organizations to enforce cryptographic verification of Helm charts and OCI artifacts before they are deployed, ensuring only signed and trusted artifacts can be synced.

      Why is this important?

      • Prevent Helm/OCI deployments from unverified contributors in Argo CD, ensuring only trusted, signed artifacts can be deployed to your clusters.

      Use Cases

      1. Users who use sources other than Git
      2. Users who use multi-source applications
      3. Users who have elevated security requirements
        • Organizations with compliance needs or strict security policies can enforce verification selectively, i.e. requiring signatures for production while allowing flexibility in development environments.

      Other Considerations

      Out of Scope

      • Keyless Verification (Cosign keyless mode using Fulcio certificates) - future enhancement
      • Chart Dependencies (Sub-charts) are not verified (only top-level chart)
      • Other Chart Versions verification (Only the specific chart version being deployed is verified)
         

      internal and external dependencies

      • PR #25148
      • Cosign Go Library (new)
      • GPG/OpenPGP Libraries (exists)
      • Helm CLI (exists)

      Upstream issues

      Definition of Ready

      • The epic has been broken down into stories.
      • Stories have been scoped.
      • The epic has been stack ranked.

      Definition of Done

      • Code Complete:
        • All code has been written, reviewed, and approved.
      • Tested:
        • Unit tests have been written and passed.
        • Integration tests have been completed.
        • System tests have been conducted, and all critical bugs have been fixed.
        • Tested on OpenShift either upstream or downstream on a local build
      • Documentation:
        • User documentation or release notes have been written.
      • Build:
        • Code has been successfully built and integrated into the main repository / project
      • Review:
        • Code has been peer-reviewed and meets coding standards.
        • All acceptance criteria defined in the user story have been met.
        • Tested by reviewer on OpenShift
      • Deployment:
        • The feature has been deployed on OpenShift cluster for testing
      • Acceptance:
        • Product Manager or stakeholder has reviewed and accepted the work.

              rh-ee-atali Atif Ali
              ogondza@redhat.com Oliver Gondza
              Tangerine
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: