Epic
Resolution: Done
Helm Chart certification without publishing
Problem:
Some partners are considering certifying their charts without publishing them in our https://charts.openshift.io/ repository. The reasoning behind this ask is that their charts have a unique delivery mechanism for their customers that does not necessarily involve having the chart in a chart repository. Some of them use FTP for this delivery.
Goal:
Since the chart is not to be published, we will create another index file that will not be exposed as a repository. This index file will contain the same information as our main index file. The partner will send a report-only submission as generated by chart verifier. We also need to define the process of exposing the hash of the charts on a public page so that their clients can verify the hash of the charts they get against the hash of the certified chart. We also need to harden our logic so that the certification cannot be tampered with; this might include additional changes to chart verifier.
To accomplish this we also need to add a flag in the OWNERS file that lets us know that the chart being certified is not to be published.
Why is it important?
Partners would like to get a certification stamp from Red Hat while maintaining control of the chart delivery mechanism.
Use cases
A telco that wants to certify its chart delivers the chart via FTP to its clients. Clients will install the chart in their cluster from the local file system. No repository is required in this case.
Acceptance criteria
- We can certify charts that are not published in our repo.
- We can publish these charts on a public website with the name, version and hash of the chart.
- We reject publish requests that are not report-only but are set as not to be published.
- New options are documented.
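The client-side check that the public name/version/hash page is meant to enable, as an added example that is not part of this epic or of chart verifier. It assumes the published hash is the SHA-256 of the chart archive (as in the `digest` field of a Helm index file) and that the listing is keyed by name and version; the function names and the sample chart are constructed for illustration.

```python
import hashlib
import hmac
import io
import tarfile

def chart_identity(archive):
    """Read name and version from the top-level Chart.yaml of a chart .tgz."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar:
            parts = member.name.split("/")
            if len(parts) == 2 and parts[1] == "Chart.yaml" and member.isfile():
                fields = {}
                for line in tar.extractfile(member).read().decode("utf-8").splitlines():
                    key, sep, value = line.partition(":")
                    if sep and not line[0].isspace():  # top-level scalar keys only
                        fields[key.strip()] = value.strip().strip("'\"")
                return fields["name"], fields["version"]
    raise ValueError("no top-level Chart.yaml in archive")

def verify_chart(archive, listing):
    """Compare a received archive with the published (name, version) -> hash listing."""
    try:
        name, version = chart_identity(archive)
    except (tarfile.TarError, ValueError, KeyError, EOFError, OSError):
        return "unreadable"
    expected = listing.get((name, version))
    if expected is None:
        return "not-listed"  # this name/version was never certified
    actual = hashlib.sha256(archive).hexdigest()
    return "match" if hmac.compare_digest(actual, expected.lower()) else "mismatch"

def build_sample_chart(name, version, extra=b""):
    """Construct a small chart archive in memory (sample data, not a real chart)."""
    files = {
        f"{name}/Chart.yaml": f"apiVersion: v2\nname: {name}\nversion: {version}\n".encode(),
        f"{name}/values.yaml": b"replicas: 1\n" + extra,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed listing: the hash of the certified archive as it would appear on the public page.
CERTIFIED = build_sample_chart("demo-chart", "1.2.0")
LISTING = {("demo-chart", "1.2.0"): hashlib.sha256(CERTIFIED).hexdigest()}
```

The check is only as trustworthy as the channel the listing is fetched over, so the listing should come from the public page and not from the same FTP delivery as the chart.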
Dependencies (External/Internal)
NA
Design Artifacts
NA
Exploration
NA