Story
Resolution: Unresolved
Owner: Architect: David Peraza
Story (Required)
As an ODC user, I would like to be able to verify the signature of charts that are signed, so I can validate their origin and integrity.
Background (Required)
We have already integrated chart verifier with ODC, and we are adding the chart signature check to chart verifier. The goal of this story is to make the public key used for chart verification available.
Glossary
Provenance file: as defined by the Helm docs, the file containing the signature bits for the chart. It is always expected to be in the same directory as the chart URL.
Out of scope
- UI components
- K8s API changes
In scope
- Helm backend changes
- oc helm changes (the CRD changes are already available and managed by the console operator)
Approach (Required)
There are two ways the public key could be made available:
- As with the provenance file, the key can be published in the same directory as the chart URL, following a naming convention such as [chart_tar_name].key. Fetching the file must be subject to a timeout.
- The HelmChartRepository and ProjectHelmChartRepository CRDs are extended to accept a list of ConfigMaps containing the keys for the repo. More than one key must be supported, to allow key rotation and charts signed with different private keys for other reasons.
The Helm backend code will first attempt to read the key from the chart URL. If that fails, it will try to read the key from the repository, and if that also fails, no key is passed to the chart verifier call. Chart verifier will recognize that, even though the chart is signed, there is no key for verification, and it will skip the check.
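The fallback order described above, as an added Go example that is not code from the ODC or oc helm projects: the KeyFetcher type, the MemoryFetcher helper and the `<chart_tar_name>.key` naming (appending `.key` to the chart archive name, as Helm appends `.prov`) are assumptions for illustration.

```go
package main

import (
	"context"
	"errors"
	"time"
)

// KeyFetcher fetches url's bytes and must stop when ctx expires (hypothetical; real code wraps an HTTP client).
type KeyFetcher func(ctx context.Context, url string) ([]byte, error)

// KeySource records which mechanism supplied the key, or none (verifier skips).
type KeySource string

const (
	SourceChartURL   KeySource = "chart-url"
	SourceRepository KeySource = "repository"
	SourceNone       KeySource = "none" // chart verifier skips the signature check
)

// ResolveVerificationKeys applies the story's fallback order and returns the
// keys to pass to chart verifier plus their source (nil keys = skip the check).
func ResolveVerificationKeys(chartURL string, fetch KeyFetcher, repoKeys [][]byte, timeout time.Duration) ([][]byte, KeySource) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	// Assumed naming: <chart_tar_name>.key next to the chart, like the .prov file.
	if key, err := fetch(ctx, chartURL+".key"); err == nil && len(key) > 0 {
		return [][]byte{key}, SourceChartURL
	}
	if len(repoKeys) > 0 { // several keys: rotation or charts signed by different keys
		return repoKeys, SourceRepository
	}
	return nil, SourceNone
}

// MemoryFetcher serves a constructed url->bytes map after a fixed delay and
// honours ctx, so the timeout in ResolveVerificationKeys can be exercised.
func MemoryFetcher(store map[string][]byte, delay time.Duration) KeyFetcher {
	return func(ctx context.Context, url string) ([]byte, error) {
		select {
		case <-ctx.Done():
			return nil, ctx.Err()
		case <-time.After(delay):
		}
		if b, ok := store[url]; ok {
			return b, nil
		}
		return nil, errors.New("no key at " + url)
	}
}
```

A slow key fetch that exceeds the timeout falls through to the repository keys, so a stalled chart host cannot block verification indefinitely.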
Demo requirements (Required)
A great demo for this would be to show two charts, one that fails the signature check and one that passes it. It would also be nice to show the two different mechanisms for sharing the key.
Dependencies
NA
Edge Case
NA
Acceptance Criteria
Chart signatures can be verified via the oc helm plugin verify call.
Unit tests cover the 3 states of the signature check (pass, fail, skip) and the 2 key storage mechanisms.
Upstream Docs: Yes. oc helm documentation.
Downstream: No. No UI changes.
Release Notes Type: Enhancement, no release note required
INVEST Checklist
Dependencies identified
Blockers noted and expected delivery timelines set
Design is implementable
Acceptance criteria agreed upon
Story estimated