Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: sign helm chart [HYB-731] #45

Merged
merged 1 commit into from
Nov 18, 2024
Merged

fix: sign helm chart [HYB-731] #45

merged 1 commit into from
Nov 18, 2024

Conversation

soniqua
Copy link
Contributor

@soniqua soniqua commented Nov 15, 2024
edited
Loading

What

  • Sign the Helm Chart with cosign, leveraging keyless signature via OIDC

Why

  • Maintaining a key requires additional operational considerations

More

Keyless signatures are beneficial as:

  • No private key material must be maintained or rotated
  • No public key material must be made avaialble to end users

How

The GitHub Actions OIDC token is supported by cosign as an OIDC provider - no additional configuration is required aside from specifying the id-token: write permission. This is why we need to sign OCI artefacts in a GitHub Actions workflow.

The CircleCI OIDC token does not support the required fields to be leveraged by cosign as a native OIDC provider (sigstore/fulcio#591).

Refs

@soniqua soniqua marked this pull request as ready for review November 15, 2024 15:26
@soniqua soniqua requested a review from a team as a code owner November 15, 2024 15:26
@soniqua soniqua requested review from aarlaud and saumilmac November 15, 2024 15:26
@soniqua soniqua force-pushed the fix/sign-helm-chart branch from b9a4352 to 7d82276 Compare November 15, 2024 15:27
@soniqua soniqua force-pushed the fix/sign-helm-chart branch from 7d82276 to c62f85e Compare November 15, 2024 15:40
@soniqua soniqua merged commit 742ee34 into rc Nov 18, 2024
6 checks passed
@soniqua soniqua deleted the fix/sign-helm-chart branch November 18, 2024 15:30
@soniqua soniqua changed the title fix: sign helm chart fix: sign helm chart [HYB-731] Nov 21, 2024
soniqua added a commit that referenced this pull request Nov 28, 2024
@soniqua @saumilmac
feat: initial release [HYB-698] (#51)
355a73f 
* feat: uni broker helm chart

* chore: [skip ci] remove tag

* fix: ci and release config (#17)

* fix: ci and release config

* chore: editorconfig

* fix: disable helm chart publishing

* chore: remove test cases doc

* fix: update ca cert trust settings (#18)

* fix: update ca cert trust settings

* fix: docs to readme, correct var to disable cert trust

* fix: correct dockerhub password

* fix: support ACCEPTS_ (#19)

* fix: support ACCEPTS_

* fix: dockerhub password

* chore: expand dockerhub password (#20)

* fix: correct serviceAccount format (#25)

* fix: add missing serviceName field (#26)

* ci: move kubeconform to validate step (#27)

* fix: correct tenant to region (#23)

* fix: custom docker registry (#35)

* fix: specify universal broker platform auth and credential references (#24)

* fix: implement ingress and service (#29)

* fix: implement ingress and service

* fix: high availability mode, limits and requests, tolerations, affinities (#30)

* fix: high availability mode, limits and requests

* fix: tolerations, selectors, affinities

* fix: security context, openshift adaptation (#28)

* fix: enable commit signing (#21)

* fix: broker serve tls (#22)

* fix: support outbound proxy config (#31)

* fix: extra k8s objects, sidecars, initContainers (#32)

* fix: add logging levels, probe definitions (#33)

* fix: insecure downstream mode (#34)

* fix: preflight checks (#36)

* fix: preflight checks

* fix: remove preflight checks disable value

* fix: strict schema checking, cleanup (#40)

* ci: enable deploy and test (#37)

* ci: adds a queue step to prevent concurrent deploy/test cycles

* ci: upsize executor

* ci: helmignore

* ci: remove useless log

* fix: add runtimeclass and priorityclass (#39)

* ci: enable helm push (#43)

* chore: apply prettier formatting (#41)

* chore: fix precommit config for prettier

* chore: prettier

* ci: add security gates (#42)

* ci: add gates to PR workflow

* ci: add template for IaC scan

* fix: sign helm chart (#45)

* docs: LICENSE (#46)

* fix: publish and sign jobs (#47)

* fix: add missing gh context

* fix: change trigger from check_suite to release

* ci: use team-hybrid-common for github token (#48)

* fix: strip v from tag (#49)

* fix: remove registry-1.docker.io prefix (#50)

* fix: ensure post install notes reflect the Snyk region (#52)

---------

Co-authored-by: saumil Macwan <[email protected]>
soniqua added a commit that referenced this pull request Nov 28, 2024
@soniqua @saumilmac
feat: initial release [HYB-698] (#51)
ff58b45 
* feat: uni broker helm chart

* fix: ci and release config (#17)

* fix: ci and release config

* chore: editorconfig

* fix: disable helm chart publishing

* chore: remove test cases doc

* fix: update ca cert trust settings (#18)

* fix: update ca cert trust settings

* fix: docs to readme, correct var to disable cert trust

* fix: correct dockerhub password

* fix: support ACCEPTS_ (#19)

* fix: support ACCEPTS_

* fix: dockerhub password

* chore: expand dockerhub password (#20)

* fix: correct serviceAccount format (#25)

* fix: add missing serviceName field (#26)

* ci: move kubeconform to validate step (#27)

* fix: correct tenant to region (#23)

* fix: custom docker registry (#35)

* fix: specify universal broker platform auth and credential references (#24)

* fix: implement ingress and service (#29)

* fix: implement ingress and service

* fix: high availability mode, limits and requests, tolerations, affinities (#30)

* fix: high availability mode, limits and requests

* fix: tolerations, selectors, affinities

* fix: security context, openshift adaptation (#28)

* fix: enable commit signing (#21)

* fix: broker serve tls (#22)

* fix: support outbound proxy config (#31)

* fix: extra k8s objects, sidecars, initContainers (#32)

* fix: add logging levels, probe definitions (#33)

* fix: insecure downstream mode (#34)

* fix: preflight checks (#36)

* fix: preflight checks

* fix: remove preflight checks disable value

* fix: strict schema checking, cleanup (#40)

* ci: enable deploy and test (#37)

* ci: adds a queue step to prevent concurrent deploy/test cycles

* ci: upsize executor

* ci: helmignore

* ci: remove useless log

* fix: add runtimeclass and priorityclass (#39)

* ci: enable helm push (#43)

* chore: apply prettier formatting (#41)

* chore: fix precommit config for prettier

* chore: prettier

* ci: add security gates (#42)

* ci: add gates to PR workflow

* ci: add template for IaC scan

* fix: sign helm chart (#45)

* docs: LICENSE (#46)

* fix: publish and sign jobs (#47)

* fix: add missing gh context

* fix: change trigger from check_suite to release

* ci: use team-hybrid-common for github token (#48)

* fix: strip v from tag (#49)

* fix: remove registry-1.docker.io prefix (#50)

* fix: ensure post install notes reflect the Snyk region (#52)

---------

Co-authored-by: saumil Macwan <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@saumilmac saumilmac saumilmac approved these changes

@aarlaud aarlaud Awaiting requested review from aarlaud aarlaud is a code owner automatically assigned from snyk/hybrid

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@soniqua @saumilmac