Merge pull request #3229 from fluxcd/rfc-0002-cosign

RFC-0002: Add Cosign verification for Helm OCI charts
fluxcd · Oct 24, 2022 · 6d110cd · 6d110cd
2 parents 64e76a2 + d015895
commit 6d110cd
Showing 1 changed file with 48 additions and 2 deletions.
diff --git a/rfcs/0002-helm-oci/README.md b/rfcs/0002-helm-oci/README.md
@@ -4,7 +4,7 @@
 
 **Creation date:** 2022-03-30
 
-**Last update:** 2022-08-24
+**Last update:** 2022-10-20
 
 ## Summary
 
@@ -22,6 +22,7 @@ they do today for container images.
 ### Goals
 
 - Add support for fetching Helm charts stored as OCI artifacts with minimal API changes to Flux.
+- Add support for verifying the authenticity of Helm OCI charts signed with Cosign.
 - Make it easy for users to switch from [HTTP/S Helm repositories](https://github.com/helm/helm-www/blob/416fabea6ffab8dc156b6a0c5eb5e8df5f5ef7dc/content/en/docs/topics/chart_repository.md)
   to OCI repositories.
 
@@ -40,7 +41,6 @@ Introduce an optional field called `provider` for
 [context-based authorization](https://fluxcd.io/flux/security/contextual-authorization/)
 to AWS, Azure and Google Cloud. The `spec.provider` is ignored when `spec.type` is set to `default`.
 
-
 ### Pull charts from private repositories
 
 #### Basic auth
@@ -92,6 +92,51 @@ controller will use a specific cloud SDK for authentication purposes.
 If both `spec.secretRef` and a non-generic provider are present in the definition,
 the controller will use the static credentials from the referenced secret.
 
+### Verify Helm charts
+
+To verify the authenticity of the Helm OCI charts, Flux will use the Sigstore Go SDK and implement verification
+for artifacts which were either signed with keys generated by Cosign or signed using the Cosign
+[keyless method](https://github.com/sigstore/cosign/blob/main/KEYLESS.md).
+
+To enable signature verification, the Cosign public keys can be supplied with:
+
+```yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmChart
+metadata:
+  name: <chart-name>
+spec:
+  verify:
+    provider: cosign
+    secretRef:
+      name: cosign-public-keys
+```
+
+Note that the Kubernetes secret containing the Cosign public keys, must use `.pub` extension:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cosign-public-keys
+type: Opaque
+stringData:
+  key1.pub: <pub-key-1>
+  key2.pub: <pub-key-2>
+```
+
+For verifying public Helm charts which are signed using the keyless method,
+the `spec.verify.secretRef` field must be omitted:
+
+```yaml
+spec:
+  verify:
+    provider: cosign
+```
+
+When using the keyless method, Flux will verify the signatures in the Rekor
+transparency log instance hosted at [rekor.sigstore.dev](https://rekor.sigstore.dev/).
+
 ### User Stories
 
 #### Story 1
@@ -231,6 +276,7 @@ The feature is enabled by default.
 * **2022-06-06** First implementation released with [flux2 v0.31.0](https://github.com/fluxcd/flux2/releases/tag/v0.31.0)
 * **2022-08-11** Resolve chart dependencies from OCI released with [flux2 v0.32.0](https://github.com/fluxcd/flux2/releases/tag/v0.32.0)
 * **2022-08-29** Contextual login for AWS, Azure and GCP released with [flux2 v0.33.0](https://github.com/fluxcd/flux2/releases/tag/v0.33.0)
+* **2022-10-21** Verifying Helm charts with Cosign released with [flux2 v0.36.0](https://github.com/fluxcd/flux2/releases/tag/v0.36.0)
 
 ### TODOs