Kong / charts

Helm chart for Kong
Apache License 2.0

Make it possible to verify released charts integrity #982

Open czeslavo opened 7 months ago

czeslavo commented 7 months ago

Description

Currently, when we release a chart we do not publish a provenance file alongside that is required to ensure the chart integrity (e.g. when calling helm install --verify kong/kong). To read more about the topic, check out the Helm docs on it: https://helm.sh/docs/topics/provenance/.

Without the provenance file distributed alongside the chart tgz, it fails like so:

helm pull --verify kong/kong
Error: failed to fetch provenance "https://github.com/Kong/charts/releases/download/kong-2.33.2/kong-2.33.2.tgz.prov"

Proposed solution

An example of how to configure the helm/chart-releaser-action GitHub action to sign the chart: https://github.com/inaccel/helm/commit/71b1408864cf45a47c6db171a8e6e7dc64b08aba

That would require generating a GPG key, storing it and its passphrase in the repository secrets, and using it as it's done in the example.

Acceptance criteria
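As an added example (not code from the Kong/charts project or from the issue author), the script below shows what the missing .prov file actually carries and what `helm verify` / `helm install --verify` check against it: the clear-signed message body is the chart's Chart.yaml, a YAML document-end marker, and a `files:` map of tarball name to `sha256:<hex>`. `build_message_block` lays out that body the way the Helm provenance docs describe it, and `chart_digest_matches` performs the integrity half of the check by parsing a .prov and comparing the tarball digest. The PGP signature itself is left to `gpg --verify` (or `helm verify`) with the publisher's public key in the keyring, which this script does not run. Function names, the `CHART_YAML` text and the `SAMPLE_TGZ` bytes are constructed for the example; the file name `kong-2.33.2.tgz` is taken from the error message above.

```python
"""Helm provenance (.prov) handling: build the clear-signed message body and
verify a chart tarball's digest against a .prov file.

Added example, not Kong/charts code. Only the integrity (digest) half of the
verification is implemented; the PGP signature check is delegated to gpg.
"""
import hashlib
import hmac
import re

# Markers of the PGP clear-signed envelope around the provenance message.
PGP_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
PGP_SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
PGP_SIG_END = "-----END PGP SIGNATURE-----"

# One entry of the `files:` map: "  <tarball>: sha256:<64 hex chars>".
FILE_LINE = re.compile(r"^\s+(?P<name>\S+):\s+sha256:(?P<digest>[0-9a-f]{64})\s*$")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the algorithm Helm records in the files map."""
    return hashlib.sha256(data).hexdigest()


def build_message_block(chart_yaml: str, tgz_name: str, tgz_bytes: bytes) -> str:
    """Return the body that `helm package --sign` clear-signs:
    Chart.yaml, a '...' document-end marker, then the files map."""
    return (
        f"{chart_yaml.rstrip()}\n\n...\n"
        f"files:\n  {tgz_name}: sha256:{sha256_hex(tgz_bytes)}\n"
    )


def parse_provenance(prov_text: str) -> dict:
    """Extract the `files:` digests from a .prov file.

    Only lines between the PGP header and the signature block are read, so a
    digest appended outside the signed region is ignored rather than trusted.
    """
    lines = prov_text.splitlines()
    if not lines or lines[0].strip() != PGP_HEADER:
        raise ValueError("not a PGP clear-signed provenance file")
    digests = {}
    in_files = False
    for line in lines[1:]:
        if line.strip() == PGP_SIG_BEGIN:
            break
        if line.strip() == "files:":
            in_files = True
            continue
        if in_files:
            m = FILE_LINE.match(line)
            if m:
                digests[m.group("name")] = m.group("digest")
    if not digests:
        raise ValueError("provenance file lists no chart digests")
    return digests


def chart_digest_matches(tgz_name: str, tgz_bytes: bytes, prov_text: str) -> bool:
    """Integrity check: does the tarball's SHA-256 match the signed digest?

    A True result only means the bytes match what the .prov lists; authenticity
    additionally requires `gpg --verify` on the .prov against a trusted key.
    """
    expected = parse_provenance(prov_text).get(tgz_name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_hex(tgz_bytes))


# Constructed sample data (hypothetical Chart.yaml and tarball contents).
CHART_YAML = "apiVersion: v2\nname: kong\nversion: 2.33.2\n"
SAMPLE_TGZ = b"constructed stand-in for the kong-2.33.2.tgz bytes"
SAMPLE_PROV = (
    PGP_HEADER + "\nHash: SHA512\n\n"
    + build_message_block(CHART_YAML, "kong-2.33.2.tgz", SAMPLE_TGZ)
    + PGP_SIG_BEGIN + "\n\n<signature omitted in this constructed sample>\n"
    + PGP_SIG_END + "\n"
)

if __name__ == "__main__":
    print("digests in .prov:", parse_provenance(SAMPLE_PROV))
    print("intact tarball:", chart_digest_matches("kong-2.33.2.tgz", SAMPLE_TGZ, SAMPLE_PROV))
    print("tampered tarball:", chart_digest_matches("kong-2.33.2.tgz", SAMPLE_TGZ + b"!", SAMPLE_PROV))
```

In a release workflow the .prov would be produced by chart-releaser's signing options with the GPG key from repository secrets, and a consumer's check is the digest comparison above plus `gpg --verify kong-2.33.2.tgz.prov` against the publisher's public key; a matching digest with an unverified or missing signature still gives no assurance about who published the chart.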