sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

Helm Plugin #1118

Open developer-guy opened 2 years ago

developer-guy commented 2 years ago

Description

There are very detailed guides about developing Helm plugins, so, AFAIK, this is all about providing a metadata file called plugin.yaml.

We (w/@dentrax) thought that we could develop a helm plugin to allow signing all of the container images that are managed through the Helm Chart.

$ helm create my-chart

$ helm cosign sign --key (or keyless) my-chart
# we'll run the helm template command to get the whole manifest YAML file.
# we'll traverse the manifest YAML file, and extract the container images that we're going to sign
# sign them with cosign one by one.

WDYT?

References

evankanderson commented 1 year ago

Question: how do you identify all the images referenced in a Helm chart?

Separately, Helm currently supports OpenPGP-based provenance files. Would it make sense to specify a mechanism of signing Helm charts with cosign (particularly since they can be stored in OCI repositories)?
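The render, extract and sign loop proposed in the issue, and the question of how the images are found, as an added shell example; this is not code from cosign, Helm or anyone in this thread. It assumes a script name of helm-cosign-sign.sh and a COSIGN environment variable for swapping the binary (both my choices, not project conventions), reads already-rendered manifests from stdin (in real use, `helm template my-chart`), and carries a constructed sample manifest so it runs without a chart or a registry:

```shell
#!/bin/sh
# Added example, not code from cosign, Helm or the issue author. Implements the
# three steps the issue proposes (render, extract images, sign each one) for a
# manifest read from stdin. Only POSIX awk/sort are required. COSIGN (assumed
# variable name) lets a caller swap the binary, e.g. COSIGN=echo for a dry run.

# Print the unique image references found in `image:` keys of a multi-document
# YAML manifest on stdin. Handles "- image: x", quoted values and trailing
# comments. Caveat: this is line-based, so an `image:` line inside a ConfigMap
# block scalar is also reported, and images carried in other keys are missed.
extract_images() {
    awk '
        /^[ \t]*(-[ \t]+)?image:[ \t]*/ {
            sub(/^[ \t]*(-[ \t]+)?image:[ \t]*/, "")
            sub(/[ \t]+#.*$/, "")               # drop a trailing YAML comment
            gsub(/^["'\'']|["'\'']$/, "")       # strip surrounding quotes
            if ($0 != "") print
        }
    ' | sort -u
}

# Sign every image read from stdin, one per line. Arguments are passed through
# to `cosign sign` (e.g. --key cosign.key; none for keyless). cosign's stdin is
# redirected so an interactive keyless flow cannot swallow the image list.
# cosign resolves a tag to its digest before signing, but that is the digest at
# this moment; pin digests in the chart so the signed image is the one that runs.
sign_images() {
    status=0
    while IFS= read -r img; do
        [ -n "$img" ] || continue
        "${COSIGN:-cosign}" sign "$@" "$img" </dev/null || status=1
    done
    return "$status"
}

# Constructed stand-in for `helm template my-chart` output (not a real chart).
sample_manifest() {
    cat <<'EOF'
---
# Source: my-chart/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-chart
spec:
  template:
    spec:
      initContainers:
        - name: wait-for-db
          image: "busybox:1.36"   # quoted, with a trailing comment
      containers:
        - name: web
          image: nginx:1.25.3
          imagePullPolicy: IfNotPresent
        - image: 'registry.example.com/app/sidecar@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
          name: sidecar
---
# Source: my-chart/templates/cronjob.yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: my-chart-backup
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
            - name: backup
              image: nginx:1.25.3
EOF
}

# Usage:
#   ./helm-cosign-sign.sh --demo                          dry run on the sample
#   helm template my-chart | ./helm-cosign-sign.sh --run --key cosign.key
#   helm template my-chart | ./helm-cosign-sign.sh --run  (keyless)
case "${1:-}" in
    --demo) sample_manifest | extract_images | COSIGN=echo sign_images --key cosign.key ;;
    --run)  shift; extract_images | sign_images "$@" ;;
esac
```

On the identification question: the line-based scan above is what most quick plugins do, and it is both over- and under-inclusive. It reports any `image:` key at the start of a line, including ones inside ConfigMap block scalars or CRD fields, and it cannot see images that a CRD spells as separate `repository` and `tag` fields. A YAML-aware walk of `.spec.template.spec.containers[]` and `initContainers[]` per rendered object (yq, or Go with the Kubernetes types) is the robust version; the loop and the signing step stay the same.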

hectorj2f commented 1 year ago

@evankanderson We have https://github.com/sigstore/helm-sigstore. I think this is what you were looking for.

evankanderson commented 1 year ago

Have we tried to add a link to helm-sigstore from the Helm docs yet? If not, I'm happy to send a PR.

hectorj2f commented 1 year ago

@evankanderson I don't know if we have done that, to be honest.