Open developer-guy opened 2 years ago
Question: how do you identify all the images referenced in a Helm chart?
Separately, Helm currently supports OpenPGP-based provenance files. Would it make sense to specify a mechanism of signing Helm charts with cosign (particularly since they can be stored in OCI repositories)?
@evankanderson We have https://github.com/sigstore/helm-sigstore. I think this is what you were looking for.
Have we tried to add a link to helm-sigstore from the Helm docs yet? If not, I'm happy to send a PR.
@evankanderson I don't know if we haven't done that to be honest.
Description
There are very detailed guides about developing Helm plugins, so, AFAIK, this is all about providing a meta-data file called plugin.yaml. We (w/@dentrax) thought that we can develop a Helm plugin to allow signing all of the container images that are managed through the Helm Chart.
WDYT?
References
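
One way to approach the question above of which images a chart references, and the proposal to sign them, is to render the chart with `helm template`, collect the `image:` fields and pass the digest-pinned ones to `cosign sign`. This is an added example, not code from this thread or from helm-sigstore; the function names, the key argument and the sample manifest are assumptions constructed for illustration.

```sh
# Added example (function names are hypothetical, not from helm-sigstore).
# Read rendered manifests (multi-document YAML) on stdin; print unique image refs.
extract_images() {
    sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*image:[[:space:]]*//p' |
        sed -e 's/[[:space:]]*#.*$//' -e "s/^[\"']//" -e "s/[\"']\$//" |
        grep -v '^$' | sort -u
}

# A tag can be repointed after signing; only a digest names fixed content.
is_digest_pinned() {
    case "$1" in *@sha256:*) return 0 ;; *) return 1 ;; esac
}

# $1 = chart path, $2 = cosign key reference (both supplied by the caller).
sign_chart_images() {
    for img in $("${HELM_BIN:-helm}" template "$1" | extract_images); do
        if is_digest_pinned "$img"; then
            cosign sign --key "$2" "$img"
        else
            echo "not signed (tag only, resolve to a digest first): $img" >&2
        fi
    done
}

# Constructed sample of `helm template` output, used for an offline check.
sample_manifest() {
    cat <<'EOF'
kind: Deployment
spec:
  initContainers:
    - name: init
      image: "busybox:1.36"
  containers:
    - image: ghcr.io/example/api@sha256:0000000000000000000000000000000000000000000000000000000000000000  # pinned
      imagePullPolicy: IfNotPresent
    - name: web
      image: nginx:1.25
---
kind: Job
spec:
  containers:
    - name: web
      image: nginx:1.25
EOF
}

sample_manifest | extract_images
```

Images named only in environment variables, container arguments or custom resources are not matched by the `image:` pattern, so treat the list as a lower bound.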