...
```bash
cosign sign --key cosign.key <registry-host>/<org>/charts/<app-name>:<app-version>

# Example:
cosign sign --key cosign.key ncydacrinprogress.azurecr.io/charts/kowl:22.0.1-4040670
```
Add the public key to the cluster
```bash
kubectl -n flux-system create secret generic cosign-pub --from-file=cosign.pub=cosign.pub

# Example:
cd ~/cosign
kubectl -n ncyd-flux create secret generic cosign-pub --from-file=cosign.pub=cosign.pub
```
Modify the HelmRelease to verify the Helm chart
```yaml
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
  name: <app-name>
spec:
  interval: 1h
  chart:
    spec:
      chart: <app-name>
      version: <app-version>
      sourceRef:
        kind: HelmRepository
        name: helm-charts
      verify:
        provider: cosign
        secretRef:
          name: cosign-pub
```
When using a customization override
kowl.yaml:

```yaml
---
# set $patch: delete to exclude from installation
#$patch: delete
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: kowl
  namespace: ncyd-flux
spec:
  chart:
    spec:
      version: '22.0.1-4040670'
      verify:
        provider: cosign
        secretRef:
          name: cosign-pub
  values:
    imagePullSecrets:
      - name: regcred
    image:
      registry: ncydacrinprogress.azurecr.io
```
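An added example (not part of the original page or of Flux): a small Python audit that takes HelmRelease and Secret objects as `kubectl ... -o json` returns them and reports every release whose chart is not verified against a cosign public-key secret the way the steps above configure it. The sample objects are constructed; looking the secret up in the chart source's namespace and expecting a data key ending in `.pub` are assumptions about how Flux resolves `verify.secretRef`.

```python
import json
import sys

def audit(helmreleases, secrets):
    """Return (namespace/name, finding) for each HelmRelease lacking key-based cosign verification."""
    # Map (namespace, secret name) -> set of data keys stored in that secret.
    keys = {(s["metadata"].get("namespace"), s["metadata"]["name"]): set(s.get("data") or {})
            for s in secrets}
    findings = []
    for hr in helmreleases:
        ns = hr["metadata"].get("namespace")
        ident = f"{ns}/{hr['metadata']['name']}"
        chart = hr.get("spec", {}).get("chart", {}).get("spec", {})
        verify = chart.get("verify") or {}
        ref = (verify.get("secretRef") or {}).get("name")
        # Assumption: the secret sits in the chart source's namespace (sourceRef.namespace, else the release's).
        secret_ns = chart.get("sourceRef", {}).get("namespace") or ns
        if not verify:
            msg = "no spec.chart.spec.verify block, chart signature is never checked"
        elif verify.get("provider") != "cosign":
            msg = f"verify.provider is {verify.get('provider')!r}, not 'cosign'"
        elif not ref:
            msg = "verify has no secretRef, so no public key is pinned"
        elif (secret_ns, ref) not in keys:
            msg = f"secret {secret_ns}/{ref} not found"
        elif not any(k.endswith(".pub") for k in keys[(secret_ns, ref)]):
            msg = f"secret {secret_ns}/{ref} has no key ending in .pub"
        else:
            continue
        findings.append((ident, msg))
    return findings

def sample_release(name, verify=None, ns="ncyd-flux"):  # constructed sample HelmRelease
    spec = {"sourceRef": {"kind": "HelmRepository", "name": "helm-charts"}, "verify": verify}
    return {"metadata": {"name": name, "namespace": ns}, "spec": {"chart": {"spec": spec}}}

GOOD = {"provider": "cosign", "secretRef": {"name": "cosign-pub"}}
SAMPLE_RELEASES = [sample_release("kowl", GOOD), sample_release("unsigned-app"),
                   sample_release("wrong-secret", {"provider": "cosign", "secretRef": {"name": "cosign-key"}})]
SAMPLE_SECRETS = [{"metadata": {"name": "cosign-pub", "namespace": "ncyd-flux"},
                   "data": {"cosign.pub": "<base64 public key>"}}]

if __name__ == "__main__":
    # Live use: two files holding `kubectl get helmreleases -A -o json` and
    # `kubectl get secrets -A -o json`; with no arguments the sample is audited.
    loaded = [json.load(open(p))["items"] for p in sys.argv[1:3]]
    hrs, secs = loaded if len(loaded) == 2 else (SAMPLE_RELEASES, SAMPLE_SECRETS)
    for ident, msg in audit(hrs, secs):
        print(f"{ident}: {msg}")
```

A release patched through an override such as kowl.yaml is audited in its merged form, so run this against the objects in the cluster rather than the individual patch files.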
References