
I think we need to define an OCI repository. Currently we have a Helm repository.


Define an OCI Repository

Code Block (yaml)
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: ncyd-oci-virtual
  namespace: ncyd-flux
spec:
  type: "oci"
  interval: 1m0s
  secretRef:
    name: regcred
  url: oci://ncydacrinprogress.azurecr.io/charts

Use it..

Code Block (kowl.yaml)
---
# set $patch: delete to exclude from installation
#$patch: delete

apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: kowl
  namespace: ncyd-flux
spec:
  chart:
    spec:
      chart: kowl  # chart name under the OCI repository (required by HelmRelease)
      version: '22.0.1-4040670'
      sourceRef:
        kind: HelmRepository
        name: ncyd-oci-virtual
      verify:
        provider: cosign
        secretRef:
          name: cosign-pub
  values:
    imagePullSecrets:
      - name: regcred
    image:
      registry: ncydacrinprogress.azurecr.io


Code Block
> kubectl events -n ncyd-flux --watch

0s (x4 over 20s)       Warning   ChartVerificationError       HelmChart/ncyd-flux-kowl                     chart verification error: failed to verify oci://ncydacrinprogress.azurecr.io/charts/kowl:22.0.1-4042072: no matching signatures: invalid signature when validating ASN.1 encoded signature


> f logs -f source-controller-f7dbc4597-vwwj2

{"level":"error","ts":"2024-03-15T16:08:05.400Z","msg":"Reconciler error","controller":"helmchart","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"HelmChart","HelmChart":{"name":"ncyd-flux-kowl","namespace":"ncyd-flux"},"namespace":"ncyd-flux","name":"ncyd-flux-kowl","reconcileID":"c29c0b58-cf10-4d1d-a290-ecb997acf1ac","error":"chart verification error: failed to verify oci://ncydacrinprogress.azurecr.io/charts/kowl:22.0.1-4042072: no matching signatures: invalid signature when validating ASN.1 encoded signature"}
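As an added example (not part of the original page), a small Python triage helper that parses source-controller JSON log lines like the one above, pulls the chart reference, version and cosign reason out of a ChartVerificationError, and flags whether the failing version is in your own record of versions signed with the key behind the cosign-pub secret (on this page only 22.0.1-4040670 was signed, while Flux resolved 22.0.1-4042072). The sample log lines and the SIGNED_VERSIONS record are constructed for the example.

```python
import json
import re
from typing import Optional

# Constructed sample of source-controller JSON log lines, modelled on the page's output;
# the info line and the non-JSON line are made up to show non-matching input.
SAMPLE_LOG = """\
{"level":"info","ts":"2024-03-15T16:07:55.100Z","msg":"stored artifact","controller":"helmchart","HelmChart":{"name":"ncyd-flux-other","namespace":"ncyd-flux"}}
{"level":"error","ts":"2024-03-15T16:08:05.400Z","msg":"Reconciler error","controller":"helmchart","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"HelmChart","HelmChart":{"name":"ncyd-flux-kowl","namespace":"ncyd-flux"},"namespace":"ncyd-flux","name":"ncyd-flux-kowl","reconcileID":"c29c0b58-cf10-4d1d-a290-ecb997acf1ac","error":"chart verification error: failed to verify oci://ncydacrinprogress.azurecr.io/charts/kowl:22.0.1-4042072: no matching signatures: invalid signature when validating ASN.1 encoded signature"}
not a json line
"""

# Operator's record of chart versions signed with the key behind the cosign-pub secret
# (constructed; on the page only 22.0.1-4040670 of kowl was signed).
SIGNED_VERSIONS = {"kowl": {"22.0.1-4040670"}}

# Shape of the error: "failed to verify oci://<host>/<path>/<chart>:<version>: <cosign reason>"
VERIFY_RE = re.compile(
    r"failed to verify (?P<ref>oci://[^:\s]+/(?P<chart>[^/:\s]+)):(?P<version>[^:\s]+): (?P<reason>.+)$"
)

def parse_verification_failure(line: str) -> Optional[dict]:
    """Return details of a cosign chart verification failure, or None for any other line."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or "chart verification error" not in rec.get("error", ""):
        return None
    m = VERIFY_RE.search(rec["error"])
    if not m:
        return None
    chart, version = m.group("chart"), m.group("version")
    return {
        "ts": rec.get("ts"),
        "helmchart": (rec.get("HelmChart") or {}).get("name"),
        "ref": m.group("ref"),
        "chart": chart,
        "version": version,
        "reason": m.group("reason"),
        # False means Flux resolved a tag that was never signed with this key: either pin
        # spec.chart.spec.version in the HelmRelease or sign the new chart version.
        "version_in_signed_record": version in SIGNED_VERSIONS.get(chart, set()),
    }

def scan_log(text: str) -> list:
    """Collect every verification failure found in a block of log lines."""
    found = (parse_verification_failure(line) for line in text.splitlines())
    return [f for f in found if f is not None]
```

Run it against `kubectl logs` output of the source-controller pod piped to a file; each returned dict is one chart Flux refused to install because the signature did not validate.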


Process for Using Cosign with Flux

- Need to generate keys

Code Block
cosign generate-key-pair

- Need to store public key in k8s

Code Block
kubectl -n flux-system create secret generic cosign-pub --from-file=cosign.pub=cosign.pub

ex:
cd ~/cosign
kubectl -n ncyd-flux create secret generic cosign-pub --from-file=cosign.pub=cosign.pub

- Need to use an OCI HelmRepository

Code Block
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: ncyd-oci-virtual
  namespace: ncyd-flux
spec:
  type: "oci"
  interval: 1m0s
  secretRef:
    name: regcred
  url: oci://ncydacrinprogress.azurecr.io/charts

- Need to sign helmchart

Code Block
cosign sign --key cosign.key <registry-host>/<org>/charts/<app-name>:<app-version>

ex:
cosign sign --key cosign.key ncydacrinprogress.azurecr.io/charts/kowl:22.0.1-4040670

- Need to update helm releases to use OCI and reference cosign public key

Code Block (kowl.yaml)
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: kowl
  namespace: ncyd-flux
spec:
  chart:
    spec:
      chart: kowl  # chart name under the OCI repository (required by HelmRelease)
      sourceRef:
        kind: HelmRepository
        name: ncyd-oci-virtual
      verify:
        provider: cosign
        secretRef:
          name: cosign-pub
  values:
...

References