...
I think we need to define an OCI repository. Currently we have a Helm repository.
Define an OCI Repository
Code Block (yml):
---
# set $patch: delete to exclude from installation
#$patch: delete
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: ncyd-oci-virtual
  namespace: ncyd-flux
spec:
  type: "oci"
  interval: 1m0s
  secretRef:
    name: regcred   # registry pull credentials for the ACR instance
  url: oci://ncydacrinprogress.azurecr.io/charts
Use it:
Code Block (yml, kowl.yaml):
---
# set $patch: delete to exclude from installation
#$patch: delete
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: kowl
  namespace: ncyd-flux
spec:
  interval: 1m0s   # required by the HelmRelease CRD; value assumed to match the HelmRepository
  chart:
    spec:
      chart: kowl   # chart name, appended to the HelmRepository url (oci://.../charts/kowl)
      version: '22.0.1-4040670'
      sourceRef:
        kind: HelmRepository
        name: ncyd-oci-virtual
      verify:
        provider: cosign
        secretRef:
          name: cosign-pub   # Secret holding cosign.pub, in the same namespace as the HelmRepository
  values:
    imagePullSecrets:
      - name: regcred
    image:
      registry: ncydacrinprogress.azurecr.io
...
Code Block:
> kubectl events -n ncyd-flux --watch
0s (x4 over 20s) Warning ChartVerificationError HelmChart/ncyd-flux-kowl chart verification error: failed to verify oci://ncydacrinprogress.azurecr.io/charts/kowl:22.0.1-4042072: no matching signatures: invalid signature when validating ASN.1 encoded signature
> f logs -f source-controller-f7dbc4597-vwwj2
{"level":"error","ts":"2024-03-15T16:08:05.400Z","msg":"Reconciler error","controller":"helmchart","controllerGroup":"source.toolkit.fluxcd.io","controllerKind":"HelmChart","HelmChart":{"name":"ncyd-flux-kowl","namespace":"ncyd-flux"},"namespace":"ncyd-flux","name":"ncyd-flux-kowl","reconcileID":"c29c0b58-cf10-4d1d-a290-ecb997acf1ac","error":"chart verification error: failed to verify oci://ncydacrinprogress.azurecr.io/charts/kowl:22.0.1-4042072: no matching signatures: invalid signature when validating ASN.1 encoded signature"}

This error is cosign's ECDSA check failing, not a missing signature: a signature is attached to the chart, but it does not verify under the public key in the cosign-pub Secret. The usual cause is that the chart was signed with a different key pair than the one whose cosign.pub was stored in the cluster (for example after re-running generate-key-pair), or the Secret holds a stale cosign.pub. Note also that the version being reconciled here, 22.0.1-4042072, is not the 22.0.1-4040670 signed in the example below; every chart version Flux pulls has to be signed with the key that matches the stored public key.
Process for Using Cosign with Flux
- Need to generate keys
Code Block:
cosign generate-key-pair

This writes a password-protected cosign.key and the public cosign.pub into the current directory. Only cosign.pub goes into the cluster; keep cosign.key out of the Git repository.
- Need to store public key in k8s, in the namespace of the HelmRepository (that is where the HelmChart is reconciled); the key in the Secret must keep the .pub suffix
Code Block:
kubectl -n flux-system create secret generic cosign-pub --from-file=cosign.pub=cosign.pub
ex:
cd ~/cosign
kubectl -n ncyd-flux create secret generic cosign-pub --from-file=cosign.pub=cosign.pub
- Need to use OCI helmrepository
Code Block (yml):
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: ncyd-oci-virtual
  namespace: ncyd-flux
spec:
  type: "oci"
  interval: 1m0s
  secretRef:
    name: regcred
  url: oci://ncydacrinprogress.azurecr.io/charts
- Need to sign helmchart
Code Block:
cosign sign --key cosign.key <registry-host>/<org>/charts/<app-name>:<app-version>
ex:
cosign sign --key cosign.key ncydacrinprogress.azurecr.io/charts/kowl:22.0.1-4040670
- Need to update Helm releases to use OCI and reference the cosign public key
Code Block (yml, kowl.yaml):
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: kowl
  namespace: ncyd-flux
spec:
  interval: 1m0s   # required by the HelmRelease CRD; value assumed to match the HelmRepository
  chart:
    spec:
      chart: kowl   # chart name, appended to the HelmRepository url (oci://.../charts/kowl)
      sourceRef:
        kind: HelmRepository
        name: ncyd-oci-virtual
      verify:
        provider: cosign
        secretRef:
          name: cosign-pub   # Secret created above, in the same namespace
  values:
    ...
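To make clear what the controller is actually checking in the steps above, here is an added Go example. It is not part of this page and not Flux or cosign code; it models the P-256 key pair that cosign generate-key-pair creates, the signing of a chart payload, and the verification source-controller performs with the cosign.pub taken from the Secret. The payload struct is a reduced version of cosign's simple-signing document, the manifest digests are made up, and the real flow stores the signature in the registry and encrypts cosign.key; none of that is modelled. Running it shows the three outcomes that matter on this page: verification succeeds under the matching public key, fails with the ASN.1 signature error under any other key (the symptom in the log above), and also fails when the signed payload describes a different chart version than the one pulled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
)

// payload is a reduced form of the simple-signing document cosign stores
// under the chart's <digest>.sig tag; the manifest digest binds the
// signature to one exact chart blob. All values used below are constructed.
type payload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
}

// GenerateKeyPair mirrors the public half of `cosign generate-key-pair`:
// a P-256 ECDSA key whose public key is PKIX PEM, i.e. the bytes that end
// up in cosign.pub and therefore in the cosign-pub Secret.
func GenerateKeyPair() (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	return priv, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// SignChart builds the payload for one chart reference and manifest digest
// and signs its SHA-256. The signature is ASN.1/DER-encoded ECDSA, which is
// the encoding the Flux error message refers to.
func SignChart(priv *ecdsa.PrivateKey, chartRef, manifestDigest string) (body, sig []byte, err error) {
	var p payload
	p.Critical.Identity.DockerReference = chartRef
	p.Critical.Image.DockerManifestDigest = manifestDigest
	p.Critical.Type = "cosign container image signature"
	if body, err = json.Marshal(p); err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(body)
	if sig, err = ecdsa.SignASN1(rand.Reader, priv, h[:]); err != nil {
		return nil, nil, err
	}
	return body, sig, nil
}

// VerifyWithPublicKey is the check source-controller performs with the key
// from the Secret: parse the PEM, hash the payload, verify the DER signature.
// The failure text mirrors the one in the controller log above.
func VerifyWithPublicKey(pubPEM, body, sig []byte) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("cosign.pub: no PEM PUBLIC KEY block")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	ecKey, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("cosign.pub: not an ECDSA public key")
	}
	h := sha256.Sum256(body)
	if !ecdsa.VerifyASN1(ecKey, h[:], sig) {
		return errors.New("no matching signatures: invalid signature when validating ASN.1 encoded signature")
	}
	return nil
}

func main() {
	// Constructed values: the references match the page, the digests are made up.
	signingKey, storedPub, _ := GenerateKeyPair() // pair whose cosign.pub is in the Secret
	_, strayPub, _ := GenerateKeyPair()           // another pair, e.g. from re-running generate-key-pair

	body, sig, _ := SignChart(signingKey, "ncydacrinprogress.azurecr.io/charts/kowl:22.0.1-4040670", "sha256:"+fmt.Sprintf("%064x", 1))
	fmt.Println("matching key:  ", VerifyWithPublicKey(storedPub, body, sig))
	fmt.Println("mismatched key:", VerifyWithPublicKey(strayPub, body, sig))

	// Same key, but a different chart version than the one signed: the signed
	// payload no longer describes the artifact Flux pulled, so it fails as well.
	pulledBody, _, _ := SignChart(signingKey, "ncydacrinprogress.azurecr.io/charts/kowl:22.0.1-4042072", "sha256:"+fmt.Sprintf("%064x", 2))
	fmt.Println("other version: ", VerifyWithPublicKey(storedPub, pulledBody, sig))
}
```

The same check can be run with the real tooling before relying on the cluster: `cosign verify --key cosign.pub <registry-host>/<org>/charts/<app-name>:<app-version>` with the cosign.pub that was put into the Secret, and `kubectl -n ncyd-flux get secret cosign-pub -o jsonpath='{.data.cosign\.pub}' | base64 -d` to confirm the Secret really holds that file. If the local verify fails, source-controller will report the same ASN.1 signature error.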
References