UNCLASSIFIED - NO CUI

Skip to content

add new helper function to find publickey in helmRepository, update...

Package Merge Request

Package Changes

This MR adds the following functionality to the existing 1780-cosign-cert-secret branch:

  • Adds new helper function to find cosign.publicKey in helmRepository if it exists
  • Updates HelmReleases to skip cosign verify if public key does not exist or if cosignVerify is explicitly set to false. If cosignVerify does not exist, the default behavior is to add the verify block to the HelmRelease if other conditions are met

Override values used to test (anchore only):

helmRepositories:
- name: "registry1"
  repository: "oci://registry1.dso.mil/bigbang"
  existingSecret: "private-registry"
  type: "oci"
  username: ""
  password: ""
  email: ""
  cosignPublicKey: |
      -----BEGIN PUBLIC KEY-----
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIE7v9J6ttQus6itUoyfMCqMjaIqm
      R8XrntaedsdEhPPchOQuFzqTyyAPGifV1SaEu8medVRi6mVICWbVwOteNg==
      -----END PUBLIC KEY-----

addons:
  anchore:
    # -- Toggle deployment of Anchore.
    enabled: true
    sourceType: "helmRepo"
    git: {}
    helmRepo:
      repoName: "registry1"
      chartName: "anchore"
      tag: "1.27.4-bb.6"
      cosignVerify: true

Test cases:

  1. cosignVerify is false - no verify block in HelmRelease
  2. cosignVerify is true - verify block is included in HelmRelease
  3. cosignVerify is omitted completely - verify block is included in HelmRelease
  4. cosignPublicKey is undefined - no verify block
  5. cosignPublicKey exists and is not an empty string - verify block is included

Package MR

(Link to Package MR here)

For Issue

Closes (link to issue here)

Edited by Tim Seagren

Merge request reports

Loading