Tim Seagren requested to merge 1780-cosign-cert-secret-cosign-opt-out into 1780-cosign-cert-secret Dec 15, 2023

Package Merge Request

Package Changes

This MR adds the following functionality to the existing 1780-cosign-cert-secret branch:

Adds new helper function to find cosign.publicKey in helmRepository if it exists
Updates HelmReleases to skip cosign verify if public key does not exist or if cosignVerify is explicitly set to false. If cosignVerify does not exist, the default behavior is to add the verify block to the HelmRelease if other conditions are met

Override values used to test (anchore only):

helmRepositories:
- name: "registry1"
  repository: "oci://registry1.dso.mil/bigbang"
  existingSecret: "private-registry"
  type: "oci"
  username: ""
  password: ""
  email: ""
  cosignPublicKey: |
      -----BEGIN PUBLIC KEY-----
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIE7v9J6ttQus6itUoyfMCqMjaIqm
      R8XrntaedsdEhPPchOQuFzqTyyAPGifV1SaEu8medVRi6mVICWbVwOteNg==
      -----END PUBLIC KEY-----

addons:
  anchore:
    # -- Toggle deployment of Anchore.
    enabled: true
    sourceType: "helmRepo"
    git: {}
    helmRepo:
      repoName: "registry1"
      chartName: "anchore"
      tag: "1.27.4-bb.6"
      cosignVerify: true

Test cases:

cosignVerify is false - no verify block in HelmRelease
cosignVerify is true - verify block is included in HelmRelease
cosignVerify is omitted completely - verify block is included in HelmRelease
cosignPublicKey is undefined - no verify block
cosignPublicKey exists and is not an empty string - verify block is included

Package MR

(Link to Package MR here)

For Issue

Closes (link to issue here)

Edited Dec 15, 2023 by Tim Seagren

Admin message

add new helper function to find publickey in helmRepository, update...

Package Merge Request

Package Changes

Package MR

For Issue

Merge request reports