[P1BIGROCKS-2280] OCI Artifacts for Big Bang
[P1BIGROCKS-2280](https://jira.il2.dso.mil/browse/P1BIGROCKS-2280)
## Action Items
- [x] Create Pipeline for packages that releases each Package as an OCI artifact and push to the package project's container registry
- [x] Obtain permission from Iron Bank to push to `registry1.dso.mil/big-bang`
- [x] Adjust pipelines to push to registry1 once we have a production environment to build artifacts in
- [x] Update BigBang to provide an option to have `HelmReleases` use the `HelmRepository` instead of `GitRepository`. The `HelmRepository` should, by default, use the OCI object released by the package pipeline.
- [ ] Have default switch to the `HelmRepository` as part of the 2.0 release.
- [x] Release BigBang as OCI object
- [x] Update `base` folder to reference `HelmRelease` instead of `GitRepository`
Helm can release helm charts as OCI artifacts:
https://helm.sh/docs/topics/registries/
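As an added example (not from the Big Bang repository), the Flux objects the `HelmRepository` action item above describes: an OCI-typed `HelmRepository` pointing at `registry1.dso.mil/big-bang` in place of a `GitRepository`, and the `HelmRelease` consuming it. The chart name `bigbang`, the `bigbang` namespace, the version constraint and the `registry1-creds` and `cosign-pub` Secrets are assumptions; the `verify` block assumes a Flux version that supports OCI sources and cosign verification of charts.

```yaml
# Added example: Flux OCI HelmRepository replacing the GitRepository source.
# Assumptions: the chart is published as "bigbang" under registry1.dso.mil/big-bang,
# the namespace is "bigbang", "registry1-creds" is a dockerconfigjson pull Secret,
# and "cosign-pub" holds the cosign public key used to sign the chart.
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: bigbang-oci
  namespace: bigbang
spec:
  type: oci                      # OCI registry instead of a Helm index or Git repo
  url: oci://registry1.dso.mil/big-bang
  interval: 10m
  secretRef:
    name: registry1-creds        # assumed pull secret for registry1
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: bigbang
  namespace: bigbang
spec:
  interval: 10m
  chart:
    spec:
      chart: bigbang             # assumed chart name inside the registry
      version: "2.x"             # assumed version constraint
      sourceRef:
        kind: HelmRepository     # previously: kind: GitRepository
        name: bigbang-oci
      verify:                    # reject charts without a valid cosign signature
        provider: cosign
        secretRef:
          name: cosign-pub       # assumed Secret holding the cosign public key
```

With `verify` set, Flux refuses to reconcile a chart whose OCI signature does not validate against the supplied key, which is the enforcement point the signing section below relies on.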
## Signing of Helm Charts
https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/sigstore
The OCI object signed in this demo is BigBang's own helm chart, which shows how the artifacts BigBang produces can be signed with little extra effort.
## AirGap
The airgap solution is complicated by the use of Git repos as the deployment mechanism, which requires a Git server and rewriting git URLs to wherever the repos are mirrored.
* Images and Helm Charts that are needed for a deployment can be aggregated with the same tool since everything is an OCI object
* Only a Docker registry is needed to host both Helm Charts and Images
* OCI mirroring would (???) remove the need to rewrite Helm chart paths during the airgap deployment
## SBOMs
Once the OCI spec supports SBOMs, SBOMs could be included natively in our release artifacts:
* https://github.com/opencontainers/artifacts/pull/29
* https://github.com/opencontainers/image-spec/issues/827
## Blockers
* Flux SourceController can't use OCI objects yet (https://github.com/fluxcd/source-controller/issues/124). This could be mitigated by Zarf's appliance mode, since it prefers not to use Flux anyway.
Credit to @blake.burkhart.
## Iron Bank Signed Images
### Iron Bank Image Artifacts
### Signatures
As the signing process in P1 matures, newly signed IronBank images could be signed with cosign and validated both in the airgap and at runtime using admission controllers such as https://github.com/sse-secure-systems/connaisseur.
### Vulnerabilities
The vulnerability reports from the VAT should be available as part of the artifact list and include:
* Scanners used
* Date
* Vulnerabilities found
* Justifications provided
* Accepting authority
Future tools could use these vulnerability reports to upload to Prisma Cloud and whitelist the vulnerabilities that IronBank accepted.

### Bill of Materials
The Bill of Materials for each IronBank image should be built and provided by IronBank and bundled with the release artifacts.