Avi Sanwal created FLINK-38798:
----------------------------------

             Summary: Add Helm chart provenance (.prov) files for flink-kubernetes-operator releases
                 Key: FLINK-38798
                 URL: https://issues.apache.org/jira/browse/FLINK-38798
             Project: Flink
          Issue Type: Improvement
         Environment: These are some environments where this could help:

* GitOps-based deployments (Argo CD / Flux) pulling charts from Git or remote 
Helm/OCI repos, where we want to verify chart signatures before reconciling to 
clusters.
* Enterprise CI/CD pipelines that package and promote Helm charts across 
multiple stages (dev → staging → prod), using helm install --verify to enforce 
that only signed charts are deployed.
* Air-gapped or restricted-network Kubernetes clusters that mirror public Helm 
repos into private registries; provenance ensures mirrored artifacts are 
authentic and unchanged before use.
* Multi-cluster / multi-tenant platform setups where a central platform team 
curates shared operators (like the Flink operator) and needs signed artifacts 
as part of their supply-chain policies.
* Regulated or security-sensitive environments that require cryptographically 
signed artifacts for all third-party components, aligning with Helm’s 
provenance/signing model.

            Reporter: Avi Sanwal


Consumers of the flink-kubernetes-operator Helm chart currently cannot verify 
the integrity and origin of the chart using Helm’s built-in provenance 
mechanism, because no .prov files are published alongside the chart tarballs.

Helm supports signing charts and generating provenance files (.tgz.prov) that 
allow cryptographic verification of the chart package and its metadata. Users 
can then run helm verify or helm install --verify to check that a chart has not 
been tampered with and was published by a trusted signer.

*Request*
 * Update the Flink release/CI process for flink-kubernetes-operator to:
 ** Sign the Helm chart on release.
 ** Publish the corresponding .tgz.prov file alongside each chart version in 
the Helm repository.
 * Document the signing key and verification steps for users (e.g. using helm 
verify / helm install --verify).
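The checksum binding that helm verify and helm install --verify enforce can be seen in miniature with the following added Python example (illustration written for this ticket, not code from the Flink or Helm projects). It builds a constructed chart tarball in memory, writes a provenance body in the layout a .prov file uses (the Chart.yaml content, a "..." YAML document separator, then a "files:" map of sha256 digests), and checks the tarball against it, including a modified tarball that must fail. The chart name, version and file name are placeholders. The PGP clear-signature that wraps a real .prov and proves who signed it is not verified here; that is the part gpg and helm verify supply against the keyring.

```python
"""Illustrate the checksum binding inside a Helm .prov provenance file.

Added example, not code from the Flink or Helm projects. It builds a small
chart tarball in memory, writes a provenance body in the layout Helm uses
(Chart.yaml, a '...' YAML document separator, then a 'files:' map of sha256
digests) and checks a tarball against it. The PGP clear-signature that wraps
a real .prov, and that proves who signed it, is not verified here; gpg and
helm verify do that part.
"""
import hashlib
import io
import re
import tarfile

# Constructed chart metadata; the version is a placeholder, not a real release.
CHART_NAME = "flink-kubernetes-operator"
CHART_VERSION = "0.0.0-example"
CHART_YAML = (
    "apiVersion: v2\n"
    f"name: {CHART_NAME}\n"
    f"version: {CHART_VERSION}\n"
    "description: constructed example chart, not a real release\n"
)
TGZ_NAME = f"{CHART_NAME}-{CHART_VERSION}.tgz"

# One 'files:' entry, e.g. "  chart-1.0.0.tgz: sha256:<64 hex chars>"
FILES_LINE = re.compile(r"^\s+(?P<name>\S+):\s+sha256:(?P<hex>[0-9a-f]{64})\s*$")


def build_chart_tarball(chart_yaml: str) -> bytes:
    """Return a .tgz containing <chart>/Chart.yaml, roughly what helm package emits."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = chart_yaml.encode()
        info = tarfile.TarInfo(f"{CHART_NAME}/Chart.yaml")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_prov_body(chart_yaml: str, tgz_name: str, tgz_bytes: bytes) -> str:
    """Build the text that gpg clear-signs when helm package --sign runs."""
    digest = hashlib.sha256(tgz_bytes).hexdigest()
    return f"{chart_yaml}\n...\nfiles:\n  {tgz_name}: sha256:{digest}\n"


def parse_prov_sums(prov_text: str) -> dict:
    """Extract the tarball -> sha256 map; stops at the PGP signature block if present."""
    sums = {}
    in_files = False
    for line in prov_text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if line.strip() == "files:":
            in_files = True
            continue
        if in_files:
            m = FILES_LINE.match(line)
            if m:
                sums[m.group("name")] = m.group("hex")
    return sums


def checksum_matches(prov_text: str, tgz_name: str, tgz_bytes: bytes) -> bool:
    """True only if the .prov lists tgz_name and its digest equals the real one.

    A missing entry is a failure, not a pass: an unlisted file has no provenance.
    """
    expected = parse_prov_sums(prov_text).get(tgz_name)
    if expected is None:
        return False
    return expected == hashlib.sha256(tgz_bytes).hexdigest()


def demo() -> tuple:
    """Return (genuine_ok, tampered_ok) for a genuine and a modified tarball."""
    genuine = build_chart_tarball(CHART_YAML)
    prov = make_prov_body(CHART_YAML, TGZ_NAME, genuine)
    # Same file name, chart content changed: the digest must no longer match.
    tampered = build_chart_tarball(CHART_YAML.replace("apiVersion: v2", "apiVersion: v1"))
    return checksum_matches(prov, TGZ_NAME, genuine), checksum_matches(prov, TGZ_NAME, tampered)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The digest alone only shows that the tarball is the one the .prov was written for; the origin claim comes from the clear-signature, which helm verify and helm install --verify check against the public keys in the keyring passed with --keyring. For that to work for consumers, the .tgz.prov has to sit next to the .tgz under the same name in the chart repository, and the signing public key has to be published somewhere users can fetch and pin it, which is what the documentation item in the request above covers.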

*References*
 
 * Helm provenance and chart signing docs:
https://helm.sh/docs/topics/provenance/

 * helm verify documentation (verification using provenance files):
https://helm.sh/docs/helm/helm_verify/
--
This message was sent by Atlassian Jira
(v8.20.10#820010)