[
https://issues.apache.org/jira/browse/FLINK-38798?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Avi Sanwal updated FLINK-38798:
-------------------------------
Affects Version/s: kubernetes-operator-1.13.0
> Add Helm chart provenance (.prov) files for flink-kubernetes-operator releases
> ------------------------------------------------------------------------------
>
> Key: FLINK-38798
> URL: https://issues.apache.org/jira/browse/FLINK-38798
> Project: Flink
> Issue Type: Improvement
> Components: Kubernetes Operator
> Affects Versions: kubernetes-operator-1.13.0
> Environment: These are some environments where this could help:
> * GitOps-based deployments (Argo CD / Flux) pulling charts from Git or remote
> Helm/OCI repos, where we want to verify chart signatures before reconciling
> to clusters.
> * Enterprise CI/CD pipelines that package and promote Helm charts across
> multiple stages (dev → staging → prod), using helm install --verify to
> enforce that only signed charts are deployed.
> * Air-gapped or restricted-network Kubernetes clusters that mirror public
> Helm repos into private registries; provenance ensures mirrored artifacts are
> authentic and unchanged before use.
> * Multi-cluster / multi-tenant platform setups where a central platform team
> curates shared operators (like the Flink operator) and needs signed artifacts
> as part of their supply-chain policies.
> * Regulated or security-sensitive environments that require cryptographically
> signed artifacts for all third-party components, aligning with Helm’s
> provenance/signing model.
> Reporter: Avi Sanwal
> Priority: Major
> Labels: security
>
> Consumers of the flink-kubernetes-operator Helm chart currently cannot verify
> the integrity and origin of the chart using Helm’s built-in provenance
> mechanism, because no .prov files are published alongside the chart tarballs.
> Helm supports signing charts and generating provenance files (.tgz.prov) that
> provide cryptographic verification of the chart package and its metadata.
> This enables users to use commands such as helm verify or helm install
> --verify to ensure charts have not been tampered with and are published by a
> trusted signer.
> *Request*
> * Update the Flink release/CI process for flink-kubernetes-operator to:
> ** Sign the Helm chart on release.
> ** Publish the corresponding .tgz.prov file alongside each chart version in
> the Helm repository.
> * Document the signing key and verification steps for users (e.g. using helm
> verify / helm install --verify).
> *References*
>
> * Helm provenance and chart signing docs:
> https://helm.sh/docs/topics/provenance/
> * helm verify documentation (verification using provenance files):
> https://helm.sh/docs/helm/helm_verify/
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
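Added example (not part of the Jira issue above, and not code from the Flink project or from Helm): a small Python checker for the integrity half of what `helm verify` does. Per the Helm provenance docs linked in the issue, a `.tgz.prov` file is a PGP clearsigned message whose body is the chart's `Chart.yaml` followed by a `files:` map of tarball name to `sha256:<hex>`. The code below parses that layout and compares the declared digest with the sha256 of the tarball bytes. It deliberately does not check the PGP signature, so a match only shows the bytes are what the signer hashed, not who signed them; the origin check is the part `helm verify` / `helm install --verify` performs against a trusted keyring, and this script must not be used as a substitute for it. The chart name and version come from the issue; the tarball bytes and the signature block are constructed placeholders, and `make_sample_prov` exists only to build that sample.

```python
"""Integrity check of a Helm chart provenance (.tgz.prov) file.

Layout assumed (from https://helm.sh/docs/topics/provenance/):
  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA512
  <blank>
  <Chart.yaml contents>
  ...
  files:
    <chart>-<version>.tgz: sha256:<64 hex chars>
  -----BEGIN PGP SIGNATURE-----
  <armored signature>
  -----END PGP SIGNATURE-----

Only the digest is checked here. Signature verification (authenticity)
is left to `helm verify`, which needs the publisher's public key.
"""
import hashlib
import hmac
import re

SIGNED_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

# One entry of the files: map, e.g. "  chart-1.0.0.tgz: sha256:<hex>"
FILES_LINE = re.compile(
    r"^\s+(?P<name>[^:\s]+):\s*sha256:(?P<hex>[0-9a-fA-F]{64})\s*$"
)


class ProvenanceError(ValueError):
    """The .prov file does not have the expected clearsigned layout."""


def parse_prov(prov_text: str) -> dict:
    """Split a .prov file into signed body, declared digests and signature block."""
    lines = prov_text.splitlines()
    try:
        start = lines.index(SIGNED_BEGIN)
        sig_start = lines.index(SIG_BEGIN)
        sig_end = lines.index(SIG_END)
    except ValueError as exc:
        raise ProvenanceError("missing PGP clearsign armor") from exc
    if not start < sig_start < sig_end:
        raise ProvenanceError("armor markers out of order")

    # Clearsign: armor headers ("Hash: SHA512"), then a blank line, then the body.
    body_start = start + 1
    while body_start < sig_start and lines[body_start].strip():
        body_start += 1
    body = lines[body_start + 1:sig_start]

    digests = {}
    in_files = False
    for line in body:
        if line.strip() == "files:":
            in_files = True
            continue
        if in_files:
            match = FILES_LINE.match(line)
            if match:
                digests[match.group("name")] = match.group("hex").lower()
            elif line and not line[0].isspace():
                in_files = False  # a new top-level key ends the files map
    if not digests:
        raise ProvenanceError("no files: section with sha256 digests")

    return {
        "body": "\n".join(body),
        "files": digests,
        "signature": "\n".join(lines[sig_start:sig_end + 1]),
    }


def check_integrity(prov_text: str, tarball_name: str, tarball_bytes: bytes) -> bool:
    """True if sha256(tarball_bytes) equals the digest the .prov declares for it.

    Integrity only: pair this with a signature check before trusting the chart.
    """
    files = parse_prov(prov_text)["files"]
    if tarball_name not in files:
        raise ProvenanceError(f"{tarball_name} is not listed in the provenance file")
    actual = hashlib.sha256(tarball_bytes).hexdigest()
    return hmac.compare_digest(actual, files[tarball_name])


# Constructed sample data for this example: stand-in tarball bytes (not a real
# chart) and a placeholder where the armored PGP signature would be.
CHART_NAME = "flink-kubernetes-operator"
CHART_VERSION = "1.13.0"
TARBALL_NAME = f"{CHART_NAME}-{CHART_VERSION}.tgz"
SAMPLE_TARBALL = b"constructed stand-in for the chart tarball bytes\n"


def make_sample_prov(tarball_bytes: bytes = SAMPLE_TARBALL) -> str:
    """Build a .prov-shaped text for the sample tarball (signature is a placeholder)."""
    digest = hashlib.sha256(tarball_bytes).hexdigest()
    return "\n".join([
        SIGNED_BEGIN, "Hash: SHA512", "",
        "apiVersion: v2", f"name: {CHART_NAME}", f"version: {CHART_VERSION}", "",
        "...", "files:", f"  {TARBALL_NAME}: sha256:{digest}",
        SIG_BEGIN, "", "PLACEHOLDER-NOT-A-REAL-SIGNATURE", SIG_END, "",
    ])


if __name__ == "__main__":
    prov = make_sample_prov()
    print("untouched tarball:", check_integrity(prov, TARBALL_NAME, SAMPLE_TARBALL))
    print("modified tarball: ", check_integrity(prov, TARBALL_NAME, SAMPLE_TARBALL + b"x"))
```

Run against a real release you would read the `.tgz` and `.tgz.prov` from disk and pass them to `check_integrity`; a `False` there means the mirrored tarball differs from what was signed, which is exactly the air-gapped mirror case the issue describes. A `True` still tells you nothing about the signer, so the keyring-based `helm verify` step remains the one that establishes origin.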