[ https://issues.apache.org/jira/browse/FLINK-38798?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Avi Sanwal updated FLINK-38798:
-------------------------------
Description:
Consumers of the flink-kubernetes-operator Helm chart currently cannot verify
the integrity and origin of the chart using Helm’s built-in provenance
mechanism, because no .prov files are published alongside the chart tarballs.
Helm supports signing charts and generating provenance files (.tgz.prov) that
provide cryptographic verification of the chart package and its metadata. This
enables users to use commands such as helm verify or helm install --verify to
ensure charts have not been tampered with and are published by a trusted signer.
*Request*
* Update the Flink release/CI process for flink-kubernetes-operator to:
** Sign the Helm chart on release.
** Publish the corresponding .tgz.prov file alongside each chart version in the Helm repository.
* Document the signing key and verification steps for users (e.g. using helm verify / helm install --verify).
*Current Behavior*
{code:sh}
$ helm repo add flink-operator-repo https://downloads.apache.org/flink/flink-kubernetes-operator-1.13.0/
"flink-operator-repo" has been added to your repositories
$ helm install --verify flink-kubernetes-operator flink-operator-repo/flink-kubernetes-operator
level=WARN msg="unable to find exact version; falling back to closest available version" chart=flink-kubernetes-operator requested="" selected=1.13.0
Error: INSTALLATION FAILED: failed to fetch provenance "https://downloads.apache.org/flink/flink-kubernetes-operator-1.13.0/flink-kubernetes-operator-1.13.0-helm.tgz.prov"
{code}
*References*
* Helm provenance and chart signing docs: [https://helm.sh/docs/topics/provenance/]
* helm verify documentation (verification using provenance files): [https://helm.sh/docs/helm/helm_verify/]
was:
Consumers of the flink-kubernetes-operator Helm chart currently cannot verify
the integrity and origin of the chart using Helm’s built-in provenance
mechanism, because no .prov files are published alongside the chart tarballs.
Helm supports signing charts and generating provenance files (.tgz.prov) that
provide cryptographic verification of the chart package and its metadata. This
enables users to use commands such as helm verify or helm install --verify to
ensure charts have not been tampered with and are published by a trusted signer.
*Request*
* Update the Flink release/CI process for flink-kubernetes-operator to:
** Sign the Helm chart on release.
** Publish the corresponding .tgz.prov file alongside each chart version in the Helm repository.
* Document the signing key and verification steps for users (e.g. using helm verify / helm install --verify).
*References*
* Helm provenance and chart signing docs: [https://helm.sh/docs/topics/provenance/]
* helm verify documentation (verification using provenance files): [https://helm.sh/docs/helm/helm_verify/]
> Add Helm chart provenance (.prov) files for flink-kubernetes-operator releases
> ------------------------------------------------------------------------------
>
> Key: FLINK-38798
> URL: https://issues.apache.org/jira/browse/FLINK-38798
> Project: Flink
> Issue Type: Improvement
> Components: Kubernetes Operator
> Affects Versions: kubernetes-operator-1.13.0
> Environment: These are some environments where this could help:
> * GitOps-based deployments (Argo CD / Flux) pulling charts from Git or remote
> Helm/OCI repos, where we want to verify chart signatures before reconciling
> to clusters.
> * Enterprise CI/CD pipelines that package and promote Helm charts across
> multiple stages (dev → staging → prod), using helm install --verify to
> enforce that only signed charts are deployed.
> * Air-gapped or restricted-network Kubernetes clusters that mirror public
> Helm repos into private registries; provenance ensures mirrored artifacts are
> authentic and unchanged before use.
> * Multi-cluster / multi-tenant platform setups where a central platform team
> curates shared operators (like the Flink operator) and needs signed artifacts
> as part of their supply-chain policies.
> * Regulated or security-sensitive environments that require cryptographically
> signed artifacts for all third-party components, aligning with Helm’s
> provenance/signing model.
> Reporter: Avi Sanwal
> Priority: Major
> Labels: security
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
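Added example, not part of the Jira issue and not Flink or Helm project code: a small Python checker that does the digest-binding half of what `helm verify` does with a `.tgz.prov` file. A Helm provenance file is a PGP clearsigned text block containing the chart's Chart.yaml followed by a `files:` map of sha256 digests; `helm verify` checks the PGP signature against the local keyring and then checks that the downloaded tarball's sha256 matches the digest listed for it. The code below parses that layout and performs the digest check, and shows the failure mode the issue is about (a missing or tampered artifact is rejected). It deliberately does not verify the PGP signature: that step needs the publisher's public key, which is exactly the key the request asks the Flink project to document, and is what `helm verify` (or `gpg --verify` on the `.prov` file) performs. The tarball, Chart.yaml and signature block are constructed placeholders assumed for the demo; the chart name and version come from the issue.

```python
"""Consumer-side check of a Helm provenance (.tgz.prov) against its chart tarball.

Assumed layout (what `helm package --sign` emits via GPG clearsigning):
  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA512

  <Chart.yaml contents>

  ...
  files:
    <chart>.tgz: sha256:<hex>
  -----BEGIN PGP SIGNATURE-----
  ...
  -----END PGP SIGNATURE-----
"""
import hashlib
import hmac
import io
import re
import tarfile

CLEARSIGN_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

# Constructed Chart.yaml for the demo; name/version taken from the Jira issue.
CHART_YAML = "apiVersion: v2\nname: flink-kubernetes-operator\nversion: 1.13.0\n"
CHART_FILENAME = "flink-kubernetes-operator-1.13.0.tgz"


def clearsigned_body(prov_text: str) -> str:
    """Return the signed text between the clearsign header block and the signature."""
    if not prov_text.startswith(CLEARSIGN_HEADER):
        raise ValueError("not a PGP clearsigned provenance file")
    if SIG_BEGIN not in prov_text or SIG_END not in prov_text:
        raise ValueError("provenance has no PGP signature block")
    # The armor header lines ("Hash: SHA512") end at the first blank line.
    after_header = prov_text.split("\n\n", 1)[1]
    return after_header.split(SIG_BEGIN, 1)[0]


def provenance_digests(prov_text: str) -> dict:
    """Parse the `files:` section into {filename: sha256 hex digest}.

    Clearsigned text dash-escapes lines that start with '-' (e.g. YAML list
    items in Chart.yaml); the `files:` entries never start with '-', so no
    unescaping is needed for the digest check.
    """
    body = clearsigned_body(prov_text)
    parts = body.split("\nfiles:\n", 1)
    if len(parts) != 2:
        raise ValueError("provenance lacks a files: section")
    digests = {}
    for line in parts[1].splitlines():
        m = re.match(r"\s+(\S+):\s+sha256:([0-9a-f]{64})\s*$", line)
        if m:
            digests[m.group(1)] = m.group(2)
    return digests


def verify_chart(prov_text: str, chart_filename: str, chart_bytes: bytes) -> bool:
    """True if the tarball's sha256 matches the digest the provenance lists for it.

    Only the digest binding is checked here; the PGP signature over the body
    must be verified separately against the publisher's public key.
    """
    digests = provenance_digests(prov_text)
    expected = digests.get(chart_filename)
    if expected is None:
        raise ValueError(f"{chart_filename} is not listed in the provenance")
    actual = hashlib.sha256(chart_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)


def build_demo_chart(chart_yaml: str = CHART_YAML) -> bytes:
    """Constructed chart tarball (a .tgz holding only Chart.yaml) for the demo."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = chart_yaml.encode()
        info = tarfile.TarInfo("flink-kubernetes-operator/Chart.yaml")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_demo_provenance(chart_filename: str, chart_bytes: bytes,
                          chart_yaml: str = CHART_YAML) -> str:
    """Constructed .prov text in the assumed layout; the signature block is a
    placeholder, not a real PGP signature (a real one comes from helm/gpg)."""
    digest = hashlib.sha256(chart_bytes).hexdigest()
    return (
        f"{CLEARSIGN_HEADER}\nHash: SHA512\n\n"
        f"{chart_yaml}\n...\nfiles:\n  {chart_filename}: sha256:{digest}\n"
        f"{SIG_BEGIN}\n\nPLACEHOLDER-NOT-A-REAL-SIGNATURE\n{SIG_END}\n"
    )


if __name__ == "__main__":
    chart = build_demo_chart()
    prov = build_demo_provenance(CHART_FILENAME, chart)
    print("genuine tarball :", verify_chart(prov, CHART_FILENAME, chart))
    print("tampered tarball:", verify_chart(prov, CHART_FILENAME, chart + b"\x00"))
```

In a real pipeline the `.prov` is fetched from the same location as the tarball (the URL Helm tried in the error above), `gpg --verify` or `helm verify --keyring` establishes that the clearsigned body was produced by the documented release key, and only then does the digest binding shown here mean anything; without a published `.prov` file neither step is possible, which is the gap the issue reports.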