
[Security]: Provide Helm Provenance to mitigate supply chain attacks #163

Closed
PrivatePuffin opened this issue Nov 7, 2023 · 8 comments · Fixed by #191

Comments

@PrivatePuffin

PrivatePuffin commented Nov 7, 2023

It would be nice if automated Helm provenance were provided with the chart.
This ensures users can verify the origin of the Helm charts and prevents some supply chain attacks.
More info: https://helm.sh/docs/topics/provenance/

Even more so when bundled with signing the images as well.

--

As a downstream, the current insecure distribution prevents us from directly referencing these Helm charts, as it doesn't qualify under our security policy, which requires correct signing of images and provenance on Helm charts.
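For readers unfamiliar with what a Helm provenance file actually commits to: a `.prov` file is a PGP clearsigned message containing the chart's `Chart.yaml` metadata, a `...` separator, and a `files:` map of each packaged tarball to its sha256 digest; `helm verify` (and `helm install --verify --keyring <pubring>`) checks the signature against the keyring you supply, recomputes the tarball digest, and compares the signed metadata with the chart. The following is an added example, not code from this issue or from the cloudnative-pg project: it re-implements those checks in Python so the structure of the file is visible, with the signature step injected as a callback (a `gpg` subprocess helper is included for real use) so the rest runs offline on a constructed sample chart. All function names, the sample chart and its placeholder signature block are assumptions made for the example.

```python
import hashlib
import io
import os
import re
import shutil
import subprocess
import tarfile
import tempfile

# Constructed sample chart (not a real project chart).
SAMPLE_CHART_YAML = (
    "apiVersion: v2\n"
    "name: demo\n"
    "version: 0.1.0\n"
    "description: constructed sample chart for the example\n"
)

# Clearsigned envelope: header, optional Hash line, blank line, body, signature.
CLEARSIGN_RE = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\r?\n(?:Hash: [^\r\n]+\r?\n)?\r?\n"
    r"(?P<body>.*?)\r?\n-----BEGIN PGP SIGNATURE-----",
    re.S,
)
# One entry of the 'files:' map, e.g. "  demo-0.1.0.tgz: sha256:<64 hex>".
DIGEST_RE = re.compile(r"^\s+(?P<file>\S+):\s*sha256:(?P<hex>[0-9a-f]{64})\s*$", re.M)


def _kv_lines(text):
    # Top-level 'key: value' YAML lines only; enough for name/version.
    out = {}
    for line in text.splitlines():
        if not line or line[0].isspace() or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


def parse_provenance(prov_text):
    # Returns {"metadata": {...}, "files": {name: hexdigest}} or None if malformed.
    m = CLEARSIGN_RE.search(prov_text)
    if not m:
        return None
    meta_text, sep, files_text = m.group("body").partition("\n...\n")
    if not sep or "files:" not in files_text:
        return None
    files = {d.group("file"): d.group("hex") for d in DIGEST_RE.finditer(files_text)}
    return {"metadata": _kv_lines(meta_text), "files": files}


def chart_metadata_from_tgz(tgz_bytes):
    # Read <chart>/Chart.yaml straight from the tarball, no extraction to disk.
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tf:
        for member in tf.getmembers():
            parts = member.name.split("/")
            if len(parts) == 2 and parts[1] == "Chart.yaml" and member.isfile():
                return _kv_lines(tf.extractfile(member).read().decode("utf-8"))
    return None


def gpg_signature_ok(prov_text, keyring_path):
    # Check the clearsign signature against a pinned keyring only (not gpg's
    # default one), which is what `helm verify --keyring` does. Needs gpg on PATH.
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not found on PATH")
    fd, path = tempfile.mkstemp(suffix=".prov")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(prov_text)
        cmd = [gpg, "--batch", "--no-default-keyring", "--keyring", keyring_path, "--verify", path]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    finally:
        os.unlink(path)


def verify_provenance(prov_text, tgz_name, tgz_bytes, signature_verifier):
    # Same order as helm: signature first (nothing in the file is trustworthy
    # before that), then the digest, then the signed metadata vs the tarball.
    prov = parse_provenance(prov_text)
    if prov is None:
        return (False, "malformed provenance")
    if not signature_verifier(prov_text):
        return (False, "signature verification failed")
    expected = prov["files"].get(tgz_name)
    if expected is None:
        return (False, "chart file not listed in provenance")
    if hashlib.sha256(tgz_bytes).hexdigest() != expected:
        return (False, "digest mismatch")
    actual = chart_metadata_from_tgz(tgz_bytes)
    signed = prov["metadata"]
    if actual is None or any(actual.get(k) != signed.get(k) for k in ("name", "version")):
        return (False, "chart metadata mismatch")
    return (True, "ok")


def make_sample():
    # Build the constructed tarball and a matching .prov in memory. The
    # signature block is a placeholder, so pass gpg_signature_ok only for real files.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        data = SAMPLE_CHART_YAML.encode("utf-8")
        info = tarfile.TarInfo("demo/Chart.yaml")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    tgz = buf.getvalue()
    prov = (
        "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n"
        + SAMPLE_CHART_YAML
        + "...\nfiles:\n  demo-0.1.0.tgz: sha256:" + hashlib.sha256(tgz).hexdigest() + "\n"
        "-----BEGIN PGP SIGNATURE-----\n\n(placeholder, not a real signature)\n"
        "-----END PGP SIGNATURE-----\n"
    )
    return tgz, prov


if __name__ == "__main__":
    tgz, prov = make_sample()
    print(verify_provenance(prov, "demo-0.1.0.tgz", tgz, lambda _t: True))
    print(verify_provenance(prov, "demo-0.1.0.tgz", tgz + b"\x00", lambda _t: True))
```

In practice you would not reimplement this; the point is what the check covers and what it does not: `helm verify` proves the tarball is byte-for-byte what the key holder signed, but only against the keyring you pin, so a downstream policy has to distribute the publisher's public key out of band rather than fetching it from the same place as the chart. On the publishing side, `helm package --sign --key <name> --keyring <secring>` (or chart-releaser's `cr package --sign --key ... --keyring ... --passphrase-file ...`) emits the `.prov` next to the `.tgz`, and Helm's OCI support (`helm push chart.tgz oci://...`) carries an adjacent `.prov` along with the chart, so moving off GitHub Pages does not lose provenance.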

@phisco
Collaborator

phisco commented Nov 7, 2023

We would probably need to switch the GitHub action we use for publishing releases; https://github.com/marketplace/actions/helm-chart-releaser could be a good candidate. We should also consider pushing the chart to an OCI registry instead of gh-pages.

@PrivatePuffin
Author

> We would probably need to switch GitHub action we use for publishing releases, https://github.com/marketplace/actions/helm-chart-releaser could be a good candidate. We should also consider pushing the chart to an OCI registry instead of gh pages.

Agreed, it would be best to just refactor that part of the CI all in one go.
No need to spend needless developer time on small pieces.

@PrivatePuffin
Author

Here is our setup, including provenance:
https://github.com/truecharts/helm-staging/blob/main/.github/workflows/release.yaml

@PrivatePuffin
Author

> We would probably need to switch GitHub action we use for publishing releases, https://github.com/marketplace/actions/helm-chart-releaser could be a good candidate. We should also consider pushing the chart to an OCI registry instead of gh pages.

Can this and the OCI push please be given more attention?
It's just one morning's worth of work, and we now have to keep legacy Helm-based dependencies up JUST for this and a bare few other slow projects.

@phisco
Collaborator

phisco commented Feb 21, 2024

@itay-grudev is actually on it, but you should definitely think about contributing one of your mornings' worth of work to those "slow projects" next time, if it's so important to you, @Ornias1993.

@PrivatePuffin
Author

PrivatePuffin commented Feb 21, 2024

> @itay-grudev is actually on it,

Would be nice to have that in an issue comment next time; that would definitely have sufficed :)

> but you should definitely think about contributing one of your mornings worth of work to those "slow projects" next time, if it's so important to you, @Ornias1993.

That aggressive remark is not needed at all.

  • Most of the work cannot be easily done without maintainer access afaik
  • I already shared mostly copy-pastable code (except for the maintainer access/certs/keys required) above
  • I already spent about 120 hours (if not more) in Q3 and Q4 2023 on CNPG-related work, to improve its implementation in the TrueCharts common library and its many consuming charts.
  • On the slow projects, I did spend time today to contact each and every one of them, and where needed I would also share example code there.

Acting like I don't contribute anything for the improvement/adoption of CNPG or this issue is not a reasonable statement in any way.

@phisco
Collaborator

phisco commented Feb 21, 2024

> Would be nice to have that in an issue comment next time, that would definately have sufficed :)

@itay-grudev took the chance to address this too as part of the rework to the release process for the Cluster Chart after we discussed it yesterday. See the changes to the workflows in #188.

> I already shared mostly copy-pastable code (except maintainer access/certs/keys required) above

As you can see in the above PR, the "mostly copy-pastable" code was not so "copy-pastable". And @itay-grudev doesn't have access to the repository secrets either.

> That agressive remark is not needed at all.

Sorry to hear you read it as aggressive, that wasn't my intention, it was just a sincere suggestion. Thanks for your valuable contribution :)

@PrivatePuffin
Author

> Would be nice to have that in an issue comment next time, that would definately have sufficed :)

> @itay-grudev took the chance to address this too as part of the rework to the release process for the Cluster Chart after we discussed it yesterday. See the changes to the workflows in #188.

Ahh, that explains why it wasn't linked back here, as it's so fresh.
No problem.

> I already shared mostly copy-pastable code (except maintainer access/certs/keys required) above

> As you can see in the above PR the "mostly copy-pastable" code was not so "copy-pastable". And @itay-grudev doesn't have access to repositories secret either.

Well, it's pretty much the standard chart-releaser setup most Helm repos use.
I think a completely custom release pipeline is a tad overdone for the cnpg Helm charts, tbh.

> That agressive remark is not needed at all.

> Sorry to hear you read it as aggressive, that wasn't my intention, it was just a sincere suggestion. Thanks for your valuable contribution :)

No offense taken or bad intent assumed at all, no worries :)
