Add cosign verification to the chart Template

If implemented users can reconcile charts with cosign verification
enabled.

Signed-off-by: Soule BA <bah.soule@gmail.com>

Author: souleb

api/go.mod

@@ -5,12 +5,14 @@ go 1.18
 require (
 	github.com/fluxcd/pkg/apis/kustomize v0.6.0
 	github.com/fluxcd/pkg/apis/meta v0.16.0
+	github.com/fluxcd/source-controller/api v0.30.1
 	k8s.io/apiextensions-apiserver v0.25.2
 	k8s.io/apimachinery v0.25.2
 	sigs.k8s.io/controller-runtime v0.13.0
 )
 
 require (
+	github.com/fluxcd/pkg/apis/acl v0.1.0 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect

api/go.sum

@@ -1,10 +1,14 @@
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fluxcd/pkg/apis/acl v0.1.0 h1:EoAl377hDQYL3WqanWCdifauXqXbMyFuK82NnX6pH4Q=
+github.com/fluxcd/pkg/apis/acl v0.1.0/go.mod h1:zfEZzz169Oap034EsDhmCAGgnWlcWmIObZjYMusoXS8=
 github.com/fluxcd/pkg/apis/kustomize v0.6.0 h1:Afxv3Uv+xiuettzqm3sP0ceWikDZTfHdHtLv6u2nFM8=
 github.com/fluxcd/pkg/apis/kustomize v0.6.0/go.mod h1:iY0zSpK6eUiPfNt/yR6g0q/wQP+wH+Ax/L7KBOx5x2M=
 github.com/fluxcd/pkg/apis/meta v0.16.0 h1:6Mj9rB0TtvCeTe3IlQDc1i2DH75Oosea9yUqS7XafVg=
 github.com/fluxcd/pkg/apis/meta v0.16.0/go.mod h1:GrOVzWXiu22XjLNgLLe2EBYhQPqZetes5SIADb4bmHE=
+github.com/fluxcd/source-controller/api v0.30.1 h1:ykRiMBGcoEy3hIJY5YwL1Mhzmmab1rN+goDgFRLFuxk=
+github.com/fluxcd/source-controller/api v0.30.1/go.mod h1:UkjAqQ6QAXNNesNQDTArTeiTp+UuhOUIA+JyFhGP/+Q=
 github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=

api/v2beta1/helmrelease_types.go

@@ -28,6 +28,7 @@ import (
 
 	"github.com/fluxcd/pkg/apis/kustomize"
 	"github.com/fluxcd/pkg/apis/meta"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 const HelmReleaseKind = "HelmRelease"
@@ -286,6 +287,14 @@ type HelmChartTemplateSpec struct {
 	// +optional
 	// +deprecated
 	ValuesFile string `json:"valuesFile,omitempty"`
+
+	// Verify contains the secret name containing the trusted public keys
+	// used to verify the signature and specifies which provider to use to check
+	// whether OCI image is authentic.
+	// This field is only supported for OCI sources.
+	// Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.
+	// +optional
+	Verify *sourcev1.OCIRepositoryVerification `json:"verify,omitempty"`
 }
 
 // GetInterval returns the configured interval for the v1beta2.HelmChart,

api/v2beta1/zz_generated.deepcopy.go

@@ -117,6 +117,34 @@ spec:
                         items:
                           type: string
                         type: array
+                      verify:
+                        description: Verify contains the secret name containing the
+                          trusted public keys used to verify the signature and specifies
+                          which provider to use to check whether OCI image is authentic.
+                          This field is only supported for OCI sources. Chart dependencies,
+                          which are not bundled in the umbrella chart artifact, are
+                          not verified.
+                        properties:
+                          provider:
+                            default: cosign
+                            description: Provider specifies the technology used to
+                              sign the OCI Artifact.
+                            enum:
+                            - cosign
+                            type: string
+                          secretRef:
+                            description: SecretRef specifies the Kubernetes Secret
+                              containing the trusted public keys.
+                            properties:
+                              name:
+                                description: Name of the referent.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                        required:
+                        - provider
+                        type: object
                       version:
                         default: '*'
                         description: Version semver expression, ignored for charts

config/crd/bases/helm.toolkit.fluxcd.io_helmreleases.yaml

@@ -211,6 +211,7 @@ func buildHelmChartFromTemplate(hr *v2.HelmRelease) *sourcev1.HelmChart {
 			ReconcileStrategy: template.Spec.ReconcileStrategy,
 			ValuesFiles:       template.Spec.ValuesFiles,
 			ValuesFile:        template.Spec.ValuesFile,
+			Verify:            template.Spec.Verify,
 		},
 	}
 }
@@ -239,6 +240,8 @@ func helmChartRequiresUpdate(hr *v2.HelmRelease, chart *sourcev1.HelmChart) bool
 		return true
 	case template.Spec.ValuesFile != chart.Spec.ValuesFile:
 		return true
+	case !reflect.DeepEqual(template.Spec.Verify, chart.Spec.Verify):
+		return true
 	default:
 		return false
 	}

controllers/helmrelease_controller_chart.go

@@ -18,9 +18,11 @@ package controllers
 
 import (
 	"context"
+	"fmt"
 	"testing"
 	"time"
 
+	"github.com/fluxcd/pkg/apis/meta"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 	"github.com/go-logr/logr"
 	. "github.com/onsi/gomega"
@@ -371,6 +373,39 @@ func Test_buildHelmChartFromTemplate(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "take cosign verification into account",
+			modify: func(hr *v2.HelmRelease) {
+				hr.Spec.Chart.Spec.Verify = &sourcev1.OCIRepositoryVerification{
+					Provider: "cosign",
+					SecretRef: &meta.LocalObjectReference{
+						Name: "cosign-key",
+					},
+				}
+			},
+			want: &sourcev1.HelmChart{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "default-test-release",
+					Namespace: "default",
+				},
+				Spec: sourcev1.HelmChartSpec{
+					Chart:   "chart",
+					Version: "1.0.0",
+					SourceRef: sourcev1.LocalHelmChartSourceReference{
+						Name: "test-repository",
+						Kind: "HelmRepository",
+					},
+					Interval:    metav1.Duration{Duration: 2 * time.Minute},
+					ValuesFiles: []string{"values.yaml"},
+					Verify: &sourcev1.OCIRepositoryVerification{
+						Provider: "cosign",
+						SecretRef: &meta.LocalObjectReference{
+							Name: "cosign-key",
+						},
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -398,6 +433,9 @@ func Test_helmChartRequiresUpdate(t *testing.T) {
 						Kind: "HelmRepository",
 					},
 					Interval: &metav1.Duration{Duration: 2 * time.Minute},
+					Verify: &sourcev1.OCIRepositoryVerification{
+						Provider: "cosign",
+					},
 				},
 			},
 		},
@@ -469,16 +507,26 @@ func Test_helmChartRequiresUpdate(t *testing.T) {
 			},
 			want: true,
 		},
+		{
+			name: "detects verify change",
+			modify: func(hr *v2.HelmRelease, hc *sourcev1.HelmChart) {
+				hr.Spec.Chart.Spec.Verify.Provider = "foo-bar"
+			},
+			want: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			g := NewWithT(t)
 
 			hr := hrWithChartTemplate.DeepCopy()
 			hc := buildHelmChartFromTemplate(hr)
+			// second copy to avoid modifying the original
+			hr = hrWithChartTemplate.DeepCopy()
 			g.Expect(helmChartRequiresUpdate(hr, hc)).To(Equal(false))
 
 			tt.modify(hr, hc)
+			fmt.Println("verify", hr.Spec.Chart.Spec.Verify.Provider, hc.Spec.Verify.Provider)
 			g.Expect(helmChartRequiresUpdate(hr, hc)).To(Equal(tt.want))
 		})
 	}

controllers/helmrelease_controller_chart_test.go

@@ -566,6 +566,22 @@ for backwards compatibility the file defined here is merged before the
 ValuesFiles items. Ignored when omitted.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>verify</code><br>
+<em>
+github.com/fluxcd/source-controller/api/v1beta2.OCIRepositoryVerification
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Verify contains the secret name containing the trusted public keys
+used to verify the signature and specifies which provider to use to check
+whether OCI image is authentic.
+This field is only supported for OCI sources.
+Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.</p>
+</td>
+</tr>
 </table>
 </td>
 </tr>
@@ -688,6 +704,22 @@ for backwards compatibility the file defined here is merged before the
 ValuesFiles items. Ignored when omitted.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>verify</code><br>
+<em>
+github.com/fluxcd/source-controller/api/v1beta2.OCIRepositoryVerification
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Verify contains the secret name containing the trusted public keys
+used to verify the signature and specifies which provider to use to check
+whether OCI image is authentic.
+This field is only supported for OCI sources.
+Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.</p>
+</td>
+</tr>
 </tbody>
 </table>
 </div>

docs/api/helmrelease.md

@@ -4,13 +4,18 @@ go 1.18
 
 replace github.com/fluxcd/helm-controller/api => ./api
 
+replace (
+	github.com/fluxcd/source-controller/api => github.com/souleb/source-controller/api v0.18.1-0.20221018233402-c3f71095a4eb
+	github.com/fluxcd/source-controller/api/v1beta2 => github.com/souleb/source-controller/api/v1beta2 v0.18.1-0.20221018233402-c3f71095a4eb
+)
+
 require (
 	github.com/fluxcd/helm-controller/api v0.25.0
 	github.com/fluxcd/pkg/apis/acl v0.1.0
 	github.com/fluxcd/pkg/apis/kustomize v0.6.0
 	github.com/fluxcd/pkg/apis/meta v0.16.0
 	github.com/fluxcd/pkg/runtime v0.19.0
-	github.com/fluxcd/source-controller/api v0.30.0
+	github.com/fluxcd/source-controller/api v0.30.1
 	github.com/go-logr/logr v1.2.3
 	github.com/hashicorp/go-retryablehttp v0.7.1
 	github.com/onsi/gomega v1.20.2

go.mod

@@ -184,8 +184,6 @@ github.com/fluxcd/pkg/apis/meta v0.16.0 h1:6Mj9rB0TtvCeTe3IlQDc1i2DH75Oosea9yUqS
 github.com/fluxcd/pkg/apis/meta v0.16.0/go.mod h1:GrOVzWXiu22XjLNgLLe2EBYhQPqZetes5SIADb4bmHE=
 github.com/fluxcd/pkg/runtime v0.19.0 h1:4lRlnZfJFhWvuaNWgNsAkPQg09633xCRCf9d0SgXIWk=
 github.com/fluxcd/pkg/runtime v0.19.0/go.mod h1:9Kh46LjwQeUu6o1DUQulLGyo5e5wfQxeFf4ONNobT3U=
-github.com/fluxcd/source-controller/api v0.30.0 h1:rPVPpwXcYG2n0DTRcRagfGDiccvCib5S09K5iMjlpRU=
-github.com/fluxcd/source-controller/api v0.30.0/go.mod h1:UkjAqQ6QAXNNesNQDTArTeiTp+UuhOUIA+JyFhGP/+Q=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI=
 github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
@@ -562,6 +560,8 @@ github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
+github.com/souleb/source-controller/api v0.18.1-0.20221018233402-c3f71095a4eb h1:Nl2nOYgwek7QdItVdJvdpbaG7jZDkaT1zYgfT0RN5yI=
+github.com/souleb/source-controller/api v0.18.1-0.20221018233402-c3f71095a4eb/go.mod h1:UkjAqQ6QAXNNesNQDTArTeiTp+UuhOUIA+JyFhGP/+Q=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
 github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=