Support for verification of GPG signed Helm packages #3833

Open
jannfis opened this issue Jun 23, 2020 · 7 comments
Labels
component:config-management Tools specific issues (helm, kustomize etc) enhancement New feature or request type:security Something is not secure

Comments

@jannfis
Member

jannfis commented Jun 23, 2020

Summary

Following up the verification of GPG signatures on Git commits (#3242), we should also support the verification of signatures on charts in Helm repositories, as described in https://helm.sh/docs/topics/provenance/

Motivation

Many people use Helm charts with ArgoCD and could benefit from this feature, when they require that only signed packages are allowed to be installed on their clusters.

This is most likely less relevant for many OTS charts. However, organisations building and hosting their own charts might have those requirements.

Proposal

We should leverage the key management and many of the mechanisms introduced with #3242 for validating GPG signatures on Helm charts, too.
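To make concrete what verifying a chart against its provenance file involves, here is an added example (it is not Argo CD code and not from this issue). It follows the `.prov` layout described in the linked Helm provenance documentation: a PGP clearsigned message carrying the Chart.yaml text, a `...` separator, and a `files:` map of `sha256:` digests for the chart tarball. The sample tarball bytes and `.prov` text are constructed for the example, so the digest is self-consistent and the signature block is a placeholder; the `signature_valid` helper assumes the `gpg` CLI is installed and is the part that would be keyed to the trusted keys an operator configures.

```python
"""Check a Helm chart tarball against its provenance (.prov) file.

Added example for this issue; it is not Argo CD code.  The .prov layout
(a PGP clearsigned message holding Chart.yaml, a '...' separator and a
'files:' map of sha256 digests) follows https://helm.sh/docs/topics/provenance/.
The sample tarball bytes and .prov text below are constructed for the example.
"""
import hashlib
import hmac
import re
import subprocess
from typing import Dict, NamedTuple

SIGNED_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_HEADER = "-----BEGIN PGP SIGNATURE-----"


class Provenance(NamedTuple):
    chart_yaml: str        # Chart.yaml text embedded in the signed message
    files: Dict[str, str]  # tarball name -> "sha256:<hex>"


def parse_provenance(prov_text: str) -> Provenance:
    """Extract the clearsigned body and split it into Chart.yaml and digests."""
    if SIGNED_HEADER not in prov_text or SIG_HEADER not in prov_text:
        raise ValueError("not a PGP clearsigned provenance file")
    body = prov_text.split(SIGNED_HEADER, 1)[1].split(SIG_HEADER, 1)[0]
    # Armor headers such as "Hash: SHA512" end at the first blank line.
    parts = body.split("\n\n", 1)
    if len(parts) != 2:
        raise ValueError("clearsigned body has no armor header separator")
    body = parts[1]
    if "\n...\n" not in body:
        raise ValueError("missing '...' separator between chart and digests")
    chart_yaml, sums = body.split("\n...\n", 1)
    files: Dict[str, str] = {}
    for m in re.finditer(r"^\s+(\S+):\s*(sha256:[0-9a-f]{64})\s*$", sums, re.M):
        files[m.group(1)] = m.group(2)
    if not files:
        raise ValueError("no sha256 digests in the files: section")
    return Provenance(chart_yaml.strip() + "\n", files)


def digest_matches(prov: Provenance, tarball_name: str, tarball: bytes) -> bool:
    """True only if the .prov names this tarball and its sha256 agrees."""
    expected = prov.files.get(tarball_name)
    if expected is None:
        return False
    actual = "sha256:" + hashlib.sha256(tarball).hexdigest()
    return hmac.compare_digest(expected, actual)


def signature_valid(prov_path: str, keyring_path: str) -> bool:
    """Verify the clearsign with the gpg CLI against an explicit keyring of
    trusted keys (the counterpart of AppProject signatureKeys).  Assumes gpg
    is installed; not exercised by the constructed sample below."""
    result = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--verify", prov_path],
        capture_output=True, text=True,
    )
    return result.returncode == 0


# Constructed sample: the tarball is placeholder bytes and the .prov digest
# is derived from them so the two agree; the signature block is a stand-in.
SAMPLE_TARBALL = b"constructed placeholder standing in for mychart-0.1.0.tgz"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_TARBALL).hexdigest()
SAMPLE_PROV = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

apiVersion: v2
name: mychart
version: 0.1.0
description: constructed sample chart
...
files:
  mychart-0.1.0.tgz: sha256:{SAMPLE_DIGEST}
-----BEGIN PGP SIGNATURE-----
(signature omitted: constructed sample, verify real files with gpg)
-----END PGP SIGNATURE-----
"""


def verify_chart(prov_text: str, tarball_name: str, tarball: bytes) -> str:
    """Return 'ok' or a reason; a caller gates installation on 'ok' together
    with signature_valid() succeeding for the same .prov file."""
    try:
        prov = parse_provenance(prov_text)
    except ValueError as exc:
        return f"malformed provenance: {exc}"
    if not digest_matches(prov, tarball_name, tarball):
        return f"digest mismatch or unlisted tarball: {tarball_name}"
    return "ok"


if __name__ == "__main__":
    print(verify_chart(SAMPLE_PROV, "mychart-0.1.0.tgz", SAMPLE_TARBALL))
    print(verify_chart(SAMPLE_PROV, "mychart-0.1.0.tgz", SAMPLE_TARBALL + b"!"))
```

Both checks matter: the digest check binds the downloaded tarball to the signed text, and the signature check binds that text to a key the operator chose to trust. Passing `--keyring` with only the keys an AppProject allows is what turns a bare `gpg --verify` (which reports success for any key present in the default keyring) into an allow-list, which is the same model the issue proposes reusing from the Git commit verification.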

@jannfis jannfis added enhancement New feature or request component:config-management Tools specific issues (helm, kustomize etc) type:security Something is not secure labels Jun 23, 2020
@aelbarkani

I agree, it's an important security feature.

@aelbarkani

Any plans to make this feature available ?

@moosh3

moosh3 commented Apr 15, 2021

+1, any updates here?

@btrepp

btrepp commented Apr 2, 2022

---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: dash
  namespace: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    server: https://kubernetes.default.svc
    namespace: dash
  project: core
  source:
    chart: kubernetes-dashboard
    repoURL: https://kubernetes.github.io/dashboard/
    targetRevision: 5.3.1
    helm:
      releaseName: kubernetes-dashboard
  syncPolicy:
    syncOptions:
    - CreateNamespace=true
    automated:
      prune: true
      selfHeal: true
---
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: core
  namespace: argocd
spec:
  clusterResourceWhitelist:
  - group: '*'
    kind: '*'
  destinations:
  - namespace: argocd
    server: 'https://kubernetes.default.svc'
  - namespace: authentik
    server: 'https://kubernetes.default.svc'
  - namespace: registry
    server: 'https://kubernetes.default.svc'
  - namespace: tunnel
    server: 'https://kubernetes.default.svc'
  - namespace: dash
    server: 'https://kubernetes.default.svc'
  - namespace: traefik
    server: 'https://kubernetes.default.svc'
  signatureKeys:
  - keyID: 906F464D532BA3E1
  sourceRepos:
  - "https://git.sr.ht/~btrepp/infrastructure"
  - "https://kubernetes.github.io/dashboard/"
  - "https://helm.traefik.io/traefik"
  - "https://charts.goauthentik.io/"
status:
  conditions:
  - lastTransitionTime: "2022-04-02T08:08:09Z"
    message: Target revision 5.3.1 in Git is not signed, but a signature is required
    type: ComparisonError
  - lastTransitionTime: "2022-04-02T08:13:20Z"
    message: 'Failed sync attempt to 5.3.1: ComparisonError: Target revision 5.3.1
      in Git is not signed, but a

Did this sneak in somehow? Documentation says this won't be checked, but it's throwing an error that it's not signed.

Either I have found a bug, or this feature is implemented :).

@brackend

Any update on this? I see commits can be verified already but don't see helm chart verification.
Seems like chart signature verifications are absent and represent a gap in the verification of deployments.

@joebowbeer
Contributor

Related to SLSA in Kubernetes 1.24?

https://github.com/sigstore/helm-sigstore

@michaelasper

I'm interested in hearing if people have found their own solutions for this via argocd plugin or fork, would be nice to see OCI attestation in Argo CD
