We need to integrate in-toto attestations into our GitOps workflow to improve the integrity of our Helm chart deployments. This will provide cryptographic proof that rendered Helm charts originate from an authorized and reproducible build process.
Acceptance Criteria:
- A plan for a keyed signing approach to generated attestations in a regulated environment is written and committed to the project docs as a markdown document. It should describe the following items.
- Adding the capability to generate in-toto attestations to the CI container image.
- Generating in-toto attestations for Helm charts in the CI pipeline.
- Signing attestations using a keyless approach in the sandbox environment.
- Storing attestations alongside the rendered charts in the `polar-deploy` repository.
- Implement verification of attestations before applying manifests.
Draft of Implementation Plan:
1️⃣ Generate an in-toto Attestation in CI/CD
- Modify the GitLab CI pipeline to run `in-toto-run` after generating Helm charts.
- Capture the materials (Dhall inputs) and products (rendered manifests).
- Sign the attestation using keyless signing (OIDC-based signing).
2️⃣ Store Attestations in the Deployment Repository
- Ensure that the `polar-deploy` repository includes attestations alongside the rendered Helm charts.
- Structure example:

    polar-deploy/
    ├── environments/
    │   ├── dev/
    │   │   ├── Chart.yaml
    │   │   ├── attestation.json
    │   ├── prod/
    │   │   ├── Chart.yaml
    │   │   ├── attestation.json
3️⃣ Verify Attestations Before Deployment
- Implement attestation verification in GitOps tooling (e.g., FluxCD, ArgoCD).
- Ensure that only verified manifests can be applied to clusters.
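The pre-apply gate from step 3, as an added example that is not this project's code: it compares the product digests recorded in a link-format `attestation.json` (the layout `in-toto-run` writes) with the rendered files checked into `polar-deploy`, and reports anything modified, missing or unattested. The sample manifests and attestation are constructed inline; checking the attestation's signature against the expected signer identity is a separate step done by `in-toto-verify` and is not shown here.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: rendered manifests for one environment directory of the
# deploy repo, keyed by repo-relative path. Contents are placeholders.
RENDERED_FILES = {
    "environments/dev/Chart.yaml": b"apiVersion: v2\nname: polar\nversion: 1.0.0\n",
    "environments/dev/templates/deployment.yaml": b"kind: Deployment\n",
}

# Constructed sample attestation in in-toto link format: "products" is keyed by
# path and records the digest of each file the attested step produced.
# The signature and the material digest are placeholders, not real values.
ATTESTATION = {
    "signatures": [{"keyid": "<placeholder>", "sig": "<placeholder>"}],
    "signed": {
        "_type": "link",
        "name": "render-charts",
        "command": ["helm", "template", "polar"],
        "materials": {"environments/dev/config.dhall": {"sha256": "0" * 64}},
        "products": {p: {"sha256": sha256_hex(d)} for p, d in RENDERED_FILES.items()},
        "byproducts": {},
        "environment": {},
    },
}


def check_products(attestation: dict, files: dict) -> list:
    """Compare attested product digests with the files present in the repo.

    Returns a list of findings; an empty list means every file matches a
    recorded product and no file is unaccounted for, so the manifests may be
    handed on to the apply step (after the signature has been verified).
    """
    signed = attestation["signed"]
    if signed.get("_type") != "link":
        raise ValueError("expected in-toto link metadata")
    recorded = signed["products"]
    findings = []
    for path, entry in recorded.items():
        if path not in files:
            findings.append(f"missing: {path} is attested but absent from the repo")
        elif sha256_hex(files[path]) != entry["sha256"]:
            findings.append(f"modified: {path} does not match its attested digest")
    for path in files:
        if path not in recorded:
            findings.append(f"unattested: {path} was not produced by the attested step")
    return findings
```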
4️⃣ Plan for Keyed Signing (Future Work)
- Evaluate switching to keyed signing in regulated environments.
- Investigate in-toto policy enforcement for Helm releases.
Dependencies & Risks:
- CI image must have `in-toto-run` and `in-toto-verify` installed.
- Pipeline must have OIDC authentication for keyless signing.
- Ensure compatibility with the Helm release pipeline.