@@ -7,20 +7,29 @@ latest stable version on Kubernetes.
77## Flagger OCI artifacts
88
99Flagger OCI artifacts (container images, Helm charts, Kustomize overlays) are published to
10- GitHub Container Registry, and they are signed with Cosign at every release.
10+ GitHub Container Registry, and they are signed with [ Cosign] ( https://docs.sigstore.dev/cosign/ )
11+ and GitHub Actions OIDC at every release.
1112
1213OCI artifacts
1314
1415- ` ghcr.io/fluxcd/flagger:<version> ` multi-arch container images
15- - ` ghcr.io/fluxcd/flagger-manifest :<version> ` Kubernetes manifests
16+ - ` ghcr.io/fluxcd/flagger-manifests :<version> ` Kubernetes manifests
1617- ` ghcr.io/fluxcd/charts/flagger:<version> ` Helm charts
1718
19+ Starting with Flagger 1.43, artifacts are signed with Cosign v3 using the
20+ [ sigstore bundle format] ( https://github.com/sigstore/cosign/blob/main/specs/BUNDLE_SPEC.md ) .
21+ Verifying these signatures with Flux requires ** Flux 2.8 or later** .
22+
1823## Prerequisites
1924
2025To follow this guide you’ll need a Kubernetes cluster with Flux installed on it.
2126Please see the Flux [ get started guide] ( https://fluxcd.io/flux/get-started/ )
2227or the Flux [ installation guide] ( https://fluxcd.io/flux/installation/ ) .
2328
29+ To verify the Flagger OCI artifacts at reconciliation time, Flux 2.8 or later is
30+ required. Earlier versions ship Cosign v2 and cannot verify the sigstore bundles
31+ produced by the Flagger 1.43+ release workflow.
32+
2433## Deploy Flagger with Flux
2534
2635First define the namespace where Flagger will be installed:
5160 operation: copy
5261 ref:
5362 semver: "1.x" # update to the latest version
63+ verify:
64+ provider: cosign
65+ matchOIDCIdentity:
66+ - issuer: ^https://token\. actions\. githubusercontent\. com$
67+ subject: ^https://github\. com/fluxcd/flagger/\. github/workflows/release\. yml@refs/tags/v\d +\.\d +\.\d +$
5468` ` `
5569
70+ The `.spec.verify` block instructs Flux to perform Cosign keyless verification and to
71+ reject the artifact unless it was signed by the Flagger release workflow running on a
72+ tagged release (`vX.Y.Z`). See the Flux
73+ [OCIRepository verification](https://fluxcd.io/flux/components/source/ocirepositories/#verification)
74+ documentation for more details.
75+
5676Define a Flux `HelmRelease` that verifies and installs Flagger's latest version on the cluster :
5777
5878` ` ` yaml
@@ -115,8 +135,16 @@ spec:
115135 url: oci://ghcr.io/fluxcd/flagger-manifests
116136 ref:
117137 semver: "*" # update to the latest version
138+ verify:
139+ provider: cosign
140+ matchOIDCIdentity:
141+ - issuer: ^https://token\. actions\. githubusercontent\. com$
142+ subject: ^https://github\. com/fluxcd/flagger/\. github/workflows/release\. yml@refs/tags/v\d +\.\d +\.\d +$
118143` ` `
119144
145+ As with the Helm chart, the `.spec.verify` block ensures that only manifests signed by
146+ the official Flagger release workflow are fetched and applied to the cluster.
147+
120148Define a Flux `Kustomization` that deploys the Flagger load tester to the `apps` namespace :
121149
122150` ` ` yaml
0 commit comments