Verify the CRDS.tar.gz SPDX signature prior to opening PR #217

@viccuad

Description

Seldom, we have changes to the CRD definitions. These are shipped as part of kubewarden-controller releases, under a file called CRDS.tar.gz.

Contrary to other artifacts that the helm charts consume (such as container image tags, for example policy-server:v1.5.0 or kubewarden-controller:v1.5.0), the CRD definitions are taken as files. We should verify them cryptographically prior to consumption.

Note:
Even if we currently don't verify the signature, the consumption of the CRD definitions happens via a PR, which is reviewed by a human.

Acceptance Criteria

Check that the CRDS.tar.gz matches the one listed in kubewarden-controller-sbom.spdx (SPDXID: SPDXRef-File-kubewarden-controller-CRDS.tar.gz), and that the spdx file signature is valid.
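The checksum half of this criterion, as an added Python example that is not code from the kubewarden project: parse the SPDX tag:value SBOM, look up the file record by the SPDXID above, and compare its SHA256 against the downloaded tarball. The SBOM text and tarball bytes below are constructed stand-ins, and the example assumes the signature on the .spdx file has already been verified with whatever tool the release uses to sign it, since a checksum taken from an unverified SBOM proves nothing.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed stand-ins (not the real release artifact or SBOM): tarball bytes
# and a minimal SPDX 2.x tag:value document listing two files.
CRDS_TARBALL = b"constructed stand-in for the CRDS.tar.gz bytes"
CRDS_SHA256 = hashlib.sha256(CRDS_TARBALL).hexdigest()
SAMPLE_SBOM = f"""SPDXVersion: SPDX-2.3
SPDXID: SPDXRef-DOCUMENT
FileName: ./kubewarden-controller
SPDXID: SPDXRef-File-kubewarden-controller
FileChecksum: SHA256: {'0' * 64}
FileName: ./CRDS.tar.gz
SPDXID: SPDXRef-File-kubewarden-controller-CRDS.tar.gz
FileChecksum: SHA1: {'1' * 40}
FileChecksum: SHA256: {CRDS_SHA256}
"""


def parse_spdx_checksums(text: str) -> Dict[str, Dict[str, str]]:
    """Map each file SPDXID to its {algorithm: hex digest} checksums. A tag:value
    file record starts at FileName and owns the tags that follow until the next
    FileName or PackageName; document and package tags are skipped."""
    files: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        tag, sep, value = raw.partition(":")
        if not sep:
            continue  # blank or free-text line
        tag, value = tag.strip(), value.strip()
        if tag == "FileName":
            current = {}
        elif tag == "PackageName":
            current = None
        elif current is None:
            continue
        elif tag == "SPDXID":
            files[value] = current
        elif tag == "FileChecksum":
            algo, _, digest = value.partition(":")
            current[algo.strip().upper()] = digest.strip().lower()
    return files


def verify_crds_tarball(tarball: bytes, sbom_text: str, spdx_id: str) -> bool:
    """True only if the SBOM lists spdx_id with a SHA256 equal to the tarball's."""
    expected = parse_spdx_checksums(sbom_text).get(spdx_id, {}).get("SHA256")
    if expected is None:
        return False  # unlisted file or no SHA256 entry: never treat as a pass
    return hmac.compare_digest(hashlib.sha256(tarball).hexdigest(), expected)
```

The check deliberately refuses to fall back to SHA1 or MD5 entries and fails closed when the SPDXID is absent, so a release that drops the CRDS.tar.gz record from the SBOM does not pass silently.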
