
Commit 83e92c6

feat: start verifying charts before use (#2738)
* feat: start verifying charts before use * add make target for updating public key * Apply suggestion from @petewall Co-authored-by: Pete Wall <pete.wall@grafana.com> * chore: regenerate kubernetes-manifests example output for k8s-manifest-tail 0.1.5 * chore: add changelog entry for k8s-manifest-tail 0.1.5 --------- Co-authored-by: Pete Wall <pete.wall@grafana.com>
1 parent 7df20d7 commit 83e92c6

13 files changed

Lines changed: 69 additions & 12 deletions


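--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,7 +7,26 @@ on:
 permissions: {}
 
 jobs:
+verify-signatures:
+runs-on: ubuntu-latest
+permissions:
+contents: read
+steps:
+- name: Checkout
+uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+with:
+persist-credentials: 'false'
+
+- name: Set up Helm
+uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+with:
+version: v4.1.4
+
+- name: Verify signed chart dependencies
+run: make -C charts/k8s-monitoring verify-signatures
+
 release-chart:
+needs: verify-signatures
 # Pinned to the hackathon branch: this version of the shared workflow packages, signs,
 # pushes to GHCR, regenerates the helm repo index, and creates the canonical release on
 # grafana/helm-charts. The source-repo `release` job below only links back to it.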
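Review bot: The `Verify signed chart dependencies` step assumes `yq` is already present on the runner: the telemetry-services Makefile it reaches derives the version to verify with `$(shell yq …)`, and a missing or failing yq expands to an empty `--version`, so the job would then verify whatever version helm resolves rather than the one pinned in Chart.yaml. Helm is pinned explicitly by the setup-helm step; pin or at least assert the other tool the same way, e.g. a step `run: yq --version` before the make call. A short comment on the job would also record why it exists as a separate gate, `# Gates release-chart: the release must not proceed if a signed dependency fails verification`. The workflow's `on:` triggers are outside the hunk, so whether this check also runs on pull requests cannot be seen here.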

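--- a/Makefile
+++ b/Makefile
@@ -33,6 +33,13 @@ clean: ## Clean all charts
 build: check-helm-version ## Build all charts
 make -C charts/k8s-monitoring $@;
 
+##@ Keys
+.PHONY: update-signing-keys
+update-signing-keys: keys/grafana-helm-charts-pubkey.gpg ## Refresh signing keys in keys/ from 1Password (requires the op CLI)
+
+keys/grafana-helm-charts-pubkey.gpg:
+op --account grafana.1password.com read "op://Helm Maintainers/Helm Chart Signing Key/gpg-public-key.asc" | gpg --dearmor > keys/grafana-helm-charts-pubkey.gpg
+
 ##@ Install
 .PHONY: install
 install: ## Install dependencies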
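Review bot: The `keys/grafana-helm-charts-pubkey.gpg` recipe writes through a redirection straight to the target path, so when `op` fails the pipeline still exits with gpg's status and leaves an empty keyring that the prerequisite-less rule will treat as up to date on the next run. Stage the download and rename only on success: `op --account grafana.1password.com read "op://Helm Maintainers/Helm Chart Signing Key/gpg-public-key.asc" > $@.asc` followed by `gpg --dearmor --output $@.tmp $@.asc && mv -f $@.tmp $@ && $(RM) $@.asc`, which also uses `$@` instead of repeating the path. Since this file is the trust anchor for `helm pull --verify`, printing its fingerprint with `gpg --show-keys $@` as a final recipe line gives reviewers of a refresh commit something to compare against the published key fingerprint. Whether this Makefile sets `.DELETE_ON_ERROR:` is not visible in the hunk; if it does not, that setting would cover the truncation case as well.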

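--- a/charts/k8s-monitoring/CHANGELOG.md
+++ b/charts/k8s-monitoring/CHANGELOG.md
@@ -5,6 +5,7 @@
 * Fix the Beyla `SecurityContextConstraints` on OpenShift to set `allowHostPorts: true`. Beyla runs with host networking when context propagation or the `network` preset is enabled, which OpenShift treats as host-port usage. Without it, the Beyla DaemonSet pods fail SCC admission with `Host ports are not allowed to be used`. (#2734) (@petewall)
 * Fix the OTLP destination `timeout` setting rendering inside the `client` block for `protocol: grpc`, which Alloy rejects. It now renders as a top-level argument for gRPC and inside `client` for HTTP. (#2710) (@petewall)
 * Add `openTelemetryConversion.keepIdentifyingResourceAttributes` option to `otelcol.exporter.prometheus` component to optionally preserve `service.name`, `service.namespace`, and `service.instance.id` attributes as labels on `target_info` metric during OTLP to Prometheus conversion. (#2718) (@rlankfo)
+* Update k8s-manifest-tail to 0.1.5 (@TylerHelmuth)
 
 ## 4.1.6
 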

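--- a/charts/k8s-monitoring/Makefile
+++ b/charts/k8s-monitoring/Makefile
@@ -271,6 +271,11 @@ build-features:
 make -C $$chart build; \
 done
 
+# Verify the signatures of signed Grafana chart dependencies.
+.PHONY: verify-signatures
+verify-signatures:
+make -C charts/telemetry-services verify-signatures
+
 # Build targets
 .PHONY: build
 build: build-features values.schema.json templates/destinations/_destination_types.tpl collectors/upstream/alloy-values.yaml build-docs examples integration-test-checks platform-test-checks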
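Review bot: The `verify-signatures` recipe invokes the sub-make as a literal `make`, so `-n`, `-k` and jobserver flags of the outer invocation are not propagated; `$(MAKE) -C charts/telemetry-services verify-signatures` is the conventional form. The `build-features` loop just above uses the same literal `make`, so this follows existing style, but a new recipe is a good place to stop. The header comment could also record the scope of the check, which the telemetry-services Makefile narrows to one chart: `# As of this commit only k8s-manifest-tail is signature-checked; the third-party dependencies (opencost, kube-state-metrics, node-exporter) are not.`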

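--- a/charts/k8s-monitoring/charts/telemetry-services/Chart.lock
+++ b/charts/k8s-monitoring/charts/telemetry-services/Chart.lock
@@ -16,6 +16,6 @@ dependencies:
 version: 2.5.23
 - name: k8s-manifest-tail
 repository: https://grafana.github.io/helm-charts
-version: 0.1.4
-digest: sha256:1ae281a14a84db859e442bfe2bface7e5d7b64521e6382880bd9932a25633e6b
-generated: "2026-06-16T09:40:42.698796-05:00"
+version: 0.1.5
+digest: sha256:db919004fbac4ec689a26a28f380fc97828cefc5726b97fcc6523f235f9d1251
+generated: "2026-06-24T11:17:43.077795-06:00"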

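--- a/charts/k8s-monitoring/charts/telemetry-services/Chart.yaml
+++ b/charts/k8s-monitoring/charts/telemetry-services/Chart.yaml
@@ -37,6 +37,6 @@ dependencies:
 condition: opencost.deploy
 - alias: k8s-manifest-tail
 name: k8s-manifest-tail
-version: 0.1.4
+version: 0.1.5
 repository: https://grafana.github.io/helm-charts
 condition: k8s-manifest-tail.deploy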

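--- a/charts/k8s-monitoring/charts/telemetry-services/Makefile
+++ b/charts/k8s-monitoring/charts/telemetry-services/Makefile
@@ -7,11 +7,14 @@ endif
 
 HAS_HELM_UNITTEST := $(shell $(HELM) plugin list | grep unittest 2> /dev/null)
 
+K8S_MANIFEST_TAIL_VERSION := $(shell yq '.dependencies[] | select(.name == "k8s-manifest-tail") | .version' Chart.yaml)
+GRAFANA_HELM_CHARTS_KEYRING := ../../../../keys/grafana-helm-charts-pubkey.gpg
+
 .SECONDEXPANSION:
 README.md: values.yaml Chart.yaml $$(wildcard README.md.gotmpl)
 docker run --rm --platform linux/amd64 --volume $(shell pwd):/chart ghcr.io/grafana/helm-chart-toolbox-doc-generator --chart /chart > $@
 
-Chart.lock: Chart.yaml
+Chart.lock: Chart.yaml | verify-signatures
 $(HELM) dependency update .
 @touch Chart.lock # Ensure the timestamp is updated
 
@@ -25,6 +28,14 @@ clean:
 .PHONY: build
 build: README.md Chart.lock values.schema.json $(ALLOW_LISTS)
 
+.PHONY: verify-signatures
+verify-signatures: ## Verify the signature of the signed k8s-manifest-tail chart dependency
+$(HELM) pull k8s-manifest-tail \
+--repo https://grafana.github.io/helm-charts \
+--version $(K8S_MANIFEST_TAIL_VERSION) \
+--verify --keyring $(GRAFANA_HELM_CHARTS_KEYRING) \
+--destination "$$(mktemp -d)"
+
 .PHONY: test
 test: build
 $(HELM) repo add prometheus-community https://prometheus-community.github.io/helm-charts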
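Review bot: `--version $(K8S_MANIFEST_TAIL_VERSION)` in the `verify-signatures` recipe expands to nothing when the `yq` lookup in the first hunk fails or yq is absent, because `$(shell …)` discards the command's exit status; helm then treats the empty version as unconstrained and, as far as I can tell, pulls and verifies the latest published chart rather than the pinned one, so the check can pass against the wrong artifact. Fail at parse time instead, directly after the assignment: `ifeq ($(strip $(K8S_MANIFEST_TAIL_VERSION)),)` / `$(error could not read k8s-manifest-tail version from Chart.yaml)` / `endif`. Note also that the verified tarball goes to a throwaway `mktemp -d` directory while the chart actually vendored is fetched separately by `$(HELM) dependency update .` in the Chart.lock rule, so the two downloads are tied together only by the pinned version and the Chart.lock digest; a comment stating that assumption on the target would help the next reader. The `mktemp -d` directory is never removed, so repeated runs accumulate temp directories.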

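--- a/charts/k8s-monitoring/charts/telemetry-services/README.md
+++ b/charts/k8s-monitoring/charts/telemetry-services/README.md
@@ -36,7 +36,7 @@ telemetryServices:
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://grafana.github.io/helm-charts | k8s-manifest-tail(k8s-manifest-tail) | 0.1.4 |
+| https://grafana.github.io/helm-charts | k8s-manifest-tail(k8s-manifest-tail) | 0.1.5 |
 | https://opencost.github.io/opencost-helm-chart | opencost | 2.5.23 |
 | https://prometheus-community.github.io/helm-charts | kube-state-metrics | 7.5.1 |
 | https://prometheus-community.github.io/helm-charts | node-exporter(prometheus-node-exporter) | 4.55.0 |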
