Skip to content

docs: verify-on-deploy path for signed bundles #1156

Description

@lockwobr

Problem

Signing and aicr verify cover create-time and CLI-time verification, but the V1 acceptance bar includes a deploy-time verification path: a bundle should be verifiable (and ideally enforced) at the point it is applied to a cluster, across deployers (Helm, Argo CD, Flux). There is no documented verify-on-deploy story today.

Proposal

Document (and where needed, provide) a deploy-time verification path for each signing mode, so a cluster only applies bundles whose provenance has been verified.

Scope

  • Document how to gate deployment on aicr verify for each deployer (e.g. CI step before argocd app sync / flux reconcile, or helm install).
  • Evaluate admission-control / policy-engine enforcement (e.g. an admission webhook or Gatekeeper/Kyverno policy verifying the bundle attestation) and document the recommended pattern.
  • Cover all three trust environments (public, private, air-gapped), reusing the verifier KMS / private-trust-root / offline work.

Dependencies

  • Builds on the verifier sub-issues (KMS, private trust root, offline) in this epic.

Success criteria

  • A documented, reproducible deploy-time verification path exists for each deployer and trust environment.

Metadata

Metadata

Assignees

No one assigned

    Fields

    No fields configured for Documentation.

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions