# kubernetes
j
Polling the hivemind: anyone have any experience with signing Helm charts?
I saw that it was a thing: https://helm.sh/docs/topics/provenance/
I'm wondering how easy it is to bake that into a pipeline when I'm pulling down third-party Helm charts, and if it's enough value to be worthwhile?
s
I don't know of many third-party charts that implement Helm provenance, but now that many charts are stored as OCI artifacts, signing with cosign is a good practice, and we have seen some people and companies starting to do this.
j
For their internal stuff or for artifacts they provide to other consumers?
s
Both. Also, when bringing third-party apps into the org, after vetting a chart via a pipeline with security scans etc., it signs the artifact with their keys; that way they can validate what came in legitimately and what someone brought in unofficially.
And then Flux, for example, can verify the OCI artifact at deployment time.
j
ah nice, that makes sense
Thank you for your insight!!
s
For sure! Any time!