From ab96997bbc8a438ce29aa0de6f769a147caa8273 Mon Sep 17 00:00:00 2001
From: Steve Hipwell
Date: Sat, 2 Mar 2024 21:34:04 +0000
Subject: [PATCH] feat(chart): Added cosign verify docs (#5759)
Signed-off-by: Steve Hipwell
Co-authored-by: Jonathan Innis
---
 charts/karpenter/README.md | 16 ++++++++++++++++
 charts/karpenter/README.md.gotmpl | 14 ++++++++++++++
 hack/release/common.sh | 2 +-
 .../getting-started-with-karpenter/_index.md | 12 ++++++++++++
 website/hugo.yaml | 2 +-
 .../partials/navbar-version-selector.html | 2 +-
 6 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/charts/karpenter/README.md b/charts/karpenter/README.md
index 8d1aec3043eb..f2bc66c634b0 100644
--- a/charts/karpenter/README.md
+++ b/charts/karpenter/README.md
@@ -22,6 +22,20 @@ helm upgrade --install --namespace karpenter --create-namespace \
 --wait
 ```
+### Verification
+
+As the OCI Helm chart is signed by [Cosign](https://github.com/sigstore/cosign) as part of the release process you can verify the chart before installing it by running the following command.
+
+```shell
+cosign verify public.ecr.aws/karpenter/karpenter:0.35.0 \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+ --certificate-identity-regexp='https://github\.com/aws/karpenter-provider-aws/\.github/workflows/release\.yaml@.+' \
+ --certificate-github-workflow-repository=aws/karpenter-provider-aws \
+ --certificate-github-workflow-name=Release \
+ --certificate-github-workflow-ref=refs/tags/v0.35.0 \
+ --annotations version=0.35.0
+```
+
 
 ## Values
 
 | Key | Type | Default | Description |
@@ -97,3 +111,5 @@ helm upgrade --install --namespace karpenter --create-namespace \
 | webhook.metrics.port | int | `8001` | The container port to use for webhook metrics. |
 | webhook.port | int | `8443` | The container port to use for the webhook. |
 
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.13.0](https://github.com/norwoodj/helm-docs/releases/v1.13.0)
diff --git a/charts/karpenter/README.md.gotmpl b/charts/karpenter/README.md.gotmpl
index 19f7e7754dba..1e641e1ee586 100644
--- a/charts/karpenter/README.md.gotmpl
+++ b/charts/karpenter/README.md.gotmpl
@@ -21,6 +21,20 @@ helm upgrade --install --namespace karpenter --create-namespace \
 --wait
 ```
+### Verification
+
+As the OCI Helm chart is signed by [Cosign](https://github.com/sigstore/cosign) as part of the release process you can verify the chart before installing it by running the following command.
+
+```shell
+cosign verify public.ecr.aws/karpenter/karpenter:{{ template "chart.version" . }} \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+ --certificate-identity-regexp='https://github\.com/aws/karpenter-provider-aws/\.github/workflows/release\.yaml@.+' \
+ --certificate-github-workflow-repository=aws/karpenter-provider-aws \
+ --certificate-github-workflow-name=Release \
+ --certificate-github-workflow-ref=refs/tags/v{{ template "chart.version" . }} \
+ --annotations version={{ template "chart.version" . }}
+```
+
 
 {{ template "chart.requirementsSection" . }}
 
 {{ template "chart.valuesSection" . }}
diff --git a/hack/release/common.sh b/hack/release/common.sh
index 6f8f5346bacf..e81170125114 100644
--- a/hack/release/common.sh
+++ b/hack/release/common.sh
@@ -192,7 +192,7 @@ removeOldWebsiteDirectories() {
 
 editWebsiteConfig() {
 local version="${1}"
- yq -i ".params.latest_release_version = \"v${version}\"" website/hugo.yaml
+ yq -i ".params.latest_release_version = \"${version}\"" website/hugo.yaml
 }
 
 # editWebsiteVersionsMenu sets relevant releases in the version dropdown menu of the website
diff --git a/website/content/en/preview/getting-started/getting-started-with-karpenter/_index.md b/website/content/en/preview/getting-started/getting-started-with-karpenter/_index.md
index 7384f2864575..f3473409cadf 100644
--- a/website/content/en/preview/getting-started/getting-started-with-karpenter/_index.md
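Review bot: The command added under `### Verification` verifies the mutable tag `public.ecr.aws/karpenter/karpenter:{{ template "chart.version" . }}`, while the `helm upgrade --install` command shown in the hunk header (its body lies above the hunk) pulls the chart by that same tag, so nothing ties the artifact that was verified to the artifact Helm actually installs. I would add a sentence after the code block along the lines of: `cosign verify` reports the digest of the manifest it checked; pin or pull the chart by that digest (or confirm the chart you install resolves to it) rather than trusting the tag a second time. The identity constraints themselves (`--certificate-github-workflow-repository`, `--certificate-github-workflow-name` and `--certificate-github-workflow-ref=refs/tags/v…`) already pin the signer to the tagged release workflow, so the tag-to-digest step is the only missing link. Since keyless verification fetches Sigstore trust roots and transparency-log entries over the network by default, a short note for air-gapped installs (use an offline bundle or expect outbound access) would also help readers of the generated README.md.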
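Review bot: `editWebsiteConfig` now writes `${version}` into `latest_release_version` with no `v` prefix, and the templates changed in this commit re-add the prefix themselves (`refs/tags/v{{< param "latest_release_version" >}}`, `printf "v%s.%s"`), so a caller that passes a version already carrying a `v` would silently yield `vv0.35.0` downstream; I cannot see the callers of `editWebsiteConfig` from this hunk. Normalising the argument inside the function makes it safe either way: `yq -i ".params.latest_release_version = \"${version#v}\"" website/hugo.yaml`. Any other template or script that reads `latest_release_version` and expects the leading `v` would need the same adjustment as `navbar-version-selector.html`; only that partial is updated here, so it is worth a grep before release.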
+++ b/website/content/en/preview/getting-started/getting-started-with-karpenter/_index.md
@@ -90,6 +90,18 @@ See [Enabling Windows support](https://docs.aws.amazon.com/eks/latest/userguide/
 {{% script file="./content/en/{VERSION}/getting-started/getting-started-with-karpenter/scripts/step08-apply-helm-chart.sh" language="bash"%}}
+As the OCI Helm chart is signed by [Cosign](https://github.com/sigstore/cosign) as part of the release process you can verify the chart before installing it by running the following command.
+
+```bash
+cosign verify public.ecr.aws/karpenter/karpenter:{{< param "latest_release_version" >}} \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+ --certificate-identity-regexp='https://github\.com/aws/karpenter-provider-aws/\.github/workflows/release\.yaml@.+' \
+ --certificate-github-workflow-repository=aws/karpenter-provider-aws \
+ --certificate-github-workflow-name=Release \
+ --certificate-github-workflow-ref=refs/tags/v{{< param "latest_release_version" >}} \
+ --annotations version={{< param "latest_release_version" >}}
+```
+
 {{% alert title="DNS Policy Notice" color="warning" %}}
 Karpenter uses the `ClusterFirst` pod DNS policy by default. This is the Kubernetes cluster default and this ensures that Karpetner can reach-out to internal Kubernetes services during its lifetime. There may be cases where you do not have the DNS service that you are using on your cluster up-and-running before Karpenter starts up. The most common case of this is you want Karpenter to manage the node capacity where your DNS service pods are running.
diff --git a/website/hugo.yaml b/website/hugo.yaml
index ff34053f90bd..f4f62b857a8e 100644
--- a/website/hugo.yaml
+++ b/website/hugo.yaml
@@ -76,7 +76,7 @@ params:
 url: "https://slack.k8s.io/"
 icon: fab fa-slack
 desc: "Chat with us on Slack in the #aws-provider channel"
- latest_release_version: v0.35.0
+ latest_release_version: 0.35.0
 latest_k8s_version: 1.29
 versions:
 - v0.35
diff --git a/website/layouts/partials/navbar-version-selector.html b/website/layouts/partials/navbar-version-selector.html
index 5f4380d5ab16..08b4d896b907 100644
--- a/website/layouts/partials/navbar-version-selector.html
+++ b/website/layouts/partials/navbar-version-selector.html
@@ -1,7 +1,7 @@
 {{ $pageDir := index (split (path.Dir .Page.RelPermalink) "/") 1 }}
 {{ if or (eq $pageDir "docs") (eq $pageDir "") }}
- {{ $pageDir = printf "%s.%s" ( index ( split .Site.Params.latest_release_version "." ) 0 ) ( index ( split .Site.Params.latest_release_version "." ) 1 ) }}
+ {{ $pageDir = printf "v%s.%s" ( index ( split .Site.Params.latest_release_version "." ) 0 ) ( index ( split .Site.Params.latest_release_version "." ) 1 ) }}
 {{ end }}
 {{ $pagePath := replace .Page.RelPermalink "docs" "" }}
 {{ $pagePath = replace $pagePath $pageDir "" }}