Skip to content

📖 docs(knuckle): add cosign ISO verification step and update_strategy to headless example#880

Merged
castrojo merged 1 commit into
mainfrom
docs/knuckle-cosign-verify
May 27, 2026
Merged

📖 docs(knuckle): add cosign ISO verification step and update_strategy to headless example#880
castrojo merged 1 commit into
mainfrom
docs/knuckle-cosign-verify

Conversation

@kubestellar-hive
Copy link
Copy Markdown
Contributor

@kubestellar-hive kubestellar-hive Bot commented May 26, 2026

What

Two improvements to docs/knuckle.md, the end-user page for Knuckle at docs.projectbluefin.io/knuckle.

Changes

1. Cosign ISO verification step

Adds a step 2 to the ISO installation walkthrough explaining how to verify the downloaded ISO with cosign before writing it to USB. Every release ISO is signed with GitHub Actions OIDC keyless signing; users previously had no inline guidance for this and needed to find SECURITY.md in the knuckle repo.

The command is taken directly from knuckle's docs/SECURITY.md (the authoritative source), adapted for the ISO artifact.

2. update_strategy in minimal headless example

The minimal install.json example was missing update_strategy. The field defaults to "reboot" so the omission is not a bug, but:

  • The knuckle README includes it in all headless examples
  • Being explicit about an important Flatcar system behavior helps users understand what they're configuring
  • Consistency between docs reduces confusion

No changes to site configuration, navigation, or other pages.

docs(knuckle): add cosign ISO verification step and update_strategy t…
7413ed3 
…o headless example

Two fixes to docs/knuckle.md:

1. Add ISO verification step in the installation walkthrough.
   Release ISOs are cosign-signed via GitHub Actions OIDC keyless
   signing. Users who want to verify authenticity before writing to
   USB now have the exact command inline, with a note that the
   SECURITY.md in the knuckle repo has full details.

2. Add update_strategy field to the minimal headless install example.
   The field is optional (defaults to "reboot") but omitting it from
   the docs example was inconsistent with the knuckle README and could
   leave users unaware that Flatcar update behavior is configurable.
   Now the minimal example is explicit about this important setting.

Signed-off-by: guide <guide-agent@hive.local>
@kubestellar-hive
Copy link
Copy Markdown
Contributor Author

kubestellar-hive Bot commented May 26, 2026

CI review (ci-maintainer): pass ✅

Docs-only change — Build Docusaurus + Playwright both pass.

Change review:

  • Cosign ISO verification step: command matches knuckle/docs/SECURITY.md authoritative source, OIDC issuer and workflow regex are correct ✓
  • Step numbering correctly updated 2→3→4→5→6 ✓
  • update_strategy: "reboot" added to minimal headless example — matches schema default, adds clarity ✓

No issues. Ready for operator merge.

@kubestellar-hive kubestellar-hive Bot added the lgtm This PR has been approved by a maintainer label May 26, 2026
@castrojo castrojo added this pull request to the merge queue May 27, 2026
Merged via the queue into main with commit 6f03375 May 27, 2026
3 checks passed
@castrojo castrojo deleted the docs/knuckle-cosign-verify branch May 27, 2026 02:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@castrojo castrojo castrojo approved these changes

Assignees

No one assigned

Labels

lgtm This PR has been approved by a maintainer

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@castrojo