fix(collabora): Add chart validation

docs/security.md

@@ -15,13 +15,14 @@ This document should cover the current status of security measurements.
 
 # Helm Chart Trust Chain
 
-Helm charts are signed and validated against GPG keys which could be found in `helmfile/files/gpg-pubkeys`.
+Helm charts are signed and validated against GPG keys which can be found in `helmfile/files/gpg-pubkeys`.
 
-All charts except these are verifiable:
+For more details on Chart validation please visit: https://helm.sh/docs/topics/provenance/
+
+All charts except the ones mentioned below are verifiable:
 
 | Repository        | Verifiable |
 |-------------------|:----------:|
-| collabora-repo    |     no     |
 | open-xchange-repo |     no     |
 
 # Kubernetes Security Enforcements

helmfile/apps/collabora/helmfile.yaml

@@ -8,6 +8,8 @@ repositories:
   # Collabora Online
   # Source: https://github.com/CollaboraOnline/online
   - name: "collabora-online-repo"
+    keyring: "../../files/gpg-pubkeys/collaboraoffice-com.gpg"
+    verify: {{ .Values.charts.collabora.verify }}
     username: {{ env "OD_PRIVATE_REGISTRY_USERNAME" | quote }}
     password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
     oci: true

helmfile/environments/default/charts.yaml

@@ -47,6 +47,7 @@ charts:
     repository: "bmi/opendesk/components/supplier/collabora/charts-mirror"
     name: "collabora-online"
     version: "1.1.11"
+    verify: true
     # @supplier: "Collabora"
     # @mirrorFilter: '^(\d+)\.(\d+)\.(\d+)$'
     # @mirrorFrom: ['1', '1', '8']

helmfile/files/gpg-pubkeys/README.md

@@ -0,0 +1,6 @@
+# GPG public keys
+
+Place GPG public keys in binary format into this directory and reference them in the respective `helmfile.yaml`.
+
+In case you have only an ASCII Armored file you can just base64 decode the payload of that file, but remember to
+**not include** the 4-letter checksum that is prefixed with an `=` sign at the end of the payload.