Air-gapped install
Everything lives at ghcr.io/quenchworks as standard OCI artifacts, so any registry or pull-through cache can hold a copy. Mirror what you need, repoint the charts, and the signatures and attestations come along so you keep verifying inside the perimeter.
The whole procedure is four moves; each one is spelled out below.
- Mirror the image with `cosign copy` so the signature and attestations travel with it.
- Mirror the chart with `helm pull` and `helm push`.
- Repoint the chart at your registry with `--set image.repository=...`, keeping the pinned digest.
- Verify inside the perimeter against your own registry.
Mirror an image
Use cosign copy so the signature and the SBOM and provenance attestations travel with the image, not just the layers:
```bash
# copies the image, its cosign signature, and the SBOM + provenance attestations
cosign copy \
  ghcr.io/quenchworks/images/redis:8.8.0 \
  registry.internal/quenchworks/redis:8.8.0
```

If you only need the bits and will verify before the copy, `crane` or `skopeo` also work and preserve the multi-arch index:

```bash
# image only (no signature/attestations); preserves the multi-arch index
crane copy \
  ghcr.io/quenchworks/images/redis:8.8.0 \
  registry.internal/quenchworks/redis:8.8.0
```

Pin by digest where you can. The version tag is convenient, but a digest is what guarantees the mirrored bytes match what was scanned and signed. Resolve one with `crane digest` (see Pin by digest).
Mirror a chart
Charts are OCI artifacts too. Pull a version, then push it to your registry:
```bash
helm pull oci://ghcr.io/quenchworks/charts/redis --version 0.0.5
helm push redis-0.0.5.tgz oci://registry.internal/charts
```

Repoint the chart at your registry
A chart references its image by digest under a configurable repository. Override the repository to your mirror at install time, keeping the same digest:

```bash
helm install my-redis oci://registry.internal/charts/redis --version 0.0.5 \
  --set image.repository=registry.internal/quenchworks/redis
```

The quench-common library refuses a tag-only image reference on purpose, so your mirror must carry the digest the chart pins. Mirroring by digest (or mirroring the exact tag the chart resolves) keeps that contract intact.
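The digest contract above (mirror by digest, repoint only the repository) is easy to break by hand-editing references, so here is an added helper that is not part of quenchworks' tooling: it rewrites an upstream reference onto the mirror, keeps the `@sha256:` digest, refuses tag-only input the same way the chart does, and emits the `cosign copy` and `cosign verify` commands for the mirror-an-image and verify steps. It assumes references of the form `host/path[:tag]@sha256:<64 hex>` and a mirror argument that is a bare repository (host/path); the digest in the usage call is constructed, not a real quenchworks image digest.

```bash
#!/bin/sh
# Added example, not quenchworks' own code. Rewrites an image reference onto
# an internal mirror while preserving the digest the chart pins.

# repoint_ref UPSTREAM_REF MIRROR_REPO -> prints MIRROR_REPO[:tag]@sha256:...
# Fails (like quench-common) when the input has no digest to preserve.
repoint_ref() {
    ref="$1"
    mirror="$2"
    case "$ref" in
        *@sha256:*) ;;
        *) echo "refusing tag-only reference (no digest to preserve): $ref" >&2
           return 1 ;;
    esac
    digest="${ref##*@}"                 # sha256:<hex>
    hex="${digest#sha256:}"
    case "$hex" in                      # digest must be exactly 64 hex chars
        *[!0-9a-f]*) echo "malformed digest: $digest" >&2; return 1 ;;
    esac
    [ "${#hex}" -eq 64 ] || { echo "malformed digest: $digest" >&2; return 1; }
    name="${ref%@*}"                    # host/path[:tag]
    last="${name##*/}"                  # last path component, may carry :tag
    case "$last" in
        *:*) tag=":${last#*:}" ;;
        *)   tag="" ;;
    esac
    printf '%s%s@%s\n' "$mirror" "$tag" "$digest"
}

# mirror_commands UPSTREAM_REF MIRROR_REPO -> prints the copy and verify
# commands from this page for one image. The copy pushes under the same tag
# (content addressing keeps the digest unchanged); verification then targets
# the digest reference so the check is unambiguous.
mirror_commands() {
    dst=$(repoint_ref "$1" "$2") || return 1
    printf 'cosign copy %s %s\n' "$1" "${dst%@*}"
    printf "cosign verify %s --certificate-identity-regexp '%s' --certificate-oidc-issuer %s\n" \
        "$dst" 'https://github.com/quenchworks/.+' \
        'https://token.actions.githubusercontent.com'
}

# Usage with a constructed digest (placeholder, not a real image digest):
mirror_commands \
  "ghcr.io/quenchworks/images/redis:8.8.0@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" \
  registry.internal/quenchworks/redis
```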
Verify inside the perimeter
The signer identity does not change when you mirror, so the same check works against your registry:
```bash
cosign verify registry.internal/quenchworks/redis:8.8.0 \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com
```

Verification still contacts the public Sigstore transparency log (Rekor) and Fulcio roots. In a fully disconnected network, verify on the way in (at the mirror boundary, where you have egress) rather than at deploy time, or run an internal Rekor mirror. See Verify a signature and SBOM & provenance.
Pull-through cache
If your registry supports it, a pull-through cache pointed at ghcr.io avoids copying anything by hand: pulls populate the cache on first use and serve from it afterward. Pin by digest so a cached entry is never ambiguous.