Skip to content

docs(verify-artifacts): fix stale image-signing table and rebrand Replicated SDK references#1044

Merged
reyortiz3 merged 2 commits into
mainfrom
docs/verify-artifacts-image-list-fix
Jul 18, 2026
Merged

docs(verify-artifacts): fix stale image-signing table and rebrand Replicated SDK references#1044
reyortiz3 merged 2 commits into
mainfrom
docs/verify-artifacts-image-list-fix

Conversation

@reyortiz3

@reyortiz3 reyortiz3 commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Description

The "Which images are signed" table in the artifact-verification guide had drifted from reality:

  • thv (the CLI/API server image) was missing entirely — it's built and signed via _release-image.yml just like operator/proxyrunner.
  • Envoy Gateway, Envoy Ratelimit, and Presidio were listed under "third-party, not re-signed." That was true once, but since stacklok/stacklok-enterprise-platform#2332 they're repackaged and Stacklok-signed (signature + SBOM + provenance + OpenVEX) through _release-upstream-repackaged.yml, same as ai-gateway-controller/ai-gateway-extproc. Telling a customer to check the upstream publisher's signature instead of Stacklok's for these images was actively misleading.
  • Added the newly-corrected images to the "verify across all images" loop script.

connector-gateway is intentionally not added — it's still pre-release and not yet customer-facing.

A follow-up commit also rebrands the "Replicated SDK" display name to "Stacklok License Manager" throughout the page, matching stacklok/stacklok-enterprise-platform#2167, which set nameOverride: stacklok-license-manager on the SDK subchart — the component now appears as stacklok-license-manager-* in kubectl get pods, not replicated-*. The underlying image name/pull path (replicated-sdk-image, pulled directly from proxy.replicated.com, not through image-proxy.stacklok.com) is unchanged and called out explicitly — that's the vendor's own artifact name, not ours to rename. It remains the only genuine third-party passthrough image in the table.

Type of change

  • Documentation update
  • Bug fix (typo, broken link, etc.)

Verification

Verified live against the actual v0.7.0 release, through the real customer path (docker login image-proxy.stacklok.com with a live license, then cosign verify / cosign verify-attestation through the proxy) — not just against the origin registry. For every image touched by the first commit (thv, envoy-gateway, envoy-ratelimit, presidio-analyzer), confirmed all four artifacts present and valid: signature, SBOM (spdxjson), SLSA provenance (slsaprovenance1), and OpenVEX.

The rebrand commit is a display-name/prose change only (no new commands to verify) — confirmed the new pod-name claim against the vendored Replicated SDK chart's _helpers.tpl (nameOverride replaces the resource name outright, no prefix).

This follows up on a customer report of a missing OpenVEX attestation, root-caused and fixed in stacklok/stacklok-enterprise-platform#2477 (a staging-tag race in the release pipeline); this PR corrects the docs' image inventory and naming that were found stale while validating that fix.

Related issues/PRs

stacklok/stacklok-enterprise-platform#2477
stacklok/stacklok-enterprise-platform#2167
stacklok/stacklok-enterprise-platform#2500 (same rebrand, install-helm.md)

Submitter checklist

Content and formatting

  • I have reviewed the content for technical accuracy
  • I have reviewed the content for spelling, grammar, and style

- Add `thv` to the _release-image.yml row — it's signed and vex-attested
  just like operator/proxyrunner, but was missing from the table.
- Move Envoy Gateway, Envoy Ratelimit, and Presidio out of the "third-party,
  not re-signed" bucket into the _release-image-repackaged.yml row. Since
  stacklok/stacklok-enterprise-platform#2332 these are repackaged and
  Stacklok-signed (signature + SBOM + provenance + OpenVEX) like
  ai-gateway-controller/extproc, so the old guidance to check the
  upstream publishers' signatures instead was actively wrong.
- Correct the Replicated SDK note: it isn't rewritten through
  image-proxy.stacklok.com at all (unlike every other image on this
  page) — it's pulled directly from proxy.replicated.com. It remains
  the only genuine third-party passthrough image.
- Add thv/envoy-gateway/envoy-ratelimit/presidio-analyzer to the
  "verify across all images" loop.

Verified live against v0.7.0 through the actual customer path
(image-proxy.stacklok.com with a real license) for every image
touched by this change: signature, SBOM, SLSA provenance, and
OpenVEX attestations all present and valid.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@vercel

vercel Bot commented Jul 17, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs-website Ready Ready Preview, Comment Jul 17, 2026 9:38pm

Request Review

… License Manager

The umbrella chart set nameOverride: stacklok-license-manager on the
Replicated SDK subchart (stacklok/stacklok-enterprise-platform#2167),
renaming its Deployment/Service in-cluster. Update the display name here
to match what customers actually see via `kubectl get pods`, and note
that the underlying image name/pull path are unchanged (that's the
vendor's own artifact, not ours to rename).

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@reyortiz3 reyortiz3 changed the title docs(verify-artifacts): fix stale image-signing table docs(verify-artifacts): fix stale image-signing table and rebrand Replicated SDK references Jul 17, 2026
@reyortiz3
reyortiz3 merged commit 2700850 into main Jul 18, 2026
4 checks passed
@reyortiz3
reyortiz3 deleted the docs/verify-artifacts-image-list-fix branch July 18, 2026 00:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants