From 5d4faa8198c959b2cf66180bf82c8603908cb966 Mon Sep 17 00:00:00 2001
From: Gerrit
Date: Mon, 1 Jun 2026 10:25:09 +0200
Subject: [PATCH 1/4] Update some release vector overwrites.

---
 inventories/group_vars/all/release_vector.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/inventories/group_vars/all/release_vector.yaml b/inventories/group_vars/all/release_vector.yaml
index f801fffc..539c80bd 100644
--- a/inventories/group_vars/all/release_vector.yaml
+++ b/inventories/group_vars/all/release_vector.yaml
@@ -15,6 +15,8 @@ metal_stack_release_vectors:
 # metal_api_image_tag:
 # metal_apiserver_image_name:
 # metal_apiserver_image_tag:
+# metal_tenant_apiserver_image_name:
+# metal_tenant_apiserver_image_tag:
 # metal_metalctl_image_name:
 # metal_metalctl_image_tag:
 # metal_masterdata_api_image_name:
@@ -45,7 +47,7 @@ metal_stack_release_vectors:
 ## helm charts ##
-# metal_helm_chart_version:
-# metal_helm_chart_repo:
+# metal_helm_chart_tag:
+# metal_helm_chart:
 # further overrides can be looked up in metal-roles where the mapping is defined:
 # https://github.com/metal-stack/metal-roles/blob/master/common/roles/defaults/defaults/main.yaml

From a36220297319e29f16fd749e53bf051b2e1e911c Mon Sep 17 00:00:00 2001
From: Gerrit
Date: Tue, 16 Jun 2026 08:28:08 +0200
Subject: [PATCH 2/4] Run cosign verify outside the deployment container.

---
 Makefile | 11 ++++++++++-
 compose.yaml | 2 --
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 9b9bc51f..dc29251f 100644
--- a/Makefile
+++ b/Makefile
@@ -74,7 +74,7 @@ COMPOSE_ARGS += $(if $(MINI_LAB_HELM_CHARTS),-f compose.dev/helm-charts.yaml) endif .PHONY: up -up: env gen-certs control-plane-bake partition-bake +up: env gen-certs verify-deployment-image control-plane-bake partition-bake @chmod 600 files/ssh/id_ed25519 docker compose $(COMPOSE_ARGS) up --pull=always --abort-on-container-failure --remove-orphans --force-recreate control-plane partition @$(MAKE) --no-print-directory start-machines @@ -150,6 +150,15 @@ endif sudo --preserve-env=MINI_LAB_SONIC_IMAGE --preserve-env=MINI_LAB_DELL_SONIC_VERSION --preserve-env=MINI_LAB_VM_IMAGE $(CONTAINERLAB) deploy --topo $(LAB_TOPOLOGY) --reconfigure && \ ./scripts/deactivate_offloading.sh; fi +.PHONY: verify-deployment-image +verify-deployment-image: env + @if which cosign 1> /dev/null 2> /dev/null; then \ + echo -e "\033[0;32mcosign is installed, verifying deployment base image\033[0m" && \ + cosign verify --key files/cosign.pub ghcr.io/metal-stack/metal-deployment-base:$$DEPLOYMENT_BASE_IMAGE_TAG; \ + else \ + echo -e "\033[1;33mcosign is not installed, install it in order to verify the deployment base image prior to your deployments\033[0m\n"; \ + fi + .PHONY: external_network external_network: @if ! docker network ls | grep -q mini_lab_ext; then \ diff --git a/compose.yaml b/compose.yaml index a2f0d224..8fd3e0d9 100644 --- a/compose.yaml +++ b/compose.yaml @@ -23,7 +23,6 @@ services: - /bin/bash - -ce - | - cosign verify --key files/cosign.pub ghcr.io/metal-stack/metal-deployment-base:${DEPLOYMENT_BASE_IMAGE_TAG} ansible -m metalstack.base.metal_stack_release_vector localhost --extra-vars "@.extra_vars.yaml" ansible-playbook deploy_control_plane.yaml --extra-vars "@.extra_vars.yaml" 
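Review bot: The `else` branch of `verify-deployment-image` exits 0 when cosign is absent, so `make up` goes on to pull and run the deployment base image with no signature check at all, whereas the check this commit removes from compose.yaml ran under `bash -ce` inside the container and aborted the deployment when verification failed. The yellow warning is only printed and is easy to miss in the compose output that follows it; a missing verifier should fail closed unless the user opts out explicitly, for example via a `MINI_LAB_*` variable in the style the Makefile already uses for its other knobs. `which` should also become `command -v`, which is POSIX and does not rely on an external binary being present. The rewritten branches follow; the `up` prerequisite list and the `env` target that this rule depends on are outside this hunk.
```make
verify-deployment-image: env
	@if command -v cosign 1> /dev/null 2> /dev/null; then \
		echo -e "\033[0;32mcosign is installed, verifying deployment base image\033[0m" && \
		cosign verify --key files/cosign.pub ghcr.io/metal-stack/metal-deployment-base:$$DEPLOYMENT_BASE_IMAGE_TAG; \
	elif [ "$$MINI_LAB_SKIP_IMAGE_VERIFY" = "true" ]; then \
		echo -e "\033[1;33mMINI_LAB_SKIP_IMAGE_VERIFY=true, skipping verification of the deployment base image\033[0m\n"; \
	else \
		echo -e "\033[0;31mcosign is not installed, install it (or set MINI_LAB_SKIP_IMAGE_VERIFY=true) in order to verify the deployment base image prior to your deployments\033[0m\n"; \
		exit 1; \
	fi
```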
@@ -46,7 +45,6 @@ services: - /bin/bash - -ce - | - cosign verify --key files/cosign.pub ghcr.io/metal-stack/metal-deployment-base:${DEPLOYMENT_BASE_IMAGE_TAG} ansible -m metalstack.base.metal_stack_release_vector localhost --extra-vars "@.extra_vars.yaml" ansible-playbook deploy_partition.yaml --extra-vars "@.extra_vars.yaml" From ae85c9090d9e9577b76de5ac8f70c7174a6f05d8 Mon Sep 17 00:00:00 2001 From: Gerrit Date: Tue, 16 Jun 2026 08:33:01 +0200 Subject: [PATCH 3/4] Install Cosign --- .github/workflows/integration.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml index 0b6d186d..448a52da 100644 --- a/.github/workflows/integration.yaml +++ b/.github/workflows/integration.yaml @@ -129,6 +129,9 @@ jobs: username: ${{ secrets.R_METALSTACK_IO_READ_USER }} password: ${{ secrets.R_METALSTACK_IO_READ_PASSWORD }} + - name: Install Cosign + uses: sigstore/cosign-installer@v4.1.2 + - name: Checkout uses: actions/checkout@v4 From 22107e38bc7048f354959c77c0eb2f9707d7fd9b Mon Sep 17 00:00:00 2001 From: Gerrit Date: Tue, 16 Jun 2026 08:53:40 +0200 Subject: [PATCH 4/4] Source it. --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index dc29251f..1939aa3a 100644 --- a/Makefile +++ b/Makefile @@ -154,7 +154,7 @@ endif verify-deployment-image: env @if which cosign 1> /dev/null 2> /dev/null; then \ echo -e "\033[0;32mcosign is installed, verifying deployment base image\033[0m" && \ - cosign verify --key files/cosign.pub ghcr.io/metal-stack/metal-deployment-base:$$DEPLOYMENT_BASE_IMAGE_TAG; \ + . ./.env && cosign verify --key files/cosign.pub ghcr.io/metal-stack/metal-deployment-base:$$DEPLOYMENT_BASE_IMAGE_TAG; \ else \ echo -e "\033[1;33mcosign is not installed, install it in order to verify the deployment base image prior to your deployments\033[0m\n"; \ fi
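Review bot: `uses: sigstore/cosign-installer@v4.1.2` pins the action to a tag, and tags are mutable, so the step that installs the tool doing the signature verification is itself only pinned by a name the action's publisher can move. Pin it to the full commit SHA of that release and keep the version as a trailing comment, `uses: sigstore/cosign-installer@<commit-sha> # v4.1.2`, and consider doing the same for `actions/checkout@v4` in the surrounding context. Running the installer before Checkout is fine since it does not need the repository, but a short comment such as `# required by the verify-deployment-image make target` would tell the next reader why the step is here.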
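Review bot: `. ./.env` executes the generated `.env` as a shell script, and if it does not set `DEPLOYMENT_BASE_IMAGE_TAG` the reference collapses to `metal-deployment-base:` and cosign's error will not say why; fail on the missing variable with `"$${DEPLOYMENT_BASE_IMAGE_TAG:?not set in .env}"` (quoted) instead of the bare `$$DEPLOYMENT_BASE_IMAGE_TAG`. Sourcing also means `.env` has to remain valid POSIX shell (no unquoted values containing spaces or `#`), which compose's own `.env` handling presumably does not require, so a one-line comment on the recipe is warranted since the `env` target that writes the file is outside this hunk. Separately, this verifies whatever the tag resolves to at verification time, while `docker compose up --pull=always` in the `up` target resolves the tag again afterwards, so an image re-tagged in between would run unverified; pulling by the digest cosign reports (or comparing the pulled image's digest against it) closes that window.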