From 67fb5ae94a0001ad1fd179ca651c47743b38d3af Mon Sep 17 00:00:00 2001
From: Steve Hipwell
Date: Fri, 1 Mar 2024 13:15:45 +0000
Subject: [PATCH 1/2] feat(chart): Added cosign verify docs

Signed-off-by: Steve Hipwell
---
 charts/karpenter/README.md | 16 ++++++++++++++++
 charts/karpenter/README.md.gotmpl | 14 ++++++++++++++
 .../getting-started-with-karpenter/_index.md | 12 ++++++++++++
 3 files changed, 42 insertions(+)

diff --git a/charts/karpenter/README.md b/charts/karpenter/README.md
index 8d1aec3043eb..f2bc66c634b0 100644
--- a/charts/karpenter/README.md
+++ b/charts/karpenter/README.md
@@ -22,6 +22,20 @@ helm upgrade --install --namespace karpenter --create-namespace \
 --wait
 ```
+### Verification
+
+As the OCI Helm chart is signed by [Cosign](https://github.com/sigstore/cosign) as part of the release process you can verify the chart before installing it by running the following command.
+
+```shell
+cosign verify public.ecr.aws/karpenter/karpenter:0.35.0 \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+ --certificate-identity-regexp='https://github\.com/aws/karpenter-provider-aws/\.github/workflows/release\.yaml@.+' \
+ --certificate-github-workflow-repository=aws/karpenter-provider-aws \
+ --certificate-github-workflow-name=Release \
+ --certificate-github-workflow-ref=refs/tags/v0.35.0 \
+ --annotations version=0.35.0
+```
+
 ## Values
 | Key | Type | Default | Description |
@@ -97,3 +111,5 @@ helm upgrade --install --namespace karpenter --create-namespace \
 | webhook.metrics.port | int | `8001` | The container port to use for webhook metrics. |
 | webhook.port | int | `8443` | The container port to use for the webhook. |
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.13.0](https://github.com/norwoodj/helm-docs/releases/v1.13.0)
diff --git a/charts/karpenter/README.md.gotmpl b/charts/karpenter/README.md.gotmpl
index 19f7e7754dba..1e641e1ee586 100644
--- a/charts/karpenter/README.md.gotmpl
+++ b/charts/karpenter/README.md.gotmpl
@@ -21,6 +21,20 @@ helm upgrade --install --namespace karpenter --create-namespace \
 --wait
 ```
+### Verification
+
+As the OCI Helm chart is signed by [Cosign](https://github.com/sigstore/cosign) as part of the release process you can verify the chart before installing it by running the following command.
+
+```shell
+cosign verify public.ecr.aws/karpenter/karpenter:{{ template "chart.version" . }} \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+ --certificate-identity-regexp='https://github\.com/aws/karpenter-provider-aws/\.github/workflows/release\.yaml@.+' \
+ --certificate-github-workflow-repository=aws/karpenter-provider-aws \
+ --certificate-github-workflow-name=Release \
+ --certificate-github-workflow-ref=refs/tags/v{{ template "chart.version" . }} \
+ --annotations version={{ template "chart.version" . }}
+```
+
 {{ template "chart.requirementsSection" . }}
 {{ template "chart.valuesSection" . }}
diff --git a/website/content/en/preview/getting-started/getting-started-with-karpenter/_index.md b/website/content/en/preview/getting-started/getting-started-with-karpenter/_index.md
index 7384f2864575..f3473409cadf 100644
--- a/website/content/en/preview/getting-started/getting-started-with-karpenter/_index.md
+++ b/website/content/en/preview/getting-started/getting-started-with-karpenter/_index.md
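Review bot: The `cosign verify` command added in the `README.md.gotmpl` hunk checks the digest that the tag `{{ template "chart.version" . }}` resolves to at verification time, but nothing in the new section ties the later install to that same digest; the `helm upgrade --install` step it follows (only partly visible in this hunk) presumably resolves the version again. A sentence such as `cosign prints the verified digest; install the chart by that digest rather than by tag so the artifact you verified is the one you deploy.` would close that gap, subject to the Helm version in use accepting digest references. The same text is added in the generated `charts/karpenter/README.md` and in the website `_index.md` hunk, so the wording should be kept in step there.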
@@ -90,6 +90,18 @@ See [Enabling Windows support](https://docs.aws.amazon.com/eks/latest/userguide/
 {{% script file="./content/en/{VERSION}/getting-started/getting-started-with-karpenter/scripts/step08-apply-helm-chart.sh" language="bash"%}}
+As the OCI Helm chart is signed by [Cosign](https://github.com/sigstore/cosign) as part of the release process you can verify the chart before installing it by running the following command.
+
+```bash
+cosign verify public.ecr.aws/karpenter/karpenter:{{< param "latest_release_version" >}} \
+ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+ --certificate-identity-regexp='https://github\.com/aws/karpenter-provider-aws/\.github/workflows/release\.yaml@.+' \
+ --certificate-github-workflow-repository=aws/karpenter-provider-aws \
+ --certificate-github-workflow-name=Release \
+ --certificate-github-workflow-ref=refs/tags/v{{< param "latest_release_version" >}} \
+ --annotations version={{< param "latest_release_version" >}}
+```
+
 {{% alert title="DNS Policy Notice" color="warning" %}}
 Karpenter uses the `ClusterFirst` pod DNS policy by default. This is the Kubernetes cluster default and this ensures that Karpetner can reach-out to internal Kubernetes services during its lifetime. There may be cases where you do not have the DNS service that you are using on your cluster up-and-running before Karpenter starts up. The most common case of this is you want Karpenter to manage the node capacity where your DNS service pods are running.
From b827ee9500bb84f9eaa3e13880fe170311faed98 Mon Sep 17 00:00:00 2001
From: Jonathan Innis
Date: Sat, 2 Mar 2024 13:16:13 -0800
Subject: [PATCH 2/2] Fix auto-updated release version

---
 hack/release/common.sh | 2 +-
 website/hugo.yaml | 2 +-
 website/layouts/partials/navbar-version-selector.html | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/hack/release/common.sh b/hack/release/common.sh
index 6f8f5346bacf..e81170125114 100644
--- a/hack/release/common.sh
+++ b/hack/release/common.sh
@@ -192,7 +192,7 @@ removeOldWebsiteDirectories() {
 editWebsiteConfig() {
 local version="${1}"
- yq -i ".params.latest_release_version = \"v${version}\"" website/hugo.yaml
+ yq -i ".params.latest_release_version = \"${version}\"" website/hugo.yaml
 }
 # editWebsiteVersionsMenu sets relevant releases in the version dropdown menu of the website
diff --git a/website/hugo.yaml b/website/hugo.yaml
index ff34053f90bd..f4f62b857a8e 100644
--- a/website/hugo.yaml
+++ b/website/hugo.yaml
@@ -76,7 +76,7 @@ params:
 url: "https://slack.k8s.io/"
 icon: fab fa-slack
 desc: "Chat with us on Slack in the #aws-provider channel"
- latest_release_version: v0.35.0
+ latest_release_version: 0.35.0
 latest_k8s_version: 1.29
 versions:
 - v0.35
diff --git a/website/layouts/partials/navbar-version-selector.html b/website/layouts/partials/navbar-version-selector.html
index 5f4380d5ab16..08b4d896b907 100644
--- a/website/layouts/partials/navbar-version-selector.html
+++ b/website/layouts/partials/navbar-version-selector.html
@@ -1,7 +1,7 @@
 {{ $pageDir := index (split (path.Dir .Page.RelPermalink) "/") 1 }}
 {{ if or (eq $pageDir "docs") (eq $pageDir "") }}
- {{ $pageDir = printf "%s.%s" ( index ( split .Site.Params.latest_release_version "." ) 0 ) ( index ( split .Site.Params.latest_release_version "." ) 1 ) }}
+ {{ $pageDir = printf "v%s.%s" ( index ( split .Site.Params.latest_release_version "." ) 0 ) ( index ( split .Site.Params.latest_release_version "." ) 1 ) }}
 {{ end }}
 {{ $pagePath := replace .Page.RelPermalink "docs" "" }}
 {{ $pagePath = replace $pagePath $pageDir "" }}
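Review bot: `editWebsiteConfig` in the `hack/release/common.sh` hunk now writes `${version}` into `website/hugo.yaml` unchanged, yet everything downstream assumes the value has no leading `v`: the `printf "v%s.%s"` in `navbar-version-selector.html` later in this commit, and the cosign instructions from patch 1/2 that render `refs/tags/v{{< param "latest_release_version" >}}`. Nothing in the visible lines enforces that, so a tag-style argument such as `v0.36.0` (a constructed example) would yield a doubled prefix in the version selector and a certificate ref in the published verification command that can never match. Normalising at this boundary with `local version="${1#v}"` plus a comment like `# stored without the leading "v"; templates add it where a tag name is needed` makes the convention explicit. The callers of `editWebsiteConfig` are outside the hunk, so whether they already strip the prefix needs confirming.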