feat: add how-to about verifying component versions with controllers

[frewilhelm]

What this PR does / why we need it

Add a How-To guide for verifying component version signatures using the OCM Kubernetes controller. Currently only CLI-based verification is documented (ocm verify cv). This guide covers the declarative approach via the Component custom resource's verify field.

The guide includes:

• Two approaches via tabs: inline public key value and Kubernetes Secret reference
• How the controller transitively verifies referenced component versions via embedded digests
• Troubleshooting with actual error messages from the controller

Also fixes typos in workerpool verification error messages.

Which issue(s) this PR fixes

Fixes #2234

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Updates controller signature verification error messages, adds a new how-to documenting controller-based component version signature verification, and modifies the controller Helm install instructions in the setup docs.

Changes

Cohort / File(s)	Summary
Signature verification message kubernetes/controller/internal/resolution/workerpool/workerpool.go	Reworded human-facing error strings emitted by verifySignatures for digest and signature verification failures; no change to error wrapping or control flow.
Controller Helm install docs website/content/docs/getting-started/setup-controller-environment.md	Updated Helm install snippet to use OCI chart reference without :<pre-release>, refreshed example output (resolved chart version, digest, deployment time), and adjusted "Registry Access" guidance wording.
How‑To: verify component versions (controller) website/content/docs/how-to/verify-component-version-controller.md	Added a new how-to describing transferring signed component versions to OCI, base64 PEM public key usage, Repository and Component CR examples with verify[] (inline or secretRef), verification checks, digest semantics, and a troubleshooting matrix.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• chore(doc): update install instructions for helm install #1931 — Related update to Helm install instructions referencing the OCI chart.

Suggested labels

kind/chore, size/s

Suggested reviewers

• jakobmoellerdev
• morri-son
• fabianburth

Poem

🐰 Soft paws tap keys beneath the moon,
I tidy docs and hum a nimble tune,
Charts find their home, signatures snug and bright,
Read, verify, and sleep well through the night. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: adding a how-to guide for controller-based component version verification, which aligns with the changeset.
Description check	✅ Passed	The description is well-related to the changeset, explaining what the PR does, why it's needed, what the guide includes, and noting the typo fixes in workerpool error messages.
Linked Issues check	✅ Passed	The PR successfully addresses all objectives from issue #2234: adds the controller-based verification how-to guide with inline and secret-reference approaches, explains transitive verification via digests, includes troubleshooting examples, and fixes related error messages.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with the PR objectives: the new how-to guide, documentation updates to the setup guide, and workerpool error message typo fixes address the stated goals without introducing unrelated modifications.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (3)

website/content/docs/getting-started/setup-controller-environment.md (1)

236-243: Make expected Helm output less version-specific to reduce doc churn.

Since the command does not pin a chart version, fixed version/digest/timestamp values can age quickly.

Suggested resilient output wording

-<summary>You should see this output</summary>
+<summary>You should see similar output (version, digest, and timestamp may differ)</summary>

 ```text
-Pulled: ghcr.io/open-component-model/kubernetes/controller/chart:0.4.0
-Digest: sha256:eac0dc587a1d288f36ef1961bb69f0ffb2791e0153f86d1fdbe54ae2f36f1194
+Pulled: ghcr.io/open-component-model/kubernetes/controller/chart:<resolved-version>
+Digest: sha256:<resolved-digest>
 NAME: ocm-k8s-toolkit
-LAST DEPLOYED: Tue Apr 28 17:42:51 2026
+LAST DEPLOYED: <current-date-time>

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @website/content/docs/getting-started/setup-controller-environment.md around
lines 236 - 243, Replace the version-, digest-, and timestamp-specific Helm
output in the "You should see this output" example with generic placeholders so
the doc doesn’t age; specifically update the Pulled line (currently referencing
chart:0.4.0) to use chart:, the Digest line to
sha256:, and the LAST DEPLOYED line to
(keep NAME: ocm-k8s-toolkit as-is) in the example block in
setup-controller-environment.md so the output stays resilient when the chart is
not pinned.

</details>

</blockquote></details>
<details>
<summary>website/content/docs/how-to/verify-component-version-controller.md (2)</summary><blockquote>

`232-244`: **Use “Symptom contains” wording to match wrapped controller errors.**

These messages are typically prefixes in logs (followed by extra context). Wording them as exact strings can mislead copy/paste troubleshooting.


<details>
<summary>Proposed doc wording tweak</summary>

```diff
-### Symptom: "signature verification failed for signature default"
+### Symptom contains: `signature verification failed for signature default:`

 ...
-### Symptom: "signature default not found in component"
+### Symptom contains: `signature default not found in component`

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@website/content/docs/how-to/verify-component-version-controller.md` around
lines 232 - 244, Update the two symptom headings and any exact-match example
phrases so they indicate partial/wrapped log matching by using "Symptom
contains: ..." instead of exact quoted strings; specifically change the headings
currently showing "signature verification failed for signature default" and
"signature default not found in component" to "Symptom contains: 'signature
verification failed for signature default'" and "Symptom contains: 'signature
default not found in component'", and update the surrounding guidance (including
the `verify` configuration mention and the `ocm get cv ...` example) to state
these are prefix/contains matches for wrapped controller errors rather than
exact strings.

---

230-273: Consider adding a digest-verification troubleshooting entry.

You already document signature and secret failures; adding the digest-failure case would complete the common controller verification errors.

Suggested section addition

 ## Troubleshooting

+### Symptom contains: `digest verification failed for signature "default"`
+
+**Cause:** The signed descriptor content no longer matches the digest embedded in the signature payload.
+
+**Fix:** Recreate/sign the component version after descriptor changes, transfer it again, and ensure the referenced version is the newly signed one.
+
 ### Symptom: "signature verification failed for signature default"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@website/content/docs/how-to/verify-component-version-controller.md` around
lines 230 - 273, Add a troubleshooting entry for digest verification failures:
describe the symptom (e.g., "digest verification failed" or "manifest digest
mismatch"), explain the cause (the component's recorded digest doesn't match the
actual artifact digest or the `digest` field in the `verify` configuration is
wrong), and give concise remediation steps referencing the `verify`
configuration, the `digest` field, and the ComponentVersion (CV) output from
`ocm get cv ... -o yaml` to inspect the recorded digest and `signatures:` block;
include instructions to fetch the artifact's actual digest from the registry
(e.g., using an image inspection tool) and to update either the `verify.digest`
value or the component's published metadata so the digests match.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@website/content/docs/getting-started/setup-controller-environment.md`:
- Around line 236-243: Replace the version-, digest-, and timestamp-specific
Helm output in the "You should see this output" example with generic
placeholders so the doc doesn’t age; specifically update the Pulled line
(currently referencing chart:0.4.0) to use chart:<resolved-version>, the Digest
line to sha256:<resolved-digest>, and the LAST DEPLOYED line to
<current-date-time> (keep NAME: ocm-k8s-toolkit as-is) in the example block in
setup-controller-environment.md so the output stays resilient when the chart is
not pinned.

In `@website/content/docs/how-to/verify-component-version-controller.md`:
- Around line 232-244: Update the two symptom headings and any exact-match
example phrases so they indicate partial/wrapped log matching by using "Symptom
contains: ..." instead of exact quoted strings; specifically change the headings
currently showing "signature verification failed for signature default" and
"signature default not found in component" to "Symptom contains: 'signature
verification failed for signature default'" and "Symptom contains: 'signature
default not found in component'", and update the surrounding guidance (including
the `verify` configuration mention and the `ocm get cv ...` example) to state
these are prefix/contains matches for wrapped controller errors rather than
exact strings.
- Around line 230-273: Add a troubleshooting entry for digest verification
failures: describe the symptom (e.g., "digest verification failed" or "manifest
digest mismatch"), explain the cause (the component's recorded digest doesn't
match the actual artifact digest or the `digest` field in the `verify`
configuration is wrong), and give concise remediation steps referencing the
`verify` configuration, the `digest` field, and the ComponentVersion (CV) output
from `ocm get cv ... -o yaml` to inspect the recorded digest and `signatures:`
block; include instructions to fetch the artifact's actual digest from the
registry (e.g., using an image inspection tool) and to update either the
`verify.digest` value or the component's published metadata so the digests
match.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 348c79db-1c86-41ca-a4ca-3271bb0de21d

📥 Commits

Reviewing files that changed from the base of the PR and between eaae334 and 40e1971.

📒 Files selected for processing (3)

• kubernetes/controller/internal/resolution/workerpool/workerpool.go
• website/content/docs/getting-started/setup-controller-environment.md
• website/content/docs/how-to/verify-component-version-controller.md

[netlify]

✅ Deploy Preview for ocm-website ready!

Name	Link
🔨 Latest commit	980075e
🔍 Latest deploy log	https://app.netlify.com/projects/ocm-website/deploys/69f3468cf6dc7700085acdd2
😎 Deploy Preview	https://deploy-preview-2407--ocm-website.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
🤖 Make changes	Run an agent on this branch

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[frewilhelm]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[frewilhelm]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[matthiasbruns]

looks pretty good - just a few nits

[Skarlso]

Looks okay, aside from what Matthias already said. :) I agree with those.