WG06 Meeting minutes 15/01/2026
Agenda
- Introduction to Whitestack (unitizing 6WIND)
- Back on Supply Chain (Orange)
Supports
Intro
In the video you can skip to minute 10, as it took time to find the option to unrestrict access to the meeting. It was a new meeting, set up to be compatible with the South America region. We were very happy to welcome Whitestack contributors.
Packaging CNF with Sylva Unit
Joris introduced Whitestack. The company hosts a Sylva test lab and already uses GitOps to deploy CNFs. Luis detailed how they successfully packaged a 6WIND vSR using a Sylva unit, sharing the YAML descriptors. For 6WIND they created 2 units: one for the common resources deployed using Kustomize, including the creation of the namespace, and one for the Helm chart with customized values.
Morgan asked whether this would be too difficult for functions with lots of components. Luis indicated that they were able to package a CNF from Summa Networks, including several functions of the core network. In the end more units must be created and the dependencies properly managed at the unit level. It is possible, but when uninstalling, attention must be paid to the order and the dependencies.
Supply Chain
Orange shared its view on building a secure vendor CNF supply chain. The 3 main stages are described:
- OCI artifact collection:
  - the collection mechanism from the vendor to a centralized Orange registry: either pull over the Internet through a whitelisted access, or pull mode from a vendor public registry
  - the promotion mechanism: by default OCI artifacts are untrusted; a compliance pipeline is used to check the validity of the Helm chart (YAML parsing of the templated objects), and the CVEs and efficiency of the Docker images. The OCI format is also verified
- Deployment through the Automation Enabler, using only the OCI artifacts from the centralized registry and its local/proxy cache
- CVE and cluster topology: through a job added in each GitOps deployment of a CNF, an inventory of the OCI images used at runtime is made and the results are centralized in a Git repository. The security team executes scans of the stored images based on the list of runtime OCI artifacts. As a consequence, any cluster hosting an image impacted by a new CVE will be quickly identified
During the session Orange indicated that a Sigstore component will be added to the automation enabler published in open source, to provide the capability to verify the signature of the images. François asked if the signature is expected from the vendors or is internal. Richard answered that both are expected: a check of the vendor signature (public SSH key hosted in the Sigstore) to ensure that the images are the ones signed by the vendors, plus one from the Orange validation team to indicate that the OCI artifacts are ready for production.
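The "CVE and cluster topology" stage above, sketched as an added example (not code from Orange, Whitestack or the Sylva project): runtime inventories are joined with scan results by image digest to list the clusters hosting an affected image. The JSON layout, cluster and registry names, digests and the CVE id are constructed placeholders and assumptions.

```python
import json
from collections import defaultdict

# Constructed inventories, one per cluster, in an assumed JSON layout such as
# the per-deployment job could commit to the central Git repository.
# Digests are shortened placeholders, not real image digests.
INVENTORIES = json.loads("""[
 {"cluster": "cluster-a", "images": [
  {"namespace": "vsr",  "ref": "registry.example/vendor1/vsr:3.2", "digest": "sha256:aaa1"},
  {"namespace": "core", "ref": "registry.example/vendor2/amf:1.9", "digest": "sha256:bbb2"}]},
 {"cluster": "cluster-b", "images": [
  {"namespace": "vsr",  "ref": "registry.example/vendor1/vsr:3.2", "digest": "sha256:aaa1"},
  {"namespace": "core", "ref": "registry.example/vendor2/smf:2.0", "digest": "sha256:ccc3"},
  {"namespace": "tools", "ref": "registry.example/vendor2/cli:latest", "digest": null}]}
]""")

# Constructed scanner output keyed by digest; the CVE id is a placeholder.
FINDINGS = {"sha256:aaa1": ["CVE-0000-0001"], "sha256:bbb2": []}


def build_index(inventories):
    """Return (digest -> {(cluster, namespace)}, entries lacking a digest)."""
    index, unpinned = defaultdict(set), []
    for inv in inventories:
        for img in inv["images"]:
            if img.get("digest"):
                # Key on the digest: a tag can be re-pointed, a digest cannot.
                index[img["digest"]].add((inv["cluster"], img["namespace"]))
            else:
                unpinned.append((inv["cluster"], img["namespace"], img["ref"]))
    return index, unpinned


def impacted(index, findings):
    """Return CVE -> sorted [(cluster, namespace)] running an affected image."""
    hits = defaultdict(set)
    for digest, cves in findings.items():
        for cve in cves:
            hits[cve] |= index.get(digest, set())
    return {cve: sorted(locs) for cve, locs in hits.items() if locs}


def unscanned(index, findings):
    """Digests observed at runtime for which no scan result exists yet."""
    return sorted(set(index) - set(findings))


if __name__ == "__main__":
    idx, unpinned = build_index(INVENTORIES)
    print("impacted:", impacted(idx, FINDINGS))
    print("not yet scanned:", unscanned(idx, FINDINGS))
    print("no digest recorded:", unpinned)
```

Images recorded without a digest and digests with no scan result are reported separately, since neither can be cleared by the CVE lookup.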