A Helm chart can ship with a provenance file (.prov) that lets users verify where the chart came from and that it has not been altered.
First, pass --sign when packaging the chart so that Helm signs the package; --key selects the signing identity and --keyring points at the secret keyring that holds it:
helm package --sign --key "my_helm_user@${MY_DOMAIN}" --keyring ${GNUPGHOME}/secring.gpg --destination . ./gitea/
Signing requires a secret key, which can be generated with gpg. The unattended recipe below creates one without a passphrase (%no-protection), which is convenient for a lab or CI job but means anyone who can read the keyring can sign as this identity, so keep the GNUPGHOME directory private.
First, create the gpg key:
export GNUPGHOME=$PWD/.gnupg
mkdir ${GNUPGHOME} && chmod 0700 $PWD/.gnupg
cat > ${GNUPGHOME}/my_gpg_key << EOF
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Helm User
Name-Comment: User
Name-Email: my_helm_user@${MY_DOMAIN}
Expire-Date: 0
%no-protection
%commit
EOF
gpg2 --verbose --batch --gen-key ${GNUPGHOME}/my_gpg_key
List the gpg keys to confirm the key was created:
$ gpg2 --list-secret-keys
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
/home/pruzicka/git/k8s-harbor/tmp/.gnupg/pubring.kbx
----------------------------------------------------
sec rsa2048 2019-07-19 [SCEA]
4DA54853FC984FF42EDD2C9B6733D8DA847797FE
uid [ultimate] Helm User (User) <my_helm_user@mylabs.dev>
ssb rsa2048 2019-07-19 [SEA]
Helm does not read the keybox format that GnuPG 2.1+ uses (pubring.kbx plus private-keys-v1.d); it expects a legacy secring.gpg file, so the secret key has to be exported into that format. Because the key was created without a passphrase, the export does not prompt:
$ gpg2 --export-secret-keys > ${GNUPGHOME}/secring.gpg
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/home/pruzicka/git/k8s-harbor/tmp/.gnupg/secring.gpg' to gpg-agent
gpg: migration succeeded
Then run the helm package --sign command shown above with --keyring pointing at the exported secring.gpg. This produces two files, the chart archive (gitea-<version>.tgz) and its provenance file (gitea-<version>.tgz.prov); both must be pushed to the Helm repo, since verification downloads the .prov next to the chart.
There are two ways to verify a chart package's origin and integrity. Both operate on a local chart archive and, by default, look for the .prov file in the same directory as the chart (<chart>.tgz.prov); the signer's public key must be present in the keyring Helm reads (by default ~/.gnupg/pubring.gpg, overridable with --keyring), otherwise verification fails even for a genuine chart:
helm verify
helm install --verify
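To make concrete what `helm verify` checks, here is an added example (not Helm's code and not part of the original post) written in Python so it runs without gpg or helm installed. It parses the clearsigned provenance file, strips the PGP dash-escaping, reads the digest that Helm records in the `files:` section, and compares it with the sha256 of the chart archive, looking for the .prov file next to the chart the way helm verify does. The chart archive and provenance text are constructed inline; the signature block in the sample is a placeholder, and verifying the real signature against the keyring is the part that stays with gpg/helm and is deliberately not reproduced here.

```python
"""Integrity half of `helm verify`: compare a chart archive's sha256 with the
digest recorded in the signed body of its .prov file.

Added example, not Helm's own code. It does NOT verify the PGP signature;
that is what binds the body to a key in the keyring and is left to gpg/helm.
"""
import hashlib
import io
import re
import tarfile
from pathlib import Path

SIGNED_MESSAGE_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIGNATURE_BEGIN = "-----BEGIN PGP SIGNATURE-----"
# One entry of the `files:` section, e.g. "  gitea-1.0.0.tgz: sha256:<hex>"
FILE_ENTRY = re.compile(r"^\s+(\S+):\s*(\w+):([0-9a-fA-F]+)\s*$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signed_body(prov_text: str) -> str:
    """Return the text covered by the signature: everything after the armor
    headers ("Hash: SHA512" + blank line) up to the signature block. Body lines
    that start with "-" are dash-escaped as "- " by the signer (RFC 4880 7.1),
    so that prefix is removed here."""
    lines = prov_text.splitlines()
    try:
        start = lines.index(SIGNED_MESSAGE_BEGIN)
        end = lines.index(SIGNATURE_BEGIN)
    except ValueError:
        raise ValueError("not a clearsigned provenance file") from None
    i = start + 1
    while i < end and lines[i].strip():  # skip armor headers
        i += 1
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines[i + 1:end])


def provenance_files(body: str) -> dict:
    """Parse the `files:` section Helm appends after the Chart.yaml content.
    Returns {filename: (algorithm, hexdigest)}."""
    files, in_files = {}, False
    for line in body.splitlines():
        if line.strip() == "files:":
            in_files = True
            continue
        if in_files:
            m = FILE_ENTRY.match(line)
            if not m:
                break
            files[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return files


def verify_pair(chart_bytes: bytes, chart_name: str, prov_text: str):
    """Integrity check only. Returns (ok, reason)."""
    try:
        files = provenance_files(signed_body(prov_text))
    except ValueError as e:
        return False, str(e)
    if chart_name not in files:
        return False, f"{chart_name} is not listed in the provenance files section"
    algo, expected = files[chart_name]
    if algo != "sha256":
        return False, f"unsupported digest algorithm {algo}"
    actual = sha256_hex(chart_bytes)
    if actual != expected:
        return False, f"digest mismatch: provenance {expected}, archive {actual}"
    return True, f"sha256 {actual} matches provenance"


def verify_local(chart_path: str):
    """Mirror `helm verify PATH`: the provenance is expected at PATH + '.prov'."""
    chart = Path(chart_path)
    prov = Path(str(chart) + ".prov")
    if not prov.is_file():
        return False, f"missing provenance file {prov}"
    return verify_pair(chart.read_bytes(), chart.name, prov.read_text())


# --- constructed sample data: a minimal fake chart and a fake .prov body ---
CHART_YAML = ("apiVersion: v1\nname: gitea\nversion: 1.0.0\ndescription: demo\n"
              "maintainers:\n- name: Helm User\n")
SAMPLE_CHART_NAME = "gitea-1.0.0.tgz"


def build_sample_chart() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = CHART_YAML.encode()
        info = tarfile.TarInfo("gitea/Chart.yaml")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_prov(chart_bytes: bytes, chart_name: str) -> str:
    # Dash-escape the "- name:" list item exactly as a clearsigner would.
    escaped = "\n".join(("- " + l) if l.startswith("-") else l
                        for l in CHART_YAML.splitlines())
    return (f"{SIGNED_MESSAGE_BEGIN}\nHash: SHA512\n\n{escaped}\n\n...\nfiles:\n"
            f"  {chart_name}: sha256:{sha256_hex(chart_bytes)}\n"
            f"{SIGNATURE_BEGIN}\n\n<placeholder, not a real signature>\n"
            "-----END PGP SIGNATURE-----\n")


SAMPLE_CHART = build_sample_chart()
SAMPLE_PROV = build_sample_prov(SAMPLE_CHART, SAMPLE_CHART_NAME)

if __name__ == "__main__":
    print(verify_pair(SAMPLE_CHART, SAMPLE_CHART_NAME, SAMPLE_PROV))
    print(verify_pair(SAMPLE_CHART + b"\x00", SAMPLE_CHART_NAME, SAMPLE_PROV))
```

The digest comparison alone is not a provenance check: anyone who can replace the .tgz in the repo can regenerate a matching .prov body. What stops that is the signature over the body, which gpg checks against the public key you have chosen to trust in the keyring, so never skip the signature step or accept an unknown key just to make verification pass.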