feat: add helm provenance and integrity
Helm Provenance and Integrity
Helm has provenance tools which help chart users verify the integrity and origin of a package. Using industry-standard tools based on PKI, GnuPG, and well-respected package managers, Helm can generate and verify signature files.
Overview
Integrity is established by comparing a chart to a provenance record. Provenance records are stored in provenance files, which are stored alongside a packaged chart. For example, if a chart is named myapp-1.2.3.tgz, its provenance file will be myapp-1.2.3.tgz.prov.
Provenance files are generated at packaging time (helm package --sign ...), and can be checked by multiple commands, notably helm install --verify.
The workflow
1. Prerequisites
Installing GnuPG
- macOS:
  brew install gnupg
- Debian-based systems:
  sudo apt-get install gnupg
Generating a GPG Key Pair
To create a new GPG key pair, run the following command:
gpg --full-generate-key
You will be prompted to configure the following options:
- Key type – Choose the type of key to generate. (Default: RSA and RSA (sign and encrypt))
- Key size – Define the key length (Default: 3072 bits for RSA).
- Key validity period – Specify how long the key should remain valid.
- User identification – Provide details including your name (User ID), email, and a comment.
- Passphrase – A passphrase is required to access the secret key or generate a signature.
Viewing GPG Keys
- List public keys:
  gpg --list-keys
- List secret (private) keys:
  gpg --list-secret-keys
Exporting Keys to the Keyring
- Export public key:
  gpg --export > ~/.gnupg/pubring.gpg
- Export secret (private) key:
  gpg --export-secret-keys > ~/.gnupg/secring.gpg
Displaying the Secret Key (Base64 Encoded)
To output the secret key in a Base64-encoded format (copy this output):
cat ~/.gnupg/secring.gpg | base64
2. Helm Package
These commands are incorporated in publish.sh and .circleci/publish_helm_charts.sh.
- Set the Secret Key as an Environment Variable
- Save the passphrase in passphrase.txt to avoid multiple prompts.
- Install GnuPG
- Save the Secret Key to the Keyring
- Package the Helm Chart with a Signed Provenance File
  helm package --sign --key <user_name> --keyring ~/.gnupg/secring.gpg --passphrase-file ./passphrase.txt -u -d ./repo <chart_name> --version <version>
  - --sign: Signs the package using the specified GPG key.
  - --key <user_name>: Specifies the GPG key to use for signing.
  - --keyring ~/.gnupg/secring.gpg: Defines the keyring location where the secret key is stored.
  - --passphrase-file ./passphrase.txt: Uses a file containing the passphrase to sign the package.
  - -u: Updates the index file if it exists.
  - -d ./repo: Specifies the destination directory for the packaged chart.
  - --version <version>: Specifies the chart version, which can be a development release.
  This command generates .tgz (Helm chart archive) and .prov (provenance) files.
- Push the Generated Files to the GitHub Pages Branch
3. Helm Install and Helm Verify
- Add mojaloop repo to your Helm config:
  helm repo add mojaloop https://mojaloop.io/helm/repo/
- Test installation without deploying it:
  helm --namespace demo install --verify moja mojaloop/mojaloop --create-namespace --dry-run
- Installing and verifying the latest version:
  helm --namespace demo install --verify moja mojaloop/mojaloop --create-namespace
- Installing and verifying development versions:
  helm --namespace demo install --verify moja mojaloop/mojaloop --create-namespace --devel
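As an added example (not part of this PR or of the Mojaloop publish scripts), here is the integrity half of what `helm install --verify` checks, in Python: it reads the `files:` block of a `.prov` file and compares the recorded SHA-256 with the digest of the chart archive. The chart bytes and the provenance text are constructed inline with a placeholder signature block; verifying the PGP signature, which is what establishes origin, is left to gpg/helm and not done here.

```python
import hashlib
import hmac
import re

# Constructed sample: a stand-in chart archive and a matching .prov file
# (not a real Mojaloop chart; the signature block is a placeholder).
CHART_NAME = "myapp-1.2.3.tgz"
CHART_BYTES = b"constructed-chart-archive-bytes"
CHART_DIGEST = hashlib.sha256(CHART_BYTES).hexdigest()

PROV_TEXT = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

apiVersion: v2
name: myapp
version: 1.2.3

...
files:
  {CHART_NAME}: sha256:{CHART_DIGEST}
-----BEGIN PGP SIGNATURE-----
PLACEHOLDER-SIGNATURE
-----END PGP SIGNATURE-----
"""

# One entry of the files: block, e.g. "  myapp-1.2.3.tgz: sha256:<64 hex chars>"
FILES_LINE = re.compile(r"^[ \t]+(?P<name>\S+\.tgz):[ \t]*sha256:(?P<hex>[0-9a-f]{64})[ \t]*$", re.MULTILINE)

def provenance_digests(prov_text: str) -> dict:
    """Return {archive name: sha256 hex} from the files: block of a .prov file.
    Only the clearsigned body is read; the PGP signature itself is not verified here."""
    start = prov_text.find("\nfiles:")
    end = prov_text.find("-----BEGIN PGP SIGNATURE-----")
    if start < 0 or end < 0 or end < start:
        raise ValueError("not a Helm provenance file: files block or signature missing")
    return {m["name"]: m["hex"] for m in FILES_LINE.finditer(prov_text[start:end])}

def chart_matches_provenance(chart_name: str, chart_bytes: bytes, prov_text: str) -> bool:
    """Integrity half of `helm verify`: the archive's SHA-256 must equal the digest
    the provenance file records for that archive name."""
    expected = provenance_digests(prov_text).get(chart_name)
    if expected is None:
        return False  # archive not covered by this provenance record
    actual = hashlib.sha256(chart_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    print(chart_matches_provenance(CHART_NAME, CHART_BYTES, PROV_TEXT))                 # True
    print(chart_matches_provenance(CHART_NAME, CHART_BYTES + b"tampered", PROV_TEXT))   # False
```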
Quality Gate passed
Issues
0 New issues
0 Accepted issues
Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code