Creating a Custom Chart and Signing the Package

References: https://www.kubernetes.org.cn/3913.html
https://github.com/helm/helm/blob/master/docs/provenance.md
http://www.ruanyifeng.com/blog/2013/07/gpg.html
https://docs.helm.sh/developing_charts/

Install GnuPG:

# Do not install version 2.1 or later (in 2.1 and later the secret key is stored differently, which causes a problem here; see the official documentation)
$ yum install gnupg2-2.0.22-5.el7_5.x86_64 -y       ## installs GnuPG 2.0.22
$ gpg --version
gpg (GnuPG) 2.0.22
libgcrypt 1.5.3
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
 
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ?, ?, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
 
 
###############################################################################
##    Generate a key pair   ###
$ gpg --gen-key                                 ## generate a key pair
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
 
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?                                 ## choose the default algorithm, 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)                ## key length: longer is more secure, but encryption and decryption take more time and resources
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)                           ## key expiry; the default is never
Key does not expire at all
Is this correct? (y/N) y                        ## confirm that the key never expires
 
GnuPG needs to construct a user ID to identify your key.
 
Real name: HouFei                               ## enter the key's identity information
Email address: [email protected]
Comment: Chart needs to configure GunPG
You selected this USER-ID:
    "HouFei (Chart needs to configure GunPG) <[email protected]>"
 
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O       ## confirm with O
 
 
## Enter the passphrase twice here; the key pair is then generated. You may be asked to type on the keyboard, move the mouse, etc. to gather more entropy.
 
You need a Passphrase to protect your secret key.
 
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
 
 
## Key generated
gpg: key 20C5CD26 marked as ultimately trusted
public and secret key created and signed.
 
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
pub   2048R/20C5CD26 2019-01-31                             ## the key ID, a short string that can be used in place of the user ID; e.g. in "gpg: key 20C5CD26 marked as ultimately trusted", 20C5CD26 is my key ID (the last 8 hex digits of the fingerprint below)
      Key fingerprint = C502 775B C080 4273 BE22  B0CF DC2C 6162 20C5 CD26
uid                  HouFei (Chart needs to configure GunPG) <[email protected]>
sub   2048R/9E15C764 2019-01-31
 
######################################################
######   Common commands  #########
 
 
gpg --list-keys         ## list public keys
gpg -k                  ## list public keys
gpg --list-secret-keys  ## list private keys
gpg -K                  ## list private keys
gpg --armor --output public-key-gmail.txt --export MASTERKEYID              ## export a public key
gpg --armor --output secret-key-gmail.txt --export-secret-keys MASTERKEYID  ## export a private key
gpg --export-secret-keys > secring.gpg                                       ## use this command to convert the keyring to the legacy gpg format

 

Create a custom chart, then package and sign it

$ gpg --export-secret-keys > secring.gpg        ## export and convert to the legacy gpg format
$ helm create mychart                           ## create a new chart with the given name; left unmodified here, since this is only a packaging and signing test
  Creating mychart
$ helm package --sign=true --key "HouFei" --keyring secring.gpg mychart             ## package and sign
 Successfully packaged chart and saved it to: /root/.helm/cache/archive/mychart-0.1.0.tgz
Password for key "HouFei(Chart needs to configure GunPG) <[email protected]>" >        ## enter the passphrase (the one set when the key was created)
 
 
$ ll
drwxr-xr-x. 4 root root    93 Jan 30 20:45 mychart
-rw-r--r--. 1 root root  2785 Jan 30 21:58 mychart-0.1.0.tgz                        ## the package
-rwxr-xr-x. 1 root root   711 Jan 30 21:59 mychart-0.1.0.tgz.prov                   ## the signature (provenance) file
-rw-r--r--. 1 root root  2572 Jan 30 21:56 secring.gpg                              ## the private key just exported in gpg format
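Helm's `.prov` file is a clearsigned copy of Chart.yaml followed by a `files:` block that records the sha256 of the packaged archive. As an added example that is not part of the original post, the Python below shows what a consumer checks before installing: the digest in the provenance file against the downloaded .tgz, and (through gpg, when it is installed) the clearsign against a trusted public keyring. The provenance text and archive bytes are constructed samples; `signature_valid` and its keyring path are assumptions, not Helm's own code.

```python
import hashlib
import re
import shutil
import subprocess
# Constructed stand-in for the downloaded mychart-0.1.0.tgz (not a real tarball).
SAMPLE_TGZ = b"constructed-stand-in-for-mychart-0.1.0.tgz-contents"

# Constructed .prov text in the Helm provenance layout: clearsigned Chart.yaml,
# a YAML document separator, then a files: block carrying the archive digest.
SAMPLE_PROV = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

description: A Helm chart for Kubernetes
name: mychart
version: 0.1.0

...
files:
  mychart-0.1.0.tgz: sha256:{digest}
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
""".format(digest=hashlib.sha256(SAMPLE_TGZ).hexdigest())

FILE_LINE = re.compile(r"^\s+(\S+\.tgz):\s*sha256:([0-9a-f]{64})\s*$")

def parse_provenance(prov_text):
    """Return {archive_name: sha256_hex} taken from the files: block of a .prov."""
    digests, in_files = {}, False
    for line in prov_text.splitlines():
        if line.strip() == "files:":
            in_files = True
            continue
        if in_files:
            m = FILE_LINE.match(line)
            if not m:
                break  # end of the files: block; the PGP signature follows
            digests[m.group(1)] = m.group(2)
    return digests

def checksum_matches(prov_text, archive_name, archive_bytes):
    """Integrity half: digest recorded in the .prov equals the archive's digest."""
    expected = parse_provenance(prov_text).get(archive_name)
    return expected is not None and expected == hashlib.sha256(archive_bytes).hexdigest()

def signature_valid(prov_path, keyring_path):
    """Authenticity half: gpg checks the clearsign against a trusted public keyring (absolute path)."""
    if shutil.which("gpg") is None:
        return None  # assumes gpg is on PATH; caller must treat None as "not verified"
    cmd = ["gpg", "--no-default-keyring", "--keyring", keyring_path, "--verify", prov_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0
```

In practice the public half of the signing key (`gpg --armor --export 20C5CD26`) is what goes into the trusted keyring, and both checks run before `helm install`; `helm verify` performs these same two steps internally.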

 

Upload and add the repository source

Upload the package and signature file

Upload the generated mychart-0.1.0.tgz and mychart-0.1.0.tgz.prov to the Harbor chart repository.

 

Add the chart repository

$ helm repo add sunlinechart --username admin --password Harbor12345 https://registry.odc.sunline.cn/chartrepo/test
"sunlinechart" has been added to your repositories
$ helm search mychart
NAME                    CHART VERSION   APP VERSION DESCRIPTION               
local/mychart           0.1.0           1.0         A Helm chart for Kubernetes
sunlinechart/mychart    0.1.0           1.0         A Helm chart for Kubernetes

 
