Creating, signing and packaging a custom chart
References: https://www.kubernetes.org.cn/3913.html
https://github.com/helm/helm/blob/master/docs/provenance.md
http://www.ruanyifeng.com/blog/2013/07/gpg.html
https://docs.helm.sh/developing_charts/
Install GnuPG:
# Do not install version 2.1 or later (in 2.1 and later the way the secret keyring is written is somewhat problematic; see the official documentation)
$ yum install gnupg2-2.0.22-5.el7_5.x86_64 -y ## Installs GnuPG 2.0.22 here
$ gpg --version
gpg (GnuPG) 2.0.22
libgcrypt 1.5.3
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ?, ?, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
###############################################################################
## Generate a key ###
$ gpg --gen-key ## Generate a key pair
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? ## Choose the default algorithm, option 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) ## Key length; the longer the key, the more secure it is, but encryption and decryption cost more resources and time
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) ## Key expiry time; by default the key never expires
Key does not expire at all
Is this correct? (y/N) y ## Confirm that the key never expires
GnuPG needs to construct a user ID to identify your key.
Real name: HouFei ## Enter the key's identity information
Email address: [email protected]
Comment: Chart needs to configure GunPG
You selected this USER-ID:
"HouFei (Chart needs to configure GunPG) <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O ## Confirm with O
## Enter the passphrase twice here, then the key pair is generated; you may need to type on the keyboard, move the mouse, etc. to add randomness
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
## Key generation
gpg: key 20C5CD26 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
pub 2048R/20C5CD26 2019-01-31 ## The hash string of the "user ID"; it can be used in place of the "user ID". For example, in "gpg: key 20C5CD26 marked as ultimately trusted" above, 20C5CD26 is my user ID.
Key fingerprint = C502 775B C080 4273 BE22 B0CF DC2C 6162 20C5 CD26
uid HouFei (Chart needs to configure GunPG) <[email protected]>
sub 2048R/9E15C764 2019-01-31
######################################################
###### Common commands #########
gpg --list-keys ## List public keys
gpg -k ## List public keys
gpg --list-secret-keys ## List private keys
gpg -K ## List private keys
gpg --armor --output public-key-gmail.txt --export MASTERKEYID ## Export a public key
gpg --armor --output secret-key-gmail.txt --export-secret-keys MASTERKEYID ## Export a private key
gpg --export-secret-keys > secring.gpg ## Use this command to convert the keyring into the legacy gpg format
Create a custom chart, then package and sign it
$ gpg --export-secret-keys > secring.gpg ## Export and convert to the legacy gpg format
$ helm create mychart ## Create a new chart with the given name; it is left unmodified here, since this is only a packaging and signing test
Creating mychart
$ helm package --sign=true --key "HouFei" --keyring secring.gpg mychart ## Package and sign the chart
Successfully packaged chart and saved it to: /root/.helm/cache/archive/mychart-0.1.0.tgz
Password for key "HouFei(Chart needs to configure GunPG) <[email protected]>" > ## Enter the passphrase (the one set when the key was created)
$ ll
drwxr-xr-x. 4 root root 93 Jan 30 20:45 mychart
-rw-r--r--. 1 root root 2785 Jan 30 21:58 mychart-0.1.0.tgz ## The package
-rwxr-xr-x. 1 root root 711 Jan 30 21:59 mychart-0.1.0.tgz.prov ## The signature (provenance) file
-rw-r--r--. 1 root root 2572 Jan 30 21:56 secring.gpg ## The gpg-format private key exported just now
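The .prov file written above is a PGP clearsigned message that binds the chart metadata to the sha256 digest of the .tgz, which is what helm verify checks before trusting the package. The Python script below is an added example, not part of the original post or of Helm itself: it parses that signed body and compares the recorded digest against the archive bytes, using a constructed sample chart and a constructed provenance text whose signature block is a placeholder; the PGP signature itself is still verified separately with gpg or helm verify.

```python
import hashlib
import io
import re
import tarfile

# A Helm .prov file is a PGP clearsigned message: Chart.yaml content, a "..."
# separator, then a "files:" map of "<chart>.tgz: sha256:<hex>". Only that
# digest binding is checked here; the PGP signature needs gpg / helm verify.
FILES_RE = re.compile(r"^\s+(\S+\.tgz):\s*sha256:([0-9a-f]{64})\s*$", re.M)

def parse_provenance(prov_text):
    """Return {tgz name: hex sha256} recorded in the signed body of a .prov file."""
    start = prov_text.index("-----BEGIN PGP SIGNED MESSAGE-----")
    end = prov_text.index("-----BEGIN PGP SIGNATURE-----")
    body = prov_text[start:end]
    if "\n...\n" not in body or "\nfiles:\n" not in body:
        raise ValueError("provenance body lacks the '...' / 'files:' sections")
    return dict(FILES_RE.findall(body.split("\nfiles:\n", 1)[1]))

def digest_matches(prov_text, chart_file, chart_bytes):
    """True only if the .prov lists chart_file with the sha256 of chart_bytes."""
    recorded = parse_provenance(prov_text).get(chart_file)
    return recorded is not None and recorded == hashlib.sha256(chart_bytes).hexdigest()

def build_sample_chart():
    """Constructed stand-in for mychart-0.1.0.tgz: a gzipped tar holding Chart.yaml."""
    chart_yaml = b"apiVersion: v1\nname: mychart\nversion: 0.1.0\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("mychart/Chart.yaml")
        info.size = len(chart_yaml)
        tar.addfile(info, io.BytesIO(chart_yaml))
    return buf.getvalue()

def build_sample_prov(digest):
    """Constructed .prov text; the signature block is a placeholder, not a real one."""
    return (
        "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n"
        "apiVersion: v1\nname: mychart\nversion: 0.1.0\n\n...\nfiles:\n"
        f"  mychart-0.1.0.tgz: sha256:{digest}\n"
        "-----BEGIN PGP SIGNATURE-----\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n"
    )

def check_sample():
    """(intact_ok, tampered_ok): passes for the packaged bytes, fails after 1 extra byte."""
    tgz = build_sample_chart()
    prov = build_sample_prov(hashlib.sha256(tgz).hexdigest())
    return (digest_matches(prov, "mychart-0.1.0.tgz", tgz),
            digest_matches(prov, "mychart-0.1.0.tgz", tgz + b"\x00"))
```

Run against a real pair of files by reading mychart-0.1.0.tgz as bytes and the .prov as text; a digest mismatch means the archive was changed after it was signed.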
Upload and add the repository
Upload the package and signature file
Upload the generated mychart-0.1.0.tgz and mychart-0.1.0.tgz.prov to the Harbor chart repository
Add the chart repository
$ helm repo add sunlinechart --username admin --password Harbor12345 https://registry.odc.sunline.cn/chartrepo/test
"sunlinechart" has been added to your repositories
$ helm search mychart
NAME CHART VERSION APP VERSION DESCRIPTION
local/mychart 0.1.0 1.0 A Helm chart for Kubernetes
sunlinechart/mychart 0.1.0 1.0 A Helm chart for Kubernetes