helm-sigstore-sign-verify-demo
Demonstration of packaging and signing Helm charts using tools such as Tekton and sigstore.
Deployment
Kustomize is used to deploy resources to a Kubernetes environment. Use the following steps to facilitate the deployment.
Prerequisites
- Tekton must be deployed to the environment. Follow these steps to install Tekton to the Kubernetes environment.
- A GitHub Personal Access Token must be available to enable publishing the release to GitHub.
- PGP based encryption is used to sign the Helm chart. A sample public and private keypair is provided. Alternatively, a user provided keypair can be used. No additional action is needed when using the provided keypair.
- rekor-cli, helm and of course kubectl will need to be installed locally to execute this demo.
Release Pipeline
A Tekton pipeline is available to perform the packaging and signing of a Helm chart. Use the following steps to deploy to a Kubernetes.
- Fork this repository or use a repository of your own (Additional configurations required)
- Add your GitHub Personal Access Token to install/release/base/github-token
- Deploy resources to your cluster:
Depending on whether you are providing PGP keys of your own will determine which command to execute. If you are using the default PGP keys, execute the following command:
kubectl apply -k install/release/overlays/defaultIf you are providing PGP keys of your own, execute the following:
kubectl apply -k install/release/overlays/pgp-providedA new namespace called helm-release will be created containing all of the resources.
Add PGP Keys (Optional)
If you providing PGP keys of your own, execute the following command:
kubectl create secret generic -n helm-release --from-file=private.pgp=<file>Execution
Once the assets have been deployed to the cluster, a PipelineRun resource is available in the install/release/base/tekton/pipelineruns/pipelinerun.yaml directory. Apply any modifications to suite the location of your repository and configuration and then execute the following command to add it to your cluster and start the Pipeline.
kubectl create -f install/release/base/tekton/pipelineruns/pipelinerun.yamlYou can monitor the pipeline by using the Tekton CLI (tkn).
tkn -n helm-demo pipelinerun logs -L -fOnce complete, the following actions will be performed:
- Publishing a new GitHub Release
- Tag the repository for the chart release
- Update the
index.yamlfile in thegh-pagesbranch - Using the helm sigstore plugin to upload the chart to Rekor.
Verification
The following steps can be used to verify the chart
- Add the chart repository to interact with the published chart (be sure to replace
user_or_organization)
helm repo add helm-sigstore-sign-verify-demo https://<user_or_organization>.github.io/helm-sigstore-sign-verify-demo- Update the local chart cache
helm repo update- Pull the chart locally (along with the provenance file)
helm pull helm-sigstore-sign-verify-demo/podinfo --prov- Verify the chart with Helm
Note: If the provided PGP key was used to sign the chart, the public key must be imported into the keyring before executing the following command
helm verify --keyring=<keyring> <packaged_chart>- Verify the chart using the sigstore helm plugin
Install the sigstore helm plugin
helm plugin install https://github.com/sigstore/helm-sigstoreVerify the chart
Note: The public key does not need to be added to the keyring. It can be explicitly specified using the --key parameter
helm sigstore verify --keyring=<keyring> <packaged_chart>Viewing the record in the transparency log
The record published in the Rekor transparency log can be show by first obtaining the UUID from the Tekton PipelineRun results and then querying Rekor.
Obtain the UUID
REKOR_UUID=$(oc -n helm-demo get pipelinerun $(kubectl -n helm-demo get pipelinerun --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") -o jsonpath='{ .status.pipelineResults[?(@.name=="sigstore-rekor-uuid")].value }')View the UUID:
echo $REKOR_UUIDUse the Rekor CLI to view the record:
rekor-cli get --uuid=$REKOR_UUID