Helm in Practice

Designing, Deploying, and Operating Kubernetes Applications at Scale

Provenance and Integrity in Helm Charts

Verifying Charts Before Installation

When installing a chart, you can verify its provenance using the --verify flag with the helm install command:

helm install my-release hello-world-0.1.0.tgz --verify

However, for verification to succeed, Helm needs access to the signer's public key. You can use a server-side key management system or distribute the public keys securely to all users who will be installing charts.

These are the steps you need to follow:

Use the gpg --send-keys command to share your public key with a key server.

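Let's follow these steps. First, find your key ID and export it to a variable (we will use this later). Short IDs are not guaranteed to be unique, so also give your users the full fingerprint to compare against the key they download. The ID is the last 8 characters of the fingerprint (e.g., D454C9B9 in D6C227C2ED137845170879DBC6F85C29D454C9B9):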

export KEY_ID=D454C9B9

Upload your public key to a key server. We will use keyserver.ubuntu.com here, but you can choose any other public or private key server.

gpg --keyserver keyserver.ubuntu.com \
    --send-keys $KEY_ID

Verify that the key has been uploaded successfully by searching for it on the key server:

gpg --keyserver keyserver.ubuntu.com \
    --search-keys $KEY_ID
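
The consumer side of the steps above, as an added example that is not part of the course material: fetch the key by the short ID, accept it only if the full fingerprint matches, then hand Helm an explicit keyring. It assumes the fingerprint shown on this page was received over a trusted channel; the function names and the keyring file name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the course): check a fetched key before trusting it.
# EXPECTED_FPR and KEY_ID are the values shown on the page; the fingerprint is
# assumed to have reached the user over a channel they trust.
EXPECTED_FPR="D6C227C2ED137845170879DBC6F85C29D454C9B9"
KEY_ID="D454C9B9"

# Read `gpg --with-colons` output on stdin and print primary-key fingerprints.
# The first "fpr" record after a "pub" record is the primary key (field 10);
# "fpr" records after "sub" belong to subkeys and are skipped.
primary_fprs() {
  awk -F: '$1 == "pub" { want = 1 }
           $1 == "sub" { want = 0 }
           $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if stdin holds exactly one primary key and its full fingerprint
# equals $1 (spaces and letter case ignored). Two keys sharing a short ID fail.
fpr_matches() {
  _got=$(primary_fprs)
  _exp=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  [ -n "$_got" ] && [ "$_got" = "$_exp" ]
}

# Fetch the key into a throwaway GnuPG home, check it, then verify the chart.
# The chart's .prov file must sit next to the .tgz.
verify_chart() {
  _home=$(mktemp -d) || return 1
  _ring="$_home/helm-keyring.gpg"
  gpg --homedir "$_home" --keyserver keyserver.ubuntu.com \
      --recv-keys "$KEY_ID" || return 1
  if ! gpg --homedir "$_home" --with-colons --fingerprint |
       fpr_matches "$EXPECTED_FPR"; then
    echo "fetched key does not match expected fingerprint" >&2
    return 1
  fi
  # Helm reads a binary OpenPGP keyring file, so export one explicitly.
  gpg --homedir "$_home" --export "$EXPECTED_FPR" > "$_ring" || return 1
  helm verify --keyring "$_ring" "$1"
}

# Run only when a chart path is given, e.g.: sh check.sh hello-world-0.1.0.tgz
if [ "$#" -gt 0 ]; then
  verify_chart "$1"
fi
```

The same keyring file can be passed to `helm install` with `--verify --keyring`.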
