This article explains how to package and sign Helm charts for sharing Kubernetes applications securely.
In this lesson, we walk through packaging and signing Helm charts, a key step for sharing your Kubernetes applications. Once a chart is built, the next step is to package it and upload the resulting archive to a chart repository so that other users can download and install it. Our chart is located in the directory "nginx-chart" and contains the following items:
Chart.yaml
values.yaml
README.md
LICENSE
templates (directory)
charts (directory)
To package the chart, run the following command:
$ ls nginx-chart
charts  Chart.yaml  templates  values.yaml  README.md  LICENSE
$ helm package ./nginx-chart
Successfully packaged chart and saved it to: /vagrant/nginx-chart-0.1.0.tgz
The version number (0.1.0) is taken from the version field in Chart.yaml, so bump that field before packaging a new release. The resulting file has the .tgz extension: it is a tar archive compressed with gzip, and you can extract it with any archive tool on your platform (tar, 7-Zip, WinRAR, and so on). This single archive bundles all of your chart files for distribution.
Before uploading your chart to a repository, it is strongly recommended that you sign it. Signing helps users verify the integrity and authenticity of the package.
When you download files from the internet, there is always a risk of tampering. By cryptographically signing your Helm chart, you give your users a way to check that the package is genuine and has not been altered. Helm signs with a private key that only the chart developer holds; the resulting signature is stored in a separate provenance file (.tgz.prov) that travels alongside the chart archive.
Start by generating a private key and its corresponding public key using GPG (GNU Privacy Guard). The following command quickly generates both keys:
$ gpg --quick-generate-key "John Smith"
gpg: keybox '/home/vagrant/.gnupg/pubring.kbx' created
About to create a key for:
    "John Smith"

Continue? (Y/n) Y
gpg: /home/vagrant/.gnupg/trustdb.gpg: trustdb created
gpg: key 70D5188339885A0B marked as ultimately trusted
gpg: directory '/home/vagrant/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/vagrant/.gnupg/openpgp-revocs.d/20F2395A3176A22DD33D45470D5188339885A0B.rev'
public and secret key created and signed.

pub   rsa3072 2021-12-01 [SC] [expires: 2023-12-01]
      20F2395A3176A22DD33D45470D5188339885A0B
uid                      John Smith
sub   rsa3072 2021-12-01 [E]
In a production environment, you will usually want control over the key type, size, expiry and user ID rather than the defaults; the full, interactive form of the command prompts for each of these:
$ gpg --full-generate-key
After generating your keys, you may need to convert them to the older keyring format Helm expects. GnuPG 2.1 and later store secret keys in a new format under ~/.gnupg, whereas Helm reads the legacy secring.gpg / pubring.gpg keyring files. Export your secret keys into a file called secring.gpg with the following command (and keep that file readable only by you, since it holds your signing key):
$ gpg --export-secret-keys >~/.gnupg/secring.gpg
gpg: starting migration from earlier GnuPG versions
gpg: exporting secret keys from '/home/vagrant/.gnupg/secring.gpg' to gpg-agent
gpg: migration succeeded
Now that your keys are ready, you can package your chart again, this time signing it with your GPG key. The --key option takes the key's user ID (the name or email you gave when generating it), and --keyring points at the exported keyring file. Helm prompts for the key's passphrase if it has one:
$ helm package --sign --key 'John Smith' --keyring ~/.gnupg/secring.gpg ./nginx-chart
Successfully packaged chart and saved it to: /vagrant/nginx-chart-0.1.0.tgz
After executing the command, you will see not only the chart archive (.tgz) but also an additional file with the .tgz.prov extension. This provenance file is a PGP clear-signed text message that holds:
The contents of the chart's Chart.yaml
A SHA256 hash of the chart archive, under a files: entry
A PGP signature over that text, made with your private key
Below is an example snippet from a provenance file:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

apiVersion: v2
appVersion: 1.16.0
description: A Helm chart for Kubernetes
maintainers:
- email: [email protected]
  name: john smith
name: nginx-chart
type: application
version: 0.1.0

...
files:
  nginx-chart-0.1.0.tgz: sha256:b7d0502a9617ab953a3246bc7ba6a9de9d4286b2e78e3ea7975cc54698c4274
-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----
The SHA256 hash means that a change to any byte of the chart archive produces a different digest, which signals tampering. On its own, though, a hash only proves integrity: an attacker who can replace the archive can also recompute the hash. The PGP signature closes that gap by binding the text containing the hash to your private key, so a user who verifies the signature with your public key knows both that the archive is unmodified and that it came from you.
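To make the two halves of that check concrete, here is an added example (not Helm's own code) that builds a small constructed chart archive in memory, lays out a provenance message in the same clear-signed shape shown above, parses it, and compares the files: digest with the archive's real SHA256. It covers the integrity half of what helm verify does; the signature block is located but not verified, since that needs a PGP implementation and is left to helm verify or gpg --verify. The chart contents, file names and the placeholder signature are all assumptions made for the example.

```python
"""Parse a Helm provenance (.tgz.prov) message and check its archive digest.

Added example, not Helm's code. Reproduces the integrity half of `helm verify`:
read the clear-signed text, pull the `files:` SHA256 entry for the archive and
compare it with the SHA256 of the archive bytes. The PGP signature block is
extracted but NOT checked here; that part belongs to `helm verify` / `gpg`.
"""
import hashlib
import hmac
import io
import re
import tarfile

# Constructed stand-in for the chart's Chart.yaml (kept free of blank lines and
# of lines starting with "-", which clear-signing would dash-escape).
CHART_YAML = (
    "apiVersion: v2\n"
    "appVersion: 1.16.0\n"
    "description: A Helm chart for Kubernetes\n"
    "name: nginx-chart\n"
    "type: application\n"
    "version: 0.1.0"
)
ARCHIVE_NAME = "nginx-chart-0.1.0.tgz"  # assumed file name, as helm package would emit

# One "<file>.tgz: sha256:<64 hex>" line inside the files: block.
DIGEST_RE = re.compile(r"^\s*(\S+\.tgz):\s*sha256:([0-9a-f]{64})\s*$", re.M)


def build_chart_archive(chart_yaml: str, name: str = "nginx-chart") -> bytes:
    """Build a tiny gzip-compressed tar archive in memory (stand-in for `helm package`)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = chart_yaml.encode()
        info = tarfile.TarInfo(f"{name}/Chart.yaml")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_provenance(chart_yaml: str, filename: str, archive: bytes) -> str:
    """Lay out a provenance message the way `helm package --sign` does:
    armor header, blank line, Chart.yaml, '...', files: digests, signature block.
    The signature block is a placeholder: this example does not sign."""
    digest = hashlib.sha256(archive).hexdigest()
    return (
        "-----BEGIN PGP SIGNED MESSAGE-----\n"
        "Hash: SHA512\n\n"
        f"{chart_yaml}\n\n...\nfiles:\n  {filename}: sha256:{digest}\n"
        "-----BEGIN PGP SIGNATURE-----\n"
        "<signature omitted in this constructed example>\n"
        "-----END PGP SIGNATURE-----\n"
    )


def parse_provenance(prov: str) -> dict:
    """Split a .prov file into signed body, signature block and per-file digests.
    Raises ValueError for anything that is not a clear-signed message with a files: block."""
    lines = prov.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        body_start = lines.index("", start) + 1  # armor headers end at the first blank line
        sig_start = lines.index("-----BEGIN PGP SIGNATURE-----", body_start)
        sig_end = lines.index("-----END PGP SIGNATURE-----", sig_start)
    except ValueError as exc:
        raise ValueError("not a clear-signed provenance file") from exc
    body = "\n".join(lines[body_start:sig_start])
    signature = "\n".join(lines[sig_start + 1:sig_end])
    digests = {name: digest for name, digest in DIGEST_RE.findall(body)}
    if not digests:
        raise ValueError("provenance has no files: digests")
    return {"body": body, "signature": signature, "digests": digests}


def verify_digest(archive: bytes, filename: str, prov: str) -> bool:
    """True when the archive's SHA256 equals the digest the provenance lists for it."""
    expected = parse_provenance(prov)["digests"].get(filename)
    if expected is None:
        return False  # provenance does not cover this file at all
    actual = hashlib.sha256(archive).hexdigest()
    return hmac.compare_digest(actual, expected)


def demo():
    """Returns (result for the genuine archive, result for a tampered copy)."""
    archive = build_chart_archive(CHART_YAML)
    prov = make_provenance(CHART_YAML, ARCHIVE_NAME, archive)
    genuine = verify_digest(archive, ARCHIVE_NAME, prov)
    tampered = archive[:-1] + bytes([archive[-1] ^ 0x01])  # flip one bit in the archive
    return genuine, verify_digest(tampered, ARCHIVE_NAME, prov)


if __name__ == "__main__":
    print(demo())
```

Note what this does not prove: a matching digest only shows the archive is the one the provenance describes. Whether the provenance itself is trustworthy depends entirely on the signature check against a public key you already trust, which is why the keyring you hand to helm verify matters.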
When uploading your chart to an online repository, always include both the .tgz archive and the corresponding .tgz.prov provenance file.
To verify the integrity and authenticity of your signed chart, use helm verify. Note that an initial attempt is likely to fail, because Helm looks for the public key in the legacy ~/.gnupg/pubring.gpg keyring file, which GnuPG 2.1 and later do not create by default:
$ helm verify ./nginx-chart-0.1.0.tgz
Error: failed to load keyring: open /home/vagrant/.gnupg/pubring.gpg: no such file or directory
To resolve this, export your public key (gpg --export) into a legacy-format keyring file, either at the default ~/.gnupg/pubring.gpg path or anywhere else, and point the verification command at it with the --keyring option, just as --keyring pointed helm package at secring.gpg above. Helm then checks that the signature in the .tgz.prov file was made by a key in that keyring and that the archive's SHA256 matches the digest recorded in the signed text.
In real-world usage, users would typically fetch your public key from a public key server (e.g., keyserver.ubuntu.com), import it into the keyring they pass to Helm, and use the --verify flag with helm install or helm pull. If verification fails, the installation is aborted, so only charts signed by a key in the user's keyring are installed. Two caveats for practitioners: verification is off unless --verify is given, so an unsigned or tampered chart installs silently without it; and Helm treats every key in the keyring as trusted, so the keyring should contain only the chart publishers' keys, obtained and fingerprint-checked out of band rather than taken on faith from a key server.
That concludes our lesson on packaging and signing Helm charts. Next, we will explore how to upload your charts to an online repository, making them accessible to the Kubernetes community. For more detailed information, refer to the Helm documentation and other trusted Kubernetes resources.
Happy charting!