1
00:00:00,000 --> 00:00:07,933
Hi, let's understand Helm Provenance and Integrity management.

2
00:00:07,933 --> 00:00:13,999
It's a tool provided for the chart users to verify the integrity and origin of the package.

3
00:00:14,000 --> 00:00:21,466
It uses industry-standard tools like PKI or GnuPG keys to verify whether the Helm chart originated

4
00:00:21,466 --> 00:00:27,199
from the authentic person or not. I can generate my own key or

5
00:00:27,200 --> 00:00:31,566
use the key provided by the organization and sign the package

6
00:00:31,566 --> 00:00:34,732
when I'm making the package from the charts.

7
00:00:34,733 --> 00:00:40,966
And once the package is done, it's going to generate the provenance file as well, along with the package.

8
00:00:40,966 --> 00:00:46,599
And using that specific package, I should be in a position to verify whether the package is an authentic

9
00:00:46,600 --> 00:00:51,600
package or not. Let me go ahead and create a sample chart.

10
00:00:51,600 --> 00:00:58,566
I'm going to create a chart with the name signchartdemo: helm create signchartdemo

11
00:00:58,566 --> 00:01:02,332
A chart would get created. Before that, I need to have my own key.

12
00:01:02,333 --> 00:01:05,799
The key can either be generated or provided by the organization.

13
00:01:05,800 --> 00:01:10,433
Most of the time, it will be provided by the organization specific to the project or specific to the

14
00:01:10,433 --> 00:01:18,566
person. For demo purposes, I am going to create my own key. So I'll use the command gpg --gen-key

15
00:01:18,566 --> 00:01:23,399
This will give the option of what kind of key I want to generate; the default is RSA.

16
00:01:23,400 --> 00:01:26,400
I will go with the default value, and how many bits to use,

17
00:01:26,400 --> 00:01:28,933
I will go with the default value again.

18
00:01:28,933 --> 00:01:30,999
And what should be the expiry of the key?

19
00:01:31,000 --> 00:01:36,800
I'll keep it as zero. That's the default. So that the key doesn't expire at all.

20
00:01:36,800 --> 00:01:42,133
And it will ask for the confirmation whether I wanted to generate a key which doesn't expire.
Yes.

21
00:01:42,133 --> 00:01:45,066
The default is no, so explicitly I have to provide Y.

22
00:01:45,066 --> 00:01:52,399
And what should be the name? So this will be the ID for this specific key.

23
00:01:52,400 --> 00:02:06,066
Let me go ahead and give the name helmkeydemo. It will ask for the e-mail address
and a comment for the key.

24
00:02:06,066 --> 00:02:12,732
And it is going to use this specific key helmkeydemo and this specific e-mail address.

25
00:02:12,733 --> 00:02:16,799
It will ask for confirmation whether it's OK or needs to be changed.

26
00:02:16,800 --> 00:02:24,566
I will give O for OK, and it needs to have a passphrase to protect the key.

27
00:02:24,566 --> 00:02:29,999
Let me go ahead and give the passphrase. Depending on the SSH tool that you are using, automatically

28
00:02:30,000 --> 00:02:36,866
this would get prompted. In case you use PuTTY, you may have to give this particular option along with PuTTY itself.

29
00:02:36,866 --> 00:02:42,599
Let me give a passphrase; since it's test mode, I provided a shorter one.

30
00:02:42,600 --> 00:02:51,866
It's giving a warning. Anyway, let me go ahead and proceed with the same passphrase.

31
00:02:51,866 --> 00:03:00,332
Again, it's another warning. It doesn't have a digit. I'll go with the existing passphrase itself.

32
00:03:00,333 --> 00:03:06,466
And I need to re-enter the passphrase. The passphrase is nothing but a password

33
00:03:06,466 --> 00:03:12,399
for the key that is getting generated, so it's going to generate the key.

34
00:03:12,400 --> 00:03:17,800
And it'll provide the fingerprint and all, and the key will be stored in this specific location within the
root.

35
00:03:17,800 --> 00:03:23,000
It's going to have all the files; I can list them. Within the home directory

36
00:03:23,000 --> 00:03:30,700
it's going to have a folder .gnupg where it will have all the keys stored, and the keys

37
00:03:30,700 --> 00:03:34,366
will be added as a part of the secring.gpg.

38
00:03:34,366 --> 00:03:39,899
This is what will be used to sign that package.

39
00:03:39,900 --> 00:03:48,833
Now we have generated the package and we do have the package. The package that we have over here is signchartdemo.

40
00:03:48,833 --> 00:03:54,999
Let me go ahead and package it. While packaging, I need to provide what is the key to be used to sign it.

41
00:03:55,000 --> 00:04:01,500
And I can get the list of keys that are available within this particular system using the gpg command

42
00:04:01,500 --> 00:04:13,066
gpg --list-secret-keys. So I do have helmkeydemo over here, when it was created and the other information.

43
00:04:13,066 --> 00:04:18,932
I'm going to use this specific key and where the keyring is available, that is, the specific location and

44
00:04:18,933 --> 00:04:23,199
the file name, that is, secring.gpg,

45
00:04:23,200 --> 00:04:33,233
which I will provide while doing the packaging. Let me go ahead and do the packaging.

46
00:04:33,233 --> 00:04:40,366
So the command is helm package --sign, and use the key: --key, the name of the key, and where

47
00:04:40,366 --> 00:04:45,799
the keyring is available. It's going to ask for the passphrase. It's like a password.

48
00:04:45,800 --> 00:04:53,866
As I mentioned earlier, let me provide the passphrase, and it successfully created the package.

49
00:04:53,866 --> 00:04:57,832
If I look into this specific folder, I should have the actual package; along with that, I should

50
00:04:57,833 --> 00:05:03,566
have another file with the extension .prov, which is going to be the provenance

51
00:05:03,566 --> 00:05:08,299
file. This file should also get added along with the chart.

52
00:05:08,300 --> 00:05:14,300
And this is the file that will be used to do the verification, and wherever I'm going to add the chart,

53
00:05:14,300 --> 00:05:21,000
I need to add this particular package as well as this particular provenance file into the repository.

54
00:05:21,000 --> 00:05:26,000
And once the file is downloaded, I can verify using the command helm verify.

55
00:05:26,000 --> 00:05:28,700
So we completed the first part that is signing the package.

56
00:05:28,700 --> 00:05:31,833
And I can add it into the repository.

57
00:05:31,833 --> 00:05:35,566
The next part is how to do the verification.

58
00:05:35,566 --> 00:05:40,866
Now, let me go ahead and do the verification: helm verify and the name of the package.

59
00:05:40,866 --> 00:05:45,366
So that's going to give the information about which key it was signed with and the fingerprint.

60
00:05:45,366 --> 00:05:52,366
In case it is tampered with, I'm going to have an error message for the chart hash key. Here

61
00:05:52,366 --> 00:05:55,766
I'm getting a confirmation saying chart hash verified.

62
00:05:55,766 --> 00:05:58,232
Otherwise it will give an error message.

63
00:05:58,233 --> 00:06:04,999
So, in a quick summary, we have seen how to use the GPG key to sign the package and how to leverage the

64
00:06:05,000 --> 00:06:10,733
provenance and make sure the package that we are making is safe and secure.

65
00:06:10,733 --> 00:06:15,033
Also we saw how to use the verify command to verify the package.

