
scripts/prepare-release: use gpg for signing Helm chart

We need to create the provenance file by hand because we rename the chart archive. As a side benefit, this also gives the release manager a better experience, since GnuPG 2.1 and later are now supported.
This commit is contained in:
Markus Lehtonen 2021-03-16 21:48:14 +02:00
parent 8cf9367798
commit fd2dcc2275


@ -5,26 +5,31 @@ this=`basename $0`
usage () {
cat << EOF
Usage: $this [-h] RELEASE_VERSION GPG_KEY GPG_KEYRING
Usage: $this [-h] RELEASE_VERSION GPG_KEY
Options:
-h show this help and exit
Example:
$this v0.1.2 "Jane Doe <jane.doe@example.com>" ~/.gnupg/secring.gpg
$this v0.1.2 "Jane Doe <jane.doe@example.com>"
NOTE: The GPG key should be associated with the signer's Github account.
NOTE: Helm is not compatible with GnuPG v2 and you need to export the secret
keys in order for Helm to be able to sign the package:
gpg --export-secret-keys > ~/.gnupg/secring.gpg
EOF
}
sign_helm_chart() {
local chart="$1"
echo "Signing Helm chart $chart"
local sha256=`openssl dgst -sha256 "$chart" | awk '{ print $2 }'`
local yaml=`tar xf $chart -O node-feature-discovery/Chart.yaml`
echo "$yaml
...
files:
$chart: sha256:$sha256" | gpg -u "$key" --clearsign -o "$chart.prov"
}
#
# Parse command line
#
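Review bot: `local sha256=\`…\`` and `local yaml=\`…\`` in sign_helm_chart swallow the exit status of openssl and tar, so if either fails (wrong path, unreadable archive, Chart.yaml missing from the tarball) the function still clearsigns a provenance whose `files:` entry reads `sha256:` with no digest, and the release manager's key ends up on a bogus file. Whether the script runs under `set -e` is not visible in this hunk, and `local x=$(cmd)` masks the failure even when it does. Declare and assign separately, fail on a non-zero status, and refuse to sign when either value is empty; quoting `$chart` in the tar call is a small extra fix since the archive name is derived from the version argument. I have not checked whether `gpg --clearsign` from GnuPG 2.1+ produces a signature that `helm verify` accepts, so that is worth confirming on a release candidate before relying on this path.

```shell
sign_helm_chart() {
  local chart="$1"
  local sha256 yaml
  echo "Signing Helm chart $chart"
  sha256=$(openssl dgst -sha256 "$chart" | awk '{ print $2 }')
  yaml=$(tar xf "$chart" -O node-feature-discovery/Chart.yaml) || exit 1
  if [ -z "$sha256" ] || [ -z "$yaml" ]; then
    echo "ERROR: failed to compute digest or read Chart.yaml from $chart" >&2
    exit 1
  fi
  # … unchanged: clearsigned provenance assembled from $yaml, $chart and $sha256 …
}
```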
@ -41,11 +46,11 @@ done
shift "$((OPTIND - 1))"
# Check that no extra args were provided
if [ $# -ne 3 ]; then
if [ $# -lt 3 ]; then
if [ $# -ne 2 ]; then
if [ $# -lt 2 ]; then
echo -e "ERROR: too few arguments\n"
else
echo -e "ERROR: unknown arguments: ${@:4}\n"
echo -e "ERROR: unknown arguments: ${@:3}\n"
fi
usage
exit 1
@ -53,8 +58,7 @@ fi
release=$1
key="$2"
keyring="$3"
shift 3
shift 2
container_image=k8s.gcr.io/nfd/node-feature-discovery:$release
@ -107,12 +111,11 @@ sed -e s'!"nfd\.repo",.*,!"nfd.repo", "k8s.gcr.io/nfd/node-feature-discovery",!'
#
# Create release assets to be uploaded
#
helm package deployment/node-feature-discovery/ --version $semver --sign \
--key "$key" --keyring "$keyring"
helm package deployment/node-feature-discovery/ --version $semver
chart_name="node-feature-discovery-chart-$semver.tgz"
mv node-feature-discovery-$semver.tgz $chart_name
mv node-feature-discovery-$semver.tgz.prov $chart_name.prov
sign_helm_chart $chart_name
cat << EOF