As of Workflow v2.8.0, Deis has released Kubernetes Helm charts for Workflow and for each of its components.
Once Helm is installed and its server component is running on a Kubernetes cluster, one may install Workflow with the following steps:
$ helm repo add deis https://charts.deis.com/workflow # add the workflow charts repo
$ helm install deis/workflow --version=v2.8.0 --namespace=deis -f <optional values file> # injects resources into your cluster
Helm provides tools for establishing and verifying chart integrity. (For an overview, see the Provenance doc.) All release charts from the Deis Workflow team are now signed using this mechanism.
The full Deis, Inc. (Helm chart signing key) <security@deis.com> public key is available from the hosted location used in the first import command below, from the pgp.mit.edu keyserver, and from the official Deis Keybase account. The key's fingerprint can be cross-checked against all of these sources.
The public key mentioned above must exist in a local keyring before a signed chart can be verified.
To add it to the default ~/.gnupg/pubring.gpg keyring, any of the following commands will work:
$ # via our hosted location
$ curl https://deis.com/workflow/docs/security/1d6a97d0.txt | gpg --import
$ # via the pgp.mit.edu keyserver
$ gpg --keyserver pgp.mit.edu --recv-keys 1D6A97D0
$ # via Keybase with account...
$ keybase follow deis
$ keybase pgp pull
$ # via Keybase by curl
$ curl https://keybase.io/deis/key.asc | gpg --import
Charts signed with this key can then be verified when fetched:
$ helm repo add deis https://charts.deis.com/workflow
"deis" has been added to your repositories
$ helm fetch --verify deis/workflow && echo
Verification: &{0xc820563e50 sha256:060d66fa95b6badad98b37572a887723ed49a153dd636dce0f2c4ff667022586 workflow-v2.8.0.tgz}
One can then inspect the fetched workflow-v2.8.0.tgz.prov provenance file.
If the chart was not signed, the command above would result in:
Error: Failed to fetch provenance "https://charts.deis.com/workflow/workflow-v2.8.0.tgz.prov"
Alternatively, the chart can also be verified at install time:
$ helm install --verify deis/workflow --namespace deis
Fetched deis/workflow to workflow-v2.8.0.tgz
NAME: olfactory-star
LAST DEPLOYED: Thu Nov 10 11:45:44 2016
NAMESPACE: deis
STATUS: DEPLOYED
...
Having done so, one is assured of the origin and authenticity of any installed Workflow chart released by Deis.
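A Helm provenance file is a PGP clearsigned document whose `files:` section records the SHA-256 digest of the chart archive. The script below is an added example, not part of the original Deis documentation: it re-checks a fetched archive such as workflow-v2.8.0.tgz against its .prov file. The function names are hypothetical, and it assumes the signature on the .prov file has already been verified (for example by `helm fetch --verify`), because the recorded digest is only as trustworthy as the signature over it.

```shell
#!/bin/sh
# Added example: compare a chart archive with the digest in its .prov file.
# Assumption: the .prov signature was already verified (helm fetch --verify).

# prov_digest PROV_FILE ARCHIVE_NAME: print the recorded hex SHA-256, if any.
prov_digest() {
    awk -v name="$2" '
        /^files:/ { in_files = 1; next }
        in_files && /^[^ ]/ { exit }   # next top-level key or PGP signature
        in_files && $1 == (name ":") { sub(/^sha256:/, "", $2); print $2; exit }
    ' "$1"
}

# file_digest FILE: print the hex SHA-256 of FILE.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# check_chart CHART_TGZ [PROV_FILE]
# Returns 0 on match, 1 on mismatch, 2 when no usable entry is found.
check_chart() {
    chart=$1
    prov=${2:-$1.prov}
    name=$(basename "$chart")
    [ -r "$chart" ] && [ -r "$prov" ] || { echo "cannot read $chart or $prov" >&2; return 2; }
    expected=$(prov_digest "$prov" "$name")
    if [ -z "$expected" ]; then
        echo "no sha256 entry for $name in $prov" >&2
        return 2
    fi
    actual=$(file_digest "$chart")
    if [ "$expected" != "$actual" ]; then
        echo "MISMATCH: $name is $actual, provenance records $expected" >&2
        return 1
    fi
    echo "OK: $name matches $prov ($actual)"
}

# Run as a script: sh check_chart.sh workflow-v2.8.0.tgz
[ "$#" -eq 0 ] || check_chart "$@"
```

A mismatch means the archive on disk is not the file the signer hashed, so it should not be installed even though a valid .prov file sits next to it.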