docs(*): add doc on signed helm charts

As well as self-hosted public key used to sign charts.
deis · Nov 8, 2016 · cf66fdf · cf66fdf
1 parent 57b3eb8
commit cf66fdf
Show file tree

Hide file tree

Showing 7 changed files with 157 additions and 0 deletions.
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -32,6 +32,7 @@ pages:
     - Configuring Object Storage: installing-workflow/configuring-object-storage.md
     - Configuring Postgres: installing-workflow/configuring-postgres.md
     - Configuring the Registry: installing-workflow/configuring-registry.md
+    - Workflow Helm Charts: installing-workflow/workflow-helm-charts.md
   - Users:
     - Command Line Interface: users/cli.md
     - Users and Registration: users/registration.md

diff --git a/src/installing-workflow/index.md b/src/installing-workflow/index.md
@@ -83,6 +83,8 @@ $ helmc install workflow-v2.8.0               # injects resources into
 
     	$ helm install deis/workflow --version=v2.8.0 --namespace=deis -f <optional values file>  # injects resources into your cluster
 
+  See also our section on [Workflow chart provenance](workflow-helm-charts.md#chart-provenance)
+
 Helm Classic will install a variety of Kubernetes resources in the `deis` namespace.
 Wait for the pods that Helm Classic launched to be ready. Monitor their status by running:
 

diff --git a/src/installing-workflow/workflow-helm-charts.md b/src/installing-workflow/workflow-helm-charts.md
@@ -0,0 +1,56 @@
+# Workflow Helm charts
+
+As of Workflow [v2.8.0](../changelogs/v2.8.0.md), Deis has released [Kubernetes Helm][helm] charts for Workflow
+and for each of its [components](../understanding-workflow/components.md).
+
+## Installation
+
+Once [Helm][helm] is installed and its server component is running on a Kubernetes cluster, one may install Workflow with the following steps:
+```
+$ helm repo add deis https://charts.deis.com/workflow  # add the workflow charts repo
+
+$ helm install deis/workflow --version=v2.8.0 --namespace=deis -f <optional values file>  # injects resources into your cluster
+```
+
+## Chart Provenance
+
+Helm provides tools for establishing and verifying chart integrity.  (For an overview, see the [Provenance](https://github.com/kubernetes/helm/blob/master/docs/provenance.md) doc.)  All release charts from the Deis Workflow team are now signed using this mechanism.  
+
+The full `Deis, Inc. (Helm chart signing key) <[email protected]>` public key can be found [here](../security/1d6a97d0.txt), as well as the [pgp.mit.edu](http://pgp.mit.edu/pks/lookup?op=vindex&fingerprint=on&search=0x17E526B51D6A97D0) keyserver and the official Deis Keybase [account][deis-keybase].  The key's fingerprint can be cross-checked against all of these sources.
+
+### Verifying a signed chart
+
+The public key mentioned above must exist in a local keyring before a signed chart can be verified.
+
+To add it to the default `~/.gnupg/pubring.gpg` keyring, any of the following commands will work:
+
+```
+$ # via our hosted location
+$ curl https://deis.com/workflow/docs/security/1d6a97d0.txt | gpg --import
+
+$ # via the pgp.mit.edu keyserver
+$ gpg --keyserver pgp.mit.edu --recv-keys 1D6A97D0
+
+$ # via Keybase with account...
+$ keybase follow deis
+$ keybase pgp pull
+
+$ # via Keybase by curl
+$ curl https://keybase.io/deis/key.asc | gpg --import
+```
+
+Charts signed with this key can then be verified at install time:
+
+```
+$ helm repo add deis https://charts.deis.com/workflow
+$ helm install --verify deis/workflow --namespace deis
+
+$ helm repo add router https://charts.deis.com/router
+$ helm install --verify router/router --namespace deis
+$ # etc.
+```
+
+Having done so, one is assured of the origin and authenticity of any installed Workflow chart released by Deis.
+
+[helm]: https://github.com/kubernetes/helm/blob/master/docs/install.md
+[deis-keybase]: https://keybase.io/deis
diff --git a/src/quickstart/provider/aws/install-aws.md b/src/quickstart/provider/aws/install-aws.md
@@ -60,6 +60,8 @@ $ helmc install workflow-v2.8.0               # injects resources into
 
     	$ helm install deis/workflow --version=v2.8.0 --namespace=deis -f <optional values file>  # injects resources into your cluster
 
+  See also our section on [Workflow chart provenance](../../../installing-workflow/workflow-helm-charts.md#chart-provenance)
+
 Helm Classic will install a variety of Kubernetes resources in the `deis` namespace.
 You'll need to wait for the pods that it launched to be ready. Monitor their status
 by running:

diff --git a/src/quickstart/provider/gke/install-gke.md b/src/quickstart/provider/gke/install-gke.md
@@ -55,6 +55,8 @@ $ helmc install workflow-v2.8.0               # injects resources into
 
     	$ helm install deis/workflow --version=v2.8.0 --namespace=deis -f <optional values file>  # injects resources into your cluster
 
+  See also our section on [Workflow chart provenance](../../../installing-workflow/workflow-helm-charts.md#chart-provenance)
+
 Helm Classic will install a variety of Kubernetes resources in the `deis` namespace.
 You'll need to wait for the pods that it launched to be ready. Monitor their status
 by running:

diff --git a/src/quickstart/provider/vagrant/install-vagrant.md b/src/quickstart/provider/vagrant/install-vagrant.md
@@ -55,6 +55,8 @@ $ helmc install workflow-v2.8.0               # injects resources into
 
     	$ helm install deis/workflow --version=v2.8.0 --namespace=deis -f <optional values file>  # injects resources into your cluster
 
+  See also our section on [Workflow chart provenance](../../../installing-workflow/workflow-helm-charts.md#chart-provenance)
+
 Helm will install a variety of Kubernetes resources in the `deis` namespace.
 You'll need to wait for the pods that it launched to be ready. Monitor their status
 by running:

diff --git a/src/security/1d6a97d0.txt b/src/security/1d6a97d0.txt
@@ -0,0 +1,92 @@
+sec   4096R/1D6A97D0 2016-11-03
+      Key fingerprint = 41AF 6B6A 9489 9B58 1EB6  9ED1 17E5 26B5 1D6A 97D0
+uid                  Deis, Inc. (Helm chart signing key) <[email protected]>
+ssb   4096R/2CA931B0 2016-11-03
+ssb   4096R/41C9CA1E 2016-11-03 [expires: 2024-11-01]
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQINBFgbpCIBEACeZsh7wsilg+gAGPUrL3u0YUO66qWPP2fjj72MYbv8Cmqd8lEf
+t7uC7+foUhEtnS2Y+xxjNlEtPi3etE6wheGJdIhHunWQKarU/tZtuh1bkPrVeLdT
+aXslefS9SXWTHxqHZESJyJR1bFNrFBdND1rmTNqYi3Bkh22sgcmSsb+GgWly8JzI
+qphl9xg26VuAgMJ8IsILgNbi6CvgmBzFZqVgYU/gtR8cD6VDSCBKnFm9eFzBu39q
+nIa6Hdtf/MsspgyrcYfPTjt6/77FNtC3ThI361zSxVtUBBdOF4Dutwsl5QfdFryA
+hOY9ix7kNerLIXNturmLqoXLiszlpJL/yC9TGNzbi553T+JDCdK/qzfOsrcmAWhd
+L7txnGwSs5KkzVnknZw2c65UGrKheFlT2LjZrtTBZ3ZLJ9n6KvRUOqTwNs6/oKCb
+hPyq1nUIO8l8LstKJmlW8tTSceVvsYJV1jNwSFNPlNWW0mgRB2v2wUNpPToSTsFP
+bzwjnsOOVezbOoUnq02SIWXO7dCC0S8v5wZaRPmUN3xEEd129GHI8/LW7qdxpimh
+npbgUShB3zuA8N/X0VGkw3OfWdzS0beeQbSgVtxYDM6/2TIf4Hx9aDsKkRZe8aIk
+LhF6+zUEjr3oMjcFWVXKxYJSRc9KsXtsJr+RF6qC59phmLkZtTHk4k+aAQARAQAB
+tDdEZWlzLCBJbmMuIChIZWxtIGNoYXJ0IHNpZ25pbmcga2V5KSA8c2VjdXJpdHlA
+ZGVpcy5jb20+iQI5BBMBCAAjBQJYG6QiAhsDBwsJCAcDAgEGFQgCCQoLBBYCAwEC
+HgECF4AACgkQF+UmtR1ql9CeFw//WPlST2zv3TaZ5b+khWp3vv61yRiUH35Dq6uH
+4oCHLCr/H7pEJX1KE/AXJzFyTrQV+VZVzgIjyNZqyKd6s8Ny4zfXVwCLPAh9Qnfz
+deb8WHXdXxNta69egeiGAKpjJh5H9LOMHwfKL1L60d+TmlCPkg5Se9YMW4cPikYp
+6qspIOa90xrF3slzvbnp2cYV02R7BMPgEMHRkmZDLXQ0ckEGRV+KV42vzB04OiBf
+A9GpLmVn1n8v45Wo9akGQvpOg1Z9RQC/+wiRjy60TtHZm+G03Z5cel0f2J3Pb3TB
+xBjVo7s7DedddxAHlEBNLZPrxIGig8fWwWsILow/s16bfRSP+Qoo+rTaQkTkh/1m
+6mYrnji/SRwafZ1gRcBYwUyiAv7rEsINOr5DEI6S+pTuTKl+hdA0SgvSGwQ3fCTJ
+YQxghdK/dsZn80dxZj2xBApHd7NxuvPl94hIiYjEF3OeCZio/El5a3Aj+C83JSkv
+KOPd7S8fakQBuCAD0QqPSGXuv0gFXwiodqjjpePpZhIcuqvPWT7rkxJewJgIUBlY
+0AL8rUdHZa4zMI+eGD6FX22VrutpTciaX786CN/5jlVDxIKCZASHkHn6rprOZo9b
+1+3a9Xe0K+NpZ62F28A/nhQ+e2SB0n1SI/0J4N9BO866i5RybFyKhLWaeLCWm37J
+j9PoHMm5Ag0EWBukIgEQALr3f5QBpNQUoqEtWwewR4hXrk66zR+sBpcspunldB6a
+avUCFFCoUS7tbnlOeA4i5LFX8IZ8UXKz2wLpCWwuAqjwTA3YzI6KGwLao7lg18le
+nomTThwDbOBrZ/tmMsh71310SGhnpwNaDr0jzH1XduzvljpP7tZNcIAyQOqfWaES
+74qmGb4LfTofjbpKrg0zPh1P08VXcR8bjFSNf4M/Vlprb27US/ExPn8Fgpf7ddgo
+L0rTG6cVxAbwM1KThRhM0zopQcl9owA9aulXEx0bb5VAfAyjG86QVhUOYpKccDYm
+1PdLqAxXLZGWOsU/miDlTjWY4CbC0HZPAK4yyABafgdWf0sRBv6sAXtElu3zOQqy
+pIBaQdq5HomseOqrb5HZs1TFz7fGDLsbT6E2CJHbMM5xUhdDwr3OlWLkJjn6mAkQ
+Z0VWYjYyMAuvHIAdJZ6OwRcaJ1xKKc1GMEujeyColVVdKEGSE31ROvDZaR+zUM1m
+2YGK+XYHXO6nJyHjcvQ3Uh1dCnqeQvgIFyUwLQi+FwEeYgc86BPzeK8ouIjPHQY0
+MinmSJv/kbHJn4DhsdaIdQVMhgDVOWwBfJS8+osDrU/Js2j+kiq/BjPV3gXuctOM
+aJYWMPNgMTLx0ROrso5wU7NHsQUVCN5Qv+6iJjpaHr9aQu2YuUO7eONtAD35B2MZ
+ABEBAAGJAh8EGAEIAAkFAlgbpCICGwwACgkQF+UmtR1ql9ByLA/+JRYLt8uioAzd
+ySBFap/w7ntNq7A6cOU2zmHt0AA9JX3NT2r4tfmIE54CNH8WxjAnnXsr13tdOPoN
+bbg2cdKYEdK6xaOg84kqrNiZ2+n93ll5I2Puhh2/eip8EiWURnPfKtM6PX7o6cPS
+EDZ8EyJ9lDSwUfIiMg8sNEv8OBKq3prl9b4B7JzLr9QLE/S9ek5z4mri6MBXwb/I
++XKuY/YTQswRX7os7XRk8MbQuppRLfyTXH9aM5AwNMZXmU5MIK5Gu4sv41wGUIzu
+4GqeGVOmLFUnYUE/rNNZFH1HEAQj9QH6DqCqkgDLUNMQUGaWZRmmgHRZRyfCLkM0
+f/wVIGiCPuMF0vxqAVA/QQVPn92Ul1SmznNjAf9nnjZwKC+ubEIQ7cXphkNJAql9
+ccNRIdGxhEQzjzRnySkxHQsWw8Ly2Bwz/NzumPzkoNZ1a3X7dHVeKaYo/HIUMAph
+Um4N5yBvXSiZY8/94FfDVSstXGqt3kZhK82h2yvqiHIpUcFMxNLFpTXcdzRHrSnN
+ATzk/4Au1krHIj1KcxyjXYt2M+alXkSsLyK8nf3vrPX+zzbB1ZQwKPohPwmKCFFj
+u9fo6JM921U98SuWduRe5u0pU7ZBQB9NPsSrXSz8mZ5lfPJP90sKxFYBHDN6bSaD
+G5d76sWHAg/xaw8kfPNc0GSbtudOFGm5Ag0EWBukpAEQAKRxaVOfurtp9ZK9kBQf
+dlAUz7I18OCtGS01rPM64kvSdIOB91sjPDiDs81C6nX/Bqso8QM112Ms9PLeTANy
+Rs2BhnwprG1BMqCFUyykzrR2Fpkq3C0aqLMLId8SVisCasOxi5w3CjvEulfqDeZN
+e7dA+/sFwNryU8q65eQTd43JOQZtX0xrdfv/RQkSgsLlQb7txIcPayM87yWzIn6U
+pBvwaMV6K4Puq7LCNsNt/vF62xUhttjlv0De23THkeiieOBtS0cL8Wmp1XtilNpF
+BzwjaKl/tP9G+/TJr3jx8G02nvR9/STXxW6SUb9su5reRmP5Jk42tRTVI857xX6j
+oOmGtbec8tbEBzOoCBHOOGK+FqjHT1FiPn6EY8BGnqFy0ArBuEGyvpw/X2QZC03D
+tIl6k3vj8Lz8X2ucCWwzqTZJ+/IKaA6HBF5glWl8U3aNspCi+SnPsTJVQ9cQtxdc
+DLzRXXmyb6q1LZlpig+wWqr6LqLTtjgeGRh64mKNVUkSDT108B9mplRA6HYjZQw9
+YbWAs6EQFfDesObhjVjhdDKsU7dri1nVtbzdVEOPN6Rz4Uogzr8flYLchgkHyBJG
+EO9bYzqeu7F2vFzZmTaWimai8xqyXliClBTZwUB3LfujDpWbNteNA7LaPYk1DNsY
+mOpY9UWPRlpBQXCGINDyCpQrABEBAAGJBEQEGAEIAA8FAlgbpKQCGwIFCQ8JnAAC
+KQkQF+UmtR1ql9DBXSAEGQEIAAYFAlgbpKQACgkQJ8N4N0HJyh6JkA//cshmimC/
+8z+wepXIyTkphlvtmxHUoJHReqoWM4ofN542M3Txyr3UouBdE8sYtIx30DXVu12F
+WJjLPXXYD/mENpmvRP+0ScbKcKYnVK8A2vmtCl5GBRkIKN3qqEUUGPWeWfzpAZOH
+rw+f0/EdpzRxQqDdXtKUO2CM6k2ao5k7KVcGLq2aI6zr80EsyPc+nOx4k7IQBuPz
+lRvlFK3QQVL4F8SqrOcbuYClaUGcx0YoL6tY6uTrZvVDzsr71h2IfgzyoxWLyzuo
+FB/wABHUhnAJQB0T6kv89xUOogpK6dgGCDHbq2P7jDdbCbLgjKwMYbG780M0KKud
+2eAJg2pSRgQxcVbdKS4CSXBCfmRXVJuHPDhi9BXrUMcYqUPCpicXhNgKd0EdOu22
+exKrL7a3Tpz0pHLiRTrUU4zEvZEASQJzaaL3Qvf62m0PR4STb0wmGJ40DxrwFmWp
+pDA2k7VPAf3LST4YGt9ytwG372oF/02NclrXRah8DeJkokjxHA9vuY3mm2MqYccu
+qL9aSM8qmutpnxVEIFhOZWtmxN6WNsAK37/T59LIdnBX3UA787ydztSHJm2L8EPN
+g4jTKAzeVGTQzd2fbIxPidqQCZn5btkjpFvwE6nH5RVojhvipgFf4udsWxPPMSmU
+/ezoPxrWps08CqWPG2qPJL+sV3A6P5NwdbBfCw//YnHF5fa2azPSjIKBrftpCoyC
+mSJnxOj23Kk9gD7w/a/D+ODxNyxzRjFs/xpceJZi0SIcbKw+9rOPYsrunH27abxb
+IPXgvSFLNTbLx9jcSXaW+fkNdlDYEZcWhqTHDyRau9BoXdgSm2nY3luMAkxMIQAC
+m2HvHsB63fIxSEPRM0QEmi7yBk3f2QyUPvus7IcgEidbSmEpZxaOY8D79nzgfgh/
+WzggxpvZPdT664s6nhTLGxp2UD6wAlA2lSkIWrCPB3ZT5p58KcIBULtpb6mN5rWs
+D0UEEEMOMIwWlBqgDyrYylemPMks9GuMC1X7ANsbpjhwxjikyMLFFUBHa301CpHy
+k2fqCwvhidCoz8Y9e5V1sUSuoHtHeiikK7chUTDBH6no6bUT+8JZNScqw8jYV9cD
+4F01NhHO5OAuECIf0IszwslD6t1jVdTbwVL7hrRATDPMtxsPsFir8sPrT2EAk0MV
+lM1wNw60FMVgl23ok88EH02Q8a0Vp/P3zzMzK3Vj0DqcERpWIm+QR4wJhQnC397K
+o4Z4WknuB0oPZqVqgJzi8j5JTW8phgT/0rxFj1KA1yBiwudJBaRofQNQqK3NSYWe
+VB/69T2Srvd3e4V7dtSLuWI/JGjoIoC8TTK+OsDC4RN3w+5mYyfBwAZCABRrTXB+
+K8I9jWQf2UCagoUuV3w=
+=qap/
+-----END PGP PUBLIC KEY BLOCK-----