feat(helm): add $HELM_KEY_PASSPHRASE environment variable for signing helm charts (#4778)

* feat(helm): add $HELM_KEY_PASSPHRASE environment variable for signing helm charts

If $HELM_KEY_PASSPHRASE is set then helm package sign command will not prompt the
user to enter the passphrase for the private key

Signed-off-by: Anumita Shenoy <ansheno@microsoft.com>

* docs(helm):  added documentation for HELM_KEY_PASSPHRASE

Added description for HELM_KEY_PASSPHRASE

Signed-off-by: Anumita Shenoy <ansheno@microsoft.com>
pull/4791/head
Anumita Shenoy 6 years ago committed by Matt Butcher
parent 8061227ce1
commit 1e26b5300b

@ -71,6 +71,9 @@ Environment:
$HELM_TLS_KEY path to TLS client key file for authenticating to Tiller (default "$HELM_HOME/key.pem") $HELM_TLS_KEY path to TLS client key file for authenticating to Tiller (default "$HELM_HOME/key.pem")
$HELM_TLS_VERIFY enable TLS connection between Helm and Tiller and verify Tiller server certificate (default "false") $HELM_TLS_VERIFY enable TLS connection between Helm and Tiller and verify Tiller server certificate (default "false")
$HELM_TLS_ENABLE enable TLS connection between Helm and Tiller (default "false") $HELM_TLS_ENABLE enable TLS connection between Helm and Tiller (default "false")
$HELM_KEY_PASSPHRASE set HELM_KEY_PASSPHRASE to the passphrase of your PGP private key. If set, you will not be prompted for
the passphrase while signing helm charts
` `
func newRootCmd(args []string) *cobra.Command { func newRootCmd(args []string) *cobra.Command {

@ -215,7 +215,7 @@ func (p *packageCmd) clearsign(filename string) error {
return err return err
} }
if err := signer.DecryptKey(promptUser); err != nil { if err := signer.DecryptKey(passphraseFetcher); err != nil {
return err return err
} }
@ -229,8 +229,13 @@ func (p *packageCmd) clearsign(filename string) error {
return ioutil.WriteFile(filename+".prov", []byte(sig), 0755) return ioutil.WriteFile(filename+".prov", []byte(sig), 0755)
} }
// promptUser implements provenance.PassphraseFetcher // passphraseFetcher implements provenance.PassphraseFetcher
func promptUser(name string) ([]byte, error) { func passphraseFetcher(name string) ([]byte, error) {
var passphrase = settings.HelmKeyPassphrase()
if passphrase != "" {
return []byte(passphrase), nil
}
fmt.Printf("Password for key %q > ", name) fmt.Printf("Password for key %q > ", name)
pw, err := terminal.ReadPassword(int(syscall.Stdin)) pw, err := terminal.ReadPassword(int(syscall.Stdin))
fmt.Println() fmt.Println()
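Review bot: passphraseFetcher now returns $HELM_KEY_PASSPHRASE without prompting, but the comment above it still only says it implements provenance.PassphraseFetcher, so the precedence is not documented where the secret is handled. I would extend it to something like `// passphraseFetcher implements provenance.PassphraseFetcher. It returns $HELM_KEY_PASSPHRASE when that is set and non-empty, and prompts on the terminal otherwise.` A passphrase kept in the environment is inherited by child processes and can end up in CI job configuration or process dumps, so the help text and provenance docs added in this commit would benefit from a sentence saying the variable is meant for non-interactive signing and should be scoped to the signing step only. A wrong value presumably surfaces as a DecryptKey error with no fallback to the prompt; the function body continues past the end of the hunk, so how that error is reported is not visible here.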

@ -31,6 +31,9 @@ Environment:
$HELM_TLS_KEY path to TLS client key file for authenticating to Tiller (default "$HELM_HOME/key.pem") $HELM_TLS_KEY path to TLS client key file for authenticating to Tiller (default "$HELM_HOME/key.pem")
$HELM_TLS_VERIFY enable TLS connection between Helm and Tiller and verify Tiller server certificate (default "false") $HELM_TLS_VERIFY enable TLS connection between Helm and Tiller and verify Tiller server certificate (default "false")
$HELM_TLS_ENABLE enable TLS connection between Helm and Tiller (default "false") $HELM_TLS_ENABLE enable TLS connection between Helm and Tiller (default "false")
$HELM_KEY_PASSPHRASE set HELM_KEY_PASSPHRASE to the passphrase of your PGP private key. If set, you will not be prompted for
the passphrase while signing helm charts
### Options ### Options
@ -75,4 +78,4 @@ Environment:
* [helm verify](helm_verify.md) - verify that a chart at the given path has been signed and is valid * [helm verify](helm_verify.md) - verify that a chart at the given path has been signed and is valid
* [helm version](helm_version.md) - print the client/server version information * [helm version](helm_version.md) - print the client/server version information
###### Auto generated by spf13/cobra on 4-Sep-2018 ###### Auto generated by spf13/cobra on 16-Oct-2018

@ -26,7 +26,9 @@ Prerequisites:
- Keybase command line tools (optional) - Keybase command line tools (optional)
**NOTE:** If your PGP private key has a passphrase, you will be prompted to enter **NOTE:** If your PGP private key has a passphrase, you will be prompted to enter
that passphrase for any commands that support the `--sign` option. that passphrase for any commands that support the `--sign` option. You can set the
HELM_KEY_PASSPHRASE environment variable to that passphrase in case you don't want
to be prompted to enter the passphrase.
**NOTE:** The keyfile format for GnuPG changed in version 2.1. Prior to that release **NOTE:** The keyfile format for GnuPG changed in version 2.1. Prior to that release
it was unnecessary to export keys out of GnuPG, and you could instead point Helm it was unnecessary to export keys out of GnuPG, and you could instead point Helm

@ -138,6 +138,14 @@ func (s EnvSettings) PluginDirs() string {
return s.Home.Plugins() return s.Home.Plugins()
} }
// HelmKeyPassphrase is the passphrase used to sign a helm chart.
func (s EnvSettings) HelmKeyPassphrase() string {
if d, ok := os.LookupEnv("HELM_KEY_PASSPHRASE"); ok {
return d
}
return ""
}
// setFlagFromEnv looks up and sets a flag if the corresponding environment variable changed. // setFlagFromEnv looks up and sets a flag if the corresponding environment variable changed.
// if the flag with the corresponding name was set during fs.Parse(), then the environment // if the flag with the corresponding name was set during fs.Parse(), then the environment
// variable is ignored. // variable is ignored.
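Review bot: HelmKeyPassphrase is a method on EnvSettings but reads the process environment directly on every call instead of returning a field the way PluginDirs does, and its LookupEnv/ok branch is equivalent to the single line `return os.Getenv("HELM_KEY_PASSPHRASE")`, which already yields "" for an unset variable. The doc comment should say where the value comes from and that it is a secret, for example `// HelmKeyPassphrase returns the PGP private-key passphrase from $HELM_KEY_PASSPHRASE, or "" if unset; callers must not log it.` The name also stutters at the call site (`settings.HelmKeyPassphrase()`), though renaming is optional. setFlagFromEnv below starts inside the hunk and continues outside it.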
