feat(helm): add $HELM_KEY_PASSPHRASE environment variable for signing helm charts (#4778)

* feat(helm): add $HELM_KEY_PASSPHRASE environment variable for signing helm charts If $HELM_KEY_PASSPHRASE is set then helm package sign command will not prompt the user to enter the passphrase for the private key Signed-off-by: Anumita Shenoy <ansheno@microsoft.com> * docs(helm): added documentation for HELM_KEY_PASSPHRASE Added description for HELM_KEY_PASSPHRASE Signed-off-by: Anumita Shenoy <ansheno@microsoft.com>
7 years ago · 1e26b5300b
parent 8061227ce1
commit 1e26b5300b
5 changed files with 46 additions and 25 deletions
--- a/cmd/helm/helm.go
+++ b/cmd/helm/helm.go
@ -61,16 +61,19 @@ Common actions from this point include:
 - helm list:      list releases of charts
 Environment:
-  $HELM_HOME          set an alternative location for Helm files. By default, these are stored in ~/.helm
+  $HELM_HOME           set an alternative location for Helm files. By default, these are stored in ~/.helm
-  $HELM_HOST          set an alternative Tiller host. The format is host:port
+  $HELM_HOST           set an alternative Tiller host. The format is host:port
-  $HELM_NO_PLUGINS    disable plugins. Set HELM_NO_PLUGINS=1 to disable plugins.
+  $HELM_NO_PLUGINS     disable plugins. Set HELM_NO_PLUGINS=1 to disable plugins.
-  $TILLER_NAMESPACE   set an alternative Tiller namespace (default "kube-system")
+  $TILLER_NAMESPACE    set an alternative Tiller namespace (default "kube-system")
-  $KUBECONFIG         set an alternative Kubernetes configuration file (default "~/.kube/config")
+  $KUBECONFIG          set an alternative Kubernetes configuration file (default "~/.kube/config")
-  $HELM_TLS_CA_CERT   path to TLS CA certificate used to verify the Helm client and Tiller server certificates (default "$HELM_HOME/ca.pem")
+  $HELM_TLS_CA_CERT    path to TLS CA certificate used to verify the Helm client and Tiller server certificates (default "$HELM_HOME/ca.pem")
-  $HELM_TLS_CERT      path to TLS client certificate file for authenticating to Tiller (default "$HELM_HOME/cert.pem")
+  $HELM_TLS_CERT       path to TLS client certificate file for authenticating to Tiller (default "$HELM_HOME/cert.pem")
-  $HELM_TLS_KEY       path to TLS client key file for authenticating to Tiller (default "$HELM_HOME/key.pem")
+  $HELM_TLS_KEY        path to TLS client key file for authenticating to Tiller (default "$HELM_HOME/key.pem")
-  $HELM_TLS_VERIFY    enable TLS connection between Helm and Tiller and verify Tiller server certificate (default "false")
+  $HELM_TLS_VERIFY     enable TLS connection between Helm and Tiller and verify Tiller server certificate (default "false")
-  $HELM_TLS_ENABLE    enable TLS connection between Helm and Tiller (default "false")
+  $HELM_TLS_ENABLE     enable TLS connection between Helm and Tiller (default "false")
  $HELM_KEY_PASSPHRASE set HELM_KEY_PASSPHRASE to the passphrase of your PGP private key. If set, you will not be prompted for
                       the passphrase while signing helm charts
 `
 func newRootCmd(args []string) *cobra.Command {
--- a/cmd/helm/package.go
+++ b/cmd/helm/package.go
@ -215,7 +215,7 @@ func (p *packageCmd) clearsign(filename string) error {
 		return err
 	}
-	if err := signer.DecryptKey(promptUser); err != nil {
+	if err := signer.DecryptKey(passphraseFetcher); err != nil {
 		return err
 	}
@ -229,8 +229,13 @@ func (p *packageCmd) clearsign(filename string) error {
 	return ioutil.WriteFile(filename+".prov", []byte(sig), 0755)
 }
-// promptUser implements provenance.PassphraseFetcher
+// passphraseFetcher implements provenance.PassphraseFetcher
-func promptUser(name string) ([]byte, error) {
+func passphraseFetcher(name string) ([]byte, error) {
 	var passphrase = settings.HelmKeyPassphrase()
 	if passphrase != "" {
 		return []byte(passphrase), nil
 	}
 	fmt.Printf("Password for key %q >  ", name)
 	pw, err := terminal.ReadPassword(int(syscall.Stdin))
 	fmt.Println()
--- a/docs/helm/helm.md
+++ b/docs/helm/helm.md
@ -21,16 +21,19 @@ Common actions from this point include:
 - helm list:      list releases of charts
 Environment:
-  $HELM_HOME          set an alternative location for Helm files. By default, these are stored in ~/.helm
+  $HELM_HOME           set an alternative location for Helm files. By default, these are stored in ~/.helm
-  $HELM_HOST          set an alternative Tiller host. The format is host:port
+  $HELM_HOST           set an alternative Tiller host. The format is host:port
-  $HELM_NO_PLUGINS    disable plugins. Set HELM_NO_PLUGINS=1 to disable plugins.
+  $HELM_NO_PLUGINS     disable plugins. Set HELM_NO_PLUGINS=1 to disable plugins.
-  $TILLER_NAMESPACE   set an alternative Tiller namespace (default "kube-system")
+  $TILLER_NAMESPACE    set an alternative Tiller namespace (default "kube-system")
-  $KUBECONFIG         set an alternative Kubernetes configuration file (default "~/.kube/config")
+  $KUBECONFIG          set an alternative Kubernetes configuration file (default "~/.kube/config")
-  $HELM_TLS_CA_CERT   path to TLS CA certificate used to verify the Helm client and Tiller server certificates (default "$HELM_HOME/ca.pem")
+  $HELM_TLS_CA_CERT    path to TLS CA certificate used to verify the Helm client and Tiller server certificates (default "$HELM_HOME/ca.pem")
-  $HELM_TLS_CERT      path to TLS client certificate file for authenticating to Tiller (default "$HELM_HOME/cert.pem")
+  $HELM_TLS_CERT       path to TLS client certificate file for authenticating to Tiller (default "$HELM_HOME/cert.pem")
-  $HELM_TLS_KEY       path to TLS client key file for authenticating to Tiller (default "$HELM_HOME/key.pem")
+  $HELM_TLS_KEY        path to TLS client key file for authenticating to Tiller (default "$HELM_HOME/key.pem")
-  $HELM_TLS_VERIFY    enable TLS connection between Helm and Tiller and verify Tiller server certificate (default "false")
+  $HELM_TLS_VERIFY     enable TLS connection between Helm and Tiller and verify Tiller server certificate (default "false")
-  $HELM_TLS_ENABLE    enable TLS connection between Helm and Tiller (default "false")
+  $HELM_TLS_ENABLE     enable TLS connection between Helm and Tiller (default "false")
  $HELM_KEY_PASSPHRASE set HELM_KEY_PASSPHRASE to the passphrase of your PGP private key. If set, you will not be prompted for
                       the passphrase while signing helm charts
 ### Options
@ -75,4 +78,4 @@ Environment:
 * [helm verify](helm_verify.md)	 - verify that a chart at the given path has been signed and is valid
 * [helm version](helm_version.md)	 - print the client/server version information
-###### Auto generated by spf13/cobra on 4-Sep-2018
+###### Auto generated by spf13/cobra on 16-Oct-2018
--- a/docs/provenance.md
+++ b/docs/provenance.md
@ -26,7 +26,9 @@ Prerequisites:
 - Keybase command line tools (optional)
 **NOTE:** If your PGP private key has a passphrase, you will be prompted to enter
-that passphrase for any commands that support the `--sign` option.
+that passphrase for any commands that support the `--sign` option. You can set the
 HELM_KEY_PASSPHRASE environment variable to that passphrase in case you don't want 
 to be prompted to enter the passphrase.
 **NOTE:** The keyfile format for GnuPG changed in version 2.1. Prior to that release
 it was unnecessary to export keys out of GnuPG, and you could instead point Helm
--- a/pkg/helm/environment/environment.go
+++ b/pkg/helm/environment/environment.go
@ -138,6 +138,14 @@ func (s EnvSettings) PluginDirs() string {
 	return s.Home.Plugins()
 }
 // HelmKeyPassphrase is the passphrase used to sign a helm chart.
 func (s EnvSettings) HelmKeyPassphrase() string {
 	if d, ok := os.LookupEnv("HELM_KEY_PASSPHRASE"); ok {
 		return d
 	}
 	return ""
 }
 // setFlagFromEnv looks up and sets a flag if the corresponding environment variable changed.
 // if the flag with the corresponding name was set during fs.Parse(), then the environment
 // variable is ignored.