
Commit bf2609f

authored
feat: verify prometheus-community charts (#2740)
* feat: verify prometheus-community charts * add the key
1 parent 83e92c6 commit bf2609f

4 files changed

Lines changed: 36 additions & 2 deletions


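--- a/Makefile
+++ b/Makefile
@@ -35,11 +35,14 @@ build: check-helm-version ## Build all charts
 
 ##@ Keys
 .PHONY: update-signing-keys
-update-signing-keys: keys/grafana-helm-charts-pubkey.gpg ## Refresh signing keys in keys/ from 1Password (requires the op CLI)
+update-signing-keys: keys/grafana-helm-charts-pubkey.gpg keys/prometheus-community-pubkey.gpg ## Refresh signing keys in keys/ (Grafana key requires the op CLI)
 
 keys/grafana-helm-charts-pubkey.gpg:
 op --account grafana.1password.com read "op://Helm Maintainers/Helm Chart Signing Key/gpg-public-key.asc" | gpg --dearmor > keys/grafana-helm-charts-pubkey.gpg
 
+keys/prometheus-community-pubkey.gpg:
+curl -sL https://prometheus-community.github.io/helm-charts/pubkey.gpg | gpg --dearmor > keys/prometheus-community-pubkey.gpg
+
 ##@ Install
 .PHONY: install
 install: ## Install dependencies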
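Review bot: The added `keys/prometheus-community-pubkey.gpg` recipe writes whatever the chart host returns straight into the keyring that later decides whether charts from that same host are trusted, and nothing in the recipe ties the download to the fingerprint recorded in keys/README.md. `curl -sL` also has no `-f`, and the `>` redirect creates the target before the pipeline finishes, so a failed or error-page fetch can leave a file that make then treats as up to date, since the rule has no prerequisites (whether `.DELETE_ON_ERROR` is set is not visible in this hunk). Downloading to a temporary name, comparing the primary-key fingerprint with a pinned value, and only then moving the file into place would close both gaps.

```make
# Fingerprint as recorded in keys/README.md; the download is accepted only if it
# holds exactly one primary key with this fingerprint.
PROMETHEUS_COMMUNITY_KEY_FPR := E2F102EFA9ACD882585BFE1A27252B168248743B

keys/prometheus-community-pubkey.gpg:
	curl -fsSL https://prometheus-community.github.io/helm-charts/pubkey.gpg | gpg --dearmor > $@.tmp
	test "$$(gpg --show-keys --with-colons $@.tmp | awk -F: '$$1 == "pub" {p = 1; next} p && $$1 == "fpr" {print $$10; p = 0}')" = "$(PROMETHEUS_COMMUNITY_KEY_FPR)"
	mv -f $@.tmp $@
```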

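--- a/charts/k8s-monitoring/charts/telemetry-services/Makefile
+++ b/charts/k8s-monitoring/charts/telemetry-services/Makefile
@@ -8,7 +8,11 @@ endif
 HAS_HELM_UNITTEST := $(shell $(HELM) plugin list | grep unittest 2> /dev/null)
 
 K8S_MANIFEST_TAIL_VERSION := $(shell yq '.dependencies[] | select(.name == "k8s-manifest-tail") | .version' Chart.yaml)
+KUBE_STATE_METRICS_VERSION := $(shell yq '.dependencies[] | select(.name == "kube-state-metrics") | .version' Chart.yaml)
+NODE_EXPORTER_VERSION := $(shell yq '.dependencies[] | select(.name == "prometheus-node-exporter") | .version' Chart.yaml)
+WINDOWS_EXPORTER_VERSION := $(shell yq '.dependencies[] | select(.name == "prometheus-windows-exporter") | .version' Chart.yaml)
 GRAFANA_HELM_CHARTS_KEYRING := ../../../../keys/grafana-helm-charts-pubkey.gpg
+PROMETHEUS_COMMUNITY_KEYRING := ../../../../keys/prometheus-community-pubkey.gpg
 
 .SECONDEXPANSION:
 README.md: values.yaml Chart.yaml $$(wildcard README.md.gotmpl)
@@ -29,12 +33,27 @@ clean:
 build: README.md Chart.lock values.schema.json $(ALLOW_LISTS)
 
 .PHONY: verify-signatures
-verify-signatures: ## Verify the signature of the signed k8s-manifest-tail chart dependency
+verify-signatures: ## Verify the signatures of the signed chart dependencies
 $(HELM) pull k8s-manifest-tail \
 --repo https://grafana.github.io/helm-charts \
 --version $(K8S_MANIFEST_TAIL_VERSION) \
 --verify --keyring $(GRAFANA_HELM_CHARTS_KEYRING) \
 --destination "$$(mktemp -d)"
+$(HELM) pull kube-state-metrics \
+--repo https://prometheus-community.github.io/helm-charts \
+--version $(KUBE_STATE_METRICS_VERSION) \
+--verify --keyring $(PROMETHEUS_COMMUNITY_KEYRING) \
+--destination "$$(mktemp -d)"
+$(HELM) pull prometheus-node-exporter \
+--repo https://prometheus-community.github.io/helm-charts \
+--version $(NODE_EXPORTER_VERSION) \
+--verify --keyring $(PROMETHEUS_COMMUNITY_KEYRING) \
+--destination "$$(mktemp -d)"
+$(HELM) pull prometheus-windows-exporter \
+--repo https://prometheus-community.github.io/helm-charts \
+--version $(WINDOWS_EXPORTER_VERSION) \
+--verify --keyring $(PROMETHEUS_COMMUNITY_KEYRING) \
+--destination "$$(mktemp -d)"
 
 .PHONY: test
 test: build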
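Review bot: Each added `$(HELM) pull … --verify` in `verify-signatures` writes to a fresh `"$$(mktemp -d)"` whose path is not kept, so the target confirms that the repository currently serves a correctly signed archive for the pinned version but never looks at the archives the build itself consumes. How dependencies are fetched for `Chart.lock` is outside this hunk, so that gap is inferred rather than confirmed. If the target is meant to gate what ships, verify at the point where the dependencies are fetched or compare digests of the two copies; otherwise state the scope above the rule, for example `# Verifies a fresh download of each pinned dependency version; archives fetched by the dependency build are not inspected.` The temporary directories are also left behind on every run.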

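--- a/keys/README.md
+++ b/keys/README.md
@@ -12,3 +12,15 @@ from `https://grafana.github.io/helm-charts`, such as `k8s-manifest-tail`,
 Key fingerprint `DDFB 6E2B E7ED 4FB1 1AA7 24C0 1D7C DC27 7F44 2050`. The key
 expires 2028-06-21. Confirm this fingerprint from a trusted, independent
 source before you replace the key.
+
+## prometheus-community-pubkey.gpg
+
+The "Prometheus Community Helm Charts" signing key. It verifies chart
+dependencies pulled from `https://prometheus-community.github.io/helm-charts`,
+such as `kube-state-metrics`, `prometheus-node-exporter`, and
+`prometheus-windows-exporter`.
+
+Published at <https://prometheus-community.github.io/helm-charts/pubkey.gpg>.
+Key fingerprint `E2F1 02EF A9AC D882 585B FE1A 2725 2B16 8248 743B`. The key
+does not expire. Confirm this fingerprint from a trusted, independent source
+before you replace the key.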
1.13 KB
Binary file not shown.
