-
Notifications
You must be signed in to change notification settings - Fork 60
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* add prov docs * cap --------- Co-authored-by: jamie zieziula <[email protected]>
- Loading branch information
1 parent
b118aa4
commit 1904f18
Showing
1 changed file
with
48 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -113,6 +113,54 @@ Development versions of the Helm chart will always be available directly from th | |
| helm upgrade ... --set postgresql.postgresqlPassword=$POSTGRESQL_PASSWORD | ||
| ``` | ||
| ## Chart Provenance | ||
| You can verify the integrity and origin of Prefect Helm charts by using [Helm provenance](https://helm.sh/docs/topics/provenance/). | ||
| The official Prefect Helm Chart public signing key must be used to verify the provenance of the Prefect Helm charts. Prefect uses [Keybase](https://keybase.io/) to host the public signing key. The key must first be downloaded and then imported into a local keyring. | ||
| ### Download the Public Signing Key | ||
| ```bash | ||
| curl https://keybase.io/prefecthq/pgp_keys.asc | gpg --import | ||
| ``` | ||
| ### Verify a Chart | ||
| A Prefect Helm chart can be verified either by: | ||
| - Downloading the chart and running `helm verify`. | ||
| - Using the `--verify` option during chart installation. | ||
| #### Verify a Downloaded Chart | ||
| You can use the `helm verify` command to verify a downloaded chart. To download a verifiable chart, use the `helm pull --prov` command. For example: | ||
| ```bash | ||
| helm pull --prov prefect/prefect-worker | ||
| ``` | ||
| You can then use the `helm verify` command to verify the downloaded chart. | ||
| ```bash | ||
| helm verify prefect-worker-<version>.tgz | ||
| Signed by: Jamie Zieziula <[email protected]> | ||
| Signed by: Jamie Zieziula <[email protected]> | ||
| Using Key With Fingerprint: 062AA2CFEFB2A02D54975B528DBDDA7074C40C6A | ||
| Chart Hash Verified: sha256:90eecaf6650ec08045b82c1f3dbf75529105de1a7fb0e64927ab648752746cea | ||
| ``` | ||
| #### Verify a Chart During Installation | ||
| You can verify a chart during installation by using the `--verify` option to either the `helm install` or `helm upgrade` command. | ||
| ```bash | ||
| # During installation | ||
| helm install prefect-worker --verify prefect/prefect-worker | ||
| # During upgrade | ||
| helm upgrade prefect-worker --verify prefect/prefect-worker | ||
| ``` | ||
| ## Options: | ||
| See comments in `values.yaml`. | ||
|
|
||