Provenance and integrity of Helm charts in deployment pipelines

February 23, 2023 | 3 minute read
Srikrishna Padmannagari
Principal Product Manager
Jonathan Schreiber
Sr. Principal Product Manager

We’re excited to announce the availability of Helm attestation for Oracle Cloud Infrastructure (OCI) DevOps. The integrity of applications on Kubernetes clusters is business critical for many enterprises, and the Helm charts used to deploy those applications are part of that chain of trust. By verifying a Helm chart before deployment, OCI DevOps deploy pipelines can now stop unverified charts from being deployed.

You can also now perform additional Helm actions during deployment: dry-run a new Helm chart to preview its changes before applying them, upgrade to a newer chart version, or change the configuration of your Helm release.

Overview of OCI DevOps Helm attestation

Verification checks that a Helm chart came from a trusted build source and hasn’t been modified since that source published it. The trusted build source can be an OCI DevOps build pipeline, the Helm command line tool run outside OCI DevOps, or any other build tooling capable of packaging and signing a Helm chart.

This feature set extends the OCI DevOps Helm stage for deployment pipelines with Helm attestation, additional helm command arguments, and a helm-diff dry-run option. Helm attestation relies on the provenance and verification mechanisms built into the helm command line tool: the signed provenance file that helm package --sign produces and the check that helm verify performs.

How does Helm Attestation work?

This feature uses the Helm command line tool’s own provenance and integrity mechanisms with a PGP (pretty good privacy) key pair. Helm reads keyrings in binary OpenPGP format only, not ASCII-armored files, so the public key must be supplied in that format, either stored in OCI Vault or specified inline. The process uses the following steps:

  1. Outside of OCI DevOps, the Helm chart is packaged and signed with the PGP private key. Signing creates a provenance record (the .prov file) that is stored alongside the packaged chart.

  2. The Helm chart and its provenance file are then pushed to the OCI Container Registry (OCIR).

  3. Optionally, you can store the public half of the key pair in OCI Vault for use during verification.

  4. During deployment, when the OCI DevOps deployment pipeline pulls the Helm chart, it also downloads the chart’s provenance file.

  5. The deployment pipeline then uses the specified public key and the provenance file to verify that the Helm chart was signed by that key and has not been tampered with.

If a public key is specified when adding the Helm chart artifact, OCI DevOps verifies the chart before deploying it, and a chart that fails verification is not deployed. Verification is tied to that key: a Helm chart artifact added without a public key is deployed without any provenance check.

Helm chart dry runs and upgrades

The dry run for Helm stage deployments simulates a release to preview the changes that you’re proposing, so you can try before you apply. In the Oracle Cloud Console, select the Enable Dry Run check box in the Helm deploy stage to preview the changes in the Helm chart without applying the changes to the target cluster.

You can also now upgrade to a newer version of your Helm chart or change the configuration of your Helm release by passing arguments to the helm upgrade command during deployment.

Example Helm chart attestation troubleshooting

The same helm verify check that the pipeline relies on can be run locally against a chart and its .prov file. A successful verification reports the signer, the key fingerprint, and the chart hash that the provenance file binds to the chart:

$ helm verify --keyring ./public_key ./helm-chart-to-be-signed-0.1.0.tgz
   Signed by: helm_user <>
   Using Key With Fingerprint: 9E96FD82029B6B4F89A789689F0EE7A07AFDCD0E
   Chart Hash Verified: sha256:7463804cd71bd2620126ed1dbb649f4e9b852ec82f004ffb583ee890853b6a3e

If the provenance file was not published or pulled alongside the chart, verification fails because there is nothing to check the chart against:

$ helm verify --keyring ./public_key ./helm-chart-to-be-signed-0.1.0.tgz
   Error: could not load provenance file ./helm-chart-to-be-signed-0.1.0.tgz.prov: stat ./helm-chart-to-be-signed-0.1.0.tgz.prov: no such file or directory

If the keyring is not in binary OpenPGP format (for example, a public key exported with gpg --armor), Helm cannot parse it at all:

$ helm verify --keyring ./bad_public_key ./helm-chart-to-be-signed-0.1.0.tgz
   Error: failed to load keyring: openpgp: invalid data: tag byte does not have MSB set
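
The build-side and deploy-side steps from “How does Helm Attestation work?”, together with what the Chart Hash Verified line above actually checks, as an added example. This is not code from the OCI DevOps service or the Helm project. The key name, chart directory, OCIR repository path and release name are placeholders; the functions that call gpg and helm are meant to be run by hand on a machine with those tools and a signing key. The tarball and provenance stand-in built at the end are constructed so that the hash check can run offline without a key.

```shell
#!/bin/sh
# Added example, not code from the OCI DevOps service or the Helm project.
# Assumed placeholders: KEY_NAME, CHART_DIR, OCIR_REPO, RELEASE and the chart
# name "mychart". Needs GnuPG and Helm 3.8+ (which pushes and pulls the .prov
# file next to a chart stored in an OCI registry such as OCIR).
set -eu

KEY_NAME="helm_user"                                 # uid of the signing key
CHART_DIR="./mychart"                                # unpacked chart source
OCIR_REPO="oci://phx.ocir.io/mytenancy/helm-charts"  # <region>.ocir.io/<namespace>/<repo>
RELEASE="myapp"

# Build side, keys: Helm reads binary OpenPGP keyrings only. GnuPG 2.1+ no longer
# maintains secring.gpg, so export the private key into one, and export the
# public key WITHOUT --armor (an armored file fails with "tag byte does not
# have MSB set", as in the troubleshooting output above).
export_keyrings() {
  gpg --export-secret-keys "$KEY_NAME" > "$HOME/.gnupg/secring.gpg"
  gpg --export "$KEY_NAME" > ./pubring.gpg
}

# Build side, steps 1-2: package+sign writes mychart-0.1.0.tgz and
# mychart-0.1.0.tgz.prov; verify locally, then push (the .prov goes with it).
sign_and_push() {
  helm package --sign --key "$KEY_NAME" --keyring "$HOME/.gnupg/secring.gpg" "$CHART_DIR"
  helm verify --keyring ./pubring.gpg ./mychart-0.1.0.tgz
  helm push ./mychart-0.1.0.tgz "$OCIR_REPO"
}

# Deploy side, steps 4-5: --verify makes Helm fetch the .prov and refuse the
# chart unless signature and hash check out; --dry-run previews the release.
deploy_preview() {
  helm upgrade --install "$RELEASE" "$OCIR_REPO/mychart" --version 0.1.0 \
    --verify --keyring ./pubring.gpg --dry-run
}

# What "Chart Hash Verified" means: under the PGP signature, the .prov lists the
# chart by file name with its sha256. This repeats that single check with
# coreutils. It is NOT a substitute for checking the signature, which Helm does
# first; an attacker who can rewrite the .prov can rewrite the hash too.
sha256_of() {
  { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

prov_hash_for() {              # $1 = .prov path, $2 = chart file name
  awk -v f="$2:" '$1 == f { print $2; exit }' "$1"
}

chart_hash_matches() {         # $1 = chart path, $2 = .prov path; exit 0 on match
  base=$(basename "$1")
  expected=$(prov_hash_for "$2" "$base")
  if [ -z "$expected" ]; then
    echo "provenance does not contain a SHA for a file named $base" >&2; return 1
  fi
  actual="sha256:$(sha256_of "$1")"
  if [ "$expected" != "$actual" ]; then
    echo "sha256 sum does not match for $base: $expected != $actual" >&2; return 1
  fi
  echo "Chart Hash Verified: $actual"
}

# Constructed sample (not a real signed chart): a tiny chart tarball and an
# UNSIGNED stand-in for its .prov, so the hash check can run offline.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/demo"
printf 'apiVersion: v2\nname: demo\nversion: 0.1.0\n' > "$WORK/demo/Chart.yaml"
CHART="$WORK/demo-0.1.0.tgz"; PROV="$CHART.prov"
tar -czf "$CHART" -C "$WORK" demo
cat > "$PROV" <<EOF
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

apiVersion: v2
name: demo
version: 0.1.0

...
files:
  demo-0.1.0.tgz: sha256:$(sha256_of "$CHART")
-----BEGIN PGP SIGNATURE-----
(signature omitted in this constructed sample)
-----END PGP SIGNATURE-----
EOF

chart_hash_matches "$CHART" "$PROV"          # prints Chart Hash Verified: sha256:...
cp "$CHART" "$WORK/renamed-0.1.0.tgz"        # same bytes, different name: rejected
chart_hash_matches "$WORK/renamed-0.1.0.tgz" "$PROV" || echo "rejected as expected"
```

Two details matter in a pipeline. Helm looks the hash up by the chart’s file name, so a signed tarball that is renamed before verification is rejected even though its bytes are unchanged. And the hash check only means something after the signature over the provenance file has been verified against the trusted public key, which is why the key, not the .prov file, is what the deploy stage must be configured with.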

What is Helm

Helm is the package manager for Kubernetes, the most popular way to deploy apps to Kubernetes (K8s), and a graduated Cloud Native Computing Foundation (CNCF) project. Helm simplifies application deployment to Kubernetes with Helm charts, bringing infrastructure-as-code principles to Kubernetes and avoiding the manual processes that frequently lead to errors. By codifying and templating the configuration of a Kubernetes application, teams can version, share, and roll back to earlier configurations.

Helm charts are collections of templated YAML manifests, which Helm renders and submits as API calls to the Kubernetes API server. OCI DevOps uses the helm command and a Helm chart to deploy containers to an OKE (Oracle Container Engine for Kubernetes) cluster. For more information on how to upgrade a release to the newest version of a chart, see Helm Upgrade.

Learn more

To get started with OCI DevOps service in your Oracle Cloud Infrastructure account, use the automated Quick Start reference architecture to deploy and run a DevOps pipeline.

For more information, see the following resources:

Jonathan is a product manager in the Developer Services group, working on DevOps and creating a great developer experience on Oracle Cloud. Previously, Jonathan worked in a variety of engineering and product roles at adtech and marketing startups.

He studied history at the University of British Columbia where he also helped start a bike sharing co-op to improve the student experience!
