This document has information relevant to the maintainers of this repository.
End-user technical documentation should live within the charts themselves or in the gh-pages
branch.
Release automation signs Helm chart releases using a GPG key stored in a GitHub Actions secret.
Only repository administrators have permissions to update secrets.
Release automation uses the GPG_KEY_BASE64
secret to sign the packages.
The GPG_KEY_BASE64
is a base64 encoded GPG key.
It expires on 2023-03-30.
Grafana Labs employees may access the private key using the company 1password.
-
Write the contents of the
Loki Helm GPG Key
1password secret into a file. -
Import the key into a separate keyring.
$ gpg --no-default-keyring --keyring ~/.gnupg/helm-charts.gpg --import <PATH TO GPG KEY> gpg: key 7054A9559D3CFB0B: public key "Grafana Loki <loki-team@googlegroups.com>" imported gpg: key 7054A9559D3CFB0B: secret key imported gpg: Total number processed: 1 gpg: imported: 1 gpg: secret keys read: 1 gpg: secret keys unchanged: 1
-
Export the key into the format for Helm packaging tool
gpg --keyring ~/.gnupg/helm-charts.gpg --export-secret-keys >~/.gnupg/secring.gpg
-
Encode the key with BASE64 and place into clipboard
This instruction works best on Linux X11 desktop.
base64 ~/.gnupg/secring.gpg | xclip -selection clipboard -i
-
Set up a secret in github where the value is the content of the clipboard.
Grafana Labs employees can extend the expiry of the private key using the gpg
command line tool.
-
Write the contents of the
Loki Helm GPG Key
1password secret into a file. -
Import the key into a separate keyring.
$ gpg --no-default-keyring --keyring ~/.gnupg/helm-charts.gpg --import <PATH TO GPG KEY> gpg: key 7054A9559D3CFB0B: public key "Grafana Loki <loki-team@googlegroups.com>" imported gpg: key 7054A9559D3CFB0B: secret key imported gpg: Total number processed: 1 gpg: imported: 1 gpg: secret keys read: 1 gpg: secret keys unchanged: 1
-
Run the
gpg
interactive prompt to edit the 'Grafana Loki' key.$ gpg --no-default-keyring --keyring ~/.gnupg/helm-charts.gpg --edit-key 'Grafana Loki' gpg (GnuPG) 2.3.4; Copyright (C) 2021 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. sec rsa2048/7054A9559D3CFB0B created: 2020-03-29 expires: 2023-03-30 usage: SC trust: unknown validity: ultimate ssb rsa2048/4A6B2462555868C7 created: 2020-03-29 expires: 2023-03-30 usage: E [ultimate] (1). Grafana Loki <loki-team@googlegroups.com> gpg>
-
At the
gpg
interactive prompt, run theexpire
command and follow the prompt to extend expiry.gpg> expire Changing expiration time for the primary key. Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? <VALIDITY PERIOD>
-
At the
gpg
interactive prompt, select the subkey.gpg> key 1 sec rsa2048/7054A9559D3CFB0B created: 2020-03-29 expires: 2023-04-01 usage: SC trust: unknown validity: ultimate ssb* rsa2048/4A6B2462555868C7 created: 2020-03-29 expires: 2023-03-30 usage: E [ultimate] (1). Grafana Loki <loki-team@googlegroups.com>
-
At the
gpg
interactive prompt, and with the subkey selected, run theexpire
command and follow the prompt to extend expiry of the subkey.gpg> expire Changing expiration time for the primary key. Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? <VALIDITY PERIOD>
-
At the
gpg
interactive prompt, run thesave
command to save changes and quit the program.gpg> save
-
Base64 encode the keyring, placing the result into your clipboard.
$ base64 ~/.gnupg/helm-charts.gpg | xclip -selection clipboard -i
-
Update the
GPG_KEY_BASE64
GitHub Actions secret with the contents of your clipboard. -
Export the private key to your clipboard.
$ gpg --no-default-keyring --keyring ~/.gnupg/helm-charts.gpg --export-secret-key -a | xclip -selection clipboard -i
-
Update the
Loki Helm GPG Key
secret in 1password with the contents of your clipboard.