Sign helm package with GPG. (#1864)

* Sign helm package with GPG.

Also add GPG to the build image and fixes dlv not pinned (this was causing issue using latest 1.4).

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>

* Regen drone config.

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>

* Testing CI.

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>

* Test CI.

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>

* Include .prov files for charts.

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>

* Revert testing changes.

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>

* Add public GPG key for verifying helm charts.

Signed-off-by: Cyril Tovena <cyril.tovena@gmail.com>

.circleci/config.yml

@@ -1,7 +1,7 @@
 version: 2
 
 .tags: &tags # tags need to be explicitely defined (whitelist)
-  tags: {only: "/.*/"}
+  tags: { only: "/.*/" }
 
 .only-tags: &only-tags
   <<: *tags
@@ -11,7 +11,8 @@ version: 2
   branches: { only: master }
   <<: *tags
 
-.no-master: &no-master # contrary to tags, the branches must be excluded (blacklist)
+.no-master:
+  &no-master # contrary to tags, the branches must be excluded (blacklist)
   branches: { ignore: master }
 
 workflows:
@@ -20,34 +21,33 @@ workflows:
     jobs:
       # publish jobs depend on this as well,
       # thus tags need to be allowed for these
-      - test: {filters: {<<: *tags}}
+      - test: { filters: { <<: *tags } }
 
       - build/promtail-windows:
-          requires: [ test ]
+          requires: [test]
 
       - build/docker-driver:
-          requires: [ test ]
-          filters: {<<: *no-master}
+          requires: [test]
+          filters: { <<: *no-master }
       - publish/docker-driver:
-          requires: [ test ]
+          requires: [test]
           filters: { <<: *tag-or-master }
 
       - publish/binaries:
-          requires: [ test ]
+          requires: [test]
           filters: { <<: *only-tags }
 
       - test-helm:
-          requires: [ test ]
-          filters: {<<: *tags}
+          requires: [test]
+          filters: { <<: *tags }
       - publish-helm:
-          requires: [ test-helm ]
-          filters: {<<: *tag-or-master}
-
+          requires: [test-helm]
+          filters: { <<: *tag-or-master }
 
 # https://circleci.com/blog/circleci-hacks-reuse-yaml-in-your-circleci-config-with-yaml/
 .defaults: &defaults
   docker:
-    - image: grafana/loki-build-image:0.9.1
+    - image: grafana/loki-build-image:0.9.2
   working_directory: /src/loki
 
 jobs:
@@ -146,4 +146,10 @@ jobs:
           fingerprints:
             - "5a:d3:08:5e:f7:53:a0:c4:e9:5d:83:c6:02:6a:d9:bd"
       - checkout
-      - run: make helm-publish
+      - run:
+          name: import GPG key
+          command: echo -e "$GPG_KEY" | gpg --import
+      - run:
+          name: export  GPG key
+          command: gpg --export-secret-key loki-team@googlegroups.com  > ~/.gnupg/secring.gpg
+      - run: PACKAGE_ARGS='--sign --key "Grafana Loki" --keyring ~/.gnupg/secring.gpg' make helm-publish

.drone/drone.yml

@@ -12,28 +12,28 @@ workspace:
 
 steps:
 - name: test
-  image: grafana/loki-build-image:0.9.1
+  image: grafana/loki-build-image:0.9.2
   commands:
   - make BUILD_IN_CONTAINER=false test
   depends_on:
   - clone
 
 - name: lint
-  image: grafana/loki-build-image:0.9.1
+  image: grafana/loki-build-image:0.9.2
   commands:
   - make BUILD_IN_CONTAINER=false lint
   depends_on:
   - clone
 
 - name: check-generated-files
-  image: grafana/loki-build-image:0.9.1
+  image: grafana/loki-build-image:0.9.2
   commands:
   - make BUILD_IN_CONTAINER=false check-generated-files
   depends_on:
   - clone
 
 - name: check-mod
-  image: grafana/loki-build-image:0.9.1
+  image: grafana/loki-build-image:0.9.2
   commands:
   - make BUILD_IN_CONTAINER=false check-mod
   depends_on:
@@ -561,7 +561,7 @@ platform:
 
 steps:
 - name: trigger
-  image: grafana/loki-build-image:0.9.1
+  image: grafana/loki-build-image:0.9.2
   commands:
   - ./tools/deploy.sh
   environment:
@@ -588,7 +588,7 @@ platform:
 
 steps:
 - name: trigger
-  image: grafana/loki-build-image:0.9.1
+  image: grafana/loki-build-image:0.9.2
   commands:
   - go run ./tools/delete_tags.go -max-age=2160h -repo grafana/loki -delete
   - go run ./tools/delete_tags.go -max-age=2160h -repo grafana/promtail -delete

Makefile

@@ -38,7 +38,7 @@ IMAGE_NAMES := $(foreach dir,$(DOCKER_IMAGE_DIRS),$(patsubst %,$(IMAGE_PREFIX)%,
 # make BUILD_IN_CONTAINER=false target
 # or you can override this with an environment variable
 BUILD_IN_CONTAINER ?= true
-BUILD_IMAGE_VERSION := 0.9.1
+BUILD_IMAGE_VERSION := 0.9.2
 
 # Docker image info
 IMAGE_PREFIX ?= grafana
@@ -319,14 +319,15 @@ endif
 
 CHARTS := production/helm/loki production/helm/promtail production/helm/fluent-bit production/helm/loki-stack
 
+helm: PACKAGE_ARGS ?=
 helm:
 	-rm -f production/helm/*/requirements.lock
 	@set -e; \
 	helm init -c; \
 	for chart in $(CHARTS); do \
 		helm dependency build $$chart; \
 		helm lint $$chart; \
-		helm package $$chart; \
+		helm package $(PACKAGE_ARGS) $$chart; \
 	done
 	rm -f production/helm/*/requirements.lock
 
@@ -349,7 +350,7 @@ helm-publish: helm
 	git config user.name "${CIRCLE_USERNAME}"
 	git checkout gh-pages || (git checkout --orphan gh-pages && git rm -rf . > /dev/null)
 	mkdir -p charts
-	mv *.tgz index.md charts/
+	mv *.tgz *.tgz.prov index.md charts/
 	helm repo index charts/
 	git add charts/
 	git commit -m "[skip ci] Publishing helm charts: ${CIRCLE_SHA1}"

loki-build-image/Dockerfile

@@ -23,10 +23,10 @@ RUN GO111MODULE=on go get github.com/drone/drone-cli/drone@1fad337d74ca0ecf42099
 FROM golang:1.13.4-stretch
 RUN apt-get update && \
     apt-get install -qy \
-      musl \
-      file zip unzip jq gettext\
-      protobuf-compiler libprotobuf-dev \
-      libsystemd-dev && \
+    musl gnupg \
+    file zip unzip jq gettext\
+    protobuf-compiler libprotobuf-dev \
+    libsystemd-dev && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 COPY --from=docker /usr/bin/docker /usr/bin/docker
@@ -43,7 +43,7 @@ RUN GO111MODULE=on go get \
     github.com/golang/protobuf/protoc-gen-go@v1.3.0 \
     github.com/gogo/protobuf/protoc-gen-gogoslick@v1.2.1 \
     github.com/gogo/protobuf/gogoproto@v1.2.1 \
-    github.com/go-delve/delve/cmd/dlv \
+    github.com/go-delve/delve/cmd/dlv@v1.3.2 \
     # Due to the lack of a proper release tag, we use the commit hash of
     # https://github.com/golang/tools/releases v0.1.7
     golang.org/x/tools/cmd/goyacc@58d531046acdc757f177387bc1725bfa79895d69 \

production/helm/public.pgp

@@ -0,0 +1,31 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBF5/50EBCAC3Pab5BojOdLJT+6aJmfWF3HbVbI4l/TOIxMdvI8jneCA+wBX7
+Pp3x4LoSUWX968fX4Mfqyf/fqgHxQltzm5S+MCakROnVkmy5ecsbm61plcvGA1uU
+PiYtsWccXvq+cO22onNieSTV7z/330jAFwOGYRrT/utIVmEOefD64uQx6YXhglEU
+PmE2N6OVdajd8mlfKStaq/ef1NCwnax4EgWXBnVMrRfouZX//ouguYOyDaQ7IqcG
+kFvEaSVqF5hYyVR2Ot+C7hH4/JNy2q6cf6J2N2JS8PE9aMkc7W6VE7BDi0CTweQ4
+0ejK7Y8oRUrKNZH/fsJK5SpqW8kai0NBKDPDABEBAAG0KUdyYWZhbmEgTG9raSA8
+bG9raS10ZWFtQGdvb2dsZWdyb3Vwcy5jb20+iQFUBBMBCAA+FiEEZzewM0g2wzSd
+/y3UcFSpVZ08+wsFAl5/50ECGwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgEC
+F4AACgkQcFSpVZ08+wudGAf+OU26FHzudVMd4uMWHlQZGSCAGQWriGeFntYke1Ri
+str5cjJo78kLYcMKUXfHGrILBEpO7WYr/VEPMxnKNkW8qC9sV/W+Gz+OpEZ7Zuli
+3Y9vRI44kJ18Wo7vDryucy9WLR99GmHn0W7C/PMpuXa8P+X5jEQUs5WAm8Rkd3vC
+gS0niAf/k3AwWSPxJV+VEy/rAqSuA61tiPiTXOhaD3OpfsCgCigT4epqr/YBLuYF
+K728443pJZbxf1TrT8sBacPPg7KK9UkuafZapC/cQ4+0b8/o4CSbPiOPRbysKYmP
+9nwg36lFlR0VSI9y68H6KPHe0dTjfgZISUD7QU1okdTVQbkBDQRef+dBAQgA8+h8
+GneZ6QjLrDSVDndNkukP7q0d2abiSx4hzA65mr6lwfGwg20jHKPeYbuYt0n7wUg8
+e3cIkbN2b/CKojgAesLQMHo/TmH0blY3VWoI6WWyTioOWPII9qc4cKnKZGjA8fG1
+CBse3ZNUbHDtvJP/qBbQd4j6waEjIwODaTCwpWGboKDG0o7Zoemx+YwGN7678g1B
+E1f8ckwL1FoHZ8ID+bNsBBEUYO+Iup/gcdhZUVsJ1TdTmDfYdpDNMeQ7fyeRyl6O
+kUk+Za/ieJhc6Tv+EdPbXmWiTcQDCwiCb7lrQOqcv68q8zcRRjRaqF03dUz8onOl
+dhUUqWpIxGdh1+gXTQARAQABiQE8BBgBCAAmFiEEZzewM0g2wzSd/y3UcFSpVZ08
++wsFAl5/50ECGwwFCQPCZwAACgkQcFSpVZ08+wssFwgAobGpA0FgW+uJ7N05q9lm
+WB4ohlUnPSCUaxvzeLxxDPdw0xlxr5rMDwqD9Zvg546fzVx0xxbHka+l/toIV1oI
+yQEPIQSPWNUxt5AYfgi/+uhX1qHhFzFU+ebvwWCxxwCM7WBmItswoAFkPfwFbbu9
+7L3HUaRWZbXneaYfPCrg+mv/20r8BGXD8TMTBmkKPwHqmfO1XhwWFEvRRNeYWUMe
+GzLqvocxJoZWulgemrdTj4QNIb9HY+UhZuMxkRk3Lvz34dURK4bg86V/KgR3h0Y5
+wWovQyy1DnH+QryT//MT8lMfbD19bjfsuEwRTCEvEWUptg0Y9EfYNe8cHQADTBHE
+Hg==
+=pugM
+-----END PGP PUBLIC KEY BLOCK-----