All the stuff for the web key

Signed-off-by: Martyn Ranyard <m@rtyn.berlin>
main
Martyn 2 years ago
parent 6f5b2f6298
commit 85f61bcc03

@ -0,0 +1,3 @@
FROM nginx:1-alpine
ADD .well-known /usr/share/nginx/html/.well-known

@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

@ -0,0 +1,5 @@
apiVersion: v1
appVersion: "1.0"
description: A Helm chart for Kubernetes
name: wkd4pgp
version: 0.1.0

@ -0,0 +1,21 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "wkd4pgp.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "wkd4pgp.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "wkd4pgp.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "wkd4pgp.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl port-forward $POD_NAME 8080:80
{{- end }}

@ -0,0 +1,56 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "wkd4pgp.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "wkd4pgp.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "wkd4pgp.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "wkd4pgp.labels" -}}
app.kubernetes.io/name: {{ include "wkd4pgp.name" . }}
helm.sh/chart: {{ include "wkd4pgp.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "wkd4pgp.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "wkd4pgp.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}

@ -0,0 +1,57 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "wkd4pgp.fullname" . }}
labels:
{{ include "wkd4pgp.labels" . | indent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "wkd4pgp.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ include "wkd4pgp.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "wkd4pgp.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: 80
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

@ -0,0 +1,41 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "wkd4pgp.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{ include "wkd4pgp.labels" . | indent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ . }}
backend:
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}

@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "wkd4pgp.fullname" . }}
labels:
{{ include "wkd4pgp.labels" . | indent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: {{ include "wkd4pgp.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}

@ -0,0 +1,8 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "wkd4pgp.serviceAccountName" . }}
labels:
{{ include "wkd4pgp.labels" . | indent 4 }}
{{- end -}}

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "wkd4pgp.fullname" . }}-test-connection"
labels:
{{ include "wkd4pgp.labels" . | indent 4 }}
annotations:
"helm.sh/hook": test-success
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "wkd4pgp.fullname" . }}:{{ .Values.service.port }}']
restartPolicy: Never

@ -0,0 +1,74 @@
# Default values for wkd4pgp.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
repository: imartyn/wkd4pgp
tag: 0.1
pullPolicy: IfNotPresent
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name:
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 80
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-origin: "*"
hosts:
- host: rtyn.berlin
paths:
- /.well-known/openpgpkey/
- host: openpgpkey.rtyn.berlin
paths:
- /.well-known/openpgpkey/
tls:
- secretName: chart-example-tls
hosts:
- rtyn.berlin
- openpgpkey.rtyn.berlin
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}

@ -0,0 +1,146 @@
#!/usr/bin/python3
#
# generate-openpgpkey-hu-3
# Copyright 2017, W. Martin Borgert <debacle@debian.org>
# License: GPL-3+
#
# This script has the same purpose as generate-openpgpkey-hu by Thomas
# Arendsen Hein and Andre Heinecke of Intevation GmbH, but:
# - is Python 3 instead of Python 2
# - uses python-gnupg instead of python-pyme (removed from Debian)
# - is licensed GPL-3+ (like GnuPG) or later instead of GPL-2+
# - uses encode_zbase32 function by Tocho Tochev
# - is PEP8 clean :~)
import argparse
import email.utils
import functools
import hashlib
import itertools
import logging
import os
import sys
try:
import gnupg
except ImportError:
gnupg = None
def getargs():
ap = argparse.ArgumentParser(
description='generate contents of https://.../.well-known/openpgpkey/'
+ 'hu/ for OpenPGP Web Key Directory (WKD) from GnuPG keyring',
formatter_class=argparse.ArgumentDefaultsHelpFormatter)
ap.add_argument('-a', '--address', action='append',
help='specific email address, more than one possible')
ap.add_argument('-d', '--debug', action='store_true',
help='print debug output')
ap.add_argument('-e', '--exist-ok', action='store_true',
help='accept, if target directory already exists')
ap.add_argument('-k', '--keyring',
help='keyring to parse (or use default GnuPG keyring)')
ap.add_argument('-m', '--mail-domain',
help='mail domain to filter keys')
ap.add_argument('-o', '--output-dir', default="hu",
help='directory to write keys')
ap.add_argument('-x', '--include-expired', action='store_true',
help='include expired keys')
return ap.parse_args()
# Source: https://gist.githubusercontent.com/tochev/99f19d9ce062f1c7e203
# /raw/0077ec38adc350e0fd1207e6a525de482b40df7e/zbase32.py
# Copyright: Tocho Tochev <tocho AT tochev DOT net>
# Licence: MIT
# See http://philzimmermann.com/docs/human-oriented-base-32-encoding.txt
def encode_zbase32(bs):
"""
Encode bytes bs using zbase32 encoding.
Returns: bytearray
>>> encode_zbase32(b'\\xd4z\\x04') == b'4t7ye'
True
"""
ALPTHABET = b"ybndrfg8ejkmcpqxot1uwisza345h769"
result = bytearray()
for word in itertools.zip_longest(*([iter(bs)] * 5)):
padding_count = word.count(None)
n = functools.reduce(lambda x, y: (x << 8) + (y or 0), word, 0)
for i in range(0, (40 - 8 * padding_count), 5):
result.append(ALPTHABET[(n >> (35 - i)) & 0x1F])
return result
def localpart2zbase32(s):
"""transforms local part to lower case, SHA1s it, and encodes zbase32
See https://tools.ietf.org/id/draft-koch-openpgp-webkey-service-01.html
>>> localpart2zbase32('Joe.Doe')
'iy9q119eutrkn8s1mk4r39qejnbu3n5q'
"""
return encode_zbase32(
hashlib.sha1(s.lower().encode("utf-8")).digest()).decode("utf-8")
class HU:
def __init__(self, debug, keyring, output_dir):
try:
os.makedirs(output_dir, exist_ok=args.exist_ok)
except FileExistsError:
print("Output directory " + output_dir
+ " already exists, exiting!", file=sys.stderr)
sys.exit(1)
if debug:
gnupg.logger.setLevel(logging.DEBUG)
gnupg.logger.addHandler(logging.StreamHandler())
self.debug = debug
self.gpg = gnupg.GPG(gpgbinary="/usr/bin/gpg2",keyring=keyring)
self.output_dir = output_dir
def get_fps(self, mail_domain, include_expired, addresses):
"""return dict of localpart: fingerprint"""
fps = {}
for key in self.gpg.list_keys():
for uid in key.get('uids', []):
addr = email.utils.parseaddr(uid)[1]
if '@' not in addr:
continue
local, domain = addr.split("@", 1)
# trust: 'd' = disabled, 'e' = expired, 'r' = revoked
if mail_domain and domain.lower() != mail_domain.lower() \
or key['trust'] in ['d', 'r'] \
or not include_expired and key['trust'] == 'e' \
or addresses and addr not in addresses:
continue
if local in fps and fps[local] != key['fingerprint']:
print("Multiple options for %s! None used." % local,
file=sys.stderr)
del fps[local]
else:
fps[local] = key['fingerprint']
return fps
def write_keys(self, fps):
for local, fingerprint in fps.items():
with open(os.path.join(self.output_dir,
localpart2zbase32(local)), "wb") as f:
f.write(self.gpg.export_keys(fingerprint, armor=False))
print("Wrote %d keys to directory '%s'" % (len(fps), self.output_dir))
if __name__ == "__main__":
args = getargs()
if gnupg is None:
print("Please 'apt install python3-gnupg'!", file=sys.stderr)
sys.exit(1)
hu = HU(args.debug, args.keyring, args.output_dir)
fps = hu.get_fps(args.mail_domain, args.include_expired, args.address)
hu.write_keys(fps)
Loading…
Cancel
Save