All the stuff for the web key

Signed-off-by: Martyn Ranyard <m@rtyn.berlin>

.well-known/openpgpkey/rtyn.berlin/hu

@@ -0,0 +1 @@
+../hu

Dockerfile

@@ -0,0 +1,3 @@
+FROM nginx:1-alpine 
+
+ADD .well-known /usr/share/nginx/html/.well-known

deploy/wkd4pgp/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

deploy/wkd4pgp/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for Kubernetes
+name: wkd4pgp
+version: 0.1.0

deploy/wkd4pgp/templates/NOTES.txt

@@ -0,0 +1,21 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "wkd4pgp.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "wkd4pgp.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "wkd4pgp.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "wkd4pgp.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl port-forward $POD_NAME 8080:80
+{{- end }}

deploy/wkd4pgp/templates/_helpers.tpl

@@ -0,0 +1,56 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "wkd4pgp.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "wkd4pgp.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "wkd4pgp.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "wkd4pgp.labels" -}}
+app.kubernetes.io/name: {{ include "wkd4pgp.name" . }}
+helm.sh/chart: {{ include "wkd4pgp.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "wkd4pgp.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "wkd4pgp.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}

deploy/wkd4pgp/templates/deployment.yaml

@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "wkd4pgp.fullname" . }}
+  labels:
+{{ include "wkd4pgp.labels" . | indent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "wkd4pgp.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "wkd4pgp.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+    {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      serviceAccountName: {{ template "wkd4pgp.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}

deploy/wkd4pgp/templates/ingress.yaml

@@ -0,0 +1,41 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "wkd4pgp.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+{{ include "wkd4pgp.labels" . | indent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+{{- if .Values.ingress.tls }}
+  tls:
+  {{- range .Values.ingress.tls }}
+    - hosts:
+      {{- range .hosts }}
+        - {{ . | quote }}
+      {{- end }}
+      secretName: {{ .secretName }}
+  {{- end }}
+{{- end }}
+  rules:
+  {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+        {{- range .paths }}
+          - path: {{ . }}
+            backend:
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+        {{- end }}
+  {{- end }}
+{{- end }}

deploy/wkd4pgp/templates/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "wkd4pgp.fullname" . }}
+  labels:
+{{ include "wkd4pgp.labels" . | indent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: {{ include "wkd4pgp.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}

deploy/wkd4pgp/templates/serviceaccount.yaml

@@ -0,0 +1,8 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "wkd4pgp.serviceAccountName" . }}
+  labels:
+{{ include "wkd4pgp.labels" . | indent 4 }}
+{{- end -}}

deploy/wkd4pgp/templates/tests/test-connection.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "wkd4pgp.fullname" . }}-test-connection"
+  labels:
+{{ include "wkd4pgp.labels" . | indent 4 }}
+  annotations:
+    "helm.sh/hook": test-success
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args:  ['{{ include "wkd4pgp.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never

deploy/wkd4pgp/values.yaml

@@ -0,0 +1,74 @@
+# Default values for wkd4pgp.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: imartyn/wkd4pgp
+  tag: 0.1
+  pullPolicy: IfNotPresent
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 80
+
+ingress:
+  enabled: true
+  annotations: 
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/cors-allow-origin: "*"
+  hosts:
+    - host: rtyn.berlin
+      paths: 
+      - /.well-known/openpgpkey/
+    - host: openpgpkey.rtyn.berlin
+      paths:
+      - /.well-known/openpgpkey/
+
+  tls:
+  - secretName: chart-example-tls
+    hosts:
+    - rtyn.berlin
+    - openpgpkey.rtyn.berlin
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}

generate-openpgpkey-hu-3

@@ -0,0 +1,146 @@
+#!/usr/bin/python3
+#
+# generate-openpgpkey-hu-3
+# Copyright 2017, W. Martin Borgert <debacle@debian.org>
+# License: GPL-3+
+#
+# This script has the same purpose as generate-openpgpkey-hu by Thomas
+# Arendsen Hein and Andre Heinecke of Intevation GmbH, but:
+#  - is Python 3 instead of Python 2
+#  - uses python-gnupg instead of python-pyme (removed from Debian)
+#  - is licensed GPL-3+ (like GnuPG) or later instead of GPL-2+
+#  - uses encode_zbase32 function by Tocho Tochev
+#  - is PEP8 clean :~)
+
+import argparse
+import email.utils
+import functools
+import hashlib
+import itertools
+import logging
+import os
+import sys
+
+try:
+    import gnupg
+except ImportError:
+    gnupg = None
+
+
+def getargs():
+    ap = argparse.ArgumentParser(
+        description='generate contents of https://.../.well-known/openpgpkey/'
+        + 'hu/ for OpenPGP Web Key Directory (WKD) from GnuPG keyring',
+        formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+    ap.add_argument('-a', '--address', action='append',
+                    help='specific email address, more than one possible')
+    ap.add_argument('-d', '--debug', action='store_true',
+                    help='print debug output')
+    ap.add_argument('-e', '--exist-ok', action='store_true',
+                    help='accept, if target directory already exists')
+    ap.add_argument('-k', '--keyring',
+                    help='keyring to parse (or use default GnuPG keyring)')
+    ap.add_argument('-m', '--mail-domain',
+                    help='mail domain to filter keys')
+    ap.add_argument('-o', '--output-dir', default="hu",
+                    help='directory to write keys')
+    ap.add_argument('-x', '--include-expired', action='store_true',
+                    help='include expired keys')
+    return ap.parse_args()
+
+
+# Source: https://gist.githubusercontent.com/tochev/99f19d9ce062f1c7e203
+# /raw/0077ec38adc350e0fd1207e6a525de482b40df7e/zbase32.py
+# Copyright: Tocho Tochev <tocho AT tochev DOT net>
+# Licence: MIT
+# See http://philzimmermann.com/docs/human-oriented-base-32-encoding.txt
+def encode_zbase32(bs):
+    """
+    Encode bytes bs using zbase32 encoding.
+    Returns: bytearray
+
+    >>> encode_zbase32(b'\\xd4z\\x04') == b'4t7ye'
+    True
+    """
+    ALPTHABET = b"ybndrfg8ejkmcpqxot1uwisza345h769"
+    result = bytearray()
+    for word in itertools.zip_longest(*([iter(bs)] * 5)):
+        padding_count = word.count(None)
+        n = functools.reduce(lambda x, y: (x << 8) + (y or 0), word, 0)
+        for i in range(0, (40 - 8 * padding_count), 5):
+            result.append(ALPTHABET[(n >> (35 - i)) & 0x1F])
+    return result
+
+
+def localpart2zbase32(s):
+    """transforms local part to lower case, SHA1s it, and encodes zbase32
+
+    See https://tools.ietf.org/id/draft-koch-openpgp-webkey-service-01.html
+
+    >>> localpart2zbase32('Joe.Doe')
+    'iy9q119eutrkn8s1mk4r39qejnbu3n5q'
+    """
+    return encode_zbase32(
+        hashlib.sha1(s.lower().encode("utf-8")).digest()).decode("utf-8")
+
+
+class HU:
+    def __init__(self, debug, keyring, output_dir):
+        try:
+            os.makedirs(output_dir, exist_ok=args.exist_ok)
+        except FileExistsError:
+            print("Output directory " + output_dir
+                  + " already exists, exiting!", file=sys.stderr)
+            sys.exit(1)
+
+        if debug:
+            gnupg.logger.setLevel(logging.DEBUG)
+            gnupg.logger.addHandler(logging.StreamHandler())
+
+        self.debug = debug
+        self.gpg = gnupg.GPG(gpgbinary="/usr/bin/gpg2",keyring=keyring)
+        self.output_dir = output_dir
+
+    def get_fps(self, mail_domain, include_expired, addresses):
+        """return dict of localpart: fingerprint"""
+        fps = {}
+
+        for key in self.gpg.list_keys():
+            for uid in key.get('uids', []):
+                addr = email.utils.parseaddr(uid)[1]
+                if '@' not in addr:
+                    continue
+                local, domain = addr.split("@", 1)
+                # trust: 'd' = disabled, 'e' = expired, 'r' = revoked
+                if mail_domain and domain.lower() != mail_domain.lower() \
+                        or key['trust'] in ['d', 'r'] \
+                        or not include_expired and key['trust'] == 'e' \
+                        or addresses and addr not in addresses:
+                    continue
+                if local in fps and fps[local] != key['fingerprint']:
+                    print("Multiple options for %s! None used." % local,
+                          file=sys.stderr)
+                    del fps[local]
+                else:
+                    fps[local] = key['fingerprint']
+
+        return fps
+
+    def write_keys(self, fps):
+        for local, fingerprint in fps.items():
+            with open(os.path.join(self.output_dir,
+                                   localpart2zbase32(local)), "wb") as f:
+                f.write(self.gpg.export_keys(fingerprint, armor=False))
+        print("Wrote %d keys to directory '%s'" % (len(fps), self.output_dir))
+
+
+if __name__ == "__main__":
+    args = getargs()
+
+    if gnupg is None:
+        print("Please 'apt install python3-gnupg'!", file=sys.stderr)
+        sys.exit(1)
+
+    hu = HU(args.debug, args.keyring, args.output_dir)
+    fps = hu.get_fps(args.mail_domain, args.include_expired, args.address)
+    hu.write_keys(fps)