From 5333fe986e4eebb7fcbad88d897d31b94f301b9e Mon Sep 17 00:00:00 2001
From: Akash Singhal
Date: Thu, 4 Jan 2024 15:05:11 -0800
Subject: [PATCH] ci: add dev helm chart publishing workflow (#1209)
---
 .github/workflows/publish-dev-assets.yml | 90 ++++++++++++++++++++++++
 .github/workflows/publish-package.yml | 10 ---
 CONTRIBUTING.md | 14 +++-
 RELEASES.md | 6 +-
 dev.helmfile.yaml | 15 ++--
 dev.high-availability.helmfile.yaml | 38 +++++++---
 6 files changed, 139 insertions(+), 34 deletions(-)
 create mode 100644 .github/workflows/publish-dev-assets.yml
diff --git a/.github/workflows/publish-dev-assets.yml b/.github/workflows/publish-dev-assets.yml
new file mode 100644
index 000000000..0eb6dc6e5
--- /dev/null
+++ b/.github/workflows/publish-dev-assets.yml
@@ -0,0 +1,90 @@
+name: publish-dev-assets
+
+on:
+ schedule:
+ - cron: '30 8 * * 0' # early morning (08:30 UTC) every Sunday
+ workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ contents: read
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ - name: prepare
+ id: prepare
+ run: |
+ DATE=$(date +'%Y%m%d')
+ COMMIT=${{ github.sha }}
+ REPOSITORY=ghcr.io/${{ github.repository }}
+ CHART_REPOSITORY=${REPOSITORY}-chart-dev
+ VERSION=dev.${DATE}.${COMMIT:0:7}
+ SEM_VERSION=0-${VERSION}
+ SEM_VERSION_ROLLING=0-dev
+ REPOSITORY_PLUGINS=${REPOSITORY}-dev
+ REPOSITORYBASE=${REPOSITORY}-base-dev
+ REPOSITORYCRD=${REPOSITORY}-crds-dev
+ echo ::set-output name=version::${VERSION}
+ echo ::set-output name=semversion::${SEM_VERSION}
+ echo ::set-output name=semversionrolling::${SEM_VERSION_ROLLING}
+ echo ::set-output name=chartrepo::${CHART_REPOSITORY}
+ echo ::set-output name=ref::${REPOSITORY_PLUGINS}
+ echo ::set-output name=baseref::${REPOSITORYBASE}
+ echo ::set-output name=crdref::${REPOSITORYCRD}
+ - name: docker login
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: docker build ratify-crds
+ run: |
+ docker buildx create --use
+ docker buildx build --build-arg KUBE_VERSION="1.27.7" -f crd.Dockerfile --platform linux/amd64,linux/arm64,linux/arm/v7 --label org.opencontainers.image.revision=${{ github.sha }} -t ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} -t ${{ steps.prepare.outputs.crdref }} --push ./charts/ratify/crds
+ - name: docker build ratify base
+ run: |
+ docker buildx create --use
+ docker buildx build -f ./httpserver/Dockerfile \
+ --platform linux/amd64,linux/arm64,linux/arm/v7 \
+ --build-arg LDFLAGS="-X github.com/deislabs/ratify/internal/version.Version=$(TAG)" \
+ --label org.opencontainers.image.revision=${{ github.sha }} \
+ -t ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }} \
+ -t ${{ steps.prepare.outputs.baseref }} \
+ --push .
+ - name: docker build ratify with plugin
+ run: |
+ docker buildx create --use
+ docker buildx build -f ./httpserver/Dockerfile \
+ --platform linux/amd64,linux/arm64,linux/arm/v7 \
+ --build-arg build_cosign=true \
+ --build-arg build_sbom=true \
+ --build-arg build_licensechecker=true \
+ --build-arg build_schemavalidator=true \
+ --build-arg build_vulnerabilityreport=true \
+ --build-arg LDFLAGS="-X github.com/deislabs/ratify/internal/version.Version=$(TAG)" \
+ --label org.opencontainers.image.revision=${{ github.sha }} \
+ -t ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }} \
+ -t ${{ steps.prepare.outputs.ref }} \
+ --push .
+ - name: replace version
+ run: |
+ sed -i '/^ repository:/c\ repository: ghcr.io/deislabs/ratify-dev' charts/ratify/values.yaml
+ sed -i '/^ crdRepository:/c\ crdRepository: ghcr.io/deislabs/ratify-crds-dev' charts/ratify/values.yaml
+ sed -i '/^ tag:/c\ tag: ${{ steps.prepare.outputs.version }}' charts/ratify/values.yaml
+ - name: helm package
+ run: |
+ helm package ./charts/ratify --version ${{ steps.prepare.outputs.semversion }}
+ helm package ./charts/ratify --version ${{ steps.prepare.outputs.semversionrolling }}
+ - name: helm push
+ run: |
+ helm push ratify-${{ steps.prepare.outputs.semversion }}.tgz oci://${{ steps.prepare.outputs.chartrepo }}
+ helm push ratify-${{ steps.prepare.outputs.semversionrolling }}.tgz oci://${{ steps.prepare.outputs.chartrepo }}
+ - name: clear
+ if: always()
+ run: |
+ rm -f ${HOME}/.docker/config.json
diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
index fce88de45..deb9664f7 100644
--- a/.github/workflows/publish-package.yml
+++ b/.github/workflows/publish-package.yml
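Review bot: `--build-arg LDFLAGS="-X github.com/deislabs/ratify/internal/version.Version=$(TAG)"` in both the `docker build ratify base` and `docker build ratify with plugin` steps reads like Makefile syntax pasted into a shell `run:` block: bash evaluates `$(TAG)` as a command substitution, there is no `TAG` command on the runner, and the dev images are built with an empty embedded version (the `TAG: command not found` goes to stderr only, so the step still passes). The `prepare` step already computes the value, so this should be `...version.Version=${{ steps.prepare.outputs.version }}`. Two smaller points in the same file: `prepare` emits its outputs with `echo ::set-output`, which GitHub has deprecated in favour of `echo "version=${VERSION}" >> "$GITHUB_OUTPUT"` (one line per output), and `replace version` hard-codes `ghcr.io/deislabs/ratify-dev` / `ratify-crds-dev` instead of using `${{ steps.prepare.outputs.ref }}` / `crdref`, so a fork running this workflow publishes a chart pointing at upstream's dev images rather than the ones it just pushed.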
@@ -4,8 +4,6 @@ on:
 push:
 tags:
 - v*
- schedule:
- - cron: '30 8 * * 0' # early morning (08:30 UTC) every Sunday
 workflow_dispatch:

 permissions: read-all
@@ -24,20 +22,12 @@ jobs:
 run: |
 VERSION=${GITHUB_REF#refs/*/}
 BRANCH_NAME=${GITHUB_REF#refs/heads/}
- DATE=$(date +'%Y%m%d')
- COMMIT=${{ github.sha }}
 REPOSITORY=ghcr.io/${{ github.repository }}
 REPOSITORYBASE=ghcr.io/${{ github.repository }}-base
 REPOSITORYCRD=ghcr.io/${{ github.repository }}-crds
 if [[ "${VERSION}" == "${BRANCH_NAME}" ]]; then
 VERSION=$(git rev-parse --short HEAD)
 fi
- if [[ "${{ github.event_name }}" == "workflow_dispatch" || "${{ github.event_name }}" == "schedule" ]]; then
- VERSION=dev.${DATE}.${COMMIT:0:7}
- REPOSITORY=${REPOSITORY}-dev
- REPOSITORYBASE=${REPOSITORYBASE}-dev
- REPOSITORYCRD=${REPOSITORYCRD}-dev
- fi
 echo ::set-output name=version::${VERSION}
 echo ::set-output name=ref::${REPOSITORY}:${VERSION}
 echo ::set-output name=baseref::${REPOSITORYBASE}:${VERSION}
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 41cbfd183..a64269cce 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -155,8 +155,14 @@ docker push ${REGISTRY}/deislabs/ratify:yourtag
 docker push ${REGISTRY}/localbuildcrd:yourtag
 ```

-### Deploy using Dev Helmfile
 #### Update dev.helmfile.yaml
+Replace Ratify `chart` and `version` with local values:
+```yaml
+...
+chart: chart/ratify
+version: # ATTENTION: Needs to match latest in Chart.yaml
+...
+```
 Replace `repository`, `crdRepository`, and `tag` with previously built images:
 ```yaml
 - name: image.repository
@@ -167,9 +173,13 @@ Replace `repository`, `crdRepository`, and `tag` with previously built images:
 value:
 ```

+### Deploy using Dev Helmfile
+
+Development charts + images are published weekly and latest versions are tagged with rolling tags referenced in dev helmfile.
+
 Deploy to cluster:
 ```bash
-helmfile sync -f dev.helmfile.yaml
+helmfile sync -f git::https://github.com/deislabs/ratify.git@dev.helmfile.yaml
 ```

 ### Deploy from local helm chart
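Review bot: With the `schedule`/`workflow_dispatch` branch deleted from the `prepare` step, a manual `workflow_dispatch` run (the trigger survives in the first hunk) now resolves `VERSION` to the short commit SHA and keeps `REPOSITORY` at the production `ghcr.io/${{ github.repository }}` path, so if the push steps below this hunk are unchanged a manual run from any branch publishes an unreleased build into the release packages under a bare SHA tag, where it was previously routed to the `-dev` packages. Now that dev builds have their own workflow, either drop `workflow_dispatch:` from `on:` here or gate the publish job with `if: startsWith(github.ref, 'refs/tags/v')` so only tag pushes can reach the release registry path. The remainder of the `prepare` step and the publish steps lie outside the hunk.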
diff --git a/RELEASES.md b/RELEASES.md
index 6b8f2bd2c..6487a911c 100644
--- a/RELEASES.md
+++ b/RELEASES.md
@@ -26,9 +26,11 @@ Example pre-release versions include `v0.1.0-alpha1`, `v0.1.0-beta2`, `v0.1.0-rc

 2. If the format of the data returned for [external data calls](docs/reference/verification-result-version.md) has changed, validate change is also reflected in [`httpserver/types.go`](httpserver/types.go).

-3. Delete all dev images generated since the previous release under the `ratify-dev` and `ratify-crds-dev` [packages](https://github.com/orgs/deislabs/packages?repo_name=ratify). Each dev image tag is prefixed with `dev` followed by the date of creation and then the abbreviated 7 character commit SHA (e.g a build generated on March 8, 2023 from main branch with commit SHA `4cf98388ef33c587ef86b82e05cb0f7de2da2ea8` would be tagged `dev.20230308.4cf9838`).
+3. Delete all dev images generated since the previous release under the `ratify-dev` and `ratify-crds-dev` [packages](https://github.com/orgs/deislabs/packages?repo_name=ratify). Each dev image tag is prefixed with `dev` followed by the date of creation and then the abbreviated 7 character commit SHA (e.g a build generated on March 8, 2023 from main branch with commit SHA `4cf98388ef33c587ef86b82e05cb0f7de2da2ea8` would be tagged `dev.20230308.4cf9838`). The most recent images are also tagged with a rolling tag `latest`.

-4. Copy contents from [`dev.helmfile.yaml`](dev.helmfile.yaml) to [`helmfile.yaml`](helmfile.yaml) & [`dev.high-availability.helmfile.yaml`](dev.high-availability.helmfile.yaml) to [`high-availability.helmfile.yaml`](high-availability.helmfile.yaml). You MUST update/remove values marked by comments in the files. The `dev` prefixed helmfiles are treated as staging files that are up to date with new changes on main branch. The primary `helmfile.yaml` and `high-availability.helmfile.yaml` MUST stay pinned to the current release since they are used by the quickstarts. Update `dev.helmfile.yaml` & `dev.high-availability.helmfile.yaml` ratify chart version to new release version.
+4. Delete all dev helm charts since the previous release under the `ratify-chart-dev/ratify` [packages](https://github.com/orgs/deislabs/packages?repo_name=ratify). Each helm chart is published with a semantic version compatible tag `0-dev` followed by the date of creation and then the abbreviated 7 character commit SHA (e.g a chart generated on March 8, 2023 from main branch with commit SHA `4cf98388ef33c587ef86b82e05cb0f7de2da2ea8` would be tagged `0-dev.20230308.4cf9838`). The most recent dev chart is also tagged with the rolling tag `0-dev`.
+
+5. Copy contents from [`dev.helmfile.yaml`](dev.helmfile.yaml) to [`helmfile.yaml`](helmfile.yaml) & [`dev.high-availability.helmfile.yaml`](dev.high-availability.helmfile.yaml) to [`high-availability.helmfile.yaml`](high-availability.helmfile.yaml). You MUST update/remove values marked by comments in the files. The `dev` prefixed helmfiles are treated as staging files that are up to date with new changes on main branch. The primary `helmfile.yaml` and `high-availability.helmfile.yaml` MUST stay pinned to the current release since they are used by the quickstarts. Update `dev.helmfile.yaml` & `dev.high-availability.helmfile.yaml` ratify chart version to new release version.

 ## Git Release Flow

diff --git a/dev.helmfile.yaml b/dev.helmfile.yaml
index d12cb94a4..35dc39ae6 100644
--- a/dev.helmfile.yaml
+++ b/dev.helmfile.yaml
@@ -2,7 +2,8 @@ repositories:
 - name: gatekeeper
 url: https://open-policy-agent.github.io/gatekeeper/charts
 - name: ratify
- url: https://deislabs.github.io/ratify
+ url: ghcr.io/deislabs/ratify-chart-dev # PRERELEASE: Change to 'https://deislabs.github.io/ratify' before copying to helmfile.yaml
+ oci: true # PRERELEASE: Remove before copying to helmfile.yaml

 releases:
 - name: gatekeeper
@@ -22,8 +23,8 @@ releases:
 value: 10s
 - name: ratify
 namespace: gatekeeper-system
- chart: charts/ratify # PRERELEASE: Change to 'ratify/ratify' before copying to helmfile.yaml
- version: 1.12.0 # ATTENTION: Needs to match latest in Chart.yaml
+ chart: ratify/ratify
+ version: 0-dev # ATTENTION: Needs to match latest in Chart.yaml
 wait: true
 needs:
 - gatekeeper
@@ -74,11 +75,3 @@ releases:
 value: {{ exec "curl" (list "-sSL" "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/notation.crt") | quote }}
 - name: featureFlags.RATIFY_CERT_ROTATION
 value: true
- - name: image.repository # PRERELEASE: REMOVE before copying to helmfile.yaml
- value: ghcr.io/deislabs/ratify-dev # PRERELEASE: REMOVE before copying to helmfile.yaml
- - name: image.crdRepository # PRERELEASE: REMOVE before copying to helmfile.yaml
- value: ghcr.io/deislabs/ratify-crds-dev # PRERELEASE: REMOVE before copying to helmfile.yaml
- - name: image.tag # PRERELEASE: REMOVE before copying to helmfile.yaml
- value: dev.20230822.cd81c6e # PRERELEASE: REMOVE before copying to helmfile.yaml
- - name: image.pullPolicy # PRERELEASE: REMOVE before copying to helmfile.yaml
- value: Always # PRERELEASE: REMOVE before copying to helmfile.yaml
diff --git a/dev.high-availability.helmfile.yaml b/dev.high-availability.helmfile.yaml
index 88b6203d4..6698a6bca 100644
--- a/dev.high-availability.helmfile.yaml
+++ b/dev.high-availability.helmfile.yaml
@@ -1,10 +1,13 @@
 repositories:
+ - name: gatekeeper
+ url: https://open-policy-agent.github.io/gatekeeper/charts
 - name: dapr
 url: https://dapr.github.io/helm-charts/
 - name: bitnami
 url: https://charts.bitnami.com/bitnami
 - name: ratify
- url: https://deislabs.github.io/ratify
+ url: ghcr.io/deislabs/ratify-chart-dev # PRERELEASE: Change to 'https://deislabs.github.io/ratify' before copying to helmfile.yaml
+ oci: true # PRERELEASE: Remove before copying to helmfile.yaml

 releases:
 - name: dapr
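Review bot: The comment retained on `version: 0-dev # ATTENTION: Needs to match latest in Chart.yaml` is now misleading: `0-dev` is the rolling tag the publish-dev-assets workflow pushes to `ghcr.io/deislabs/ratify-chart-dev`, not the version in `charts/ratify/Chart.yaml`, and a maintainer following it would replace the tag with the chart version and break the dev helmfile. Suggest `version: 0-dev # PRERELEASE: rolling dev chart tag (republished weekly); change to the released chart version before copying to helmfile.yaml`. Because the tag is mutable, `helmfile sync` against this file is not reproducible and resolves to whichever weekly build was pushed last; pin a dated `0-dev.<YYYYMMDD>.<sha>` chart version when a stable dev environment is needed. The same line and comment appear in dev.high-availability.helmfile.yaml.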
@@ -13,8 +16,24 @@ releases:
 chart: dapr/dapr
 version: 1.11.1
 wait: true
+ - name: gatekeeper
+ namespace: gatekeeper-system
+ createNamespace: true
+ chart: gatekeeper/gatekeeper
+ version: 3.14.0
+ wait: true
+ set:
+ - name: enableExternalData
+ value: true
+ - name: validatingWebhookTimeoutSeconds
+ value: 5
+ - name: mutatingWebhookTimeoutSeconds
+ value: 2
+ - name: externaldataProviderResponseCacheTTL
+ value: 10s
 - name: redis
 namespace: gatekeeper-system
+ createNamespace: true
 chart: bitnami/redis
 version: 17.11.6
 wait: true
@@ -31,12 +50,13 @@ releases:
 value: false
 - name: ratify
 namespace: gatekeeper-system
- chart: charts/ratify/
- version: 1.12.0 # ATTENTION: Needs to match latest in Chart.yaml
+ chart: ratify/ratify
+ version: 0-dev # ATTENTION: Needs to match latest in Chart.yaml
 wait: true
 needs:
 - dapr-system/dapr
 - gatekeeper-system/redis
+ - gatekeeper-system/gatekeeper
 hooks:
 - events: ["presync"]
 showlogs: true
@@ -53,6 +73,12 @@ releases:
 - "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/dapr/dapr-redis.yaml"
 - "-n"
 - "gatekeeper-system"
+ - events: ["presync"]
+ showlogs: true
+ command: "bash"
+ args:
+ - "-c"
+ - "kubectl apply -f https://deislabs.github.io/ratify/library/default/template.yaml && kubectl apply -f https://deislabs.github.io/ratify/library/default/samples/constraint.yaml"
 - events: ["postuninstall"]
 showlogs: true
 command: "kubectl"
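Review bot: The new `presync` hook applies `library/default/template.yaml` and `samples/constraint.yaml` from `https://deislabs.github.io/ratify/`, i.e. whatever the site currently serves, with nothing tying it to the `0-dev` chart being deployed, so the constraint template and the chart can drift apart between a site publish and the weekly chart build. That is in line with the other hooks in this file, which already fetch from `raw.githubusercontent.com/.../main`, but the intent should be stated on the line: `# DEV ONLY: applies the currently published template/constraint; not pinned to the chart version`. On style, the neighbouring hooks call `kubectl` directly; expressing this as two `kubectl apply` hooks instead of `bash -c "... && ..."` keeps the file uniform and drops the extra shell layer.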
@@ -109,12 +135,6 @@ releases:
 - "-n"
 - "gatekeeper-system"
 set:
- - name: image.repository # REMOVE before copying to high-availability.helmfile.yaml
- value: ghcr.io/deislabs/ratify-dev # REMOVE before copying to high-availability.helmfile.yaml
- - name: image.crdRepository # REMOVE before copying to high-availability.helmfile.yaml
- value: ghcr.io/deislabs/ratify-crds-dev # REMOVE before copying to high-availability.helmfile.yaml
- - name: image.tag # REMOVE before copying to high-availability.helmfile.yaml
- value: dev.20230822.cd81c6e # REMOVE before copying to high-availability.helmfile.yaml
 - name: featureFlags.RATIFY_EXPERIMENTAL_HIGH_AVAILABILITY
 value: true
 - name: featureFlags.RATIFY_CERT_ROTATION