ci: add dev helm chart publishing workflow #1209

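--- /dev/null
+++ b/.github/workflows/publish-dev-assets.yml
@@ -0,0 +1,90 @@
+name: publish-dev-assets
+
+on:
+schedule:
+- cron: '30 8 * * 0' # early morning (08:30 UTC) every Sunday
+workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+build:
+runs-on: ubuntu-latest
+permissions:
+packages: write
+contents: read
+steps:
+- name: Checkout
+uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+- name: prepare
+id: prepare
+run: |
+DATE=$(date +'%Y%m%d')
+COMMIT=${{ github.sha }}
+REPOSITORY=ghcr.io/${{ github.repository }}
+CHART_REPOSITORY=${REPOSITORY}-chart-dev
+VERSION=dev.${DATE}.${COMMIT:0:7}
+SEM_VERSION=0-${VERSION}
+SEM_VERSION_ROLLING=0-dev
+REPOSITORY_PLUGINS=${REPOSITORY}-dev
+REPOSITORYBASE=${REPOSITORY}-base-dev
+REPOSITORYCRD=${REPOSITORY}-crds-dev
+echo ::set-output name=version::${VERSION}
+echo ::set-output name=semversion::${SEM_VERSION}
+echo ::set-output name=semversionrolling::${SEM_VERSION_ROLLING}
+echo ::set-output name=chartrepo::${CHART_REPOSITORY}
+echo ::set-output name=ref::${REPOSITORY_PLUGINS}
+echo ::set-output name=baseref::${REPOSITORYBASE}
+echo ::set-output name=crdref::${REPOSITORYCRD}
+- name: docker login
+uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+with:
+registry: ghcr.io
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+- name: docker build ratify-crds
+run: |
+docker buildx create --use
+docker buildx build --build-arg KUBE_VERSION="1.27.7" -f crd.Dockerfile --platform linux/amd64,linux/arm64,linux/arm/v7 --label org.opencontainers.image.revision=${{ github.sha }} -t ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} -t ${{ steps.prepare.outputs.crdref }} --push ./charts/ratify/crds
+- name: docker build ratify base
+run: |
+docker buildx create --use
+docker buildx build -f ./httpserver/Dockerfile \
+--platform linux/amd64,linux/arm64,linux/arm/v7 \
+--build-arg LDFLAGS="-X github.com/deislabs/ratify/internal/version.Version=$(TAG)" \
+--label org.opencontainers.image.revision=${{ github.sha }} \
+-t ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }} \
+-t ${{ steps.prepare.outputs.baseref }} \
+--push .
+- name: docker build ratify with plugin
+run: |
+docker buildx create --use
+docker buildx build -f ./httpserver/Dockerfile \
+--platform linux/amd64,linux/arm64,linux/arm/v7 \
+--build-arg build_cosign=true \
+--build-arg build_sbom=true \
+--build-arg build_licensechecker=true \
+--build-arg build_schemavalidator=true \
+--build-arg build_vulnerabilityreport=true \
+--build-arg LDFLAGS="-X github.com/deislabs/ratify/internal/version.Version=$(TAG)" \
+--label org.opencontainers.image.revision=${{ github.sha }} \
+-t ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }} \
+-t ${{ steps.prepare.outputs.ref }} \
+--push .
+- name: replace version
+run: |
+sed -i '/^ repository:/c\ repository: ghcr.io/deislabs/ratify-dev' charts/ratify/values.yaml
+sed -i '/^ crdRepository:/c\ crdRepository: ghcr.io/deislabs/ratify-crds-dev' charts/ratify/values.yaml
+sed -i '/^ tag:/c\ tag: ${{ steps.prepare.outputs.version }}' charts/ratify/values.yaml
+- name: helm package
+run: |
+helm package ./charts/ratify --version ${{ steps.prepare.outputs.semversion }}
+helm package ./charts/ratify --version ${{ steps.prepare.outputs.semversionrolling }}
+- name: helm push
+run: |
+helm push ratify-${{ steps.prepare.outputs.semversion }}.tgz oci://${{ steps.prepare.outputs.chartrepo }}
+helm push ratify-${{ steps.prepare.outputs.semversionrolling }}.tgz oci://${{ steps.prepare.outputs.chartrepo }}
+- name: clear
+if: always()
+run: |
+rm -f ${HOME}/.docker/config.json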
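Review bot: The `LDFLAGS="-X ...version.Version=$(TAG)"` build-arg in both ratify image build steps is a bash command substitution, not a Makefile variable reference; there is no `TAG` command in the runner, so it expands to an empty string (the step still succeeds because a failed substitution inside an argument does not trip `-e`) and every dev image ships with an empty embedded version. It should read `--build-arg LDFLAGS="-X github.com/deislabs/ratify/internal/version.Version=${{ steps.prepare.outputs.version }}"` so the binary reports the same `dev.<date>.<sha>` that is stamped on the tag. Separately, the `prepare` step writes outputs with the deprecated `::set-output` command, which GitHub has announced for removal; switching to `echo "version=${VERSION}" >> "$GITHUB_OUTPUT"` (and likewise for the other six) avoids a future silent breakage of every downstream step. The three `docker buildx create --use` calls also leave three builders behind; one call before the first build is enough, and since the `-dev` images and the `0-dev` chart are published only under mutable rolling tags, consider recording the pushed digests in the job summary so consumers of the dev helmfiles can pin what they actually tested.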
10 changes: 0 additions & 10 deletions .github/workflows/publish-package.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,6 @@ on:
push:
tags:
- v*
schedule:
- cron: '30 8 * * 0' # early morning (08:30 UTC) every Sunday
workflow_dispatch:

permissions: read-all
Expand All @@ -24,20 +22,12 @@ jobs:
run: |
VERSION=${GITHUB_REF#refs/*/}
BRANCH_NAME=${GITHUB_REF#refs/heads/}
DATE=$(date +'%Y%m%d')
COMMIT=${{ github.sha }}
REPOSITORY=ghcr.io/${{ github.repository }}
REPOSITORYBASE=ghcr.io/${{ github.repository }}-base
REPOSITORYCRD=ghcr.io/${{ github.repository }}-crds
if [[ "${VERSION}" == "${BRANCH_NAME}" ]]; then
VERSION=$(git rev-parse --short HEAD)
fi
if [[ "${{ github.event_name }}" == "workflow_dispatch" || "${{ github.event_name }}" == "schedule" ]]; then
VERSION=dev.${DATE}.${COMMIT:0:7}
REPOSITORY=${REPOSITORY}-dev
REPOSITORYBASE=${REPOSITORYBASE}-dev
REPOSITORYCRD=${REPOSITORYCRD}-dev
fi
echo ::set-output name=version::${VERSION}
echo ::set-output name=ref::${REPOSITORY}:${VERSION}
echo ::set-output name=baseref::${REPOSITORYBASE}:${VERSION}
Expand Down
14 changes: 3 additions & 11 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -156,20 +156,12 @@ docker push ${REGISTRY}/localbuildcrd:yourtag
```

### Deploy using Dev Helmfile
#### Update dev.helmfile.yaml
Replace `repository`, `crdRepository`, and `tag` with previously built images:
```yaml
- name: image.repository
value: <YOUR RATIFY IMAGE REPOSITORY NAME>
- name: image.crdRepository
value: <YOUR RATIFY CRD IMAGE REPOSITORY NAME>
- name: image.tag
value: <YOUR IMAGES TAG NAME>
```

Development charts + images are published weekly and latest versions are tagged with rolling tags referenced in dev helmfile.

Deploy to cluster:
```bash
helmfile sync -f dev.helmfile.yaml
helmfile sync -f git::https://github.com/deislabs/ratify.git@dev.helmfile.yaml
```

### Deploy from local helm chart
Expand Down
6 changes: 4 additions & 2 deletions RELEASES.md
Original file line number Diff line number Diff line change
Expand Up @@ -26,9 +26,11 @@ Example pre-release versions include `v0.1.0-alpha1`, `v0.1.0-beta2`, `v0.1.0-rc

2. If the format of the data returned for [external data calls](docs/reference/verification-result-version.md) has changed, validate change is also reflected in [`httpserver/types.go`](httpserver/types.go).

3. Delete all dev images generated since the previous release under the `ratify-dev` and `ratify-crds-dev` [packages](https://github.com/orgs/deislabs/packages?repo_name=ratify). Each dev image tag is prefixed with `dev` followed by the date of creation and then the abbreviated 7 character commit SHA (e.g a build generated on March 8, 2023 from main branch with commit SHA `4cf98388ef33c587ef86b82e05cb0f7de2da2ea8` would be tagged `dev.20230308.4cf9838`).
3. Delete all dev images generated since the previous release under the `ratify-dev` and `ratify-crds-dev` [packages](https://github.com/orgs/deislabs/packages?repo_name=ratify). Each dev image tag is prefixed with `dev` followed by the date of creation and then the abbreviated 7 character commit SHA (e.g a build generated on March 8, 2023 from main branch with commit SHA `4cf98388ef33c587ef86b82e05cb0f7de2da2ea8` would be tagged `dev.20230308.4cf9838`). The most recent images are also tagged with a rolling tag `latest`.

4. Copy contents from [`dev.helmfile.yaml`](dev.helmfile.yaml) to [`helmfile.yaml`](helmfile.yaml) & [`dev.high-availability.helmfile.yaml`](dev.high-availability.helmfile.yaml) to [`high-availability.helmfile.yaml`](high-availability.helmfile.yaml). You MUST update/remove values marked by comments in the files. The `dev` prefixed helmfiles are treated as staging files that are up to date with new changes on main branch. The primary `helmfile.yaml` and `high-availability.helmfile.yaml` MUST stay pinned to the current release since they are used by the quickstarts. Update `dev.helmfile.yaml` & `dev.high-availability.helmfile.yaml` ratify chart version to new release version.
4. Delete all dev helm charts since the previous release under the `ratify-chart-dev/ratify` [packages](https://github.com/orgs/deislabs/packages?repo_name=ratify). Each helm chart is published with a semantic version compatible tag `0-dev` followed by the date of creation and then the abbreviated 7 character commit SHA (e.g a chart generated on March 8, 2023 from main branch with commit SHA `4cf98388ef33c587ef86b82e05cb0f7de2da2ea8` would be tagged `0-dev.20230308.4cf9838`). The most recent dev chart is also tagged with the rolling tag `0-dev`.

5. Copy contents from [`dev.helmfile.yaml`](dev.helmfile.yaml) to [`helmfile.yaml`](helmfile.yaml) & [`dev.high-availability.helmfile.yaml`](dev.high-availability.helmfile.yaml) to [`high-availability.helmfile.yaml`](high-availability.helmfile.yaml). You MUST update/remove values marked by comments in the files. The `dev` prefixed helmfiles are treated as staging files that are up to date with new changes on main branch. The primary `helmfile.yaml` and `high-availability.helmfile.yaml` MUST stay pinned to the current release since they are used by the quickstarts. Update `dev.helmfile.yaml` & `dev.high-availability.helmfile.yaml` ratify chart version to new release version.

## Git Release Flow

Expand Down
15 changes: 4 additions & 11 deletions dev.helmfile.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,8 @@ repositories:
- name: gatekeeper
url: https://open-policy-agent.github.io/gatekeeper/charts
- name: ratify
url: https://deislabs.github.io/ratify
url: ghcr.io/deislabs/ratify-chart-dev # PRERELEASE: Change to 'https://deislabs.github.io/ratify' before copying to helmfile.yaml
oci: true # PRERELEASE: Remove before copying to helmfile.yaml

releases:
- name: gatekeeper
Expand All @@ -22,8 +23,8 @@ releases:
value: 10s
- name: ratify
namespace: gatekeeper-system
chart: charts/ratify # PRERELEASE: Change to 'ratify/ratify' before copying to helmfile.yaml
version: 1.12.0 # ATTENTION: Needs to match latest in Chart.yaml
chart: ratify/ratify
version: 0-dev # ATTENTION: Needs to match latest in Chart.yaml
wait: true
needs:
- gatekeeper
Expand Down Expand Up @@ -74,11 +75,3 @@ releases:
value: {{ exec "curl" (list "-sSL" "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/notation.crt") | quote }}
- name: featureFlags.RATIFY_CERT_ROTATION
value: true
- name: image.repository # PRERELEASE: REMOVE before copying to helmfile.yaml
value: ghcr.io/deislabs/ratify-dev # PRERELEASE: REMOVE before copying to helmfile.yaml
- name: image.crdRepository # PRERELEASE: REMOVE before copying to helmfile.yaml
value: ghcr.io/deislabs/ratify-crds-dev # PRERELEASE: REMOVE before copying to helmfile.yaml
- name: image.tag # PRERELEASE: REMOVE before copying to helmfile.yaml
value: dev.20230822.cd81c6e # PRERELEASE: REMOVE before copying to helmfile.yaml
- name: image.pullPolicy # PRERELEASE: REMOVE before copying to helmfile.yaml
value: Always # PRERELEASE: REMOVE before copying to helmfile.yaml
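Review bot: The `# ATTENTION: Needs to match latest in Chart.yaml` comment next to `version: 0-dev` is now misleading, because `0-dev` is the rolling tag the new workflow pushes and will never equal the version in `Chart.yaml`; a reader following the comment would "fix" it to `1.12.0`, which does not exist in `ghcr.io/deislabs/ratify-chart-dev`. I would change it to `version: 0-dev # PRERELEASE: rolling dev chart tag published weekly; change to the release version before copying to helmfile.yaml`. Since `0-dev` is mutable, a `helmfile sync` that resolves it today and one next week can deploy different chart and image contents with no change to this file; for anything beyond throwaway dev clusters, pin to the dated tag (`0-dev.<date>.<sha>`) that the same workflow also publishes, and note that `image.pullPolicy: Always` was dropped here, which is fine only because the chart's baked-in `tag` is the immutable dated one.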
38 changes: 29 additions & 9 deletions dev.high-availability.helmfile.yaml
Original file line number Diff line number Diff line change
@@ -1,10 +1,13 @@
repositories:
- name: gatekeeper
url: https://open-policy-agent.github.io/gatekeeper/charts
- name: dapr
url: https://dapr.github.io/helm-charts/
- name: bitnami
url: https://charts.bitnami.com/bitnami
- name: ratify
url: https://deislabs.github.io/ratify
url: ghcr.io/deislabs/ratify-chart-dev # PRERELEASE: Change to 'https://deislabs.github.io/ratify' before copying to helmfile.yaml
oci: true # PRERELEASE: Remove before copying to helmfile.yaml

releases:
- name: dapr
Expand All @@ -13,8 +16,24 @@ releases:
chart: dapr/dapr
version: 1.11.1
wait: true
- name: gatekeeper
namespace: gatekeeper-system
createNamespace: true
chart: gatekeeper/gatekeeper
version: 3.14.0
wait: true
set:
- name: enableExternalData
value: true
- name: validatingWebhookTimeoutSeconds
value: 5
- name: mutatingWebhookTimeoutSeconds
value: 2
- name: externaldataProviderResponseCacheTTL
value: 10s
- name: redis
namespace: gatekeeper-system
createNamespace: true
chart: bitnami/redis
version: 17.11.6
wait: true
Expand All @@ -31,12 +50,13 @@ releases:
value: false
- name: ratify
namespace: gatekeeper-system
chart: charts/ratify/
version: 1.12.0 # ATTENTION: Needs to match latest in Chart.yaml
chart: ratify/ratify
version: 0-dev # ATTENTION: Needs to match latest in Chart.yaml
wait: true
needs:
- dapr-system/dapr
- gatekeeper-system/redis
- gatekeeper-system/gatekeeper
hooks:
- events: ["presync"]
showlogs: true
Expand All @@ -53,6 +73,12 @@ releases:
- "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/dapr/dapr-redis.yaml"
- "-n"
- "gatekeeper-system"
- events: ["presync"]
showlogs: true
command: "bash"
args:
- "-c"
- "kubectl apply -f https://deislabs.github.io/ratify/library/default/template.yaml && kubectl apply -f https://deislabs.github.io/ratify/library/default/samples/constraint.yaml"
- events: ["postuninstall"]
showlogs: true
command: "kubectl"
Expand Down Expand Up @@ -109,12 +135,6 @@ releases:
- "-n"
- "gatekeeper-system"
set:
- name: image.repository # REMOVE before copying to high-availability.helmfile.yaml
value: ghcr.io/deislabs/ratify-dev # REMOVE before copying to high-availability.helmfile.yaml
- name: image.crdRepository # REMOVE before copying to high-availability.helmfile.yaml
value: ghcr.io/deislabs/ratify-crds-dev # REMOVE before copying to high-availability.helmfile.yaml
- name: image.tag # REMOVE before copying to high-availability.helmfile.yaml
value: dev.20230822.cd81c6e # REMOVE before copying to high-availability.helmfile.yaml
- name: featureFlags.RATIFY_EXPERIMENTAL_HIGH_AVAILABILITY
value: true
- name: featureFlags.RATIFY_CERT_ROTATION
Expand Down
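Review bot: The new `presync` hook runs `bash -c "kubectl apply -f https://deislabs.github.io/ratify/library/default/template.yaml && kubectl apply -f .../constraint.yaml"`, which applies a ConstraintTemplate and Constraint fetched from the unpinned gh-pages site on every sync; the content at that URL can change independently of the chart version this file pins, and a ConstraintTemplate carries Rego that Gatekeeper evaluates in the admission path, so this is the one place in the file where the deployed policy is not tied to a reviewed revision. If the intent is to mirror `dev.helmfile.yaml`, consider applying the templates from the checked-out repo path (`library/default/template.yaml`) or from a commit-pinned `raw.githubusercontent.com/deislabs/ratify/<sha>/...` URL, matching how `dapr-redis.yaml` is already referenced a few lines above. The `version: 0-dev # ATTENTION: Needs to match latest in Chart.yaml` comment is also stale for the same reason as in `dev.helmfile.yaml`: the rolling tag will never match `Chart.yaml`, so the comment should say it is the rolling dev chart tag to be replaced with the release version before copying to `high-availability.helmfile.yaml`.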