From 6cdcc48a4b2807ed831cc34ed62652b1dcfebbe8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20B=C3=A4hler?= Date: Thu, 19 Oct 2023 14:26:02 +0200 Subject: [PATCH] feat(chart): release security and workflow updates --- .github/workflows/helm-publish.yml | 64 ++++++++++++++++++++++ .github/workflows/helm-test.yml | 69 ++++++++++++++++++++++++ charts/capsule/README.md | 20 +++++-- charts/capsule/README.md.gotmpl | 16 ++++-- charts/capsule/templates/_helpers.tpl | 6 +-- charts/capsule/templates/deployment.yaml | 2 - charts/capsule/values.yaml | 8 ++- 7 files changed, 169 insertions(+), 16 deletions(-) create mode 100644 .github/workflows/helm-publish.yml create mode 100644 .github/workflows/helm-test.yml diff --git a/.github/workflows/helm-publish.yml b/.github/workflows/helm-publish.yml new file mode 100644 index 00000000..1b1eb35c --- /dev/null +++ b/.github/workflows/helm-publish.yml 
@@ -0,0 +1,64 @@
+name: Publish charts
+permissions: read-all
+on:
+ push:
+ tags: [ "helm-v*" ]
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ publish-helm:
+ # Skip this Release on forks
+ if: github.repository_owner == 'capsuleproject'
+ runs-on: ubuntu-20.04
+ steps:
+ - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - name: Publish Helm chart
+ uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
+ with:
+ token: "${{ secrets.GITHUB_TOKEN }}"
+ linting: off
+ charts_dir: charts
+ charts_url: https://${{ github.repository_owner }}.github.io/charts
+ owner: ${{ github.repository_owner }}
+ repository: charts
+ branch: gh-pages
+ commit_username: ${{ github.actor }}
+ publish-helm-oci:
+ runs-on: ubuntu-20.04
+ permissions:
+ contents: write
+ id-token: write
+ packages: write
+ outputs:
+ chart-digest: ${{ steps.helm_publish.outputs.digest }}
+ steps:
+ - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+ - name: Helm | Publish
+ id: helm_publish
+ uses: oliverbaehler/github-actions/helm-oci-chart@8dfd42735c85f6c58d5d4d6f3232cd0e39d1fe73 # v0.1.0
+ with:
+ registry: ghcr.io
+ repository: ${{ github.repository_owner }}/charts
+ name: "capsule"
+ registry-username: ${{ github.actor }}
+ registry-password: ${{ secrets.GITHUB_TOKEN }}
+ update-dependencies: 'true' # Defaults to false
+ sign-image: 'true'
+ signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+ helm-provenance:
+ needs: publish-helm-oci
+ permissions:
+ id-token: write # To sign the provenance.
+ packages: write # To upload assets to release.
+ actions: read # To read the workflow path.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+ with:
+ image: ghcr.io/${{ github.repository_owner }}/charts/capsule
+ digest: "${{ needs.publish-helm-oci.outputs.chart-digest }}"
+ registry-username: ${{ github.actor }}
+ secrets:
+ registry-password: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/helm-test.yml b/.github/workflows/helm-test.yml
new file mode 100644
index 00000000..a7a61b63
--- /dev/null
+++ b/.github/workflows/helm-test.yml
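Review bot: The fork guard on `publish-helm`, `if: github.repository_owner == 'capsuleproject'`, does not match the owner this same commit uses everywhere else (`projectcapsule`, as in the README's `ghcr.io/projectcapsule/charts/capsule` and `projectcapsule.github.io/charts`), so as written the gh-pages publish is skipped on the upstream repository itself; it should read `if: github.repository_owner == 'projectcapsule'`. The same job declares no `permissions:` of its own and therefore inherits the workflow-level `permissions: read-all`, while helm-gh-pages presumably pushes to the `gh-pages` branch with `${{ secrets.GITHUB_TOKEN }}`, which would need a job-level `permissions: contents: write` — confirm against the action's documentation before release. Minor style: `linting: off` is a YAML 1.1 boolean and is the only unquoted flag in the file, whereas the OCI job quotes its flags as `'true'`, so `linting: 'off'` keeps the file consistent. The comment `packages: write # To upload assets to release.` on `helm-provenance` describes a release-asset upload this workflow does not do; the scope is presumably there so the generator can push the provenance to the registry, and the comment should say that.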
@@ -0,0 +1,69 @@
+name: Test charts
+permissions: {}
+
+on:
+ pull_request:
+ branches: [ "main" ]
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ lint:
+ runs-on: ubuntu-20.04
+ steps:
+ - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ with:
+ fetch-depth: 0
+ - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
+ - name: Linting Chart
+ run: helm lint ./charts/capsule
+ - name: Setup Chart Linting
+ id: lint
+ uses: helm/chart-testing-action@e8788873172cb653a90ca2e819d79d65a66d4e76 # v2.4.0
+ - name: Run chart-testing (list-changed)
+ id: list-changed
+ run: |
+ changed=$(ct list-changed --config ./.github/configs/ct.yaml)
+ if [[ -n "$changed" ]]; then
+ echo "::set-output name=changed::true"
+ fi
+ - name: Run chart-testing (lint)
+ run: ct lint --debug --config ./.github/configs/ct.yaml --lint-conf ./.github/configs/lintconf.yaml
+ - name: Run docs-testing (helm-docs)
+ id: helm-docs
+ run: |
+ make helm-docs
+ if [[ $(git diff --stat) != '' ]]; then
+ echo -e '\033[0;31mDocumentation outdated! 
(Run make helm-docs locally and commit)\033[0m ❌'
+ git diff --color
+ exit 1
+ else
+ echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
+ fi
+
+ # ATTENTION: This is a workaround for the upcoming ApiVersion Conversions for the capsule CRDs
+ # With this workflow the current docker image is build and loaded into kind, otherwise the install fails
+ # In the future this must be removed and the chart-testing-action must be used
+ - name: Run chart-testing (install)
+ run: make helm-test
+ if: steps.list-changed.outputs.changed == 'true'
+
+ ## Create KIND Cluster
+ - name: Create kind cluster
+ uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
+ if: steps.list-changed.outputs.changed == 'true'
+ # Install Required Operators/CRDs
+ - name: Prepare Cluster Operators/CRDs
+ run: |
+ # Cert-Manager CRDs
+ kubectl create -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
+
+ # Prometheus CRDs
+ kubectl create -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
+ if: steps.list-changed.outputs.changed == 'true'
+ # Install Charts
+ - name: Run chart-testing (install)
+ run: ct install --debug --config ./.github/configs/ct.yaml
+ if: steps.list-changed.outputs.changed == 'true'
diff --git a/charts/capsule/README.md b/charts/capsule/README.md
index ac6bd2b0..916dc724 100644
--- a/charts/capsule/README.md
+++ b/charts/capsule/README.md
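Review bot: The `list-changed` step's `echo "::set-output name=changed::true"` uses the deprecated `set-output` workflow command, which GitHub replaced with the `GITHUB_OUTPUT` environment file; write `echo "changed=true" >> "$GITHUB_OUTPUT"` and the existing `id: list-changed` plus the `steps.list-changed.outputs.changed == 'true'` conditions keep working unchanged. Two steps carry the identical name `Run chart-testing (install)`, one running `make helm-test` and one `ct install`; the first is the workaround the ATTENTION comment describes, so a distinct name such as `Build image and run helm tests (kind)` keeps the job log readable and makes the future removal obvious. The `Prepare Cluster Operators/CRDs` step applies manifests fetched from release URLs at run time; the versions are pinned (`v1.9.1`, `v0.58.0`) but the downloaded content is not verified, which is tolerable for a throwaway kind cluster in a PR check and worth a one-line comment saying so, e.g. `# CRDs are fetched unverified at run time; test cluster only`.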
@@ -22,11 +22,15 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator 1. Add this repository: - $ helm repo add clastix https://clastix.github.io/charts + $ helm repo add projectcapsule https://projectcapsule.github.io/charts 2. Install the Chart: - $ helm install capsule clastix/capsule -n capsule-system --create-namespace + $ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace + + or + + $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6 -n capsule-system --create-namespace 3. Show the status: @@ -34,7 +38,11 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator 4. Upgrade the Chart - $ helm upgrade capsule clastix/capsule -n capsule-system + $ helm upgrade capsule projectcapsule/capsule -n capsule-system + + or + + $ helm upgrade capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.7 5. Uninstall the Chart @@ -68,6 +76,7 @@ Here the values you can override: | customLabels | object | `{}` | Additional labels which will be added to all resources created by Capsule helm chart | | imagePullSecrets | list | `[]` | Configuration for `imagePullSecrets` so that you can use a private images registry. | | jobs.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job | +| jobs.image.registry | string | `"docker.io"` | Set the image repository of the helm chart job | | jobs.image.repository | string | `"clastix/kubectl"` | Set the image repository of the helm chart job | | jobs.image.tag | string | `""` | Set the image tag of the helm chart job | | mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks | 
@@ -94,7 +103,8 @@ Here the values you can override: |-----|------|---------|-------------| | manager.hostNetwork | bool | `false` | Specifies if the container should be started in hostNetwork mode. Required for use in some managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working | | manager.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy. | -| manager.image.repository | string | `"clastix/capsule"` | Set the image repository of the capsule. | +| manager.image.registry | string | `"ghcr.io"` | Set the image registry of capsule. | +| manager.image.repository | string | `"projectcapsule/capsule"` | Set the image repository of capsule. | | manager.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | manager.kind | string | `"Deployment"` | Set the controller deployment mode as `Deployment` or `DaemonSet`. | | manager.livenessProbe | object | `{"httpGet":{"path":"/healthz","port":10080}}` | Configure the liveness probe using Deployment probe spec | @@ -196,7 +206,7 @@ Capsule, as many other add-ons, defines its own set of Custom Resource Definitio You can enable the generation of certificates using `cert-manager` as follows. ``` -helm upgrade --install capsule clastix/capsule --namespace capsule-system --create-namespace \ +helm upgrade --install capsule projectcapsule/capsule --namespace capsule-system --create-namespace \ --set "certManager.generateCertificates=true" \ --set "tls.create=false" \ --set "tls.enableController=false" diff --git a/charts/capsule/README.md.gotmpl b/charts/capsule/README.md.gotmpl index 273f9989..377491a9 100644 --- a/charts/capsule/README.md.gotmpl +++ b/charts/capsule/README.md.gotmpl 
@@ -22,11 +22,15 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator 1. Add this repository: - $ helm repo add clastix https://clastix.github.io/charts + $ helm repo add projectcapsule https://projectcapsule.github.io/charts 2. Install the Chart: - $ helm install capsule clastix/capsule -n capsule-system --create-namespace + $ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace + + or + + $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6 -n capsule-system --create-namespace 3. Show the status: @@ -34,7 +38,11 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator 4. Upgrade the Chart - $ helm upgrade capsule clastix/capsule -n capsule-system + $ helm upgrade capsule projectcapsule/capsule -n capsule-system + + or + + $ helm upgrade capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.7 5. Uninstall the Chart @@ -132,7 +140,7 @@ Capsule, as many other add-ons, defines its own set of Custom Resource Definitio You can enable the generation of certificates using `cert-manager` as follows. ``` -helm upgrade --install capsule clastix/capsule --namespace capsule-system --create-namespace \ +helm upgrade --install capsule projectcapsule/capsule --namespace capsule-system --create-namespace \ --set "certManager.generateCertificates=true" \ --set "tls.create=false" \ --set "tls.enableController=false" diff --git a/charts/capsule/templates/_helpers.tpl b/charts/capsule/templates/_helpers.tpl index 80d8a2e6..64680fdc 100644 --- a/charts/capsule/templates/_helpers.tpl +++ b/charts/capsule/templates/_helpers.tpl 
@@ -80,7 +80,7 @@ Create the name of the service account to use Create the manager fully-qualified Docker image to use */}} {{- define "capsule.managerFullyQualifiedDockerImage" -}} -{{- printf "%s:%s" .Values.manager.image.repository ( .Values.manager.image.tag | default (printf "v%s" .Chart.AppVersion) ) -}} +{{- printf "%s/%s:%s" .Values.manager.image.registry .Values.manager.image.repository ( .Values.manager.image.tag | default (printf "v%s" .Chart.AppVersion) ) -}} {{- end }} {{/* @@ -106,9 +106,9 @@ Create the jobs fully-qualified Docker image to use */}} {{- define "capsule.jobsFullyQualifiedDockerImage" -}} {{- if .Values.jobs.image.tag }} -{{- printf "%s:%s" .Values.jobs.image.repository .Values.jobs.image.tag -}} +{{- printf "%s/%s:%s" .Values.jobs.image.registry .Values.jobs.image.repository .Values.jobs.image.tag -}} {{- else }} -{{- printf "%s:%s" .Values.jobs.image.repository (include "capsule.jobsTagKubeVersion" .) -}} +{{- printf "%s/%s:%s" .Values.jobs.image.registry .Values.jobs.image.repository (include "capsule.jobsTagKubeVersion" .) -}} {{- end }} {{- end }} diff --git a/charts/capsule/templates/deployment.yaml b/charts/capsule/templates/deployment.yaml index 780876ed..d20cb20d 100644 --- a/charts/capsule/templates/deployment.yaml +++ b/charts/capsule/templates/deployment.yaml @@ -60,8 +60,6 @@ spec: secretName: {{ include "capsule.secretTlsName" . }} containers: - name: manager - command: - - /manager args: - --webhook-port={{ .Values.manager.webhookPort }} - --enable-leader-election diff --git a/charts/capsule/values.yaml b/charts/capsule/values.yaml index 29b72e3b..32456d2c 100644 --- a/charts/capsule/values.yaml +++ b/charts/capsule/values.yaml 
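Review bot: Both new `printf "%s/%s:%s"` calls prepend `.Values.*.image.registry` unconditionally, so an existing override that already carries a registry in `repository` (the pre-commit convention was `repository: clastix/capsule`; a user on a private mirror may have set something like `repository: registry.example.internal/capsule`, constructed example) now renders as `ghcr.io/registry.example.internal/capsule:tag`, and setting `registry: ""` to opt out yields a reference with a leading slash. Guard the prefix on the registry being non-empty so an empty registry falls back to the previous `repository:tag` form; the manager helper is rewritten below, and `capsule.jobsFullyQualifiedDockerImage` needs the same guard in both of its `if .Values.jobs.image.tag` branches. A values comment telling users to leave `registry` empty when `repository` already contains one would make the fallback discoverable.

```gotmpl
{{- define "capsule.managerFullyQualifiedDockerImage" -}}
{{- $tag := .Values.manager.image.tag | default (printf "v%s" .Chart.AppVersion) -}}
{{- if .Values.manager.image.registry -}}
{{- printf "%s/%s:%s" .Values.manager.image.registry .Values.manager.image.repository $tag -}}
{{- else -}}
{{- printf "%s:%s" .Values.manager.image.repository $tag -}}
{{- end -}}
{{- end }}
{{/* … unchanged: capsule.jobsFullyQualifiedDockerImage, which needs the same guard on .Values.jobs.image.registry … */}}
```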
@@ -18,8 +18,10 @@ manager: kind: Deployment image: - # -- Set the image repository of the capsule. - repository: clastix/capsule + # -- Set the image registry of capsule. + registry: ghcr.io + # -- Set the image repository of capsule. + repository: projectcapsule/capsule # -- Set the image pull policy. pullPolicy: IfNotPresent # -- Overrides the image tag whose default is the chart appVersion. @@ -135,6 +137,8 @@ podSecurityPolicy: jobs: image: + # -- Set the image repository of the helm chart job + registry: docker.io # -- Set the image repository of the helm chart job repository: clastix/kubectl # -- Set the image pull policy of the helm chart job
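Review bot: The comment added above `registry: docker.io` in the `jobs.image` block, `# -- Set the image repository of the helm chart job`, was copied from the `repository` line below it and documents the wrong key; because helm-docs generates the README table from these comments, the same wrong text already appears in this commit's README row for `jobs.image.registry`. It should read `# -- Set the image registry of the helm chart job`, after which regenerating the README fixes the table. Also worth a second look: the manager image now defaults to `ghcr.io/projectcapsule/capsule` while the job image stays at `docker.io/clastix/kubectl`, so the chart's two default registries now differ; if the kubectl image was deliberately left on Docker Hub that is fine, otherwise the `jobs.image` defaults should follow the move.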