Merge branch 'main' into akashsinghal/fixvulnct
akashsinghal authored Jan 4, 2024
2 parents 61f7a13 + 5333fe9 commit f7e6c1d
Showing 6 changed files with 139 additions and 34 deletions.
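--- /dev/null
+++ b/.github/workflows/publish-dev-assets.yml
@@ -0,0 +1,90 @@
+name: publish-dev-assets
+
+on:
+  schedule:
+    - cron: '30 8 * * 0' # early morning (08:30 UTC) every Sunday
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+      - name: prepare
+        id: prepare
+        run: |
+          DATE=$(date +'%Y%m%d')
+          COMMIT=${{ github.sha }}
+          REPOSITORY=ghcr.io/${{ github.repository }}
+          CHART_REPOSITORY=${REPOSITORY}-chart-dev
+          VERSION=dev.${DATE}.${COMMIT:0:7}
+          SEM_VERSION=0-${VERSION}
+          SEM_VERSION_ROLLING=0-dev
+          REPOSITORY_PLUGINS=${REPOSITORY}-dev
+          REPOSITORYBASE=${REPOSITORY}-base-dev
+          REPOSITORYCRD=${REPOSITORY}-crds-dev
+          echo ::set-output name=version::${VERSION}
+          echo ::set-output name=semversion::${SEM_VERSION}
+          echo ::set-output name=semversionrolling::${SEM_VERSION_ROLLING}
+          echo ::set-output name=chartrepo::${CHART_REPOSITORY}
+          echo ::set-output name=ref::${REPOSITORY_PLUGINS}
+          echo ::set-output name=baseref::${REPOSITORYBASE}
+          echo ::set-output name=crdref::${REPOSITORYCRD}
+      - name: docker login
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: docker build ratify-crds
+        run: |
+          docker buildx create --use
+          docker buildx build --build-arg KUBE_VERSION="1.27.7" -f crd.Dockerfile --platform linux/amd64,linux/arm64,linux/arm/v7 --label org.opencontainers.image.revision=${{ github.sha }} -t ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} -t ${{ steps.prepare.outputs.crdref }} --push ./charts/ratify/crds
+      - name: docker build ratify base
+        run: |
+          docker buildx create --use
+          docker buildx build -f ./httpserver/Dockerfile \
+            --platform linux/amd64,linux/arm64,linux/arm/v7 \
+            --build-arg LDFLAGS="-X github.com/deislabs/ratify/internal/version.Version=$(TAG)" \
+            --label org.opencontainers.image.revision=${{ github.sha }} \
+            -t ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }} \
+            -t ${{ steps.prepare.outputs.baseref }} \
+            --push .
+      - name: docker build ratify with plugin
+        run: |
+          docker buildx create --use
+          docker buildx build -f ./httpserver/Dockerfile \
+            --platform linux/amd64,linux/arm64,linux/arm/v7 \
+            --build-arg build_cosign=true \
+            --build-arg build_sbom=true \
+            --build-arg build_licensechecker=true \
+            --build-arg build_schemavalidator=true \
+            --build-arg build_vulnerabilityreport=true \
+            --build-arg LDFLAGS="-X github.com/deislabs/ratify/internal/version.Version=$(TAG)" \
+            --label org.opencontainers.image.revision=${{ github.sha }} \
+            -t ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }} \
+            -t ${{ steps.prepare.outputs.ref }} \
+            --push .
+      - name: replace version
+        run: |
+          sed -i '/^ repository:/c\ repository: ghcr.io/deislabs/ratify-dev' charts/ratify/values.yaml
+          sed -i '/^ crdRepository:/c\ crdRepository: ghcr.io/deislabs/ratify-crds-dev' charts/ratify/values.yaml
+          sed -i '/^ tag:/c\ tag: ${{ steps.prepare.outputs.version }}' charts/ratify/values.yaml
+      - name: helm package
+        run: |
+          helm package ./charts/ratify --version ${{ steps.prepare.outputs.semversion }}
+          helm package ./charts/ratify --version ${{ steps.prepare.outputs.semversionrolling }}
+      - name: helm push
+        run: |
+          helm push ratify-${{ steps.prepare.outputs.semversion }}.tgz oci://${{ steps.prepare.outputs.chartrepo }}
+          helm push ratify-${{ steps.prepare.outputs.semversionrolling }}.tgz oci://${{ steps.prepare.outputs.chartrepo }}
+      - name: clear
+        if: always()
+        run: |
+          rm -f ${HOME}/.docker/config.json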
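Review bot: The `LDFLAGS` build arg in both `docker buildx build` steps of the "ratify base" and "ratify with plugin" jobs embeds `$(TAG)`, which inside a `run:` shell is a command substitution for a non-existent `TAG` command, so `version.Version` is baked in as an empty string (this reads like a copy from a Makefile, where `$(TAG)` is a make variable). Use the value the prepare step already computes: `--build-arg LDFLAGS="-X github.com/deislabs/ratify/internal/version.Version=${{ steps.prepare.outputs.version }}" \`. The prepare step also relies on the deprecated `::set-output` workflow command; each output should be written as `echo "version=${VERSION}" >> "$GITHUB_OUTPUT"` so the job keeps working when GitHub removes the old command. Lastly, the `actions/checkout` SHA pin carries no trailing version comment, unlike the `docker/login-action` pin (`# v3.0.0`); adding the tag the SHA resolves to keeps the pin auditable.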
10 changes: 0 additions & 10 deletions .github/workflows/publish-package.yml
Expand Up @@ -4,8 +4,6 @@ on:
push:
tags:
- v*
schedule:
- cron: '30 8 * * 0' # early morning (08:30 UTC) every Sunday
workflow_dispatch:

permissions: read-all
Expand All @@ -24,20 +22,12 @@ jobs:
run: |
VERSION=${GITHUB_REF#refs/*/}
BRANCH_NAME=${GITHUB_REF#refs/heads/}
DATE=$(date +'%Y%m%d')
COMMIT=${{ github.sha }}
REPOSITORY=ghcr.io/${{ github.repository }}
REPOSITORYBASE=ghcr.io/${{ github.repository }}-base
REPOSITORYCRD=ghcr.io/${{ github.repository }}-crds
if [[ "${VERSION}" == "${BRANCH_NAME}" ]]; then
VERSION=$(git rev-parse --short HEAD)
fi
if [[ "${{ github.event_name }}" == "workflow_dispatch" || "${{ github.event_name }}" == "schedule" ]]; then
VERSION=dev.${DATE}.${COMMIT:0:7}
REPOSITORY=${REPOSITORY}-dev
REPOSITORYBASE=${REPOSITORYBASE}-dev
REPOSITORYCRD=${REPOSITORYCRD}-dev
fi
echo ::set-output name=version::${VERSION}
echo ::set-output name=ref::${REPOSITORY}:${VERSION}
echo ::set-output name=baseref::${REPOSITORYBASE}:${VERSION}
14 changes: 12 additions & 2 deletions CONTRIBUTING.md
Expand Up @@ -155,8 +155,14 @@ docker push ${REGISTRY}/deislabs/ratify:yourtag
docker push ${REGISTRY}/localbuildcrd:yourtag
```

### Deploy using Dev Helmfile
#### Update dev.helmfile.yaml
Replace Ratify `chart` and `version` with local values:
```yaml
...
chart: chart/ratify
version: <INSERT VERSION> # ATTENTION: Needs to match latest in Chart.yaml
...
```
Replace `repository`, `crdRepository`, and `tag` with previously built images:
```yaml
- name: image.repository
Expand All @@ -167,9 +173,13 @@ Replace `repository`, `crdRepository`, and `tag` with previously built images:
value: <YOUR IMAGES TAG NAME>
```
### Deploy using Dev Helmfile
Development charts + images are published weekly and latest versions are tagged with rolling tags referenced in dev helmfile.
Deploy to cluster:
```bash
helmfile sync -f dev.helmfile.yaml
helmfile sync -f git::https://github.com/deislabs/ratify.git@dev.helmfile.yaml
```

### Deploy from local helm chart
6 changes: 4 additions & 2 deletions RELEASES.md
Expand Up @@ -26,9 +26,11 @@ Example pre-release versions include `v0.1.0-alpha1`, `v0.1.0-beta2`, `v0.1.0-rc

2. If the format of the data returned for [external data calls](docs/reference/verification-result-version.md) has changed, validate change is also reflected in [`httpserver/types.go`](httpserver/types.go).

3. Delete all dev images generated since the previous release under the `ratify-dev` and `ratify-crds-dev` [packages](https://github.com/orgs/deislabs/packages?repo_name=ratify). Each dev image tag is prefixed with `dev` followed by the date of creation and then the abbreviated 7 character commit SHA (e.g a build generated on March 8, 2023 from main branch with commit SHA `4cf98388ef33c587ef86b82e05cb0f7de2da2ea8` would be tagged `dev.20230308.4cf9838`).
3. Delete all dev images generated since the previous release under the `ratify-dev` and `ratify-crds-dev` [packages](https://github.com/orgs/deislabs/packages?repo_name=ratify). Each dev image tag is prefixed with `dev` followed by the date of creation and then the abbreviated 7 character commit SHA (e.g a build generated on March 8, 2023 from main branch with commit SHA `4cf98388ef33c587ef86b82e05cb0f7de2da2ea8` would be tagged `dev.20230308.4cf9838`). The most recent images are also tagged with a rolling tag `latest`.

4. Copy contents from [`dev.helmfile.yaml`](dev.helmfile.yaml) to [`helmfile.yaml`](helmfile.yaml) & [`dev.high-availability.helmfile.yaml`](dev.high-availability.helmfile.yaml) to [`high-availability.helmfile.yaml`](high-availability.helmfile.yaml). You MUST update/remove values marked by comments in the files. The `dev` prefixed helmfiles are treated as staging files that are up to date with new changes on main branch. The primary `helmfile.yaml` and `high-availability.helmfile.yaml` MUST stay pinned to the current release since they are used by the quickstarts. Update `dev.helmfile.yaml` & `dev.high-availability.helmfile.yaml` ratify chart version to new release version.
4. Delete all dev helm charts since the previous release under the `ratify-chart-dev/ratify` [packages](https://github.com/orgs/deislabs/packages?repo_name=ratify). Each helm chart is published with a semantic version compatible tag `0-dev` followed by the date of creation and then the abbreviated 7 character commit SHA (e.g a chart generated on March 8, 2023 from main branch with commit SHA `4cf98388ef33c587ef86b82e05cb0f7de2da2ea8` would be tagged `0-dev.20230308.4cf9838`). The most recent dev chart is also tagged with the rolling tag `0-dev`.

5. Copy contents from [`dev.helmfile.yaml`](dev.helmfile.yaml) to [`helmfile.yaml`](helmfile.yaml) & [`dev.high-availability.helmfile.yaml`](dev.high-availability.helmfile.yaml) to [`high-availability.helmfile.yaml`](high-availability.helmfile.yaml). You MUST update/remove values marked by comments in the files. The `dev` prefixed helmfiles are treated as staging files that are up to date with new changes on main branch. The primary `helmfile.yaml` and `high-availability.helmfile.yaml` MUST stay pinned to the current release since they are used by the quickstarts. Update `dev.helmfile.yaml` & `dev.high-availability.helmfile.yaml` ratify chart version to new release version.

## Git Release Flow

15 changes: 4 additions & 11 deletions dev.helmfile.yaml
Expand Up @@ -2,7 +2,8 @@ repositories:
- name: gatekeeper
url: https://open-policy-agent.github.io/gatekeeper/charts
- name: ratify
url: https://deislabs.github.io/ratify
url: ghcr.io/deislabs/ratify-chart-dev # PRERELEASE: Change to 'https://deislabs.github.io/ratify' before copying to helmfile.yaml
oci: true # PRERELEASE: Remove before copying to helmfile.yaml

releases:
- name: gatekeeper
Expand All @@ -22,8 +23,8 @@ releases:
value: 10s
- name: ratify
namespace: gatekeeper-system
chart: charts/ratify # PRERELEASE: Change to 'ratify/ratify' before copying to helmfile.yaml
version: 1.12.0 # ATTENTION: Needs to match latest in Chart.yaml
chart: ratify/ratify
version: 0-dev # ATTENTION: Needs to match latest in Chart.yaml
wait: true
needs:
- gatekeeper
Expand Down Expand Up @@ -74,11 +75,3 @@ releases:
value: {{ exec "curl" (list "-sSL" "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/notation.crt") | quote }}
- name: featureFlags.RATIFY_CERT_ROTATION
value: true
- name: image.repository # PRERELEASE: REMOVE before copying to helmfile.yaml
value: ghcr.io/deislabs/ratify-dev # PRERELEASE: REMOVE before copying to helmfile.yaml
- name: image.crdRepository # PRERELEASE: REMOVE before copying to helmfile.yaml
value: ghcr.io/deislabs/ratify-crds-dev # PRERELEASE: REMOVE before copying to helmfile.yaml
- name: image.tag # PRERELEASE: REMOVE before copying to helmfile.yaml
value: dev.20230822.cd81c6e # PRERELEASE: REMOVE before copying to helmfile.yaml
- name: image.pullPolicy # PRERELEASE: REMOVE before copying to helmfile.yaml
value: Always # PRERELEASE: REMOVE before copying to helmfile.yaml
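Review bot: The new `version: 0-dev` line keeps the comment `# ATTENTION: Needs to match latest in Chart.yaml`, which no longer holds: `0-dev` is the rolling tag the publish-dev-assets workflow pushes to `ghcr.io/deislabs/ratify-chart-dev`, not a Chart.yaml version, so the comment sends a contributor to the wrong place. Suggest `version: 0-dev # PRERELEASE: rolling dev chart tag; change to the released chart version before copying to helmfile.yaml`, matching the PRERELEASE markers already on the `url` and `oci` lines. Because the tag is mutable, `helmfile sync` against this file is not reproducible and silently picks up whatever chart was pushed last; where a known build matters, pin the immutable `0-dev.<date>.<sha>` form that RELEASES.md describes.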
38 changes: 29 additions & 9 deletions dev.high-availability.helmfile.yaml
@@ -1,10 +1,13 @@
repositories:
- name: gatekeeper
url: https://open-policy-agent.github.io/gatekeeper/charts
- name: dapr
url: https://dapr.github.io/helm-charts/
- name: bitnami
url: https://charts.bitnami.com/bitnami
- name: ratify
url: https://deislabs.github.io/ratify
url: ghcr.io/deislabs/ratify-chart-dev # PRERELEASE: Change to 'https://deislabs.github.io/ratify' before copying to helmfile.yaml
oci: true # PRERELEASE: Remove before copying to helmfile.yaml

releases:
- name: dapr
Expand All @@ -13,8 +16,24 @@ releases:
chart: dapr/dapr
version: 1.11.1
wait: true
- name: gatekeeper
namespace: gatekeeper-system
createNamespace: true
chart: gatekeeper/gatekeeper
version: 3.14.0
wait: true
set:
- name: enableExternalData
value: true
- name: validatingWebhookTimeoutSeconds
value: 5
- name: mutatingWebhookTimeoutSeconds
value: 2
- name: externaldataProviderResponseCacheTTL
value: 10s
- name: redis
namespace: gatekeeper-system
createNamespace: true
chart: bitnami/redis
version: 17.11.6
wait: true
Expand All @@ -31,12 +50,13 @@ releases:
value: false
- name: ratify
namespace: gatekeeper-system
chart: charts/ratify/
version: 1.12.0 # ATTENTION: Needs to match latest in Chart.yaml
chart: ratify/ratify
version: 0-dev # ATTENTION: Needs to match latest in Chart.yaml
wait: true
needs:
- dapr-system/dapr
- gatekeeper-system/redis
- gatekeeper-system/gatekeeper
hooks:
- events: ["presync"]
showlogs: true
Expand All @@ -53,6 +73,12 @@ releases:
- "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/dapr/dapr-redis.yaml"
- "-n"
- "gatekeeper-system"
- events: ["presync"]
showlogs: true
command: "bash"
args:
- "-c"
- "kubectl apply -f https://deislabs.github.io/ratify/library/default/template.yaml && kubectl apply -f https://deislabs.github.io/ratify/library/default/samples/constraint.yaml"
- events: ["postuninstall"]
showlogs: true
command: "kubectl"
Expand Down Expand Up @@ -109,12 +135,6 @@ releases:
- "-n"
- "gatekeeper-system"
set:
- name: image.repository # REMOVE before copying to high-availability.helmfile.yaml
value: ghcr.io/deislabs/ratify-dev # REMOVE before copying to high-availability.helmfile.yaml
- name: image.crdRepository # REMOVE before copying to high-availability.helmfile.yaml
value: ghcr.io/deislabs/ratify-crds-dev # REMOVE before copying to high-availability.helmfile.yaml
- name: image.tag # REMOVE before copying to high-availability.helmfile.yaml
value: dev.20230822.cd81c6e # REMOVE before copying to high-availability.helmfile.yaml
- name: featureFlags.RATIFY_EXPERIMENTAL_HIGH_AVAILABILITY
value: true
- name: featureFlags.RATIFY_CERT_ROTATION
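Review bot: The new presync hook applies the ConstraintTemplate and, in the same `bash -c` command, the Constraint that depends on it; Gatekeeper registers the Constraint's CRD asynchronously after the template is admitted, so on a fresh cluster the second `kubectl apply` can run before that CRD exists and fail (inferred — the template's contents are not in this diff). A `kubectl wait --for=condition=established --timeout=60s crd/<crd created by the template>` between the two applies, or splitting them into two hooks, would remove the race. Both manifests are fetched from the unversioned `https://deislabs.github.io/ratify/library/default/` URLs, like the existing raw.githubusercontent `main` fetch in the hook above it, which is acceptable for a dev helmfile but means the applied policy can change underneath a pinned chart. Separately, the `version: 0-dev` line keeps `# ATTENTION: Needs to match latest in Chart.yaml`, which is stale for the same reason as in dev.helmfile.yaml: `0-dev` is the rolling dev chart tag, not a Chart.yaml version, so `# PRERELEASE: rolling dev chart tag; change to the released chart version before copying to high-availability.helmfile.yaml` would be accurate.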
