Helm CI and Release jobs (#578)

* cosigned: update golang to 1.17.0 Signed-off-by: Carlos Panato <[email protected]> * helm: add jobs to lint/test/release the cosigned helm chart Signed-off-by: Carlos Panato <[email protected]> * update chart Signed-off-by: Carlos Panato <[email protected]>
sigstore · Aug 26, 2021 · 30fa296 · 30fa296
1 parent 5f6b05f
commit 30fa296
Show file tree

Hide file tree

Showing 10 changed files with 192 additions and 8 deletions.
diff --git a/.github/workflows/helm-ci.yaml b/.github/workflows/helm-ci.yaml
@@ -0,0 +1,84 @@
+name: Helm CI
+
+on:
+  pull_request:
+    branches:
+      - "*"
+
+  push:
+    branches:
+      - main
+
+jobs:
+
+  changes:
+    runs-on: ubuntu-latest
+    outputs:
+      go: ${{ steps.filter.outputs.go }}
+      charts: ${{ steps.filter.outputs.charts }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - uses: dorny/paths-filter@v2
+        id: filter
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          filters: |
+            charts:
+              - 'chart/cosigned/Chart.yaml'
+              - 'chart/cosigned/**/*'
+
+  helm:
+    name: Helm chart
+    runs-on: ubuntu-latest
+    needs:
+      - changes
+    if: |
+      (needs.changes.outputs.charts == 'true')
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: v3.4.0
+
+      - uses: sigstore/[email protected]
+
+      - uses: actions/setup-python@v2
+        with:
+          python-version: 3.7
+
+      - name: Set up chart-testing
+        uses: helm/[email protected]
+
+      - name: Run chart-testing (lint)
+        run: ct lint --config chart/ct.yaml
+
+      - name: Create kind cluster
+        uses: helm/[email protected]
+
+      - name: Install Cert-Manager
+        run: |
+          helm install \
+            cert-manager jetstack/cert-manager \
+            --namespace cert-manager \
+            --create-namespace \
+            --version v1.5.0 \
+            --set installCRDs=true
+
+      - name: Create temp secret for testing
+        run: |
+          export COSIGN_PASSWORD=honk@123
+          cosign generate-key-pair
+          kubectl create secret generic ci-honk-secret -n default --from-file=cosign.pub=./cosign.pub
+          kubectl wait --for=condition=ready --timeout=300s pod --all -n cert-manager
+          kubectl get po -A
+
+      - name: Run chart-testing (install)
+        run: ct install --config chart/ct.yaml
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
@@ -0,0 +1,59 @@
+name: Helm Release
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+
+  changes:
+    runs-on: ubuntu-latest
+    if: |
+      (github.repository == 'sigstore/cosign')
+    outputs:
+      charts: ${{ steps.filter.outputs.charts }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - uses: dorny/paths-filter@v2
+        id: filter
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          filters: |
+            charts:
+              - 'chart/cosigned/Chart.yaml'
+              - 'chart/cosigned/**/*'
+
+  release:
+    name: Release Chart
+    runs-on: ubuntu-latest
+    needs:
+      - changes
+    if: |
+      (github.repository == 'sigstore/cosign') &&
+      (needs.changes.outputs.charts == 'true')
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+      - name: Install Helm
+        uses: azure/setup-helm@v1
+        with:
+          version: v3.4.0
+
+      - name: Run chart-releaser
+        uses: helm/[email protected]
+        with:
+          charts_dir: chart
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/Dockerfile.cosigned b/Dockerfile.cosigned
@@ -14,7 +14,7 @@
 
 ARG RUNTIME_IMAGE=gcr.io/distroless/base:debug
 
-FROM golang:1.16.6 as build
+FROM golang:1.17.0 as build
 
 WORKDIR /go/src/cosign
 ADD . /go/src/cosign
@@ -25,4 +25,4 @@ FROM $RUNTIME_IMAGE
 
 COPY --from=build /go/src/cosign/cosigned /bin/
 
-ENTRYPOINT [ "/bin/cosigned" ]
+ENTRYPOINT [ "/bin/cosigned" ]
diff --git a/chart/cosigned/Chart.yaml b/chart/cosigned/Chart.yaml
@@ -13,12 +13,14 @@
 # limitations under the License.
 
 apiVersion: v2
-appVersion: "dev"
 description: The Helm chart for Cosigned
 home: https://github.com/sigstore/cosign
+sources:
+  - https://github.com/sigstore/cosign
 name: cosigned
 type: application
-version: v0.0.0-dev
+version: v0.0.1-dev
+appVersion: "dev"
 maintainers:
   - name: dlorenc
   - name: hectorj2f
diff --git a/chart/cosigned/ci/ci-values.yaml b/chart/cosigned/ci/ci-values.yaml
@@ -0,0 +1,17 @@
+# Copyright 2021 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+webhook:
+  secretKeyRef:
+    name: k8s://default/ci-honk-secret
diff --git a/chart/cosigned/templates/webhook/certificate_webhook.yaml b/chart/cosigned/templates/webhook/certificate_webhook.yaml
@@ -41,4 +41,4 @@ metadata:
 spec:
   selfSigned: {}
 {{- end }}
-{{- end }}
+{{- end }}
diff --git a/chart/cosigned/templates/webhook/deployment_webhook.yaml b/chart/cosigned/templates/webhook/deployment_webhook.yaml
@@ -52,7 +52,7 @@ spec:
 {{- end }}
         args:
         - --tls-cert-dir=/certs/
-        - --secret-key-ref={{ .Values.webhook.secretKeyRef.name }}
+        - --secret-key-ref={{ required "Please set the secret name!" .Values.webhook.secretKeyRef.name }}
         {{- range $key, $value := .Values.webhook.extraArgs }}
         - --{{ $key }}={{ $value }}
         {{- end }}

diff --git a/chart/cosigned/templates/webhook/webhook_validating.yaml b/chart/cosigned/templates/webhook/webhook_validating.yaml
@@ -54,7 +54,7 @@ webhooks:
         - daemonset
         - statefulset
         - replicaset
-        - deployments     
+        - deployments
       - apiGroups:
         - "batch"
         apiVersions:

diff --git a/chart/cosigned/values.yaml b/chart/cosigned/values.yaml
@@ -37,7 +37,7 @@ commonTolerations: []
 
 webhook:
   secretKeyRef:
-    name: 
+    name:
   image:
     repository: hectorj2f/cosigned-admission-webhook
     tag: dev

diff --git a/chart/ct.yaml b/chart/ct.yaml
@@ -0,0 +1,22 @@
+# Copyright 2021 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# See https://github.com/helm/chart-testing#configuration
+chart-dirs:
+  - chart
+remote: origin
+target-branch: main
+chart-repos:
+  - stable=https://charts.helm.sh/stable
+  - jetstack=https://charts.jetstack.io