diff --git a/.github/workflows/helm-ci.yaml b/.github/workflows/helm-ci.yaml
new file mode 100644
index 00000000000..772967534db
--- /dev/null
+++ b/.github/workflows/helm-ci.yaml
@@ -0,0 +1,84 @@
+name: Helm CI
+
+on:
+ pull_request:
+ branches:
+ - "*"
+
+ push:
+ branches:
+ - main
+
+jobs:
+
+ changes:
+ runs-on: ubuntu-latest
+ outputs:
+ go: ${{ steps.filter.outputs.go }}
+ charts: ${{ steps.filter.outputs.charts }}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - uses: dorny/paths-filter@v2
+ id: filter
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ filters: |
+ charts:
+ - 'chart/cosigned/Chart.yaml'
+ - 'chart/cosigned/**/*'
+
+ helm:
+ name: Helm chart
+ runs-on: ubuntu-latest
+ needs:
+ - changes
+ if: |
+ (needs.changes.outputs.charts == 'true')
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+
+ - name: Set up Helm
+ uses: azure/setup-helm@v1
+ with:
+ version: v3.4.0
+
+ - uses: sigstore/cosign-installer@v1.1.0
+
+ - uses: actions/setup-python@v2
+ with:
+ python-version: 3.7
+
+ - name: Set up chart-testing
+ uses: helm/chart-testing-action@v2.0.1
+
+ - name: Run chart-testing (lint)
+ run: ct lint --config chart/ct.yaml
+
+ - name: Create kind cluster
+ uses: helm/kind-action@v1.2.0
+
+ - name: Install Cert-Manager
+ run: |
+ helm install \
+ cert-manager jetstack/cert-manager \
+ --namespace cert-manager \
+ --create-namespace \
+ --version v1.5.0 \
+ --set installCRDs=true
+
+ - name: Create temp secret for testing
+ run: |
+ export COSIGN_PASSWORD=honk@123
+ cosign generate-key-pair
+ kubectl create secret generic ci-honk-secret -n default --from-file=cosign.pub=./cosign.pub
+ kubectl wait --for=condition=ready --timeout=300s pod --all -n cert-manager
+ kubectl get po -A
+
+ - name: Run chart-testing (install)
+ run: ct install --config chart/ct.yaml
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
new file mode 100644
index 00000000000..9755ef23777
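Review bot: The `changes` job exposes `go: ${{ steps.filter.outputs.go }}`, but the `filters:` block passed to dorny/paths-filter only defines `charts`, so the `go` output is always empty and anything gating on it will never run; either drop the `go:` output line or add a matching `go:` filter. Every action in this workflow is pinned to a mutable tag (`actions/checkout@v2`, `dorny/paths-filter@v2`, `sigstore/cosign-installer@v1.1.0`, `helm/kind-action@v1.2.0`); for a workflow that runs on every pull request, pin each to a full commit SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v2`, so a moved tag cannot change what runs. `python-version: 3.7` is an unquoted float and should be `"3.7"` so a later bump to `3.10` is not parsed as `3.1`. The `Create temp secret for testing` step leaves the throwaway `cosign.key` in the workspace although only `cosign.pub` is used; an `rm -f cosign.key` after the `kubectl create secret` line keeps it out of the later steps.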
--- /dev/null
+++ b/.github/workflows/helm-release.yaml
@@ -0,0 +1,59 @@
+name: Helm Release
+
+on:
+ push:
+ branches:
+ - main
+ workflow_dispatch:
+
+jobs:
+
+ changes:
+ runs-on: ubuntu-latest
+ if: |
+ (github.repository == 'sigstore/cosign')
+ outputs:
+ charts: ${{ steps.filter.outputs.charts }}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - uses: dorny/paths-filter@v2
+ id: filter
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ filters: |
+ charts:
+ - 'chart/cosigned/Chart.yaml'
+ - 'chart/cosigned/**/*'
+
+ release:
+ name: Release Chart
+ runs-on: ubuntu-latest
+ needs:
+ - changes
+ if: |
+ (github.repository == 'sigstore/cosign') &&
+ (needs.changes.outputs.charts == 'true')
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+
+ - name: Configure Git
+ run: |
+ git config user.name "$GITHUB_ACTOR"
+ git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+ - name: Install Helm
+ uses: azure/setup-helm@v1
+ with:
+ version: v3.4.0
+
+ - name: Run chart-releaser
+ uses: helm/chart-releaser-action@v1.2.0
+ with:
+ charts_dir: chart
+ env:
+ CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/Dockerfile.cosigned b/Dockerfile.cosigned
index 04f2934a938..1ff0b0dc7f7 100644
--- a/Dockerfile.cosigned
+++ b/Dockerfile.cosigned
@@ -14,7 +14,7 @@ ARG RUNTIME_IMAGE=gcr.io/distroless/base:debug -FROM golang:1.16.6 as build +FROM golang:1.17.0 as build WORKDIR /go/src/cosign ADD . /go/src/cosign
@@ -25,4 +25,4 @@ FROM $RUNTIME_IMAGE COPY --from=build /go/src/cosign/cosigned /bin/ -ENTRYPOINT [ "/bin/cosigned" ] \ No newline at end of file +ENTRYPOINT [ "/bin/cosigned" ]
diff --git a/chart/cosigned/Chart.yaml b/chart/cosigned/Chart.yaml
index 1f07d66974d..a12bf0ae488 100644
--- a/chart/cosigned/Chart.yaml
+++ b/chart/cosigned/Chart.yaml
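Review bot: The `release` job hands helm/chart-releaser-action `CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"` but declares no `permissions:` block, so the token carries whatever the repository default is rather than the minimum the action needs; add at job level `permissions:` with `contents: write` (it pushes the index to the pages branch and creates releases) so the rest of the workflow keeps read-only defaults. The `changes` job gates the release on dorny/paths-filter, yet the workflow also has a `workflow_dispatch` trigger; on a manual run there is no push range to diff, so the filter may report no change and the release job would be skipped — presumably a `base` input, or a bypass of the filter when `github.event_name == 'workflow_dispatch'`, is what is wanted. The tag-only pinning of `actions/checkout@v2`, `dorny/paths-filter@v2`, `azure/setup-helm@v1` and `helm/chart-releaser-action@v1.2.0` is the same point raised on helm-ci.yaml; a release workflow is where a moved tag matters most, so pin these to commit SHAs.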
@@ -13,12 +13,14 @@ # limitations under the License. apiVersion: v2 -appVersion: "dev" description: The Helm chart for Cosigned home: https://github.com/sigstore/cosign +sources: + - https://github.com/sigstore/cosign name: cosigned type: application -version: v0.0.0-dev +version: v0.0.1-dev +appVersion: "dev" maintainers: - name: dlorenc - name: hectorj2f
diff --git a/chart/cosigned/ci/ci-values.yaml b/chart/cosigned/ci/ci-values.yaml
new file mode 100644
index 00000000000..abbe59a0280
--- /dev/null
+++ b/chart/cosigned/ci/ci-values.yaml
@@ -0,0 +1,17 @@
+# Copyright 2021 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+webhook:
+ secretKeyRef:
+ name: k8s://default/ci-honk-secret
diff --git a/chart/cosigned/templates/webhook/certificate_webhook.yaml b/chart/cosigned/templates/webhook/certificate_webhook.yaml
index 33196a9461c..40c0e533e27 100644
--- a/chart/cosigned/templates/webhook/certificate_webhook.yaml
+++ b/chart/cosigned/templates/webhook/certificate_webhook.yaml
@@ -41,4 +41,4 @@ metadata: spec: selfSigned: {} {{- end }} -{{- end }} \ No newline at end of file +{{- end }}
diff --git a/chart/cosigned/templates/webhook/deployment_webhook.yaml b/chart/cosigned/templates/webhook/deployment_webhook.yaml
index 750c0c97586..d19d4c401f1 100644
--- a/chart/cosigned/templates/webhook/deployment_webhook.yaml
+++ b/chart/cosigned/templates/webhook/deployment_webhook.yaml
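Review bot: `name: k8s://default/ci-honk-secret` in ci-values.yaml only works because the `Create temp secret for testing` step in `.github/workflows/helm-ci.yaml` creates a Secret of exactly that name in `default` before `ct install` runs, and nothing in this file records that coupling; add a comment above `webhook:` such as `# Secret is created by the "Create temp secret for testing" step in .github/workflows/helm-ci.yaml; keep name and namespace in sync.` so a rename on either side is not discovered only by a failing CI run. It is also worth stating in the same comment that chart-testing picks this file up automatically because it lives under `ci/`, since the values are never referenced explicitly.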
@@ -52,7 +52,7 @@ spec: {{- end }} args: - --tls-cert-dir=/certs/ - - --secret-key-ref={{ .Values.webhook.secretKeyRef.name }} + - --secret-key-ref={{ required "Please set the secret name!" .Values.webhook.secretKeyRef.name }} {{- range $key, $value := .Values.webhook.extraArgs }} - --{{ $key }}={{ $value }} {{- end }}
diff --git a/chart/cosigned/templates/webhook/webhook_validating.yaml b/chart/cosigned/templates/webhook/webhook_validating.yaml
index 24908328533..6b80495ff73 100644
--- a/chart/cosigned/templates/webhook/webhook_validating.yaml
+++ b/chart/cosigned/templates/webhook/webhook_validating.yaml
@@ -54,7 +54,7 @@ webhooks: - daemonset - statefulset - replicaset - - deployments + - deployments - apiGroups: - "batch" apiVersions:
diff --git a/chart/cosigned/values.yaml b/chart/cosigned/values.yaml
index 85b11388a97..41dba682741 100644
--- a/chart/cosigned/values.yaml
+++ b/chart/cosigned/values.yaml
@@ -37,7 +37,7 @@ commonTolerations: [] webhook: secretKeyRef: - name: + name: image: repository: hectorj2f/cosigned-admission-webhook tag: dev
diff --git a/chart/ct.yaml b/chart/ct.yaml
new file mode 100644
index 00000000000..9574ce10a2c
--- /dev/null
+++ b/chart/ct.yaml
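Review bot: The `required` message `"Please set the secret name!"` in deployment_webhook.yaml does not tell the operator which value to set or what form it takes, so the failing `helm install` is harder to act on than it needs to be; name the value path and the format the chart's own ci-values.yaml uses, e.g. `- --secret-key-ref={{ required "webhook.secretKeyRef.name must be set to the public-key Secret reference (k8s://<namespace>/<name>)" .Values.webhook.secretKeyRef.name }}`. The enclosing container spec starts and ends outside the hunk.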
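Review bot: The context lines around the whitespace fix in webhook_validating.yaml list `daemonset`, `statefulset` and `replicaset` in singular form next to the plural `deployments`; if these are entries under a rule's `resources:` in the ValidatingWebhookConfiguration (the list header is outside the hunk), the API server matches resources by their plural names, so the singular entries would match nothing and DaemonSet, StatefulSet and ReplicaSet admissions would never reach the webhook. Worth checking against a rendered manifest and, if confirmed, changing them to `daemonsets`, `statefulsets`, `replicasets`; the whitespace-only change in this commit does not touch them.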
@@ -0,0 +1,22 @@
+# Copyright 2021 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# See https://github.com/helm/chart-testing#configuration
+chart-dirs:
+ - chart
+remote: origin
+target-branch: main
+chart-repos:
+ - stable=https://charts.helm.sh/stable
+ - jetstack=https://charts.jetstack.io
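Review bot: `chart-repos` registers `stable=https://charts.helm.sh/stable`, but nothing on this page pulls a chart from it and the stable repository is archived, so the entry only adds a deprecated endpoint to every `ct lint` and `ct install`; drop it unless a chart dependency needs it. The `jetstack` entry appears to be what lets the `helm install cert-manager jetstack/cert-manager` step in helm-ci.yaml resolve, since that workflow never runs `helm repo add` and would rely on the earlier `ct lint` having added the repo; that coupling is fragile and is better made explicit, either with a comment here (`# jetstack is required by the cert-manager install in .github/workflows/helm-ci.yaml`) or with an explicit `helm repo add jetstack https://charts.jetstack.io` step before the install in the workflow.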