feat(chart): release security and workflow updates

projectcapsule · Oct 19, 2023 · 6cdcc48 · 6cdcc48
1 parent c30de4b
commit 6cdcc48
Show file tree

Hide file tree

Showing 7 changed files with 169 additions and 16 deletions.
diff --git a/.github/workflows/helm-publish.yml b/.github/workflows/helm-publish.yml
@@ -0,0 +1,64 @@
+name: Publish charts
+permissions: read-all
+on:
+  push:
+    tags: [ "helm-v*" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  publish-helm:
+    # Skip this Release on forks
+    if: github.repository_owner == 'capsuleproject'
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      - name: Publish Helm chart
+        uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
+        with:
+          token: "${{ secrets.GITHUB_TOKEN }}"
+          linting: off
+          charts_dir: charts
+          charts_url: https://${{ github.repository_owner }}.github.io/charts
+          owner: ${{ github.repository_owner }}
+          repository: charts
+          branch: gh-pages
+          commit_username: ${{ github.actor }}
+  publish-helm-oci:
+    runs-on: ubuntu-20.04
+    permissions:
+      contents: write
+      id-token: write
+      packages: write
+    outputs:
+      chart-digest: ${{ steps.helm_publish.outputs.digest }}
+    steps:
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+      - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+      - name: Helm | Publish
+        id: helm_publish
+        uses: oliverbaehler/github-actions/helm-oci-chart@8dfd42735c85f6c58d5d4d6f3232cd0e39d1fe73 # v0.1.0
+        with:
+          registry: ghcr.io
+          repository: ${{ github.repository_owner }}/charts
+          name: "capsule"
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.GITHUB_TOKEN }}
+          update-dependencies: 'true' # Defaults to false
+          sign-image: 'true'
+          signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+  helm-provenance:
+    needs: publish-helm-oci
+    permissions:
+      id-token: write   # To sign the provenance.
+      packages: write   # To upload assets to release.
+      actions: read     # To read the workflow path.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/charts/capsule
+      digest: "${{ needs.publish-helm-oci.outputs.chart-digest }}"
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/helm-test.yml b/.github/workflows/helm-test.yml
@@ -0,0 +1,69 @@
+name: Test charts
+permissions: {}
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        with:
+          fetch-depth: 0
+      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
+      - name: Linting Chart
+        run: helm lint ./charts/capsule
+      - name: Setup Chart Linting
+        id: lint
+        uses: helm/chart-testing-action@e8788873172cb653a90ca2e819d79d65a66d4e76 # v2.4.0
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --config ./.github/configs/ct.yaml)
+          if [[ -n "$changed" ]]; then
+            echo "::set-output name=changed::true"
+          fi
+      - name: Run chart-testing (lint)
+        run: ct lint --debug --config ./.github/configs/ct.yaml --lint-conf ./.github/configs/lintconf.yaml
+      - name: Run docs-testing (helm-docs)
+        id: helm-docs
+        run: |
+          make helm-docs
+          if [[ $(git diff --stat) != '' ]]; then
+            echo -e '\033[0;31mDocumentation outdated! (Run make helm-docs locally and commit)\033[0m ❌'
+            git diff --color
+            exit 1
+          else
+            echo -e '\033[0;32mDocumentation up to date\033[0m ✔'
+          fi
+
+      # ATTENTION: This is a workaround for the upcoming ApiVersion Conversions for the capsule CRDs
+      # With this workflow the current docker image is build and loaded into kind, otherwise the install fails
+      # In the future this must be removed and the chart-testing-action must be used
+      - name: Run chart-testing (install)
+        run: make helm-test
+        if: steps.list-changed.outputs.changed == 'true'
+
+      ## Create KIND Cluster
+      - name: Create kind cluster
+        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
+        if: steps.list-changed.outputs.changed == 'true'
+      # Install Required Operators/CRDs
+      - name: Prepare Cluster Operators/CRDs
+        run: |
+          # Cert-Manager CRDs
+          kubectl create -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
+          
+          # Prometheus CRDs
+          kubectl create -f https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.58.0/bundle.yaml
+        if: steps.list-changed.outputs.changed == 'true'
+      # Install Charts
+      - name: Run chart-testing (install)
+        run: ct install --debug --config ./.github/configs/ct.yaml
+        if: steps.list-changed.outputs.changed == 'true'
diff --git a/charts/capsule/README.md b/charts/capsule/README.md
@@ -22,19 +22,27 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator
 
 1. Add this repository:
 
-        $ helm repo add clastix https://clastix.github.io/charts
+        $ helm repo add projectcapsule https://projectcapsule.github.io/charts
 
 2. Install the Chart:
 
-        $ helm install capsule clastix/capsule -n capsule-system --create-namespace
+        $ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace
+
+        or
+
+        $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6  -n capsule-system --create-namespace
 
 3. Show the status:
 
         $ helm status capsule -n capsule-system
 
 4. Upgrade the Chart
 
-        $ helm upgrade capsule clastix/capsule -n capsule-system
+        $ helm upgrade capsule projectcapsule/capsule -n capsule-system
+
+        or
+
+        $ helm upgrade capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.7
 
 5. Uninstall the Chart
 
@@ -68,6 +76,7 @@ Here the values you can override:
 | customLabels | object | `{}` | Additional labels which will be added to all resources created by Capsule helm chart |
 | imagePullSecrets | list | `[]` | Configuration for `imagePullSecrets` so that you can use a private images registry. |
 | jobs.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy of the helm chart job |
+| jobs.image.registry | string | `"docker.io"` | Set the image repository of the helm chart job |
 | jobs.image.repository | string | `"clastix/kubectl"` | Set the image repository of the helm chart job |
 | jobs.image.tag | string | `""` | Set the image tag of the helm chart job |
 | mutatingWebhooksTimeoutSeconds | int | `30` | Timeout in seconds for mutating webhooks |
@@ -94,7 +103,8 @@ Here the values you can override:
 |-----|------|---------|-------------|
 | manager.hostNetwork | bool | `false` | Specifies if the container should be started in hostNetwork mode.  Required for use in some managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working |
 | manager.image.pullPolicy | string | `"IfNotPresent"` | Set the image pull policy. |
-| manager.image.repository | string | `"clastix/capsule"` | Set the image repository of the capsule. |
+| manager.image.registry | string | `"ghcr.io"` | Set the image registry of capsule. |
+| manager.image.repository | string | `"projectcapsule/capsule"` | Set the image repository of capsule. |
 | manager.image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
 | manager.kind | string | `"Deployment"` | Set the controller deployment mode as `Deployment` or `DaemonSet`. |
 | manager.livenessProbe | object | `{"httpGet":{"path":"/healthz","port":10080}}` | Configure the liveness probe using Deployment probe spec |
@@ -196,7 +206,7 @@ Capsule, as many other add-ons, defines its own set of Custom Resource Definitio
 You can enable the generation of certificates using `cert-manager` as follows.
 
 ```
-helm upgrade --install capsule clastix/capsule --namespace capsule-system --create-namespace \
+helm upgrade --install capsule projectcapsule/capsule --namespace capsule-system --create-namespace \
   --set "certManager.generateCertificates=true" \
   --set "tls.create=false" \
   --set "tls.enableController=false"

diff --git a/charts/capsule/README.md.gotmpl b/charts/capsule/README.md.gotmpl
@@ -22,19 +22,27 @@ The Capsule Operator Chart can be used to instantly deploy the Capsule Operator
 
 1. Add this repository:
 
-        $ helm repo add clastix https://clastix.github.io/charts
+        $ helm repo add projectcapsule https://projectcapsule.github.io/charts
 
 2. Install the Chart:
 
-        $ helm install capsule clastix/capsule -n capsule-system --create-namespace
+        $ helm install capsule projectcapsule/capsule -n capsule-system --create-namespace
+
+        or
+
+        $ helm install capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.6  -n capsule-system --create-namespace
 
 3. Show the status:
 
         $ helm status capsule -n capsule-system
 
 4. Upgrade the Chart
 
-        $ helm upgrade capsule clastix/capsule -n capsule-system
+        $ helm upgrade capsule projectcapsule/capsule -n capsule-system
+
+        or
+
+        $ helm upgrade capsule oci://ghcr.io/projectcapsule/charts/capsule --version 0.4.7
 
 5. Uninstall the Chart
 
@@ -132,7 +140,7 @@ Capsule, as many other add-ons, defines its own set of Custom Resource Definitio
 You can enable the generation of certificates using `cert-manager` as follows.
 
 ```
-helm upgrade --install capsule clastix/capsule --namespace capsule-system --create-namespace \
+helm upgrade --install capsule projectcapsule/capsule --namespace capsule-system --create-namespace \
   --set "certManager.generateCertificates=true" \
   --set "tls.create=false" \
   --set "tls.enableController=false"

diff --git a/charts/capsule/templates/_helpers.tpl b/charts/capsule/templates/_helpers.tpl
@@ -80,7 +80,7 @@ Create the name of the service account to use
 Create the manager fully-qualified Docker image to use
 */}}
 {{- define "capsule.managerFullyQualifiedDockerImage" -}}
-{{- printf "%s:%s" .Values.manager.image.repository ( .Values.manager.image.tag | default (printf "v%s" .Chart.AppVersion) ) -}}
+{{- printf "%s/%s:%s" .Values.manager.image.registry  .Values.manager.image.repository ( .Values.manager.image.tag | default (printf "v%s" .Chart.AppVersion) ) -}}
 {{- end }}
 
 {{/*
@@ -106,9 +106,9 @@ Create the jobs fully-qualified Docker image to use
 */}}
 {{- define "capsule.jobsFullyQualifiedDockerImage" -}}
 {{- if .Values.jobs.image.tag }}
-{{- printf "%s:%s" .Values.jobs.image.repository .Values.jobs.image.tag -}}
+{{- printf "%s/%s:%s" .Values.jobs.image.registry .Values.jobs.image.repository .Values.jobs.image.tag -}}
 {{- else }}
-{{- printf "%s:%s" .Values.jobs.image.repository (include "capsule.jobsTagKubeVersion" .) -}}
+{{- printf "%s/%s:%s" .Values.jobs.image.registry .Values.jobs.image.repository (include "capsule.jobsTagKubeVersion" .) -}}
 {{- end }}
 {{- end }}
 

diff --git a/charts/capsule/templates/deployment.yaml b/charts/capsule/templates/deployment.yaml
@@ -60,8 +60,6 @@ spec:
             secretName: {{ include "capsule.secretTlsName" . }}
       containers:
         - name: manager
-          command:
-          - /manager
           args:
           - --webhook-port={{ .Values.manager.webhookPort }}
           - --enable-leader-election

diff --git a/charts/capsule/values.yaml b/charts/capsule/values.yaml
@@ -18,8 +18,10 @@ manager:
   kind: Deployment
 
   image:
-    # -- Set the image repository of the capsule.
-    repository: clastix/capsule
+     # -- Set the image registry of capsule.
+    registry: ghcr.io
+    # -- Set the image repository of capsule.
+    repository: projectcapsule/capsule
     # -- Set the image pull policy.
     pullPolicy: IfNotPresent
     # -- Overrides the image tag whose default is the chart appVersion.
@@ -135,6 +137,8 @@ podSecurityPolicy:
 
 jobs:
   image:
+    # -- Set the image repository of the helm chart job
+    registry: docker.io
     # -- Set the image repository of the helm chart job
     repository: clastix/kubectl
     # -- Set the image pull policy of the helm chart job