From 6e61b830faa46620f62730bba596b3454e972c29 Mon Sep 17 00:00:00 2001 From: Richard Wall Date: Fri, 19 Sep 2025 09:54:39 +0100 Subject: [PATCH] build(release): update release process for CyberArk Discovery and Context - Add ARK image and chart outputs to GitHub Actions workflow - Refactor Makefile variables for ARK image/chart repositories and digests - Update image annotations for CyberArk branding and documentation links - Adjust e2e test script to use new ARK image/chart variables - Remove unused OCI_BASE variable from root Makefile Signed-off-by: Richard Wall --- .github/workflows/release.yml | 14 +++++++++- RELEASE.md | 19 +++++++++----- hack/ark/test-e2e.sh | 12 ++++++--- make/00_mod.mk | 2 -- make/ark/00_mod.mk | 10 +++---- make/ark/02_mod.mk | 49 ++++++++++++++++++++--------------- 6 files changed, 67 insertions(+), 39 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c443f10f..8fb5f529 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -37,13 +37,19 @@ jobs: go-version: ${{ steps.go-version.outputs.result }} - id: release - run: make release + run: make release ark-release outputs: RELEASE_OCI_PREFLIGHT_IMAGE: ${{ steps.release.outputs.RELEASE_OCI_PREFLIGHT_IMAGE }} RELEASE_OCI_PREFLIGHT_TAG: ${{ steps.release.outputs.RELEASE_OCI_PREFLIGHT_TAG }} RELEASE_HELM_CHART_IMAGE: ${{ steps.release.outputs.RELEASE_HELM_CHART_IMAGE }} RELEASE_HELM_CHART_VERSION: ${{ steps.release.outputs.RELEASE_HELM_CHART_VERSION }} + ARK_IMAGE: ${{ steps.release.outputs.ARK_IMAGE }} + ARK_IMAGE_TAG: ${{ steps.release.outputs.ARK_IMAGE_TAG }} + ARK_IMAGE_DIGEST: ${{ steps.release.outputs.ARK_IMAGE_DIGEST }} + ARK_CHART: ${{ steps.release.outputs.ARK_CHART }} + ARK_CHART_TAG: ${{ steps.release.outputs.ARK_CHART_TAG }} + ARK_CHART_DIGEST: ${{ steps.release.outputs.ARK_CHART_DIGEST }} github_release: runs-on: ubuntu-latest 
@@ -61,6 +67,12 @@ jobs: echo "OCI_PREFLIGHT_TAG: ${{ needs.build_and_push.outputs.RELEASE_OCI_PREFLIGHT_TAG }}" >> .notes-file echo "HELM_CHART_IMAGE: ${{ needs.build_and_push.outputs.RELEASE_HELM_CHART_IMAGE }}" >> .notes-file echo "HELM_CHART_VERSION: ${{ needs.build_and_push.outputs.RELEASE_HELM_CHART_VERSION }}" >> .notes-file + echo "ARK_IMAGE: ${{ needs.build_and_push.outputs.ARK_IMAGE }}" >> .notes-file + echo "ARK_IMAGE_TAG: ${{ needs.build_and_push.outputs.ARK_IMAGE_TAG }}" >> .notes-file + echo "ARK_IMAGE_DIGEST: ${{ needs.build_and_push.outputs.ARK_IMAGE_DIGEST }}" >> .notes-file + echo "ARK_CHART: ${{ needs.build_and_push.outputs.ARK_CHART }}" >> .notes-file + echo "ARK_CHART_TAG: ${{ needs.build_and_push.outputs.ARK_CHART_TAG }}" >> .notes-file + echo "ARK_CHART_DIGEST: ${{ needs.build_and_push.outputs.ARK_CHART_DIGEST }}" >> .notes-file - env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/RELEASE.md b/RELEASE.md index a3b466ba..3958e6bd 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -10,10 +10,11 @@ The release process is semi-automated. > [!NOTE] > > Upon pushing the tag, a GitHub Action will do the following: -> - Build and publish the container image at `quay.io/jetstack/venafi-agent`, -> - Build and publish the Helm chart at `oci://quay.io/jetstack/charts/venafi-kubernetes-agent`, +> - Build and publish the container image: `quay.io/jetstack/venafi-agent`, +> - Build and publish the Helm chart: `oci://quay.io/jetstack/charts/venafi-kubernetes-agent`, +> - Build and publish the container image: `quay.io/jetstack/cyberark-disco-agent`, +> - Build and publish the Helm chart: `oci://quay.io/jetstack/charts/cyberark-disco-agent`, > - Create a draft GitHub release, -> - Upload the Helm chart tarball to the GitHub release. 1. Upgrade the Go dependencies. 
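Review bot: The six added `echo "ARK_…: ${{ needs.build_and_push.outputs.… }}"` lines expand workflow expressions directly into the shell script text, so any shell metacharacter in an output value is parsed as script rather than data. The values come from Makefile variables, and the tag values are presumably derived from the pushed Git tag, so the exposure is limited to people who can push tags. Passing them through `env:` and referencing shell variables removes the pattern entirely. The four existing `RELEASE_*` lines above have the same shape and could be converted in the same change. The step header is outside this hunk, so the placement of `env:` below is indicative only.

```yaml
# … unchanged: step header …
  env:
    ARK_IMAGE: ${{ needs.build_and_push.outputs.ARK_IMAGE }}
    ARK_IMAGE_TAG: ${{ needs.build_and_push.outputs.ARK_IMAGE_TAG }}
    ARK_IMAGE_DIGEST: ${{ needs.build_and_push.outputs.ARK_IMAGE_DIGEST }}
    ARK_CHART: ${{ needs.build_and_push.outputs.ARK_CHART }}
    ARK_CHART_TAG: ${{ needs.build_and_push.outputs.ARK_CHART_TAG }}
    ARK_CHART_DIGEST: ${{ needs.build_and_push.outputs.ARK_CHART_DIGEST }}
  run: |
    # … unchanged: existing RELEASE_* echo lines …
    echo "ARK_IMAGE: ${ARK_IMAGE}" >> .notes-file
    echo "ARK_IMAGE_TAG: ${ARK_IMAGE_TAG}" >> .notes-file
    echo "ARK_IMAGE_DIGEST: ${ARK_IMAGE_DIGEST}" >> .notes-file
    echo "ARK_CHART: ${ARK_CHART}" >> .notes-file
    echo "ARK_CHART_TAG: ${ARK_CHART_TAG}" >> .notes-file
    echo "ARK_CHART_DIGEST: ${ARK_CHART_DIGEST}" >> .notes-file
```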
@@ -71,9 +72,10 @@ The release process is semi-automated. For context, the new tag will create the following images: -| Image | Automation | -| --------------------------------------------------------- | -------------------------------------------------------------------------------------------- | +| Image | Automation | +|-----------------------------------------------------------|----------------------------------------------------------------------------------------------| | `quay.io/jetstack/venafi-agent` | Automatically built by the [release action](.github/workflows/release.yml) on Git tag pushes | +| `quay.io/jetstack/cyberark-disco-agent` | Automatically built by the [release action](.github/workflows/release.yml) on Git tag pushes | | `registry.venafi.cloud/venafi-agent/venafi-agent` | Automatically mirrored by Harbor Replication rule | | `private-registry.venafi.cloud/venafi-agent/venafi-agent` | Automatically mirrored by Harbor Replication rule | | `private-registry.venafi.eu/venafi-agent/venafi-agent` | Automatically mirrored by Harbor Replication rule | 
@@ -81,8 +83,9 @@ For context, the new tag will create the following images: and the following OCI Helm charts: | Helm Chart | Automation | -| -------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- | +|----------------------------------------------------------------------|----------------------------------------------------------------------------------------------| | `oci://quay.io/jetstack/charts/venafi-kubernetes-agent` | Automatically built by the [release action](.github/workflows/release.yml) on Git tag pushes | +| `oci://quay.io/jetstack/charts/cyberark-disco-agent` | Automatically built by the [release action](.github/workflows/release.yml) on Git tag pushes | | `oci://registry.venafi.cloud/charts/venafi-kubernetes-agent` | Automatically mirrored by Harbor Replication rule | | `oci://private-registry.venafi.cloud/charts/venafi-kubernetes-agent` | Automatically mirrored by Harbor Replication rule | | `oci://private-registry.venafi.eu/charts/venafi-kubernetes-agent` | Automatically mirrored by Harbor Replication rule | @@ -118,3 +121,7 @@ v1.1.0 (Git tag in the jetstack-secure repo) ### Step 2: Test the Helm chart "venafi-kubernetes-agent" with venctl connect NOTE(mael): TBD + +### Step 3: Test the Helm chart "cyberark-disco-agent" + +NOTE(wallrj): TBD diff --git a/hack/ark/test-e2e.sh b/hack/ark/test-e2e.sh index 7cc1f7da..604d2f9c 100755 --- a/hack/ark/test-e2e.sh +++ b/hack/ark/test-e2e.sh @@ -43,7 +43,11 @@ trap 'rm -rf "${tmp_dir}"' EXIT pushd "${tmp_dir}" > release.env -make -C "$root_dir" ark-release GITHUB_OUTPUT="${tmp_dir}/release.env" +make -C "$root_dir" ark-release \ + GITHUB_OUTPUT="${tmp_dir}/release.env" \ + OCI_SIGN_ON_PUSH=false \ + oci_platforms="" \ + ARK_OCI_BASE="${OCI_BASE}" cat release.env source release.env 
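Review bot: In hack/ark/test-e2e.sh, `ARK_OCI_BASE="${OCI_BASE}"` passes an empty value when OCI_BASE is unset or empty. A command-line assignment overrides the `?= quay.io/jetstack` default in make/ark/02_mod.mk, so the build would continue with repository names that begin with `/`. Unless the part of the script above this hunk already validates the variable, fail early before the make call with `: "${OCI_BASE:?OCI_BASE must name the test registry}"`. That reports the misconfiguration where it occurs instead of as a push error later in the run.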
@@ -61,15 +65,15 @@ kubectl create secret generic agent-credentials \ --from-literal=ARK_SUBDOMAIN=$ARK_SUBDOMAIN \ --from-literal=ARK_DISCOVERY_API=$ARK_DISCOVERY_API -helm upgrade agent "oci://${RELEASE_OCI_CHART}@${RELEASE_OCI_CHART_DIGEST}" \ - --version "${RELEASE_OCI_CHART_TAG}" \ +helm upgrade agent "oci://${ARK_CHART}@${ARK_CHART_DIGEST}" \ + --version "${ARK_CHART_TAG}" \ --install \ --wait \ --create-namespace \ --namespace "$NAMESPACE" \ --set pprof.enabled=true \ --set fullnameOverride=disco-agent \ - --set "image.digest=${RELEASE_OCI_IMAGE_DIGEST}" \ + --set "image.digest=${ARK_IMAGE_DIGEST}" \ --set-json "podLabels={\"disco-agent.cyberark.cloud/test-id\": \"${RANDOM}\"}" kubectl rollout status deployments/disco-agent --namespace "${NAMESPACE}" diff --git a/make/00_mod.mk b/make/00_mod.mk index d423b26c..2e08f20a 100644 --- a/make/00_mod.mk +++ b/make/00_mod.mk @@ -6,8 +6,6 @@ repo_name := github.com/jetstack/jetstack-secure # third-party modules. generate-golangci-lint-config: repo_name := github.com/jetstack/preflight -OCI_BASE ?= # default to an empty value to avoid warnings - license_ignore := gitlab.com/venafi,github.com/jetstack kind_cluster_name := preflight diff --git a/make/ark/00_mod.mk b/make/ark/00_mod.mk index a89f1a47..f4fa6906 100644 --- a/make/ark/00_mod.mk +++ b/make/ark/00_mod.mk 
@@ -7,20 +7,20 @@ go_ark_ldflags := \ -X $(repo_name)/pkg/version.BuildDate=$(shell date "+%F-%T-%Z") \ oci_ark_base_image_flavor := static -oci_ark_image_name := quay.io/jetstack/ark-agent +oci_ark_image_name := quay.io/jetstack/cyberark-disco-agent oci_ark_image_tag := $(VERSION) -oci_ark_image_name_development := jetstack.local/ark-agent +oci_ark_image_name_development := jetstack.local/cyberark-disco-agent # Annotations are the standardised set of annotations we set on every component we publish oci_ark_build_args := \ --image-annotation="org.opencontainers.image.source"="https://github.com/jetstack/jetstack-secure" \ --image-annotation="org.opencontainers.image.vendor"="CyberArk Software Ltd." \ --image-annotation="org.opencontainers.image.licenses"="EULA - https://www.cyberark.com/contract-terms/" \ - --image-annotation="org.opencontainers.image.authors"="TODO" \ + --image-annotation="org.opencontainers.image.authors"="CyberArk Software Ltd." \ --image-annotation="org.opencontainers.image.title"="CyberArk Discovery and Context Agent" \ --image-annotation="org.opencontainers.image.description"="Gathers machine identity data from Kubernetes clusters." \ - --image-annotation="org.opencontainers.image.url"="TODO" \ - --image-annotation="org.opencontainers.image.documentation"="TODO" \ + --image-annotation="org.opencontainers.image.url"="https://www.cyberark.com/products/" \ + --image-annotation="org.opencontainers.image.documentation"="https://docs.cyberark.com" \ --image-annotation="org.opencontainers.image.version"="$(VERSION)" \ --image-annotation="org.opencontainers.image.revision"="$(GITCOMMIT)" diff --git a/make/ark/02_mod.mk b/make/ark/02_mod.mk index 5b89172c..21a4a529 100644 --- a/make/ark/02_mod.mk +++ b/make/ark/02_mod.mk 
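Review bot: `oci_ark_image_name := quay.io/jetstack/cyberark-disco-agent` hard-codes the same repository that make/ark/02_mod.mk now derives as `ARK_IMAGE` from `ARK_OCI_BASE`, so there are two definitions that can drift apart. An `ARK_OCI_BASE` or `ARK_IMAGE` override only takes effect through `ark-release`. Any target that reads `oci_ark_image_name` directly (presumably `oci-push-ark` when invoked on its own) would still address the quay.io repository. A comment above the assignment would make that explicit, for example `# Default repository; ark-release overrides this with $(ARK_IMAGE) from make/ark/02_mod.mk`.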
@@ -1,31 +1,38 @@ +# Makefile targets for CyberArk Discovery and Context + +# The base OCI repository for all CyberArk Discovery and Context artifacts +ARK_OCI_BASE ?= quay.io/jetstack + +# The OCI repository (without tag) for the CyberArk Discovery and Context Agent Docker image +# Can be overridden when calling `make ark-release` to push to a different repository. +ARK_IMAGE ?= $(ARK_OCI_BASE)/cyberark-disco-agent + +# The OCI repository (without tag) for the CyberArk Discovery and Context Helm chart +# Can be overridden when calling `make ark-release` to push to a different repository. +ARK_CHART ?= $(ARK_OCI_BASE)/charts/cyberark-disco-agent + +# Used to output variables when running in GitHub Actions GITHUB_OUTPUT ?= /dev/stderr + .PHONY: ark-release ## Publish all release artifacts (image + helm chart) ## @category CyberArk Discovery and Context -ark-release: oci_ark_image_name := $(OCI_BASE)/images/cyberark-disco-agent -ark-release: OCI_SIGN_ON_PUSH := false -ark-release: oci_platforms := linux/amd64 -ark-release: helm_chart_source_dir := deploy/charts/cyberark-disco-agent -ark-release: helm_chart_image_name := $(OCI_BASE)/charts/cyberark-disco-agent -ark-release: helm_chart_version := $(helm_chart_version) ark-release: oci_ark_image_digest_path := $(bin_dir)/scratch/image/oci-layout-ark.digests ark-release: helm_digest_path := $(bin_dir)/scratch/helm/cyberark-disco-agent-$(helm_chart_version).digests ark-release: $(MAKE) oci-push-ark helm-chart-oci-push \ - oci_ark_image_name="$(oci_ark_image_name)" \ - OCI_SIGN_ON_PUSH="$(OCI_SIGN_ON_PUSH)" \ - oci_platforms="$(oci_platforms)" \ - helm_image_name="$(oci_ark_image_name)" \ + oci_ark_image_name="$(ARK_IMAGE)" \ + helm_image_name="$(ARK_IMAGE)" \ helm_image_tag="$(oci_ark_image_tag)" \ - helm_chart_source_dir="$(helm_chart_source_dir)" \ - helm_chart_image_name="$(helm_chart_image_name)" + helm_chart_source_dir=deploy/charts/cyberark-disco-agent \ + helm_chart_image_name="$(ARK_CHART)" - @echo 
"RELEASE_OCI_IMAGE=$(oci_ark_image_name)" >> "$(GITHUB_OUTPUT)" - @echo "RELEASE_OCI_IMAGE_TAG=$(oci_ark_image_tag)" >> "$(GITHUB_OUTPUT)" - @echo "RELEASE_OCI_IMAGE_DIGEST=$$(head -1 $(oci_ark_image_digest_path))" >> "$(GITHUB_OUTPUT)" - @echo "RELEASE_OCI_CHART=$(helm_chart_image_name)" >> "$(GITHUB_OUTPUT)" - @echo "RELEASE_OCI_CHART_TAG=$(helm_chart_version)" >> "$(GITHUB_OUTPUT)" - @echo "RELEASE_OCI_CHART_DIGEST=$$(head -1 $(helm_digest_path))" >> "$(GITHUB_OUTPUT)" + @echo "ARK_IMAGE=$(ARK_IMAGE)" >> "$(GITHUB_OUTPUT)" + @echo "ARK_IMAGE_TAG=$(oci_ark_image_tag)" >> "$(GITHUB_OUTPUT)" + @echo "ARK_IMAGE_DIGEST=$$(head -1 $(oci_ark_image_digest_path))" >> "$(GITHUB_OUTPUT)" + @echo "ARK_CHART=$(ARK_CHART)" >> "$(GITHUB_OUTPUT)" + @echo "ARK_CHART_TAG=$(helm_chart_version)" >> "$(GITHUB_OUTPUT)" + @echo "ARK_CHART_DIGEST=$$(head -1 $(helm_digest_path))" >> "$(GITHUB_OUTPUT)" @echo "Release complete!" @@ -40,11 +47,11 @@ ark-test-e2e: $(NEEDS_KIND) $(NEEDS_KUBECTL) $(NEEDS_HELM) ## Verify the Helm chart ## @category CyberArk Discovery and Context ark-verify: - $(MAKE) verify-helm-lint verify-helm-values verify-pod-security-standards verify-helm-kubeconform\ + $(MAKE) verify-helm-lint verify-helm-values verify-pod-security-standards verify-helm-kubeconform \ helm_chart_source_dir=deploy/charts/cyberark-disco-agent \ - helm_chart_image_name=$(OCI_BASE)/charts/cyberark-disco-agent + helm_chart_image_name=$(ARK_CHART) -shared_verify_targets_dirty += ark-verify +shared_verify_targets += ark-verify .PHONY: ark-generate ## Generate Helm chart documentation and schema
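Review bot: The `ARK_IMAGE_DIGEST` and `ARK_CHART_DIGEST` lines in the `ark-release` recipe still succeed and write an empty value when the digest file is missing or empty, because `echo` discards the exit status of `head -1` inside the command substitution. The release notes publish these values, and hack/ark/test-e2e.sh pins the chart and image to them, so an empty digest should fail the target rather than propagate. Suggested form: `@d="$$(head -1 $(oci_ark_image_digest_path))" && test -n "$$d" && echo "ARK_IMAGE_DIGEST=$$d" >> "$(GITHUB_OUTPUT)"`, with the same shape for `$(helm_digest_path)` and `ARK_CHART_DIGEST`.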
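Review bot: In the `ark-verify` recipe, `helm_chart_image_name=$(ARK_CHART)` is expanded unquoted, while `ark-release` in the same file passes it as `helm_chart_image_name="$(ARK_CHART)"`. `ARK_CHART` and `ARK_OCI_BASE` are now `?=` variables that a caller or the environment can set, so an unquoted value containing whitespace or shell metacharacters would be split or interpreted by the recipe shell. Quote it here as well: `helm_chart_image_name="$(ARK_CHART)"`.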