
[ALL CHARTS] Publish new charts to OCI registry #2631

Merged (3 commits), Nov 2, 2022

Conversation

scottrigby (Member) commented Nov 1, 2022

Signed-off-by: Scott Rigby scott@r6by.com

What this PR does / why we need it

GH Action to provide Helm OCI support for existing and new chart versions.

Which issue this PR fixes

(optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged)

Special notes for your reviewer

  • You can see a working example here: https://github.com/scottrigby/ghcr-helm-oci
  • Note pushing previous chart versions to OCI will be a separate step.
  • Also update readme telling people how to verify artifacts with cosign

Checklist

  • DCO signed
  • [ ] Chart Version bumped
  • Title of the PR starts with chart name (e.g. [prometheus-couchdb-exporter])

Signed-off-by: Scott Rigby <scott@r6by.com>
@scottrigby scottrigby added the enhancement New feature or request label Nov 1, 2022
@scottrigby scottrigby requested a review from a team as a code owner November 1, 2022 18:23
.github/workflows/release.yaml (review thread, since resolved):

```sh
fi
helm push "${pkg}" oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts
file=${pkg##*/}
name=${file%-*}
```
Member commented:

Do we need quotes here as well? Could $file contain spaces?

scottrigby (Member, Author) replied:

We don't need to quote the bash var expansion syntax. I ran actionlint locally, and shellcheck (which it uses to check this part) – only those lines needed love 😄

Co-authored-by: Torsten Walter <torsten.walter@syncier.com>

Signed-off-by: Scott Rigby <scott@r6by.com>
Co-authored-by: André Bauer <monotek@users.noreply.github.com>
Signed-off-by: Scott Rigby <scott@r6by.com>
scottrigby (Member, Author) commented:
Oh I want to do one more thing, add info to the readme on how to pull from ghcr, and how to verify keyless signature using cosign...

Let's do this as a follow-up PR, once we see everything working in ghcr.io.

PS here's what I was thinking as a template for updating each chart's README. We also prob want to add a single note in the main repo README as well.

diff --git a/charts/prometheus/README.md b/charts/prometheus/README.md
index d8a1e9ab2..055bc61be 100644
--- a/charts/prometheus/README.md
+++ b/charts/prometheus/README.md
@@ -9,24 +9,41 @@ This chart bootstraps a [Prometheus](https://prometheus.io/) deployment on a [Ku
 - Kubernetes 1.16+
 - Helm 3+
 
-## Get Repo Info
+## Install from ghcr.io (OCI)
 
 ```console
-helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
-helm repo update
+helm install [RELEASE_NAME] \
+oci://ghcr.io/prometheus-community/charts/prometheus
+```
+
+_See [Using OCI-based registries](https://helm.sh/docs/topics/registries/) for documentation._
+
+## Verify the OCI artifact
+
+Install the [cosign](https://github.com/sigstore/cosign) CLI:
+
+```sh
+brew install sigstore/tap/cosign
/ ```
 
-_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+Verify a prometheus release with cosign CLI:
+
+```sh
+COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/prometheus-community/charts/prometheus:[VERSION]
+```
 
-## Install Chart
+## Install from github.io (HTTP)
 
 ```console
+helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+helm repo update
+
 helm install [RELEASE_NAME] prometheus-community/prometheus
/ ```
 
 _See [configuration](#configuration) below._
 
-_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) and [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
 
 ## Dependencies
 
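Review bot: the "Verify the OCI artifact" section verifies `ghcr.io/prometheus-community/charts/prometheus:[VERSION]` by tag, and the install snippet above it pulls by that same mutable tag, so nothing ties what the reader verified to what `helm install` later fetches; consider documenting the `@sha256:...` digest form for both commands (the digest is printed by `helm push` at release time) and, since `COSIGN_EXPERIMENTAL=1` means keyless signing, stating which certificate identity and OIDC issuer readers should expect to see in the `cosign verify` output, because a signature from any other identity would otherwise look just as valid. Minor: the new ghcr.io install snippet uses a `console` fence while the two cosign snippets use `sh`.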

@scottrigby scottrigby merged commit 9aebcee into prometheus-community:main Nov 2, 2022
.github/workflows/release.yaml (review thread):

```sh
name=${file%-*}
version=${file%.*}
version=${version#*-}
cosign sign ghcr.io/"${GITHUB_REPOSITORY_OWNER}"/charts/"${name}":"${version}"
```

Contributor commented:

Hi @scottrigby, instead of signing the tags, it'd be better to use digests to provide a better assurance about the content we are signing. I did a similar task in the Kyverno project, as you can see from here.

TLDR;

AFAIK, the helm push command outputs the digest of the image being pushed, so we can save that digest in a file and retrieve it from there later.

WDYT?
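Worked example, added here and not code from the PR's release.yaml, of what the comment above suggests: it reads the digest out of captured `helm push` output and builds the `name@sha256:...` reference for `cosign sign`, together with the name/version split from the packaged chart path that the earlier review thread (`file=${pkg##*/}` / `name=${file%-*}`) discussed. It assumes the `Pushed:`/`Digest:` lines that `helm push` prints, uses a constructed sample of that output with a placeholder digest and a made-up `ghcr.io/example-org/charts` registry path, and splits the filename on the semver boundary instead of the workflow's `%-*` / `#*-` expansions, so chart names containing `-` and pre-release versions come out right.

```shell
#!/usr/bin/env sh
# Added example, not the PR's release.yaml: split a packaged chart path into
# chart name and version, then take the content digest that `helm push` prints
# so the reference handed to `cosign sign` is immutable (name@sha256:...)
# rather than a tag that could later be re-pointed at different content.
set -eu

# Split "<name>-<semver>" on the last "-<digits>.<digits>.<digits>" boundary.
# This is stricter than the workflow's ${file%-*} / ${version#*-} expansions,
# which mis-split names containing "-" (prometheus-node-exporter) and
# pre-release versions (1.0.0-rc.1).
chart_name() {
  file=${1##*/}; file=${file%.tgz}
  printf '%s\n' "$file" | sed -E 's/^(.*)-([0-9]+\.[0-9]+\.[0-9]+.*)$/\1/'
}

chart_version() {
  file=${1##*/}; file=${file%.tgz}
  printf '%s\n' "$file" | sed -E 's/^(.*)-([0-9]+\.[0-9]+\.[0-9]+.*)$/\2/'
}

# Pull the "Digest: sha256:<64 hex>" line out of captured `helm push` output
# and refuse anything that does not look like a sha256 digest.
push_digest() {
  digest=$(printf '%s\n' "$1" | sed -n 's/^Digest: *//p' | head -n 1)
  printf '%s' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$' || return 1
  printf '%s\n' "$digest"
}

# Immutable reference for signing: <registry path>/<name>@<digest>.
digest_ref() {
  printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# The cosign invocation the signing step would run, built from the package
# path and the push output. Printed, not executed, so the script runs offline.
sign_command() {
  pkg=$1; push_out=$2; registry=$3
  d=$(push_digest "$push_out") || { echo "no valid digest in helm push output" >&2; return 1; }
  printf 'cosign sign %s\n' "$(digest_ref "$registry" "$(chart_name "$pkg")" "$d")"
}

# Constructed sample (placeholder digest) of what `helm push` prints. In the
# workflow this would be captured with
#   out=$(helm push "$pkg" oci://ghcr.io/"${GITHUB_REPOSITORY_OWNER}"/charts)
SAMPLE_PKG=.cr-release-packages/prometheus-node-exporter-4.3.0.tgz
SAMPLE_PUSH_OUTPUT='Pushed: ghcr.io/example-org/charts/prometheus-node-exporter:4.3.0
Digest: sha256:0000000000000000000000000000000000000000000000000000000000000000'

sign_command "$SAMPLE_PKG" "$SAMPLE_PUSH_OUTPUT" ghcr.io/example-org/charts
```

Because the signed reference carries the digest, `cosign verify` on that same `name@sha256:...` reference checks exactly the bytes that were pushed, whereas a tag can be moved to a different manifest after signing.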

Contributor commented:

Kindly ping @monotek @torstenwalter, do you have any comments about it?


Matiasmct pushed a commit to giffgaff/prometheus-charts that referenced this pull request May 16, 2023
…#2631)

* Publish new charts to OCI registry

Signed-off-by: Scott Rigby <scott@r6by.com>

* Fix shellcheck. Not required for these vars, but good practice

Co-authored-by: Torsten Walter <torsten.walter@syncier.com>

Signed-off-by: Scott Rigby <scott@r6by.com>

* Pin sigstore/cosign-installer

Co-authored-by: André Bauer <monotek@users.noreply.github.com>
Signed-off-by: Scott Rigby <scott@r6by.com>

Signed-off-by: Scott Rigby <scott@r6by.com>
Co-authored-by: André Bauer <monotek@users.noreply.github.com>