[ALL CHARTS] Publish new charts to OCI registry #2631
Conversation
Signed-off-by: Scott Rigby <scott@r6by.com>
```sh
fi
helm push "${pkg}" oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts
file=${pkg##*/}
name=${file%-*}
```
Do we need quotes here as well? Could $file contain spaces?
We don't need to quote the bash var expansion syntax. I ran actionlint locally, and shellcheck (which it uses to check this part) – only those lines needed love 😄
Co-authored-by: Torsten Walter <torsten.walter@syncier.com> Signed-off-by: Scott Rigby <scott@r6by.com>
Co-authored-by: André Bauer <monotek@users.noreply.github.com> Signed-off-by: Scott Rigby <scott@r6by.com>
Oh I want to do one more thing, add info to the readme on how to pull from ghcr, and how to verify keyless signature using cosign...
Let's do this as a follow-up PR, once we see everything working in ghcr.io. PS here's what I was thinking as a template for updating each chart's README. We also prob want to add a single note in the main repo README as well.
diff --git a/charts/prometheus/README.md b/charts/prometheus/README.md
index d8a1e9ab2..055bc61be 100644
--- a/charts/prometheus/README.md
+++ b/charts/prometheus/README.md
@@ -9,24 +9,41 @@ This chart bootstraps a [Prometheus](https://prometheus.io/) deployment on a [Ku
- Kubernetes 1.16+
- Helm 3+
-## Get Repo Info
+## Install from ghcr.io (OCI)
```console
-helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
-helm repo update
+helm install [RELEASE_NAME] \
+oci://ghcr.io/prometheus-community/charts/prometheus
+```
+
+_See [Using OCI-based registries](https://helm.sh/docs/topics/registries/) for documentation._
+
+## Verify the OCI artifact
+
+Install the [cosign](https://github.com/sigstore/cosign) CLI:
+
+```sh
+brew install sigstore/tap/cosign
/ ```
-_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+Verify a prometheus release with cosign CLI:
+
+```sh
+COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/prometheus-community/charts/prometheus:[VERSION]
+```
-## Install Chart
+## Install from github.io (HTTP)
```console
+helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
+helm repo update
+
helm install [RELEASE_NAME] prometheus-community/prometheus
/ ```
_See [configuration](#configuration) below._
-_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) and [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
## Dependencies
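Review bot: in this hunk the new "Verify the OCI artifact" section sits after "Install from ghcr.io (OCI)", so a reader following the README top to bottom has already run `helm install` before checking any signature, and `cosign verify ghcr.io/prometheus-community/charts/prometheus:[VERSION]` checks whatever the tag points at when verify runs, not what was installed. Suggest moving the verify section ahead of the install step and stating which identity the reader should expect in the signing certificate (this repository's release workflow), because a bare keyless `cosign verify` succeeds for any signer holding a valid Fulcio certificate unless an expected identity is given; `brew install sigstore/tap/cosign` could also link the cosign installation docs for readers not on macOS.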
```sh
name=${file%-*}
version=${file%.*}
version=${version#*-}
cosign sign ghcr.io/"${GITHUB_REPOSITORY_OWNER}"/charts/"${name}":"${version}"
```
Hi @scottrigby, instead of signing the tags, it'd be better to use digests to provide a better assurance about the content we are signing. I did a similar task in the Kyverno project, as you can see from here.
TLDR; AFAIK, the `helm push` command outputs the digest of the image being pushed, so we can save that digest in a file and retrieve it from there later.
WDYT?
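Added example, not the PR's workflow code: it covers both the name/version expansions quoted above and this comment's point about signing a digest rather than a tag. It assumes `helm push` prints a `Digest: sha256:...` line, substitutes a constructed sample of that output with a placeholder digest, and echoes the `cosign sign` command instead of running it.

```sh
#!/usr/bin/env bash
# Added example, not the PR's workflow code. It covers the two points under
# discussion: splitting the packaged chart filename into name and version,
# and handing `cosign sign` a digest reference instead of a mutable tag.
set -eu

# "<name>-<version>.tgz" -> "<name> <version>". The version is matched as
# semver (N.N.N with optional -prerelease/+build), so hyphenated names
# (prometheus-node-exporter) and prerelease versions (1.2.3-rc.1) both split
# correctly; `${version#*-}` strips only up to the first hyphen and would not.
chart_name_version() {
  file=${1##*/}
  printf '%s\n' "$file" |
    sed -nE 's/^(.+)-([0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.+-]*)?)\.tgz$/\1 \2/p' |
    grep . || { echo "unrecognised chart package name: $file" >&2; return 1; }
}

# Read the content digest that `helm push` prints as "Digest: sha256:..."
# (assumed output format) from stdin, failing closed unless it is a full
# sha256 digest, so a changed output line cannot yield an unsigned artifact.
push_digest() {
  d=$(sed -n 's/^Digest: //p' | head -n 1)
  printf '%s\n' "$d" | grep -Eq '^sha256:[0-9a-f]{64}$' ||
    { echo "no sha256 digest in helm push output" >&2; return 1; }
  printf '%s\n' "$d"
}

# Immutable reference to sign: <repo>@<digest>. A tag can be re-pointed after
# signing; a digest names exactly the bytes that were pushed.
digest_ref() {
  printf 'ghcr.io/%s/charts/%s@%s\n' "$1" "$2" "$3"
}

# Constructed stand-in for the real `helm push` output (placeholder digest),
# so the example runs offline.
sample_push_output() {
  cat <<'EOF'
Pushed: ghcr.io/example-org/charts/prometheus:15.10.1
Digest: sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
EOF
}

main() {
  set -- $(chart_name_version .cr-release-packages/prometheus-15.10.1.tgz)
  digest=$(sample_push_output | push_digest)       # real run: helm push ... | tee
  echo "cosign sign $(digest_ref example-org "$1" "$digest")"
}
main
```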
Kindly ping @monotek @torstenwalter, do you have any comments about it?
…#2631)
* Publish new charts to OCI registry
Signed-off-by: Scott Rigby <scott@r6by.com>
* Fix shellcheck. Not required for these vars, but good practice
Co-authored-by: Torsten Walter <torsten.walter@syncier.com>
Signed-off-by: Scott Rigby <scott@r6by.com>
* Pin sigstore/cosign-installer
Co-authored-by: André Bauer <monotek@users.noreply.github.com>
Signed-off-by: Scott Rigby <scott@r6by.com>
Signed-off-by: Scott Rigby <scott@r6by.com>
Co-authored-by: André Bauer <monotek@users.noreply.github.com>
Signed-off-by: Scott Rigby scott@r6by.com
What this PR does / why we need it
GH Action to provide Helm OCI support for existing and new chart versions.
Which issue this PR fixes
(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)
Special notes for your reviewer
Checklist
- [ ] Chart Version bumped