Merge pull request #244 from bank-vaults/chore/prepare-release

chore: prepare release
bank-vaults · Dec 16, 2024 · a33adfe · a33adfe
2 parents 7c0712d + 39315ac
commit a33adfe
Show file tree

Hide file tree

Showing 10 changed files with 350 additions and 262 deletions.
diff --git a/.github/workflows/artifacts.yaml b/.github/workflows/artifacts.yaml
@@ -124,10 +124,24 @@ jobs:
           TAGS: ${{ steps.meta.outputs.tags }}
         run: |
           images=""
-          for tag in ${TAGS}; do
+          for tag in ${TAGS[@]}; do
             images+="${tag}@${DIGEST} "
           done
-          cosign sign --yes ${images}
+
+          cosign sign --yes --rekor-url "https://rekor.sigstore.dev/" ${images}
+
+      - name: Verify signed image with cosign
+        if: ${{ inputs.publish && github.repository_owner == 'bank-vaults' }} # Check if the workflow is called by the same GitHub organization
+        env:
+          DIGEST: ${{ steps.build.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          for tag in ${TAGS[@]}; do
+            cosign verify "${tag}@${DIGEST}" \
+              --rekor-url "https://rekor.sigstore.dev/" \
+              --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/artifacts.yaml@${{ github.ref }}" \
+              --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq
+          done
 
       - name: Set image ref
         id: image-ref
@@ -239,13 +253,6 @@ jobs:
           helm package deploy/charts/${{ steps.chart-name.outputs.value }} --version ${{ steps.version.outputs.value }} --app-version ${{ steps.raw-version.outputs.value }}
           echo "package=${{ steps.chart-name.outputs.value }}-${{ steps.version.outputs.value }}.tgz" >> "$GITHUB_OUTPUT"
 
-      - name: Sign chart with GitHub OIDC Token
-        if: ${{ inputs.publish && github.repository_owner == 'bank-vaults' }} # Check if the workflow is called by the same GitHub organization
-        env:
-          PACKAGE: ${{ steps.build.outputs.package }}
-        run: |
-          cosign sign-blob --yes $PACKAGE
-
       - name: Upload chart as artifact
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
@@ -261,11 +268,30 @@ jobs:
         if: inputs.publish && inputs.release
 
       - name: Helm push
-        run: helm push ${{ steps.build.outputs.package }} oci://${{ steps.oci-registry-name.outputs.value }}
+        id: push
+        run: |
+          helm push ${{ steps.build.outputs.package }} oci://${{ steps.oci-registry-name.outputs.value }} &> push-metadata.txt
+          echo "digest=$(awk '/Digest: /{print $2}' push-metadata.txt)" >> "$GITHUB_OUTPUT"
         env:
           HELM_REGISTRY_CONFIG: ~/.docker/config.json
         if: inputs.publish && inputs.release
 
+      - name: Sign chart with GitHub OIDC Token
+        if: ${{ inputs.publish && inputs.release && github.repository_owner == 'bank-vaults' }} # Check if the workflow is called by the same GitHub organization
+        env:
+          DIGEST: ${{ steps.push.outputs.digest }}
+        run: cosign sign --yes --rekor-url "https://rekor.sigstore.dev/" "${{ steps.oci-chart-name.outputs.value }}@${DIGEST}"
+
+      - name: Verify signed chart with cosign
+        if: ${{ inputs.publish && inputs.release && github.repository_owner == 'bank-vaults' }} # Check if the workflow is called by the same GitHub organization
+        env:
+          DIGEST: ${{ steps.push.outputs.digest }}
+        run: |
+          cosign verify "${{ steps.oci-chart-name.outputs.value }}@${DIGEST}" \
+            --rekor-url "https://rekor.sigstore.dev/" \
+            --certificate-identity "https://github.com/${{ github.repository }}/.github/workflows/artifacts.yaml@${{ github.ref }}" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq
+
       - name: Upload package as artifact
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -215,7 +215,7 @@ jobs:
     strategy:
       matrix:
         k8s_version: ["v1.28.9", "v1.29.4", "v1.30.0"]
-        operator_version: ["v1.22.1", "v1.22.2", "v1.22.3"] # First version that works with the generic webhook: v1.22.1
+        operator_version: ["v1.22.2", "v1.22.3", "v1.22.4"] # First version that works with the generic webhook: v1.22.1
         # vault_version: ["1.11.12", "1.12.8", "1.13.4", "1.14.8"]
 
     steps:

diff --git a/Makefile b/Makefile
@@ -120,11 +120,11 @@ deps: bin/golangci-lint bin/licensei bin/kind bin/kurun bin/helm bin/helm-docs
 deps: ## Install dependencies
 
 # Dependency versions
-GOLANGCI_LINT_VERSION = 1.61.0
+GOLANGCI_LINT_VERSION = 1.62.2
 LICENSEI_VERSION = 0.9.0
-KIND_VERSION = 0.24.0
+KIND_VERSION = 0.25.0
 KURUN_VERSION = 0.7.0
-HELM_VERSION = 3.16.1
+HELM_VERSION = 3.16.3
 HELM_DOCS_VERSION = 1.14.2
 
 # Dependency binaries

diff --git a/deploy/charts/secrets-webhook/README.md b/deploy/charts/secrets-webhook/README.md
@@ -122,7 +122,7 @@ The following table lists the configurable parameters of the Helm chart.
 | `webhookClientConfig.useUrl` | bool | `false` | Use url if webhook should be contacted over loadbalancer or ingress instead of service object. By default, the mutating webhook uses the service of the webhook directly to contact webhook. |
 | `webhookClientConfig.url` | string | `"https://example.com"` | Set the url how the webhook should be contacted, including the protocol |
 | `secretInit.repository` | string | `"ghcr.io/bank-vaults/secret-init"` | Container image repo that contains the secret-init container |
-| `secretInit.tag` | string | `"v0.2.1"` | Container image tag for the secret-init container |
+| `secretInit.tag` | string | `"v0.2.2"` | Container image tag for the secret-init container |
 | `env` | object | `{}` | Custom environment variables available to webhook |
 | `initContainers` | list | `[]` | Containers to run before the webhook containers are started |
 | `metrics.enabled` | bool | `false` | Enable metrics service for the webhook |

diff --git a/deploy/charts/secrets-webhook/values.yaml b/deploy/charts/secrets-webhook/values.yaml
@@ -73,7 +73,7 @@ secretInit:
   # -- Container image repo that contains the secret-init container
   repository: ghcr.io/bank-vaults/secret-init
   # -- Container image tag for the secret-init container
-  tag: "v0.2.1"
+  tag: "v0.2.2"
 
 # -- Custom environment variables available to webhook
 env: {}

diff --git a/garden.yaml b/garden.yaml
@@ -5,7 +5,7 @@ spec:
   namespace: vault-operator
   chart:
     name: oci://ghcr.io/bank-vaults/helm-charts/vault-operator
-    version: "1.22.3"
+    version: "1.22.4"
 
 ---
 kind: Build