diff --git a/.github/actions/marketplace/action.yml b/.github/actions/marketplace/action.yml deleted file mode 100644 index c76421fd61..0000000000 --- a/.github/actions/marketplace/action.yml +++ /dev/null 
@@ -1,59 +0,0 @@ -name: 'Marketplace Helm Chart Release Action' -description: 'Generate Helm Chart with Pinned to Provided Image References' -inputs: - registry: - description: 'Registry' - required: true - default: '' - version: - description: 'KubeArmor Release Version' - required: true - default: '' - relay_version: - description: 'Relay Release Version' - required: true - default: '' - helm_chart_path: - description: 'Helm Chart Path' - required: true - default: '' - helm_chart_name: - description: 'Helm Chart Name' - required: true - default: '' -runs: - using: 'composite' - steps: - - name: Install yq - shell: bash - run: | - sudo apt-get update - sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 - sudo chmod a+x /usr/local/bin/yq - yq --version - - - name: Generate Helm Chart - shell: bash - run: | - yq -i '.oci_meta.repo = "${{inputs.registry}}" | - .oci_meta.images.kubearmor.tag = "${{ inputs.version }}" | - .oci_meta.images.kubearmorInit.tag = "${{ inputs.version }}" | - .oci_meta.images.kubearmorController.tag = "${{ inputs.version }}" | - .oci_meta.images.kubearmorSnitch.tag = "${{ inputs.version }}" | - .oci_meta.images.kubearmorOperator.tag = "${{ inputs.version }}" | - .oci_meta.images.kubearmorRelay.tag = "${{ inputs.relay_version }}" | - .autoDeploy = true | - .imagePinning = true' ${{ inputs.helm_chart_path }}/values.yaml - yq -i '.name = "${{ inputs.helm_chart_name }}" | - .version = "${{ inputs.version }}"' ${{ inputs.helm_chart_path }}/Chart.yaml - - - name: Generate Helm Package - shell: bash - run: | - helm package ${{ inputs.helm_chart_path }} - - - name: Publish Helm Chart - shell: bash - run: | - helm push ${{ inputs.helm_chart_name }}-${{ inputs.version }}.tgz oci://${{inputs.registry}} - diff --git a/.github/workflows/ci-marketplace-release.yml b/.github/workflows/ci-marketplace-release.yml index 7321481dcb..9fb6633a52 100644 --- a/.github/workflows/ci-marketplace-release.yml 
+++ b/.github/workflows/ci-marketplace-release.yml @@ -1,17 +1,25 @@ name: ci-marketplace-release on: - push: - branches: [main] - paths: - - "STABLE-RELEASE" - - ".github/workflows/ci-marketplace-release.yml" + workflow_run: + workflows: ["ci-stable-release"] + types: + - completed + branches: + - "main" + - "operator-refactor" + # push: + # branches: [main] + # paths: + # - "STABLE-RELEASE" + # - ".github/workflows/ci-marketplace-release.yml" # Declare default permissions as read only. permissions: read-all jobs: certify-images-on-redhat: + if: ${{ github.event.workflow_run.conclusion == 'success' }} runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 
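Review bot: The `actions/checkout@v3` step under `certify-images-on-redhat` has no `ref`, and on a `workflow_run` event the default checkout is the last commit of the repository's default branch, so the `cat STABLE-RELEASE` reads further down this workflow can return a different version than the triggering `ci-stable-release` run published (most visibly for the newly listed `operator-refactor` branch). Pass the triggering commit explicitly, `ref: ${{ github.event.workflow_run.head_sha }}`, on each checkout in this workflow. Listing a feature branch in the trigger of a marketplace release workflow also reads as a development leftover; if it is meant to stay, the old `push` trigger should be deleted rather than kept as a comment block. The `jobs:` mapping continues past the end of the hunk.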
@@ -36,29 +44,28 @@ jobs: certids=("${{secrets.CONTROLLER_OSPID}}" "${{secrets.KUBEARMOR_UBI_OSPID}}" "${{secrets.KUBEARMOR_INIT_OSPID}}" "${{secrets.OPERATOR_OSPID}}" "${{secrets.SNITCH_OSPID}}") pyxis="${{secrets.OS_PYXIS}}" # Loop through the repositories and target repositories - for ((i=0; i<${#repositories[@]}; i++)); do - repository="$repo/${repositories[i]}" - certid=${certids[i]} - echo "Processing $repository image..." - echo "Submitting image for $repository..." - for platform in "amd64" "arm64"; do - preflight check container \ - $repository:$tag \ - --certification-project-id=$certid \ - --pyxis-api-token=$pyxis \ - --platform=${platform} \ - --docker-config=${HOME}/.docker/config.json \ - --artifacts=./artifacts/${repository} \ - --submit - if [ $? -eq 0 ]; then - echo "Successfully submitted image for $repository." - else - echo "Error: Failed to submit image for $repository." - fi - done - done + # for ((i=0; i<${#repositories[@]}; i++)); do + # repository="$repo/${repositories[i]}" + # certid=${certids[i]} + # echo "Processing $repository image..." + # echo "Submitting image for $repository..." + # preflight check container \ + # $repository:$tag \ + # --certification-project-id=$certid \ + # --pyxis-api-token=$pyxis \ + # --platform=${platform} \ + # --docker-config=${HOME}/.docker/config.json \ + # --artifacts=./artifacts/${repository} \ + # --submit + # if [ $? -eq 0 ]; then + # echo "Successfully submitted image for $repository." + # else + # echo "Error: Failed to submit image for $repository." + # fi + # done publish-images-to-ecr: + if: ${{ github.event.workflow_run.conclusion == 'success' }} runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 
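Review bot: With the preflight loop commented out, the retained `certids=(...)` and `pyxis="${{secrets.OS_PYXIS}}"` assignments are the whole remaining body of the step, so five certification project ids and the Pyxis API token are expanded into the runner shell for no purpose. Either drop those assignments together with the loop or gate the job with `if: false` until certification is re-enabled. If the loop is restored later, note that the commented copy dropped the `for platform in "amd64" "arm64"` wrapper while keeping `--platform=${platform}`, which would now expand to an empty string, and that the `if [ $? -eq 0 ]` branch only echoes, so a failed submission never fails the job. The enclosing `run:` block starts outside the hunk.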
@@ -81,149 +88,48 @@ jobs: mv regctl /usr/local/bin regctl version - - name: Publish Images to ECR - run: | - # copy images to ecr registry - STABLE_VERSION=`cat STABLE-RELEASE` - regctl image copy kubearmor/kubearmor:$STABLE_VERSION ${{vars.AWS_ECR_REGISTRY}}/kubearmor:$STABLE_VERSION --digest-tags - regctl image copy kubearmor/kubearmor-init:$STABLE_VERSION ${{vars.AWS_ECR_REGISTRY}}/kubearmor-init:$STABLE_VERSION --digest-tags - regctl image copy kubearmor/kubearmor-controller:$STABLE_VERSION ${{vars.AWS_ECR_REGISTRY}}/kubearmor-controller:$STABLE_VERSION --digest-tags - regctl image copy kubearmor/kubearmor-operator:$STABLE_VERSION ${{vars.AWS_ECR_REGISTRY}}/kubearmor-operator:$STABLE_VERSION --digest-tags - regctl image copy kubearmor/kubearmor-snitch:$STABLE_VERSION ${{vars.AWS_ECR_REGISTRY}}/kubearmor-snitch:$STABLE_VERSION --digest-tags - - publish-images-to-ocir: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - - name: login to ocir registry - run: | - echo "${{ secrets.OCIR_AUTHTOKEN }}" | docker login ${{ vars.OCIR_REGION }} -u ${{ secrets.OCIR_USERNAME }} --password-stdin - - - name: Install regctl - run: | - curl -L https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 >regctl - chmod 755 regctl - mv regctl /usr/local/bin - regctl version - - - name: Publish Images to OCIR - run: | - # copy images to ocir registry - STABLE_VERSION=`cat STABLE-RELEASE` - regctl image copy kubearmor/kubearmor:$STABLE_VERSION ${{vars.OCIR_REGISTRY}}/kubearmor:$STABLE_VERSION --digest-tags - regctl image copy kubearmor/kubearmor-init:$STABLE_VERSION ${{vars.OCIR_REGISTRY}}/kubearmor-init:$STABLE_VERSION --digest-tags - regctl image copy kubearmor/kubearmor-controller:$STABLE_VERSION ${{vars.OCIR_REGISTRY}}/kubearmor-controller:$STABLE_VERSION --digest-tags - regctl image copy kubearmor/kubearmor-operator:$STABLE_VERSION ${{vars.OCIR_REGISTRY}}/kubearmor-operator:$STABLE_VERSION --digest-tags - regctl image copy 
kubearmor/kubearmor-snitch:$STABLE_VERSION ${{vars.OCIR_REGISTRY}}/kubearmor-snitch:$STABLE_VERSION --digest-tags - - publish-aws-helm-chart: - runs-on: ubuntu-latest - needs: ["publish-images-to-ecr"] - steps: - - uses: actions/checkout@v3 - - uses: azure/setup-helm@v3 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ vars.AWS_REGION }} - - - name: Login to AWS Helm - run: | - aws ecr get-login-password --region ${{ vars.AWS_REGION }} | helm registry login --username AWS --password-stdin ${{ vars.AWS_ECR_REGISTRY }} - - - name: Generate version metadata - id: metadata - run: | - version=`cat STABLE-RELEASE` - relay_version=$(curl https://raw.githubusercontent.com/kubearmor/kubearmor-relay-server/main/STABLE-RELEASE) - echo "version=${version}" >> $GITHUB_OUTPUT - echo "relay_version=${relay_version}" >> $GITHUB_OUTPUT - - - name: Create and Publish Helm Chart - uses: ./.github/actions/marketplace - with: - registry: '${{ vars.AWS_ECR_REGISTRY }}' - version: '${{ steps.metadata.outputs.version }}' - relay_version: '${{ steps.metadata.outputs.relay_version }}' - helm_chart_path: './deployments/helm/KubeArmorOperator' - helm_chart_name: 'kubearmor-operator-aws' - - # workaround to mandatory subfolder for helm-gh-master action - # https://github.com/stefanprodan/helm-gh-pages/issues/23#issuecomment-854101420 - - name: Move operator chart to charts subfolder - run: | - mkdir -p ./deployments/helm/charts - mv ./deployments/helm/KubeArmorOperator ./deployments/helm/charts/KubeArmorOperatorAws - - - name: Publish Helm chart to KubeArmor helm repo - uses: stefanprodan/helm-gh-pages@master - with: - # Access token which can push to a different repo in the same org - token: ${{ secrets.GH_ACCESS_TOKEN }} - charts_dir: deployments/helm/charts - # repo where charts would be published - owner: 
kubearmor - repository: charts - branch: gh-pages - charts_url: https://kubearmor.github.io/charts - commit_username: "github-actions[bot]" - commit_email: "github-actions[bot]@users.noreply.github.com" - - publish-oci-helm-chart: - runs-on: ubuntu-latest - needs: ["publish-images-to-ocir"] - steps: - - uses: actions/checkout@v3 - - uses: azure/setup-helm@v3 - - - name: Login to OCI Helm - run: | - echo "${{ secrets.OCIR_AUTHTOKEN }}" | helm registry login ${{ vars.OCIR_REGION }} -u ${{ secrets.OCIR_USERNAME }} --password-stdin - - - name: Generate version metadata - id: metadata - run: | - version=`cat STABLE-RELEASE` - relay_version=$(curl https://raw.githubusercontent.com/kubearmor/kubearmor-relay-server/main/STABLE-RELEASE) - echo "version=${version}" >> $GITHUB_OUTPUT - echo "relay_version=${relay_version}" >> $GITHUB_OUTPUT - - - name: Create and Publish Helm Chart - uses: ./.github/actions/marketplace - with: - registry: '${{ vars.OCIR_REGISTRY }}' - version: '${{ steps.metadata.outputs.version }}' - relay_version: '${{ steps.metadata.outputs.relay_version }}' - helm_chart_path: './deployments/helm/KubeArmorOperator' - helm_chart_name: 'kubearmor-operator-oci' - - # workaround to mandatory subfolder for helm-gh-master action - # https://github.com/stefanprodan/helm-gh-pages/issues/23#issuecomment-854101420 - - name: Move operator chart to charts subfolder - run: | - mkdir -p ./deployments/helm/charts - mv ./deployments/helm/KubeArmorOperator ./deployments/helm/charts/KubeArmorOperatorOci - - - name: Publish Helm chart to KubeArmor helm repo - uses: stefanprodan/helm-gh-pages@master - with: - # Access token which can push to a different repo in the same org - token: ${{ secrets.GH_ACCESS_TOKEN }} - charts_dir: deployments/helm/charts - # repo where charts would be published - owner: kubearmor - repository: charts - branch: gh-pages - charts_url: https://kubearmor.github.io/charts - commit_username: "github-actions[bot]" - commit_email: 
"github-actions[bot]@users.noreply.github.com" + # - name: Publish Images to ECR + # run: | + # # copy images to ecr registry + # STABLE_VERSION=`cat STABLE-RELEASE` + # regctl image copy kubearmor/kubearmor:$STABLE_VERSION ${{vars.AWS_ECR_REGISTRY}}/kubearmor:$STABLE_VERSION --digest-tags + # regctl image copy kubearmor/kubearmor-init:$STABLE_VERSION ${{vars.AWS_ECR_REGISTRY}}/kubearmor-init:$STABLE_VERSION --digest-tags + # regctl image copy kubearmor/kubearmor-controller:$STABLE_VERSION ${{vars.AWS_ECR_REGISTRY}}/kubearmor-controller:$STABLE_VERSION --digest-tags + # regctl image copy kubearmor/kubearmor-operator:$STABLE_VERSION ${{vars.AWS_ECR_REGISTRY}}/kubearmor-operator:$STABLE_VERSION --digest-tags + # regctl image copy kubearmor/kubearmor-snitch:$STABLE_VERSION ${{vars.AWS_ECR_REGISTRY}}/kubearmor-snitch:$STABLE_VERSION --digest-tags + +# =================================== +# Publish to OCIR is disabled for now +# =================================== + # publish-images-to-ocir: + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v3 + + # - name: login to ocir registry + # run: | + # echo "${{ secrets.OCIR_AUTHTOKEN }}" | docker login ${{ vars.OCIR_REGION }} -u ${{ secrets.OCIR_USERNAME }} --password-stdin + + # - name: Install regctl + # run: | + # curl -L https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 >regctl + # chmod 755 regctl + # mv regctl /usr/local/bin + # regctl version + + # - name: Publish Images to OCIR + # run: | + # # copy images to ocir registry + # STABLE_VERSION=`cat STABLE-RELEASE` + # regctl image copy kubearmor/kubearmor:$STABLE_VERSION ${{vars.OCIR_REGISTRY}}/kubearmor:$STABLE_VERSION --digest-tags + # regctl image copy kubearmor/kubearmor-init:$STABLE_VERSION ${{vars.OCIR_REGISTRY}}/kubearmor-init:$STABLE_VERSION --digest-tags + # regctl image copy kubearmor/kubearmor-controller:$STABLE_VERSION ${{vars.OCIR_REGISTRY}}/kubearmor-controller:$STABLE_VERSION --digest-tags + # regctl image 
copy kubearmor/kubearmor-operator:$STABLE_VERSION ${{vars.OCIR_REGISTRY}}/kubearmor-operator:$STABLE_VERSION --digest-tags + # regctl image copy kubearmor/kubearmor-snitch:$STABLE_VERSION ${{vars.OCIR_REGISTRY}}/kubearmor-snitch:$STABLE_VERSION --digest-tags create_issue: - needs: ["publish-oci-helm-chart","publish-aws-helm-chart","certify-images-on-redhat"] + if: ${{ github.event.workflow_run.conclusion == 'success' }} + # needs: ["certify-images-on-redhat","publish-images-to-ecr"] runs-on: ubuntu-latest permissions: issues: write @@ -238,7 +144,7 @@ jobs: --label "$LABELS" \ --body "$BODY") env: - GH_TOKEN: ${{ secrets.GH_ISSUE_RW_ACCESS_TOKEN }} + GH_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }} GH_REPO: ${{ github.repository }} TITLE: Marketplace Release KubeArmor ASSIGNEES: rksharma95,daemon1024 @@ -247,8 +153,9 @@ jobs: ### Tasks - [ ] Test and Publish KubeArmor Operator on Red Hat + - [ ] Publish helm chart on kubearmor/charts repo - [ ] Update KubeArmor Listing on AWS Marketplace - - [ ] Update KubeArmor Listing on Oracle Marketplace + # - [ ] Update KubeArmor Listing on Oracle Marketplace Assignees: @kubearmor/triagers diff --git a/.github/workflows/ci-operator-release.yaml b/.github/workflows/ci-operator-release.yaml index 0260e1be14..e23186a5f2 100644 --- a/.github/workflows/ci-operator-release.yaml +++ b/.github/workflows/ci-operator-release.yaml @@ -60,7 +60,7 @@ jobs: - name: Build & Push KubeArmor Operator working-directory: ./pkg/KubeArmorOperator - run: PLATFORM=$PLATFORM make docker-buildx TAG=${{ steps.vars.outputs.tag }} + run: PLATFORM=$PLATFORM make docker-buildx VERSION=${{ steps.vars.outputs.tag }} - uses: actions/checkout@v3 with: diff --git a/.github/workflows/ci-stable-release.yml b/.github/workflows/ci-stable-release.yml index cb5d8e3dfb..db06d93a8f 100644 --- a/.github/workflows/ci-stable-release.yml +++ b/.github/workflows/ci-stable-release.yml 
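Review bot: `publish-images-to-ecr` now logs in to the registry and installs regctl but has no step left that publishes anything, because `Publish Images to ECR` is commented out; a job that authenticates to a registry and then exits is noise in the audit trail and an easy place for a later edit to push the wrong thing. Disable it with `if: false` or delete it until the copy step returns. `create_issue` also lost its `needs:` list, so the release-checklist issue is opened even when certification or publication fails in this workflow; the added `if: ${{ github.event.workflow_run.conclusion == 'success' }}` only checks the upstream `ci-stable-release` run. The `jobs:` mapping starts outside the hunk.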
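Review bot: Switching `GH_TOKEN` from `secrets.GH_ISSUE_RW_ACCESS_TOKEN` to `secrets.GH_ACCESS_TOKEN` widens the credential used by `gh issue create`; the jobs removed earlier in this diff describe `GH_ACCESS_TOKEN` as a token that can push to other repositories in the org, which is far more than opening an issue in `${{ github.repository }}` needs. The job already declares `permissions: issues: write`, so the ephemeral workflow token suffices: `GH_TOKEN: ${{ github.token }}`. If a PAT is still required, keep the issue-scoped one.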
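Review bot: The added `# - [ ] Update KubeArmor Listing on Oracle Marketplace` sits inside the multi-line `BODY` value, where `#` is literal text rather than a YAML comment, so the created issue will contain a `#`-prefixed line (rendered by Markdown as a heading) instead of omitting the Oracle task. Delete the line from the block scalar; if the task should stay visible but inactive, write it as plain text, e.g. `- [ ] (disabled) Update KubeArmor Listing on Oracle Marketplace`. This assumes `BODY` is a `|` block scalar, as the surrounding `### Tasks` and `Assignees:` lines suggest; the `env:` mapping starts outside the hunk.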
@@ -2,17 +2,20 @@ name: ci-stable-release on: push: - branches: [main] + branches: [main, "operator-refactor"] paths: - "STABLE-RELEASE" +env: + PLATFORM: linux/amd64,linux/arm64/v8 + # Declare default permissions as read only. permissions: read-all jobs: push-stable-version: name: Create KubeArmor stable release - if: github.repository == 'kubearmor/kubearmor' + # if: github.repository == 'kubearmor/kubearmor' runs-on: ubuntu-22.04 timeout-minutes: 60 steps: 
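Review bot: Commenting out `if: github.repository == 'kubearmor/kubearmor'` on `push-stable-version` removes the only guard that stops forks from running the stable-release pipeline whenever their `main` touches `STABLE-RELEASE`, and the same guard is dropped on the other jobs later in this file. Together with the new `operator-refactor` entry in `branches` this reads as fork-testing configuration; restore `if: github.repository == 'kubearmor/kubearmor'` before this merges upstream, or extend the condition rather than deleting it if a fork genuinely needs to run it. The new top-level `env: PLATFORM:` is a reasonable single source for the platform list, but the job added further down still hard-codes the same value in `docker/setup-buildx-action`'s `platforms:`; reference `${{ env.PLATFORM }}` there to avoid drift.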
@@ -33,28 +36,96 @@ jobs: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_AUTHTOK }} - - name: Generate the stable version of KubeArmor in Docker Hub + # - name: Generate the stable version of KubeArmor in Docker Hub + # run: | + # STABLE_VERSION=`cat STABLE-RELEASE` + # regctl image copy rksharma95/kubearmor:$STABLE_VERSION rksharma95/kubearmor:stable --digest-tags + # regctl image copy rksharma95/kubearmor-init:$STABLE_VERSION rksharma95/kubearmor-init:stable --digest-tags + # regctl image copy rksharma95/kubearmor-ubi:$STABLE_VERSION rksharma95/kubearmor-ubi:stable --digest-tags + # regctl image copy rksharma95/kubearmor-controller:$STABLE_VERSION rksharma95/kubearmor-controller:stable --digest-tags + # # regctl image copy rksharma95/kubearmor-operator:$STABLE_VERSION rksharma95/kubearmor-operator:stable --digest-tags + # regctl image copy rksharma95/kubearmor-snitch:$STABLE_VERSION rksharma95/kubearmor-snitch:stable --digest-tags + + build-and-push-operator-image: + name: Rebuild Operator Image + # if: github.repository == 'kubearmor/kubearmor' + runs-on: ubuntu-22.04 + permissions: + contents: write + steps: + - uses: actions/checkout@v3 + + - uses: actions/setup-go@v5 + with: + go-version-file: 'pkg/KubeArmorOperator/go.mod' + + - name: Set up QEMU + uses: docker/setup-qemu-action@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + with: + platforms: linux/amd64,linux/arm64/v8 + + - name: Login to Docker Hub + uses: docker/login-action@v2 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_AUTHTOK }} + + - name: Get Stable Version + id: version + run: | + echo stable=`cat STABLE-RELEASE` >> $GITHUB_OUTPUT + relay_version=$(curl https://raw.githubusercontent.com/kubearmor/kubearmor-relay-server/main/STABLE-RELEASE) + echo "relay=${relay_version}" >> $GITHUB_OUTPUT + + - name: Pin Versioned Images + working-directory: ./deployments + run: | + VERSION=${{ steps.version.outputs.stable }} 
RELAY_VERSION=${{ steps.version.outputs.relay }} make pin-version + + - name: Update Chart Version + working-directory: ./deployments + run: | + VERSION=${{ steps.version.outputs.stable }} make chart-version + + - name: Use embeded chart + working-directory: ./deployments run: | - STABLE_VERSION=`cat STABLE-RELEASE` - regctl image copy kubearmor/kubearmor:$STABLE_VERSION kubearmor/kubearmor:stable --digest-tags - regctl image copy kubearmor/kubearmor-init:$STABLE_VERSION kubearmor/kubearmor-init:stable --digest-tags - regctl image copy kubearmor/kubearmor-ubi:$STABLE_VERSION kubearmor/kubearmor-ubi:stable --digest-tags - regctl image copy kubearmor/kubearmor-controller:$STABLE_VERSION kubearmor/kubearmor-controller:stable --digest-tags - regctl image copy kubearmor/kubearmor-operator:$STABLE_VERSION kubearmor/kubearmor-operator:stable --digest-tags - regctl image copy kubearmor/kubearmor-snitch:$STABLE_VERSION kubearmor/kubearmor-snitch:stable --digest-tags - - - name: Publish Helm chart - env: - # Access token which can push to a different repo in the same org - GH_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }} + VERSION=${{ steps.version.outputs.stable }} make embed-chart + + - name: Build & Push KubeArmor Operator + working-directory: ./pkg/KubeArmorOperator + run: | + PLATFORM=$PLATFORM OPERATOR_IMG=rksharma95/kubearmor-operator \ + make docker-buildx-operator VERSION=${{ steps.version.outputs.stable }} + + - name: Install regctl + run: | + curl -L https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 >regctl + chmod 755 regctl + mv regctl /usr/local/bin + + - name: Check install + run: regctl version + + - name: Generate the stable version of KubeArmor Operator in Docker Hub run: | - STABLE_VERSION=`cat STABLE-RELEASE` - gh release create --repo kubearmor/charts $STABLE_VERSION --generate-notes + regctl image copy rksharma95/kubearmor-operator:${{ steps.version.outputs.stable }} rksharma95/kubearmor-operator:stable --digest-tags + # - name: 
Publish Helm chart + # env: + # # Access token which can push to a different repo in the same org + # GH_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }} + # run: | + # STABLE_VERSION=`cat STABLE-RELEASE` + # gh release create --repo rksharma95/charts $STABLE_VERSION --generate-notes update-helm-chart: name: Update KubeArmor Helm chart version - if: github.repository == 'kubearmor/kubearmor' + # if: github.repository == 'kubearmor/kubearmor' + needs: ["build-and-push-operator-image"] runs-on: ubuntu-22.04 timeout-minutes: 20 permissions: 
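Review bot: `build-and-push-operator-image` builds and retags `rksharma95/kubearmor-operator` rather than `kubearmor/kubearmor-operator`: `OPERATOR_IMG=rksharma95/kubearmor-operator` in `Build & Push KubeArmor Operator`, both sides of the final `regctl image copy`, and the commented-out Docker Hub step were all switched to that namespace. Publishing release images from the upstream workflow into a personal registry namespace is a supply-chain problem for anyone consuming the `stable` tag, so these must be the `kubearmor/` names (ideally from one variable) before this merges. The job also requests `permissions: contents: write` although nothing in it writes to the repository; `contents: read` is sufficient. `Get Stable Version` fetches the relay version with a bare `curl`, which writes an HTML error page into the tag on a 4xx/5xx, so use `curl -fsSL` so a failed fetch fails the step. regctl is fetched from `releases/latest/download` with no version pin or checksum and moved into `/usr/local/bin`; pin a release and verify the published checksum first.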
@@ -63,25 +134,37 @@ jobs: steps: - uses: actions/checkout@v3 - - name: Update Chart.yaml - id: update + - name: Get Stable Version + id: version run: | - STABLE_VERSION=`cat STABLE-RELEASE` + echo stable=`cat STABLE-RELEASE` >> $GITHUB_OUTPUT + relay_version=$(curl https://raw.githubusercontent.com/kubearmor/kubearmor-relay-server/main/STABLE-RELEASE) + echo "relay=${relay_version}" >> $GITHUB_OUTPUT - sed -i -e "s/appVersion:.*/appVersion: $STABLE_VERSION/g" deployments/helm/*/Chart.yaml - sed -i -e "s/version:.*/version: $STABLE_VERSION/g" deployments/helm/*/Chart.yaml + - name: Use Versioned Images + working-directory: ./deployments + run: | + VERSION=${{ steps.version.outputs.stable }} RELAY_VERSION=${{ steps.version.output.relay }} make pin-version - echo "STABLE_VERSION=$STABLE_VERSION" >> $GITHUB_OUTPUT + - name: Update Chart Version + working-directory: ./deployments + run: | + VERSION=${{ steps.version.outputs.stable }} make chart-version + + - name: Use embeded chart + working-directory: ./deployments + run: | + VERSION=${{ steps.version.outputs.stable }} make embed-chart - name: Create PR to update Helm chart version in KubeArmor repo uses: peter-evans/create-pull-request@v5 with: - branch: update-helm-${{ steps.update.outputs.STABLE_VERSION }} - add-paths: "deployments/helm/*/Chart.yaml" - commit-message: "[skip ci] Update Helm Chart To ${{ steps.update.outputs.STABLE_VERSION }}" + branch: update-helm-${{ steps.version.outputs.stable }} + add-paths: "deployments/*" + commit-message: "[skip ci] Update Helm Chart To ${{ steps.version.outputs.stable }}" committer: "github-actions[bot] " author: "github-actions[bot] " - title: "[skip ci] Update Helm Chart To ${{ steps.update.outputs.STABLE_VERSION }}" + title: "[skip ci] Update Helm Chart To ${{ steps.version.outputs.stable }}" base: main signoff: true delete-branch: true diff --git a/deployments/Makefile b/deployments/Makefile index bcb8d09909..4f19af8db6 100644 --- a/deployments/Makefile 
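Review bot: `Use Versioned Images` references `steps.version.output.relay` (singular `output`) where the step-output context is `steps.version.outputs.relay`, so the expression evaluates to an empty string and `make pin-version` runs with `RELAY_VERSION=` set but empty; because an exported empty variable counts as defined, the Makefile's `RELAY_VERSION ?= stable` default does not apply and the relay tag is written as `""`. Change it to `RELAY_VERSION=${{ steps.version.outputs.relay }}`. `add-paths` was also widened from the Chart.yaml files to `deployments/*`, and the `deployments/Makefile` `yq` target downloads a binary into `deployments/bin/`, so unless that directory is git-ignored the release PR will carry an unverified executable; narrow `add-paths` to the helm chart files or ignore `deployments/bin/`. The bare `curl` for the relay version here has the same missing `-f` as the other job.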
+++ b/deployments/Makefile 
@@ -16,3 +16,61 @@ build: .PHONY: clean clean: rm -f $(CURDIR)/deploygen + +VERSION ?= stable +RELAY_VERSION ?= stable +KUBE_RBAC_PROXY ?= v0.15.0 +KUBEARMOR_CHART_DIR = $(CURDIR)/helm/KubeArmor +KUBEARMOR_OPERATOR_CHART_DIR = $(CURDIR)/helm/KubeArmorOperator + +.PHONY: pin-version +pin-version: yq + $(YQ) eval ".kubearmorRelay.image.tag = \"$(RELAY_VERSION)\"" $(KUBEARMOR_CHART_DIR)/values.yaml -i + $(YQ) eval ".kubearmorInit.image.tag = \"$(VERSION)\"" $(KUBEARMOR_CHART_DIR)/values.yaml -i + $(YQ) eval ".kubearmorController.image.tag = \"$(VERSION)\"" $(KUBEARMOR_CHART_DIR)/values.yaml -i + $(YQ) eval ".kubearmor.image.tag = \"$(VERSION)\"" $(KUBEARMOR_CHART_DIR)/values.yaml - + $(YQ) eval ".snitch.image.tag = \"$(VERSION)\"" $(KUBEARMOR_OPERATOR_CHART_DIR)/values.yaml -i + $(YQ) eval ".kubearmorOperator.image.tag = \"$(VERSION)\"" $(KUBEARMOR_OPERATOR_CHART_DIR)/values.yaml -i + +REGISTRY ?= kubearmor +.PHONY: pin-images +pin-images: yq + $(YQ) eval ".imagePinning = true" $(KUBEARMOR_OPERATOR_CHART_DIR)/values.yaml -i + $(YQ) eval ".oci_meta.repo = \"$(REGISTRY)\"" $(KUBEARMOR_OPERATOR_CHART_DIR)/values.yaml -i + $(YQ) eval ".oci_meta.images.kubearmorRelay.tag = \"$(RELAY_VERSION)\"" $(KUBEARMOR_OPERATOR_CHART_DIR)/values.yaml -i + $(YQ) eval ".oci_meta.images.kubearmorInit.tag = \"$(VERSION)\"" $(KUBEARMOR_OPERATOR_CHART_DIR)/values.yaml -i + $(YQ) eval ".oci_meta.images.kubearmorController.tag = \"$(VERSION)\"" $(KUBEARMOR_OPERATOR_CHART_DIR)/values.yaml -i + $(YQ) eval ".oci_meta.images.kubearmor.tag = \"$(VERSION)\"" $(KUBEARMOR_OPERATOR_CHART_DIR)/values.yaml -i + $(YQ) eval ".oci_meta.images.kubearmorSnitch.tag = \"$(VERSION)\"" $(KUBEARMOR_OPERATOR_CHART_DIR)/values.yaml -i + $(YQ) eval ".oci_meta.images.kubearmorOperator.tag = \"$(VERSION)\"" $(KUBEARMOR_OPERATOR_CHART_DIR)/values.yaml -i + $(YQ) eval ".oci_meta.images.kubeRbacProxy.tag = \"$(KUBE_RBAC_PROXY)\"" $(KUBEARMOR_OPERATOR_CHART_DIR)/values.yaml -i + +.PHONY: chart-version +chart-version: yq + 
$(YQ) eval ".version = \"$(VERSION)\"" $(KUBEARMOR_CHART_DIR)/Chart.yaml -i + $(YQ) eval ".appVersion = \"$(VERSION)\"" $(KUBEARMOR_CHART_DIR)/Chart.yaml -i + $(YQ) eval ".version = \"$(VERSION)\"" $(KUBEARMOR_OPERATOR_CHART_DIR)/Chart.yaml -i + $(YQ) eval ".appVersion = \"$(VERSION)\"" $(KUBEARMOR_OPERATOR_CHART_DIR)/Chart.yaml -i + +.PHONY: embed-chart +embed-chart: yq + $(YQ) eval ".helm.repository=\"embed\"" $(KUBEARMOR_OPERATOR_CHART_DIR)/values.yaml -i + $(YQ) eval ".helm.chart=\"kubearmor\"" $(KUBEARMOR_OPERATOR_CHART_DIR)/values.yaml -i + $(YQ) eval ".helm.version=\"$(VERSION)\"" $(KUBEARMOR_OPERATOR_CHART_DIR)/values.yaml -i + +LOCALBIN ?= $(shell pwd)/bin +$(LOCALBIN): + mkdir -p $(LOCALBIN) + +YQ := $(LOCALBIN)/yq +yq: +ifeq (,$(wildcard $(YQ))) +ifeq (,$(shell ls $(YQ) 2>/dev/null)) + @{ \ + set -e ;\ + mkdir -p $(dir $(YQ)) ;\ + curl -L https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -o $(YQ); \ + chmod +x $(YQ); \ + } +endif +endif \ No newline at end of file diff --git a/pkg/KubeArmorOperator/Makefile b/pkg/KubeArmorOperator/Makefile index 9546526897..1a369b1218 100644 --- a/pkg/KubeArmorOperator/Makefile +++ b/pkg/KubeArmorOperator/Makefile 
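Review bot: The `pin-version` line for the main image, `$(YQ) eval ".kubearmor.image.tag = \"$(VERSION)\"" $(KUBEARMOR_CHART_DIR)/values.yaml -`, ends in `-` instead of `-i`, so unlike the other five edits it does not write in place and `kubearmor.image.tag` is never pinned; change the trailing `-` to `-i`. The `yq` target fetches `releases/latest/download/yq_linux_amd64` with no version pin and no checksum, and that binary then rewrites chart values that a release PR commits; pin a yq release and verify it against the upstream-published checksum before `chmod +x`. The two nested `ifeq` guards test the same path (`wildcard` and `ls`), so one `ifeq (,$(wildcard $(YQ)))` is enough. The file also ends without a trailing newline, per the `\ No newline at end of file` marker.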
@@ -159,12 +159,25 @@ run: manifests generate fmt vet install-dev ## Run a controller from your host. # (i.e. docker build --platform linux/arm64). However, you must enable docker buildKit for it. # More info: https://docs.docker.com/develop/develop-images/build_enhancements/ .PHONY: docker-build -docker-build: embed-chart ## Build docker image with the manager. +docker-build: docker-build-operator docker-build-snitch ## Build docker image with the manager. + +.PHONY: docker-build-operator +docker-build-operator: embed-chart $(CONTAINER_TOOL) build -t ${OPERATOR_IMG}:${VERSION} -t ${OPERATOR_IMG}:latest --build-arg VERSION=${VERSION} --target operator . + +.PHONY: docker-build-snitch +docker-build-snitch: $(CONTAINER_TOOL) build -t ${SNITCH_IMG}:${VERSION} -t ${SNITCH_IMG}:latest --build-arg VERSION=${VERSION} --target snitch . + .PHONY: docker-push -docker-push: ## Push docker image with the manager. +docker-push: docker-push-operator docker-push-snitch ## Push docker image with the manager. + +.PHONY: docker-push-operator +docker-push-operator: $(CONTAINER_TOOL) push ${OPERATOR_IMG}:${VERSION} + +.PHONY: docker-push-snitch +docker-push-snitch: $(CONTAINER_TOOL) push ${SNITCH_IMG}:${VERSION} # PLATFORMS defines the target platforms for the manager image be built to provide support to multiple 
@@ -173,17 +186,18 @@ docker-push: ## Push docker image with the manager. # - have enabled BuildKit. More info: https://docs.docker.com/develop/develop-images/build_enhancements/ # - be able to push the image to your registry (i.e. if you do not set a valid value via IMG=> then the export will fail) # To adequately provide solutions that are compatible with multiple platforms, you should consider using this option. -PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le +PLATFORM ?= "linux/amd64,linux/arm64/v8" .PHONY: docker-buildx -docker-buildx: embed-chart ## Build and push docker image for the manager for cross-platform support - # copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile - sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross - - $(CONTAINER_TOOL) buildx create --name project-v3-builder - $(CONTAINER_TOOL) buildx use project-v3-builder - - $(CONTAINER_TOOL) buildx build --platform ${PLATFORM} --build-arg VERSION=${VERSION} --push --target operator -t ${OPERATOR_IMG}:${VERSION} -f Dockerfile.cross . - - $(CONTAINER_TOOL) buildx build --platform ${PLATFORM} --build-arg VERSION=${VERSION} --push --target snitch -t ${SNITCH_IMG}:${VERSION} -f Dockerfile.cross . +docker-buildx: docker-buildx-operator docker-buildx-snitch ## Build and push docker image for the manager for cross-platform support + +.PHONY: docker-buildx-operator +docker-buildx-operator: embed-chart + - $(CONTAINER_TOOL) buildx build --platform ${PLATFORM} --build-arg VERSION=${VERSION} --push --target operator -t ${OPERATOR_IMG}:${VERSION} -f Dockerfile . + +.PHONY: docker-buildx-snitch +docker-buildx-snitch: + - $(CONTAINER_TOOL) buildx build --platform ${PLATFORM} --build-arg VERSION=${VERSION} --push --target snitch -t ${SNITCH_IMG}:${VERSION} -f Dockerfile . 
- $(CONTAINER_TOOL) buildx rm project-v3-builder - rm Dockerfile.cross ##@ Deployment
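Review bot: The two lines at the end of the hunk, `- $(CONTAINER_TOOL) buildx rm project-v3-builder` and `- rm Dockerfile.cross`, remain tab-indented directly after the new `docker-buildx-snitch:` rule, so on the new side they become part of that recipe even though the new targets never create `project-v3-builder` or `Dockerfile.cross` (the hunk's line counts suggest they are unchanged context rather than removals); delete them with the rest of the old recipe. The `buildx build ... --push` commands in both new targets keep the leading `-`, which makes `make` ignore their exit status, so `make docker-buildx` and the CI job calling it succeed even when the build or push fails; drop the `-` prefix so a failed publish fails the job. `PLATFORM ?= "linux/amd64,linux/arm64/v8"` stores the quote characters in the value and only works because the variable is only ever passed through a shell; `PLATFORM ?= linux/amd64,linux/arm64/v8` is the conventional form.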