diff --git a/.github/workflows/ci-latest-helm-chart-release.yaml b/.github/workflows/ci-latest-helm-chart-release.yaml
index b11bd6b2c..d14b9f9ce 100644
--- a/.github/workflows/ci-latest-helm-chart-release.yaml
+++ b/.github/workflows/ci-latest-helm-chart-release.yaml
@@ -13,7 +13,7 @@ permissions: read-all
 jobs:
 publish-chart:
 name: Update Stable Helm Chart With Latest Changes
- if: ${{ (github.repository == 'kubearmor/kubearmor') && (!contains(github.event.head_commit.message, '[skip ci]')) }}
+ if: ${{ (github.repository == 'kubearmor/kubearmor') }}
 runs-on: ubuntu-20.04
 permissions:
 contents: write
diff --git a/.github/workflows/ci-latest-release.yml b/.github/workflows/ci-latest-release.yml
index d6c64af00..c41a7d740 100644
--- a/.github/workflows/ci-latest-release.yml
+++ b/.github/workflows/ci-latest-release.yml
@@ -46,7 +46,7 @@ jobs:
 if: github.repository == 'kubearmor/kubearmor' && (needs.check.outputs.kubearmor == 'true' || ${{ github.ref }} != 'refs/heads/main')
 runs-on: ubuntu-latest-16-cores
 permissions:
- id-token: write
+ id-token: write
 timeout-minutes: 120
 steps:
 - uses: actions/checkout@v3
@@ -81,7 +81,7 @@ jobs:
 run: |
 make docker-build TAG=${{ steps.vars.outputs.tag }}
- - name: deploy pre existing pod
+ - name: deploy pre existing pod
 run: |
 kubectl apply -f ./tests/k8s_env/ksp/pre-run-pod.yaml
 sleep 60
@@ -93,7 +93,7 @@ jobs:
 docker save kubearmor/kubearmor:${{ steps.vars.outputs.tag }} | sudo k3s ctr images import -
 docker save kubearmor/kubearmor-operator:${{ steps.vars.outputs.tag }} | sudo k3s ctr images import -
 docker save kubearmor/kubearmor-snitch:${{ steps.vars.outputs.tag }} | sudo k3s ctr images import -
-
+
 helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kubearmor --create-namespace --set kubearmorOperator.image.tag=${{ steps.vars.outputs.tag }}
 kubectl wait --for=condition=ready --timeout=5m -n kubearmor pod -l kubearmor-app=kubearmor-operator
 kubectl get pods -A
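Review bot: Dropping the `[skip ci]` guard from `publish-chart`'s `if` means a commit whose message asks to skip CI will still republish the stable Helm chart, and nothing on the condition records that this is intended, so the next reader is likely to re-add it; a comment such as `# chart publish must track every merge, so [skip ci] is deliberately ignored here` would settle that. The surviving condition also no longer needs the `${{ }}` wrapper or the inner parentheses: `if: github.repository == 'kubearmor/kubearmor'`. The job carries `contents: write`, so this repository check is now the only gate in front of a write to the repository; the trigger that feeds it is outside the hunk.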
@@ -145,12 +145,12 @@ jobs:
 - name: Push KubeArmor images to Docker
 run: GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/push_kubearmor.sh ${{ steps.vars.outputs.tag }}
- - name: Install Cosign
+ - name: Install Cosign
 uses: sigstore/cosign-installer@main
 - name: Get Image Digest
 id: digest
- run: |
+ run: |
 echo "imagedigest=$(jq -r '.["containerimage.digest"]' kubearmor.json)" >> $GITHUB_OUTPUT
 echo "initdigest=$(jq -r '.["containerimage.digest"]' kubearmor-init.json)" >> $GITHUB_OUTPUT
 echo "ubidigest=$(jq -r '.["containerimage.digest"]' kubearmor-ubi.json)" >> $GITHUB_OUTPUT
@@ -207,7 +207,7 @@ jobs:
 regctl image copy kubearmor/kubearmor:$STABLE_VERSION kubearmor/kubearmor:stable --digest-tags
 regctl image copy kubearmor/kubearmor-ubi:$STABLE_VERSION kubearmor/kubearmor-ubi:stable --digest-tags
 regctl image copy kubearmor/kubearmor-controller:$STABLE_VERSION kubearmor/kubearmor-controller:stable --digest-tags
-
+
 kubearmor-controller-release:
 name: Build & Push KubeArmorController
 needs: check
@@ -223,7 +223,7 @@ jobs:
 - uses: actions/setup-go@v5
 with:
 go-version-file: 'KubeArmor/go.mod'
-
+
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v2
diff --git a/.github/workflows/ci-marketplace-release.yml b/.github/workflows/ci-marketplace-release.yml
index 237456212..7321481dc 100644
--- a/.github/workflows/ci-marketplace-release.yml
+++ b/.github/workflows/ci-marketplace-release.yml
@@ -7,6 +7,9 @@ on:
 - "STABLE-RELEASE"
 - ".github/workflows/ci-marketplace-release.yml"
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 certify-images-on-redhat:
 runs-on: ubuntu-latest
@@ -249,4 +252,4 @@ jobs:
 Assignees: @kubearmor/triagers
- Refer the documentation [here](https://github.com/kubearmor/KubeArmor/wiki/Update-KubeArmor-Marketplace-Releases) for update listing instructions.
\ No newline at end of file
+ Refer the documentation [here](https://github.com/kubearmor/KubeArmor/wiki/Update-KubeArmor-Marketplace-Releases) for update listing instructions.
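Review bot: With `permissions: read-all` now the workflow-wide default in ci-marketplace-release.yml, any job that still has to write needs its own job-level `permissions:` block, and the second hunk's issue body (`Assignees: @kubearmor/triagers`, the "update listing instructions" text) suggests at least one step creates an issue and would need `issues: write`; the job bodies are outside both hunks, so I can't confirm whether they already declare it. A dry run of the workflow from a branch before the next STABLE-RELEASE change would catch a silent 403 from the issue step. The comment above the new key could also point readers at the opt-back-in mechanism, e.g. `# Declare default permissions as read only; jobs that write declare their own permissions: block.`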
diff --git a/.github/workflows/ci-systemd-release.yml b/.github/workflows/ci-systemd-release.yml
index 45157fac6..740e8b601 100644
--- a/.github/workflows/ci-systemd-release.yml
+++ b/.github/workflows/ci-systemd-release.yml
@@ -1,10 +1,19 @@
 name: ci-systemd-release
 on:
+ workflow_dispatch:
+ inputs:
+ tag:
+ description: "Release tag which has to be updated"
+ type: "string"
+ required: true
 push:
 tags:
 - "*"
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 goreleaser:
 runs-on: ubuntu-20.04
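Review bot: The new top-level `permissions: read-all` makes `GITHUB_TOKEN` read-only, yet the `goreleaser` job's Run GoReleaser step (next hunk) publishes the GitHub release with that token, so the job needs a job-level `permissions:` carrying `contents: write`; if the `signs` block in KubeArmor/.goreleaser.yaml signs keylessly (`certificate: '${artifact}.cert'` and `--yes` suggest so), `id-token: write` is needed there as well. The `goreleaser:` job header is in this hunk but its body continues outside it, so I can't see whether those are already declared. On the new `workflow_dispatch` input, `type: "string"` and `type: string` parse to the same value, but the unquoted form matches how the rest of the file writes scalars. The input is otherwise unconstrained, and its `description` is the only hint of the expected format; a sentence such as `description: "Existing release tag to re-publish (e.g. v1.2.3)"` would tell the person dispatching it what is accepted, with the actual example adjusted to the project's tag scheme.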
@@ -16,34 +25,70 @@ jobs:
 - uses: actions/checkout@v3
 with:
 submodules: true
+ fetch-depth: 0
 - uses: actions/setup-go@v5
 with:
 go-version-file: 'KubeArmor/go.mod'
-
 - name: Install the latest LLVM toolchain
 run: ./.github/workflows/install-llvm.sh
 - name: Compile libbpf
 run: ./.github/workflows/install-libbpf.sh
+
 - name: Install Cosign
 uses: sigstore/cosign-installer@main
 - name: Install karmor
 run: curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b .
 working-directory: KubeArmor
-
+
 - name: Build KubeArmor object files
- run: make
+ run: make
 working-directory: KubeArmor/BPF
-
+
+ - name: Log in to Docker Hub
+ uses: docker/login-action@v2
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_AUTHTOK }}
+
+ - name: Get release tag
+ id: vars
+ run: |
+ cp KubeArmor/.goreleaser.yaml /tmp/.goreleaser.yaml
+ if [[ ${{ github.event_name }} == "workflow_dispatch" ]]; then
+ # checkout branch but use goreleaser config from latest
+ echo "Checking out tag: ${{ inputs.tag }}"
+ git checkout ${{ inputs.tag }}
+ echo "GORELEASER_CURRENT_TAG=${{ inputs.tag }}" >> $GITHUB_OUTPUT
+
+ REF=${{ inputs.tag }}
+ echo "tag=${REF#v}" >> $GITHUB_OUTPUT
+ else
+ REF=${GITHUB_REF#refs/*/}
+ echo "tag=${REF#v}" >> $GITHUB_OUTPUT
+ fi
+
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v5
 with:
 distribution: goreleaser
 version: v1.25.0
- args: release --clean
+ args: release --config=/tmp/.goreleaser.yaml
 workdir: KubeArmor
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GORELEASER_CURRENT_TAG: ${{ steps.vars.outputs.GORELEASER_CURRENT_TAG }}
+
+ - name: Setup ORAS
+ uses: oras-project/setup-oras@v1
+ with:
+ version: 1.0.0
+
+ - name: Publish release artifacts to Dockerhub
+ working-directory: KubeArmor/dist
+ run: |
+ oras push docker.io/kubearmor/kubearmor-systemd:${{ steps.vars.outputs.tag }}_linux-amd64 kubearmor_${{ steps.vars.outputs.tag }}_linux-amd64.tar.gz
+ oras push docker.io/kubearmor/kubearmor-systemd:${{ steps.vars.outputs.tag }}_linux-arm64 kubearmor_${{ steps.vars.outputs.tag }}_linux-arm64.tar.gz
diff --git a/KubeArmor/.goreleaser.yaml b/KubeArmor/.goreleaser.yaml
index 2fc835ee3..9480c1c9f 100644
--- a/KubeArmor/.goreleaser.yaml
+++ b/KubeArmor/.goreleaser.yaml
@@ -11,6 +11,11 @@ builds:
 env:
 - CGO_ENABLED=0
+release:
+ replace_existing_artifacts: true
+ mode: replace
+ make_latest: false
+
 signs:
 - cmd: cosign
 certificate: '${artifact}.cert'
@@ -22,7 +27,7 @@ signs:
 - --yes
 artifacts: all
 output: true
-
+
 archives:
 - id: "kubearmor"
 builds:
diff --git a/KubeArmor/go.mod b/KubeArmor/go.mod
index dfcd6368b..04ec7b200 100644
--- a/KubeArmor/go.mod
+++ b/KubeArmor/go.mod
@@ -45,6 +45,7 @@ require (
 k8s.io/apimachinery v0.29.0
 k8s.io/client-go v0.29.0
 k8s.io/cri-api v0.29.0
+ k8s.io/klog/v2 v2.120.0
 k8s.io/utils v0.0.0-20240310230437-4693a0247e57
 sigs.k8s.io/controller-runtime v0.15.3
 )
@@ -130,7 +131,6 @@ require (
 gotest.tools/v3 v3.4.0 // indirect
 k8s.io/apiextensions-apiserver v0.29.0 // indirect
 k8s.io/component-base v0.29.0 // indirect
- k8s.io/klog/v2 v2.120.0 // indirect
 k8s.io/kube-openapi v0.0.0-20240105020646-a37d4de58910 // indirect
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
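Review bot: In the new Get release tag step, `${{ inputs.tag }}` and `${{ github.event_name }}` are expanded into the script text before the shell runs it, so whatever the dispatcher typed lands unquoted inside `[[ ... ]]`, on the `git checkout` line and in the `echo` lines; the usual mitigation is to hand them in through `env:` and reference `"$INPUT_TAG"` / `"$EVENT_NAME"` as quoted shell variables. `workflow_dispatch` already requires write access, so in practice this is as much about a typo or stray shell metacharacter corrupting a release as about injection, and a format check on the tag before `git checkout` rejects both. `GORELEASER_CURRENT_TAG` is only written on the dispatch path, so on a tag push the env var on Run GoReleaser is set to an empty string — presumably GoReleaser then falls back to the checked-out tag, but a one-line comment stating that would save the next reader a trip to the docs. `oras-project/setup-oras@v1` and `docker/login-action@v2` are new mutable-tag references in a job that holds Docker Hub credentials; the rest of the file uses the same style, but a commit-SHA pin with a `# vN` comment is the usual hardening for release workflows. The enclosing `goreleaser` job begins in the previous hunk.
```yaml
      - name: Get release tag
        id: vars
        env:
          EVENT_NAME: ${{ github.event_name }}
          INPUT_TAG: ${{ inputs.tag }}
        run: |
          cp KubeArmor/.goreleaser.yaml /tmp/.goreleaser.yaml
          if [[ "$EVENT_NAME" == "workflow_dispatch" ]]; then
            # reject anything that does not look like a release tag before touching the checkout
            # (placeholder pattern: adjust to the project's tag scheme)
            [[ "$INPUT_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]] || { echo "invalid tag: $INPUT_TAG"; exit 1; }
            # checkout the tag but keep using the goreleaser config from the latest main
            echo "Checking out tag: $INPUT_TAG"
            git checkout "$INPUT_TAG"
            echo "GORELEASER_CURRENT_TAG=$INPUT_TAG" >> "$GITHUB_OUTPUT"
            echo "tag=${INPUT_TAG#v}" >> "$GITHUB_OUTPUT"
          else
            REF=${GITHUB_REF#refs/*/}
            echo "tag=${REF#v}" >> "$GITHUB_OUTPUT"
          fi
      # … unchanged: Run GoReleaser, Setup ORAS, Publish release artifacts to Dockerhub …
```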
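Review bot: `mode: replace` together with `replace_existing_artifacts: true` lets a re-run against an existing tag overwrite that release's assets, including the `.cert` files and signatures the `signs` block produces with cosign, so a second dispatch silently replaces artifacts that earlier consumers may already have verified; that is presumably exactly what the new workflow_dispatch re-publish path needs, but the config does not say so. A comment above the block, `# allow workflow_dispatch re-runs to re-publish an existing tag's assets`, would record the intent, and `make_latest: false` deserves its own line, e.g. `# a re-run must never move the "latest" release marker`. The `release:` block is complete within the hunk.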