Skip to content

Bump controller runtime (#1644) #148

Bump controller runtime (#1644)

Bump controller runtime (#1644) #148

Workflow file for this run

name: kapp-controller release
on:
workflow_dispatch:
push:
tags:
- 'v*'
jobs:
kapp-controller-release:
name: kapp-controller release
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
id-token: write
steps:
- name: Check out code
uses: actions/[email protected]
with:
fetch-depth: 0
- name: Install Carvel Tools
run: ./hack/install-deps.sh
- name: Install imgpkg
uses: carvel-dev/setup-action@v2
with:
only: imgpkg
token: ${{ secrets.GITHUB_TOKEN }}
- name: Login to GitHub Container Registry
uses: docker/[email protected]
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Go 1.x
uses: actions/setup-go@v5
with:
go-version: 1.22.9
- name: Set up Cosign
uses: sigstore/[email protected]
- name: Run release script
run: |
set -e -x
minikube start --driver=docker --wait=all
docker buildx create --name minikube --use --driver=kubernetes --bootstrap
./hack/build-release.sh
# Create release folder to store all the output artifacts
mkdir release
cp ./tmp/release.yml release/release.yml
cd cli
./hack/build-binaries.sh
cp ./kctrl-* ../release/
- name: Sign kapp-controller OCI image
run: |
image_url=`yq e '.spec.template.spec.containers[] | select(.name == "kapp-controller") | .image' release/release.yml`
cosign sign --yes "$image_url"
- name: Verify signature on Kapp-controller OCI image
run: |
image_url=`yq e '.spec.template.spec.containers[] | select(.name == "kapp-controller") | .image' release/release.yml`
cosign verify \
$image_url \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
- name: Run Package build
run: |
constraintVersion="${{ github.ref_name }}"
./cli/kctrl-linux-amd64 pkg release -y -v ${constraintVersion:1} --debug
mv ./carvel-artifacts/packages/kapp-controller.carvel.dev/metadata.yml ./carvel-artifacts/packages/kapp-controller.carvel.dev/package-metadata.yml
mv ./carvel-artifacts/packages/kapp-controller.carvel.dev/* release/
- name: Sign kapp-controller-package-bundle OCI image
run: |
image_url=`yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml`
cosign sign --yes "$image_url"
- name: Verify signature on kapp-controller-package-bundle OCI image
run: |
image_url=`yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml`
cosign verify \
$image_url \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
- name: Generate release notes
run: |
RELEASE_TAG=$(git describe --tags --abbrev=0)
KAPP_CONTROLLER_IMAGE=$(yq e '.spec.template.spec.containers[] | select(.name == "kapp-controller") | .image' release/release.yml)
KAPP_CONTROLLER_PACKAGE_BUNDLE_IMAGE=$(yq e '.spec.template.spec.fetch[0].imgpkgBundle.image' release/package.yml)
RELEASE_NOTES="
<details>
<summary><h2>Installation and signature verification</h2></summary>
## Installation of kctrl
#### By downloading binary from the release
For instance, if you are using Linux on an AMD64 architecture:
\`\`\`shell
# Download the binary
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/kctrl-linux-amd64
# Move the binary in to your PATH
mv kctrl-linux-amd64 /usr/local/bin/kctrl
# Make the binary executable
chmod +x /usr/local/bin/kctrl
\`\`\`
#### Via Homebrew (macOS or Linux)
\`\`\`shell
$ brew tap carvel-dev/carvel
$ brew install kctrl
$ kctrl version
\`\`\`
## Verify checksums file signature
Install cosign on your system https://docs.sigstore.dev/system_config/installation/
The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of this file, run the following commands:
\`\`\`shell
# Download the checksums file, certificate, and signature
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt.pem
curl -LO https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/releases/download/$RELEASE_TAG/checksums.txt.sig
### Verify the checksums file
cosign verify-blob checksums.txt \
--certificate checksums.txt.pem \
--signature checksums.txt.sig \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
\`\`\`
### Verify binary integrity
To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature. For instance, if you are using Linux on an AMD64 architecture:
\`\`\`shell
# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing
\`\`\`
## Installation of kapp-controller
kapp-controller can be installed by using kapp
\`\`\`shell
kapp deploy -a kc -f https://github.com/carvel-dev/kapp-controller/releases/download/$RELEASE_TAG/release.yml
\`\`\`
or by using kubectl
\`\`\`shell
kubectl deploy -f https://github.com/carvel-dev/kapp-controller/releases/download/$RELEASE_TAG/release.yml
\`\`\`
### Container Images
Kapp-controller and Kapp-controller-package-bundle images are available in Github Container Registry.
### OCI Image URLs
- $KAPP_CONTROLLER_IMAGE
- $KAPP_CONTROLLER_PACKAGE_BUNDLE_IMAGE
### Verify container image signature
The container images are signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of OCI images, run the following commands:
\`\`\`shell
# Verifying kapp-controller image
cosign verify $KAPP_CONTROLLER_IMAGE \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-o text
# Verifying kapp-controller-package-bundle image
cosign verify $KAPP_CONTROLLER_PACKAGE_BUNDLE_IMAGE \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-o text
\`\`\`
</summary>
</details>
"
echo "$RELEASE_NOTES" > ./tmp/release_notes.txt
- name: Create formatted checksum and add it to release notes
run: |
pushd release
shasum -a 256 ./release.yml ./kctrl-* ./package.yml ./package-metadata.yml | tee ../tmp/checksums.txt
popd
echo "# :open_file_folder: Files Checksum" | tee ./tmp/checksums-formatted.txt
echo '```' | tee -a ./tmp/checksums-formatted.txt
cat ./tmp/checksums.txt | tee -a ./tmp/checksums-formatted.txt
echo '```' | tee -a ./tmp/checksums-formatted.txt
cat ./tmp/checksums-formatted.txt | tee -a ./tmp/release_notes.txt
- name: Sign checksums.txt
run: |
cosign sign-blob --yes ./tmp/checksums.txt --output-certificate release/checksums.txt.pem --output-signature release/checksums.txt.sig
- name: Verify checksums signature
run: |
cosign verify-blob \
--cert release/checksums.txt.pem \
--signature release/checksums.txt.sig \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com ./tmp/checksums.txt
- name: Create release draft and upload release yaml
uses: softprops/[email protected]
with:
name: ${{ github.ref_name }}
token: ${{ secrets.GITHUB_TOKEN }}
body_path: ./tmp/release_notes.txt
files: |
./release/*
./tmp/checksums.txt
draft: true
prerelease: true
- name: Get uploaded release YAML checksum
uses: actions/[email protected]
id: get-checksums-from-draft-release
if: startsWith(github.ref, 'refs/tags/')
with:
github-token: ${{secrets.GITHUB_TOKEN}}
result-encoding: string
script: |
var crypto = require('crypto');
const { owner, repo } = context.repo;
// https://docs.github.com/en/rest/reference/repos#list-releases
// https://octokit.github.io/rest.js/v18#repos-list-releases
var releases = await github.rest.repos.listReleases({
owner: owner,
repo: repo
});
var crypto = require('crypto')
var fs = require('fs')
const url = require('url');
const https = require('https');
checksums = {}
for (const r of releases["data"]) {
if (r.draft && `refs/tags/${r.tag_name}` == "${{ github.ref }}") {
for (const asset of r.assets) {
var release_asset = await github.rest.repos.getReleaseAsset({ headers: {accept: `application/octet-stream`}, accept: `application/octet-stream`, owner: owner, repo: repo, asset_id: asset.id });
const hash = crypto.createHash('sha256');
let http_promise = new Promise((resolve, reject) => {
https.get(release_asset.url, (stream) => {
stream.on('data', function (data) {
hash.update(data);
});
stream.on('end', function () {
checksums[asset.name]= hash.digest('hex');
resolve(`${asset.name}`);
});
});
});
await http_promise;
}
}
}
console.log(checksums)
return `${checksums['release.yml']} ./release.yml
${checksums['kctrl-darwin-amd64']} ./kctrl-darwin-amd64
${checksums['kctrl-darwin-arm64']} ./kctrl-darwin-arm64
${checksums['kctrl-linux-amd64']} ./kctrl-linux-amd64
${checksums['kctrl-linux-arm64']} ./kctrl-linux-arm64
${checksums['kctrl-windows-amd64.exe']} ./kctrl-windows-amd64.exe
${checksums['package.yml']} ./package.yml
${checksums['package-metadata.yml']} ./package-metadata.yml`
- name: Verify uploaded artifacts
if: startsWith(github.ref, 'refs/tags/')
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: |
set -e -x
cat ./tmp/checksums.txt
diff ./tmp/checksums.txt <(cat <<EOF
${{steps.get-checksums-from-draft-release.outputs.result}}
EOF
)