feat: Also publish chart to OCI registry #1889

Merged
merged 2 commits into aquasecurity:main from mkilchhofer:feature/chart_oci_publish
Mar 6, 2024

Conversation

mkilchhofer
Contributor

@mkilchhofer mkilchhofer commented Mar 3, 2024

Description

See linked issue:

The helm chart of trivy-operator is published using the classic approach with a static webserver and an index.yaml (on a separate Repository https://github.com/aquasecurity/helm-charts).

$ helm repo add aqua https://aquasecurity.github.io/helm-charts/
$ helm install trivy-operator aqua/trivy-operator \
     --namespace trivy-system \
     --create-namespace \
     --version 0.20.6

In helm 3.8+ the OCI method went GA:

I'd like to see you pushing the packaged helm chart(s) also on ghcr.io, alongside the container images and trivy-db's.

There is existing code available from multiple Kubernetes projects which could easily be adapted:

Once this is implemented, users can easily install trivy-operator via:

helm install trivy-operator oci://ghcr.io/aquasecurity/charts/trivy-operator --version x.y.z


Testing

  • I created a second branch feature/chart_oci_publish_FORK_ADAPTION with a small adaptation of the paths and ran it inside my fork:
    git diff feature/chart_oci_publish..feature/chart_oci_publish_FORK_ADAPTION
    diff --git a/.github/workflows/publish-helm-chart.yaml b/.github/workflows/publish-helm-chart.yaml
    index d627445..7d7f539 100644
    --- a/.github/workflows/publish-helm-chart.yaml
    +++ b/.github/workflows/publish-helm-chart.yaml
    @@ -7,17 +7,19 @@ on:
        types: [publish-chart]
        paths:
          - deploy/helm/Chart.yaml
    +  # Manual trigger is also possible
    +  workflow_dispatch: {}
    env:
      CR_PACKAGE_PATH: .cr-release-packages
    -  HELM_REP: helm-charts
    -  GH_OWNER: aquasecurity
    +  HELM_REP: aquasecurity-helm-charts
    +  GH_OWNER: mkilchhofer
      CHART_DIR: deploy/helm
      KIND_VERSION: v0.17.0
      KIND_IMAGE: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
    jobs:
      release:
        # this job will only run if the PR has been merged
    -    if: github.event.client_payload.action == 'chart-release' || github.event.client_payload.action == 'chart-and-app-release'
    +    # if: github.event.client_payload.action == 'chart-release' || github.event.client_payload.action == 'chart-and-app-release'
        permissions:
          contents: write  # for peter-evans/repository-dispatch to create a repository dispatch event
          packages: write  # to push OCI chart package to GitHub Registry
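Review bot: the commented-out `if: github.event.client_payload.action == 'chart-release' || ...` guard on the `release` job, combined with the new `workflow_dispatch: {}` trigger, means any manual dispatch on the fork runs a job holding `contents: write` and `packages: write` and pushes a chart to ghcr.io. That is fine for the fork test described in this PR, but the guard must stay in the upstream workflow so that only the intended `chart-release` / `chart-and-app-release` dispatch events can publish a chart; if `workflow_dispatch` is kept upstream, extend the condition to `github.event_name == 'workflow_dispatch' || ...` rather than dropping it. Pinning `KIND_IMAGE` by `@sha256:` digest is the right call and should be kept.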
    @@ -92,16 +94,16 @@ jobs:
                helm push "${pkg}" oci://ghcr.io/${{ env.GH_OWNER }}/${{ env.HELM_REP }}
              done
    
    -      - name: Get latest tag
    -        id: latest_tag
    -        run: |
    -          latest_tag=$(git describe --tags --abbrev=0)
    -          echo "::set-output name=tag::$latest_tag"
    +      # - name: Get latest tag
    +      #   id: latest_tag
    +      #   run: |
    +      #     latest_tag=$(git describe --tags --abbrev=0)
    +      #     echo "::set-output name=tag::$latest_tag"
    
    -      - name: Repository Dispatch Publish docs
    -        if: github.event.client_payload.action == 'chart-and-app-release' && !contains(steps.latest_tag.outputs.tag, 'rc')
    -        uses: peter-evans/repository-dispatch@v3
    -        with:
    -          token: ${{ secrets.GITHUB_TOKEN }}
    -          event-type: publish-docs
    -          client-payload: '{"action": "docs-release", "tag": "${{ steps.latest_tag.outputs.tag }}"}'
    +      # - name: Repository Dispatch Publish docs
    +      #   if: github.event.client_payload.action == 'chart-and-app-release' && !contains(steps.latest_tag.outputs.tag, 'rc')
    +      #   uses: peter-evans/repository-dispatch@v3
    +      #   with:
    +      #     token: ${{ secrets.GITHUB_TOKEN }}
    +      #     event-type: publish-docs
    +      #     client-payload: '{"action": "docs-release", "tag": "${{ steps.latest_tag.outputs.tag }}"}'
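Review bot: the `Get latest tag` step (commented out for the fork, retained upstream) still writes its output with `echo "::set-output name=tag::$latest_tag"`, which GitHub has deprecated; replace it with `echo "tag=$latest_tag" >> "$GITHUB_OUTPUT"` so the `steps.latest_tag.outputs.tag` reference in the docs dispatch keeps working after the old syntax is disabled. `git describe --tags --abbrev=0` also only resolves a tag if the checkout step fetched tags, which is not visible in this diff and worth confirming. In the `helm push "${pkg}" oci://ghcr.io/${{ env.GH_OWNER }}/${{ env.HELM_REP }}` loop, consider capturing the `Digest: sha256:...` line helm prints so the published manifest digest ends up in the job log or release notes for users who want to pin it.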
  • Created a repository to simulate the central helm repository: https://github.com/mkilchhofer/aquasecurity-helm-charts
  • Executed the workflow without simulating all repo dispatch events
    See: https://github.com/mkilchhofer/trivy-operator/actions/runs/8130660226/job/22219118024
  • Classic chart publish works
    $ helm repo add aqua-fork https://mkilchhofer.github.io/aquasecurity-helm-charts/
    "aqua-fork" has been added to your repositories
    
    $ helm search repo aqua-fork
    NAME                    	CHART VERSION	APP VERSION	DESCRIPTION
    aqua-fork/trivy-operator	0.20.6       	0.18.5     	Keeps security report resources updated
  • OCI publish also works
    $ helm show chart oci://ghcr.io/mkilchhofer/aquasecurity-helm-charts/trivy-operator
    Pulled: ghcr.io/mkilchhofer/aquasecurity-helm-charts/trivy-operator:0.20.6
    Digest: sha256:abfb2006b259fb160daf5d5b51d90928d37242790a9a89273618d41ec4b50519
    apiVersion: v2
    appVersion: 0.18.5
    description: Keeps security report resources updated
    keywords:
    - aquasecurity
    - trivyoperator
    - trivy
    name: trivy-operator
    sources:
    - https://github.com/aquasecurity/trivy-operator
    type: application
    version: 0.20.6

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
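The description above shows the proposed `helm install ... oci://ghcr.io/...` command, and the Testing section shows that Helm prints a `Digest: sha256:...` line when it fetches an OCI chart. The following script is an added example, not code from this PR or the trivy-operator project: it pulls the chart to a temporary directory, checks the digest Helm reports against a digest you reviewed beforehand, and only then installs from the verified local archive. It assumes the chart path proposed in the description (`oci://ghcr.io/aquasecurity/charts/trivy-operator`), uses the digest from the fork test output above purely as a placeholder for `EXPECTED_DIGEST`, and requires `helm` on `PATH` for the `install` action.

```shell
#!/bin/sh
# Added example (not part of the PR or the trivy-operator project): pin an OCI
# chart install to a reviewed digest so it fails closed if the registry serves
# different content under the same version tag.
# Assumptions: CHART_REF is the path proposed in the PR description;
# EXPECTED_DIGEST is the digest from the fork test run, used here only as a
# placeholder, and must be replaced with the digest you actually reviewed.
set -u

CHART_REF="oci://ghcr.io/aquasecurity/charts/trivy-operator"
CHART_VERSION="0.20.6"
EXPECTED_DIGEST="sha256:abfb2006b259fb160daf5d5b51d90928d37242790a9a89273618d41ec4b50519"

# Helm prints "Pulled: <ref>" and "Digest: sha256:<hex>" when it fetches an OCI
# chart. Extract the digest from that output; print nothing if it is absent.
extract_digest() {
  printf '%s\n' "$1" | sed -n 's/^Digest: \(sha256:[0-9a-f]\{64\}\)$/\1/p' | head -n 1
}

# Exit status 0 only when the output carries exactly the expected digest.
digest_matches() {
  got=$(extract_digest "$1")
  [ -n "$got" ] && [ "$got" = "$2" ]
}

# Pull the chart into a temp dir, verify the digest Helm reported, then install
# from the verified local .tgz rather than contacting the registry a second time.
install_pinned() {
  tmp=$(mktemp -d) || return 1
  # helm pull writes the Pulled:/Digest: lines to stderr, so merge the streams.
  if ! out=$(helm pull "$CHART_REF" --version "$CHART_VERSION" --destination "$tmp" 2>&1); then
    printf 'helm pull failed:\n%s\n' "$out" >&2
    rm -rf "$tmp"
    return 1
  fi
  if ! digest_matches "$out" "$EXPECTED_DIGEST"; then
    printf 'digest mismatch: expected %s, got "%s"\n' \
      "$EXPECTED_DIGEST" "$(extract_digest "$out")" >&2
    rm -rf "$tmp"
    return 1
  fi
  # helm pull saves the chart as <name>-<version>.tgz in the destination dir.
  helm install trivy-operator "$tmp/trivy-operator-$CHART_VERSION.tgz" \
    --namespace trivy-system --create-namespace
  rc=$?
  rm -rf "$tmp"
  return $rc
}

# Only talk to the registry when explicitly asked: `sh pin-chart.sh install`
case "${1-}" in
  install) install_pinned ;;
esac
```

The digest Helm prints is the OCI manifest digest of the pushed artifact, not the SHA-256 of the `.tgz` file, so compare it against the value recorded when the chart was reviewed (for example, the `Digest:` line from the publishing job), not against a checksum of a locally packaged chart. Installing from the pulled archive rather than re-running `helm install oci://...` avoids a second resolution of the tag between check and use.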


@@ -37,7 +41,7 @@ jobs:
uses: helm/kind-action@v1.9.0 # v1.5.0
with:
version: ${{ env.KIND_VERSION }}
image: ${{ env.KIND_IMAGE }}
node_image: ${{ env.KIND_IMAGE }}
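Review bot: the trailing `# v1.5.0` comment on `uses: helm/kind-action@v1.9.0` is stale and contradicts the pinned tag; either drop it or, better, pin the action to the full commit SHA of the v1.9.0 release and keep `# v1.9.0` as the comment, which is the convention that comment implies and protects the release job against a moved or retagged release. The `image:` to `node_image:` rename itself matches the valid inputs listed in the warning below.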
@mkilchhofer (Contributor Author) commented on this diff:

Fixes the warning:

Warning: Unexpected input(s) 'image', valid inputs are ['version', 'config', 'node_image', 'cluster_name', 'wait', 'verbosity', 'kubectl_version', 'install_only', 'ignore_failed_clean']


@chen-keinan chen-keinan (Contributor) left a comment

@mkilchhofer lgtm 🚀 one comment: could you please update the helm install docs accordingly with the new install command option?

@mkilchhofer (Contributor Author)

@chen-keinan I can do that. But I skipped this intentionally and wanted to add it as soon as the first chart is published to OCI.

@chen-keinan (Contributor)

@mkilchhofer it should be a small and quick change to the docs; it would be great to have both so they can get merged together.

Signed-off-by: Marco Maurer <mkilchhofer@users.noreply.github.com>
@mkilchhofer (Contributor Author)

@mkilchhofer it should be a small and quick change to the docs; it would be great to have both so they can get merged together.

@chen-keinan Alright, updated the PR. Is that okay for you like this?

@chen-keinan chen-keinan (Contributor) left a comment

@mkilchhofer lgtm 🚀 thank you for the contribution

@chen-keinan chen-keinan merged commit f6b4e47 into aquasecurity:main Mar 6, 2024
8 checks passed
@mkilchhofer mkilchhofer deleted the feature/chart_oci_publish branch March 6, 2024 09:49
Successfully merging this pull request may close these issues.

Publish helm chart(s) also as an OCI package (e.g. on GHCR registry)