
Commit 40f96e6

feat(deployment): support Airgap relocation (#1091)
Signed-off-by: Miguel Martinez Trivino <[email protected]>
1 parent 95e5518 commit 40f96e6

14 files changed

+148
-65
lines changed

.github/workflows/utils/bump-chart-version.sh

Lines changed: 30 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ set -e
66

77
die () {
88
echo >&2 "$@"
9-
echo "usage: bump.sh [chartPath] [version]"
9+
echo "usage: bump.sh [chartPath] [version] [isCanary]"
1010
exit 1
1111
}
1212
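Review bot: the new usage string lists `[isCanary]` in the same bracket style as the two required arguments, while the argument check later in the file accepts two or more and defaults the third to `false`; make the usage text say the third argument is optional, e.g. `usage: bump.sh <chartPath> <version> [isCanary=false]`, so the usage line and the `die` message ("At least 2 arguments required") agree.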

@@ -15,19 +15,36 @@ if [[ -n "${DEBUG}" ]]; then
1515
set -x
1616
fi
1717

18-
[ "$#" -eq 2 ] || die "2 arguments required, $# provided"
18+
[ "$#" -ge 2 ] || die "At least 2 arguments required, $# provided"
1919

2020
chart_yaml="${1}/Chart.yaml"
21+
values_yaml="${1}/values.yaml"
22+
semVer="${2}"
23+
24+
## Changes in Chart.yaml
25+
# If we are bumping to a canary version, we want to
26+
# - Replace the patch segment in the version (build or pre-release component are not valid)
27+
# - Append `canary` to the chart Name
28+
isCanary="${3:-false}"
29+
if [[ "${isCanary}" == "true" ]]; then
30+
# i.e 1.0.2 => 1.0.2024122233
31+
chartVersion=$(cat ${chart_yaml} | awk -F'[ .]' '/^version:/ {print $2"."$3}').${semVer}
32+
33+
sed -i "s#^version:.*#version: ${chartVersion}#g" "${chart_yaml}"
34+
sed -i 's/^name: \(.*\)/name: \1-canary/' "${chart_yaml}"
35+
else
36+
# We are not bumping to a canary version so we want to
37+
# Bump chart version MINOR and reset PATCH segment
38+
# A new release means a bump in the minor segment of the Chart and a reset of the patch one
39+
# i.e 1.0.2 => 1.1.0
40+
chartVersion=$(cat ${chart_yaml} | awk -F'[ .]' '/^version:/ {print $2"."$3+1"."0}')
41+
sed -i "s#^version:.*#version: ${chartVersion}#g" "${chart_yaml}"
42+
fi
2143

22-
# Remove v prefix if provided
23-
semVer="$(echo ${2} | sed -e 's/^v\(.*\)/\1/')"
24-
25-
26-
# AppVersion includes a v prefix
27-
sed -i "s#^appVersion:.*#appVersion: v${semVer}#g" "${chart_yaml}"
44+
# AppVersion represents the container version
45+
sed -i "s#^appVersion:.*#appVersion: ${semVer}#g" "${chart_yaml}"
46+
# We want to also replace the images annotation tags
47+
sed -i "s/:v[0-9\.]*/:${semVer}/g" "${chart_yaml}"
2848

29-
# Bump chart version MINOR and reset PATCH segment
30-
# A new release means a bump in the minor segment of the Chart and a reset of the patch one
31-
# i.e 1.0.2 => 1.1.0
32-
chartVersion=$(cat ${chart_yaml} | awk -F'[ .]' '/^version:/ {print $2"."$3+1"."0}')
33-
sed -i "s#^version:.*#version: ${chartVersion}#g" "${chart_yaml}"
49+
## Changes images in Values.yaml
50+
sed -i "s/tag: .*/tag: \"${semVer}\"/g" "${values_yaml}"
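Review bot: `sed -i "s/tag: .*/tag: \"${semVer}\"/g" "${values_yaml}"` at the end of the hunk rewrites every line of values.yaml that contains `tag: `, not only the Chainloop image tags, so any other `tag:` key in that file (a dependency image tag, or a non-image setting) is overwritten with the application version on every release; anchor the substitution to the specific keys or restrict it to the image blocks. Two smaller points in the same hunk: the removed `# Remove v prefix if provided` step means `semVer` is now written verbatim into `appVersion`, into values.yaml and into the `:v[0-9\.]*` replacement for Chart.yaml, and that regex only matches v-prefixed tags, so a caller passing a bare `0.93.8` produces annotation tags the next run no longer rewrites; state in the usage text that the version must carry the `v` prefix, or normalise it in the script. Finally, `cat ${chart_yaml} | awk ...` has an unquoted path and a useless cat; `awk -F'[ .]' '...' "${chart_yaml}"` does the same with the path quoted.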

deployment/chainloop/Chart.lock

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,15 +1,15 @@
11
dependencies:
22
- name: common
33
repository: https://charts.bitnami.com/bitnami
4-
version: 2.20.2
4+
version: 2.20.4
55
- name: postgresql
66
repository: https://charts.bitnami.com/bitnami
7-
version: 15.5.5
7+
version: 15.5.16
88
- name: vault
99
repository: https://charts.bitnami.com/bitnami
10-
version: 1.4.6
10+
version: 1.4.11
1111
- name: dex
1212
repository: https://charts.dexidp.io
1313
version: 0.18.0
14-
digest: sha256:7f47b9aca49bedc3f378c9ec0bfa18ce53a4f4ba4b1e1e51348a08afe9e3fdeb
15-
generated: "2024-06-14T08:39:26.654098+02:00"
14+
digest: sha256:94515adbbfef1d109d520d44ef61cd0f07681afd5f14d4f104b68e9a9e1bec87
15+
generated: "2024-07-13T08:52:36.287808567+02:00"
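Review bot: this lock file bumps three Bitnami dependencies (common 2.20.2 to 2.20.4, postgresql 15.5.5 to 15.5.16, vault 1.4.6 to 1.4.11) and regenerates the digest, which is unrelated to the air-gap relocation support the commit message describes; either mention the dependency refresh in the commit message or land it separately, so that a bisect or a rollback of the relocation change does not also revert the subchart versions.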

deployment/chainloop/Chart.yaml

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ description: Chainloop is an open source software supply chain control plane, a
77

88
type: application
99
# Bump the patch (not minor, not major) version on each change in the Chart Source code
10-
version: 1.77.0
10+
version: 1.77.1
1111
# Do not update appVersion, this is handled automatically by the release process
1212
appVersion: v0.93.7
1313

@@ -29,3 +29,12 @@ dependencies:
2929
condition: development
3030
repository: https://charts.dexidp.io
3131
version: 0.18.0
32+
33+
annotations:
34+
images: |
35+
- image: ghcr.io/chainloop-dev/chainloop/artifact-cas:v0.93.7
36+
name: artifact-cas
37+
- image: ghcr.io/chainloop-dev/chainloop/control-plane:v0.93.7
38+
name: control-plane
39+
- image: ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v0.93.7
40+
name: control-plane-migrations
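Review bot: the three `image:` entries pin `v0.93.7` independently of `appVersion` a few lines above them, and nothing in the file says they must move together; the only thing keeping them in sync is the `:v[0-9\.]*` substitution in bump-chart-version.sh, so a manual edit of `appVersion` (the existing `# Do not update appVersion` comment covers that key but says nothing about this annotation) would leave the relocation plugin wrapping a different image than the chart deploys. Add a comment above `annotations:` stating that the list is maintained by the release script and must match `appVersion`.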

deployment/chainloop/README.md

Lines changed: 52 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -173,6 +173,30 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
173173
--set controlplane.auth.oidc.clientSecret=[clientSecret]
174174
```
175175

176+
## AirGap and Relocation Support
177+
178+
This chart is compatible with relocation processes performed by the [Helm Relocation Plugin](https://github.com/vmware-labs/distribution-tooling-for-helm)
179+
180+
This is a two-step process (wrap -> unwrap)
181+
182+
- Pull all the container images and Helm chart and wrap them in an intermediate tarball.
183+
- Unwrap the tarball and push container images, update the Helm Chart with new image references and push it to the target registry.
184+
185+
For example: to relocate to an Azure Container Registry
186+
187+
```sh
188+
helm dt wrap oci://ghcr.io/chainloop-dev/charts/chainloop
189+
# 🎉 Helm chart wrapped into "chainloop-1.77.0.wrap.tgz"
190+
191+
# Now you can take the tarball to an air-gapped environment and unwrap it like this
192+
helm dt unwrap chainloop-1.77.0.wrap.tgz oci://chainloop.azurecr.io --yes
193+
# Unwrapping Helm chart "chainloop-1.77.0.wrap.tgz"
194+
# ✔ All images pushed successfully
195+
# ✔ Helm chart successfully pushed
196+
#
197+
# 🎉 Helm chart unwrapped successfully: You can use it now by running "helm install oci://chainloop.azurecr.io/chart/chainloop --generate-name"
198+
```
199+
176200
## How to guides
177201

178202
### CAS upload speeds are slow, what can I do?
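Review bot: the new section does not say where the relocation plugin gets the list of images to pull, which is the `annotations.images` block added to Chart.yaml in this same commit; one sentence saying that `helm dt wrap` reads that annotation, and that `unwrap` rewrites the chart's image references (the per-component `image.registry` and `image.repository` values documented in the tables below), would tell an operator what to check when an image is missing from the wrapped tarball. Also worth noting that the example output was captured for chart `1.77.0` while this commit bumps the chart to `1.77.1`, so the tarball name will differ, and that `--yes` skips the confirmation prompt before images are pushed to the target registry. Minor: the sentence introducing the Helm Relocation Plugin is missing its terminating period, and "AirGap" in the heading would read better as "Air-gap", matching "air-gapped environment" in the code comment.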
@@ -454,6 +478,13 @@ chainloop config save \
454478

455479
## Parameters
456480

481+
### Global parameters
482+
483+
| Name | Description | Value |
484+
| ------------------------- | ----------------------------------------------- | ----- |
485+
| `global.imageRegistry` | Global Docker image registry | `""` |
486+
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
487+
457488
### Common parameters
458489

459490
| Name | Description | Value |
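Review bot: `global.imageRegistry` is documented as "Global Docker image registry" without saying how it interacts with the per-component `controlplane.image.registry` and `cas.image.registry` rows added further down, which default to `ghcr.io`; state which one takes precedence when both are set, so an operator relocating to a private registry knows whether a single global override is enough.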
@@ -489,18 +520,21 @@ chainloop config save \
489520

490521
### Control Plane
491522

492-
| Name | Description | Value |
493-
| ---------------------------------------------- | ----------------------------------------------------------------------------------------------- | ----------------------------------------------- |
494-
| `controlplane.replicaCount` | Number of replicas | `2` |
495-
| `controlplane.image.repository` | FQDN uri for the image | `ghcr.io/chainloop-dev/chainloop/control-plane` |
496-
| `controlplane.image.tag` | Image tag (immutable tags are recommended). If no set chart.appVersion will be used | |
497-
| `controlplane.tlsConfig.secret.name` | name of a secret containing TLS certificate to be used by the controlplane grpc server. | `""` |
498-
| `controlplane.pluginsDir` | Directory where to look for plugins | `/plugins` |
499-
| `controlplane.referrerSharedIndex` | Configure the shared, public index API endpoint that can be used to discover metadata referrers | |
500-
| `controlplane.referrerSharedIndex.enabled` | Enable index API endpoint | `false` |
501-
| `controlplane.referrerSharedIndex.allowedOrgs` | List of UUIDs of organizations that are allowed to publish to the shared index | `[]` |
502-
| `controlplane.onboarding.name` | Name of the organization to onboard | |
503-
| `controlplane.onboarding.role` | Role of the organization to onboard | |
523+
| Name | Description | Value |
524+
| ---------------------------------------------- | ----------------------------------------------------------------------------------------------- | -------------------------------------------------- |
525+
| `controlplane.replicaCount` | Number of replicas | `2` |
526+
| `controlplane.image.registry` | Image registry | `ghcr.io` |
527+
| `controlplane.image.repository` | Image repository | `chainloop-dev/chainloop/control-plane` |
528+
| `controlplane.tlsConfig.secret.name` | name of a secret containing TLS certificate to be used by the controlplane grpc server. | `""` |
529+
| `controlplane.pluginsDir` | Directory where to look for plugins | `/plugins` |
530+
| `controlplane.referrerSharedIndex` | Configure the shared, public index API endpoint that can be used to discover metadata referrers | |
531+
| `controlplane.referrerSharedIndex.enabled` | Enable index API endpoint | `false` |
532+
| `controlplane.referrerSharedIndex.allowedOrgs` | List of UUIDs of organizations that are allowed to publish to the shared index | `[]` |
533+
| `controlplane.onboarding.name` | Name of the organization to onboard | |
534+
| `controlplane.onboarding.role` | Role of the organization to onboard | |
535+
| `controlplane.migration.image.registry` | Image registry | `ghcr.io` |
536+
| `controlplane.migration.image.repository` | Image repository | `chainloop-dev/chainloop/control-plane-migrations` |
537+
| `controlplane.migration.ssl` | Connect to the database using SSL (required fro AWS RDS, etc) | `false` |
504538

505539
### Control Plane Database
506540
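Review bot: the `controlplane.image.tag` row was dropped from the table, but the tag is still a chart value: the release script in this commit now writes `tag: "<version>"` into values.yaml, so the parameter exists and is what a user overrides to pin a build; keep the row, with the new default described, rather than removing it. Also in the new rows: "required fro AWS RDS" should read "required for AWS RDS", and "name of a secret containing TLS certificate" should start with a capital letter like the other descriptions.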

@@ -606,12 +640,12 @@ chainloop config save \
606640

607641
### Artifact Content Addressable (CAS) API
608642

609-
| Name | Description | Value |
610-
| --------------------------- | --------------------------------------------------------------------------------------- | ---------------------------------------------- |
611-
| `cas.replicaCount` | Number of replicas | `2` |
612-
| `cas.image.repository` | FQDN uri for the image | `ghcr.io/chainloop-dev/chainloop/artifact-cas` |
613-
| `cas.image.tag` | Image tag (immutable tags are recommended). If no set chart.appVersion will be used | |
614-
| `cas.tlsConfig.secret.name` | name of a secret containing TLS certificate to be used by the controlplane grpc server. | `""` |
643+
| Name | Description | Value |
644+
| --------------------------- | --------------------------------------------------------------------------------------- | -------------------------------------- |
645+
| `cas.replicaCount` | Number of replicas | `2` |
646+
| `cas.image.registry` | Image registry | `ghcr.io` |
647+
| `cas.image.repository` | Image repository | `chainloop-dev/chainloop/artifact-cas` |
648+
| `cas.tlsConfig.secret.name` | name of a secret containing TLS certificate to be used by the controlplane grpc server. | `""` |
615649

616650
### CAS Networking
617651
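Review bot: `cas.tlsConfig.secret.name` is described as "TLS certificate to be used by the controlplane grpc server", which is copied from the Control Plane table; this is the CAS server's certificate, so the description should say so. As in the Control Plane table, `cas.image.tag` was removed although the value still exists in values.yaml (the bump script writes it), so that row should stay.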
