@@ -45,3 +45,84 @@ go run main.go echo
4545
4646The Jetstack-Secure agent exposes its metrics through a Prometheus server, on port 8081.
4747The Prometheus server is disabled by default but can be enabled by passing the ` --enable-metrics ` flag to the agent binary.
48+
49+ ## Release Process
50+
51+ The release process is semi-automated.
52+ It starts with the following manual steps:
53+
54+ 1 . Choose the next semver version number.
55+ This project has only ever incremented the "patch" number (never the "minor" number) regardless of the scope of the changes.
56+ 1 . Create a branch.
57+ 1 . Increment version numbers in the ` venafi-kubernetes-agent ` Helm chart.
58+ (the ` jetstack-secure ` Helm chart uses a different version scheme and is updated and released separately):
59+ 1 . Increment the ` version ` value in [ Chart.yaml] ( deploy/charts/venafi-kubernetes-agent/Chart.yaml ) .
60+ DO NOT use a ` v ` prefix.
61+ The ` v ` prefix [ breaks Helm OCI operations] ( https://github.com/helm/helm/issues/11107 ) .
62+ 1 . Increment ` appVersion ` value in [ Chart.yaml] ( deploy/charts/venafi-kubernetes-agent/Chart.yaml ) .
63+ Use a ` v ` prefix, to match the Docker image tag.
64+ 1 . Increment the ` image.tag ` value in [ values.yaml] ( deploy/charts/venafi-kubernetes-agent/values.yaml ) .
65+ Use a ` v ` prefix.
66+ 1 . Commit the changes.
67+ 1 . Create a pull request and wait for it to be approved.
68+ 1 . Merge the branch.
69+ 1 . Push a semver tag with a ` v ` prefix: ` vX.Y.Z ` .
70+
71+ This will trigger the following automated processes:
72+
73+ 1 . Two Docker images are built and pushed to a public ` quay.io ` registry, by the [ release-master workflow] ( .github/workflows/release-master.yml ) :
74+ * ` quay.io/jetstack/preflight ` : is pulled directly by tier 1 Jetstack Secure users, who do not have access to the Jetstack Enterprise Registry.
75+ * ` quay.io/jetstack/venafi-agent ` : is mirrored to a public Venafi OCI registry for Venafi TLS Protect for Kubernetes users.
76+
77+ 2 . The Docker images are mirrored by private Venafi CI pipelines, to:
78+ * [ Jetstack Enterprise Registry] ( https://platform.jetstack.io/documentation/installation/agent#1-obtain-oci-registry-credentials ) :
79+ for Tier 2 Jetstack Secure users. Tier 2 grants users access to this registry.
80+ * [ Venafi private Registry] ( https://docs.venafi.cloud/vaas/k8s-components/th-guide-confg-access-to-tlspk-enterprise-components/ ) :
81+ for Tier 2 Venafi TLS Protect for Kubernetes users. Tier 2 grants users access to this registry.
82+ * [ Venafi public Registry] ( https://registry.venafi.cloud/public/venafi-images/venafi-kubernetes-agent ) :
83+ for Tier 1 Venafi TLS Protect for Kubernetes users. Tier 1 users do not have access to the private registry. (TODO)
84+
85+ ### Helm Chart: venafi-kubernetes-agent
86+
87+ The [ venafi-kubernetes-agent] ( deploy/charts/venafi-kubernetes-agent/README.md ) chart
88+ is released manually, as follows:
89+
90+ ``` sh
91+ export VERSION=0.1.43
92+ helm package deploy/charts/venafi-kubernetes-agent --version " ${VERSION} "
93+ helm push venafi-kubernetes-agent-${VERSION} .tgz oci://eu.gcr.io/jetstack-secure-enterprise/charts
94+ ```
95+
96+ > ℹ️ To test the Helm chart before releasing it, use a [ pre-release suffix] ( https://semver.org/#spec-item-9 ) . E.g.
97+ > ` export VERSION=0.1.43-alpha.0 ` .
98+
99+ The chart will be mirrored to:
100+ * ` registry.venafi.cloud/charts/venafi-kubernetes-agent ` (Public)
101+ * ` private-registry.venafi.cloud/charts/venafi-kubernetes-agent ` (Private, US)
102+ * ` private-registry.venafi.eu/charts/venafi-kubernetes-agent ` (Private, EU)
103+
104+ ### Helm Chart: jetstack-agent
105+
106+ The [ jetstack-agent] ( deploy/charts/jetstack-agent/README.md ) chart has a different version number to the agent.
107+ This is because the first version of * this* chart was given version ` 0.1.0 ` ,
108+ while the app version at the time was ` 0.1.38 ` .
109+ And this allows the chart to be updated and released more frequently than the Docker image if necessary.
110+ This chart is for [ Jetstack Secure] ( https://platform.jetstack.io/documentation/installation/agent#jetstack-agent-helm-chart-installation ) .
111+
112+ 1 . Create a branch
113+ 1 . Increment version numbers.
114+ 1 . Increment the ` version ` value in [ Chart.yaml] ( deploy/charts/jetstack-agent/Chart.yaml ) .
115+ DO NOT use a ` v ` prefix.
116+ The ` v ` prefix [ breaks Helm OCI operations] ( https://github.com/helm/helm/issues/11107 ) .
117+ 1 . Increment the ` appVersion ` value in [ Chart.yaml] ( deploy/charts/jetstack-agent/Chart.yaml ) .
118+ Use a ` v ` prefix, to match the Docker image tag.
119+ 1 . Increment the ` image.tag ` value in [ values.yaml] ( deploy/charts/jetstack-agent/values.yaml ) .
120+ Use a ` v ` prefix, to match the Docker image tag.
121+ 1 . Create a pull request and wait for it to be approved.
122+ 1 . Merge the branch
123+ 1 . Push a tag, using the format: ` chart-vX.Y.Z ` .
124+ This unique tag format is recognized by the private CI pipeline that builds and publishes the chart.
125+
126+ The chart will be published to
127+ the [ Jetstack Enterprise Registry] ( https://platform.jetstack.io/documentation/installation/agent#1-obtain-oci-registry-credentials )
128+ by a private CI pipeline managed by Venafi.
0 commit comments