feat(capsule): release security and workflow updates #825
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for capsule-documentation canceled.
|
| @@ -60,8 +60,6 @@ spec: | |||
| secretName: {{ include "capsule.secretTlsName" . }} | |||
| containers: | |||
| - name: manager | |||
| command: | |||
There was a problem hiding this comment.
May I ask you the reason in removing the command, here?
There was a problem hiding this comment.
with ko, we no longer build a binary which is called manager. We would have to replace it with /ko-build/capsule. I thought it's nicer to just remove it.
oliverbaehler
changed the title
|
@prometherion i would like to get this merged. Its far from perfect but i would like to make additional adjustments with follow-up pull requests |
|
Sure thing, may I just ask you to squash where possible the commits to make easier tracking the changes, please? |
|
@prometherion done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
implements #824
related to #820
This quiet large Pull Request has several improvements to the capsule repository. They are both related to the move of the project but are mainly focused on the Github actions part. The release flows are kept as is (tag = image release, helm-v* = helm chart release).
Note before review:
Release
On tag a release is created which publishes the controller binary. The Release is created automatically and adds a changelog based on the commits added.
With the commit check, we verify the types of changes. The changelog respects the types and creates a Changelog via goreleaser. Additional documentation has been added as part of CONTRIBUTING.md.
Packages
With the introduction of these workflows the following packages will be published:
capsule- Capsule Controller Docker Imagecharts/capsule- Capsule OCI Helm Chartsignatures- Signature Registry for Docker Images and OCI Helm Chartssbom- SBOM RegistryYou can see as reference the fork's package repository:
https://github.com/orgs/buttahtoast/packages?repo_name=capsule
Docker Image
Changed to build workflow to use ko. Since we don't need to release any binaries, I did not consider goreleaser. Ko builds docker images automatically and requires minimal configuration in the
.ko.yamlfile. Currently the controller is released forlinux/arm64andlinux/amd64. Most of the changes in the Makefile relate to this change. I have made sure the ko build works locally and can be used with local e2e testing etc.We have two workflows, a docker-build workflow on pull requests. Which builds the image and ensures everything works as expected. The docker publish action publishes the docker image to
capsule. Ko automatically generates an sbom for the oci. My github action signs the published sigest and publishes the signature undersignatures. At the end an attestation for the image is made via SLSA and uploaded to thecapsulepackage repo.Important: Ko does not require a Dockerfile. The entrypoint is
/ko-build/capsule. Therefor themanagercommand is no longer required/supported.Helm Chart
I have kept the old release procedure to publish a
tar.gzto a dedicatedchartsrepository (https://github.com/projectcapsule/charts). But this workflow is the least tested, it might be, that we need additional changes. But I would add them, should it fail.I have focused on adding a workflow to publish the capsule helm chart in oci format. This happens along side with the legacy-release. The OCI helm chart is also signed and we also provide attestation for the build via slsa.
The chart documentation has been updated to point to the new repository and includes instructions on OCI usage. In addition the helm-test actions have been reneabled.
Github-Workflow Security
Introduces a new github-check (
.github/workflows/check-actions.yaml), which requires all github actions to be included be their commit SHA. In addition a matching dependabot configuration has been added, which updates github actions automatically. I have initially added all the latest commit SHA for all the Github actions used.Code Coverage
Enabled Code Coverage on the upstream repository. Added a workflow to upload coverage on pull requests. Added the badge to the
README.mdScoreBoard
Added periodical ScoreBoard action.
I think these cover most of the changes. There will be some cleanup work for me after that. But with these workflows we should satisfy CLO monitor and provide secure artifacts to our users.