actions/fluxcd-flux2
3
0
Fork 0
mirror of https://github.com/fluxcd/flux2.git synced 2026-02-24 08:31:47 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Update push artifact's --revision to RFC-0005

Browse source 
Signed-off-by: Hidde Beydals <hello@hidde.co>
This commit is contained in:
Hidde Beydals 2023-02-17 12:26:31 +01:00
parent 71d59e36cc
commit 0f7b903ace
5 changed files with 23 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/e2e.yaml vendored
View file

@ -183,7 +183,7 @@ jobs:
/tmp/flux push artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \ /tmp/flux push artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
--path="./manifests" \ --path="./manifests" \
--source="${{ github.repositoryUrl }}" \ --source="${{ github.repositoryUrl }}" \
--revision="${{ github.ref }}/${{ github.sha }}" --revision="${{ github.ref }}@sha1:${{ github.sha }}"
/tmp/flux tag artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \ /tmp/flux tag artifact oci://localhost:5000/fluxcd/flux:${{ github.sha }} \
--tag latest --tag latest
/tmp/flux list artifacts oci://localhost:5000/fluxcd/flux /tmp/flux list artifacts oci://localhost:5000/fluxcd/flux

4
.github/workflows/release.yaml vendored
View file

@ -120,7 +120,7 @@ jobs:
oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \ oci://ghcr.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
--path="./flux-system" \ --path="./flux-system" \
--source=${{ github.repositoryUrl }} \ --source=${{ github.repositoryUrl }} \
--revision="${{ github.ref_name }}/${{ github.sha }}" --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
- name: Push manifests to DockerHub - name: Push manifests to DockerHub
run: | run: |
mkdir -p ./docker.io/flux-system mkdir -p ./docker.io/flux-system
@ -132,7 +132,7 @@ jobs:
oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \ oci://docker.io/fluxcd/flux-manifests:${{ steps.prep.outputs.VERSION }} \
--path="./flux-system" \ --path="./flux-system" \
--source=${{ github.repositoryUrl }} \ --source=${{ github.repositoryUrl }} \
--revision="${{ github.ref_name }}/${{ github.sha }}" --revision="${{ github.ref_name }}@sha1:${{ github.sha }}"
- uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1 - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
- name: Sign manifests - name: Sign manifests
env: env:

4
action/README.md
View file

@ -132,7 +132,7 @@ jobs:
flux push artifact $OCI_REPO:$(git rev-parse --short HEAD) \ flux push artifact $OCI_REPO:$(git rev-parse --short HEAD) \
--path="./deploy" \ --path="./deploy" \
--source="$(git config --get remote.origin.url)" \ --source="$(git config --get remote.origin.url)" \
--revision="$(git branch --show-current)/$(git rev-parse HEAD)" --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)"
- name: Deploy manifests to staging - name: Deploy manifests to staging
run: | run: |
flux tag artifact $OCI_REPO:$(git rev-parse --short HEAD) --tag staging flux tag artifact $OCI_REPO:$(git rev-parse --short HEAD) --tag staging
@ -180,7 +180,7 @@ jobs:
$OCI_REPO:$(git rev-parse --short HEAD) \ $OCI_REPO:$(git rev-parse --short HEAD) \
--path="./manifests" \ --path="./manifests" \
--source="$(git config --get remote.origin.url)" \ --source="$(git config --get remote.origin.url)" \
--revision="$(git branch --show-current)/$(git rev-parse HEAD)" |\ --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)" |\
jq -r '. | .repository + "@" + .digest') jq -r '. | .repository + "@" + .digest')
cosign sign $digest_url cosign sign $digest_url

16
cmd/flux/push_artifact.go
View file

@ -41,13 +41,13 @@ The command can read the credentials from '~/.docker/config.json' but they can a
flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) \ flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) \
--path="./path/to/local/manifests" \ --path="./path/to/local/manifests" \
--source="$(git config --get remote.origin.url)" \ --source="$(git config --get remote.origin.url)" \
--revision="$(git branch --show-current)/$(git rev-parse HEAD)" --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)"
# Push and sign artifact with cosign # Push and sign artifact with cosign
digest_url = $(flux push artifact \ digest_url = $(flux push artifact \
oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) \ oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) \
--source="$(git config --get remote.origin.url)" \ --source="$(git config --get remote.origin.url)" \
--revision="$(git branch --show-current)/$(git rev-parse HEAD)" \ --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)" \
--path="./path/to/local/manifest.yaml" \ --path="./path/to/local/manifest.yaml" \
--output json | \ --output json | \
jq -r '. | .repository + "@" + .digest') jq -r '. | .repository + "@" + .digest')
@ -56,21 +56,21 @@ The command can read the credentials from '~/.docker/config.json' but they can a
# Push manifests passed into stdin to GHCR # Push manifests passed into stdin to GHCR
kustomize build . | flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) -p - \ kustomize build . | flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) -p - \
--source="$(git config --get remote.origin.url)" \ --source="$(git config --get remote.origin.url)" \
--revision="$(git branch --show-current)/$(git rev-parse HEAD)" --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)"
# Push single manifest file to GHCR using the short Git SHA as the OCI artifact tag # Push single manifest file to GHCR using the short Git SHA as the OCI artifact tag
echo $GITHUB_PAT | docker login ghcr.io --username flux --password-stdin echo $GITHUB_PAT | docker login ghcr.io --username flux --password-stdin
flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) \ flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) \
--path="./path/to/local/manifest.yaml" \ --path="./path/to/local/manifest.yaml" \
--source="$(git config --get remote.origin.url)" \ --source="$(git config --get remote.origin.url)" \
--revision="$(git branch --show-current)/$(git rev-parse HEAD)" --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)"
# Push manifests to Docker Hub using the Git tag as the OCI artifact tag # Push manifests to Docker Hub using the Git tag as the OCI artifact tag
echo $DOCKER_PAT | docker login --username flux --password-stdin echo $DOCKER_PAT | docker login --username flux --password-stdin
flux push artifact oci://docker.io/org/app-config:$(git tag --points-at HEAD) \ flux push artifact oci://docker.io/org/app-config:$(git tag --points-at HEAD) \
--path="./path/to/local/manifests" \ --path="./path/to/local/manifests" \
--source="$(git config --get remote.origin.url)" \ --source="$(git config --get remote.origin.url)" \
--revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)" --revision="$(git tag --points-at HEAD)@sha1:$(git rev-parse HEAD)"
# Login directly to the registry provider # Login directly to the registry provider
# You might need to export the following variable if you use local config files for AWS: # You might need to export the following variable if you use local config files for AWS:
@ -78,14 +78,14 @@ The command can read the credentials from '~/.docker/config.json' but they can a
flux push artifact oci://<account>.dkr.ecr.<region>.amazonaws.com/foo:v1:$(git tag --points-at HEAD) \ flux push artifact oci://<account>.dkr.ecr.<region>.amazonaws.com/foo:v1:$(git tag --points-at HEAD) \
--path="./path/to/local/manifests" \ --path="./path/to/local/manifests" \
--source="$(git config --get remote.origin.url)" \ --source="$(git config --get remote.origin.url)" \
--revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)" \ --revision="$(git tag --points-at HEAD)@sha1:$(git rev-parse HEAD)" \
--provider aws --provider aws
# Or pass credentials directly # Or pass credentials directly
flux push artifact oci://docker.io/org/app-config:$(git tag --points-at HEAD) \ flux push artifact oci://docker.io/org/app-config:$(git tag --points-at HEAD) \
--path="./path/to/local/manifests" \ --path="./path/to/local/manifests" \
--source="$(git config --get remote.origin.url)" \ --source="$(git config --get remote.origin.url)" \
--revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)" \ --revision="$(git tag --points-at HEAD)@sha1:$(git rev-parse HEAD)" \
--creds flux:$DOCKER_PAT --creds flux:$DOCKER_PAT
`, `,
RunE: pushArtifactCmdRun, RunE: pushArtifactCmdRun,
@ -112,7 +112,7 @@ func newPushArtifactFlags() pushArtifactFlags {
func init() { func init() {
pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.path, "path", "", "path to the directory where the Kubernetes manifests are located") pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.path, "path", "", "path to the directory where the Kubernetes manifests are located")
pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.source, "source", "", "the source address, e.g. the Git URL") pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.source, "source", "", "the source address, e.g. the Git URL")
pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.revision, "revision", "", "the source revision in the format '<branch|tag>/<commit-sha>'") pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.revision, "revision", "", "the source revision in the format '<branch|tag>@sha1:<commit-sha>'")
pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic") pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
pushArtifactCmd.Flags().Var(&pushArtifactArgs.provider, "provider", pushArtifactArgs.provider.Description()) pushArtifactCmd.Flags().Var(&pushArtifactArgs.provider, "provider", pushArtifactArgs.provider.Description())
pushArtifactCmd.Flags().StringSliceVar(&pushArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format") pushArtifactCmd.Flags().StringSliceVar(&pushArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")

20
rfcs/0003-kubernetes-oci/README.md
View file

@ -47,7 +47,7 @@ and push the archive to a container registry as an OCI artifact.
```sh ```sh
flux push artifact oci://docker.io/org/app-config:v1.0.0 \ flux push artifact oci://docker.io/org/app-config:v1.0.0 \
--source="$(git config --get remote.origin.url)" \ --source="$(git config --get remote.origin.url)" \
--revision="$(git rev-parse HEAD)" \ --revision="sha1:$(git rev-parse HEAD)" \
--path="./deploy" --path="./deploy"
``` ```
@ -65,7 +65,7 @@ The source and revision are added to the OCI artifact as Open Containers standar
"mediaType": "application/vnd.oci.image.manifest.v1+json", "mediaType": "application/vnd.oci.image.manifest.v1+json",
"annotations": { "annotations": {
"org.opencontainers.image.created": "2023-02-10T09:06:09Z", "org.opencontainers.image.created": "2023-02-10T09:06:09Z",
"org.opencontainers.image.revision": "6ea3e5b4da159fcb4a1288f072d34c3315644bcc", "org.opencontainers.image.revision": "sha1:6ea3e5b4da159fcb4a1288f072d34c3315644bcc",
"org.opencontainers.image.source": "https://github.com/fluxcd/flux2" "org.opencontainers.image.source": "https://github.com/fluxcd/flux2"
} }
} }
@ -288,7 +288,7 @@ Then push the Kubernetes manifests to GHCR:
```sh ```sh
flux push artifact oci://ghcr.io/org/my-app-config:v1.0.0 \ flux push artifact oci://ghcr.io/org/my-app-config:v1.0.0 \
--source="$(git config --get remote.origin.url)" \ --source="$(git config --get remote.origin.url)" \
--revision="$(git rev-parse HEAD)"\ --revision="sha1:$(git rev-parse HEAD)"\
--path="./deploy" --path="./deploy"
``` ```
@ -309,8 +309,8 @@ List the artifacts and their metadata with:
```console ```console
$ flux list artifacts oci://ghcr.io/org/my-app-config $ flux list artifacts oci://ghcr.io/org/my-app-config
ARTIFACT DIGEST SOURCE REVISION ARTIFACT DIGEST SOURCE REVISION
ghcr.io/org/my-app-config:latest sha256:45b95019d30af335137977a369ad56e9ea9e9c75bb01afb081a629ba789b890c https://github.com/org/my-app-config.git 20b3a674391df53f05e59a33554973d1cbd4d549 ghcr.io/org/my-app-config:latest sha256:45b95019d30af335137977a369ad56e9ea9e9c75bb01afb081a629ba789b890c https://github.com/org/my-app-config.git sha1:20b3a674391df53f05e59a33554973d1cbd4d549
ghcr.io/org/my-app-config:v1.0.0 sha256:45b95019d30af335137977a369ad56e9ea9e9c75bb01afb081a629ba789b890c https://github.com/org/my-app-config.git 3f45e72f0d3457e91e3c530c346d86969f9f4034 ghcr.io/org/my-app-config:v1.0.0 sha256:45b95019d30af335137977a369ad56e9ea9e9c75bb01afb081a629ba789b890c https://github.com/org/my-app-config.git sha1:3f45e72f0d3457e91e3c530c346d86969f9f4034
``` ```
#### Story 2 #### Story 2
@ -402,7 +402,7 @@ The Flux CLI will produce OCI artifacts with the following format:
], ],
"annotations": { "annotations": {
"org.opencontainers.image.created": "2023-02-10T09:06:09Z", "org.opencontainers.image.created": "2023-02-10T09:06:09Z",
"org.opencontainers.image.revision": "6ea3e5b4da159fcb4a1288f072d34c3315644bcc", "org.opencontainers.image.revision": "sha1:6ea3e5b4da159fcb4a1288f072d34c3315644bcc",
"org.opencontainers.image.source": "https://github.com/fluxcd/flux2" "org.opencontainers.image.source": "https://github.com/fluxcd/flux2"
} }
} }
@ -436,21 +436,21 @@ status:
lastUpdateTime: "2022-06-22T09:14:21Z" lastUpdateTime: "2022-06-22T09:14:21Z"
metadata: metadata:
org.opencontainers.image.created: "2023-02-10T09:06:09Z" org.opencontainers.image.created: "2023-02-10T09:06:09Z"
org.opencontainers.image.revision: b3b00fe35424a45d373bf4c7214178bc36fd7872 org.opencontainers.image.revision: sha1:b3b00fe35424a45d373bf4c7214178bc36fd7872
org.opencontainers.image.source: https://github.com/stefanprodan/podinfo.git org.opencontainers.image.source: https://github.com/stefanprodan/podinfo.git
path: ocirepository/oci/podinfo/3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de.tar.gz path: ocirepository/oci/podinfo/3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de.tar.gz
revision: 3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de revision: sha256:3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de
size: 1105 size: 1105
url: http://source-controller.flux-system.svc.cluster.local./ocirepository/oci/podinfo/3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de.tar.gz url: http://source-controller.flux-system.svc.cluster.local./ocirepository/oci/podinfo/3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de.tar.gz
conditions: conditions:
- lastTransitionTime: "2022-06-22T09:14:21Z" - lastTransitionTime: "2022-06-22T09:14:21Z"
message: stored artifact for revision '3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de' message: stored artifact for revision 'sha256:3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de'
observedGeneration: 1 observedGeneration: 1
reason: Succeeded reason: Succeeded
status: "True" status: "True"
type: Ready type: Ready
- lastTransitionTime: "2022-06-22T09:14:21Z" - lastTransitionTime: "2022-06-22T09:14:21Z"
message: stored artifact for revision '3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de' message: stored artifact for revision 'sha256:3b6cdcc7adcc9a84d3214ee1c029543789d90b5ae69debe9efa3f66e982875de'
observedGeneration: 1 observedGeneration: 1
reason: Succeeded reason: Succeeded
status: "True" status: "True"