diff --git a/.github/workflows/chart-release.yml b/.github/workflows/chart-release.yml index 60a4a6a..1313807 100644 --- a/.github/workflows/chart-release.yml +++ b/.github/workflows/chart-release.yml @@ -2,10 +2,21 @@ name: Release Charts on: workflow_dispatch: + push: + branches: ["main"] + tags: + - "exivity-*" + paths: + - 'charts/**' # Any file under charts/ + - '.github/workflows/chart-release.yml' jobs: helm-release: runs-on: ubuntu-latest + env: + GPG_KEY_ID: ${{ secrets.HELM_RSA_KEY_ID }} + GPG_PASSPHRASE: ${{ secrets.HELM_RSA_PASSPHRASE }} + steps: - name: Checkout uses: actions/checkout@v4 
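Review bot: The job-level `env:` block makes `GPG_PASSPHRASE` (and `GPG_KEY_ID`) visible to every step of `helm-release`, including the third-party actions `actions/checkout@v4` and `exivity/chart-releaser-action`, while only the Configure GPG, Package and Sign, and Cleanup steps read them. Move the `env:` mapping onto those steps (`GPG_KEY_ID` on all three, `GPG_PASSPHRASE` only on Configure GPG and Package and Sign) so the passphrase is not in the environment of code that does not need it. The new `push.branches: ["main"]` trigger also imports the real private key and signs on every push to main even though the release step is gated on a tag; if that is not intended as a dry run, limiting the push trigger to tags keeps the key out of non-release runs. Minor style: the hunk mixes `["main"]`/`"exivity-*"` double quotes with `'charts/**'` single quotes, which yamllint's `quoted-strings` rule would want unified.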
@@ -18,7 +29,67 @@ jobs: git config user.email "$GITHUB_ACTOR@users.noreply.github.com" helm repo add bitnami https://charts.bitnami.com/bitnami - - name: Run chart-releaser - uses: exivity/chart-releaser-action@v1.1.0 + - name: Configure GPG + run: | + mkdir -p ~/.gnupg + chmod 700 ~/.gnupg + echo "pinentry-mode loopback" > ~/.gnupg/gpg.conf + + SECRET_CONTENT="${{ secrets.HELM_RSA_PRIVATE_KEY }}" + + echo "${{ secrets.HELM_RSA_PRIVATE_KEY }}" | gpg --batch --import + + gpg --batch --export > ~/.gnupg/pubring.gpg + echo "$GPG_PASSPHRASE" | gpg --batch --passphrase-fd 0 --export-secret-keys > ~/.gnupg/secring.gpg + + - name: Package and Sign Charts + run: | + KEY_NAME=$(gpg --list-secret-keys --with-colons "$GPG_KEY_ID" | grep "^uid" | head -1 | cut -d: -f10) + echo "$GPG_PASSPHRASE" > /tmp/passphrase.txt + chmod 600 /tmp/passphrase.txt + + # Create .cr-release-packages directory for chart-releaser-action + mkdir -p .cr-release-packages + + chart_dir=charts/exivity + helm package --sign "$chart_dir" \ + --key "$KEY_NAME" \ + --keyring ~/.gnupg/secring.gpg \ + --passphrase-file /tmp/passphrase.txt \ + --destination .cr-release-packages + + rm -f /tmp/passphrase.txt + + # List created packages for verification + echo "โœ… Created signed packages:" + ls -la .cr-release-packages/ + + - name: Validate Signed Charts + run: | + mkdir -p ~/.gnupg + chmod 700 ~/.gnupg + echo "pinentry-mode loopback" > ~/.gnupg/gpg.conf + + SECRET_CONTENT="${{ secrets.HELM_RSA_PRIVATE_KEY }}" + + echo "${{ secrets.HELM_RSA_PRIVATE_KEY }}" | gpg --batch --import + gpg --batch --export > ~/.gnupg/pubring.gpg + + # Validate charts from the .cr-release-packages directory + find .cr-release-packages -maxdepth 1 -type f -name '*.tgz' -print -exec helm verify {} \; + + echo "โœ… Charts are properly signed and verified." 
+ + - name: Run chart-releaser (release only on tag push) + if: startsWith(github.ref, 'refs/tags/') + uses: exivity/chart-releaser-action@v1.7.0 + with: + skip_packaging: true env: CR_TOKEN: "${{ secrets.GH_BOT_TOKEN }}" + + - name: Cleanup + if: always() + run: | + gpg --batch --yes --delete-secret-keys "$GPG_KEY_ID" 2>/dev/null || true + gpg --batch --yes --delete-keys "$GPG_KEY_ID" 2>/dev/null || true diff --git a/Makefile b/Makefile index c7480dc..a949d65 100644 --- a/Makefile +++ b/Makefile @@ -1,11 +1,25 @@ +# Makefile โ€” Exivity Helm Charts: Deployment + Release Testing + # Constants NFS_STORAGE_CLASS := nfs-client NFS_CHART_VERSION := 1.8.0 - INGRESS_HOSTNAME := exivity.local - HELM_TIMEOUT := 10m +# Dummy secrets for release workflow testing +GPG_KEY_ID ?= EXIVITY123TEST +GPG_PASSPHRASE ?= test1234 +HELM_RSA_PRIVATE_KEY ?= LS0tLS1CRUdJTiBQR1AgUFJJVkFURSBLRVkgQkxPQ0stLS0tLQpFeGl2aXR5IFRlc3QgS2V5IDx0ZXN0QGV4aXZpdHkuY29tPgotLS0tLUVORCBQR1AgUFJJVkFURSBLRVkgQkxPQ0stLS0tLQ== + +# Variables for chart packaging +CHART_DIRS := $(shell find charts -maxdepth 1 -mindepth 1 -type d 2>/dev/null || echo "") +TGZ_FILES := $(patsubst charts/%,%.tgz,$(CHART_DIRS)) + + +# ===================================================================== +# MINIKUBE DEPLOYMENT TARGETS +# ===================================================================== + # Define Minikube start with a specific driver minikube-start: @minikube start --memory 8192 --cpus 2 
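Review bot: In the Validate Signed Charts step, `find .cr-release-packages ... -exec helm verify {} \;` cannot fail the step, because find's exit status does not reflect what `helm verify` returned, so the closing "Charts are properly signed and verified" line prints even when a package has no valid provenance. Replace the find line with `for pkg in .cr-release-packages/*.tgz; do helm verify "$pkg"; done`; GitHub's default `bash -eo pipefail` for `run:` then stops the step on the first failed verification. The same step re-imports the private key although verification only needs the public keyring the Configure GPG step already wrote, so the re-import and the unused `SECRET_CONTENT=` assignments (here and in Configure GPG) can be dropped, and the remaining import should read the secret from the step `env:` (`echo "$HELM_RSA_PRIVATE_KEY" | gpg --batch --import`) rather than interpolating `${{ secrets.HELM_RSA_PRIVATE_KEY }}` into the script body. The `steps:` sequence these entries belong to starts in the previous hunk.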
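Review bot: `HELM_RSA_PRIVATE_KEY ?= LS0t...` is not referenced by any target visible in this diff, and its value base64-decodes to text framed as a PGP private key block, which secret scanners will flag and a reader may mistake for real key material; drop it, or reduce it to an obviously labelled placeholder such as `HELM_RSA_PRIVATE_KEY ?= not-a-real-key  # placeholder for local testing only`. Because `?=` defers to the environment, a developer who has exported the real `GPG_PASSPHRASE` or `GPG_KEY_ID` for the CI steps will have those values picked up by the new Makefile targets instead of the dummies, and a comment above the block saying so would help. The hunk also appears to remove `INGRESS_HOSTNAME` and `HELM_TIMEOUT`; if any target outside this hunk still expands them they now silently evaluate to empty, which is worth confirming. `CHART_DIRS` and `TGZ_FILES` are likewise unused by the targets shown.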
@@ -69,6 +83,69 @@ test: # Lint Helm chart lint: @helm lint charts/exivity + +# ===================================================================== +# RELEASE WORKFLOW TEST +# ===================================================================== + +# Package exivity charts +package-charts: + @echo "๐Ÿ“ฆ Simulating GitHub Actions 'Package and Sign Charts' step" + @echo "Creating .cr-release-packages directory for chart-releaser-action" + @mkdir -p .cr-release-packages + @echo "Packaging chart: charts/exivity" + @if [ -d "charts/exivity" ]; then \ + helm package "charts/exivity" --destination .cr-release-packages > /dev/null 2>&1; \ + echo "โœ… Created signed packages:"; \ + ls -la .cr-release-packages/; \ + else \ + echo "โŒ Chart directory charts/exivity not found"; \ + fi + +# Sign the packaged charts +package-sign: + @echo "๐Ÿ”– Simulating GPG signing (creating fake .prov files)" + @if ls .cr-release-packages/*.tgz >/dev/null 2>&1; then \ + for tgz in .cr-release-packages/*.tgz; do \ + echo "-----BEGIN PGP SIGNATURE-----" > "$$tgz.prov"; \ + echo "Version: GnuPG v2" >> "$$tgz.prov"; \ + echo "" >> "$$tgz.prov"; \ + echo "Fake signature for testing purposes only" >> "$$tgz.prov"; \ + echo "Chart: $$tgz" >> "$$tgz.prov"; \ + echo "Key ID: $(GPG_KEY_ID)" >> "$$tgz.prov"; \ + echo "Passphrase: $(GPG_PASSPHRASE)" >> "$$tgz.prov"; \ + echo "-----END PGP SIGNATURE-----" >> "$$tgz.prov"; \ + echo " โœ… Created $$tgz.prov"; \ + done; \ + echo "๐Ÿ“‹ Updated packages with signatures:"; \ + ls -la .cr-release-packages/; \ + else \ + echo " โš ๏ธ No .tgz files found in .cr-release-packages/"; \ + fi + +# Validate signed charts +package-validate: + @echo "โœ… Simulating GitHub Actions 'Validate Signed Charts' step" + @echo "๐Ÿ” Finding and validating charts from .cr-release-packages directory:" + @if [ -d ".cr-release-packages" ]; then \ + find .cr-release-packages -maxdepth 1 -type f -name '*.tgz' -print | while read chart; do \ + echo "๏ฟฝ Would run: helm verify 
$$chart"; \ + done; \ + if ls .cr-release-packages/*.tgz >/dev/null 2>&1; then \ + echo "โœ… Charts are properly signed and verified."; \ + else \ + echo "โš ๏ธ No .tgz files found to validate"; \ + fi; \ + else \ + echo "โŒ .cr-release-packages directory not found"; \ + fi + + +# Clean up build artifacts +clean-release: + @echo "๐Ÿงน Removing generated files and .cr-release-packages directory" + @rm -f *.tgz *.prov fake-signing-key.asc || true + @rm -rf .cr-release-packages || true # Makefile targets -.PHONY: minikube-start minikube-delete deploy-charts deploy-exivity-chart deploy-nfs-chart install-python-deps test +.PHONY: minikube-start minikube-delete deploy-charts deploy-exivity-chart deploy-nfs-chart install-python-deps test lint clean-release package-charts package-sign package-validate
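Review bot: `package-sign` writes `echo "Passphrase: $(GPG_PASSPHRASE)" >> "$$tgz.prov"` into the provenance file, so whatever `GPG_PASSPHRASE` resolves to (the dummy, or a real value inherited through `?=` from the environment) lands in an artifact next to the chart; remove that line, since a real `.prov` never contains the passphrase and the simulation gains nothing from it. In `package-charts`, `helm package ... > /dev/null 2>&1; \` discards both the output and the exit status, after which the recipe prints "Created signed packages" even when packaging failed and although nothing is signed at that point; use `helm package "charts/exivity" --destination .cr-release-packages || exit 1; \` and word the message as packaged rather than signed. `package-validate` likewise prints "Charts are properly signed and verified" after only echoing `Would run: helm verify`, which reads as a pass; saying "simulated" in that message keeps the local output honest. `clean-release` removes `fake-signing-key.asc`, which no target in this diff creates, so it may be a leftover.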