
Commit 632f3d2

committed
Merge remote-tracking branch 'origin' into issue-212
2 parents 565dfe7 + a7e5ae9 commit 632f3d2


4 files changed

+56
-12
lines changed

4 files changed

+56
-12
lines changed

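--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -23,6 +23,7 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
 - name: Setup Golang
 uses: actions/setup-go@v5
 with:
@@ -116,10 +117,15 @@ jobs:
 
 helm-release:
 runs-on: ubuntu-latest
+permissions:
+id-token: write
 steps:
 - name: Checkout code
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
+- name: Setup Cosign
+uses: sigstore/cosign-installer@main
+
 - name: checkout jetstack-charts
 uses: actions/checkout@v4
 with:
@@ -128,16 +134,22 @@ jobs:
 ref: main
 path: jetstack-charts
 
-- uses: azure/setup-helm@v4
+- name: Setup Helm
+uses: azure/setup-helm@v4
 with:
 token: ${{ github.token }}
 
+- name: Login to Quay.io
+run: echo "${{ secrets.QUAY_ROBOT_TOKEN }}" | helm registry login quay.io -u ${{ secrets.QUAY_USERNAME }} --password-stdin
+
 - name: package helm chart
 run: |
 helm package version-checker/deploy/charts/version-checker -d jetstack-charts/charts/
 
-- name: Login to Quay.io
-run: echo "${{ secrets.QUAY_ROBOT_TOKEN }}" | helm registry login quay.io -u ${{ secrets.QUAY_USERNAME }} --password-stdin
+- name: Sign Helm Chart
+run: |
+cosign sign-blob -y jetstack-charts/charts/version-checker-${{steps.release_number.outputs.substring}}.tgz \
+--bundle jetstack-charts/charts/version-checker-${{steps.release_number.outputs.substring}}.tgz.cosign.bundle
 
 - name: Creating PR
 if: startsWith(github.ref, 'refs/tags/')
@@ -148,7 +160,9 @@ jobs:
 commit-message: "Release version-checker ${{github.ref_name }}"
 branch: version-checker/${{github.ref_name}}
 path: jetstack-charts
-add-paths: charts/*.tgz
+add-paths: |
+charts/*.tgz
+charts/*.tgz.cosign.bundle
 delete-branch: true
 signoff: true
 base: main
@@ -160,10 +174,19 @@ jobs:
 
 docker-release:
 runs-on: ubuntu-latest
+permissions:
+id-token: write
 steps:
 - name: Checkout code
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
+# Install the cosign tool except on PR
+# https://github.com/sigstore/cosign-installer
+- name: Install cosign
+uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
+with:
+cosign-release: "v2.2.4"
+
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
 
@@ -180,6 +203,7 @@ jobs:
 password: ${{ secrets.QUAY_ROBOT_TOKEN }}
 
 - name: Build and push (if applicable)
+id: build-and-push
 uses: docker/build-push-action@v6
 with:
 context: .
@@ -193,6 +217,21 @@ jobs:
 type=sbom
 type=provenance,mode=max
 
+# Sign the resulting Docker image digest except on PRs.
+# This will only write to the public Rekor transparency log when the Docker
+# repository is public to avoid leaking data. If you would like to publish
+# transparency data even for private images, pass --force to cosign below.
+# https://github.com/sigstore/cosign
+- name: Sign the published Docker image
+if: ${{ startsWith(github.ref, 'refs/tags/') }}
+env:
+# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+TAGS: ${{ steps.meta.outputs.tags }}
+DIGEST: ${{ steps.build-and-push.outputs.digest }}
+# This step uses the identity token to provision an ephemeral certificate
+# against the sigstore community Fulcio instance.
+run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+
 github-release:
 name: Create/Update GitHub Release
 permissions: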
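Review bot: The `Setup Cosign` step added to `helm-release` uses `sigstore/cosign-installer@main`, a mutable branch ref, in a job that this commit also grants `id-token: write` and that reads the Quay secrets. Whatever is on that branch at run time executes with the ability to request the workflow's OIDC token and sign under its identity, which weakens what the resulting chart signature attests. The `docker-release` job in the same file already pins the action, so I'd use the same form here: `uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0` with `cosign-release: "v2.2.4"`. The tag-only refs nearby (`azure/setup-helm@v4`, `actions/checkout@v4`) would benefit from the same commit pinning.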

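--- a/cmd/app/options.go
+++ b/cmd/app/options.go
@@ -64,21 +64,21 @@ var (
 
 // Options is a struct to hold options for the version-checker.
 type Options struct {
-kubeConfigFlags *genericclioptions.ConfigFlags
-
-Client client.Options
 MetricsServingAddress string
-LogLevel string
+PprofBindAddress string
 
-PprofBindAddress string
-selfhosted selfhosted.Options
+DefaultTestAll bool
+LogLevel string
 
 CacheTimeout time.Duration
 GracefulShutdownTimeout time.Duration
 CacheSyncPeriod time.Duration
 RequeueDuration time.Duration
 
-DefaultTestAll bool
+kubeConfigFlags *genericclioptions.ConfigFlags
+
+selfhosted selfhosted.Options
+Client client.Options
 }
 
 type envMatcher struct {
@@ -143,6 +143,10 @@ func (o *Options) addAppFlags(fs *pflag.FlagSet) {
 "graceful-shutdown-timeout", "", 10*time.Second,
 "Time that the manager should wait for all controller to shutdown.")
 
+fs.DurationVarP(&o.RequeueDuration,
+"requeue-duration", "r", time.Hour,
+"The time a pod will be re-checked for new versions/tags")
+
 fs.DurationVarP(&o.CacheSyncPeriod,
 "cache-sync-period", "", 5*time.Hour,
 "The time in which all resources should be updated.")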
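Review bot: The new `--requeue-duration` flag in `addAppFlags` accepts any duration, including zero and negative values, and nothing in this hunk bounds it. How the reconciler treats such a value is not visible here, but a zero or very small interval would presumably either stop re-checks or make every pod query its upstream registry continuously, which is an easy way to run into registry rate limits. I'd reject non-positive values wherever the options are validated and say so in the help text, e.g. `"The interval after which a pod is re-checked for new versions/tags (must be greater than zero)"`. It is also the only flag in view that claims a one-letter shorthand (`"r"`), where its neighbours pass `""`. `addAppFlags` starts and ends outside the hunk.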

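--- a/pkg/controller/pod_controller.go
+++ b/pkg/controller/pod_controller.go
@@ -56,8 +56,8 @@ func NewPodReconciler(
 Client: kubeClient,
 Metrics: metrics,
 VersionChecker: checker.New(search),
-defaultTestAll: defaultTestAll,
 RequeueDuration: requeueDuration,
+defaultTestAll: defaultTestAll,
 }
 }
 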
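--- a/pkg/controller/pod_controller_test.go
+++ b/pkg/controller/pod_controller_test.go
@@ -85,6 +85,7 @@ func TestReconcile(t *testing.T) {
 prometheus.NewRegistry(),
 kubeClient,
 )
+
 controller := NewPodReconciler(5*time.Minute, metrics, imageClient, kubeClient, testLogger, 5*time.Minute, true)
 
 ctx := context.Background()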
