Commit

ref(*): sign and package release charts
As opposed to signing (and modifying) release artifact at a later point in time.
Vaughn Dice committed Dec 12, 2016
1 parent 2dcfa30 commit 4b06c14
Showing 14 changed files with 784 additions and 790 deletions.
210 changes: 101 additions & 109 deletions README.md
Expand Up @@ -117,66 +117,69 @@ that follow the main steps of the job itself. See the [Workflow component job](

### Component Release Pipeline
```
Component Release Pipeline
start
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ β”‚
β”‚ β”‚ - triggered by `v1.2.3` git tag
β”‚ β”‚ webhook
β”‚ component-release β”‚
β”‚ β”‚ - locate release candidate image
β”‚ β”‚ associated with git tag
β”‚ β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
β”‚
β”‚
β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ β”‚
β”‚ β”‚
β”‚ β”‚ - retag candidate image with
β”‚ release candidate promote β”‚ official release (v1.2.3)
β”‚ β”‚
β”‚ β”‚
β”‚ β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
β”‚
β”‚
β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ β”‚
β”‚ β”‚
β”‚ component release β”‚ - publish release data to
β”‚ publish β”‚ workflow-manager-api
β”‚ β”‚
β”‚ β”‚
β”‚ β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
β”‚
β”‚
β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ β”‚
β”‚ β”‚
β”‚ component chart β”‚ - package release component chart
β”‚ publish β”‚
β”‚ β”‚ - publish to both 'production' and
β”‚ β”‚ 'dev' chart repos
β”‚ β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
β”‚
β”‚
β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ β”‚
β”‚ β”‚
β”‚ β”‚ - sign release chart in 'production'
β”‚ component chart sign β”‚ chart repo
β”‚ β”‚
β”‚ β”‚
β”‚ β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
Component Release Pipeline
start
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ β”‚
β”‚ β”‚ - triggered by `v1.2.3` git tag
β”‚ β”‚ webhook
β”‚ component-release β”‚
β”‚ β”‚ - locate release candidate image
β”‚ β”‚ associated with git tag
β”‚ β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
β”‚
β”‚
β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ β”‚
β”‚ β”‚
β”‚ β”‚ - retag candidate image with
β”‚ release candidate promote β”‚ official release (v1.2.3)
β”‚ β”‚
β”‚ β”‚
β”‚ β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
β”‚
β”‚
β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ β”‚
β”‚ β”‚
β”‚ component release β”‚ - publish release data to
β”‚ publish β”‚ workflow-manager-api
β”‚ β”‚
β”‚ β”‚
β”‚ β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
β”‚
β”‚
β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ β”‚
β”‚ β”‚ - publish signed and packaged chart
β”‚ component chart β”‚ to 'production'
β”‚ publish β”‚
β”‚ β”‚ - publish packaged chart 'dev'
β”‚ β”‚ chart repos
β”‚ β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
β”‚
β”‚
β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ β”‚
β”‚ β”‚
β”‚ β”‚ - verifies signature of chart in
β”‚ component chart verify β”‚ 'production' chart repo
β”‚ β”‚
β”‚ β”‚
β”‚ β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
```

### When Workflow-CLI is tagged
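
Review bot: In the new "component chart publish" box the chart is already signed when it is published to 'production', but no box in this pipeline names the job that does the signing or holds the key, and "component chart verify" only runs after the chart is in the 'production' repo. Suggest adding a line that names the signing step and one that says what happens to the published chart when verification fails. The line "publish packaged chart 'dev' chart repos" is also missing a "to", and it should state explicitly whether the 'dev' copy is meant to be unsigned.
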
Expand Down Expand Up @@ -225,64 +228,53 @@ that follow the main steps of the job itself. See the [Workflow component job](

### When a Workflow Helm Chart is to be released
```
Workflow Chart Release
Pipeline
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” - triggered manually with
β”‚ β”‚ supplied release tag
β”‚ β”‚
β”‚ β”‚ - update chart dependencies by
β”‚ workflow-chart-publish β”‚ gathering latest releases for
β”‚ β”‚ all component charts
β”‚ β”‚
β”‚ β”‚ - update index file, package and
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ upload to the 'staging' charts
β”‚
β”‚
β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” - lease GKE cluster, install
β”‚ β”‚ Workflow chart (version handed
β”‚ β”‚ down from upstream)
β”‚ β”‚
β”‚ workflow-chart-e2e β”‚ - install workflow-e2e chart
β”‚ β”‚
β”‚ β”‚ - archive test results and
β”‚ β”‚ report job status to appropriate
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ channel(s)
β”‚
β”‚
β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” - triggered manually with
β”‚ β”‚ supplied release tag
β”‚ β”‚
β”‚ β”‚ - pull down approved chart
β”‚ workflow-chart-release β”‚ from 'staging' chart repo
β”‚ β”‚
β”‚ β”‚ - update index file, upload
β”‚ β”‚ chart to 'production' charts
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ repo
β”‚
β”‚
β–Ό
- triggered manually with supplied release
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” tag
β”‚ β”‚
β”‚ β”‚ - update chart dependencies by gathering
β”‚ β”‚ latest releases for all component charts
β”‚ workflow-chart-stage β”‚
β”‚ β”‚ - upload signed and packaged candidate chart
β”‚ β”‚ (sans index file) to 'production' repo
β”‚ β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ - upload packaged candidate chart (with
β”‚ index file) to 'staging' charts repo
β”‚
β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ β”‚ - lease GKE cluster, install Workflow chart
β”‚ β”‚ (version handed down from upstream) from
β”‚ β”‚ 'staging' repo
β”‚ workflow-chart-e2e β”‚
β”‚ β”‚ - install workflow-e2e chart
β”‚ β”‚
β”‚ β”‚ - archive test results and report job status
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ to appropriate channel(s)
β”‚
β”‚
β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ β”‚ - triggered manually with supplied release
β”‚ β”‚ tag
β”‚ β”‚
β”‚ β”‚ - fetch specific chart version
β”‚ β”‚
β”‚ helm-chart-sign β”‚ - sign chart with signing key
β”‚ workflow-chart-release β”‚ - pull down approved, signed chart from
β”‚ β”‚ 'production' chart repo
β”‚ β”‚
β”‚ β”‚ - upload new *.tgz and *.tgz.prov
β”‚ β”‚ files to chart repo
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
β”‚
β”‚
β–Ό
β”‚ β”‚ - update index file, upload to 'production'
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ charts repo, making it officially
β”‚ fetchable/installable
β”‚
β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ β”‚
β”‚ β”‚ - verifies signature of chart from 'production'
β”‚ β”‚ repo
β”‚ helm-chart-verify β”‚
β”‚ β”‚ - (job succeeds if command succeeds)
β”‚ β”‚
β”‚ β”‚ - non-signatory node runs `helm fetch
β”‚ helm-chart-verify β”‚ --verify <chart> --version <version>`
β”‚ β”‚
β”‚ β”‚ - (job succeeds if command succeeds)
β”‚ β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
```
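
Review bot: In the workflow-chart-stage box, the signed candidate chart is uploaded to the 'production' repo before workflow-chart-e2e has run, with only the absent index file separating it from an official release. The README should say what happens to that signed artifact when e2e fails (removed, overwritten on the next attempt, or left in place), because a validly signed package sitting in the production repo may still be retrievable without the index. It would also help to state in the workflow-chart-release box that updating the index file is the only step that promotes the chart, so readers do not assume a second upload or re-signing happens there.
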
