Mirrors/flux2
1
0
Fork 0
mirror of synced 2026-02-08 11:35:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3540 from fluxcd/push-output

Browse Source 
Add json/yaml output to flux push artifact
This commit is contained in:
Stefan Prodan
2023-01-31 15:28:26 +02:00
committed by GitHub
parent 51504406da 6681cd05a9
commit 023a709b6a
2 changed files with 86 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
action/README.md
View File

@@ -134,18 +134,25 @@ jobs:
flux tag artifact $OCI_REPO:$(git rev-parse --short HEAD) --tag staging flux tag artifact $OCI_REPO:$(git rev-parse --short HEAD) --tag staging
``` ```
Example workflow for publishing Kubernetes manifests bundled as OCI artifacts to Docker Hub: ### Push and sign Kubernetes manifests to container registries
Example workflow for publishing Kubernetes manifests bundled as OCI artifacts
which are signed with Cosign and GitHub OIDC:
```yaml ```yaml
name: push-artifact-production name: push-sign-artifact
on: on:
push: push:
tags: branches:
- '*' - 'main'
permissions:
packages: write # needed for ghcr.io access
id-token: write # needed for keyless signing
env: env:
OCI_REPO: "oci://docker.io/my-org/app-config" OCI_REPO: "oci://ghcr.io/my-org/manifests/${{ github.event.repository.name }}"
jobs: jobs:
kubernetes: kubernetes:
@@ -155,23 +162,24 @@ jobs:
uses: actions/checkout@v3 uses: actions/checkout@v3
- name: Setup Flux CLI - name: Setup Flux CLI
uses: fluxcd/flux2/action@main uses: fluxcd/flux2/action@main
- name: Login to Docker Hub - name: Setup Cosign
uses: sigstore/cosign-installer@main
- name: Login to GHCR
uses: docker/login-action@v2 uses: docker/login-action@v2
with: with:
username: ${{ secrets.DOCKER_USERNAME }} registry: ghcr.io
password: ${{ secrets.DOCKER_PASSWORD }} username: ${{ github.actor }}
- name: Generate manifests password: ${{ secrets.GITHUB_TOKEN }}
- name: Push and sign manifests
run: | run: |
kustomize build ./manifests/production > ./deploy/app.yaml digest_url=$(flux push artifact \
- name: Push manifests $OCI_REPO:$(git rev-parse --short HEAD) \
run: | --path="./manifests" \
flux push artifact $OCI_REPO:$(git tag --points-at HEAD) \
--path="./deploy" \
--source="$(git config --get remote.origin.url)" \ --source="$(git config --get remote.origin.url)" \
--revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)" --revision="$(git branch --show-current)/$(git rev-parse HEAD)" |\
- name: Deploy manifests to production jq -r '. | .repository + "@" + .digest')
run: |
flux tag artifact $OCI_REPO:$(git tag --points-at HEAD) --tag production cosign sign $digest_url
``` ```
### End-to-end testing ### End-to-end testing

60
cmd/flux/push_artifact.go
View File

@@ -18,12 +18,15 @@ package main
import ( import (
"context" "context"
"encoding/json"
"fmt" "fmt"
"os" "os"
"github.com/fluxcd/flux2/internal/flags" "github.com/fluxcd/flux2/internal/flags"
sourcev1 "github.com/fluxcd/source-controller/api/v1beta2" sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
reg "github.com/google/go-containerregistry/pkg/name"
"github.com/spf13/cobra" "github.com/spf13/cobra"
"sigs.k8s.io/yaml"
oci "github.com/fluxcd/pkg/oci/client" oci "github.com/fluxcd/pkg/oci/client"
) )
@@ -40,6 +43,16 @@ The command can read the credentials from '~/.docker/config.json' but they can a
--source="$(git config --get remote.origin.url)" \ --source="$(git config --get remote.origin.url)" \
--revision="$(git branch --show-current)/$(git rev-parse HEAD)" --revision="$(git branch --show-current)/$(git rev-parse HEAD)"
# Push and sign artifact with cosign
digest_url = $(flux push artifact \
oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) \
--source="$(git config --get remote.origin.url)" \
--revision="$(git branch --show-current)/$(git rev-parse HEAD)" \
--path="./path/to/local/manifest.yaml" \
--output json | \
jq -r '. | .repository + "@" + .digest')
cosign sign $digest_url
# Push manifests passed into stdin to GHCR # Push manifests passed into stdin to GHCR
kustomize build . | flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) -p - \ kustomize build . | flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) -p - \
--source="$(git config --get remote.origin.url)" \ --source="$(git config --get remote.origin.url)" \
@@ -85,6 +98,7 @@ type pushArtifactFlags struct {
creds string creds string
provider flags.SourceOCIProvider provider flags.SourceOCIProvider
ignorePaths []string ignorePaths []string
output string
} }
var pushArtifactArgs = newPushArtifactFlags() var pushArtifactArgs = newPushArtifactFlags()
@@ -102,6 +116,8 @@ func init() {
pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic") pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
pushArtifactCmd.Flags().Var(&pushArtifactArgs.provider, "provider", pushArtifactArgs.provider.Description()) pushArtifactCmd.Flags().Var(&pushArtifactArgs.provider, "provider", pushArtifactArgs.provider.Description())
pushArtifactCmd.Flags().StringSliceVar(&pushArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format") pushArtifactCmd.Flags().StringSliceVar(&pushArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
pushArtifactCmd.Flags().StringVarP(&pushArtifactArgs.output, "output", "o", "",
"the format in which the artifact digest should be printed, can be 'json' or 'yaml'")
pushCmd.AddCommand(pushArtifactCmd) pushCmd.AddCommand(pushArtifactCmd)
} }
@@ -172,14 +188,54 @@ func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
} }
} }
if pushArtifactArgs.output == "" {
logger.Actionf("pushing artifact to %s", url) logger.Actionf("pushing artifact to %s", url)
}
digest, err := ociClient.Push(ctx, url, path, meta, pushArtifactArgs.ignorePaths) digestURL, err := ociClient.Push(ctx, url, path, meta, pushArtifactArgs.ignorePaths)
if err != nil { if err != nil {
return fmt.Errorf("pushing artifact failed: %w", err) return fmt.Errorf("pushing artifact failed: %w", err)
} }
logger.Successf("artifact successfully pushed to %s", digest) digest, err := reg.NewDigest(digestURL)
if err != nil {
return fmt.Errorf("artifact digest parsing failed: %w", err)
}
tag, err := reg.NewTag(url)
if err != nil {
return fmt.Errorf("artifact tag parsing failed: %w", err)
}
info := struct {
URL string `json:"url"`
Repository string `json:"repository"`
Tag string `json:"tag"`
Digest string `json:"digest"`
}{
URL: fmt.Sprintf("oci://%s", digestURL),
Repository: digest.Repository.Name(),
Tag: tag.TagStr(),
Digest: digest.DigestStr(),
}
switch pushArtifactArgs.output {
case "json":
marshalled, err := json.MarshalIndent(&info, "", " ")
if err != nil {
return fmt.Errorf("artifact digest JSON conversion failed: %w", err)
}
marshalled = append(marshalled, "\n"...)
rootCmd.Print(string(marshalled))
case "yaml":
marshalled, err := yaml.Marshal(&info)
if err != nil {
return fmt.Errorf("artifact digest YAML conversion failed: %w", err)
}
rootCmd.Print(string(marshalled))
default:
logger.Successf("artifact successfully pushed to %s", digestURL)
}
return nil return nil
} }