From 0fc582d6fde584ec25db6080c15533f9b6594cc6 Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Thu, 31 Mar 2022 11:42:58 +0300 Subject: [PATCH] Add user stories for publishing and reconciling OCI artifacts Signed-off-by: Stefan Prodan --- rfcs/kubernetes-oci/README.md | 91 ++++++++++++++++++++++++++++++++++- 1 file changed, 90 insertions(+), 1 deletion(-) diff --git a/rfcs/kubernetes-oci/README.md b/rfcs/kubernetes-oci/README.md index 65b0737e..d528fa1f 100644 --- a/rfcs/kubernetes-oci/README.md +++ b/rfcs/kubernetes-oci/README.md @@ -125,7 +125,96 @@ spec: ### User Stories -TODO +#### Story 1 + +> As a developer I want to publish my app Kubernetes manifests to the same GHCR registry +> where I publish my app containers. + +First login to GHCR with Docker: + +```sh +docker login ghcr.io -u ${GITHUB_USER} -p ${GITHUB_TOKEN} +``` + +Build your app container image and push it to GHCR: + +```sh +docker build -t ghcr.io/org/my-app:v1.0.0 . +docker push ghcr.io/org/my-app:v1.0.0 +``` + +Edit the app deployment manifest and set the new image tag. +Then push the Kubernetes manifests to GHCR: + +```sh +flux push artifact ghcr.io/org/my-app-config:v1.0.0 -f ./deploy +``` + +Sign the config image with cosign: + +```sh +cosign sign --key cosign.key ghcr.io/org/my-app-config:v1.0.0 +``` + +#### Story 2 + +> As a developer I want to deploy my app using Kubernetes manifests published as OCI artifacts to GHCR. + +First create a secret using a GitHub token that allows access to GHCR: + +```sh +kubectl create secret docker-registry my-app-regcred \ + --docker-server=ghcr.io \ + --docker-username=$GITHUB_USER \ + --docker-password=$GITHUB_TOKEN +``` + +Then create a secret with your cosgin public key: + +```sh +kubectl create secret generic my-app-cosgin-key \ + --from-file=cosign.pub=cosign/my-key.pub +``` + +Then define an `OCIRepository` to fetch and verify the latest app config version: + +```yaml +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: OCIRepository +metadata: + name: app-config + namespace: default +spec: + interval: 10m + url: ghcr.io/org/my-app-config + ref: + semver: "1.x" + secretRef: + name: my-app-regcred + verify: + provider: cosign + secretRef: + name: my-app-cosgin-key +``` + +And finally, create a Flux Kustomization to reconcile the app on the cluster: + +```yaml +apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +kind: Kustomization +metadata: + name: app + namespace: default +spec: + interval: 10m + sourceRef: + kind: OCIRepository + name: app-config + path: ./ + prune: true + wait: true + timeout: 2m +``` ### Alternatives