diff --git a/docs/release/controllers.md b/docs/release/controllers.md index 0058a2bf..45db7280 100644 --- a/docs/release/controllers.md +++ b/docs/release/controllers.md @@ -96,11 +96,17 @@ controller release is included in a Flux patch release. Minor releases are intended for backwards compatible feature additions and improvements. Note that breaking changes may occur if required by a security vulnerability fix. -In addition, minor releases are used when updating Kubernetes dependencies such as `k8s.io/api` from one minor version to another. +In addition, minor releases are used when updating Kubernetes dependencies such +as `k8s.io/api` from one minor version to another. -In effect, this means a new minor version will at least be released for all Flux controllers approximately every four months, following each Kubernetes minor version release. To properly validate the controllers against the latest Kubernetes version, we typically allocate a time window of at least two weeks for end-to-end testing of Flux controllers. +In effect, this means a new minor version will at least be released for all Flux +controllers approximately every four months, following each Kubernetes minor version release. +To properly validate the controllers against the latest Kubernetes version, +we typically allocate a time window of around two weeks for end-to-end testing of Flux controllers. -It is worth noting that in certain scenarios where project dependencies are not in sync with the Kubernetes version or conflicts arise, this two-week timeframe may prove insufficient, requiring additional time to address the issues appropriately. +It is worth noting that in certain scenarios where project dependencies are not in sync with +the Kubernetes version or conflicts arise, this two-week timeframe may prove insufficient, +requiring additional time to address the issues appropriately. ### Major releases @@ -134,33 +140,15 @@ Each controller release produces the following artifacts: - Source code (GitHub Releases page) - Software Bill of Materials in SPDX format (GitHub Releases page) +- SLSA provenance attestations (GitHub Releases page) - Kubernetes manifests such as CRDs and Deployments (GitHub Releases page) - Signed checksums of source code, SBOM and manifests (GitHub Releases page) - Multi-arch container images (GitHub Container Registry and DockerHub) -All the artifacts are cryptographically signed and can be verified with Cosign. +All the artifacts are cryptographically signed and can be verified with Cosign and GitHub OIDC. The release artifacts can be accessed based on the controller name and version. -To import or update a controller's API package in a Go project: - -```shell -go get github.com/fluxcd//api@ -``` - -To verify and pull a controller's container image: - -```shell -cosign verify ghcr.io/fluxcd/: -docker pull ghcr.io/fluxcd/: -``` - -To download a controller's Kubernetes Custom resource definitions: - -```shell -curl -sL https://github.com/fluxcd//releases/download//.crds.yaml -``` - ## Controller release procedure As a project maintainer, to release a controller and its API: diff --git a/docs/release/flux.md b/docs/release/flux.md index 44c6cbbd..cae1bbb9 100644 --- a/docs/release/flux.md +++ b/docs/release/flux.md @@ -112,6 +112,7 @@ Each Flux release produces the following artifacts: - Source code (GitHub Releases page) - Software Bill of Materials in SPDX format (GitHub Releases page) +- SLSA provenance attestations (GitHub Releases page) - Kubernetes manifests of all controllers (GitHub Releases page) - CLI binaries for Linux, macOS and Windows (GitHub Releases page) - Signed checksums of source code, SBOM and manifests (GitHub Releases page) @@ -123,26 +124,6 @@ All the artifacts are cryptographically signed and can be verified with Cosign. The release artifacts can be accessed based on the Flux version. -To verify and pull the Flux CLI container image: - -```shell -cosign verify ghcr.io/fluxcd/flux-cli: -docker pull ghcr.io/fluxcd/flux-cli: -``` - -To install the latest stable release of the Flux CLI with Homebrew: - -```shell -brew install fluxcd/tap/flux -``` - -To download the Kubernetes manifests: - -```shell -cosign verify ghcr.io/fluxcd/flux-manifests: -flux pull artifact oci://ghcr.io/fluxcd/flux-manifests: --output . -``` - ## Release changelog All released versions of Flux are published on [GitHub Releases page](https://github.com/fluxcd/flux2/releases)