Add SLSA provenance to release artifacts

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
pull/3254/head
Stefan Prodan 2 years ago
parent 8d5c4492d8
commit 91660a98d5
No known key found for this signature in database
GPG Key ID: 3299AEB0E4085BAF

@ -96,11 +96,17 @@ controller release is included in a Flux patch release.
Minor releases are intended for backwards compatible feature additions and improvements.
Note that breaking changes may occur if required by a security vulnerability fix.
In addition, minor releases are used when updating Kubernetes dependencies such as `k8s.io/api` from one minor version to another.
In addition, minor releases are used when updating Kubernetes dependencies such
as `k8s.io/api` from one minor version to another.
In effect, this means a new minor version will at least be released for all Flux controllers approximately every four months, following each Kubernetes minor version release. To properly validate the controllers against the latest Kubernetes version, we typically allocate a time window of at least two weeks for end-to-end testing of Flux controllers.
In effect, this means a new minor version will at least be released for all Flux
controllers approximately every four months, following each Kubernetes minor version release.
To properly validate the controllers against the latest Kubernetes version,
we typically allocate a time window of around two weeks for end-to-end testing of Flux controllers.
It is worth noting that in certain scenarios where project dependencies are not in sync with the Kubernetes version or conflicts arise, this two-week timeframe may prove insufficient, requiring additional time to address the issues appropriately.
It is worth noting that in certain scenarios where project dependencies are not in sync with
the Kubernetes version or conflicts arise, this two-week timeframe may prove insufficient,
requiring additional time to address the issues appropriately.
### Major releases
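Review bot: the reflow of this paragraph hides a wording change: "at least two weeks" becomes "around two weeks" in the new text, which weakens the stated validation window; if that is intended, call it out in the commit message, and if not, keep "at least". The rest of this hunk only re-wraps existing sentences to shorter lines, which is unrelated to the SLSA provenance change in the title and would be easier to review as a separate commit.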
@ -134,33 +140,15 @@ Each controller release produces the following artifacts:
- Source code (GitHub Releases page)
- Software Bill of Materials in SPDX format (GitHub Releases page)
- SLSA provenance attestations (GitHub Releases page)
- Kubernetes manifests such as CRDs and Deployments (GitHub Releases page)
- Signed checksums of source code, SBOM and manifests (GitHub Releases page)
- Multi-arch container images (GitHub Container Registry and DockerHub)
All the artifacts are cryptographically signed and can be verified with Cosign.
All the artifacts are cryptographically signed and can be verified with Cosign and GitHub OIDC.
The release artifacts can be accessed based on the controller name and version.
To import or update a controller's API package in a Go project:
```shell
go get github.com/fluxcd/<controller-name>/api@<version>
```
To verify and pull a controller's container image:
```shell
cosign verify ghcr.io/fluxcd/<controller-name>:<version>
docker pull ghcr.io/fluxcd/<controller-name>:<version>
```
To download a controller's Kubernetes Custom resource definitions:
```shell
curl -sL https://github.com/fluxcd/<controller-name>/releases/download/<version>/<controller-name>.crds.yaml
```
## Controller release procedure
As a project maintainer, to release a controller and its API:
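Review bot: the new "SLSA provenance attestations" bullet and the updated "can be verified with Cosign and GitHub OIDC" sentence add a verification claim without any instructions for it, while this same hunk removes the only worked verification commands in the section (the `cosign verify` and `curl` examples for images and CRDs). A reader now has no guidance on which command verifies the provenance or which OIDC identity and issuer to expect; either keep a short verification example here or replace the removed block with a link to the page where verification is documented. It is also unclear from the artifact list whether the provenance attestation is covered by the "Signed checksums of source code, SBOM and manifests" bullet; state whether it is signed separately.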

@ -112,6 +112,7 @@ Each Flux release produces the following artifacts:
- Source code (GitHub Releases page)
- Software Bill of Materials in SPDX format (GitHub Releases page)
- SLSA provenance attestations (GitHub Releases page)
- Kubernetes manifests of all controllers (GitHub Releases page)
- CLI binaries for Linux, macOS and Windows (GitHub Releases page)
- Signed checksums of source code, SBOM and manifests (GitHub Releases page)
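Review bot: the artifact list now names provenance attestations but leaves open what they attest to; since this list also includes "CLI binaries for Linux, macOS and Windows", say whether the provenance covers the binaries, which is where consumers most need it, and whether the attestation itself is among the signed artifacts, because the "Signed checksums" bullet only names source code, SBOM and manifests.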
@ -123,26 +124,6 @@ All the artifacts are cryptographically signed and can be verified with Cosign.
The release artifacts can be accessed based on the Flux version.
To verify and pull the Flux CLI container image:
```shell
cosign verify ghcr.io/fluxcd/flux-cli:<version>
docker pull ghcr.io/fluxcd/flux-cli:<version>
```
To install the latest stable release of the Flux CLI with Homebrew:
```shell
brew install fluxcd/tap/flux
```
To download the Kubernetes manifests:
```shell
cosign verify ghcr.io/fluxcd/flux-manifests:<version>
flux pull artifact oci://ghcr.io/fluxcd/flux-manifests:<version> --output .
```
## Release changelog
All released versions of Flux are published on [GitHub Releases page](https://github.com/fluxcd/flux2/releases)
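Review bot: the context line "All the artifacts are cryptographically signed and can be verified with Cosign." is left untouched here, while the equivalent sentence in the controller document was changed to "Cosign and GitHub OIDC" in this same commit; the two pages should say the same thing. This hunk also deletes the `cosign verify` and `flux pull artifact` examples with no replacement, so the file no longer shows how to verify the CLI image or the manifests; keep a minimal verification example or add a pointer to where the procedure now lives.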