Mirrors
/
flux2
mirror of https://github.com/fluxcd/flux2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
fix-create-cmd
rfc-0008-implemented
dependabot/go_modules/github.com/go-git/go-git/v5-5.13.0
dependabot/go_modules/tests/integration/golang.org/x/net-0.33.0
main
dependabot/github_actions/ci-c96ae57a0b
dependabot/go_modules/tests/integration/github.com/golang-jwt/jwt/v4-4.5.1
release/v2.4.x
remove-notation-validation
release/v2.3.x
dependabot/go_modules/github.com/hashicorp/go-retryablehttp-0.7.7
dependabot/go_modules/github.com/Azure/azure-sdk-for-go/sdk/azidentity-1.6.0
rfc-flux-bootstrap-oci
release/v2.2.x
RFC
fix-commit-log
flux-audit
release/v2.1.x
context-ns
ksm-dashboard
rfc-passwordless-git-auth
release/v2.0.x
rfc-gating
release/v0.27.4
rfc-0003
rfc-0002
rfc-0001
prompt-for-tokens
encrypt-init-cmd
v2.4.0
v2.3.0
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.1
v2.1.0
v2.0.1
v2.0.0
v2.0.0-rc.5
v2.0.0-rc.4
v2.0.0-rc.3
v2.0.0-rc.2
v2.0.0-rc.1
v0.41.2
v0.40.0
v0.39.0
v0.38.2
v0.38.1
v0.38.0
v0.37.0
v0.36.0
v0.35.0
v0.34.0
v0.33.0
v0.32.0
v0.31.3
v0.31.2
v0.31.1
v0.31.0
v0.30.1
v0.28.2
v0.27.2
v0.27.1
v0.27.0
v0.26.3
v0.26.2
v0.26.1
v0.26.0
v0.25.3
v0.0.1
v0.0.1-alpha.1
v0.0.1-beta.1
v0.0.1-beta.2
v0.0.1-beta.3
v0.0.1-beta.4
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.15
v0.0.16
v0.0.17
v0.0.18
v0.0.19
v0.0.2
v0.0.20
v0.0.21
v0.0.22
v0.0.23
v0.0.24
v0.0.25
v0.0.26
v0.0.27
v0.0.28
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.10.0
v0.11.0
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.13.4
v0.14.0
v0.14.1
v0.14.2
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.16.0
v0.16.1
v0.16.2
v0.17.0
v0.17.1
v0.17.2
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.19.0
v0.19.1
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.20.0
v0.20.1
v0.21.0
v0.21.1
v0.22.0
v0.22.1
v0.23.0
v0.24.0
v0.24.1
v0.25.0
v0.25.1
v0.25.2
v0.27.3
v0.27.4
v0.28.0
v0.28.1
v0.28.3
v0.28.4
v0.28.5
v0.29.0
v0.29.1
v0.29.2
v0.29.3
v0.29.4
v0.29.5
v0.3.0
v0.30.0
v0.30.2
v0.31.4
v0.31.5
v0.38.3
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.40.1
v0.40.2
v0.41.0
v0.41.1
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.8.0
v0.8.1
v0.8.2
v0.9.0
v0.9.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '36adfff99e'
${ noResults }
flux2/cmd/flux/push_artifact.go

326 lines
11 KiB
Go
Raw Blame History

/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"strings"
"time"
"github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/crane"
"github.com/google/go-containerregistry/pkg/logs"
"github.com/google/go-containerregistry/pkg/name"
"github.com/google/go-containerregistry/pkg/v1/remote"
"github.com/google/go-containerregistry/pkg/v1/remote/transport"
"github.com/spf13/cobra"
"sigs.k8s.io/yaml"
"github.com/fluxcd/pkg/oci"
"github.com/fluxcd/pkg/oci/auth/login"
"github.com/fluxcd/pkg/oci/client"
sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
"github.com/fluxcd/flux2/v2/internal/flags"
)
var pushArtifactCmd = &cobra.Command{
Use: "artifact",
Short: "Push artifact",
Long: withPreviewNote(`The push artifact command creates a tarball from the given directory or the single file and uploads the artifact to an OCI repository.
The command can read the credentials from '~/.docker/config.json' but they can also be passed with --creds. It can also login to a supported provider with the --provider flag.`),
Example: ` # Push manifests to GHCR using the short Git SHA as the OCI artifact tag
echo $GITHUB_PAT | docker login ghcr.io --username flux --password-stdin
flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) \
--path="./path/to/local/manifests" \
--source="$(git config --get remote.origin.url)" \
--revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)"
# Push and sign artifact with cosign
digest_url = $(flux push artifact \
oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) \
--source="$(git config --get remote.origin.url)" \
--revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)" \
--path="./path/to/local/manifest.yaml" \
--output json | \
jq -r '. | .repository + "@" + .digest')
cosign sign $digest_url
# Push manifests passed into stdin to GHCR and set custom OCI annotations
kustomize build . | flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) -f - \
--source="$(git config --get remote.origin.url)" \
--revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)" \
--annotations='org.opencontainers.image.licenses=Apache-2.0' \
--annotations='org.opencontainers.image.documentation=https://app.org/docs' \
--annotations='org.opencontainers.image.description=Production config.'
# Push single manifest file to GHCR using the short Git SHA as the OCI artifact tag
echo $GITHUB_PAT | docker login ghcr.io --username flux --password-stdin
flux push artifact oci://ghcr.io/org/config/app:$(git rev-parse --short HEAD) \
--path="./path/to/local/manifest.yaml" \
--source="$(git config --get remote.origin.url)" \
--revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)"
# Push manifests to Docker Hub using the Git tag as the OCI artifact tag
echo $DOCKER_PAT | docker login --username flux --password-stdin
flux push artifact oci://docker.io/org/app-config:$(git tag --points-at HEAD) \
--path="./path/to/local/manifests" \
--source="$(git config --get remote.origin.url)" \
--revision="$(git tag --points-at HEAD)@sha1:$(git rev-parse HEAD)"
# Login directly to the registry provider
# You might need to export the following variable if you use local config files for AWS:
# export AWS_SDK_LOAD_CONFIG=1
flux push artifact oci://<account>.dkr.ecr.<region>.amazonaws.com/app-config:$(git tag --points-at HEAD) \
--path="./path/to/local/manifests" \
--source="$(git config --get remote.origin.url)" \
--revision="$(git tag --points-at HEAD)@sha1:$(git rev-parse HEAD)" \
--provider aws
# Login by passing credentials directly
flux push artifact oci://docker.io/org/app-config:$(git tag --points-at HEAD) \
--path="./path/to/local/manifests" \
--source="$(git config --get remote.origin.url)" \
--revision="$(git tag --points-at HEAD)@sha1:$(git rev-parse HEAD)" \
--creds flux:$DOCKER_PAT
`,
RunE: pushArtifactCmdRun,
}
type pushArtifactFlags struct {
path string
source string
revision string
creds string
provider flags.SourceOCIProvider
ignorePaths []string
annotations []string
output string
debug bool
}
var pushArtifactArgs = newPushArtifactFlags()
func newPushArtifactFlags() pushArtifactFlags {
return pushArtifactFlags{
provider: flags.SourceOCIProvider(sourcev1.GenericOCIProvider),
}
}
func init() {
pushArtifactCmd.Flags().StringVarP(&pushArtifactArgs.path, "path", "f", "", "path to the directory where the Kubernetes manifests are located")
pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.source, "source", "", "the source address, e.g. the Git URL")
pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.revision, "revision", "", "the source revision in the format '<branch|tag>@sha1:<commit-sha>'")
pushArtifactCmd.Flags().StringVar(&pushArtifactArgs.creds, "creds", "", "credentials for OCI registry in the format <username>[:<password>] if --provider is generic")
pushArtifactCmd.Flags().Var(&pushArtifactArgs.provider, "provider", pushArtifactArgs.provider.Description())
pushArtifactCmd.Flags().StringSliceVar(&pushArtifactArgs.ignorePaths, "ignore-paths", excludeOCI, "set paths to ignore in .gitignore format")
pushArtifactCmd.Flags().StringArrayVarP(&pushArtifactArgs.annotations, "annotations", "a", nil, "Set custom OCI annotations in the format '<key>=<value>'")
pushArtifactCmd.Flags().StringVarP(&pushArtifactArgs.output, "output", "o", "",
"the format in which the artifact digest should be printed, can be 'json' or 'yaml'")
pushArtifactCmd.Flags().BoolVarP(&pushArtifactArgs.debug, "debug", "", false, "display logs from underlying library")
pushCmd.AddCommand(pushArtifactCmd)
}
func pushArtifactCmdRun(cmd *cobra.Command, args []string) error {
if len(args) < 1 {
return fmt.Errorf("artifact URL is required")
}
ociURL := args[0]
if pushArtifactArgs.source == "" {
return fmt.Errorf("--source is required")
}
if pushArtifactArgs.revision == "" {
return fmt.Errorf("--revision is required")
}
if pushArtifactArgs.path == "" {
return fmt.Errorf("invalid path %q", pushArtifactArgs.path)
}
url, err := client.ParseArtifactURL(ociURL)
if err != nil {
return err
}
ref, err := name.ParseReference(url)
if err != nil {
return err
}
path := pushArtifactArgs.path
if pushArtifactArgs.path == "-" {
path, err = saveReaderToFile(os.Stdin)
if err != nil {
return err
}
defer os.Remove(path)
}
if _, err := os.Stat(path); err != nil {
return fmt.Errorf("invalid path '%s', must point to an existing directory or file: %w", path, err)
}
annotations := map[string]string{}
for _, annotation := range pushArtifactArgs.annotations {
kv := strings.Split(annotation, "=")
if len(kv) != 2 {
return fmt.Errorf("invalid annotation %s, must be in the format key=value", annotation)
}
annotations[kv[0]] = kv[1]
}
if pushArtifactArgs.debug {
// direct logs from crane library to stderr
// this can be useful to figure out things happening underneath e.g when the library is retrying a request
logs.Warn.SetOutput(os.Stderr)
}
meta := client.Metadata{
Source: pushArtifactArgs.source,
Revision: pushArtifactArgs.revision,
Annotations: annotations,
}
ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
defer cancel()
var auth authn.Authenticator
opts := client.DefaultOptions()
if pushArtifactArgs.provider.String() == sourcev1.GenericOCIProvider && pushArtifactArgs.creds != "" {
logger.Actionf("logging in to registry with credentials")
auth, err = client.GetAuthFromCredentials(pushArtifactArgs.creds)
if err != nil {
return fmt.Errorf("could not login with credentials: %w", err)
}
opts = append(opts, crane.WithAuth(auth))
}
if pushArtifactArgs.provider.String() != sourcev1.GenericOCIProvider {
logger.Actionf("logging in to registry with provider credentials")
ociProvider, err := pushArtifactArgs.provider.ToOCIProvider()
if err != nil {
return fmt.Errorf("provider not supported: %w", err)
}
auth, err = login.NewManager().Login(ctx, url, ref, getProviderLoginOption(ociProvider))
if err != nil {
return fmt.Errorf("error during login with provider: %w", err)
}
opts = append(opts, crane.WithAuth(auth))
}
if rootArgs.timeout != 0 {
backoff := remote.Backoff{
Duration: 1.0 * time.Second,
Factor: 3,
Jitter: 0.1,
// timeout happens when the cap is exceeded or number of steps is reached
// 10 steps is big enough that most reasonable cap(under 30min) will be exceeded before
// the number of steps are completed.
Steps: 10,
Cap: rootArgs.timeout,
}
if auth == nil {
auth, err = authn.DefaultKeychain.Resolve(ref.Context())
if err != nil {
return err
}
}
transportOpts, err := client.WithRetryTransport(ctx, ref, auth, backoff, []string{ref.Context().Scope(transport.PushScope)})
if err != nil {
return fmt.Errorf("error setting up transport: %w", err)
}
opts = append(opts, transportOpts, client.WithRetryBackOff(backoff))
}
if pushArtifactArgs.output == "" {
logger.Actionf("pushing artifact to %s", url)
}
ociClient := client.NewClient(opts)
digestURL, err := ociClient.Push(ctx, url, path,
client.WithPushMetadata(meta),
client.WithPushIgnorePaths(pushArtifactArgs.ignorePaths...),
)
if err != nil {
return fmt.Errorf("pushing artifact failed: %w", err)
}
digest, err := name.NewDigest(digestURL)
if err != nil {
return fmt.Errorf("artifact digest parsing failed: %w", err)
}
tag, err := name.NewTag(url)
if err != nil {
return fmt.Errorf("artifact tag parsing failed: %w", err)
}
info := struct {
URL string `json:"url"`
Repository string `json:"repository"`
Tag string `json:"tag"`
Digest string `json:"digest"`
}{
URL: fmt.Sprintf("oci://%s", digestURL),
Repository: digest.Repository.Name(),
Tag: tag.TagStr(),
Digest: digest.DigestStr(),
}
switch pushArtifactArgs.output {
case "json":
marshalled, err := json.MarshalIndent(&info, "", " ")
if err != nil {
return fmt.Errorf("artifact digest JSON conversion failed: %w", err)
}
marshalled = append(marshalled, "\n"...)
rootCmd.Print(string(marshalled))
case "yaml":
marshalled, err := yaml.Marshal(&info)
if err != nil {
return fmt.Errorf("artifact digest YAML conversion failed: %w", err)
}
rootCmd.Print(string(marshalled))
default:
logger.Successf("artifact successfully pushed to %s", digestURL)
}
return nil
}
func getProviderLoginOption(provider oci.Provider) login.ProviderOptions {
var opts login.ProviderOptions
switch provider {
case oci.ProviderAzure:
opts.AzureAutoLogin = true
case oci.ProviderAWS:
opts.AwsAutoLogin = true
case oci.ProviderGCP:
opts.GcpAutoLogin = true
}
return opts
}
Reference in New Issue View Git Blame Copy Permalink