add publish stage for pushing OCI helm chart

Signed-off-by: Ashley Davis <[email protected]>

Author: SgtCoDFish

cmd/cmrel/cmd/gcb_publish.go

@@ -19,6 +19,7 @@ package cmd
 import (
 	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"log"
 	"os"
@@ -33,6 +34,9 @@ import (
 	"github.com/spf13/cobra"
 	flag "github.com/spf13/pflag"
 	"golang.org/x/oauth2"
+	"helm.sh/helm/v3/pkg/pusher"
+	helmregistry "helm.sh/helm/v3/pkg/registry"
+	"helm.sh/helm/v3/pkg/uploader"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/utils/pointer"
 
@@ -98,6 +102,9 @@ type gcbPublishOptions struct {
 	// release will be published to.
 	PublishedGitHubRepo string
 
+	// PublishedOCIHelmChartRegistry is the registry to which helm charts should be published
+	PublishedOCIHelmChartRegistry string
+
 	// SkipSigning, if true, will skip trying to sign artifacts using KMS
 	SkipSigning bool
 
@@ -185,6 +192,7 @@ func (o *gcbPublishOptions) AddFlags(fs *flag.FlagSet, markRequired func(string)
 	fs.StringVar(&o.PublishedHelmChartGitHubBranch, "published-helm-chart-github-branch", release.DefaultHelmChartGitHubBranch, "The name of the main branch in the GitHub repository for Helm charts.")
 	fs.StringVar(&o.PublishedGitHubOrg, "published-github-org", release.DefaultGitHubOrg, "The org of the repository where the release wil be published to.")
 	fs.StringVar(&o.PublishedGitHubRepo, "published-github-repo", release.DefaultGitHubRepo, "The repo name in the provided org where the release will be published to.")
+	fs.StringVar(&o.PublishedOCIHelmChartRegistry, "published-oci-chart-registry", release.DefaultOCIHelmChartRegistry, "The OCI registry to which the Helm chart should be pushed")
 	fs.StringVar(&o.CosignPath, "cosign-path", "cosign", "Full path to the cosign binary. Defaults to searching in $PATH for a binary called 'cosign'")
 	fs.StringVar(&o.SigningKMSKey, "signing-kms-key", defaultKMSKey, "Full name of the GCP KMS key to use for signing.")
 	fs.BoolVar(&o.SkipSigning, "skip-signing", false, "Skip signing container images.")
@@ -200,6 +208,7 @@ func (o *gcbPublishOptions) print() {
 	log.Printf("  PublishedHelmChartGitHubRepo: %q", o.PublishedHelmChartGitHubRepo)
 	log.Printf("  PublishedHelmChartGitHubOwner: %q", o.PublishedHelmChartGitHubOwner)
 	log.Printf("  PublishedHelmChartGitHubBranch: %q", o.PublishedHelmChartGitHubBranch)
+	log.Printf("  PublishedOCIHelmChartRegistry: %q", o.PublishedOCIHelmChartRegistry)
 	log.Printf("  PublishedGitHubOrg: %q", o.PublishedGitHubOrg)
 	log.Printf("  PublishedGitHubRepo: %q", o.PublishedGitHubRepo)
 	log.Printf("  CosignPath: %q", o.CosignPath)
@@ -256,6 +265,7 @@ func canonicalizeAndVerifyPublishActions(rawActions []string) ([]string, error)
 
 var publishActionMap map[string]publishAction = map[string]publishAction{
 	"helmchartpr":         pushHelmChartPR,
+	"helmchartoci":        pushOCIHelmChart,
 	"githubrelease":       pushGitHubRelease,
 	"pushcontainerimages": pushContainerImages,
 }
@@ -403,6 +413,41 @@ func pushHelmChartPR(ctx context.Context, o *gcbPublishOptions, rel *release.Unp
 	return nil
 }
 
+func pushOCIHelmChart(ctx context.Context, o *gcbPublishOptions, rel *release.Unpacked) error {
+	// based on https://github.com/helm/helm/blob/v3.17.1/pkg/action/push.go
+	charts := rel.Charts
+
+	var errs []error
+
+	for _, chart := range charts {
+		var out strings.Builder
+
+		c := uploader.ChartUploader{
+			Out: &out,
+			Pushers: pusher.Providers{
+				pusher.Provider{
+					Schemes: []string{helmregistry.OCIScheme},
+					New:     pusher.NewOCIPusher,
+				},
+			},
+			Options: []pusher.Option{},
+		}
+
+		chartPath := chart.Path()
+
+		err := c.UploadTo(chartPath, o.PublishedOCIHelmChartRegistry)
+		if err != nil {
+			log.Printf("failed to upload OCI chart %s to %s: %v", chartPath, o.PublishedOCIHelmChartRegistry, err)
+			errs = append(errs, err)
+			continue
+		}
+
+		log.Printf("helm OCI push logs for %s: %s", chartPath, out.String())
+	}
+
+	return errors.Join(errs...)
+}
+
 func pushGitHubRelease(ctx context.Context, o *gcbPublishOptions, rel *release.Unpacked) error {
 	githubClient, err := o.GitHubClient(ctx)
 	if err != nil {

cmd/cmrel/cmd/publish.go

@@ -93,6 +93,9 @@ type publishOptions struct {
 	// release will be published to.
 	PublishedGitHubRepo string
 
+	// PublishedOCIHelmChartRegistry is the registry to which helm charts should be published
+	PublishedOCIHelmChartRegistry string
+
 	// PublishActions is a list of publishing actions which should be taken,
 	// or else "*" - the default - to mean "all actions"
 	PublishActions []string
@@ -104,6 +107,10 @@ type publishOptions struct {
 	// projects/<PROJECT_NAME>/locations/<LOCATION>/keyRings/<KEYRING_NAME>/cryptoKeys/<KEY_NAME>/versions/<KEY_VERSION>
 	// This must be set if SkipSigning is not set to true
 	SigningKMSKey string
+
+	// CmrelRepoRef allows the ref for the cmrel repo to be specified; this
+	// allows running "cmrel gcb publish" using a branch on the main cmrel repo
+	CmrelRepoRef string
 }
 
 func (o *publishOptions) AddFlags(fs *flag.FlagSet, markRequired func(string)) {
@@ -119,9 +126,12 @@ func (o *publishOptions) AddFlags(fs *flag.FlagSet, markRequired func(string)) {
 	fs.StringVar(&o.PublishedHelmChartGitHubBranch, "published-helm-chart-github-branch", release.DefaultHelmChartGitHubBranch, "The name of the main branch in the GitHub repository for Helm charts.")
 	fs.StringVar(&o.PublishedGitHubOrg, "published-github-org", release.DefaultGitHubOrg, "The org of the repository where the release wil be published to.")
 	fs.StringVar(&o.PublishedGitHubRepo, "published-github-repo", release.DefaultGitHubRepo, "The repo name in the provided org where the release will be published to.")
+	fs.StringVar(&o.PublishedOCIHelmChartRegistry, "published-oci-chart-registry", release.DefaultOCIHelmChartRegistry, "The OCI registry to which the Helm chart should be pushed")
 	fs.StringVar(&o.SigningKMSKey, "signing-kms-key", defaultKMSKey, "Full name of the GCP KMS key to use for signing.")
 	fs.BoolVar(&o.SkipSigning, "skip-signing", false, "Skip signing container images.")
 	fs.StringSliceVar(&o.PublishActions, "publish-actions", []string{"*"}, fmt.Sprintf("Comma-separated list of actions to take, or '*' to do everything. Only meaningful if nomock is set. Order of operations is preserved if given, or is alphabetical by default. Actions can be removed with a prefix of '-'. Options: %s", strings.Join(allPublishActionNames(), ", ")))
+
+	fs.StringVar(&o.CmrelRepoRef, "cmrel-repo-ref", "master", "The ref on the cert-manager/release repo to use when building cmrel in GCB")
 }
 
 func (o *publishOptions) print() {
@@ -135,9 +145,11 @@ func (o *publishOptions) print() {
 	log.Printf("  PublishedHelmChartGitHubRepo: %q", o.PublishedHelmChartGitHubRepo)
 	log.Printf("  PublishedHelmChartGitHubOwner: %q", o.PublishedHelmChartGitHubOwner)
 	log.Printf("  PublishedHelmChartGitHubBranch: %q", o.PublishedHelmChartGitHubBranch)
+	log.Printf("  PublishedOCIHelmChartRegistry: %q", o.PublishedOCIHelmChartRegistry)
 	log.Printf("  PublishedGitHubOrg: %q", o.PublishedGitHubOrg)
 	log.Printf("  PublishedGitHubRepo: %q", o.PublishedGitHubRepo)
 	log.Printf("  PublishActions: %q", strings.Join(o.PublishActions, ","))
+	log.Printf("  CmrelRepoRef: %q", o.CmrelRepoRef)
 }
 
 func publishCmd(rootOpts *rootOptions) *cobra.Command {
@@ -201,10 +213,12 @@ func runPublish(rootOpts *rootOptions, o *publishOptions) error {
 	build.Substitutions["_PUBLISHED_HELM_CHART_GITHUB_OWNER"] = o.PublishedHelmChartGitHubOwner
 	build.Substitutions["_PUBLISHED_HELM_CHART_GITHUB_REPO"] = o.PublishedHelmChartGitHubRepo
 	build.Substitutions["_PUBLISHED_HELM_CHART_GITHUB_BRANCH"] = o.PublishedHelmChartGitHubBranch
+	build.Substitutions["_PUBLISHED_OCI_HELM_CHART_REGISTRY"] = o.PublishedOCIHelmChartRegistry
 	build.Substitutions["_PUBLISHED_IMAGE_REPO"] = o.PublishedImageRepository
 	build.Substitutions["_PUBLISH_ACTIONS"] = strings.Join(o.PublishActions, ",")
 	build.Substitutions["_SKIP_SIGNING"] = fmt.Sprintf("%v", o.SkipSigning)
 	build.Substitutions["_KMS_KEY"] = o.SigningKMSKey
+	build.Substitutions["_RELEASE_REPO_REF"] = o.CmrelRepoRef
 
 	log.Printf("DEBUG: building google cloud build API client")
 	svc, err := cloudbuild.NewService(ctx)

gcb/publish/cloudbuild.yaml

@@ -58,6 +58,7 @@ steps:
   - --published-helm-chart-github-owner=${_PUBLISHED_HELM_CHART_GITHUB_OWNER}
   - --published-helm-chart-github-repo=${_PUBLISHED_HELM_CHART_GITHUB_REPO}
   - --published-helm-chart-github-branch=${_PUBLISHED_HELM_CHART_GITHUB_BRANCH}
+  - --published-oci-chart-registry=${_PUBLISHED_OCI_HELM_CHART_REGISTRY}
   - --published-image-repo=${_PUBLISHED_IMAGE_REPO}
   - --publish-actions=${_PUBLISH_ACTIONS}
   - --signing-kms-key=${_KMS_KEY}
@@ -88,6 +89,7 @@ substitutions:
   _PUBLISHED_HELM_CHART_GITHUB_OWNER: ""
   _PUBLISHED_HELM_CHART_GITHUB_REPO: ""
   _PUBLISHED_HELM_CHART_GITHUB_BRANCH: ""
+  _PUBLISHED_OCI_HELM_CHART_REGISTRY: ""
   _PUBLISHED_IMAGE_REPO: ""
   ## Used to control the exact artifacts which will be published
   _PUBLISH_ACTIONS: "*"

go.mod

@@ -1,8 +1,6 @@
 module github.com/cert-manager/release
 
-go 1.23
-
-toolchain go1.23.4
+go 1.23.0
 
 require (
 	cloud.google.com/go/storage v1.43.0
@@ -14,15 +12,15 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.9.0
+	github.com/stretchr/testify v1.10.0
 	golang.org/x/crypto v0.32.0
-	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
-	golang.org/x/mod v0.19.0
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
+	golang.org/x/mod v0.21.0
 	golang.org/x/oauth2 v0.23.0
 	google.golang.org/api v0.187.0
-	helm.sh/helm/v3 v3.15.3
-	k8s.io/apimachinery v0.30.3
-	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
+	helm.sh/helm/v3 v3.17.1
+	k8s.io/apimachinery v0.32.1
+	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
 	sigs.k8s.io/yaml v1.4.0
 )
 
@@ -32,37 +30,114 @@ require (
 	cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect
 	cloud.google.com/go/compute/metadata v0.5.2 // indirect
 	cloud.google.com/go/iam v1.1.8 // indirect
-	github.com/Masterminds/semver/v3 v3.2.1 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
+	github.com/MakeNowJust/heredoc v1.0.0 // indirect
+	github.com/Masterminds/semver/v3 v3.3.0 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/chai2010/gettext-go v1.0.2 // indirect
+	github.com/containerd/containerd v1.7.24 // indirect
+	github.com/containerd/errdefs v0.3.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/containerd/platforms v0.2.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/docker/cli v25.0.1+incompatible // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
+	github.com/docker/docker v25.0.6+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.7.0 // indirect
+	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-metrics v0.0.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
+	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/btree v1.0.1 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/go-querystring v1.0.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
+	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.5 // indirect
+	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/gorilla/websocket v1.5.0 // indirect
+	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.16.7 // indirect
+	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/moby/locker v1.0.1 // indirect
+	github.com/moby/spdystream v0.5.0 // indirect
+	github.com/moby/term v0.5.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus/client_golang v1.19.1 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.55.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/xlab/treeprint v1.2.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
 	go.opentelemetry.io/otel v1.31.0 // indirect
 	go.opentelemetry.io/otel/metric v1.31.0 // indirect
 	go.opentelemetry.io/otel/trace v1.31.0 // indirect
 	golang.org/x/net v0.34.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/term v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/time v0.7.0 // indirect
 	google.golang.org/genproto v0.0.0-20240624140628-dc46fd24d27d // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect
 	google.golang.org/grpc v1.69.4 // indirect
 	google.golang.org/protobuf v1.36.3 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/klog/v2 v2.120.1 // indirect
+	k8s.io/api v0.32.1 // indirect
+	k8s.io/apiextensions-apiserver v0.32.1 // indirect
+	k8s.io/cli-runtime v0.32.1 // indirect
+	k8s.io/client-go v0.32.1 // indirect
+	k8s.io/component-base v0.32.1 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
+	k8s.io/kubectl v0.32.1 // indirect
+	oras.land/oras-go v1.2.5 // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	sigs.k8s.io/kustomize/api v0.18.0 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.18.1 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
 )