Signing the releases

.github/workflows/ci/setup-image-registry.sh

@@ -0,0 +1,50 @@
+#!/bin/sh
+set -o errexit
+
+echo 1. Create registry container unless it already exists
+reg_name='kind-registry'
+reg_port='5001'
+if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" != 'true' ]; then
+  docker run \
+    -d --restart=always -p "127.0.0.1:${reg_port}:5000" --name "${reg_name}" \
+    registry:2
+fi
+
+echo 2. Add the registry config to the nodes
+
+# This is necessary because localhost resolves to loopback addresses that are
+# network-namespace local.
+# In other words: localhost in the container is not localhost on the host.
+#
+# We want a consistent name that works from both ends, so we tell containerd to
+# alias localhost:${reg_port} to the registry container when pulling images
+kind get nodes --name chart-testing
+REGISTRY_DIR="/etc/containerd/certs.d/localhost:${reg_port}"
+for node in $(kind get nodes --name chart-testing); do
+  docker exec "${node}" mkdir -p "${REGISTRY_DIR}"
+  cat <<EOF | docker exec -i "${node}" cp /dev/stdin "${REGISTRY_DIR}/hosts.toml"
+[host."http://${reg_name}:5000"]
+EOF
+done
+
+echo 3. Connect the registry to the cluster network if not already connected
+# This allows kind to bootstrap the network but ensures they're on the same network
+if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" = 'null' ]; then
+  docker network connect "kind" "${reg_name}"
+fi
+
+echo 4. Document the local registry
+# https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: local-registry-hosting
+  namespace: kube-public
+data:
+  localRegistryHosting.v1: |
+    host: "localhost:${reg_port}"
+    help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
+EOF
+
+

.github/workflows/ci_kind.yaml

@@ -14,22 +14,23 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4.1.6
         with:
           fetch-depth: 0
           submodules: recursive
 
       - name: Install Helm
-        uses: azure/setup-helm@v3
+        uses: azure/setup-helm@v4
         with:
           version: v3.13.3
 
       - name: Setup Bats and Bats libs
-        uses: bats-core/bats-action@1.5.4
+        uses: bats-core/bats-action@2.0.0
         with:
-          bats-version: 1.10.0
+          bats-version: 1.11.0
           support-path: ${{ github.workspace }}/tests/test-common/bats-support
           assert-path: ${{ github.workspace }}/tests/test-common/bats-assert
+          detik-install: false
 
       - name: Login to Github Container Registry
         uses: docker/login-action@v3
@@ -39,19 +40,15 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.5.0
+        uses: helm/kind-action@v1.10.0
         with:
           node_image: "kindest/node:v1.29.0"
           config: ./.github/workflows/ci/kind-config.yaml
           cluster_name: chart-testing
-
-      - name: Create registry secret
-        run: |-
-          kubectl create secret docker-registry github-secret --docker-server=ghcr.io/${{ github.repository_owner }} --docker-username=${{ github.actor }} --docker-password=${{ github.token }}
-
-      - name: Check registry secret
+
+      - name: Setup Image registry
         run: |-
-          kubectl get secret github-secret --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode
+          ./.github/workflows/ci/setup-image-registry.sh
 
       - name: Setup Nginx Ingress Controller
         run: |-
@@ -64,4 +61,4 @@ jobs:
       - name: Run Tests
         run: |-
           cd tests/bats
-          export IMAGE_REGISTRY=ghcr.io/${{ github.repository_owner }} && export PUSH_TO_REGISTRY=true && export USE_OPENSHIFT=false && export BATS_LIBS_BASEDIR=../test-common && export_CLUSTER_CLIENT=kubectl && bats --timing --trace --verbose-run -r . 
+          export IMAGE_REGISTRY=localhost:5001 && export PUSH_TO_REGISTRY=true && export USE_OPENSHIFT=false && export BATS_LIBS_BASEDIR=../test-common && export CLUSTER_CLIENT=kubectl && bats --timing --trace --verbose-run -r . 

.github/workflows/helm.yaml

@@ -16,23 +16,42 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Configure Git
         run: |
           git config user.name "$GITHUB_ACTOR"
           git config user.email "[email protected]"
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.PASSPHRASE }}
+      - name: List keys
+        run: gpg -K
+      - name: Prepare GPG key
+        run: |
+          gpg_dir=.cr-gpg
+          mkdir "$gpg_dir"
+          keyring=~/.gnupg/pubring.gpg
+          base64 -d <<< "$GPG_KEYRING_BASE64" > "$keyring"
+          passphrase_file="$gpg_dir/passphrase"
+          echo "$GPG_PASSPHRASE" > "$passphrase_file"
+          echo "CR_PASSPHRASE_FILE=$passphrase_file" >> "$GITHUB_ENV"
+        env:
+          GPG_KEYRING_BASE64: "${{ secrets.GPG_PRIVATE_KEY_BASE64 }}"
+          GPG_PASSPHRASE: "${{ secrets.GPG_PASSPHRASE }}"
 
       - name: Install Helm
-        uses: azure/setup-helm@v1
+        uses: azure/setup-helm@v3.5
         with:
           version: v3.4.0
 
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.1.0
-        with:
-          charts_repo_url: http://docs.wildfly.org/wildfly-charts/
+        uses: helm/chart-releaser-action@v1.6.0
+       # with:
+       #   charts_repo_url: http://docs.wildfly.org/wildfly-charts/
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

charts/wildfly/Chart.yaml

@@ -16,6 +16,16 @@ icon: https://design.jboss.org/wildfly/logo/final/wildfly_logomark_256px.png
 annotations:
   charts.openshift.io/name: WildFly
   charts.openshift.io/provider: WildFly
+  artifacthub.io/category: ApplicationServer
+  artifacthub.io/images: |
+    - name: builderImage
+      image: quay.io/wildfly/wildfly-s2i:latest
+    - name: runtimeImage
+      image: quay.io/wildfly/wildfly-runtime:latest
+  artifacthub.io/license: Apache-2.0
+  artifacthub.io/signKey: |
+    fingerprint: 54CBE792CAFD9AD9E59D7C8E9E0332B74DCA3EF1
+    url: https://docs.wildfly.org/wildfly-charts/pubkey.asc
 
 dependencies:
 - name: wildfly-common

cr.yml

@@ -0,0 +1,2 @@
+sign: true
+key: [email protected]

tests/bats/ingress.bats

@@ -27,8 +27,6 @@ deploy:
     enabled: true
   route:
     enabled: false # Disable OpenShift Route
-  imagePullSecrets:
-    - name: github-secret
 EOF
     sleep 5    
     ${CLUSTER_CLIENT} wait deployment test-ingress --for condition=Available=True --timeout=90s
@@ -58,8 +56,6 @@ deploy:
       secret: test-secret-tls
   route:
     enabled: false # Disable OpenShift Route
-  imagePullSecrets:
-    - name: github-secret
 EOF
     sleep 5
     ${CLUSTER_CLIENT} wait deployment test-ingress --for condition=Available=True --timeout=90s

tests/bats/metadata.bats

@@ -25,8 +25,6 @@ deploy:
     foo-label: bar
   route:
     enabled: false # Disable OpenShift Route
-  imagePullSecrets:
-    - name: github-secret
 EOF
 
     run ${CLUSTER_CLIENT} get deployment test-metadata -o jsonpath='{.metadata.labels}'
@@ -44,8 +42,6 @@ deploy:
     foo-annotation: bar
   route:
     enabled: false # Disable OpenShift Route
-  imagePullSecrets:
-    - name: github-secret
 EOF
 
     run ${CLUSTER_CLIENT} get deployment test-metadata -o jsonpath='{.metadata.annotations}'

tests/bats/setup_suite.bash

@@ -37,6 +37,7 @@ setup_suite() {
         cd quickstart/helloworld
         mvn -B -Popenshift package wildfly:image
         docker tag helloworld ${IMAGE_REGISTRY}/helloworld
+        echo "docker tag of ${IMAGE_REGISTRY}/helloworld was successful" >&3
         docker push ${IMAGE_REGISTRY}/helloworld
         echo "docker push of ${IMAGE_REGISTRY}/helloworld was successful" >&3
         popd