Make Helm artifacts reproducible (#36930)

Following #36726, #36744, #36763, #36819 this PR adds the feature of making source tarball that we release as an official release of the ASF for Helm Chart into reproducible tarball. This means that anyone should be able to produce such tarball using the sources of airflow and verify that he tarball pushed to SVN by the release manager is built from our source repositories. We also do the same with Helm package. It turns out that gpg signing of the package does not modify the .tgz file - it just adds .prov file containing checksum and signature, so we can safely re-pack the .tar.gz package in a reproducible way, this way we have both reproduciblity and provenance check nicely working together. There are few changes in this PR that are related: * Bumped Helm version in our environment to use the latest one and using the `breeze k8s setup-env` environment to run all the release commands - this way we can be sure same helm version is used to build the package, further making it more reproducible. * The reproducible packaging utility we have has been refeactored now - we take "source" archive as parameter rather than directory and simply repack it in reproducible way. * The tool also applies group/other ownership removal on its own, because helm package has no option to umask the generated files. * In this change we also ignore subcharts from being exported to the source tarball package as we shoudl not include source files from postgres in our source package.. * Both - the tarball and helm package are generated in `dist` folder similarly as all our other packages. * Documentation for releasing the packages and verifying them is updated. * CI jobs are updated to use the new commands and generated packages are produced as artifacts so that we can be sure the commands continue working and produce the right output. (cherry picked from commit 48158c9)
apache · Feb 7, 2024 · 496a718 · 496a718
1 parent d99795a
commit 496a718
Show file tree

Hide file tree

Showing 29 changed files with 1,067 additions and 283 deletions.
diff --git a/.gitattributes b/.gitattributes
@@ -9,6 +9,7 @@ manifests export-ignore
 newsfragments export-ignore
 scripts export-ignore
 tests export-ignore
+chart/charts/** export-ignore
 
 Dockerfile.ci export-ignore
 

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1051,6 +1051,58 @@ jobs:
       - name: "Helm Unit Tests: ${{ matrix.helm-test-package }}"
         run: breeze testing helm-tests --helm-test-package "${{ matrix.helm-test-package }}"
 
+  tests-helm-release:
+    timeout-minutes: 80
+    name: "Release Helm"
+    runs-on: ${{fromJSON(needs.build-info.outputs.runs-on)}}
+    needs: [build-info]
+    env:
+      RUNS_ON: "${{needs.build-info.outputs.runs-on}}"
+      PYTHON_MAJOR_MINOR_VERSION: "${{needs.build-info.outputs.default-python-version}}"
+    if: >
+      needs.build-info.outputs.needs-helm-tests == 'true' && needs.build-info.outputs.default-branch == 'main'
+    steps:
+      - name: Cleanup repo
+        run: docker run -v "${GITHUB_WORKSPACE}:/workspace" -u 0:0 bash -c "rm -rf /workspace/*"
+      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: "Install Breeze"
+        uses: ./.github/actions/breeze
+      - name: Setup git for tagging
+        run: |
+          git config --global user.email "name@example.com"
+          git config --global user.name "Your Name"
+      - name: "Remove old artifacts"
+        run: rm -rf dist/*
+      - name: "Setup k8s/helm environment"
+        run: breeze k8s setup-env
+      - name: "Install helm gpg plugin"
+        run: >
+          breeze k8s shell -c "helm plugin install https://github.com/technosophos/helm-gpg
+          --version 6303407eb63deaeb1b2f24de611e3468a27ec05b"
+      - name: "Helm release tarball"
+        run: >
+          breeze release-management prepare-helm-chart-tarball --ignore-version-check --override-tag
+          --skip-tag-signing --version 0.0.0 --version-suffix dev0
+      - name: Generate GPG key for signing
+        run: gpg --batch --passphrase '' --quick-gen-key dev@airflow.apache.org default default
+      - name: "Helm release package"
+        run: >
+          breeze release-management prepare-helm-chart-package --sign-email dev@airflow.apache.org
+      - name: "Sign artifacts for ASF distribution"
+        run: ./dev/sign.sh dist/airflow-*.tgz dist/airflow-*-source.tar.gz
+        env:
+          SIGN_WITH: dev@airflow.apache.org
+      - name: "Upload Helm artifacts"
+        uses: actions/upload-artifact@v3
+        with:
+          name: Helm artifacts
+          path: ./dist/airflow-*
+          retention-days: 7
+          if-no-files-found: error
+
   tests-postgres:
     timeout-minutes: 130
     name: >

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -135,7 +135,7 @@ repos:
           - --fuzzy-match-generates-todo
       - id: insert-license
         name: Add license for all YAML files except Helm templates
-        exclude: ^\.github/.*$|^.*/.*_vendor/|^chart/templates/.*|^airflow/reproducible_build.yaml$
+        exclude: ^\.github/.*$|^.*/.*_vendor/|^chart/templates/.*|.*/reproducible_build.yaml$
         types: [yaml]
         files: \.ya?ml$
         args:
@@ -254,7 +254,7 @@ repos:
         name: Check YAML files with yamllint
         entry: yamllint -c yamllint-config.yml --strict
         types: [yaml]
-        exclude: ^.*airflow\.template\.yaml$|^.*init_git_sync\.template\.yaml$|^.*/.*_vendor/|^chart/(?:templates|files)/.*\.yaml$|openapi/.*\.yaml$|^\.pre-commit-config\.yaml$|^airflow/reproducible_build.yaml$
+        exclude: ^.*airflow\.template\.yaml$|^.*init_git_sync\.template\.yaml$|^.*/.*_vendor/|^chart/(?:templates|files)/.*\.yaml$|openapi/.*\.yaml$|^\.pre-commit-config\.yaml$|^.*/reproducible_build.yaml$
   - repo: https://github.com/ikamensh/flynt
     rev: '1.0.1'
     hooks:
@@ -833,7 +833,7 @@ repos:
         name: Update Source Date Epoch for reproducible builds
         language: python
         entry: ./scripts/ci/pre_commit/pre_commit_update_source_date_epoch.py
-        files: ^RELEASE_NOTES.rst$
+        files: ^RELEASE_NOTES.rst$|^chart/RELEASE_NOTES.rst$
         additional_dependencies: ['rich>=12.4.4', 'pyyaml']
         pass_filenames: false
         require_serial: true

diff --git a/CI.rst b/CI.rst
@@ -384,6 +384,8 @@ This workflow is a regular workflow that performs all checks of Airflow code.
 +---------------------------------+----------------------------------------------------------+----------+----------+-----------+-------------------+
 | Helm tests                      | Run the Helm integration tests                           | Yes      | Yes      | Yes       | -                 |
 +---------------------------------+----------------------------------------------------------+----------+----------+-----------+-------------------+
+| Helm release tests              | Run the tests for Helm releasing                         | Yes      | Yes      | Yes       | -                 |
++---------------------------------+----------------------------------------------------------+----------+----------+-----------+-------------------+
 | Summarize warnings              | Summarizes warnings from all other tests                 | Yes      | Yes      | Yes       | Yes               |
 +---------------------------------+----------------------------------------------------------+----------+----------+-----------+-------------------+
 | Wait for PROD Images            | Waits for and verify PROD Images                         | Yes (2)  | Yes (2)  | Yes (2)   | Yes (2)           |

diff --git a/CI_DIAGRAMS.md b/CI_DIAGRAMS.md
@@ -62,6 +62,8 @@ sequenceDiagram
         Note over Tests: React WWW tests
     and
         Note over Tests: Test git clone on Windows
+    and
+        Note over Tests: Helm release tests
     and
         opt
             Note over Tests: Run basic <br>static checks
@@ -216,6 +218,8 @@ sequenceDiagram
         Note over Tests: Test examples<br>PROD image building
     and
         Note over Tests: Test git clone on Windows
+    and
+        Note over Tests: Helm release tests
     and
         opt
             Note over Tests: Run basic <br>static checks

diff --git a/chart/reproducible_build.yaml b/chart/reproducible_build.yaml
@@ -0,0 +1,2 @@
+release-notes-hash: 46313503ae418af0ecad2c5504a97a43
+source-date-epoch: 1705774629
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		release-notes-hash: 46313503ae418af0ecad2c5504a97a43
		source-date-epoch: 1705774629