
(WIP) Re-hosting Docs #149

Draft
wants to merge 6 commits into
base: master

Conversation

kingdonb
Member

I've built this thing in such a way that the serving image (nginx) doesn't need to change much, because it points to a static image tag, an environment tag that is moving whenever a new tag is tagged.

I've also separated the content into its own OCI image, so that serving can always pull the latest docs tag. There's nothing to kubectl apply unless the Nginx configuration has changed, as there is no new serving image, just a new site content image that gets pulled at runtime, that contains only the HTML and site content for serving.

I'm using this to wrap my brain around Flux's new OCI support, which includes cosign verification. I have keylessly signed the docs image, but I am not verifying the signature (or doing anything with the signature).

The main goal was just to give you a new CI process that builds an image that you can deploy to get the latest docs out, and make it easy to update the docs when you need to push a new version. So after a new tag is pushed, just the HTML gets updated in an image by itself, and as soon as rollout restart is over, the site is automatically upgraded.

The client-side caching isn't quite right, so you still need to Ctrl+Shift+R in order to get the latest version when I tested.

But this is pretty close! And it's very builder pattern, I should be able to make this better and get it ready for the next release 👍

Kingdon Barrett added 4 commits November 12, 2022 11:49
* test build and push
* test again
* pull the result of build

This is not for merge, it is just for the example

* actions/cache@v3

* this is too much indirection

but it's for testing so I think it's OK
(the original idea was to pull this at runtime, so we'd always have the
latest – this is going to need some refining, but I just want something
that I can run right now, and say the job is done, point a domain at it,
and call it good for today)

push server

* slightly broken ingress manifests

works:
http://teamhephy.info/
http://docs.teamhephy.info/
http://teamhephy.info/workflow/docs/
http://docs.teamhephy.info/workflow/docs/

doesn't (bad):
http://docs.teamhephy.info/workflow/docs
http://teamhephy.info/workflow/docs

enable production letsencrypt

try a new text
trigger another build

try imagePullPolicy: Always

try another build

try one more
tracking one behind

Add keyless (experimental) signing with Cosign

This may or may not work? Just try it...

Signed-off-by: Kingdon Barrett <[email protected]>

add differentiation between "build" and "serve"

we're going to remove this again in a moment, but it will be helpful to
have the tasks separated before we try to obviate them together again

set up flux-pull.sh for exec at runtime

update deployment manifest and add init container

soften rsync -a

rsync: [generator] chgrp "/usr/share/nginx/html/." failed: Operation not permitted (1)

a side effect of the -g in -rlptgoD, (how -a is expanded)

further soften -t

rsync: [generator] failed to set times on "/usr/share/nginx/html/.": Operation not permitted (1)

further soften -p

rsync: [generator] failed to set permissions on "/usr/share/nginx/html/.": Operation not permitted (1)

USER 101 directive messes a bunch of things up

nginx will drop the root user permission, so long as we are root when we
start running (but with this USER directive here, it won't even start)

Signed-off-by: Kingdon Barrett <[email protected]>

try rebuilding docs

add write packages permission here

skip the pre-build part

try again with fresh docs

all of this chown stuff is unnecessary

the server drops permissions, but the container starts as root

let's test tagging docs

not sure if these really worked

try for beta2
try later metadata-action version
remove redundant USER root

make sure to tag the artifact as "testing" too

this is our environment tag (until we come up with something better!)

beta3

Signed-off-by: Kingdon Barrett <[email protected]>
Signed-off-by: Kingdon Barrett <[email protected]>
Signed-off-by: Kingdon Barrett <[email protected]>
@kingdonb
Member Author

Alright, I figured out keyless signing 🎉 You need a digest to sign an OCI artifact without cosign emitting a warning.
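As an added illustration of the point above (this is not the PR's own workflow), here is a GitHub Actions job that builds the docs image, signs it keyless by the digest that `build-push-action` reports rather than by a mutable tag, and then verifies the signature against the expected workflow identity. The registry path `ghcr.io/example-org/docs-site`, the `testing` environment tag, and the cosign 2.x flags (`--yes`, `--certificate-identity-regexp`) are assumptions.

```yaml
# Added example, not part of the original PR. Builds, signs (keyless) and verifies
# the docs content image on every pushed tag.
name: docs-image
on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  packages: write   # push to GHCR
  id-token: write   # OIDC token for keyless (Fulcio) signing

jobs:
  build-sign-verify:
    runs-on: ubuntu-latest
    env:
      IMAGE: ghcr.io/example-org/docs-site   # placeholder image name
    steps:
      - uses: actions/checkout@v3
      - uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: meta
        uses: docker/metadata-action@v4
        with:
          images: ${{ env.IMAGE }}
          tags: |
            type=ref,event=tag
            type=raw,value=testing   # moving "environment" tag (assumed name)
      - id: build
        uses: docker/build-push-action@v4
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
      - uses: sigstore/cosign-installer@v3
      # Sign the digest, not a tag: a tag can move, so "image:testing" does not
      # pin which manifest the signature covers. All tags pushed above share
      # this one digest, so a single signature covers them.
      - name: Sign by digest (keyless)
        run: cosign sign --yes "${IMAGE}@${{ steps.build.outputs.digest }}"
      # Verify immediately, constraining both the OIDC issuer and the signer
      # identity, so a signature from any other workflow/repo is rejected.
      - name: Verify signature and signer identity
        run: |
          cosign verify \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp '^https://github.com/example-org/[^/]+/\.github/workflows/[^@]+@refs/tags/v.+$' \
            "${IMAGE}@${{ steps.build.outputs.digest }}"
```

The same `cosign verify` invocation (or Flux's OCIRepository `verify` block) is what the deployment side would run before serving a freshly pulled docs tag, which closes the gap the PR description notes about not yet checking the signature.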

Kingdon Barrett added 2 commits January 21, 2023 12:47
try fixup cosign

* only build main when Dockerfile changes

we don't need a new `serve` image unless one of these files has changed

try fixup action
puts debugger

* ahhhh

it is working

cosign OCI manifests which are addressed by digest are signed without
warning

Signed-off-by: Kingdon Barrett <[email protected]>
Signed-off-by: Kingdon Barrett <[email protected]>