Update KubeArmor Marketplace Releases
- Update Container Images
- Create Helm Chart Targeted For New Version
- Push The Helm Chart
- Update The Listing
- Oracle [TBD]
- Digital Ocean [TBD]
Prerequisites:
- Access to the Red Hat Partner Connect portal
- The preflight tool installed https://github.com/redhat-openshift-ecosystem/openshift-preflight
- The PID of each container project and an API key to submit the test results (both can be obtained from the Partner Connect portal)
KubeArmor is listed as a product in the Red Hat Catalog. At present six container images are attached to this listing:
- KubeArmor (UBI)
- KubeArmor-Init
- KubeArmor Controller
- KubeArmor Relay Server
- KubeArmor Snitch
- KubeArmor Operator
Each of these containers is associated with a separate Container Certification Project and has a unique PID (Project ID). This PID is required to submit the test results generated by the preflight tool. Submitting the results also requires an API key, which can be generated in the Partner Connect portal https://connect.redhat.com/account/api-keys.
Certify the containers and submit the result:

```bash
preflight check container $repository:$tag --submit --certification-project-id=$certid --pyxis-api-token=$pyxis
```

- repository:tag = target container repo and tag, i.e. docker.io/kubearmor-init:v1.1.1
- certid = certification project id, i.e. ospid-xyzabcd1234
- pyxis = API key (the Pyxis API token generated in the Partner Connect portal)
The script given below can be used to execute the above command for each of the target container images.
```bash
#!/bin/bash
# Run preflight against each certified container image and submit the
# results to the matching Container Certification Project.
repo="docker.io/kubearmor"
repositories=("kubearmor-relay-server" "kubearmor-controller" "kubearmor-ubi" "kubearmor-init" "kubearmor-operator" "kubearmor-snitch")
# target container version tag, one per repository
tags=("v1.1.0" "v1.1.1" "v1.1.1" "v1.1.1" "v1.1.1" "v1.1.1")
# certification project id (ospid-...), one per repository
certids=("<kubearmor-relay-pid>" "<kubearmor-controller-pid>" "<kubearmor-ubi-pid>" "<kubearmor-init-pid>" "<kubearmor-operator-pid>" "<kubearmor-snitch-pid>")
pyxis="<api-key>"
failed=0
# Loop through the repositories and target repositories
for ((i=0; i<${#repositories[@]}; i++)); do
  repository="$repo/${repositories[i]}"
  tag=${tags[i]}
  certid=${certids[i]}
  echo "Processing $repository image..."
  echo "Submitting image for $repository..."
  if preflight check container "$repository:$tag" --submit --certification-project-id="$certid" --pyxis-api-token="$pyxis"; then
    echo "Successfully submitted image for $repository."
  else
    echo "Error: Failed to submit image for $repository."
    failed=$((failed + 1))
  fi
  # preflight writes its results into ./artifacts; keep one copy per image
  mv artifacts "${repositories[i]}"
done
if [ "$failed" -ne 0 ]; then
  echo "Script completed with $failed failed submission(s)."
  exit 1
fi
echo "Script completed successfully."
exit 0
```
If the only change to the operator bundle is the updated images, update the SHA digests of all images referenced in the operator to the digests certified in the previous step. Update the operator bundle at https://github.com/kubearmor/certified-operators/tree/main/operators/kubearmor-operator-certified and raise a PR against the upstream repo.
Prerequisites:
- Access to the AWS Marketplace portal https://aws.amazon.com/marketplace/login
- AWS CLI set up and configured https://aws.amazon.com/cli/
- KubeArmor Helm chart with image references pointing to the AWS ECR repository
Multi-architecture images are supported on AWS ECR, and on any OCI registry in general, through image manifests. Each architecture's image is pushed separately, and a manifest list referencing them is then pushed so that all of them are distributed under a single image tag. https://aws.amazon.com/blogs/containers/introducing-multi-architecture-container-images-for-amazon-ecr/
Push the multi-arch images:
Tag and push the images separately for each target architecture, i.e.

```bash
# pull and tag the amd64 image (docker tag takes the source reference and the new tag)
docker pull <image_repo>@<sha digest of amd64 image>
docker tag <image_repo>@<sha digest of amd64 image> <image_repo>:<version_tag>-amd64
docker push <image_repo>:<version_tag>-amd64
# pull and tag the arm64 image
docker pull <image_repo>@<sha digest of arm64 image>
docker tag <image_repo>@<sha digest of arm64 image> <image_repo>:<version_tag>-arm64
docker push <image_repo>:<version_tag>-arm64
```
The script given below automates pulling, tagging and pushing each architecture's image for every target container image (pass a second argument to mirror only kube-rbac-proxy).
```bash
#!/bin/bash
# Usage: ./push-images.sh <aws|oracle> [rbac]
# Pulls each architecture-specific image by digest from Docker Hub, re-tags it
# with a -<arch> suffix and pushes it to the marketplace registry.
target=$1
rbac=$2
target_repo=""
if [[ "$target" == "" ]]; then
  echo "Please Provide a target platform: [aws, oracle]"
  exit 1
elif [[ "$target" == "aws" ]]; then
  target_repo="<KUBEARMOR_AWS_ECR_REGISTRY>"
else
  target_repo="<KUBEARMOR_ORACLE_OCI_REGISTRY>"
fi
# Optional second argument: only mirror kube-rbac-proxy, which already publishes
# per-architecture tags, so no manifest inspection is needed.
if [[ "$rbac" != "" ]]; then
  repo="gcr.io/kubebuilder"
  repository=kube-rbac-proxy
  tag=v0.12.0
  platforms=("amd64" "arm64")
  for platform in "${platforms[@]}"; do
    if docker pull "$repo/$repository:$tag-$platform" \
       && docker tag "$repo/$repository:$tag-$platform" "$target_repo/$repository:$tag-$platform"; then
      echo "Successfully pulled and tagged $platform image for $target_repo/$repository."
    else
      echo "Error: Failed to pull or tag $platform image for $repository."
      exit 1
    fi
    docker push "$target_repo/$repository:$tag-$platform" || exit 1
  done
  exit 0
fi
repo="kubearmor"
repositories=("kubearmor" "kubearmor-init" "kubearmor-controller" "kubearmor-relay-server")
tags=("v1.1.1" "v1.1.1" "v1.1.1" "v1.1.0")        # tags to pull from docker registry
target_tags=("v1.1.1" "v1.1.1" "v1.1.1" "v1.1.0") # tags to push to marketplace registry
# Inspect the manifest list of repository:tag and print the digest of the image
# manifest for the given architecture (prints nothing if none is listed).
inspect_and_extract_digest() {
  local repository=$1
  local architecture=$2
  local tag=$3
  docker manifest inspect "$repository:$tag" 2>/dev/null \
    | jq -r --arg arch "$architecture" '.manifests[] | select(.platform.architecture == $arch) | .digest'
}
# Loop through the repositories and target repositories
for ((i=0; i<${#repositories[@]}; i++)); do
  repository="$repo/${repositories[i]}"
  target_repository="$target_repo/${repositories[i]}"
  tag=${tags[i]}
  target_tag=${target_tags[i]}
  echo "Processing $repository image..."
  for arch in arm64 amd64; do
    # Extract the digest of this architecture's image from the manifest list
    digest=$(inspect_and_extract_digest "$repository" "$arch" "$tag")
    if [ -z "$digest" ]; then
      echo "Warning: no $arch image found for $repository:$tag, skipping."
      continue
    fi
    # Pull by digest, re-tag with the architecture suffix and push
    echo "Pulling $arch image for $repository..."
    if docker pull "$repository@$digest" \
       && docker tag "$repository@$digest" "$target_repository:$target_tag-$arch"; then
      echo "Successfully pulled and tagged $arch image for $repository."
      echo "Pushing the image $target_repository:$target_tag-$arch"
      docker push "$target_repository:$target_tag-$arch"
    else
      echo "Error: Failed to pull or tag $arch image for $repository."
    fi
  done
done
echo "Script completed successfully."
exit 0
```
Replace the image references in the chart so that they point to the AWS ECR repository for each of the container applications (including kube-rbac-proxy). Remove the "v" prefix from the chart version, for example change `version: v1.1.1` to `version: 1.1.1`. This is needed because the kubearmor image repository is shared with the Helm chart: a tag with the v prefix refers to the kubearmor image, and the same tag without the v prefix refers to the Helm chart.
Package the helm chart

```bash
helm package /path_to_the_helm_chart
```

Authenticate the helm client to the aws ecr registry

```bash
aws ecr get-login-password --region us-east-1 | helm registry login --username AWS --password-stdin <kubearmor_aws_ecr_private_registry>
```

Push the helm chart

```bash
helm push <helm_package.tgz> oci://<kubearmor_aws_ecr_registry>
```
The script given below automates creating and pushing the multi-arch image manifest for each of the target container images.
```bash
#!/bin/bash
# Usage: ./push-manifests.sh <aws|oracle> [rbac]
# Creates, annotates and pushes a multi-arch manifest list that ties the
# previously pushed -amd64 and -arm64 tags together under a single tag.
read -r -p "Have you Authenticated your client with aws ecr? (y/n): " answer
if [ "$answer" == "y" ]; then
  target=$1
  rbac=$2
  target_repo=""
  if [[ "$target" == "" ]]; then
    echo "Please Provide a target platform: [aws, oracle]"
    exit 1
  elif [[ "$target" == "aws" ]]; then
    target_repo="<KUBEARMOR_AWS_ECR_REPO>"
  else
    target_repo="<KUBEARMOR_ORACLE_OCI_REPO>"
  fi
  echo "$target_repo"
  repositories=("kubearmor" "kubearmor-init" "kubearmor-controller" "kubearmor-relay-server")
  tags=("v1.1.1" "v1.1.1" "v1.1.1" "v1.1.0")
  # Optional second argument: only build the manifest for kube-rbac-proxy
  if [[ "$rbac" != "" ]]; then
    repositories=("kube-rbac-proxy")
    tags=("v0.12.0")
  fi
  # Loop through the target repositories
  for ((i=0; i<${#repositories[@]}; i++)); do
    repository="$target_repo/${repositories[i]}"
    tag=${tags[i]}
    echo "Processing $repository image..."
    # create manifest for arm64 and amd64 architecture images
    echo "Creating manifest for $repository:$tag"
    docker manifest create "$repository:$tag" \
      "$repository:$tag-amd64" \
      "$repository:$tag-arm64" || { echo "Error: Failed to create manifest for $repository:$tag"; exit 1; }
    # annotate each entry of the manifest list with its os/architecture
    echo "Annotating manifest for $repository:$tag"
    docker manifest annotate --os=linux --arch arm64 "$repository:$tag" \
      "$repository:$tag-arm64"
    docker manifest annotate --os=linux --arch amd64 "$repository:$tag" \
      "$repository:$tag-amd64"
    echo "Pushing manifest for $repository:$tag"
    docker manifest push "$repository:$tag" || { echo "Error: Failed to push manifest for $repository:$tag"; exit 1; }
  done
elif [ "$answer" == "n" ]; then
  echo "Authenticate the docker client first, refer to aws/oracle documentation"
  exit 0
else
  echo "Invalid input. Exiting the script."
  exit 1
fi
echo "Script execution completed."
```
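As an added check that is not part of the original page: after `docker manifest push`, capture `docker manifest inspect <repository>:<tag>` and feed it to this Python script, which maps each platform entry of the manifest list to its digest, skips buildx attestation entries, and reports any required platform that is missing or any digest that is not a well-formed sha256 value. The embedded manifest JSON is a constructed sample with placeholder digests.

```python
import json
import re

# Platforms every marketplace tag must serve (the -amd64 / -arm64 images the scripts push).
REQUIRED_PLATFORMS = {("linux", "amd64"), ("linux", "arm64")}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample of `docker manifest inspect <repo>:<tag>` output; the digests are
# placeholders, not real KubeArmor image digests.
SAMPLE_MANIFEST_LIST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
    "manifests": [
        {"mediaType": "application/vnd.docker.distribution.manifest.v2+json", "size": 1234,
         "digest": "sha256:" + "a" * 64, "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": "application/vnd.docker.distribution.manifest.v2+json", "size": 1234,
         "digest": "sha256:" + "b" * 64, "platform": {"architecture": "arm64", "os": "linux"}},
        # buildx provenance/SBOM attestations show up as unknown/unknown entries, not images
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 567,
         "digest": "sha256:" + "c" * 64, "platform": {"architecture": "unknown", "os": "unknown"}},
    ],
})

def digests_by_platform(manifest_json: str) -> dict:
    """Map (os, architecture) -> digest for each image entry of a manifest list.
    A single-image manifest has no 'manifests' key and yields {}: the tag was
    pushed without `docker manifest push`."""
    digests = {}
    for entry in json.loads(manifest_json).get("manifests", []):
        platform = entry.get("platform", {})
        key = (platform.get("os"), platform.get("architecture"))
        if None in key or "unknown" in key:
            continue  # attestation entries or entries without a platform
        digests[key] = entry["digest"]
    return digests

def missing_platforms(manifest_json: str, required=REQUIRED_PLATFORMS) -> set:
    """Required platforms that the manifest list does not cover."""
    return set(required) - set(digests_by_platform(manifest_json))

def malformed_digests(manifest_json: str) -> list:
    """Digests not of the sha256:<64 hex> form the operator bundle references."""
    return [d for d in digests_by_platform(manifest_json).values() if not DIGEST_RE.match(d)]

def manifest_list_ok(manifest_json: str) -> bool:
    """True when all required platforms are present and every digest is well formed."""
    return not missing_platforms(manifest_json) and not malformed_digests(manifest_json)
```

Pass the real `docker manifest inspect` output to `manifest_list_ok` in place of SAMPLE_MANIFEST_LIST; an empty map from `digests_by_platform` means the tag was pushed as a single image and the manifest step has to be redone.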
In the AWS Marketplace Management Portal, select KubeArmor under the Server category of products and choose to add a new version of KubeArmor. Once this option is chosen, follow the instructions in the subsequent window: update the listing with the Helm and EKS add-on delivery methods added, and update the image or Helm chart references wherever prompted to create the new listing.