Add OCM artifact for OpenBao

[voigt]

This PR addresses #74 and adds a Github Action job to create an OCM artifact for OpenBao referencing the OpenBao upstream helm-chart.

The OCM job will be triggered after a release of the helm chart is performed.

Artifact signing is not yet part of this PR. We'd like to use our existing GPG key we use to sign all other artifacts. Unfortunately OCM does not yet support signing via a passkey protected key (see #1544).

[pree]

@voigt Thanks already for the PR! Please open PR's as draft PRs (especially when your working on it) and press Ready for review once the actions are green and it's ready for review, as we are then notified that this PR is ready and don't receive a bunch of mails before :) I think we could add this approach to CONTRIBUTING.md too.

[voigt]

Good point - I simply haven't thought of that option. Sorry for spamming your inbox 😇

[voigt]

@cipherboy / @pree would either of you be able to store the signing material as secrets.OCM_SIGNING_KEY_PRIV in Github Secrets of this project?

https://ocm.software/docs/getting-started/sign-component-versions/

[pree]

@cipherboy / @pree would either of you be able to store the signing material as secrets.OCM_SIGNING_KEY_PRIV in Github Secrets of this project?

https://ocm.software/docs/getting-started/sign-component-versions/

Alex put the signing key as secrets.GPG_PRIVATE_KEY and secrets.GPG_PRIVATE_KEY_BASE64 with the password as secrets.GPG_PASSWORD

[JanMa]

@voigt looking at the error message, the GitHub Actions workflow is trying to push to a non existing package in the GitHub registry:

Error: openbao.org/openbao:0.16.3: transferring resource 0: unable to add blob (component openbao.org/openbao:0.16.3 resource openbao-helm-chart-external-oci): exploding OCI artifact resource blob ([openbao/charts/openbao:0.16.3] namespace openbao/openbao/charts/openbao: transfer artifact): transferring config blob: unable to add blob (OCI repository openbao/openbao/charts/openbao): failed to push: failed to push: POST "https://ghcr.io/v2/openbao/openbao/charts/openbao/blobs/uploads/": response status code 403: denied: installation not allowed to Create organization package, ghcr.io/openbao/openbao/charts/openbao

The correct path would be ghcr.io/openbao/charts/openbao. I am not yet sure which setting needs to be changed in the OCM config to get rid of the additional openbao in the path 🤔

[phyrog]

@JanMa @pree Can one of you with the right permissions try to trigger the failed job again? I think I fixed the ghcr.io path now, but I don't have permissions to push the artifacts.

[eyenx]

@JanMa @pree Can one of you with the right permissions try to trigger the failed job again? I think I fixed the ghcr.io path now, but I don't have permissions to push the artifacts.

Done

[pree]

I think this needs to be merged to be able to run using the repository GH secrets

[phyrog]

I will try this out in our fork repo and update it to only trigger on releases when everything else is working

[phyrog]

@pree @JanMa This should be done now. This is what it looks like in our forked repo: https://github.com/Ki-Reply-GmbH/openbao-helm/pkgs/container/component-descriptors%2Fopenbao.org%2Fopenbao so the artifact would be stored under ghcr.io/openbao/component-descriptors/openbao.org/openbao:<tag>.

This now only builds and pushes the OCM artifact itself, all the actual artifacts (helm chart + images) are just being referenced.

Unfortunately since it's not my PR I can't undraft it.

[pree]

Thanks for the update!

Unfortunately since it's not my PR I can't undraft it.

I've just undrafted the PR for you :)

[pree]

LGTM for the first iteration.

I would love to have this swapped out for a OCM GH Action when this will be available sometime in the future.

Let's see if it works after merging :)