feat(release): self-contained image and release CI (GHCR image, Helm chart)#20
Merged
Conversation
…file build context
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What and why
Slice B of productionize. Ships the Fleet Manager as consumable artifacts anyone can run on their own infrastructure.
internal/webui—go:embedthe webdist/and serve the SPA on the same mux as the Connect API (the API path wins by longest-prefix; a directory path or unknown route falls back toindex.html, no directory listings). Mounted at/incmd/manager, so it sits behind the same client-cert-mTLS listener (Slice A) — no unauthenticated hole.Dockerfile— multi-stage BuildKit build: build the web bundle (Node) → embed → static distrolessnonrootimage. Verified with a real build..github/workflows/job-release-image.yaml— on av*tag, build+push the image (buildx →ghcr.io/cryptos-pki/manager) and package+push the Helm chart (oci://ghcr.io/cryptos-pki/charts).chart/fleet-manager— Helm chart; bring-your-own server cert + operator CA + node inventory;authBypassdefaults false;requiredguards on the trust material when not bypassing.The image and chart assume no particular deploy environment — adopters bring their own registry, trust material, and orchestrator. Builds on Slice A (#18, merged).
Closes #19
Verification
docker buildsucceeds (distroless image ~6.8 MB content)helm lintclean; renders verified for authBypass true (no TLS volumes) and false (TLS + operator-CA volumes)actionlintclean on the release workflowHow this was verified
Whole-branch review confirmed: the Connect API path still wins over the SPA mount (proven by a real mux test), no unauthenticated path is introduced, the Dockerfile bakes no secrets and embeds the real bundle before
go build, the workflow triggers only on tags with norun:injection risk, and the chart renders correctly in both auth modes. The node ISO ships separately fromcryptos.