From 59309c8cd03ad948410f323d40b810a514fc9dab Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Fri, 22 May 2026 18:51:25 +0200 Subject: [PATCH 1/5] feat(dagger): add enterprise mode for proprietary CLI image Add --enterprise and --cli-version optional parameters to the Dagger module constructor. When enterprise mode is enabled, the module uses ghcr.io/chainloop-dev/platform/cli instead of the OSS image. The bump script now fetches the platform version from the infoz endpoint. Assisted-by: Claude Code Signed-off-by: Javier Rodriguez Chainloop-Trace-Sessions: 8a5a6956-cc02-47f6-9366-bb732b59ecf7 --- .../utils/bump-chart-and-dagger-version.sh | 6 +++ extras/dagger/main.go | 46 +++++++++++++++---- 2 files changed, 44 insertions(+), 8 deletions(-) diff --git a/.github/workflows/utils/bump-chart-and-dagger-version.sh b/.github/workflows/utils/bump-chart-and-dagger-version.sh index 0f91c512f..a9c40547a 100755 --- a/.github/workflows/utils/bump-chart-and-dagger-version.sh +++ b/.github/workflows/utils/bump-chart-and-dagger-version.sh @@ -53,3 +53,9 @@ sed -i "s/tag: .*/tag: \"${semVer}\"/g" "${values_yaml}" ## Update Dagger version sed -i "s/chainloopVersion = \"v.*\"/chainloopVersion = \"${semVer}\"/" "${dagger_main}" +## Update platform (enterprise) CLI version from infoz endpoint +platform_version=$(curl -sf https://api.app.chainloop.dev/infoz | jq -r '.version') +if [[ -n "${platform_version}" && "${platform_version}" != "null" ]]; then + sed -i "s/platformVersion = \"v.*\"/platformVersion = \"${platform_version}\"/" "${dagger_main}" +fi + diff --git a/extras/dagger/main.go b/extras/dagger/main.go index a33e55c23..58f335757 100644 --- a/extras/dagger/main.go +++ b/extras/dagger/main.go @@ -11,6 +11,7 @@ import ( const ( chainloopVersion = "v1.98.4" + platformVersion = "v1.77.8" ) var execOpts = dagger.ContainerWithExecOpts{ 
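Review bot: The value read from the infoz endpoint goes into the `sed` replacement after only an empty/`null` check, so whatever string the endpoint returns becomes the pinned `platformVersion` image tag, and a value containing `/` or `&` would change the sed expression itself. Match it against the expected shape before writing, e.g. `if [[ "${platform_version}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then`, and consider failing the job instead of silently skipping when it does not match. The same check also covers a value without the leading `v`, which would be written once and then never matched again by the `platformVersion = \"v.*\"` pattern. The top of the script is outside this hunk, so whether `pipefail` is set is not visible; without it a failed `curl -sf` is hidden behind the exit status of `jq`.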
@@ -20,6 +21,25 @@ var execOpts = dagger.ContainerWithExecOpts{ type Chainloop struct { // +private Instance InstanceInfo + // +private + Enterprise bool + // +private + CLIVersion string +} + +// New creates a new Chainloop module client. +func New( + // Use the enterprise CLI image (ghcr.io/chainloop-dev/platform/cli) + // +optional + enterprise bool, + // Pin a specific CLI version (overrides the built-in default) + // +optional + cliVersion string, +) *Chainloop { + return &Chainloop{ + Enterprise: enterprise, + CLIVersion: cliVersion, + } } // A Chainloop attestation 
@@ -515,13 +535,23 @@ func (att *Attestation) Debug() *dagger.Container { return att.Container(0).Terminal() } -func cliContainer(ttl int, token *dagger.Secret, instance InstanceInfo, parentCI *ParentCIContext, githubEventFile *dagger.File) *dagger.Container { +func cliContainer(ttl int, token *dagger.Secret, instance InstanceInfo, parentCI *ParentCIContext, githubEventFile *dagger.File, enterprise bool, cliVersionOverride string) *dagger.Container { + image := "ghcr.io/chainloop-dev/chainloop/cli" + version := chainloopVersion + if enterprise { + image = "ghcr.io/chainloop-dev/platform/cli" + version = platformVersion + } + if cliVersionOverride != "" { + version = cliVersionOverride + } + ctr := dag.Container(). - From(fmt.Sprintf("ghcr.io/chainloop-dev/chainloop/cli:%s", chainloopVersion)). - WithEntrypoint([]string{"/chainloop"}). // Be explicit to prepare for possible API change - WithEnvVariable("CHAINLOOP_DAGGER_CLIENT", chainloopVersion). - WithUser(""). // Our images come with pre-defined user set, so we need to reset it - WithEnvVariable("DAGGER_CACHE_KEY", time.Now().Truncate(time.Duration(ttl)*time.Second).String()) // Cache TTL + From(fmt.Sprintf("%s:%s", image, version)). + WithEntrypoint([]string{"/chainloop"}). + WithEnvVariable("CHAINLOOP_DAGGER_CLIENT", version). + WithUser(""). + WithEnvVariable("DAGGER_CACHE_KEY", time.Now().Truncate(time.Duration(ttl)*time.Second).String()) // Inject parent CI context if provided if parentCI != nil { @@ -631,7 +661,7 @@ func (att *Attestation) Container( // +default=0 ttl int, ) *dagger.Container { - ctr := cliContainer(ttl, att.Token, att.Client.Instance, att.parentCIContext, att.githubEventFile) + ctr := cliContainer(ttl, att.Token, att.Client.Instance, att.parentCIContext, att.githubEventFile, att.Client.Enterprise, att.Client.CLIVersion) if att.repository != nil { ctr = ctr.WithDirectory(".", att.repository) } 
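Review bot: `CHAINLOOP_DAGGER_CLIENT` in `cliContainer` now carries `version`, which is `platformVersion` in enterprise mode (or the caller's override), where it previously always carried the module's own `chainloopVersion`. If the variable is meant to identify the Dagger module release rather than the CLI image tag (the name suggests so, but its consumer is not visible here), keep `WithEnvVariable("CHAINLOOP_DAGGER_CLIENT", chainloopVersion)` and let only the `From(...)` reference vary. Both images are also resolved by tag alone in `fmt.Sprintf("%s:%s", image, version)`; since the enterprise tag is refreshed automatically by the bump script, recording a digest next to `platformVersion` would keep the pulled image fixed to what was reviewed. The body of `cliContainer` continues past the end of the hunk.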
@@ -778,7 +808,7 @@ func (m *Chainloop) WorkflowCreate( // +optional skipIfExists bool, ) (string, error) { - return cliContainer(0, token, m.Instance, nil, nil). + return cliContainer(0, token, m.Instance, nil, nil, m.Enterprise, m.CLIVersion). WithExec([]string{ "workflow", "create", "--name", name, From 3358ed50cd5fe6ce08a14afd228c42a7852f50b4 Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Fri, 22 May 2026 18:54:33 +0200 Subject: [PATCH 2/5] restore comments Signed-off-by: Javier Rodriguez Chainloop-Trace-Sessions: 8a5a6956-cc02-47f6-9366-bb732b59ecf7 --- extras/dagger/main.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/extras/dagger/main.go b/extras/dagger/main.go index 58f335757..ea53b614d 100644 --- a/extras/dagger/main.go +++ b/extras/dagger/main.go @@ -548,10 +548,10 @@ func cliContainer(ttl int, token *dagger.Secret, instance InstanceInfo, parentCI ctr := dag.Container(). From(fmt.Sprintf("%s:%s", image, version)). - WithEntrypoint([]string{"/chainloop"}). + WithEntrypoint([]string{"/chainloop"}). // Be explicit to prerare for possible API change WithEnvVariable("CHAINLOOP_DAGGER_CLIENT", version). - WithUser(""). - WithEnvVariable("DAGGER_CACHE_KEY", time.Now().Truncate(time.Duration(ttl)*time.Second).String()) + WithUser(""). // Our images come with pre-defined user set, so we need to reset it + WithEnvVariable("DAGGER_CACHE_KEY", time.Now().Truncate(time.Duration(ttl)*time.Second).String()) // Cache TTL // Inject parent CI context if provided if parentCI != nil { From 324a6374be211a072fa36fea24a0923d086ded02 Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Fri, 22 May 2026 18:57:27 +0200 Subject: [PATCH 3/5] fix typo Signed-off-by: Javier Rodriguez Chainloop-Trace-Sessions: 8a5a6956-cc02-47f6-9366-bb732b59ecf7 --- extras/dagger/main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extras/dagger/main.go b/extras/dagger/main.go index ea53b614d..7c4ac8cda 100644 --- a/extras/dagger/main.go 
+++ b/extras/dagger/main.go @@ -548,7 +548,7 @@ func cliContainer(ttl int, token *dagger.Secret, instance InstanceInfo, parentCI ctr := dag.Container(). From(fmt.Sprintf("%s:%s", image, version)). - WithEntrypoint([]string{"/chainloop"}). // Be explicit to prerare for possible API change + WithEntrypoint([]string{"/chainloop"}). // Be explicit to prepare for possible API change WithEnvVariable("CHAINLOOP_DAGGER_CLIENT", version). WithUser(""). // Our images come with pre-defined user set, so we need to reset it WithEnvVariable("DAGGER_CACHE_KEY", time.Now().Truncate(time.Duration(ttl)*time.Second).String()) // Cache TTL From 0f7c4ac2235c8c224ee4b128d924dc56fdc85a65 Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Sun, 24 May 2026 15:08:40 +0200 Subject: [PATCH 4/5] remove option to change CLI enterprise container version Signed-off-by: Javier Rodriguez Chainloop-Trace-Sessions: 8a5a6956-cc02-47f6-9366-bb732b59ecf7 --- extras/dagger/main.go | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/extras/dagger/main.go b/extras/dagger/main.go index 7c4ac8cda..fa584c032 100644 --- a/extras/dagger/main.go +++ b/extras/dagger/main.go @@ -23,8 +23,6 @@ type Chainloop struct { Instance InstanceInfo // +private Enterprise bool - // +private - CLIVersion string } // New creates a new Chainloop module client. @@ -32,13 +30,10 @@ func New( // Use the enterprise CLI image (ghcr.io/chainloop-dev/platform/cli) // +optional enterprise bool, - // Pin a specific CLI version (overrides the built-in default) - // +optional - cliVersion string, + ) *Chainloop { return &Chainloop{ Enterprise: enterprise, - CLIVersion: cliVersion, } } 
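Review bot: Removing the `cliVersion` parameter from `New` leaves an added empty line between `enterprise bool,` and the closing `) *Chainloop {`; drop it so the parameter list ends directly after `enterprise bool,`. With the override gone, the doc comment on `New` could state that enterprise mode always uses the built-in version, for example `// New creates a new Chainloop module client; enterprise selects the platform CLI image at the built-in platformVersion.`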
@@ -535,16 +530,13 @@ func (att *Attestation) Debug() *dagger.Container { return att.Container(0).Terminal() } -func cliContainer(ttl int, token *dagger.Secret, instance InstanceInfo, parentCI *ParentCIContext, githubEventFile *dagger.File, enterprise bool, cliVersionOverride string) *dagger.Container { +func cliContainer(ttl int, token *dagger.Secret, instance InstanceInfo, parentCI *ParentCIContext, githubEventFile *dagger.File, enterprise bool) *dagger.Container { image := "ghcr.io/chainloop-dev/chainloop/cli" version := chainloopVersion if enterprise { image = "ghcr.io/chainloop-dev/platform/cli" version = platformVersion } - if cliVersionOverride != "" { - version = cliVersionOverride - } ctr := dag.Container(). From(fmt.Sprintf("%s:%s", image, version)). @@ -661,7 +653,7 @@ func (att *Attestation) Container( // +default=0 ttl int, ) *dagger.Container { - ctr := cliContainer(ttl, att.Token, att.Client.Instance, att.parentCIContext, att.githubEventFile, att.Client.Enterprise, att.Client.CLIVersion) + ctr := cliContainer(ttl, att.Token, att.Client.Instance, att.parentCIContext, att.githubEventFile, att.Client.Enterprise) if att.repository != nil { ctr = ctr.WithDirectory(".", att.repository) } @@ -808,7 +800,7 @@ func (m *Chainloop) WorkflowCreate( // +optional skipIfExists bool, ) (string, error) { - return cliContainer(0, token, m.Instance, nil, nil, m.Enterprise, m.CLIVersion). + return cliContainer(0, token, m.Instance, nil, nil, m.Enterprise). WithExec([]string{ "workflow", "create", "--name", name, From 8d6ddf147c7d8349a34c00733cb1d30ce1cc1e5f Mon Sep 17 00:00:00 2001 From: Javier Rodriguez Date: Sun, 24 May 2026 15:18:20 +0200 Subject: [PATCH 5/5] allow to customize platform CAs and API Signed-off-by: Javier Rodriguez Chainloop-Trace-Sessions: 8a5a6956-cc02-47f6-9366-bb732b59ecf7 --- extras/dagger/main.go | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/extras/dagger/main.go b/extras/dagger/main.go index fa584c032..2f610e95f 100644 
--- a/extras/dagger/main.go +++ b/extras/dagger/main.go @@ -78,6 +78,10 @@ type InstanceInfo struct { CASAPI string // path to a custom CA for the CAS API CASCAPath *dagger.File + // hostname for the Platform API i.e api.app.chainloop.dev:443 + PlatformAPI string + // path to a custom CA for the Platform API + PlatformCAPath *dagger.File // Password to use when authenticating to the registry Insecure bool } @@ -373,6 +377,11 @@ func (m *Chainloop) WithInstance( // Path to custom CA certificate for the Control Plane API // +optional controlplaneCA *dagger.File, + // Example: "api.app.chainloop.dev:443" + platformAPI string, + // Path to custom CA certificate for the Platform API + // +optional + platformCA *dagger.File, // Whether to skip TLS verification // +optional insecure bool, @@ -383,6 +392,8 @@ func (m *Chainloop) WithInstance( Insecure: insecure, CASCAPath: casCA, ControlplaneCAPath: controlplaneCA, + PlatformAPI: platformAPI, + PlatformCAPath: platformCA, } return m @@ -635,6 +646,14 @@ func cliContainer(ttl int, token *dagger.Secret, instance InstanceInfo, parentCI ctr = ctr.WithEnvVariable("CHAINLOOP_ARTIFACT_CAS_API", cas) } + if platformAPI := instance.PlatformAPI; platformAPI != "" { + ctr = ctr.WithEnvVariable("CHAINLOOP_PLATFORM_API", platformAPI) + } + + if ca := instance.PlatformCAPath; ca != nil { + ctr = ctr.WithFile("/platform-ca.pem", ca).WithEnvVariable("CHAINLOOP_PLATFORM_API_CA", "/platform-ca.pem") + } + if instance.Insecure { ctr = ctr.WithEnvVariable("CHAINLOOP_API_INSECURE", "true") }
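Review bot: In `WithInstance`, the new `platformAPI string` argument has no `// +optional` marker, unlike `platformCA` directly below it, so Dagger would treat it as required and callers that configure only the control plane and CAS would have to supply it. `cliContainer` already treats an empty value as unset (`if platformAPI := instance.PlatformAPI; platformAPI != ""`), which suggests it was meant to be optional; add a description line and the marker, e.g. `// Platform API endpoint. Example: "api.app.chainloop.dev:443"` followed by `// +optional`. In the `cliContainer` hunk, `CHAINLOOP_PLATFORM_API` and `CHAINLOOP_PLATFORM_API_CA` are set whether or not `enterprise` is true; if only the platform CLI reads them, gating on `enterprise` would make that explicit. Both functions start and end outside the hunks.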