feat(tls): Support server side TLS #82
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| permissions: | |
| # Allow action to write raw configs back to the repository. | |
| contents: write | |
| # Run commits in order to prevent out of order write back commits. | |
| concurrency: | |
| group: ${{ github.head_ref || github.ref_name }} | |
| cancel-in-progress: false | |
| jobs: | |
| shellcheck: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install ShellCheck | |
| run: sudo apt-get install shellcheck | |
| - name: Run ShellCheck | |
| run: shellcheck -x -s bash entrypoint.sh | |
| test: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| # This matrix allows us to test multiple bindplane versions. | |
| # When writing back to the repo, we write to directories based | |
| # on the bindplane version. | |
| bindplane_versions: | |
| - 1.40.0 | |
| - 1.45.0 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Detect Runner IP | |
| run: echo "MAIN_IP=$(ip addr show | grep 'inet ' | grep -v '127.0.0.1' | awk '{print $2}' | cut -f1 -d'/' | head -n 1)" >> $GITHUB_ENV | |
| - name: Print Runner IP | |
| run: echo $MAIN_IP | |
| - name: Install step cli | |
| run: | | |
| wget https://dl.smallstep.com/cli/docs-cli-install/latest/step-cli_amd64.deb | |
| sudo apt-get install -y -f ./step-cli_amd64.deb | |
| - name: Create CA certificate | |
| run: | | |
| mkdir tls | |
| step certificate create \ | |
| ca.internal \ | |
| tls/ca.crt tls/ca.key \ | |
| --profile root-ca \ | |
| --no-password \ | |
| --insecure \ | |
| --not-after=8760h | |
| - name: Set CA certificate | |
| run: echo "TLS_CA_CERT=$(cat tls/ca.crt)" >> $GITHUB_ENV | |
| shell: bash | |
| - name: Create BindPlane certificate | |
| run: | | |
| step certificate create \ | |
| bindplane.internal \ | |
| tls/bindplane.crt tls/bindplane.key \ | |
| --ca tls/ca.crt tls/ca.key \ | |
| --profile leaf \ | |
| --no-password \ | |
| --insecure \ | |
| --not-after=8760h | |
| - name: Pull BindPlane | |
| run: docker pull ghcr.io/observiq/bindplane-ee:${{ matrix.bindplane_versions }} | |
| - name: Start BindPlane | |
| run: | | |
| docker run \ | |
| -d \ | |
| --name bindplane \ | |
| -e BINDPLANE_USERNAME=admin \ | |
| -e BINDPLANE_PASSWORD=admin \ | |
| -e BINDPLANE_REMOTE_URL=https://${MAIN_IP}:3001 \ | |
| -e BINDPLANE_SESSION_SECRET=2c23c9d3-850f-4062-a5c8-3f9b814ae144 \ | |
| -e BINDPLANE_SECRET_KEY=8a5353f7-bbf4-4eea-846d-a6d54296b781 \ | |
| -e BINDPLANE_LOG_OUTPUT=stdout \ | |
| -e BINDPLANE_ACCEPT_EULA=true \ | |
| -e BINDPLANE_TLS_CERT=/tls/bindplane.crt \ | |
| -e BINDPLANE_TLS_KEY=/tls/bindplane.key \ | |
| -p 3001:3001 \ | |
| ghcr.io/observiq/bindplane-ee:${{ matrix.bindplane_versions }} | |
| - name: Wait for BindPlane | |
| uses: nick-fields/retry@v2 | |
| with: | |
| timeout_minutes: 1 | |
| polling_interval_seconds: 5 | |
| max_attempts: 10 | |
| shell: bash | |
| command: docker exec bindplane /bindplane get agent | |
| - name: Run BindPlane Action | |
| # This should be replaced with a release action. | |
| # <organization>/<repository>@<tag> | |
| uses: ./ | |
| with: | |
| # These values are hardcode to match the test instance used by | |
| # this workflow. The instance does not persist. Consumers of | |
| # this action should always use secrets when passing in the remote | |
| # url, bindplane_username, bindplane_password or api key. | |
| # | |
| # Remote url will never be localhost when running this action. The action | |
| # executes in a container and localhost will always be the container's network | |
| # and not the network of the bindplane instance, even if that instance | |
| # is running within this runner. | |
| bindplane_remote_url: http://${{ env.MAIN_IP }}:3001 | |
| bindplane_username: admin | |
| bindplane_password: admin | |
| destination_path: test/resources/destinations/resource.yaml | |
| configuration_path: test/resources/configurations/resource.yaml | |
| configuration_output_dir: test/otel/${{ matrix.bindplane_versions }} | |
| configuration_output_branch: otel-raw-configs | |
| target_branch: main | |
| # Token should have contents: write permissions | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| enable_otel_config_write_back: true | |
| enable_auto_rollout: true | |
| # Generally this would come from a secret, but the certificate | |
| # was created in this workflow. | |
| tls_ca_cert: ${{ env.TLS_CA_CERT }} | |
| - name: Get Resources | |
| if: always() | |
| run: | | |
| docker exec bindplane /bindplane get destinations | |
| docker exec bindplane /bindplane get configurations | |
| - name: Debug Container Logs | |
| if: always() | |
| run: docker logs bindplane |