Skip to content

Bump github.com/brancz/kube-rbac-proxy from 0.18.0 to 0.18.1 in /hack… #985

Bump github.com/brancz/kube-rbac-proxy from 0.18.0 to 0.18.1 in /hack…

Bump github.com/brancz/kube-rbac-proxy from 0.18.0 to 0.18.1 in /hack… #985

Workflow file for this run

name: CI
on:
push:
branches:
- '**'
- '!dependabot/**'
tags:
# semver tags
- 'v[0-9]+\.[0-9]+\.[0-9]+-?**'
pull_request: {}
env:
IMGPKG: go run -modfile hack/imgpkg/go.mod github.com/vmware-tanzu/carvel-imgpkg/cmd/imgpkg
KAPP: go run -modfile hack/kapp/go.mod github.com/k14s/kapp/cmd/kapp
KBLD: go run -modfile hack/kbld/go.mod github.com/vmware-tanzu/carvel-kbld/cmd/kbld
KO: go run -modfile hack/ko/go.mod github.com/google/ko
jobs:
unit:
name: Unit Test
runs-on: ubuntu-latest
steps:
- uses: actions/setup-go@v5
with:
go-version: 1.22.x
- uses: actions/checkout@v4
- name: Test
run: make test
- name: Report coverage
uses: codecov/codecov-action@v4
env:
CODECOV_TOKEN: 0e521354-90f7-4a17-a876-73ca69b59cb5
- name: Disallow generated drift
run: |
set -o errexit
set -o nounset
set -o pipefail
git diff --exit-code .
stage:
name: Stage
runs-on: ubuntu-latest
env:
REGISTRY_NAME: registry.local
KO_DOCKER_REPO: registry.local/servicebinding
KO_PLATFORMS: linux/amd64,linux/arm64
BUNDLE: registry.local/servicebinding/bundle
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: 1.22.x
- name: Generate certs
run: |
set -o errexit
set -o nounset
set -o pipefail
CERT_DIR=$(mktemp -d -t certs.XXXX)
echo "CERT_DIR=$CERT_DIR" >> $GITHUB_ENV
echo "##[group]Install cfssl"
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64 -o cfssl
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64 -o cfssljson
chmod +x cfssl*
sudo mv cfssl* /usr/local/bin
echo "##[endgroup]"
echo "##[group]Generate CA"
cfssl gencert -initca .github/tls/root-csr.json \
| cfssljson -bare ${CERT_DIR}/root-ca
cfssl gencert -ca ${CERT_DIR}/root-ca.pem -ca-key ${CERT_DIR}/root-ca-key.pem \
-config=".github/tls/config.json" \
-profile="intermediate" .github/tls/intermediate-csr.json \
| cfssljson -bare ${CERT_DIR}/signing-ca
cat ${CERT_DIR}/signing-ca.pem ${CERT_DIR}/root-ca.pem > ${CERT_DIR}/ca.pem
echo "##[endgroup]"
echo "##[group]Install CA"
# https://ubuntu.com/server/docs/security-trust-store
sudo apt-get install -y ca-certificates
sudo cp ${CERT_DIR}/ca.pem /usr/local/share/ca-certificates/ca.crt
sudo update-ca-certificates
echo "##[endgroup]"
echo "##[group]Generate cert"
cfssl gencert -ca ${CERT_DIR}/signing-ca.pem -ca-key ${CERT_DIR}/signing-ca-key.pem \
-config=".github/tls/config.json" \
-profile="server" \
-hostname="${REGISTRY_NAME},local-registry" \
.github/tls/server-csr.json \
| cfssljson -bare ${CERT_DIR}/server
echo "##[endgroup]"
- name: Setup local registry
run: |
set -o errexit
set -o nounset
set -o pipefail
# Run a registry.
docker run -d \
--restart=always \
--name local-registry \
-v ${CERT_DIR}:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.pem \
-e REGISTRY_HTTP_TLS_KEY=/certs/server-key.pem \
-p "443:443" \
registry:2
# Make the $REGISTRY_NAME -> local-registry
echo "$(hostname -I | cut -d' ' -f1) $REGISTRY_NAME" | sudo tee -a /etc/hosts
- name: Build all platforms for tags
if: startsWith(github.ref, 'refs/tags/')
run: |
echo "KO_PLATFORMS=all" >> $GITHUB_ENV
- name: Build
run: |
set -o errexit
set -o nounset
set -o pipefail
scratch=$(mktemp -d -t bundle.XXXX)
mkdir -p "${scratch}/.imgpkg"
mkdir -p "${scratch}/config"
cp LICENSE "${scratch}/LICENSE"
echo "##[group]Build"
cat hack/boilerplate.yaml.txt > "${scratch}/config/servicebinding-runtime.yaml"
${KO} resolve --platform ${KO_PLATFORMS} -f config/servicebinding-runtime.yaml >> "${scratch}/config/servicebinding-runtime.yaml"
cat hack/boilerplate.yaml.txt > "${scratch}/config/servicebinding-workloadresourcemappings.yaml"
cat config/servicebinding-workloadresourcemappings.yaml >> "${scratch}/config/servicebinding-workloadresourcemappings.yaml"
${KBLD} --imgpkg-lock-output "${scratch}/.imgpkg/images.yml" \
-f "${scratch}/config/servicebinding-runtime.yaml" \
-f "${scratch}/config/servicebinding-workloadresourcemappings.yaml" \
> /dev/null
echo "##[endgroup]"
echo "##[group]Create bundle"
${IMGPKG} push -f "${scratch}" -b "${BUNDLE}"
${IMGPKG} copy -b "${BUNDLE}" --to-tar servicebinding-runtime-bundle.tar
echo "##[endgroup]"
- uses: actions/upload-artifact@v4
with:
name: servicebinding-runtime-bundle.tar
path: servicebinding-runtime-bundle.tar
retention-days: 7
acceptance:
name: Acceptance Test
needs: stage
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
include:
- node: kindest/node:v1.23.17@sha256:14d0a9a892b943866d7e6be119a06871291c517d279aedb816a4b4bc0ec0a5b3
version: v1.23.17
os: ubuntu-latest
- node: kindest/node:v1.24.17@sha256:bad10f9b98d54586cba05a7eaa1b61c6b90bfc4ee174fdc43a7b75ca75c95e51
version: v1.24.17
os: ubuntu-latest
- node: kindest/node:v1.25.16@sha256:5da57dfc290ac3599e775e63b8b6c49c0c85d3fec771cd7d55b45fae14b38d3b
version: v1.25.16
os: ubuntu-latest
- node: kindest/node:v1.26.15@sha256:84333e26cae1d70361bb7339efb568df1871419f2019c80f9a12b7e2d485fe19
version: v1.26.15
os: ubuntu-latest
- node: kindest/node:v1.27.13@sha256:17439fa5b32290e3ead39ead1250dca1d822d94a10d26f1981756cd51b24b9d8
version: v1.27.13
os: ubuntu-latest
- node: kindest/node:v1.28.9@sha256:dca54bc6a6079dd34699d53d7d4ffa2e853e46a20cd12d619a09207e35300bd0
version: v1.28.9
os: ubuntu-latest
- node: kindest/node:v1.29.4@sha256:3abb816a5b1061fb15c6e9e60856ec40d56b7b52bcea5f5f1350bc6e2320b6f8
version: v1.29.4
os: ubuntu-latest
- node: kindest/node:v1.30.0@sha256:047357ac0cfea04663786a612ba1eaba9702bef25227a794b52890dd8bcd692e
version: v1.30.0
os: ubuntu-latest
env:
REGISTRY_NAME: registry.local
BUNDLE: registry.local/bundle
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: 1.22.x
- uses: actions/setup-python@v5
with:
python-version: "3.10"
- name: Install kind
run: |
cd $(mktemp -d -t kind.XXXX)
curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.22.0/kind-$(go env GOHOSTOS)-$(go env GOHOSTARCH)
chmod +x ./kind
sudo mv ./kind /usr/local/bin
cd -
- name: Generate certs
run: |
set -o errexit
set -o nounset
set -o pipefail
CERT_DIR=$(mktemp -d -t certs.XXXX)
echo "CERT_DIR=$CERT_DIR" >> $GITHUB_ENV
echo "##[group]Install cfssl"
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64 -o cfssl
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64 -o cfssljson
chmod +x cfssl*
sudo mv cfssl* /usr/local/bin
echo "##[endgroup]"
echo "##[group]Generate CA"
cfssl gencert -initca .github/tls/root-csr.json \
| cfssljson -bare ${CERT_DIR}/root-ca
cfssl gencert -ca ${CERT_DIR}/root-ca.pem -ca-key ${CERT_DIR}/root-ca-key.pem \
-config=".github/tls/config.json" \
-profile="intermediate" .github/tls/intermediate-csr.json \
| cfssljson -bare ${CERT_DIR}/signing-ca
cat ${CERT_DIR}/signing-ca.pem ${CERT_DIR}/root-ca.pem > ${CERT_DIR}/ca.pem
echo "##[endgroup]"
echo "##[group]Install CA"
# https://ubuntu.com/server/docs/security-trust-store
sudo apt-get install -y ca-certificates
sudo cp ${CERT_DIR}/ca.pem /usr/local/share/ca-certificates/ca.crt
sudo update-ca-certificates
echo "##[endgroup]"
echo "##[group]Generate cert"
cfssl gencert -ca ${CERT_DIR}/signing-ca.pem -ca-key ${CERT_DIR}/signing-ca-key.pem \
-config=".github/tls/config.json" \
-profile="server" \
-hostname="${REGISTRY_NAME},local-registry" \
.github/tls/server-csr.json \
| cfssljson -bare ${CERT_DIR}/server
echo "##[endgroup]"
- name: Setup local registry
run: |
set -o errexit
set -o nounset
set -o pipefail
# Run a registry.
docker run -d \
--restart=always \
--name local-registry \
-v ${CERT_DIR}:/certs \
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.pem \
-e REGISTRY_HTTP_TLS_KEY=/certs/server-key.pem \
-p "443:443" \
registry:2
# Make the $REGISTRY_NAME -> local-registry
echo "$(hostname -I | cut -d' ' -f1) $REGISTRY_NAME" | sudo tee -a /etc/hosts
- name: Create Cluster
run: |
set -o errexit
set -o nounset
set -o pipefail
# create a cluster with the local registry enabled in containerd
cat <<EOF | kind create cluster --config=-
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
containerdConfigPatches:
- |-
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."${REGISTRY_NAME}"]
endpoint = ["https://local-registry"]
- |-
[plugins."io.containerd.grpc.v1.cri".registry.configs."local-registry".tls]
ca_file = "/etc/docker/certs.d/local-registry/ca.pem"
nodes:
- role: control-plane
image: ${{ matrix.node }}
extraMounts:
- containerPath: /etc/docker/certs.d/local-registry
hostPath: ${CERT_DIR}
EOF
# connect the registry to the cluster network
docker network connect kind local-registry
# Document the local registry
# https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
name: local-registry-hosting
namespace: kube-public
data:
localRegistryHosting.v1: |
host: "localhost"
help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
EOF
- name: Download staged bundle
uses: actions/download-artifact@v4
with:
name: servicebinding-runtime-bundle.tar
- name: Relocate bundle
run: |
set -o errexit
set -o nounset
set -o pipefail
${IMGPKG} copy --tar servicebinding-runtime-bundle.tar --to-repo "${BUNDLE}"
mkdir -p bundle
${IMGPKG} pull -b "${BUNDLE}" -o bundle
- name: Deploy
run: |
set -o errexit
set -o nounset
set -o pipefail
echo "##[group]Create namespace"
kubectl create ns apps
echo "##[endgroup]"
echo "##[group]Deploy cert-manager"
${KAPP} deploy -a cert-manager -n apps --wait-timeout 5m -y \
-f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml
echo "##[endgroup]"
echo "##[group]Deploy servicebinding-runtime"
${KAPP} deploy -a servicebinding-runtime -n apps --wait-timeout 5m -y \
-f <(${KBLD} -f bundle/.imgpkg/images.yml -f bundle/config)
echo "##[endgroup]"
- name: Test samples
run: |
set -o errexit
set -o nounset
set -o pipefail
echo "##[group]Deploy spring-petclinic"
${KAPP} deploy -a servicebinding-sample-spring-petclinic -n apps --wait-timeout 5m -y \
-f samples/spring-petclinic
echo "##[endgroup]"
- name: Checkout conformance tests
uses: actions/checkout@v4
with:
repository: servicebinding/conformance.git
ref: v0.3.2
fetch-depth: 1
path: conformance-tests
- name: Conformance tests
working-directory: conformance-tests
run: |
set -o errexit
set -o nounset
set -o pipefail
echo "##[group]Setup conformance tests"
./setup.sh
echo "##[endgroup]"
echo "##[group]Run conformance tests"
./run_tests.sh -j 4
echo "##[endgroup]"
- name: Collect diagnostics
run: |
set +o errexit
set -o nounset
set +o pipefail
if [ -e conformance-tests/test-output/results/failing_scenarios.txt ] ; then
echo "##[group]failing conformance tests"
cat conformance-tests/test-output/results/failing_scenarios.txt
echo "##[endgroup]"
fi
echo "##[group]kubectl get clusterworkloadresourcemappings.servicebinding.io"
kubectl get clusterworkloadresourcemappings.servicebinding.io
echo "##[endgroup]"
echo "##[group]kubectl get servicebindings.servicebinding.io -A"
kubectl get servicebindings.servicebinding.io -A
echo "##[endgroup]"
echo "##[group]kubectl describe servicebindings.servicebinding.io -A"
kubectl describe servicebindings.servicebinding.io -A
echo "##[endgroup]"
echo "##[group]kapp list -A"
${KAPP} list -A
echo "##[endgroup]"
echo "##[group]kubectl get all -n servicebinding-system"
kubectl get all -n servicebinding-system
echo "##[endgroup]"
echo "##[group]kubectl get all -n servicebinding-cts"
kubectl get all -n servicebindings-cts
echo "##[endgroup]"
echo "##[group]kubectl describe deployments.apps -n servicebinding-system"
kubectl describe deployments.apps -n servicebinding-system
echo "##[endgroup]"
echo "##[group]kubectl describe deployments.apps -n servicebinding-cts"
kubectl describe deployments.apps -n servicebindings-cts
echo "##[endgroup]"
echo "##[group]kubectl describe mutatingwebhookconfigurations.admissionregistration.k8s.io servicebinding-admission-projector"
kubectl describe mutatingwebhookconfigurations.admissionregistration.k8s.io servicebinding-admission-projector
echo "##[endgroup]"
echo "##[group]kubectl describe validatingwebhookconfigurations.admissionregistration.k8s.io servicebinding-trigger"
kubectl describe validatingwebhookconfigurations.admissionregistration.k8s.io servicebinding-trigger
echo "##[endgroup]"
echo "##[group]kubectl logs -n servicebinding-system -l control-plane=controller-manager --tail 10000"
kubectl logs -n servicebinding-system -l control-plane=controller-manager --tail 10000
echo "##[endgroup]"
if: always()
continue-on-error: true
- name: Save test results
uses: actions/upload-artifact@v4
if: always()
with:
name: acceptance-test-results-${{ matrix.version }}
path: conformance-tests/test-output/results
- name: Delete Gracefully
run: |
set -o errexit
set -o nounset
set -o pipefail
echo "##[group]Delete spring-petclinic"
${KAPP} delete -a servicebinding-sample-spring-petclinic -n apps --wait-timeout 5m -y
echo "##[endgroup]"
echo "##[group]Delete servicebinding-runtime"
${KAPP} delete -a servicebinding-runtime -n apps --wait-timeout 5m -y
echo "##[endgroup]"
echo "##[group]Delete cert-manager"
${KAPP} delete -a cert-manager -n apps --wait-timeout 5m -y
echo "##[endgroup]"
if: always()
- name: Cleanup cluster
run: kind delete cluster
if: always()
# aggregate the unit and acceptance results into a single job
test:
name: Test
needs:
- unit
- acceptance
runs-on: ubuntu-latest
steps:
- run: echo "it passed"
release:
name: Release
needs:
- test
if: startsWith(github.ref, 'refs/tags/')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: 1.22.x
- name: Get the version
id: get_version
run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//}
- name: Draft release
id: create_release
uses: actions/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: ${{ github.ref }}
release_name: ${{ steps.get_version.outputs.VERSION }}
draft: true
- name: Download staged bundle
uses: actions/download-artifact@v4
with:
name: servicebinding-runtime-bundle.tar
- name: Upload servicebinding-runtime-bundle.tar
uses: actions/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps
asset_path: servicebinding-runtime-bundle.tar
asset_name: servicebinding-runtime-bundle-${{ steps.get_version.outputs.VERSION }}.tar
asset_content_type: application/x-tar
- name: Install crane
run: |
cd $(mktemp -d -t crane.XXXX)
curl -L https://github.com/google/go-containerregistry/releases/download/v0.9.0/go-containerregistry_Linux_x86_64.tar.gz | tar -xz
chmod +x ./crane
sudo mv ./crane /usr/local/bin
cd -
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Relocate bundle to public registry
run: |
set -o errexit
set -o nounset
set -o pipefail
version=${{ steps.get_version.outputs.VERSION }}
${IMGPKG} copy --tar servicebinding-runtime-bundle.tar --to-repo "ghcr.io/${{ github.repository }}/bundle"
crane tag "ghcr.io/${{ github.repository }}/bundle" "${version}"
digest=$(crane digest "ghcr.io/${{ github.repository }}/bundle:${version}")
scratch=$(mktemp -d -t bundle.XXXX)
mkdir -p ${scratch}
${IMGPKG} pull -b "ghcr.io/${{ github.repository }}/bundle:${version}@${digest}" -o ${scratch}
cp hack/boilerplate.yaml.txt servicebinding-runtime.yaml
${KBLD} -f ${scratch}/config/servicebinding-runtime.yaml -f ${scratch}/.imgpkg/images.yml \
>> servicebinding-runtime.yaml
cp hack/boilerplate.yaml.txt servicebinding-workloadresourcemappings.yaml
${KBLD} -f ${scratch}/config/servicebinding-workloadresourcemappings.yaml -f ${scratch}/.imgpkg/images.yml \
>> servicebinding-workloadresourcemappings.yaml
- name: Upload servicebinding-runtime.yaml
uses: actions/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps
asset_path: servicebinding-runtime.yaml
asset_name: servicebinding-runtime-${{ steps.get_version.outputs.VERSION }}.yaml
asset_content_type: application/x-yaml
- name: Upload servicebinding-workloadresourcemappings.yaml
uses: actions/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps
asset_path: servicebinding-workloadresourcemappings.yaml
asset_name: servicebinding-workloadresourcemappings-${{ steps.get_version.outputs.VERSION }}.yaml
asset_content_type: application/x-yaml