Skip to content

Merge pull request #689 from securesign/konflux/mintmaker/release-1.0… #2818

Merge pull request #689 from securesign/konflux/mintmaker/release-1.0…

Merge pull request #689 from securesign/konflux/mintmaker/release-1.0… #2818

Workflow file for this run

name: Validate SecureSign
on:
workflow_dispatch:
push:
branches: ["main", "release*"]
tags: ["*"]
pull_request:
branches: ["main", "release*"]
env:
GO_VERSION: 1.21
AWS_REGION: us-east-2
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
jobs:
build-operator:
name: Build-operator
runs-on: ubuntu-20.04
steps:
- name: Checkout source
uses: actions/checkout@v2
- name: Install Go
uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}
- uses: actions/cache@v3
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Remove rhel9 suffix from images.go
uses: jacobtomlinson/gha-find-replace@v3
with:
find: "-rhel9@"
replace: "@"
include: "**images.go"
regex: false
- name: Replace trillian images
uses: jacobtomlinson/gha-find-replace@v3
with:
find: "registry.redhat.io/rhtas/trillian-"
replace: "quay.io/redhat-user-workloads/rhtas-tenant/trillian/"
include: "**images.go"
regex: false
- name: replace Fulcio images
uses: jacobtomlinson/gha-find-replace@v3
with:
find: "registry.redhat.io/rhtas/fulcio"
replace: "quay.io/redhat-user-workloads/rhtas-tenant/fulcio/fulcio-server"
include: "**images.go"
regex: false
- name: replace Rekor-search images
uses: jacobtomlinson/gha-find-replace@v3
with:
find: "registry.redhat.io/rhtas/rekor-search-ui"
replace: "quay.io/redhat-user-workloads/rhtas-tenant/rekor-search/rekor-search"
include: "**images.go"
regex: false
- name: replace Rekor images
uses: jacobtomlinson/gha-find-replace@v3
with:
find: 'registry.redhat.io/rhtas/rekor-'
replace: "quay.io/redhat-user-workloads/rhtas-tenant/rekor/rekor-"
include: "**images.go"
regex: false
- name: replace Tuf images
uses: jacobtomlinson/gha-find-replace@v3
with:
find: "registry.redhat.io/rhtas/tuf-"
replace: "quay.io/redhat-user-workloads/rhtas-tenant/scaffold/tuf-"
include: "**images.go"
regex: false
- name: replace CTL images
uses: jacobtomlinson/gha-find-replace@v3
with:
find: "registry.redhat.io/rhtas/certificate-transparency"
replace: "quay.io/redhat-user-workloads/rhtas-tenant/certificate-transparency-go/certificate-transparency-go"
include: "**images.go"
regex: false
- name: replace server-cg image
uses: jacobtomlinson/gha-find-replace@v3
with:
find: "registry.redhat.io/rhtas/client-server-cg"
replace: "quay.io/redhat-user-workloads/rhtas-tenant/cli/client-server-cg"
include: "**images.go"
regex: false
- name: replace server-re image
uses: jacobtomlinson/gha-find-replace@v3
with:
find: "registry.redhat.io/rhtas/client-server-re"
replace: "quay.io/redhat-user-workloads/rhtas-tenant/cli/client-server-re"
include: "**images.go"
regex: false
- name: replace segment job image
uses: jacobtomlinson/gha-find-replace@v3
with:
find: "registry.redhat.io/rhtas/segment-reporting"
replace: "quay.io/redhat-user-workloads/rhtas-tenant/segment-backup-job/segment-backup-job"
include: "**images.go"
regex: false
- name: Print Resulting images.go file
run: cat controllers/constants/images.go
- name: Build operator container
run: IMG=ttl.sh/securesign/secure-sign-operator-${GITHUB_SHA}:1h make docker-build docker-push
test-kind:
name: Test kind deployment
runs-on: ubuntu-20.04
needs: build-operator
steps:
- name: Checkout source
uses: actions/checkout@v2
- name: Install Go
uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}
- uses: actions/cache@v3
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Log in to registry.redhat.io
uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1
with:
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_PASSWORD }}
registry: registry.redhat.io
auth_file_path: /tmp/config.json
- name: Install Cluster
uses: container-tools/[email protected]
with:
version: v0.20.0
node_image: kindest/node:v1.26.6@sha256:6e2d8b28a5b601defe327b98bd1c2d1930b49e5d8c512e1895099e4504007adb
cpu: 3
registry: false
config: ./ci/config.yaml
- name: Install Ingress
run: |
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=90s
- name: Deploy operator container
run: |
IMG=ttl.sh/securesign/secure-sign-operator-${GITHUB_SHA}:1h OPENSHIFT=false make deploy
- name: Wait for operator to be ready
run: |
kubectl wait --for=condition=available deployment/rhtas-operator-controller-manager --timeout=120s -n openshift-rhtas-operator
- name: Install Keycloak
run: |
#install OLM
kubectl create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.25.0/crds.yaml
# wait for a while to be sure CRDs are installed
sleep 1
kubectl create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.25.0/olm.yaml
kubectl create --kustomize ci/keycloak/operator/overlay/kind
until [ ! -z "$(kubectl get pod -l name=keycloak-operator -n keycloak-system 2>/dev/null)" ]
do
echo "Waiting for keycloak operator. Pods in keycloak-system namespace:"
kubectl get pods -n keycloak-system
sleep 10
done
kubectl create --kustomize ci/keycloak/resources/overlay/kind
until [[ $( oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system 2>/dev/null) == "true" ]]
do
printf "Waiting for keycloak deployment. \n Keycloak ready: %s\n" $(oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system)
sleep 10
done
# HACK - expose keycloak under the same name as the internal SVC has so it will be accessible:
# - within the cluster (where the localhost does not work)
# - outside the cluster (resolved from /etc/hosts and redirect to the localhost)
kubectl create -n keycloak-system -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: keycloak
spec:
rules:
- host: keycloak-internal.keycloak-system.svc
http:
paths:
- backend:
service:
name: keycloak-internal
port:
number: 80
path: /
pathType: Prefix
EOF
shell: bash
- name: Add service hosts to /etc/hosts
run: |
sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local keycloak-internal.keycloak-system.svc rekor-search-ui.local cli-server.local" | sudo tee -a /etc/hosts
- name: Install cosign
run: go install github.com/sigstore/cosign/v2/cmd/[email protected]
- name: Run tests
run: make integration-test
- name: dump the logs of the operator
run: kubectl logs -n openshift-rhtas-operator deployment/rhtas-operator-controller-manager
if: always()
test-eks:
name: Test EKS deployment
runs-on: ubuntu-20.04
needs: build-operator
if: >
(github.event_name == 'push' || github.event_name == 'schedule') &&
(github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))
steps:
- name: Checkout source
uses: actions/checkout@v2
- name: Install Go
uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}
- uses: actions/cache@v3
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Install eksctl
run: |
ARCH=amd64
PLATFORM=$(uname -s)_$ARCH
curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz"
tar -xzf eksctl_$PLATFORM.tar.gz -C /tmp && rm eksctl_$PLATFORM.tar.gz
sudo mv /tmp/eksctl /usr/local/bin
- name: Install kubectl
run: |
ARCH=amd64
PLATFORM=$(uname -s)_$ARCH
curl -sLO "https://dl.k8s.io/release/v1.22.0/bin/linux/amd64/kubectl"
chmod +x kubectl
sudo mv kubectl /usr/local/bin
- name: run eksctl create cluster
run: |
eksctl create cluster --alb-ingress-access --external-dns-access --name rhtas-eks-${GITHUB_SHA} --nodes 1 --node-type m5.xlarge --spot
eksctl utils associate-iam-oidc-provider --region=us-east-2 --cluster=rhtas-eks-${GITHUB_SHA} --approve
eksctl create iamserviceaccount --region us-east-2 --name ebs-csi-controller-sa --namespace kube-system --cluster rhtas-eks-${GITHUB_SHA} --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy --approve --role-only --role-name AmazonEKS_EBS_CSI_DriverRole
eksctl create addon --name aws-ebs-csi-driver --cluster rhtas-eks-${GITHUB_SHA} --service-account-role-arn arn:aws:iam::${{ secrets.AWS }}:role/AmazonEKS_EBS_CSI_DriverRole --force
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/aws/deploy.yaml
- name: Deploy operator container
run: IMG=ttl.sh/securesign/secure-sign-operator-${GITHUB_SHA}:1h make deploy
- name: Wait for operator to be ready
run: |
kubectl wait --for=condition=available deployment/rhtas-operator-controller-manager --timeout=60s -n openshift-rhtas-operator
- name: Install cosign
run: go install github.com/sigstore/cosign/v2/cmd/[email protected]
- name: Deploy RTHAS
run: |
sed -i 's|"https://your-oidc-issuer-url"|${{ secrets.testing_keycloak }}|g' config/samples/rhtas_v1alpha1_securesign.yaml
sed -i 's|ClientID: "trusted-artifact-signer"|ClientID: "sigstore"|g' config/samples/rhtas_v1alpha1_securesign.yaml
kubectl create ns test
kubectl apply -f config/samples/rhtas_v1alpha1_securesign.yaml -n test
- name: Until shell script to wait for trillian-db deployment to be created
run: |
for i in trillian-db trillian-logserver trillian-logsigner fulcio-server; do
until [ ! -z "$(kubectl get deployment $i -n test 2>/dev/null)" ]
do
echo "Waiting for $i deployment to be created. Pods in test namespace:"
kubectl get pods -n test
sleep 3
done
done
shell: bash
- name: Test deployments are ready
run: |
kubectl wait --for=condition=available deployment/trillian-db -n test --timeout=60s
kubectl wait --for=condition=available deployment/trillian-logserver -n test --timeout=60s
kubectl wait --for=condition=available deployment/trillian-logsigner -n test --timeout=60s
kubectl wait --for=condition=available deployment/fulcio-server -n test --timeout=60s
- name: Until shell script to wait for tuf, ctlog, rekor-redis, rekor-server deployment to be created
run: |
for i in tuf ctlog rekor-redis rekor-server; do
until [ ! -z "$(kubectl get deployment $i -n test 2>/dev/null)" ]
do
echo "Waiting for $i deployment to be created. Pods in test namespace:"
kubectl get pods -n test
sleep 3
done
done
shell: bash
- name: Test deployments are ready
run: |
kubectl wait --for=condition=available deployment/tuf -n test --timeout=60s
kubectl wait --for=condition=available deployment/ctlog -n test --timeout=60s
kubectl wait --for=condition=available deployment/rekor-redis -n test --timeout=60s
kubectl wait --for=condition=available deployment/rekor-server -n test --timeout=60s
- name: dump the logs of the operator
run: kubectl logs -n openshift-rhtas-operator deployment/rhtas-operator-controller-manager
if: always()
- name: delete the cluster
run: eksctl delete cluster --name rhtas-eks-${GITHUB_SHA} --region us-east-2 --wait
if: always()