
update alpine and golang remove nano update go modules remove need for openssl external cli fix stale Signed-off-by: James Strong <james.strong@chainguard.dev>
# Workflow identity, triggers and the default token scope.
name: CI

on:
  # Pull requests against any branch, except docs-only / deploy-only changes.
  pull_request:
    branches:
      - '*'
    paths-ignore:
      - 'docs/**'
      - 'deploy/**'

  # Pushes to main, with the same path exclusions.
  push:
    branches:
      - main
    paths-ignore:
      - 'docs/**'
      - 'deploy/**'

  # Manual run; run_e2e is a boolean input that jobs read as inputs.run_e2e.
  workflow_dispatch:
    inputs:
      run_e2e:
        description: 'Force e2e to run'
        required: false
        type: boolean

# Workflow-level default for GITHUB_TOKEN: read-only access to repository
# contents. Jobs that need anything else must declare their own permissions.
permissions:
  contents: read
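# Job graph: `changes` computes path filters; lint/gofmt/test-go/build gate on
# them; helm/kubernetes/kubernetes-chroot consume the image tarball that
# `build` uploads. Third-party actions are pinned to full commit SHAs with the
# release tag kept in a trailing comment.
jobs:

  # Path filter job: exposes `go` and `charts` outputs for downstream `if:`s.
  changes:
    permissions:
      contents: read # for dorny/paths-filter to fetch a list of changed files
      pull-requests: read # for dorny/paths-filter to read pull requests
    runs-on: ubuntu-latest
    outputs:
      go: ${{ steps.filter.outputs.go }}
      charts: ${{ steps.filter.outputs.charts }}

    steps:

      - name: Checkout
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0

      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
        id: filter
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          filters: |
            go:
              - '**/*.go'
              - 'go.mod'
              - 'go.sum'
              - 'rootfs/**/*'
              - 'TAG'
              - 'test/e2e/**/*'
              - 'NGINX_BASE'
            charts:
              - 'charts/ingress-nginx/Chart.yaml'
              - 'charts/ingress-nginx/**/*'
              - 'NGINX_BASE'

  # Static analysis with gosec. Runs on every trigger (no `needs: changes`).
  security:
    runs-on: ubuntu-latest
    steps:

      - name: Checkout
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0

      - name: Run Gosec Security Scanner
        uses: securego/gosec@1af1d5bb49259b62e45c505db397dd2ada5d74f8 # v2.14.0
        with:
          # G601 for zz_generated.deepcopy.go
          # G306 TODO: Expect WriteFile permissions to be 0600 or less
          # G307 TODO: Deferring unsafe method "Close"
          # NOTE(review): the list below also disables G104 (unchecked errors),
          # G109 (integer overflow on strconv.Atoi conversion), G204 (command
          # execution with variable input) and G304 (file path from variable
          # input) for the whole tree, with no stated reason. G204/G304 cover
          # command-injection and path-traversal classes; prefer per-line
          # `#nosec` annotations with a justification over a global exclude.
          args: -exclude=G109,G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/ -exclude-dir=docs/ ./...

  lint:
    runs-on: ubuntu-latest
    needs: changes
    if: |
      (needs.changes.outputs.go == 'true')
    steps:
      - name: Checkout
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0

      - name: Set up Go
        id: go
        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: '1.20'
          check-latest: true

      - name: Run Lint
        run: ./hack/verify-golint.sh

  gofmt:
    runs-on: ubuntu-latest
    needs: changes
    if: |
      (needs.changes.outputs.go == 'true')
    steps:
      - name: Checkout
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0

      - name: Set up Go
        id: go
        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: '1.20'
          check-latest: true

      - name: Run go-fmt
        run: ./hack/verify-gofmt.sh

  test-go:
    runs-on: ubuntu-latest
    needs: changes
    if: |
      (needs.changes.outputs.go == 'true')
    steps:
      - name: Checkout
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0

      - name: Set up Go
        id: go
        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: '1.20'
          check-latest: true

      - name: Run test
        run: make test

  # Builds the controller and e2e images and publishes them as a tarball
  # artifact (docker.tar.gz) for the e2e jobs.
  build:
    name: Build
    runs-on: ubuntu-latest
    needs: changes
    # The whole condition is a single expression. The previous form mixed bare
    # expression text with an embedded ${{ inputs.run_e2e }}; a value like that
    # is expanded as a string template, and a non-empty string is truthy, so
    # the job could never be skipped. `inputs` is empty on push/pull_request
    # events, so inputs.run_e2e is falsy there.
    if: ${{ (needs.changes.outputs.go == 'true') || (needs.changes.outputs.charts == 'true') || inputs.run_e2e }}

    steps:
      - name: Checkout
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0

      - name: Set up Go
        id: go
        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: '1.20'
          check-latest: true

      - name: Set up QEMU
        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0

      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1
        with:
          # NOTE(review): the action is SHA-pinned but the buildx binary it
          # installs floats on `latest`.
          version: latest

      - name: Available platforms
        # Pass the step output through the environment instead of expanding
        # it inside the script text, so the shell only ever sees it as data.
        env:
          BUILDX_PLATFORMS: ${{ steps.buildx.outputs.platforms }}
        run: echo "$BUILDX_PLATFORMS"

      - name: Prepare Host
        # NOTE(review): kubectl is installed into /usr/local/bin without an
        # integrity check, unlike the `ah` download in the helm job, which
        # verifies a pinned SHA-256. Pin the expected digest for this release
        # and verify it before the chmod/mv. --fail makes an HTTP error abort
        # the step instead of saving the error page as ./kubectl.
        run: |
          sudo apt-get -qq update || true
          sudo apt-get install -y pigz
          curl --fail -LO https://storage.googleapis.com/kubernetes-release/release/v1.25.5/bin/linux/amd64/kubectl
          chmod +x ./kubectl
          sudo mv ./kubectl /usr/local/bin/kubectl

      - name: Build images
        env:
          TAG: 1.0.0-dev
          ARCH: amd64
          REGISTRY: ingress-controller
        run: |
          echo "building images..."
          make clean-image build image image-chroot
          make -C test/e2e-image image

          echo "creating images cache..."
          docker save \
            nginx-ingress-controller:e2e \
            ingress-controller/controller:1.0.0-dev \
            ingress-controller/controller-chroot:1.0.0-dev \
            | pigz > docker.tar.gz

      - name: cache
        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
        with:
          name: docker.tar.gz
          path: docker.tar.gz

  # Chart lint, helm-docs drift check and chart e2e tests per Kubernetes
  # version in the matrix.
  helm:
    name: Helm chart
    runs-on: ubuntu-latest
    needs:
      - changes
      - build
    # Single expression; a condition that mixes bare text with an embedded
    # ${{ }} is expanded as a (always truthy) string.
    if: ${{ (needs.changes.outputs.charts == 'true') || inputs.run_e2e }}

    strategy:
      matrix:
        k8s: [v1.23.13, v1.24.7, v1.25.3, v1.26.0]

    steps:
      - name: Checkout
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0

      - name: Setup Go
        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: '1.20'
          check-latest: true

      - name: cache
        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1
        with:
          name: docker.tar.gz

      - name: Lint
        run: |
          ./build/run-in-docker.sh ./hack/verify-chart-lint.sh

      - name: Run helm-docs
        # Regenerates the chart README and fails (git diff --exit-code) when
        # the committed copy is stale.
        run: |
          GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.11.0
          ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts
          DIFF=$(git diff ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md)
          if [ ! -z "$DIFF" ]; then
            echo "Please use helm-docs in your clone, of your fork, of the project, and commit a updated README.md for the chart. https://github.com/kubernetes/ingress-nginx/blob/main/RELEASE.md#d-edit-the-valuesyaml-and-run-helm-docs"
          fi
          git diff --exit-code
          rm -f ./helm-docs

      - name: Run Artifact Hub lint
        # The release tarball is checked against a pinned SHA-256 before it is
        # unpacked and executed.
        run: |
          wget https://github.com/artifacthub/hub/releases/download/v1.5.0/ah_1.5.0_linux_amd64.tar.gz
          echo 'ad0e44c6ea058ab6b85dbf582e88bad9fdbc64ded0d1dd4edbac65133e5c87da *ah_1.5.0_linux_amd64.tar.gz' | shasum -c
          tar -xzvf ah_1.5.0_linux_amd64.tar.gz ah
          ./ah lint -p charts/ingress-nginx || exit 1
          rm -f ./ah ./ah_1.5.0_linux_amd64.tar.gz

      - name: fix permissions
        # NOTE(review): this makes the kubeconfig directory world-writable.
        # Creating it without sudo, or chown-ing it to the runner user with a
        # tighter mode, would avoid 777 -- confirm why sudo is needed here.
        run: |
          sudo mkdir -p $HOME/.kube
          sudo chmod -R 777 $HOME/.kube

      - name: Create Kubernetes ${{ matrix.k8s }} cluster
        id: kind
        run: |
          kind create cluster --image=kindest/node:${{ matrix.k8s }}

      # NOTE(review): every matrix leg of helm, kubernetes and
      # kubernetes-chroot downloads docker.tar.gz and then deletes it; a leg
      # that starts late may find the artifact already gone. failOnError only
      # covers the delete itself -- verify the intended ordering.
      - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0
        with:
          name: docker.tar.gz
          failOnError: false

      - name: Load images from cache
        run: |
          echo "loading docker images..."
          pigz -dc docker.tar.gz | docker load

      - name: Test
        env:
          KIND_CLUSTER_NAME: kind
          SKIP_CLUSTER_CREATION: true
          SKIP_IMAGE_CREATION: true
        run: |
          kind get kubeconfig > $HOME/.kube/kind-config-kind
          make kind-e2e-chart-tests

  # Controller e2e tests per Kubernetes version in the matrix.
  kubernetes:
    name: Kubernetes
    runs-on: ubuntu-latest
    needs:
      - changes
      - build
    # Single expression; a condition that mixes bare text with an embedded
    # ${{ }} is expanded as a (always truthy) string.
    if: ${{ (needs.changes.outputs.go == 'true') || inputs.run_e2e }}

    strategy:
      matrix:
        k8s: [v1.23.13, v1.24.7, v1.25.3, v1.26.0]

    steps:
      - name: Checkout
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0

      - name: cache
        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1
        with:
          name: docker.tar.gz

      - name: Create Kubernetes ${{ matrix.k8s }} cluster
        id: kind
        run: |
          kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml

      - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0
        with:
          name: docker.tar.gz
          failOnError: false

      - name: Load images from cache
        run: |
          echo "loading docker images..."
          pigz -dc docker.tar.gz | docker load

      - name: Run e2e tests
        env:
          KIND_CLUSTER_NAME: kind
          SKIP_CLUSTER_CREATION: true
          SKIP_IMAGE_CREATION: true
        run: |
          kind get kubeconfig > $HOME/.kube/kind-config-kind
          make kind-e2e-test

      # Reports are uploaded whether the tests passed or failed.
      - name: Upload e2e junit-reports
        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
        if: success() || failure()
        with:
          name: e2e-test-reports-${{ matrix.k8s }}
          path: 'test/junitreports/report*.xml'

  # Same e2e suite with IS_CHROOT set for the test run.
  kubernetes-chroot:
    name: Kubernetes chroot
    runs-on: ubuntu-latest
    needs:
      - changes
      - build
    # Single expression; a condition that mixes bare text with an embedded
    # ${{ }} is expanded as a (always truthy) string.
    if: ${{ (needs.changes.outputs.go == 'true') || inputs.run_e2e }}

    strategy:
      matrix:
        k8s: [v1.23.13, v1.24.7, v1.25.3, v1.26.0]

    steps:

      - name: Checkout
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0

      - name: cache
        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1
        with:
          name: docker.tar.gz

      - name: Create Kubernetes ${{ matrix.k8s }} cluster
        id: kind
        run: |
          kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml

      - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0
        with:
          name: docker.tar.gz
          failOnError: false

      - name: Load images from cache
        run: |
          echo "loading docker images..."
          pigz -dc docker.tar.gz | docker load

      - name: Run e2e tests
        env:
          KIND_CLUSTER_NAME: kind
          SKIP_CLUSTER_CREATION: true
          SKIP_IMAGE_CREATION: true
          IS_CHROOT: true
        run: |
          kind get kubeconfig > $HOME/.kube/kind-config-kind
          make kind-e2e-test

      # Reports are uploaded whether the tests passed or failed.
      - name: Upload e2e junit-reports
        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
        if: success() || failure()
        with:
          name: e2e-test-reports-chroot-${{ matrix.k8s }}
          path: 'test/junitreports/report*.xml'

  # Builds each helper image only when files under its directory changed.
  test-image-build:
    permissions:
      contents: read # for dorny/paths-filter to fetch a list of changed files
      pull-requests: read # for dorny/paths-filter to read pull requests
    runs-on: ubuntu-latest
    env:
      PLATFORMS: linux/amd64,linux/arm64
    steps:
      - name: Checkout
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0

      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
        id: filter-images
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          filters: |
            custom-error-pages:
              - 'images/custom-error-pages/**'
            cfssl:
              - 'images/cfssl/**'
            fastcgi-helloserver:
              - 'images/fastcgi-helloserver/**'
            echo:
              - 'images/echo/**'
            go-grpc-greeter-server:
              - 'images/go-grpc-greeter-server/**'
            httpbin:
              - 'images/httpbin/**'
            kube-webhook-certgen:
              - 'images/kube-webhook-certgen/**'
            ext-auth-example-authsvc:
              - 'images/ext-auth-example-authsvc/**'

      - name: custom-error-pages image build
        if: ${{ steps.filter-images.outputs.custom-error-pages == 'true' }}
        run: |
          cd images/custom-error-pages && make build
      - name: cfssl image build
        if: ${{ steps.filter-images.outputs.cfssl == 'true' }}
        run: |
          cd images/cfssl && make build
      - name: fastcgi-helloserver
        if: ${{ steps.filter-images.outputs.fastcgi-helloserver == 'true' }}
        run: |
          cd images/fastcgi-helloserver && make build
      - name: echo image build
        if: ${{ steps.filter-images.outputs.echo == 'true' }}
        run: |
          cd images/echo && make build
      - name: go-grpc-greeter-server image build
        if: ${{ steps.filter-images.outputs.go-grpc-greeter-server == 'true' }}
        run: |
          cd images/go-grpc-greeter-server && make build
      - name: httpbin image build
        if: ${{ steps.filter-images.outputs.httpbin == 'true' }}
        run: |
          cd images/httpbin && make build
      - name: kube-webhook-certgen image build
        if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
        run: |
          cd images/kube-webhook-certgen && make build
      - name: ext-auth-example-authsvc
        if: ${{ steps.filter-images.outputs.ext-auth-example-authsvc == 'true' }}
        run: |
          cd images/ext-auth-example-authsvc && make build

  # Runs the kube-webhook-certgen tests against a kind cluster, only when
  # files under images/kube-webhook-certgen changed.
  test-image:
    permissions:
      contents: read # for dorny/paths-filter to fetch a list of changed files
      pull-requests: read # for dorny/paths-filter to read pull requests

    runs-on: ubuntu-latest

    env:
      PLATFORMS: linux/amd64

    strategy:
      matrix:
        k8s: [v1.23.13, v1.24.7, v1.25.3, v1.26.0]

    steps:
      - name: Checkout
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0

      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
        id: filter-images
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          filters: |
            kube-webhook-certgen:
              - 'images/kube-webhook-certgen/**'

      - name: Create Kubernetes cluster
        id: kind
        if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
        run: |
          kind create cluster --image=kindest/node:${{ matrix.k8s }}

      - name: Set up Go
        id: go
        if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: '1.20'
          check-latest: true

      - name: kube-webhook-certgen image build
        if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
        run: |
          cd images/kube-webhook-certgen && make test test-e2e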