feat: add RHCL (Red Hat Connectivity Link) Helm chart #12
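# CI for the RHCL (Red Hat Connectivity Link) Helm chart under charts/rhcl.
# Three jobs: lint, render the chart in its supported configurations, and a
# set of supply-chain checks on the rendered manifests (registry allow-list,
# digest pinning, CRDs present, container security context).
name: RHCL CI

on:
  push:
    branches: [main, rhoai-*, odh-*, master]
    paths:
      - 'charts/rhcl/**'
      - '.github/workflows/rhcl-ci.yaml'
  pull_request:
    branches: [main, rhoai-*, odh-*, master]
    paths:
      - 'charts/rhcl/**'
      - '.github/workflows/rhcl-ci.yaml'

# Nothing here writes back to the repository, so the token stays read-only.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: Setup Helm
        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
      - name: Lint RHCL chart
        run: helm lint charts/rhcl/

  template:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: Setup Helm
        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
      # "e30=" is base64 for "{}": an empty .dockerconfigjson so the chart can be
      # rendered without a real pull secret.
      - name: Template RHCL chart (kubernetes)
        run: |
          helm template rhcl charts/rhcl/ \
            --namespace kuadrant-operators \
            --set images.pullSecret.dockerConfigJson="e30=" \
            --set platform.type=kubernetes
      - name: Template RHCL chart (openshift)
        run: |
          helm template rhcl charts/rhcl/ \
            --namespace kuadrant-operators \
            --set images.pullSecret.dockerConfigJson="e30=" \
            --set platform.type=openshift
      - name: Template with DNS operator enabled
        run: |
          helm template rhcl charts/rhcl/ \
            --namespace kuadrant-operators \
            --set images.pullSecret.dockerConfigJson="e30=" \
            --set operators.dns.enabled=true
      - name: Template with monitoring enabled
        run: |
          helm template rhcl charts/rhcl/ \
            --namespace kuadrant-operators \
            --set images.pullSecret.dockerConfigJson="e30=" \
            --set monitoring.enabled=true

  security-check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: Setup Helm
        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
      - name: Verify no secrets in values.yaml
        run: |
          # Heuristic: a quoted, non-empty value under a secret-looking key.
          # POSIX ERE defines neither \s nor \x27, so the earlier pattern
          # matched the literal characters \ x 2 7 and never caught
          # single-quoted values; [[:space:]] and '\'' are the portable forms.
          # dockerConfigJson is the chart's own pull-secret key (see the
          # --set used by the template job).
          pattern='(password|token|key|dockerConfigJson):[[:space:]]*["'\''].+["'\'']'
          if grep -qE -- "${pattern}" charts/rhcl/values.yaml; then
            echo "ERROR: Potential hardcoded secret found in values.yaml" >&2
            exit 1
          fi
          echo "No hardcoded secrets found"
      - name: Verify all images from registry.redhat.io
        run: |
          # stderr is left visible so a failed render is diagnosable instead of
          # quietly producing empty output.
          RENDERED=$(helm template rhcl charts/rhcl/ \
            --set images.pullSecret.dockerConfigJson="e30=")
          # Two passes: (1) allow-list every image: field against the two
          # Red Hat registries this step promises, (2) keep the deny-list scan
          # of the whole render so references in env/args are still caught.
          NON_RH=$(
            grep -E '^[[:space:]]*(-[[:space:]]*)?image:' <<<"${RENDERED}" \
              | grep -vE 'image:[[:space:]]*["'\'']?registry\.(redhat\.io|access\.redhat\.com)/' || true
            grep -oE '(quay\.io|ghcr\.io|docker\.io)[^"'\''[:space:]]+' <<<"${RENDERED}" || true
          )
          if [[ -n "${NON_RH}" ]]; then
            echo "ERROR: Found non-Red Hat registry images:" >&2
            printf '%s\n' "${NON_RH}" >&2
            exit 1
          fi
          echo "All images are from registry.redhat.io / registry.access.redhat.com"
      - name: Verify all images use digest pinning
        run: |
          RENDERED=$(helm template rhcl charts/rhcl/ \
            --set images.pullSecret.dockerConfigJson="e30=")
          # Every image: field must carry a digest. The earlier filter only
          # inspected tags starting with a digit, so a tag such as ":latest"
          # passed unnoticed; a render with no image fields at all now fails
          # too rather than passing vacuously.
          IMAGE_LINES=$(grep -E '^[[:space:]]*(-[[:space:]]*)?image:' <<<"${RENDERED}" || true)
          if [[ -z "${IMAGE_LINES}" ]]; then
            echo "ERROR: Rendered chart contains no image fields" >&2
            exit 1
          fi
          UNPINNED=$(grep -v '@sha256:' <<<"${IMAGE_LINES}" || true)
          if [[ -n "${UNPINNED}" ]]; then
            echo "ERROR: Found image using tag instead of digest:" >&2
            printf '%s\n' "${UNPINNED}" >&2
            exit 1
          fi
          echo "All images use digest pinning"
      - name: Verify CRDs in crds/ directory
        working-directory: ./charts/rhcl
        run: |
          # compgen -G expands the glob directly instead of parsing ls output.
          if [[ ! -d crds ]] || ! compgen -G 'crds/*.yaml' >/dev/null; then
            echo "ERROR: No CRDs found in crds/ directory" >&2
            exit 1
          fi
          echo "CRDs found:"
          ls -la crds/
      - name: Verify security contexts
        run: |
          RENDERED=$(helm template rhcl charts/rhcl/ \
            --set images.pullSecret.dockerConfigJson="e30=")
          # The check is scoped per container: the earlier loop never used
          # $container and re-ran one global grep, so a single hardened
          # container satisfied the check for all three.
          # NOTE(review): the 40-line window after "name: <container>" assumes
          # securityContext sits near the container name in the rendered
          # Deployment — confirm against the chart templates.
          warnings=0
          for container in kuadrant-operator authorino-operator limitador-operator; do
            if ! grep -A40 -- "name: ${container}" <<<"${RENDERED}" \
                 | grep -qE 'readOnlyRootFilesystem:[[:space:]]*true'; then
              echo "WARNING: readOnlyRootFilesystem may not be set for ${container}"
              warnings=$((warnings + 1))
            fi
          done
          # Still advisory (no hard failure), but the summary now reflects
          # whether anything was flagged.
          if (( warnings > 0 )); then
            echo "Security context checks completed with ${warnings} warning(s)"
          else
            echo "Security context checks passed"
          fi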