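---
# CI for the RHCL Helm chart in charts/rhcl: lint, render it with a few
# representative value combinations, then run supply-chain checks on the
# rendered manifests (registry allowlist, digest pinning, CRDs, security
# contexts).
name: RHCL CI

# yamllint disable-line rule:truthy -- `on` is the GitHub Actions trigger key.
on:
  push:
    branches: [main, rhoai-*, odh-*, master]
    paths:
      - 'charts/rhcl/**'
      - '.github/workflows/rhcl-ci.yaml'
  pull_request:
    branches: [main, rhoai-*, odh-*, master]
    paths:
      - 'charts/rhcl/**'
      - '.github/workflows/rhcl-ci.yaml'

# Read-only token for every job: nothing here writes to the repository.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false
      - name: Setup Helm
        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
      - name: Lint RHCL chart
        run: helm lint charts/rhcl/

  template:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: Setup Helm
        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
      # `e30=` is base64 for `{}`: an empty docker config, so rendering needs
      # no real registry credentials.
      - name: Template RHCL chart (kubernetes)
        run: |
          helm template rhcl charts/rhcl/ \
            --namespace kuadrant-operators \
            --set images.pullSecret.dockerConfigJson="e30=" \
            --set platform.type=kubernetes
      - name: Template RHCL chart (openshift)
        run: |
          helm template rhcl charts/rhcl/ \
            --namespace kuadrant-operators \
            --set images.pullSecret.dockerConfigJson="e30=" \
            --set platform.type=openshift
      - name: Template with DNS operator enabled
        run: |
          helm template rhcl charts/rhcl/ \
            --namespace kuadrant-operators \
            --set images.pullSecret.dockerConfigJson="e30=" \
            --set operators.dns.enabled=true
      - name: Template with monitoring enabled
        run: |
          helm template rhcl charts/rhcl/ \
            --namespace kuadrant-operators \
            --set images.pullSecret.dockerConfigJson="e30=" \
            --set monitoring.enabled=true

  security-check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - name: Setup Helm
        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0

      - name: Verify no secrets in values.yaml
        run: |
          # The pattern is double-quoted: grep -E has no \x27 hex escape (a
          # bracket containing \x27 matched the literal characters \ x 2 7),
          # and [[:space:]] is POSIX where \s is a GNU extension.
          if grep -qE "(password|token|key):[[:space:]]*[\"'].+[\"']" charts/rhcl/values.yaml; then
            echo "ERROR: Potential hardcoded secret found in values.yaml"
            exit 1
          fi
          echo "No hardcoded secrets found"

      # Render once and let every check below read the same file. Helm's
      # stderr is no longer discarded, so a failed render shows why it failed.
      - name: Render chart for inspection
        run: |
          helm template rhcl charts/rhcl/ \
            --set images.pullSecret.dockerConfigJson="e30=" \
            > "$RUNNER_TEMP/rendered.yaml"
          # A render with no image: fields would make the registry and digest
          # checks pass vacuously, so refuse it up front.
          if ! grep -qE '^[[:space:]]*-?[[:space:]]*image:' "$RUNNER_TEMP/rendered.yaml"; then
            echo "ERROR: rendered chart contains no image: fields"
            exit 1
          fi

      - name: Verify all images from registry.redhat.io
        run: |
          RENDERED="$RUNNER_TEMP/rendered.yaml"
          # Denylist pass over the whole render: also catches references in
          # env vars and args, not only image: fields.
          NON_RH=$(grep -oE '(quay\.io|ghcr\.io|docker\.io)[^"'\''[:space:]]+' "$RENDERED" || true)
          if [[ -n "${NON_RH}" ]]; then
            echo "ERROR: Found non-Red Hat registry images:"
            echo "${NON_RH}"
            exit 1
          fi
          # Allowlist pass over image: fields: a registry missing from the
          # denylist (gcr.io, a mirror, a bare Docker Hub name) also fails,
          # which is what the success message below actually claims.
          OTHER=$(grep -E '^[[:space:]]*-?[[:space:]]*image:' "$RENDERED" \
            | sed -E 's/^[[:space:]]*-?[[:space:]]*image:[[:space:]]*["'\'']?//' \
            | grep -vE '^registry\.(redhat\.io|access\.redhat\.com)/' || true)
          if [[ -n "${OTHER}" ]]; then
            echo "ERROR: Found image: fields outside registry.redhat.io / registry.access.redhat.com:"
            echo "${OTHER}"
            exit 1
          fi
          echo "All images are from registry.redhat.io / registry.access.redhat.com"

      - name: Verify all images use digest pinning
        run: |
          RENDERED="$RUNNER_TEMP/rendered.yaml"
          # Every image: field must carry a sha256 digest. Matching on the
          # field instead of on ':v?[0-9]' also rejects non-numeric tags such
          # as :latest and untagged references, which the old pattern let through.
          if grep -E '^[[:space:]]*-?[[:space:]]*image:' "$RENDERED" \
               | grep -vE '@sha256:[0-9a-f]{64}'; then
            echo "ERROR: Found image using tag instead of digest"
            exit 1
          fi
          echo "All images use digest pinning"

      - name: Verify CRDs in crds/ directory
        working-directory: ./charts/rhcl
        run: |
          if [[ ! -d "crds" ]] || [[ -z "$(ls -A crds/*.yaml 2>/dev/null)" ]]; then
            echo "ERROR: No CRDs found in crds/ directory"
            exit 1
          fi
          echo "CRDs found:"
          ls -la crds/

      - name: Verify security contexts
        run: |
          RENDERED="$RUNNER_TEMP/rendered.yaml"
          # Check each operator inside the rendered documents that name it.
          # The previous form grepped the whole render and never used
          # $container, so one container setting the field satisfied the
          # check for all three; it also accepted any "true" within five
          # lines of the key. Still a warning, as before: the document names
          # that identify each operator are not verified here.
          for container in kuadrant-operator authorino-operator limitador-operator; do
            DOC=$(awk -v c="$container" 'BEGIN { RS = "\n---" } index($0, c)' "$RENDERED")
            if ! printf '%s\n' "$DOC" | grep -qE '^[[:space:]]*readOnlyRootFilesystem:[[:space:]]*true'; then
              echo "WARNING: readOnlyRootFilesystem may not be set for $container"
            fi
          done
          echo "Security context checks passed"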