From db7c317f486b95dfa89ba00d3bfa8e0b605a33b1 Mon Sep 17 00:00:00 2001
From: Jan Bouska
Date: Wed, 29 Jan 2025 09:23:59 +0100
Subject: [PATCH 1/2] Kind action
---
 .../workflows/actions/kind-cluster/action.yml | 95 ++++++++
 .github/workflows/main.yml | 210 +++++++-----------
 2 files changed, 175 insertions(+), 130 deletions(-)
 create mode 100644 .github/workflows/actions/kind-cluster/action.yml
diff --git a/.github/workflows/actions/kind-cluster/action.yml b/.github/workflows/actions/kind-cluster/action.yml
new file mode 100644
index 000000000..27269c224
--- /dev/null
+++ b/.github/workflows/actions/kind-cluster/action.yml
@@ -0,0 +1,95 @@ +name: 'Install and configure Kind cluster' +inputs: + config: + description: 'Kind config' + required: true + olm: + description: 'install olm' + required: true + type: boolean + default: 'false' + keycloak: + description: 'install keycloak' + required: true + type: boolean + default: 'false' + prometheus: + description: 'install prometheus' + required: true + type: boolean + default: 'false' +runs: + using: 'composite' + steps: + - name: Install Cluster + uses: container-tools/kind-action@v2.0.1 + with: + version: v0.20.0 + node_image: kindest/node:v1.26.6@sha256:6e2d8b28a5b601defe327b98bd1c2d1930b49e5d8c512e1895099e4504007adb + cpu: 3 + registry: false + config: ${{ inputs.config }} + + - name: Configure ingress + shell: bash + run: | + kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml + kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=90s + - name: Install prometheus + if: ${{ inputs.prometheus }} + shell: bash + run: | + #install Prometheus + LATEST=$(curl -s https://api.github.com/repos/prometheus-operator/prometheus-operator/releases/latest | jq -cr .tag_name) + curl -sL https://github.com/prometheus-operator/prometheus-operator/releases/download/${LATEST}/bundle.yaml | kubectl create -f - + kubectl wait --for=condition=Ready pods -l app.kubernetes.io/name=prometheus-operator -n default + + - name: Install olm + if: ${{ inputs.olm }} + shell: bash + run: | + #install OLM + kubectl create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.25.0/crds.yaml + # wait for a while to be sure CRDs are installed + sleep 1 + kubectl create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.25.0/olm.yaml + + - name: Install keycloak + if: ${{ inputs.keycloak }} + shell: bash + run: | + kubectl create --kustomize 
ci/keycloak/operator/overlay/kind + until [ ! -z "$(kubectl get pod -l name=keycloak-operator -n keycloak-system 2>/dev/null)" ] + do + echo "Waiting for keycloak operator. Pods in keycloak-system namespace:" + kubectl get pods -n keycloak-system + sleep 10 + done + kubectl create --kustomize ci/keycloak/resources/overlay/kind + until [[ $( oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system 2>/dev/null) == "true" ]] + do + printf "Waiting for keycloak deployment. \n Keycloak ready: %s\n" $(oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system) + sleep 10 + done + + # HACK - expose keycloak under the same name as the internal SVC has so it will be accessible: + # - within the cluster (where the localhost does not work) + # - outside the cluster (resolved from /etc/hosts and redirect to the localhost) + kubectl create -n keycloak-system -f - </dev/null)" ] - do - echo "Waiting for keycloak operator. Pods in keycloak-system namespace:" - kubectl get pods -n keycloak-system - sleep 10 - done - kubectl create --kustomize ci/keycloak/resources/overlay/kind - until [[ $( oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system 2>/dev/null) == "true" ]] - do - printf "Waiting for keycloak deployment. \n Keycloak ready: %s\n" $(oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system) - sleep 10 - done - - # HACK - expose keycloak under the same name as the internal SVC has so it will be accessible: - # - within the cluster (where the localhost does not work) - # - outside the cluster (resolved from /etc/hosts and redirect to the localhost) - kubectl create -n keycloak-system -f - </dev/null)" ] - do - echo "Waiting for keycloak operator. 
Pods in keycloak-system namespace:" - kubectl get pods -n keycloak-system - sleep 10 - done - kubectl create --kustomize ci/keycloak/resources/overlay/kind - until [[ $( oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system 2>/dev/null) == "true" ]] - do - printf "Waiting for keycloak deployment. \n Keycloak ready: %s\n" $(oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system) - sleep 10 - done - - # HACK - expose keycloak under the same name as the internal SVC has so it will be accessible: - # - within the cluster (where the localhost does not work) - # - outside the cluster (resolved from /etc/hosts and redirect to the localhost) - kubectl create -n keycloak-system -f - < Date: Fri, 31 Jan 2025 11:19:09 +0100 Subject: [PATCH 2/2] Add e2e test scenario --- .../actions/kind-cluster/action.yml | 25 ++++--- .github/workflows/main.yml | 70 ++++++++++++------- 2 files changed, 62 insertions(+), 33 deletions(-) rename .github/{workflows => }/actions/kind-cluster/action.yml (84%) diff --git a/.github/workflows/actions/kind-cluster/action.yml b/.github/actions/kind-cluster/action.yml similarity index 84% rename from .github/workflows/actions/kind-cluster/action.yml rename to .github/actions/kind-cluster/action.yml index 27269c224..e3ca70e14 100644 --- a/.github/workflows/actions/kind-cluster/action.yml +++ b/.github/actions/kind-cluster/action.yml @@ -1,4 +1,6 @@ name: 'Install and configure Kind cluster' +description: 'Customized Kind-action' + inputs: config: description: 'Kind config' @@ -6,18 +8,21 @@ inputs: olm: description: 'install olm' required: true - type: boolean default: 'false' keycloak: description: 'install keycloak' required: true - type: boolean default: 'false' prometheus: description: 'install prometheus' required: true - type: boolean default: 'false' + +outputs: + oidc_url: + value: keycloak_url + description: 'Keycloak OIDC url' + runs: using: 'composite' steps: 
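Review bot: `outputs.oidc_url` is defined with `value: keycloak_url`, which in a composite action is the literal string "keycloak_url" rather than a reference to the value the `Install keycloak` step writes; every consumer of `steps.kind.outputs.oidc_url` in main.yml gets that literal, and the `sed` in the `Install securesign` step would substitute it for the issuer URL. The output has to be wired through a step id: give the `Install keycloak` step `id: keycloak` and change the mapping to `value: ${{ steps.keycloak.outputs.keycloak_url }}`. The `@@ -92,4 +97,6 @@` hunk that appends `echo "keycloak_url=..." >> $GITHUB_OUTPUT` is the other half of the same defect, since that step currently has no `id:`; quoting `"$GITHUB_OUTPUT"` there would be the usual shell hygiene.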
@@ -36,7 +41,7 @@ runs: kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=90s - name: Install prometheus - if: ${{ inputs.prometheus }} + if: ${{ inputs.prometheus == 'true'}} shell: bash run: | #install Prometheus @@ -45,7 +50,7 @@ runs: kubectl wait --for=condition=Ready pods -l app.kubernetes.io/name=prometheus-operator -n default - name: Install olm - if: ${{ inputs.olm }} + if: ${{ inputs.olm == 'true'}} shell: bash run: | #install OLM @@ -55,7 +60,7 @@ runs: kubectl create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.25.0/olm.yaml - name: Install keycloak - if: ${{ inputs.keycloak }} + if: ${{ inputs.keycloak == 'true'}} shell: bash run: | kubectl create --kustomize ci/keycloak/operator/overlay/kind @@ -66,9 +71,9 @@ runs: sleep 10 done kubectl create --kustomize ci/keycloak/resources/overlay/kind - until [[ $( oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system 2>/dev/null) == "true" ]] + until [[ $( kubectl get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system 2>/dev/null) == "true" ]] do - printf "Waiting for keycloak deployment. \n Keycloak ready: %s\n" $(oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system) + printf "Waiting for keycloak deployment. \n Keycloak ready: %s\n" $(kubectl get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system) sleep 10 done @@ -92,4 +97,6 @@ runs: number: 80 path: / pathType: Prefix - EOF \ No newline at end of file + EOF + + echo "keycloak_url=https://keycloak-internal.keycloak-system.svc" >> $GITHUB_OUTPUT diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index de9111557..2360955bc 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
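Review bot: The ingress manifest in the context lines at the top of this hunk is fetched from the ingress-nginx `main` branch, so every run installs whatever that branch currently holds into the CI cluster; pinning it to a release tag, as OLM already is at v0.25.0, makes the action reproducible and bounds what an upstream change can push into the pipeline. The `Install prometheus` step that follows (its body is visible in patch 1) has the same property by resolving `releases/latest` through the unauthenticated GitHub API, and its `curl -s` lacks `-f`, so a rate-limit or HTTP error page would be piped into `kubectl create` with a confusing failure; `curl -fsSL` plus a pinned tag addresses both. Cosmetically, `== 'true'}}` is missing the space before `}}` here and in the two following hunks.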
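Review bot: `kubectl wait --for=condition=Ready pods -l app.kubernetes.io/name=prometheus-operator -n default` in the context of this hunk has no `--timeout`, so kubectl's 30s default applies, and as far as I recall `kubectl wait` with a label selector errors immediately with "no matching resources found" when the operator's pod has not been created yet, which makes this step racy right after `kubectl create`. Waiting on the Deployment with an explicit bound, e.g. `kubectl wait --for=condition=Available deployment/prometheus-operator -n default --timeout=120s` (deployment name to be confirmed against the bundle), removes both problems. The enclosing `run:` block starts before this hunk.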
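Review bot: The `until` loop rewritten in this hunk has no upper bound: if the Keycloak CR never reports `status.ready` as `true`, the step polls every 10s until the job's wall-clock limit kills it, and the operator-pod loop just above the hunk behaves the same way. Bound it either with a counter that exits non-zero after a fixed number of iterations or, since the action now uses kubectl throughout, with `kubectl wait --for=jsonpath='{.status.ready}'=true keycloak/keycloak -n keycloak-system --timeout=300s` where the installed kubectl tolerates a not-yet-populated status path. The `$(kubectl get ...)` argument to `printf` is unquoted, so an empty result drops the `%s` argument rather than printing an empty value. The enclosing `run:` block starts before this hunk.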
@@ -205,7 +205,7 @@ jobs: run: podman load -i /tmp/operator-oci.tar - name: Install Cluster - uses: ./.github/workflows/actions/kind-cluster + uses: ./.github/actions/kind-cluster with: config: ./ci/config.yaml prometheus: 'true' @@ -286,7 +286,7 @@ jobs: podman load -i /tmp/catalog-oci.tar - name: Install Cluster - uses: ./.github/workflows/actions/kind-cluster + uses: ./.github/actions/kind-cluster with: config: ./ci/config.yaml prometheus: 'true' @@ -356,7 +356,7 @@ jobs: run: podman load -i /tmp/operator-oci.tar - name: Install Cluster - uses: ./.github/workflows/actions/kind-cluster + uses: ./.github/actions/kind-cluster with: config: ./ci/config.yaml @@ -382,18 +382,19 @@ jobs: test-e2e: name: Execute securesign/sigstore-e2e - runs-on: ubuntu-20.04 + runs-on: ubuntu-24.04 needs: - - build-fbc + - build-operator + env: + TEST_NAMESPACE: test steps: - - name: Free Disk Space (Ubuntu) - uses: jlumbroso/free-disk-space@main - with: - tool-cache: true - name: Checkout source uses: actions/checkout@v4 + - name: Checkout test source repository + uses: actions/checkout@v4 with: repository: "securesign/sigstore-e2e" + path: e2e - name: Install Go uses: actions/setup-go@v5 
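Review bot: The new `Checkout test source repository` step checks out `securesign/sigstore-e2e` without a `ref:`, so the test suite executed is whatever the default branch of that repository contains at run time, and a change there can alter or break this job with no corresponding change in this repository. Pinning `ref:` to a tag or commit (and bumping it deliberately) keeps the e2e job reproducible; I can't tell from here whether the project prefers tracking the branch on purpose. The `test-e2e` job defined here continues past this hunk.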
@@ -421,35 +422,56 @@ jobs: - name: Load images run: | podman load -i /tmp/operator-oci.tar - podman load -i /tmp/bundle-oci.tar - podman load -i /tmp/catalog-oci.tar - name: Install Cluster - uses: ./.github/workflows/actions/kind-cluster + id: kind + uses: ./.github/actions/kind-cluster with: config: ./ci/config.yaml keycloak: 'true' olm: 'true' + prometheus: 'true' - name: Add service hosts to /etc/hosts run: | sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local rekor-search-ui.local cli-server.local" | sudo tee -a /etc/hosts - - name: Install operator - run: - - - name: Run tests + - name: Deploy operator container env: - TEST_MANAGER_IMAGE: ${{ env.IMG }} OPENSHIFT: false - run: make install && go test ./test/e2e/... -tags=custom_install -p 1 -timeout 20m + run: make deploy - - name: Archive test artifacts - uses: actions/upload-artifact@v4 - if: always() - with: - name: test-custom-install - path: test/**/k8s-dump-*.tar.gz + - name: Wait for operator to be ready + run: | + kubectl wait --for=condition=available deployment/rhtas-operator-controller-manager --timeout=120s -n openshift-rhtas-operator + + - name: Install securesign + run: | + sed -i 's#https://your-oidc-issuer-url#${{ steps.kind.outputs.oidc_url }}#' config/samples/rhtas_v1alpha1_securesign.yaml + sed -i 's#rhtas.redhat.com/metrics: "true"#rhtas.redhat.com/metrics: "false"#' config/samples/rhtas_v1alpha1_securesign.yaml + kubectl create ns ${{ env.TEST_NAMESPACE }} + kubectl create -f config/samples/rhtas_v1alpha1_securesign.yaml -n ${{ env.TEST_NAMESPACE }} + sleep 1 + kubectl wait --for=condition=Ready securesign/securesign-sample -n ${{ env.TEST_NAMESPACE }} + + - name: Run tests + run: | + export SIGSTORE_OIDC_ISSUER=${{ steps.kind.outputs.oidc_url }} + export FULCIO_URL=$(kubectl get securesign -o jsonpath='{.items[0].status.fulcio.url}' -n ${{ env.TEST_NAMESPACE }}) + export REKOR_URL=$(kubectl get securesign -o jsonpath='{.items[0].status.rekor.url}' -n ${{ 
env.TEST_NAMESPACE }}) + export TUF_URL=$(kubectl get securesign -o jsonpath='{.items[0].status.tuf.url}' -n ${{ env.TEST_NAMESPACE }}) + export TSA_URL=$(kubectl get securesign -o jsonpath='{.items[0].status.tsa.url}' -n ${{ env.TEST_NAMESPACE }}) + + export CLI_STRATEGY=cli_server + export CLI_SERVER_URL="http://cli-server.local" + + cd e2e + go test -v ./test/... + + - name: dump the logs of the operator + run: | + kubectl logs -n openshift-rhtas-operator deployment/rhtas-operator-controller-manager + if: failure() test-eks: name: Test EKS deployment
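Review bot: `kubectl wait --for=condition=Ready securesign/securesign-sample -n ...` in the new `Install securesign` step has no `--timeout`, so kubectl's 30s default applies, which is very unlikely to cover the time the operator needs to bring the Securesign components up (the preceding operator wait already allows 120s); something like `--timeout=600s` is needed, and the `sleep 1` before it does not guarantee the CR is visible either. The `run:` scripts in this step and in `Run tests` inline `${{ steps.kind.outputs.oidc_url }}` and `${{ env.TEST_NAMESPACE }}` directly into shell text; `TEST_NAMESPACE` is already an environment variable and can be read as `$TEST_NAMESPACE`, and the OIDC URL should be passed through an `env:` entry such as `OIDC_URL: ${{ steps.kind.outputs.oidc_url }}` so a value containing shell metacharacters cannot change the script. The removed step ran `go test ... -p 1 -timeout 20m` while the new one runs `go test -v ./test/...` with defaults, so the 10-minute default test timeout and package-level parallelism now apply; whether the e2e suite tolerates either is not visible here. The `test-eks` job that closes the hunk continues outside it.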