Skip to content
This repository has been archived by the owner on Mar 22, 2024. It is now read-only.

Deny production runs of example.org trust domains #2431

Deny production runs of example.org trust domains

Deny production runs of example.org trust domains #2431

Workflow file for this run

name: Helm Chart CI
on:
workflow_dispatch:
pull_request:
types: [synchronize, opened, reopened]
paths:
- 'charts/**'
- '.github/workflows/helm-chart-ci.yaml'
- '.github/kind/conf/kind-config.yaml'
- '.github/tests/**/*.yaml'
- '.github/tests/**/*.sh'
- '.github/tests/**/*.json'
- 'examples/**/*.yaml'
- 'examples/**/*.sh'
- 'tests/**/*'
- 'helm-docs.sh'
concurrency:
group: ${{ github.ref }}
cancel-in-progress: true
env:
HELM_VERSION: v3.12.0
PYTHON_VERSION: 3.11.3
KIND_VERSION: v0.19.0
CHART_TESTING_VERSION: v3.8.0
jobs:
checks:
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/[email protected]
- name: Verify Docs updated
run: ./helm-docs.sh
- name: Verify Spire appVersion
run: |
set +e
BASEVER=$(yq e .appVersion Chart.yaml)
for FILE in spiffe-oidc-discovery-provider spire-agent spire-server; do
VER=$(yq .appVersion charts/$FILE/Chart.yaml)
if [ "$VER" != "$BASEVER" ]; then
{
echo "## Version mismatch"
echo
echo "There is a mismatch between the chart version ($BASEVER) and subchart version ($VER). The issue may be in file $FILE. Please fix."
} >> "$GITHUB_STEP_SUMMARY"
exit 1
fi
done
- name: Check objects for images without overrides
run: |
set +e
set -o pipefail
# Look for image: definitions that are not templated. If we find none, exit is not 0 and we invert the error code to get the
# test to pass. Ignore tests for now...
grep -r "image:" charts/spire | grep "templates/" | grep -v 'image: {{ template "' > /tmp/findings
res=$?
if [ $res -eq 0 ]; then
{
echo "## Hardcoded images"
echo
echo ":x: These templates were found to be using statically defined images and not overridable ones. Please fix."
echo
cat /tmp/findings
} >> "$GITHUB_STEP_SUMMARY"
exit 1
fi
- name: Setup Go
uses: actions/[email protected]
with:
go-version-file: tests/go.mod
cache-dependency-path: tests/go.sum
check-latest: true
- name: Install do dependencies
run: |
go mod download
go install github.com/onsi/ginkgo/v2/ginkgo@latest
working-directory: ./tests/unit
- name: Run Unit Tests
run: ginkgo
working-directory: ./tests/unit
lint-chart:
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/[email protected]
with:
fetch-depth: 0
- name: Set up Helm
uses: azure/[email protected]
with:
version: ${{ env.HELM_VERSION }}
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Setup chart-testing
uses: helm/[email protected]
with:
version: ${{ env.CHART_TESTING_VERSION }}
- name: Run chart-testing (lint)
run: TARGET_BRANCH=${{ github.base_ref }} make lint${{ github.base_ref == 'release' && '-release' || '' }}
test:
runs-on: ubuntu-22.04
needs:
- lint-chart
strategy:
fail-fast: false
matrix:
# Choose tags corresponding to the version of Kind being used.
# At a minimum, we should test the currently supported versions of
# Kubernetes, but can go back farther as long as we don't need heroics
# to pull it off (i.e. kubectl version juggling).
k8s:
- v1.27.2
- v1.26.4
- v1.25.9
steps:
- name: Checkout
uses: actions/[email protected]
with:
fetch-depth: 0
- name: Set up Helm
uses: azure/[email protected]
with:
version: ${{ env.HELM_VERSION }}
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Setup chart-testing
uses: helm/[email protected]
with:
version: ${{ env.CHART_TESTING_VERSION }}
- name: Create kind ${{ matrix.k8s }} cluster
uses: helm/[email protected]
# Only build a kind cluster if there are chart changes to test.
with:
version: ${{ env.KIND_VERSION }}
node_image: kindest/node:${{ matrix.k8s }}
config: .github/kind/conf/kind-config.yaml
verbosity: 1
- name: Setup Test dependencies
run: ./pre-install.sh
working-directory: .github/tests
- name: Run chart-testing (install)
run: |
ct install --config ct.yaml \
--target-branch ${{ github.base_ref }}
- name: Test summary
if: always()
run: ./post-install.sh
working-directory: .github/tests
build-matrix:
name: Build matrix
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/[email protected]
- id: set-matrix
name: Collect all examples
run: |
examples="$(find examples -maxdepth 2 -type f -name run-tests.sh | xargs -I % dirname %)"
examples_json="$(echo "$examples" | jq -c --slurp --raw-input 'split("\n") | map(select(. != ""))')"
echo "${examples_json}"
echo "examples=$examples_json" >>"$GITHUB_OUTPUT"
outputs:
examples: ${{ steps.set-matrix.outputs.examples }}
example-test:
runs-on: ubuntu-22.04
needs:
- lint-chart
- build-matrix
strategy:
fail-fast: false
matrix:
k8s:
- v1.27.2
- v1.26.4
- v1.25.9
example:
- ${{ fromJson(needs.build-matrix.outputs.examples) }}
steps:
- name: Checkout
uses: actions/[email protected]
- name: Set up Helm
uses: azure/[email protected]
with:
version: ${{ env.HELM_VERSION }}
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Create kind cluster
uses: helm/[email protected]
# Only build a kind cluster if there are chart changes to test.
with:
version: ${{ env.KIND_VERSION }}
node_image: kindest/node:v1.26.4
config: .github/kind/conf/kind-config.yaml
verbosity: 1
- name: Install and test example
run: ${{ matrix.example }}/run-tests.sh