Skip to content

Merge pull request #333 from mark5cinco/gke-maintenance-exclusions #692

Merge pull request #333 from mark5cinco/gke-maintenance-exclusions

Merge pull request #333 from mark5cinco/gke-maintenance-exclusions #692

Workflow file for this run

name: Build Test Publish
on:
push:
branches:
- "*" # run for branches
tags:
- "*" # run for tags
jobs:
build-test-artifacts:
runs-on: ubuntu-latest
steps:
- name: 'Checkout'
uses: actions/checkout@v3
- name: 'Setup buildx'
uses: docker/setup-buildx-action@v2
with:
install: true
- name: 'Docker login'
uses: docker/login-action@v2
with:
username: kbstci
password: ${{ secrets.DOCKER_AUTH }}
- name: 'Build artifacts'
env:
DOCKER_PUSH: true
GIT_SHA: ${{ github.sha }}
GIT_REF: ${{ github.ref }}
run: make dist
- name: 'Upload artifacts'
uses: actions/upload-artifact@v3
with:
name: test-artifacts
path: ./quickstart/_dist
build-image:
runs-on: ubuntu-latest
needs: [build-test-artifacts]
strategy:
matrix:
starter: ["multi-cloud", "aks", "eks", "gke" ,"kind"]
permissions:
id-token: write # needed for keyless signing
steps:
- name: 'Free disk space'
# https://github.com/actions/runner-images/issues/2840#issuecomment-790492173
run: |
sudo rm -rf /usr/share/dotnet
sudo rm -rf /opt/ghc
sudo rm -rf /usr/local/share/boost
sudo rm -rf $AGENT_TOOLSDIRECTORY
- name: 'Checkout'
uses: actions/checkout@v3
- name: 'Download test-artifacts'
uses: actions/download-artifact@v3
with:
name: test-artifacts
path: ./quickstart/_dist
- name: Install Cosign
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 #v3.3.0
- name: 'Setup buildx'
uses: docker/setup-buildx-action@v2
with:
install: true
- name: 'Docker login'
uses: docker/login-action@v2
with:
username: kbstci
password: ${{ secrets.DOCKER_AUTH }}
- name: Build ${{ matrix.starter }} image
env:
DOCKER_PUSH: true
DOCKER_TARGET: ${{ matrix.starter }}
run: make build
- name: 'Sign Images'
env:
COSIGN_EXPERIMENTAL: true
run: |
cosign sign --yes -a GIT_HASH=${{ github.sha }} -a GIT_REF=${{ github.ref }} kubestack/framework-dev:test-${{ github.sha }}-${{ matrix.starter }}
test:
runs-on: ubuntu-latest
needs: [build-test-artifacts, build-image]
strategy:
fail-fast: false
matrix:
starter: ["multi-cloud", "aks", "eks", "gke" ,"kind"]
steps:
- name: 'Download test-artifacts'
uses: actions/download-artifact@v3
with:
name: test-artifacts
path: ./quickstart/_dist
- name: 'Unzip ${{ matrix.starter }} quickstart'
run: |
unzip quickstart/_dist/kubestack-starter-${{ matrix.starter }}-*.zip
- name: 'Docker login'
uses: docker/login-action@v2
with:
username: kbstci
password: ${{ secrets.DOCKER_AUTH }}
- name: 'Docker build'
env:
DOCKER_BUILDKIT: 1
working-directory: ./kubestack-starter-${{ matrix.starter }}
# retagging here is necessary because we only push images
# to kubestack/framework after they have been tested
# but the Dockerfiles in the artifact have the target image name
run: |
SOURCE_IMAGE=kubestack/framework-dev:test-${{ github.sha }}-${{ matrix.starter }}
docker pull $SOURCE_IMAGE
TARGET_IMAGE=$(cat Dockerfile | sed 's/FROM //')
docker tag $SOURCE_IMAGE $TARGET_IMAGE
docker build -t test-image:${{ github.sha }} .
- name: 'Configure Kubestack for ${{ matrix.starter }}'
working-directory: ./kubestack-starter-${{ matrix.starter }}
run: |
# ALL: set name_prefix
sed -i 's/name_prefix = ""/name_prefix = "test"/g' *_cluster.tf
# ALL: set base_domain
sed -i 's/base_domain = ""/base_domain = "infra.serverwolken.de"/g' *_cluster.tf
# AKS: set resource_group
sed -i 's/resource_group = ""/resource_group = "terraform-kubestack-testing"/g' aks_zero_cluster.tf || true
# EKS: set region
sed -i 's/region = ""/region = "eu-west-1"/g' eks_zero_providers.tf || true
# EKS: set cluster_availability_zones
sed -i 's/cluster_availability_zones = ""/cluster_availability_zones = "eu-west-1a,eu-west-1b"/g' eks_zero_cluster.tf || true
# GKE: set project_id
sed -i 's/project_id = ""/project_id = "terraform-kubestack-testing"/g' gke_zero_cluster.tf || true
# GKE: set region
sed -i 's/region = ""/region = "europe-west1"/g' gke_zero_cluster.tf || true
# GKE: set cluster_node_locations
sed -i 's/cluster_node_locations = ""/cluster_node_locations = "europe-west1-b,europe-west1-c,europe-west1-d"/g' gke_zero_cluster.tf || true
- name: 'Terraform init'
working-directory: ./kubestack-starter-${{ matrix.starter }}
run: |
docker run --rm \
-v `pwd`:/infra \
test-image:${{ github.sha }} \
terraform init
- name: 'Terraform workspace new ops'
working-directory: ./kubestack-starter-${{ matrix.starter }}
run: |
docker run --rm \
-v `pwd`:/infra \
test-image:${{ github.sha }} \
terraform workspace new ops
- name: 'Terraform validate'
working-directory: ./kubestack-starter-${{ matrix.starter }}
run: |
docker run --rm \
-v `pwd`:/infra \
test-image:${{ github.sha }} \
terraform validate
- name: 'Terraform plan'
working-directory: ./kubestack-starter-${{ matrix.starter }}
env:
KBST_AUTH_AWS: ${{ secrets.KBST_AUTH_AWS }}
KBST_AUTH_AZ: ${{ secrets.KBST_AUTH_AZ }}
KBST_AUTH_GCLOUD: ${{ secrets.KBST_AUTH_GCLOUD }}
run: |
docker run --rm \
-e KBST_AUTH_AWS \
-e KBST_AUTH_AZ \
-e KBST_AUTH_GCLOUD \
-v `pwd`:/infra \
-v /var/run/docker.sock:/var/run/docker.sock \
test-image:${{ github.sha }} \
terraform plan --target module.aks_zero --target module.eks_zero --target module.gke_zero
publish-image:
runs-on: ubuntu-latest
needs: [test]
strategy:
matrix:
starter: ["multi-cloud", "aks", "eks", "gke" ,"kind"]
steps:
- name: 'Download test-artifacts'
uses: actions/download-artifact@v3
with:
name: test-artifacts
path: ./quickstart/_dist
- name: Install Cosign
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 #v3.3.0
- name: 'Docker login'
uses: docker/login-action@v2
with:
username: kbstci
password: ${{ secrets.DOCKER_AUTH }}
- name: 'Docker push'
# cosign copy copies the images and the signature from one place to another
# then we dont need to sign again the same image
env:
COSIGN_EXPERIMENTAL: true
run: |
SOURCE_IMAGE=kubestack/framework-dev:test-${{ github.sha }}-${{ matrix.starter }}
TARGET_IMAGE=$(cat quickstart/_dist/kubestack-starter-${{ matrix.starter }}/Dockerfile | sed 's/FROM //')
echo "Source image $SOURCE_IMAGE will be pushed to $TARGET_IMAGE"
cosign copy $SOURCE_IMAGE $TARGET_IMAGE
publish-starter:
runs-on: ubuntu-latest
# only publish the artifacts when tests passed and images are pushed
# because publishing the starter is what makes a release public
needs: [test, publish-image]
permissions:
id-token: write # needed for keyless signing
strategy:
matrix:
starter: ["multi-cloud", "aks", "eks", "gke" ,"kind"]
steps:
- name: 'Download test-artifacts'
uses: actions/download-artifact@v3
with:
name: test-artifacts
path: ./quickstart/_dist
- name: Install Cosign
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 #v3.3.0
- id: 'auth'
uses: 'google-github-actions/auth@v1'
with:
credentials_json: ${{ secrets.GCLOUD_AUTH }}
- name: 'Setup gcloud'
uses: google-github-actions/setup-gcloud@v1
- name: 'Publish ${{ matrix.starter }} starter'
env:
COSIGN_EXPERIMENTAL: true
run: |
SOURCE_FILE=quickstart/_dist/kubestack-starter-${{ matrix.starter }}-${{ github.sha }}.zip
COSIGN_OUTPUT=kubestack-starter-${{ matrix.starter }}-${{ github.sha }}
TARGET_BUCKET=dev.quickstart.kubestack.com
if [[ $GITHUB_REF = refs/tags/v* ]]
then
VERSION=$(echo $GITHUB_REF | sed -e "s#^refs/tags/##")
SOURCE_FILE=quickstart/_dist/kubestack-starter-${{ matrix.starter }}-${VERSION}.zip
COSIGN_OUTPUT=kubestack-starter-${{ matrix.starter }}-${VERSION}
TARGET_BUCKET=quickstart.kubestack.com
fi
cosign sign-blob --yes --output-certificate $COSIGN_OUTPUT.pem --output-signature $COSIGN_OUTPUT.sig $SOURCE_FILE
gsutil -m cp $SOURCE_FILE gs://$TARGET_BUCKET
gsutil -m cp $COSIGN_OUTPUT.pem gs://$TARGET_BUCKET
gsutil -m cp $COSIGN_OUTPUT.sig gs://$TARGET_BUCKET