fix: Add Security context constrint for openshift #700
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: | |
| - '**' | |
| - '!dependabot/**' | |
| tags: | |
| - '**' | |
| pull_request: {} | |
| jobs: | |
| test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v4 | |
| with: | |
| go-version: 1.18.x | |
| - name: Test | |
| run: go test ./... -coverprofile cover.out | |
| - name: Scan Inclusive Terminology | |
| uses: get-woke/woke-action@v0 | |
| with: | |
| fail-on-error: true | |
| woke-args: -c https://via.vmw.com/its-woke-rules | |
| - name: Upload coverage to Codecov | |
| uses: codecov/codecov-action@v3 | |
| stage: | |
| needs: test | |
| runs-on: ubuntu-latest | |
| env: | |
| REGISTRY_NAME: registry.local | |
| REGISTRY_PORT: 5000 | |
| KO_DOCKER_REPO: registry.local:5000/service-bindings | |
| BUNDLE: registry.local:5000/service-bindings/bundle | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v4 | |
| with: | |
| go-version: 1.18.x | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: carvel-dev/setup-action@v1 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - run: | | |
| imgpkg version | |
| kbld version | |
| ytt version | |
| - name: Install ko | |
| run: | | |
| cd $(mktemp -d -t ko.XXXX) | |
| curl -sL https://github.com/google/ko/releases/download/v0.8.1/ko_0.8.1_Linux_x86_64.tar.gz | tar -xz | |
| sudo mv ./ko /usr/local/bin | |
| cd - | |
| - name: Setup local registry | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| # Run a registry. | |
| docker run \ | |
| -d --restart=always -p "127.0.0.1:${REGISTRY_PORT}:5000" --name local-registry \ | |
| registry:2 | |
| # Make the $REGISTRY_NAME -> 127.0.0.1 | |
| echo "127.0.0.1 $REGISTRY_NAME" | sudo tee -a /etc/hosts | |
| - name: Stage | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| readonly version=$(cat VERSION) | |
| readonly git_sha=$(git rev-parse HEAD) | |
| readonly git_timestamp=$(TZ=UTC git show --quiet --date='format-local:%Y%m%d%H%M%S' --format="%cd") | |
| readonly slug=${version}-${git_timestamp}-${git_sha:0:16} | |
| mkdir -p bundle/.imgpkg | |
| mkdir -p bundle/config | |
| mkdir -p bundle/samples | |
| cp LICENSE "bundle/LICENSE" | |
| cp NOTICE "bundle/NOTICE" | |
| cp VERSION "bundle/VERSION" | |
| cp config/carvel/bundle.yaml "bundle/bundle.yaml" | |
| cp config/carvel/bundle.yaml "bundle/openshift.yaml" | |
| cp -r samples "bundle/samples" | |
| echo "##[group]Build Service Bindings" | |
| cp hack/boilerplate/boilerplate.yaml.txt bundle/config/service-bindings.yaml | |
| ko resolve -t ${slug} -t latest -B -f config \ | |
| | ytt -f - -f config/carvel/release-version.overlay.yaml \ | |
| --data-value version=${slug} \ | |
| >> bundle/config/service-bindings.yaml | |
| kbld -f bundle/config/service-bindings.yaml --imgpkg-lock-output bundle/.imgpkg/images.yml | |
| echo "##[endgroup]" | |
| echo "##[group]Create bundle" | |
| imgpkg push -f "bundle" -b "${BUNDLE}" | |
| imgpkg copy -b "${BUNDLE}" --to-tar bundle/service-bindings-bundle.tar | |
| echo "##[endgroup]" | |
| - name: Upload Service Bindings build | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: service-bindings-bundle.tar | |
| path: bundle/service-bindings-bundle.tar | |
| - name: Grype scan | |
| run: | | |
| echo "##[group]Install grype" | |
| curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin | |
| echo "##[endgroup]" | |
| echo "##[group]Scan source ." | |
| grype dir:. --exclude ./hack | |
| echo "##[endgroup]" | |
| echo "##[group]Scan manager image" | |
| grype registry:registry.local:5000/service-bindings/manager:latest | |
| echo "##[endgroup]" | |
| continue-on-error: true | |
| acceptance: | |
| needs: stage | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| k8s: | |
| - 1.20.15 | |
| - 1.21.12 | |
| - 1.22.9 | |
| - 1.23.6 | |
| - 1.24.2 | |
| - 1.25.2 | |
| - 1.26.0 | |
| - 1.27.0 | |
| fail-fast: false | |
| env: | |
| REGISTRY_NAME: registry.local | |
| REGISTRY_PORT: 5000 | |
| BUNDLE: registry.local:5000/service-bindings/bundle | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: carvel-dev/setup-action@v1 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - run: | | |
| imgpkg version | |
| kbld version | |
| ytt version | |
| - name: Install kind | |
| run: | | |
| cd $(mktemp -d -t kind.XXXX) | |
| curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.16.0/kind-$(go env GOHOSTOS)-$(go env GOHOSTARCH) | |
| chmod +x ./kind | |
| sudo mv ./kind /usr/local/bin | |
| cd - | |
| - name: Setup local registry | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| # Run a registry. | |
| docker run \ | |
| -d --restart=always -p "${REGISTRY_PORT}:5000" --name local-registry \ | |
| registry:2 | |
| # Make the $REGISTRY_NAME -> local-registry | |
| echo "$(hostname -I | cut -d' ' -f1) $REGISTRY_NAME" | sudo tee -a /etc/hosts | |
| - name: Create Cluster | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| # create a cluster with the local registry enabled in containerd | |
| cat <<EOF | kind create cluster --config=- | |
| kind: Cluster | |
| apiVersion: kind.x-k8s.io/v1alpha4 | |
| containerdConfigPatches: | |
| - |- | |
| [plugins."io.containerd.grpc.v1.cri".registry.mirrors."${REGISTRY_NAME}:${REGISTRY_PORT}"] | |
| endpoint = ["http://local-registry:${REGISTRY_PORT}"] | |
| nodes: | |
| - role: control-plane | |
| image: kindest/node:v${{ matrix.k8s }} | |
| EOF | |
| # connect the registry to the cluster network | |
| docker network connect kind local-registry | |
| # Document the local registry | |
| # https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry # wokeignore:rule=master | |
| cat <<EOF | kubectl apply -f - | |
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: local-registry-hosting | |
| namespace: kube-public | |
| data: | |
| localRegistryHosting.v1: | | |
| host: "localhost:${REGISTRY_PORT}" | |
| help: "https://kind.sigs.k8s.io/docs/user/local-registry/" | |
| EOF | |
| - name: Download staged Service Bindings build | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: service-bindings-bundle.tar | |
| - name: Install kapp-controller | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| kapp deploy -a kapp-controller -y -f https://github.com/vmware-tanzu/carvel-kapp-controller/releases/download/v0.39.0/release.yml | |
| - name: Deploy Service Bindings Package | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| imgpkg copy --tar service-bindings-bundle.tar --to-repo "${BUNDLE}" | |
| kapp deploy -a service-bindings-package -y \ | |
| -f <( \ | |
| ytt -f config/carvel/package.yaml -f config/carvel/package.values.yaml \ | |
| --data-value version=$(cat VERSION) \ | |
| --data-value image=${BUNDLE} \ | |
| ) | |
| - name: Deploy Service Bindings | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| kapp deploy -a service-bindings -y \ | |
| -f <( \ | |
| ytt -f config/carvel/package-install.yaml -f config/carvel/package-install.values.yaml \ | |
| --data-value package_constraints=$(cat VERSION) \ | |
| --data-value-yaml 'package_prerelease={}' \ | |
| --data-value sync_period=10s \ | |
| ) | |
| - name: Deploy Spring Petclinic | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| kapp deploy -a spring-petclinic-db -f samples/spring-petclinic/service.yaml -y | |
| kapp deploy -a spring-petclinic-binding -f samples/spring-petclinic/service-binding.yaml -y | |
| kapp deploy -a spring-petclinic -f samples/spring-petclinic/workload.yaml -y | |
| # check that the workload and servicebinding are healthy | |
| kubectl wait deployment spring-petclinic --for condition=available | |
| kubectl wait servicebinding.servicebinding.io spring-petclinic-db --for condition=ready | |
| - name: Collect diagnostics | |
| run: | | |
| set +o errexit | |
| echo "##[group]All resources" | |
| kubectl get all,secrets,servicebindings.servicebinding.io -A | |
| echo "##[endgroup]" | |
| echo "##[group]Describe servicebindings" | |
| kubectl describe servicebindings.servicebinding.io | |
| echo "##[endgroup]" | |
| echo "##[group]Describe nodes" | |
| kubectl describe nodes | |
| echo "##[endgroup]" | |
| echo "##[group]Describe pods" | |
| kubectl describe pods | |
| echo "##[endgroup]" | |
| echo "##[group]Packages" | |
| kubectl get package -A -oyaml | |
| echo "##[endgroup]" | |
| echo "##[group]Package Installs" | |
| kubectl get packageinstall -A -oyaml | |
| echo "##[endgroup]" | |
| echo "##[group]Kapp list apps" | |
| kapp list -A | |
| echo "##[endgroup]" | |
| echo "##[group]Package changesets" | |
| kapp app-change list -a service-bindings-ctrl | |
| echo "##[endgroup]" | |
| echo "##[group]Service Binding manager logs" | |
| kubectl logs -n service-bindings -l app=manager -c manager --tail 1000 | |
| echo "##[endgroup]" | |
| echo "##[group]Petclinic deployment" | |
| kubectl get deployment spring-petclinic -oyaml | |
| echo "##[endgroup]" | |
| echo "##[group]Petclinic logs" | |
| kubectl logs -l app=spring-petclinic -c workload --tail 1000 | |
| echo "##[endgroup]" | |
| echo "##[group]MySQL deployment" | |
| kubectl get deployment spring-petclinic-db -oyaml | |
| echo "##[endgroup]" | |
| echo "##[group]MySQL logs" | |
| kubectl logs -l app=spring-petclinic-db -c mysql --tail 1000 | |
| echo "##[endgroup]" | |
| if: always() | |
| continue-on-error: true | |
| - name: Fail for multiple kapp changes | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| deploys=$(kapp app-change list -a service-bindings.app --json | jq '.Tables[0].Rows | length') | |
| if [ "$((deploys))" -gt 1 ]; then | |
| echo "Too many app changes for the service-binding package, expected 1 found ${deploys}" | |
| exit 1 | |
| fi | |
| - name: Cleanup Spring Petclinic | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| kapp delete -a spring-petclinic-db -y | |
| kapp delete -a spring-petclinic-binding -y | |
| kapp delete -a spring-petclinic -y | |
| - name: Cleanup Service Bindings | |
| run: kapp delete -a service-bindings -y | |
| if: always() | |
| - name: Cleanup Service Bindings Package | |
| run: kapp delete -a service-bindings-package -y | |
| if: always() | |
| - name: Cleanup kapp-controller | |
| run: kapp delete -a kapp-controller -y | |
| if: always() | |
| - name: Cleanup cluster | |
| run: kind delete cluster | |
| if: always() | |
| release: | |
| needs: acceptance | |
| if: startsWith(github.ref, 'refs/tags/') | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: carvel-dev/setup-action@v1 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - run: | | |
| imgpkg version | |
| kbld version | |
| ytt version | |
| - name: Install crane | |
| run: | | |
| cd $(mktemp -d -t kind.XXXX) | |
| curl -L https://github.com/google/go-containerregistry/releases/download/v0.5.1/go-containerregistry_Linux_x86_64.tar.gz | tar -xz | |
| chmod +x ./crane | |
| sudo mv ./crane /usr/local/bin | |
| cd - | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Get release version | |
| id: get-version | |
| run: | | |
| echo "version=$(cat VERSION)" >> $GITHUB_OUTPUT | |
| - name: Draft release | |
| id: create_release | |
| uses: actions/create-release@v1.1.4 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| tag_name: ${{ github.ref }} | |
| release_name: Release ${{ github.ref }} | |
| draft: true | |
| - name: Download staged Service Bindings build | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: service-bindings-bundle.tar | |
| - name: Relocate bundle to public registry | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| version="${{ steps.get-version.outputs.version }}" | |
| repo="ghcr.io/${{ github.repository }}/bundle" | |
| repo_tag="${repo}:${version}" | |
| imgpkg copy --tar service-bindings-bundle.tar --to-repo "${repo}" | |
| crane tag "${repo}" "${version}" | |
| repo_digest="${repo_tag}@$(crane digest "${repo_tag}")" | |
| mkdir -p bundle | |
| imgpkg pull -b "${repo_digest}" -o bundle | |
| cp hack/boilerplate/boilerplate.yaml.txt service-bindings.yaml | |
| kbld -f bundle/config/service-bindings.yaml -f bundle/.imgpkg/images.yml \ | |
| >> service-bindings.yaml | |
| cp hack/boilerplate/boilerplate.yaml.txt service-bindings-package.yaml | |
| ytt -f config/carvel/package.yaml -f config/carvel/package.values.yaml \ | |
| --data-value version=${version} \ | |
| --data-value image=${repo_digest} \ | |
| >> service-bindings-package.yaml | |
| - name: Upload Service Bindings release bundle | |
| uses: actions/upload-release-asset@v1.0.2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps | |
| asset_path: service-bindings-bundle.tar | |
| asset_name: service-bindings-bundle-${{ steps.get-version.outputs.version }}.tar | |
| asset_content_type: application/x-yaml | |
| - name: Upload Service Bindings package yaml | |
| uses: actions/upload-release-asset@v1.0.2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps | |
| asset_path: service-bindings-package.yaml | |
| asset_name: service-bindings-package-${{ steps.get-version.outputs.version }}.yaml | |
| asset_content_type: application/x-yaml | |
| - name: Upload Service Bindings release yaml | |
| uses: actions/upload-release-asset@v1.0.2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps | |
| asset_path: service-bindings.yaml | |
| asset_name: service-bindings-${{ steps.get-version.outputs.version }}.yaml | |
| asset_content_type: application/x-yaml |