Set DefaultMode for projected ProjectedVolumeSource #909
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: | |
- '**' | |
- '!dependabot/**' | |
tags: | |
# semver tags | |
- 'v[0-9]+\.[0-9]+\.[0-9]+-?**' | |
pull_request: {} | |
env: | |
IMGPKG: go run -modfile hack/imgpkg/go.mod github.com/vmware-tanzu/carvel-imgpkg/cmd/imgpkg | |
KAPP: go run -modfile hack/kapp/go.mod github.com/k14s/kapp/cmd/kapp | |
KBLD: go run -modfile hack/kbld/go.mod github.com/vmware-tanzu/carvel-kbld/cmd/kbld | |
KO: go run -modfile hack/ko/go.mod github.com/google/ko | |
jobs: | |
unit: | |
name: Unit Test | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/setup-go@v5 | |
with: | |
go-version: 1.21.x | |
- uses: actions/checkout@v4 | |
- name: Test | |
run: make test | |
- name: Report coverage | |
uses: codecov/codecov-action@v4 | |
env: | |
CODECOV_TOKEN: 0e521354-90f7-4a17-a876-73ca69b59cb5 | |
- name: Disallow generated drift | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
git diff --exit-code . | |
stage: | |
name: Stage | |
runs-on: ubuntu-latest | |
env: | |
REGISTRY_NAME: registry.local | |
KO_DOCKER_REPO: registry.local/servicebinding | |
KO_PLATFORMS: linux/amd64,linux/arm64 | |
BUNDLE: registry.local/servicebinding/bundle | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version: 1.21.x | |
- name: Generate certs | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
CERT_DIR=$(mktemp -d -t certs.XXXX) | |
echo "CERT_DIR=$CERT_DIR" >> $GITHUB_ENV | |
echo "##[group]Install cfssl" | |
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64 -o cfssl | |
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64 -o cfssljson | |
chmod +x cfssl* | |
sudo mv cfssl* /usr/local/bin | |
echo "##[endgroup]" | |
echo "##[group]Generate CA" | |
cfssl gencert -initca .github/tls/root-csr.json \ | |
| cfssljson -bare ${CERT_DIR}/root-ca | |
cfssl gencert -ca ${CERT_DIR}/root-ca.pem -ca-key ${CERT_DIR}/root-ca-key.pem \ | |
-config=".github/tls/config.json" \ | |
-profile="intermediate" .github/tls/intermediate-csr.json \ | |
| cfssljson -bare ${CERT_DIR}/signing-ca | |
cat ${CERT_DIR}/signing-ca.pem ${CERT_DIR}/root-ca.pem > ${CERT_DIR}/ca.pem | |
echo "##[endgroup]" | |
echo "##[group]Install CA" | |
# https://ubuntu.com/server/docs/security-trust-store | |
sudo apt-get install -y ca-certificates | |
sudo cp ${CERT_DIR}/ca.pem /usr/local/share/ca-certificates/ca.crt | |
sudo update-ca-certificates | |
echo "##[endgroup]" | |
echo "##[group]Generate cert" | |
cfssl gencert -ca ${CERT_DIR}/signing-ca.pem -ca-key ${CERT_DIR}/signing-ca-key.pem \ | |
-config=".github/tls/config.json" \ | |
-profile="server" \ | |
-hostname="${REGISTRY_NAME},local-registry" \ | |
.github/tls/server-csr.json \ | |
| cfssljson -bare ${CERT_DIR}/server | |
echo "##[endgroup]" | |
- name: Setup local registry | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
# Run a registry. | |
docker run -d \ | |
--restart=always \ | |
--name local-registry \ | |
-v ${CERT_DIR}:/certs \ | |
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \ | |
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.pem \ | |
-e REGISTRY_HTTP_TLS_KEY=/certs/server-key.pem \ | |
-p "443:443" \ | |
registry:2 | |
# Make the $REGISTRY_NAME -> local-registry | |
echo "$(hostname -I | cut -d' ' -f1) $REGISTRY_NAME" | sudo tee -a /etc/hosts | |
- name: Build all platforms for tags | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
echo "KO_PLATFORMS=all" >> $GITHUB_ENV | |
- name: Build | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
scratch=$(mktemp -d -t bundle.XXXX) | |
mkdir -p "${scratch}/.imgpkg" | |
mkdir -p "${scratch}/config" | |
cp LICENSE "${scratch}/LICENSE" | |
echo "##[group]Build" | |
cat hack/boilerplate.yaml.txt > "${scratch}/config/servicebinding-runtime.yaml" | |
${KO} resolve --platform ${KO_PLATFORMS} -f config/servicebinding-runtime.yaml >> "${scratch}/config/servicebinding-runtime.yaml" | |
cat hack/boilerplate.yaml.txt > "${scratch}/config/servicebinding-workloadresourcemappings.yaml" | |
cat config/servicebinding-workloadresourcemappings.yaml >> "${scratch}/config/servicebinding-workloadresourcemappings.yaml" | |
${KBLD} --imgpkg-lock-output "${scratch}/.imgpkg/images.yml" \ | |
-f "${scratch}/config/servicebinding-runtime.yaml" \ | |
-f "${scratch}/config/servicebinding-workloadresourcemappings.yaml" \ | |
> /dev/null | |
echo "##[endgroup]" | |
echo "##[group]Create bundle" | |
${IMGPKG} push -f "${scratch}" -b "${BUNDLE}" | |
${IMGPKG} copy -b "${BUNDLE}" --to-tar servicebinding-runtime-bundle.tar | |
echo "##[endgroup]" | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: servicebinding-runtime-bundle.tar | |
path: servicebinding-runtime-bundle.tar | |
retention-days: 7 | |
acceptance: | |
name: Acceptance Test | |
needs: stage | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- node: kindest/node:v1.23.17@sha256:14d0a9a892b943866d7e6be119a06871291c517d279aedb816a4b4bc0ec0a5b3 | |
version: v1.23.17 | |
os: ubuntu-latest | |
- node: kindest/node:v1.24.17@sha256:bad10f9b98d54586cba05a7eaa1b61c6b90bfc4ee174fdc43a7b75ca75c95e51 | |
version: v1.24.17 | |
os: ubuntu-latest | |
- node: kindest/node:v1.25.16@sha256:e8b50f8e06b44bb65a93678a65a26248fae585b3d3c2a669e5ca6c90c69dc519 | |
version: v1.25.16 | |
os: ubuntu-latest | |
- node: kindest/node:v1.26.14@sha256:5d548739ddef37b9318c70cb977f57bf3e5015e4552be4e27e57280a8cbb8e4f | |
version: v1.26.14 | |
os: ubuntu-latest | |
- node: kindest/node:v1.27.11@sha256:681253009e68069b8e01aad36a1e0fa8cf18bb0ab3e5c4069b2e65cafdd70843 | |
version: v1.27.11 | |
os: ubuntu-latest | |
- node: kindest/node:v1.28.7@sha256:9bc6c451a289cf96ad0bbaf33d416901de6fd632415b076ab05f5fa7e4f65c58 | |
version: v1.28.7 | |
os: ubuntu-latest | |
- node: kindest/node:v1.29.2@sha256:51a1434a5397193442f0be2a297b488b6c919ce8a3931be0ce822606ea5ca245 | |
version: v1.29.2 | |
os: ubuntu-latest | |
env: | |
REGISTRY_NAME: registry.local | |
BUNDLE: registry.local/bundle | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version: 1.21.x | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: "3.10" | |
- name: Install kind | |
run: | | |
cd $(mktemp -d -t kind.XXXX) | |
curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.22.0/kind-$(go env GOHOSTOS)-$(go env GOHOSTARCH) | |
chmod +x ./kind | |
sudo mv ./kind /usr/local/bin | |
cd - | |
- name: Generate certs | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
CERT_DIR=$(mktemp -d -t certs.XXXX) | |
echo "CERT_DIR=$CERT_DIR" >> $GITHUB_ENV | |
echo "##[group]Install cfssl" | |
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64 -o cfssl | |
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64 -o cfssljson | |
chmod +x cfssl* | |
sudo mv cfssl* /usr/local/bin | |
echo "##[endgroup]" | |
echo "##[group]Generate CA" | |
cfssl gencert -initca .github/tls/root-csr.json \ | |
| cfssljson -bare ${CERT_DIR}/root-ca | |
cfssl gencert -ca ${CERT_DIR}/root-ca.pem -ca-key ${CERT_DIR}/root-ca-key.pem \ | |
-config=".github/tls/config.json" \ | |
-profile="intermediate" .github/tls/intermediate-csr.json \ | |
| cfssljson -bare ${CERT_DIR}/signing-ca | |
cat ${CERT_DIR}/signing-ca.pem ${CERT_DIR}/root-ca.pem > ${CERT_DIR}/ca.pem | |
echo "##[endgroup]" | |
echo "##[group]Install CA" | |
# https://ubuntu.com/server/docs/security-trust-store | |
sudo apt-get install -y ca-certificates | |
sudo cp ${CERT_DIR}/ca.pem /usr/local/share/ca-certificates/ca.crt | |
sudo update-ca-certificates | |
echo "##[endgroup]" | |
echo "##[group]Generate cert" | |
cfssl gencert -ca ${CERT_DIR}/signing-ca.pem -ca-key ${CERT_DIR}/signing-ca-key.pem \ | |
-config=".github/tls/config.json" \ | |
-profile="server" \ | |
-hostname="${REGISTRY_NAME},local-registry" \ | |
.github/tls/server-csr.json \ | |
| cfssljson -bare ${CERT_DIR}/server | |
echo "##[endgroup]" | |
- name: Setup local registry | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
# Run a registry. | |
docker run -d \ | |
--restart=always \ | |
--name local-registry \ | |
-v ${CERT_DIR}:/certs \ | |
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \ | |
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.pem \ | |
-e REGISTRY_HTTP_TLS_KEY=/certs/server-key.pem \ | |
-p "443:443" \ | |
registry:2 | |
# Make the $REGISTRY_NAME -> local-registry | |
echo "$(hostname -I | cut -d' ' -f1) $REGISTRY_NAME" | sudo tee -a /etc/hosts | |
- name: Create Cluster | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
# create a cluster with the local registry enabled in containerd | |
cat <<EOF | kind create cluster --config=- | |
kind: Cluster | |
apiVersion: kind.x-k8s.io/v1alpha4 | |
containerdConfigPatches: | |
- |- | |
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."${REGISTRY_NAME}"] | |
endpoint = ["https://local-registry"] | |
- |- | |
[plugins."io.containerd.grpc.v1.cri".registry.configs."local-registry".tls] | |
ca_file = "/etc/docker/certs.d/local-registry/ca.pem" | |
nodes: | |
- role: control-plane | |
image: ${{ matrix.node }} | |
extraMounts: | |
- containerPath: /etc/docker/certs.d/local-registry | |
hostPath: ${CERT_DIR} | |
EOF | |
# connect the registry to the cluster network | |
docker network connect kind local-registry | |
# Document the local registry | |
# https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry | |
cat <<EOF | kubectl apply -f - | |
apiVersion: v1 | |
kind: ConfigMap | |
metadata: | |
name: local-registry-hosting | |
namespace: kube-public | |
data: | |
localRegistryHosting.v1: | | |
host: "localhost" | |
help: "https://kind.sigs.k8s.io/docs/user/local-registry/" | |
EOF | |
- name: Download staged bundle | |
uses: actions/download-artifact@v4 | |
with: | |
name: servicebinding-runtime-bundle.tar | |
- name: Relocate bundle | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
${IMGPKG} copy --tar servicebinding-runtime-bundle.tar --to-repo "${BUNDLE}" | |
mkdir -p bundle | |
${IMGPKG} pull -b "${BUNDLE}" -o bundle | |
- name: Deploy | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
echo "##[group]Create namespace" | |
kubectl create ns apps | |
echo "##[endgroup]" | |
echo "##[group]Deploy cert-manager" | |
${KAPP} deploy -a cert-manager -n apps --wait-timeout 5m -y \ | |
-f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml | |
echo "##[endgroup]" | |
echo "##[group]Deploy servicebinding-runtime" | |
${KAPP} deploy -a servicebinding-runtime -n apps --wait-timeout 5m -y \ | |
-f <(${KBLD} -f bundle/.imgpkg/images.yml -f bundle/config) | |
echo "##[endgroup]" | |
- name: Test samples | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
echo "##[group]Deploy spring-petclinic" | |
${KAPP} deploy -a servicebinding-sample-spring-petclinic -n apps --wait-timeout 5m -y \ | |
-f samples/spring-petclinic | |
echo "##[endgroup]" | |
- name: Checkout conformance tests | |
uses: actions/checkout@v4 | |
with: | |
repository: servicebinding/conformance.git | |
ref: v0.3.2 | |
fetch-depth: 1 | |
path: conformance-tests | |
- name: Conformance tests | |
working-directory: conformance-tests | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
echo "##[group]Setup conformance tests" | |
./setup.sh | |
echo "##[endgroup]" | |
echo "##[group]Run conformance tests" | |
./run_tests.sh -j 4 | |
echo "##[endgroup]" | |
- name: Collect diagnostics | |
run: | | |
set +o errexit | |
set -o nounset | |
set +o pipefail | |
if [ -e conformance-tests/test-output/results/failing_scenarios.txt ] ; then | |
echo "##[group]failing conformance tests" | |
cat conformance-tests/test-output/results/failing_scenarios.txt | |
echo "##[endgroup]" | |
fi | |
echo "##[group]kubectl get clusterworkloadresourcemappings.servicebinding.io" | |
kubectl get clusterworkloadresourcemappings.servicebinding.io | |
echo "##[endgroup]" | |
echo "##[group]kubectl get servicebindings.servicebinding.io -A" | |
kubectl get servicebindings.servicebinding.io -A | |
echo "##[endgroup]" | |
echo "##[group]kubectl describe servicebindings.servicebinding.io -A" | |
kubectl describe servicebindings.servicebinding.io -A | |
echo "##[endgroup]" | |
echo "##[group]kapp list -A" | |
${KAPP} list -A | |
echo "##[endgroup]" | |
echo "##[group]kubectl get all -n servicebinding-system" | |
kubectl get all -n servicebinding-system | |
echo "##[endgroup]" | |
echo "##[group]kubectl get all -n servicebinding-cts" | |
kubectl get all -n servicebindings-cts | |
echo "##[endgroup]" | |
echo "##[group]kubectl describe deployments.apps -n servicebinding-system" | |
kubectl describe deployments.apps -n servicebinding-system | |
echo "##[endgroup]" | |
echo "##[group]kubectl describe deployments.apps -n servicebinding-cts" | |
kubectl describe deployments.apps -n servicebindings-cts | |
echo "##[endgroup]" | |
echo "##[group]kubectl describe mutatingwebhookconfigurations.admissionregistration.k8s.io servicebinding-admission-projector" | |
kubectl describe mutatingwebhookconfigurations.admissionregistration.k8s.io servicebinding-admission-projector | |
echo "##[endgroup]" | |
echo "##[group]kubectl describe validatingwebhookconfigurations.admissionregistration.k8s.io servicebinding-trigger" | |
kubectl describe validatingwebhookconfigurations.admissionregistration.k8s.io servicebinding-trigger | |
echo "##[endgroup]" | |
echo "##[group]kubectl logs -n servicebinding-system -l control-plane=controller-manager --tail 10000" | |
kubectl logs -n servicebinding-system -l control-plane=controller-manager --tail 10000 | |
echo "##[endgroup]" | |
if: always() | |
continue-on-error: true | |
- name: Save test results | |
uses: actions/upload-artifact@v4 | |
if: always() | |
with: | |
name: acceptance-test-results-${{ matrix.version }} | |
path: conformance-tests/test-output/results | |
- name: Delete Gracefully | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
echo "##[group]Delete spring-petclinic" | |
${KAPP} delete -a servicebinding-sample-spring-petclinic -n apps --wait-timeout 5m -y | |
echo "##[endgroup]" | |
echo "##[group]Delete servicebinding-runtime" | |
${KAPP} delete -a servicebinding-runtime -n apps --wait-timeout 5m -y | |
echo "##[endgroup]" | |
echo "##[group]Delete cert-manager" | |
${KAPP} delete -a cert-manager -n apps --wait-timeout 5m -y | |
echo "##[endgroup]" | |
if: always() | |
- name: Cleanup cluster | |
run: kind delete cluster | |
if: always() | |
# aggregate the unit and acceptance results into a single job | |
test: | |
name: Test | |
needs: | |
- unit | |
- acceptance | |
runs-on: ubuntu-latest | |
steps: | |
- run: echo "it passed" | |
release: | |
name: Release | |
needs: | |
- test | |
if: startsWith(github.ref, 'refs/tags/') | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version: 1.21.x | |
- name: Get the version | |
id: get_version | |
run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//} | |
- name: Draft release | |
id: create_release | |
uses: actions/create-release@v1.1.4 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
tag_name: ${{ github.ref }} | |
release_name: ${{ steps.get_version.outputs.VERSION }} | |
draft: true | |
- name: Download staged bundle | |
uses: actions/download-artifact@v4 | |
with: | |
name: servicebinding-runtime-bundle.tar | |
- name: Upload servicebinding-runtime-bundle.tar | |
uses: actions/upload-release-asset@v1.0.2 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps | |
asset_path: servicebinding-runtime-bundle.tar | |
asset_name: servicebinding-runtime-bundle-${{ steps.get_version.outputs.VERSION }}.tar | |
asset_content_type: application/x-tar | |
- name: Install crane | |
run: | | |
cd $(mktemp -d -t crane.XXXX) | |
curl -L https://github.com/google/go-containerregistry/releases/download/v0.9.0/go-containerregistry_Linux_x86_64.tar.gz | tar -xz | |
chmod +x ./crane | |
sudo mv ./crane /usr/local/bin | |
cd - | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Relocate bundle to public registry | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
version=${{ steps.get_version.outputs.VERSION }} | |
${IMGPKG} copy --tar servicebinding-runtime-bundle.tar --to-repo "ghcr.io/${{ github.repository }}/bundle" | |
crane tag "ghcr.io/${{ github.repository }}/bundle" "${version}" | |
digest=$(crane digest "ghcr.io/${{ github.repository }}/bundle:${version}") | |
scratch=$(mktemp -d -t bundle.XXXX) | |
mkdir -p ${scratch} | |
${IMGPKG} pull -b "ghcr.io/${{ github.repository }}/bundle:${version}@${digest}" -o ${scratch} | |
cp hack/boilerplate.yaml.txt servicebinding-runtime.yaml | |
${KBLD} -f ${scratch}/config/servicebinding-runtime.yaml -f ${scratch}/.imgpkg/images.yml \ | |
>> servicebinding-runtime.yaml | |
cp hack/boilerplate.yaml.txt servicebinding-workloadresourcemappings.yaml | |
${KBLD} -f ${scratch}/config/servicebinding-workloadresourcemappings.yaml -f ${scratch}/.imgpkg/images.yml \ | |
>> servicebinding-workloadresourcemappings.yaml | |
- name: Upload servicebinding-runtime.yaml | |
uses: actions/upload-release-asset@v1.0.2 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps | |
asset_path: servicebinding-runtime.yaml | |
asset_name: servicebinding-runtime-${{ steps.get_version.outputs.VERSION }}.yaml | |
asset_content_type: application/x-yaml | |
- name: Upload servicebinding-workloadresourcemappings.yaml | |
uses: actions/upload-release-asset@v1.0.2 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps | |
asset_path: servicebinding-workloadresourcemappings.yaml | |
asset_name: servicebinding-workloadresourcemappings-${{ steps.get_version.outputs.VERSION }}.yaml | |
asset_content_type: application/x-yaml |