generated from curium-rocks/kube-starter-template
-
Notifications
You must be signed in to change notification settings - Fork 0
200 lines (197 loc) · 6.65 KB
/
ci.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
name: CI
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
jobs:
build:
timeout-minutes: 10
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [16.x, 18.x]
steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'
- run: npm ci
- run: npm run build --if-present
- run: npm run lint --if-present
- run: npm test
- uses: actions/upload-artifact@v4
if: ${{ matrix.node-version == '16.x' }}
with:
name: coverage
path: |
coverage
sonar:
runs-on: ubuntu-latest
needs:
- build
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/download-artifact@v4
with:
name: coverage
path: coverage
- name: SonarCloud Scan
uses: SonarSource/sonarcloud-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
SONAR_TOKEN: ${{ secrets.SONARQUBE_KEY }}
build-image:
timeout-minutes: 10
runs-on: ubuntu-latest
needs:
- build
env:
REGISTRY: 'ghcr.io'
IMAGE_NAME: 'curium-rocks/k8s-validating-webhook'
permissions:
contents: read
packages: write
id-token: write
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install cosign
uses: sigstore/cosign-installer@162dfdf7b9ab8be88c95b4fc982792c4c273e27a
with:
cosign-release: 'v1.13.1'
# for multi arch container builds
- name: Set up QEMU
uses: docker/setup-qemu-action@master
with:
platforms: all
- name: Setup Docker buildx
id: buildx
timeout-minutes: 4
uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20
- name: Log into registry
timeout-minutes: 5
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract Docker metadata
id: meta
timeout-minutes: 5
uses: docker/metadata-action@38b36773831fce8789962056bf155ba063580c34
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=sha
type=raw,value={{date 'YYYYMMDD'}}-{{sha}}
- name: Build Docker image
id: push
timeout-minutes: 25
uses: docker/build-push-action@090ca155fc9b214cbcac536c450455a0e96f52c6
with:
context: .
load: false
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
platforms: linux/amd64, linux/arm64
- name: Sign the published Docker image
env:
COSIGN_EXPERIMENTAL: "true"
run: cosign sign --force --recursive ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}
# deploy it and verify that expected things are allowed or disallowed
verify:
runs-on: ubuntu-latest
timeout-minutes: 15
strategy:
fail-fast: false
matrix:
k8s-version: [1.22.13, 1.23.10, 1.24.4, 1.25.0]
needs:
- build-image
env:
REGISTRY: 'ghcr.io'
IMAGE_NAME: 'curium-rocks/k8s-validating-webhook'
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Use Node.js 18
uses: actions/setup-node@v4
with:
node-version: 18
cache: 'npm'
- name: Install Dependencies
run: npm ci
- name: Start Minikube
run: npm run minikube:start -- --kubernetes-version=${{ matrix.k8s-version }}
- name: Create Pull Secret
run: npm run k8s:createPullSecret --helm_namespace=default --registry_username=${{ github.actor }} --registry_password=${{ github.token }}
- name: Add Helm Repos
run: npm run helm:addRepos
- name: Deploy CertManager
run: npm run helm:deployCertManager
- name: Deploy (PR)
if: ${{ github.event_name == 'pull_request' }}
run: npm run helm:deploy -- --set 'imagePullSecrets[0].name'=ghcr-credentials --set image.tag=pr-${{ github.event.number }}
- name: Deploy (Branch)
if: ${{ github.event_name != 'pull_request' }}
timeout-minutes: 10
run: npm run helm:deploy -- --set 'imagePullSecrets[0].name'=ghcr-credentials --set image.tag=main
- name: Run E2E Tests
run: npm run test:e2e
- name: Collect Logs On Failure
if: ${{ failure() }}
run: |
mkdir -p /tmp/failure-logs
minikube logs > /tmp/failure-logs/minikube.log
kubectl logs deployments/k8s-validating-webhook --prefix=true --ignore-errors=true --timestamps --pod-running-timeout=60s > /tmp/failure-logs/k8s-validating-webhook.deployment.log
kubectl describe deployment k8s-validating-webhook > /tmp/failure-logs/k8s-validating-webhook.deployment.describe
kubectl get deployment k8s-validating-webhook -o yaml > /tmp/failure-logs/k8s-validating-webhook.deployment.yaml
kubectl describe configmap k8s-validating-webhook-config > /tmp/failure-logs/k8s-validating-webhook.configmap.describe
- name: Upload Logs On Failure
if: ${{ failure() }}
uses: actions/upload-artifact@v4
with:
name: ${{ runner.name }} minikube logs
path: |
/tmp/failure-logs
publish-chart:
if: ${{ github.event_name != 'pull_request' }}
needs:
- verify
timeout-minutes: 5
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Configure Git
run: |
git config user.name "$GITHUB_ACTOR"
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Install Helm
uses: azure/setup-helm@v4
with:
version: v3.8.1
- name: Run chart-releaser
uses: helm/chart-releaser-action@v1.6.0
env:
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
with:
charts_dir: helm