support client certificates when communicating with REQ_URL #340
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Build and Test" | |
| on: | |
| - pull_request | |
| - workflow_dispatch | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Build sidecar | |
| uses: docker/build-push-action@v4 | |
| with: | |
| push: false | |
| outputs: type=docker,dest=/tmp/k8s-sidecar.tar | |
| tags: "kiwigrid/k8s-sidecar:testing" | |
| - name: Prepare dummy server static resources | |
| run: | | |
| cp test/kubelogo.png test/server/static/ | |
| - name: Build dummy server | |
| uses: docker/build-push-action@v4 | |
| with: | |
| context: "test/server" | |
| push: false | |
| outputs: type=docker,dest=/tmp/dummy-server.tar | |
| tags: "dummy-server:1.0.0" | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: images | |
| path: /tmp/*.tar | |
| test: | |
| needs: | |
| - build | |
| strategy: | |
| matrix: | |
| # see https://github.com/kubernetes-sigs/kind/releases for supported k8s versions per kind version | |
| k8s: | |
| - maj_min: v1.21 | |
| digest: sha256:8a4e9bb3f415d2bb81629ce33ef9c76ba514c14d707f9797a01e3216376ba093 | |
| - maj_min: v1.22 | |
| digest: sha256:f5b2e5698c6c9d6d0adc419c0deae21a425c07d81bbf3b6a6834042f25d4fba2 | |
| - maj_min: v1.23 | |
| digest: sha256:fbb92ac580fce498473762419df27fa8664dbaa1c5a361b5957e123b4035bdcf | |
| - maj_min: v1.24 | |
| digest: sha256:ea292d57ec5dd0e2f3f5a2d77efa246ac883c051ff80e887109fabefbd3125c7 | |
| - maj_min: v1.25 | |
| digest: sha256:9d0a62b55d4fe1e262953be8d406689b947668626a357b5f9d0cfbddbebbc727 | |
| - maj_min: v1.26 | |
| digest: sha256:15ae92d507b7d4aec6e8920d358fc63d3b980493db191d7327541fbaaed1f789 | |
| - maj_min: v1.27 | |
| digest: sha256:3700c811144e24a6c6181065265f69b9bf0b437c45741017182d7c82b908918f | |
| - maj_min: v1.28 | |
| digest: sha256:b7e1cf6b2b729f604133c667a6be8aab6f4dde5bb042c1891ae248d9154f665b | |
| - maj_min: v1.29 | |
| digest: sha256:a0cc28af37cf39b019e2b448c54d1a3f789de32536cb5a5db61a49623e527144 | |
| name: "Test on k8s ${{ matrix.k8s.maj_min }}" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| - name: Create k8s Kind Cluster | |
| # make sure the k8s versions match the kind version of the action version 🤯 | |
| uses: helm/kind-action@v1.10.0 | |
| with: | |
| node_image: kindest/node@${{ matrix.k8s.digest }} | |
| config: test/kind-config.yaml | |
| cluster_name: sidecar-testing | |
| wait: 5m | |
| - name: Download artifact | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: images | |
| path: /tmp | |
| - name: Install Helm | |
| run: | | |
| wget https://get.helm.sh/helm-v3.16.1-linux-amd64.tar.gz | |
| tar -zxf helm-v3.16.1-linux-amd64.tar.gz | |
| mv linux-amd64/helm /usr/local/bin/helm | |
| - name: Install cert-manager | |
| run: | | |
| helm repo add jetstack https://charts.jetstack.io | |
| helm repo update | |
| helm install cert-manager jetstack/cert-manager --version v1.11.0 --set installCRDs=true | |
| - name: Load images into kind cluster | |
| run: | | |
| kind load image-archive /tmp/k8s-sidecar.tar --name sidecar-testing | |
| kind load image-archive /tmp/dummy-server.tar --name sidecar-testing | |
| - name: Install Sidecar and Dummy Server | |
| run: | | |
| wait_for_pod_ready() { | |
| while [[ $(kubectl get pods $1 -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do echo "waiting for pod '$1' to become ready..." && sleep 5; done | |
| echo "Pod '$1' ready." | |
| } | |
| echo "Installing sidecar..." | |
| kubectl apply -f "test/resources/sidecar.yaml" | |
| sleep 10 | |
| kubectl get pods | |
| wait_for_pod_ready "sidecar" | |
| wait_for_pod_ready "sidecar-basicauth-args" | |
| wait_for_pod_ready "sidecar-5xx" | |
| wait_for_pod_ready "sidecar-tls" | |
| wait_for_pod_ready "sidecar-pythonscript" | |
| wait_for_pod_ready "sidecar-pythonscript-logfile" | |
| wait_for_pod_ready "sidecar-logtofile-pythonscript" | |
| wait_for_pod_ready "dummy-server-pod" | |
| - name: Install Configmaps and Secrets | |
| run: | | |
| wait_for_pod_log() { | |
| while [[ $(kubectl logs $1 | grep $2) == "" ]]; do echo "waiting 5 more seconds for '$2' to appear in logs of pod '$1'..." && sleep 5; done | |
| echo "Pod '$1' logs contains '$2'" | |
| } | |
| # because the sidecar pods signal ready state before we actually opened up all watching subprocesses, we wait some more time | |
| sleep 20 | |
| echo "Installing resources..." | |
| kubectl apply -f "test/resources/resources.yaml" | |
| pods=("sidecar" "sidecar-basicauth-args" "sidecar-5xx" "sidecar-pythonscript" "sidecar-pythonscript-logfile") | |
| resources=("sample-configmap" "sample-secret-binary" "absolute-configmap" "relative-configmap" "change-dir-configmap" "similar-configmap-secret" "url-configmap-500" "url-configmap-basic-auth" "sample-configmap") | |
| for p in ${pods[*]}; do | |
| for r in ${resources[*]}; do | |
| wait_for_pod_log $p $r | |
| done | |
| done | |
| wait_for_pod_log "sidecar-tls" "tls-url-configmap-200" | |
| # 10 more seconds after the last thing appeared in the logs. | |
| sleep 10 | |
| - name: Retrieve pod logs | |
| run: | | |
| mkdir /tmp/logs | |
| kubectl logs sidecar > /tmp/logs/sidecar.log | |
| kubectl logs sidecar-basicauth-args > /tmp/logs/sidecar-basicauth-args.log | |
| kubectl logs sidecar-5xx > /tmp/logs/sidecar-5xx.log | |
| kubectl logs sidecar-pythonscript > /tmp/logs/sidecar-pythonscript.log | |
| kubectl logs sidecar-pythonscript-logfile > /tmp/logs/sidecar-pythonscript-logfile.log | |
| kubectl logs dummy-server-pod > /tmp/logs/dummy-server.log | |
| kubectl logs sidecar-tls > /tmp/logs/sidecar-tls.log | |
| - name: Upload artifacts (pod logs) | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: pod-logs_${{ matrix.k8s.maj_min }} | |
| path: /tmp/logs/* | |
| - name: Download expected files from cluster | |
| run: | | |
| mkdir /tmp/sidecar | |
| mkdir /tmp/sidecar-tls | |
| mkdir /tmp/sidecar-5xx | |
| echo "Downloading resource files from sidecar..." | |
| kubectl cp sidecar:/tmp/hello.world /tmp/sidecar/hello.world | |
| kubectl cp sidecar:/tmp/cm-kubelogo.png /tmp/sidecar/cm-kubelogo.png | |
| kubectl cp sidecar:/tmp/secret-kubelogo.png /tmp/sidecar/secret-kubelogo.png | |
| kubectl cp sidecar:/tmp/url-downloaded-kubelogo.png /tmp/sidecar/url-downloaded-kubelogo.png | |
| # script also generates into '/tmp' | |
| kubectl cp sidecar:/tmp/script_result /tmp/sidecar/script_result | |
| # absolute path in configmap points to /tmp in 'absolute-configmap' | |
| kubectl cp sidecar:/tmp/absolute/absolute.txt /tmp/sidecar/absolute.txt | |
| kubectl cp sidecar:/tmp/relative/relative.txt /tmp/sidecar/relative.txt | |
| kubectl cp sidecar:/tmp/orig-dir/change-dir.txt /tmp/sidecar/change-dir.txt | |
| kubectl cp sidecar:/tmp/500.txt /tmp/sidecar/500.txt || true | |
| kubectl cp sidecar:/tmp/secured.txt /tmp/sidecar/secured.txt | |
| kubectl cp sidecar:/tmp/similar-configmap.txt /tmp/sidecar/similar-configmap.txt | |
| kubectl cp sidecar:/tmp/similar-secret.txt /tmp/sidecar/similar-secret.txt | |
| echo "Downloading resource files from sidecar-basicauth-args pod" | |
| kubectl cp sidecar-basicauth-args:/tmp/secured.txt /tmp/sidecar-basicauth-args/secured.txt | |
| echo "Downloading resource files from sidecar-5xx..." | |
| kubectl cp sidecar-5xx:/tmp-5xx/hello.world /tmp/sidecar-5xx/hello.world | |
| kubectl cp sidecar-5xx:/tmp-5xx/cm-kubelogo.png /tmp/sidecar-5xx/cm-kubelogo.png | |
| kubectl cp sidecar-5xx:/tmp-5xx/secret-kubelogo.png /tmp/sidecar-5xx/secret-kubelogo.png | |
| kubectl cp sidecar-5xx:/tmp-5xx/url-downloaded-kubelogo.png /tmp/sidecar-5xx/url-downloaded-kubelogo.png | |
| # script also generates into '/tmp' | |
| kubectl cp sidecar-5xx:/tmp/script_result /tmp/sidecar-5xx/script_result | |
| # absolute path in configmap points to /tmp in 'absolute-configmap' | |
| kubectl cp sidecar-5xx:/tmp/absolute/absolute.txt /tmp/sidecar-5xx/absolute.txt | |
| kubectl cp sidecar-5xx:/tmp-5xx/relative/relative.txt /tmp/sidecar-5xx/relative.txt | |
| kubectl cp sidecar-5xx:/tmp-5xx/orig-dir/change-dir.txt /tmp/sidecar-5xx/change-dir.txt | |
| kubectl cp sidecar-5xx:/tmp-5xx/500.txt /tmp/sidecar-5xx/500.txt | |
| kubectl cp sidecar-5xx:/tmp-5xx/secured.txt /tmp/sidecar-5xx/secured.txt | |
| kubectl cp sidecar-5xx:/tmp-5xx/similar-configmap.txt /tmp/sidecar-5xx/similar-configmap.txt | |
| kubectl cp sidecar-5xx:/tmp-5xx/similar-secret.txt /tmp/sidecar-5xx/similar-secret.txt | |
| echo "Downloading resource files from sidecar-tls pod" | |
| kubectl cp sidecar-tls:/tmp/200-tls.txt /tmp/sidecar-tls/200-tls.txt | |
| - name: Upload artifacts (expected files from cluster) | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: expected-files_${{ matrix.k8s.maj_min }} | |
| path: | | |
| /tmp/sidecar/** | |
| /tmp/sidecar-tls/** | |
| /tmp/sidecar-5xx/** | |
| - name: Update Configmaps and Secrets | |
| run: | | |
| sleep 5 | |
| current_time=$(date -u +"%Y-%m-%dT%H:%M:%SZ") | |
| wait_for_pod_log() { | |
| while [[ $(kubectl logs $1 --since-time ${current_time} | grep $2) == "" ]]; do echo "waiting 5 more seconds for '$2' to appear in logs of pod '$1'..." && sleep 5; done | |
| echo "Pod '$1' logs contains '$2'" | |
| } | |
| echo "Updating resources..." | |
| kubectl apply -f "test/resources/change_resources.yaml" | |
| pods=("sidecar" "sidecar-5xx") | |
| resources=("sample-configmap" "sample-secret-binary" "absolute-configmap" "relative-configmap" "change-dir-configmap" "similar-configmap-secret" "url-configmap-500" "url-configmap-basic-auth" "sample-configmap") | |
| for p in ${pods[*]}; do | |
| for r in ${resources[*]}; do | |
| wait_for_pod_log $p $r | |
| done | |
| done | |
| # 20 more seconds after the last thing appeared in the logs. | |
| sleep 20 | |
| - name: Verify sidecar files after initial sync | |
| run: | | |
| echo -n "Hello World!" | diff - /tmp/sidecar/hello.world && | |
| diff test/kubelogo.png /tmp/sidecar/cm-kubelogo.png && | |
| diff test/kubelogo.png /tmp/sidecar/secret-kubelogo.png && | |
| diff test/kubelogo.png /tmp/sidecar/url-downloaded-kubelogo.png && | |
| echo -n "This absolutely exists" | diff - /tmp/sidecar/absolute.txt && | |
| echo -n "This relatively exists" | diff - /tmp/sidecar/relative.txt && | |
| echo -n "This change-dir exists" | diff - /tmp/sidecar/change-dir.txt && | |
| echo -n "I'm very similar" | diff - /tmp/sidecar/similar-configmap.txt && | |
| echo -n "I'm very similar" | diff - /tmp/sidecar/similar-secret.txt && | |
| echo -n "allowed" | diff - /tmp/sidecar/secured.txt && | |
| [ -f /tmp/sidecar-tls/200-tls.txt ] && echo "200-tls.txt file created" && | |
| echo -n "200" | diff - /tmp/sidecar-tls/200-tls.txt && | |
| [ ! -f /tmp/sidecar/500.txt ] && echo "No 5xx file created" && | |
| ls /tmp/sidecar/script_result | |
| - name: Verify sidecar-basicauth-args pod file after initial sync | |
| run: | | |
| echo -n "allowed" | diff - /tmp/sidecar-basicauth-args/secured.txt | |
| - name: Verify sidecar-5xx files after initial sync | |
| run: | | |
| echo -n '{"detail":"Not authenticated"}' | diff - /tmp/sidecar-5xx/secured.txt && | |
| echo -n "Hello World!" | diff - /tmp/sidecar-5xx/hello.world && | |
| diff test/kubelogo.png /tmp/sidecar-5xx/cm-kubelogo.png && | |
| diff test/kubelogo.png /tmp/sidecar-5xx/secret-kubelogo.png && | |
| diff test/kubelogo.png /tmp/sidecar-5xx/url-downloaded-kubelogo.png && | |
| echo -n "This absolutely exists" | diff - /tmp/sidecar-5xx/absolute.txt && | |
| echo -n "This relatively exists" | diff - /tmp/sidecar-5xx/relative.txt && | |
| echo -n "This change-dir exists" | diff - /tmp/sidecar-5xx/change-dir.txt && | |
| echo -n "I'm very similar" | diff - /tmp/sidecar-5xx/similar-configmap.txt && | |
| echo -n "I'm very similar" | diff - /tmp/sidecar-5xx/similar-secret.txt && | |
| echo -n "500" | diff - /tmp/sidecar-5xx/500.txt && | |
| ls /tmp/sidecar-5xx/script_result | |
| - name: Verify sidecar-python logs after initial sync | |
| run: | | |
| # Make sure to update this number this when adding or removing configmap or secrets | |
| # For log to a file, Need to consider Jobs "Install Configmaps and Secrets" and "Update Configmaps and Secrets" | |
| # Total is (9 + 7) | |
| test $(cat /tmp/logs/sidecar-pythonscript.log | grep "Hello from python script!" | wc -l) = "9" && | |
| test $(cat /tmp/logs/sidecar-pythonscript-logfile.log | grep "Hello from python script!" | wc -l) = "9" && | |
| kubectl exec sidecar-logtofile-pythonscript -- sh -c "test -e /opt/logs/sidecar.log" && | |
| test $(kubectl exec sidecar-logtofile-pythonscript -- sh -c 'cat /opt/logs/sidecar.log | grep "Hello from python script!" | wc -l') = "16" | |
| - name: Verify sidecar files after update | |
| run: | | |
| kubectl exec sidecar -- sh -c "ls /tmp/" && | |
| kubectl exec sidecar -- sh -c "! test -e /tmp/hello.world" && kubectl exec sidecar -- sh -c "test -e /tmp/change-hello.world" && | |
| kubectl exec sidecar -- sh -c "! test -e /tmp/cm-kubelogo.png" && kubectl exec sidecar -- sh -c "test -e /tmp/change-cm-kubelogo.png" && | |
| kubectl exec sidecar -- sh -c "! test -e /tmp/secret-kubelogo.png" && kubectl exec sidecar -- sh -c "test -e /tmp/change-secret-kubelogo.png" && | |
| kubectl exec sidecar -- sh -c "! test -e /tmp/absolute/absolute.txt" && kubectl exec sidecar -- sh -c "test -e /tmp/absolute/change-absolute.txt" && | |
| kubectl exec sidecar -- sh -c "! test -e /tmp/relative/relative.txt" && kubectl exec sidecar -- sh -c "test -e /tmp/relative/change-relative.txt" && | |
| kubectl exec sidecar -- sh -c "! test -e /tmp/orig-dir/change-dir.txt" && kubectl exec sidecar -- sh -c "test -e /tmp/new-dir/change-dir.txt" && | |
| kubectl exec sidecar -- sh -c "! test -e /tmp/similar-configmap.txt" && kubectl exec sidecar -- sh -c "test -e /tmp/change-similar-configmap.txt" && | |
| kubectl exec sidecar -- sh -c "! test -e /tmp/similar-secret.txt" && kubectl exec sidecar -- sh -c "test -e /tmp/change-similar-secret.txt" |