|
| 1 | +# Copyright 2022 The Sigstore Authors. |
| 2 | +# |
| 3 | +# Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | +# you may not use this file except in compliance with the License. |
| 5 | +# You may obtain a copy of the License at |
| 6 | +# |
| 7 | +# http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | +# |
| 9 | +# Unless required by applicable law or agreed to in writing, software |
| 10 | +# distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | +# See the License for the specific language governing permissions and |
| 13 | +# limitations under the License. |
| 14 | + |
| 15 | +name: Test policy-controller with ClusterImagePolicy resync period |
| 16 | + |
| 17 | +on: |
| 18 | + pull_request: |
| 19 | + branches: [ 'main', 'release' ] |
| 20 | + |
| 21 | +defaults: |
| 22 | + run: |
| 23 | + shell: bash |
| 24 | + |
| 25 | +permissions: read-all |
| 26 | + |
| 27 | +jobs: |
| 28 | + cip-test-policy-resync-period: |
| 29 | + name: ClusterImagePolicy e2e tests policy resync period |
| 30 | + runs-on: ubuntu-latest |
| 31 | + |
| 32 | + strategy: |
| 33 | + fail-fast: false # Keep running if one leg fails. |
| 34 | + matrix: |
| 35 | + k8s-version: |
| 36 | + - v1.27.x |
| 37 | + - v1.28.x |
| 38 | + - v1.29.x |
| 39 | + |
| 40 | + env: |
| 41 | + KO_DOCKER_REPO: "registry.local:5000/policy-controller" |
| 42 | + SCAFFOLDING_RELEASE_VERSION: "v0.7.1" |
| 43 | + GO111MODULE: on |
| 44 | + GOFLAGS: -ldflags=-s -ldflags=-w |
| 45 | + KOCACHE: ~/ko |
| 46 | + |
| 47 | + steps: |
| 48 | + - name: free up disk space for the release |
| 49 | + run: | |
| 50 | + rm -rf /usr/share/dotnet/ |
| 51 | + rm -rf "$AGENT_TOOLSDIRECTORY" |
| 52 | + rm -rf "/usr/local/share/boost" |
| 53 | + rm -rf /opt/ghc |
| 54 | + docker rmi $(docker image ls -aq) || true |
| 55 | + swapoff /swapfile || true |
| 56 | + rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc || true |
| 57 | + apt purge aria2 ansible hhvm mono-devel azure-cli shellcheck rpm xorriso zsync \ |
| 58 | + clang-6.0 lldb-6.0 lld-6.0 clang-format-6.0 clang-8 lldb-8 lld-8 clang-format-8 \ |
| 59 | + clang-9 lldb-9 lld-9 clangd-9 clang-format-9 dotnet-sdk-3.0 dotnet-sdk-3.1=3.1.101-1 \ |
| 60 | + esl-erlang firefox g++-8 g++-9 gfortran-8 gfortran-9 google-chrome-stable \ |
| 61 | + google-cloud-sdk ghc-8.0.2 ghc-8.2.2 ghc-8.4.4 ghc-8.6.2 ghc-8.6.3 ghc-8.6.4 \ |
| 62 | + ghc-8.6.5 ghc-8.8.1 ghc-8.8.2 ghc-8.8.3 ghc-8.10.1 cabal-install-2.0 cabal-install-2.2 \ |
| 63 | + cabal-install-2.4 cabal-install-3.0 cabal-install-3.2 heroku imagemagick \ |
| 64 | + libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \ |
| 65 | + mercurial apt-transport-https mono-complete mysql-client libmysqlclient-dev \ |
| 66 | + mysql-server mssql-tools unixodbc-dev yarn bazel chrpath libssl-dev libxft-dev \ |
| 67 | + libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev php7.1 php7.1-bcmath \ |
| 68 | + php7.1-bz2 php7.1-cgi php7.1-cli php7.1-common php7.1-curl php7.1-dba php7.1-dev \ |
| 69 | + php7.1-enchant php7.1-fpm php7.1-gd php7.1-gmp php7.1-imap php7.1-interbase php7.1-intl \ |
| 70 | + php7.1-json php7.1-ldap php7.1-mbstring php7.1-mcrypt php7.1-mysql php7.1-odbc \ |
| 71 | + php7.1-opcache php7.1-pgsql php7.1-phpdbg php7.1-pspell php7.1-readline php7.1-recode \ |
| 72 | + php7.1-snmp php7.1-soap php7.1-sqlite3 php7.1-sybase php7.1-tidy php7.1-xml \ |
| 73 | + php7.1-xmlrpc php7.1-xsl php7.1-zip php7.2 php7.2-bcmath php7.2-bz2 php7.2-cgi \ |
| 74 | + php7.2-cli php7.2-common php7.2-curl php7.2-dba php7.2-dev php7.2-enchant php7.2-fpm \ |
| 75 | + php7.2-gd php7.2-gmp php7.2-imap php7.2-interbase php7.2-intl php7.2-json php7.2-ldap \ |
| 76 | + php7.2-mbstring php7.2-mysql php7.2-odbc php7.2-opcache php7.2-pgsql php7.2-phpdbg \ |
| 77 | + php7.2-pspell php7.2-readline php7.2-recode php7.2-snmp php7.2-soap php7.2-sqlite3 \ |
| 78 | + php7.2-sybase php7.2-tidy php7.2-xml php7.2-xmlrpc php7.2-xsl php7.2-zip php7.3 \ |
| 79 | + php7.3-bcmath php7.3-bz2 php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-dba \ |
| 80 | + php7.3-dev php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-interbase \ |
| 81 | + php7.3-intl php7.3-json php7.3-ldap php7.3-mbstring php7.3-mysql php7.3-odbc \ |
| 82 | + php7.3-opcache php7.3-pgsql php7.3-phpdbg php7.3-pspell php7.3-readline php7.3-recode \ |
| 83 | + php7.3-snmp php7.3-soap php7.3-sqlite3 php7.3-sybase php7.3-tidy php7.3-xml \ |
| 84 | + php7.3-xmlrpc php7.3-xsl php7.3-zip php7.4 php7.4-bcmath php7.4-bz2 php7.4-cgi \ |
| 85 | + php7.4-cli php7.4-common php7.4-curl php7.4-dba php7.4-dev php7.4-enchant php7.4-fpm \ |
| 86 | + php7.4-gd php7.4-gmp php7.4-imap php7.4-interbase php7.4-intl php7.4-json php7.4-ldap \ |
| 87 | + php7.4-mbstring php7.4-mysql php7.4-odbc php7.4-opcache php7.4-pgsql php7.4-phpdbg \ |
| 88 | + php7.4-pspell php7.4-readline php7.4-snmp php7.4-soap php7.4-sqlite3 php7.4-sybase \ |
| 89 | + php7.4-tidy php7.4-xml php7.4-xmlrpc php7.4-xsl php7.4-zip php-amqp php-apcu \ |
| 90 | + php-igbinary php-memcache php-memcached php-mongodb php-redis php-xdebug \ |
| 91 | + php-zmq snmp pollinate libpq-dev postgresql-client powershell ruby-full \ |
| 92 | + sphinxsearch subversion mongodb-org -yq >/dev/null 2>&1 || true |
| 93 | + apt-get remove -y 'php.*' || true |
| 94 | + apt-get autoremove -y >/dev/null 2>&1 || true |
| 95 | + apt-get autoclean -y >/dev/null 2>&1 || true |
| 96 | + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 |
| 97 | + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 |
| 98 | + with: |
| 99 | + go-version-file: './go.mod' |
| 100 | + check-latest: true |
| 101 | + |
| 102 | + # will use the latest release available for ko |
| 103 | + - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 |
| 104 | + |
| 105 | + - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 |
| 106 | + |
| 107 | + - name: Install yq |
| 108 | + uses: mikefarah/yq@557dcb87b8efe786f89a12c09e9046b4753ab72e # v4.44.1 |
| 109 | + |
| 110 | + - name: Setup mirror |
| 111 | + uses: chainguard-dev/actions/setup-mirror@main |
| 112 | + with: |
| 113 | + mirror: mirror.gcr.io |
| 114 | + |
| 115 | + - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 |
| 116 | + |
| 117 | + - name: Install cluster + sigstore |
| 118 | + uses: sigstore/scaffolding/actions/setup@main |
| 119 | + with: |
| 120 | + k8s-version: ${{ matrix.k8s-version}} |
| 121 | + version: ${{ env.SCAFFOLDING_RELEASE_VERSION }} |
| 122 | + |
| 123 | + - name: Copy TUF root to policy-controller namespace |
| 124 | + run: | |
| 125 | + kubectl create ns cosign-system |
| 126 | + kubectl -n tuf-system get secrets tuf-root -oyaml | sed 's/namespace: .*/namespace: cosign-system/' | kubectl create -f - |
| 127 | + echo "TUF_ROOT_FILE=./root.json" >> $GITHUB_ENV |
| 128 | +
|
| 129 | + - name: Install policy-controller with invalid policy-resync-period |
| 130 | + env: |
| 131 | + GIT_HASH: ${{ github.sha }} |
| 132 | + GIT_VERSION: ci |
| 133 | + LDFLAGS: "" |
| 134 | + POLICY_CONTROLLER_YAML: test/kustomize-invalid-policy-resync-period/policy-controller-e2e.yaml |
| 135 | + KO_PREFIX: registry.local:5000/policy-controller |
| 136 | + POLICY_CONTROLLER_ARCHS: linux/amd64 |
| 137 | + run: | |
| 138 | + make ko-policy-controller |
| 139 | + kustomize build test/kustomize-invalid-policy-resync-period | kubectl apply -f - |
| 140 | +
|
| 141 | + sleep 30 |
| 142 | +
|
| 143 | + # And make sure a panic occurred |
| 144 | + kubectl -n cosign-system logs deployment/webhook | grep "panic: Failed to parse --policy-resync-period '1d' : time: unknown unit \"d\" in duration \"1d\"" |
| 145 | +
|
| 146 | + sleep 10 |
| 147 | +
|
| 148 | + - name: Install policy-controller with valid policy-resync-period |
| 149 | + env: |
| 150 | + GIT_HASH: ${{ github.sha }} |
| 151 | + GIT_VERSION: ci |
| 152 | + LDFLAGS: "" |
| 153 | + POLICY_CONTROLLER_YAML: test/kustomize-policy-resync-period/policy-controller-e2e.yaml |
| 154 | + KO_PREFIX: registry.local:5000/policy-controller |
| 155 | + POLICY_CONTROLLER_ARCHS: linux/amd64 |
| 156 | + run: | |
| 157 | + make ko-policy-controller |
| 158 | + kustomize build test/kustomize-policy-resync-period | kubectl apply -f - |
| 159 | +
|
| 160 | + # Wait for the webhook to come up and become Ready |
| 161 | + kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook |
| 162 | + sleep 10 |
| 163 | +
|
| 164 | + - name: Collect diagnostics |
| 165 | + if: ${{ failure() }} |
| 166 | + uses: chainguard-dev/actions/kind-diag@84c993eaf02da1c325854fb272a4df9184bd80fc # main |
0 commit comments