-
Notifications
You must be signed in to change notification settings - Fork 17
236 lines (207 loc) · 8.75 KB
/
upgrade.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
name: Operator Upgrade
on:
workflow_dispatch:
push:
branches: [ "main", "release*" ]
tags: [ "*" ]
pull_request:
branches: [ "main", "release*" ]
env:
GO_VERSION: 1.21
jobs:
upgrade:
name: Upgrade operator test
runs-on: ubuntu-20.04
env:
IMG: ttl.sh/securesign/operator-upgrade-${{github.run_number}}:1h
BUNDLE_IMG: ttl.sh/securesign/bundle-upgrade-${{github.run_number}}:1h
CATALOG_IMG: ttl.sh/securesign/catalog-upgrade-${{github.run_number}}:1h
steps:
- name: Free Disk Space (Ubuntu)
uses: jlumbroso/free-disk-space@main
with:
tool-cache: true
- name: Checkout source
uses: actions/checkout@v2
- name: Install Go
uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}
- uses: actions/cache@v3
with:
path: |
~/.cache/go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Log in to registry.redhat.io
uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1
with:
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_PASSWORD }}
registry: registry.redhat.io
auth_file_path: /tmp/config.json
- name: Install OPM
run: |
make opm
echo "OPM=${{ github.workspace }}/bin/opm" >> $GITHUB_ENV
- name: Remove rhel9 suffix from images.go
uses: jacobtomlinson/gha-find-replace@v3
with:
find: "-rhel9@"
replace: "@"
include: "**images.go"
regex: false
- name: Replace trillian images
uses: jacobtomlinson/gha-find-replace@v3
with:
find: "registry.redhat.io/rhtas/trillian-"
replace: "quay.io/redhat-user-workloads/rhtas-tenant/trillian/"
include: "**images.go"
regex: false
- name: replace Fulcio images
uses: jacobtomlinson/gha-find-replace@v3
with:
find: "registry.redhat.io/rhtas/fulcio"
replace: "quay.io/redhat-user-workloads/rhtas-tenant/fulcio/fulcio-server"
include: "**images.go"
regex: false
- name: replace Rekor-search images
uses: jacobtomlinson/gha-find-replace@v3
with:
find: "registry.redhat.io/rhtas/rekor-search-ui"
replace: "quay.io/redhat-user-workloads/rhtas-tenant/rekor-search/rekor-search"
include: "**images.go"
regex: false
- name: replace Rekor images
uses: jacobtomlinson/gha-find-replace@v3
with:
find: 'registry.redhat.io/rhtas/rekor-'
replace: "quay.io/redhat-user-workloads/rhtas-tenant/rekor/rekor-"
include: "**images.go"
regex: false
- name: replace Tuf images
uses: jacobtomlinson/gha-find-replace@v3
with:
find: "registry.redhat.io/rhtas/tuf-"
replace: "quay.io/redhat-user-workloads/rhtas-tenant/scaffold/tuf-"
include: "**images.go"
regex: false
- name: replace CTL images
uses: jacobtomlinson/gha-find-replace@v3
with:
find: "registry.redhat.io/rhtas/certificate-transparency"
replace: "quay.io/redhat-user-workloads/rhtas-tenant/certificate-transparency-go/certificate-transparency-go"
include: "**images.go"
regex: false
- name: replace server-cg image
uses: jacobtomlinson/gha-find-replace@v3
with:
find: "registry.redhat.io/rhtas/client-server-cg"
replace: "quay.io/redhat-user-workloads/rhtas-tenant/cli/client-server-cg"
include: "**images.go"
regex: false
- name: replace server-re image
uses: jacobtomlinson/gha-find-replace@v3
with:
find: "registry.redhat.io/rhtas/client-server-re"
replace: "quay.io/redhat-user-workloads/rhtas-tenant/cli/client-server-re"
include: "**images.go"
regex: false
- name: replace segment job image
uses: jacobtomlinson/gha-find-replace@v3
with:
find: "registry.redhat.io/rhtas/segment-reporting"
replace: "quay.io/redhat-user-workloads/rhtas-tenant/segment-backup-job/segment-backup-job"
include: "**images.go"
regex: false
- name: Print Resulting images.go file
run: cat controllers/constants/images.go
- name: Build operator container
run: make docker-build docker-push
- name: Build operator bundle
run: make bundle bundle-build bundle-push
- name: Checkout FBC source
uses: actions/checkout@v2
with:
repository: "securesign/fbc"
path: fbc
- name: Build catalog
run: |
cd fbc
chmod +x ./generate-fbc.sh && OPM_CMD=${{ env.OPM }} ./generate-fbc.sh --init-basic v4.14 jq
cat << EOF >> v4.14/graph.json
{
"schema": "olm.bundle",
"image": "$BUNDLE_IMG"
}
EOF
#TODO: versions needs to be maintained - try to eliminate
cat <<< $(jq 'select(.schema == "olm.channel" and .name == "stable").entries += [{"name":"rhtas-operator.v1.0.2", "replaces": "rhtas-operator.v1.0.1"}]' v4.14/graph.json) > v4.14/graph.json
cat v4.14/graph.json
${{ env.OPM }} alpha render-template basic v4.14/graph.json > v4.14/catalog/rhtas-operator/catalog.json
${{ env.OPM }} validate v4.14/catalog/rhtas-operator
docker build v4.14 -f v4.14/catalog.Dockerfile -t $CATALOG_IMG
docker push $CATALOG_IMG
- name: Image prune
run: docker image prune -af
- name: Install Cluster
uses: container-tools/[email protected]
with:
version: v0.20.0
node_image: kindest/node:v1.26.6@sha256:6e2d8b28a5b601defe327b98bd1c2d1930b49e5d8c512e1895099e4504007adb
cpu: 3
registry: false
config: ./ci/config.yaml
- name: Configure cluster
run: |
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=90s
#install OLM
kubectl create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.25.0/crds.yaml
# wait for a while to be sure CRDs are installed
sleep 1
kubectl create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.25.0/olm.yaml
kubectl create --kustomize ci/keycloak/operator/overlay/kind
until [ ! -z "$(kubectl get pod -l name=keycloak-operator -n keycloak-system 2>/dev/null)" ]
do
echo "Waiting for keycloak operator. Pods in keycloak-system namespace:"
kubectl get pods -n keycloak-system
sleep 10
done
kubectl create --kustomize ci/keycloak/resources/overlay/kind
until [[ $( oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system 2>/dev/null) == "true" ]]
do
printf "Waiting for keycloak deployment. \n Keycloak ready: %s\n" $(oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system)
sleep 10
done
# HACK - expose keycloak under the same name as the internal SVC has so it will be accessible:
# - within the cluster (where the localhost does not work)
# - outside the cluster (resolved from /etc/hosts and redirect to the localhost)
kubectl create -n keycloak-system -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: keycloak
spec:
rules:
- host: keycloak-internal.keycloak-system.svc
http:
paths:
- backend:
service:
name: keycloak-internal
port:
number: 80
path: /
pathType: Prefix
EOF
shell: bash
- name: Add service hosts to /etc/hosts
run: |
sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local keycloak-internal.keycloak-system.svc rekor-search-ui.local cli-server.local" | sudo tee -a /etc/hosts
- name: Install cosign
run: go install github.com/sigstore/cosign/v2/cmd/[email protected]
- name: Run tests
run: TEST_BASE_CATALOG=registry.redhat.io/redhat/redhat-operator-index:v4.14 TEST_TARGET_CATALOG=$CATALOG_IMG OPENSHIFT=false go test ./e2e/... -tags=upgrade -timeout 20m