chore: bumped base image digest #702

Workflow file for this run

	name: CI

	on:
	push:
	branches:
	- main
	- '!dependabot/**'
	tags:
	- '**'
	pull_request: {}

	jobs:

	unit:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- uses: actions/setup-go@v5
	with:
	go-version-file: "go.mod"
	- name: Generate
	run: \|
	set -o errexit
	set -o nounset
	set -o pipefail

	make manifests generate
	git diff --exit-code
	- name: Test
	run: make test
	# TODO setup project with codecov
	# - name: Report coverage
	# run: bash <(curl -s https://codecov.io/bash)
	# env:
	# CODECOV_TOKEN: ...
	- name: Scan Inclusive Terminology
	uses: get-woke/woke-action@v0
	with:
	fail-on-error: true
	woke-args: -c its-woke-rules.yaml

	stage:
	runs-on: ubuntu-latest
	env:
	REGISTRY_NAME: registry.local
	KO_DOCKER_REPO: registry.local/source
	BUNDLE: registry.local/source/bundle
	steps:
	- uses: actions/checkout@v4
	- uses: actions/setup-go@v5
	with:
	go-version-file: "go.mod"
	- uses: carvel-dev/setup-action@v2
	with:
	token: ${{ secrets.GITHUB_TOKEN }}
	- name: Generate certs
	run: \|
	set -o errexit
	set -o nounset
	set -o pipefail

	CERT_DIR=$(mktemp -d -t certs.XXXX)
	echo "CERT_DIR=$CERT_DIR" >> $GITHUB_ENV

	echo "##[group]Install cfssl"
	go install github.com/cloudflare/cfssl/cmd/cfssl@v1.6.3
	go install github.com/cloudflare/cfssl/cmd/cfssljson@v1.6.3
	echo "##[endgroup]"

	echo "##[group]Generate CA"
	cfssl gencert -initca .github/tls/root-csr.json \
	\| cfssljson -bare ${CERT_DIR}/root-ca
	cfssl gencert -ca ${CERT_DIR}/root-ca.pem -ca-key ${CERT_DIR}/root-ca-key.pem \
	-config=".github/tls/config.json" \
	-profile="intermediate" .github/tls/intermediate-csr.json \
	\| cfssljson -bare ${CERT_DIR}/signing-ca
	cat ${CERT_DIR}/signing-ca.pem ${CERT_DIR}/root-ca.pem > ${CERT_DIR}/ca.pem
	echo "##[endgroup]"
	echo "##[group]Install CA"
	# https://ubuntu.com/server/docs/security-trust-store
	sudo apt-get install -y ca-certificates
	sudo cp ${CERT_DIR}/ca.pem /usr/local/share/ca-certificates/ca.crt
	sudo update-ca-certificates
	echo "##[endgroup]"

	echo "##[group]Generate cert"
	cfssl gencert -ca ${CERT_DIR}/signing-ca.pem -ca-key ${CERT_DIR}/signing-ca-key.pem \
	-config=".github/tls/config.json" \
	-profile="server" \
	-hostname="${REGISTRY_NAME},local-registry" \
	.github/tls/server-csr.json \
	\| cfssljson -bare ${CERT_DIR}/server
	echo "##[endgroup]"

	- name: Setup local registry
	run: \|
	set -o errexit
	set -o nounset
	set -o pipefail

	# Run a registry.
	docker run -d \
	--restart=always \
	--name local-registry \
	-v ${CERT_DIR}:/certs \
	-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
	-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.pem \
	-e REGISTRY_HTTP_TLS_KEY=/certs/server-key.pem \
	-p "443:443" \
	registry:2

	# Make the $REGISTRY_NAME -> local-registry
	echo "$(hostname -I \| cut -d' ' -f1) $REGISTRY_NAME" \| sudo tee -a /etc/hosts
	- uses: ko-build/setup-ko@v0.6
	- name: Build Source Controller
	run: \|
	set -o errexit
	set -o nounset
	set -o pipefail

	scratch=$(mktemp -d -t bundle.XXXX)
	mkdir -p "${scratch}/.imgpkg"
	mkdir -p "${scratch}/config"

	cp LICENSE "${scratch}/LICENSE"
	cp dist/bundle.yaml "${scratch}/bundle.yaml"
	cp dist/package-overlay.yaml "${scratch}/package-overlay.yaml"
	cp dist/ca.pem "${scratch}/ca.pem"

	echo "##[group]Build"
	ko resolve --platform=linux/amd64 -B -f dist/source-controller.yaml > "${scratch}/config/source-controller.yaml"
	kbld -f "${scratch}/config/source-controller.yaml" --imgpkg-lock-output "${scratch}/.imgpkg/images.yml" > /dev/null
	echo "##[endgroup]"

	echo "##[group]Create bundle"
	imgpkg push -f "${scratch}" -b "${BUNDLE}"
	imgpkg copy -b "${BUNDLE}" --to-tar source-controller-bundle.tar
	echo "##[endgroup]"
	- uses: actions/upload-artifact@v4
	with:
	name: source-controller-bundle.tar
	path: source-controller-bundle.tar
	retention-days: 1
	- name: Grype scan
	run: \|
	echo "##[group]Install grype"
	curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh \| sh -s -- -b /usr/local/bin
	echo "##[endgroup]"
	echo "##[group]Scan source"
	grype dir:. --exclude ./hack
	echo "##[endgroup]"
	echo "##[group]Scan manager image"
	grype registry.local/source/tanzu-source-controller
	echo "##[endgroup]"
	continue-on-error: true

	acceptance:
	needs: stage
	runs-on: ubuntu-latest
	strategy:
	matrix:
	k8s:
	- 1.24.15
	- 1.25.9
	- 1.26.6
	- 1.27.3
	- 1.28.0
	- 1.29.0
	env:
	REGISTRY_NAME: registry.local
	BUNDLE: registry.local/source/bundle
	steps:
	- uses: actions/checkout@v4
	- uses: actions/setup-go@v5
	with:
	go-version-file: "go.mod"
	- uses: carvel-dev/setup-action@v2
	with:
	token: ${{ secrets.GITHUB_TOKEN }}
	- name: Install kind
	run: \|
	cd $(mktemp -d -t kind.XXXX)
	curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.15.0/kind-$(go env GOHOSTOS)-$(go env GOHOSTARCH)
	chmod +x ./kind
	sudo mv ./kind /usr/local/bin
	cd -
	- name: Generate certs
	run: \|
	set -o errexit
	set -o nounset
	set -o pipefail

	CERT_DIR=$(mktemp -d -t certs.XXXX)
	echo "CERT_DIR=$CERT_DIR" >> $GITHUB_ENV

	echo "##[group]Install cfssl"
	go install github.com/cloudflare/cfssl/cmd/cfssl@v1.6.3
	go install github.com/cloudflare/cfssl/cmd/cfssljson@v1.6.3
	echo "##[endgroup]"

	echo "##[group]Generate CA"
	cfssl gencert -initca .github/tls/root-csr.json \
	\| cfssljson -bare ${CERT_DIR}/root-ca
	cfssl gencert -ca ${CERT_DIR}/root-ca.pem -ca-key ${CERT_DIR}/root-ca-key.pem \
	-config=".github/tls/config.json" \
	-profile="intermediate" .github/tls/intermediate-csr.json \
	\| cfssljson -bare ${CERT_DIR}/signing-ca
	cat ${CERT_DIR}/signing-ca.pem ${CERT_DIR}/root-ca.pem > ${CERT_DIR}/ca.pem
	echo "##[endgroup]"
	echo "##[group]Install CA"
	# https://ubuntu.com/server/docs/security-trust-store
	sudo apt-get install -y ca-certificates
	sudo cp ${CERT_DIR}/ca.pem /usr/local/share/ca-certificates/ca.crt
	sudo update-ca-certificates
	echo "##[endgroup]"

	echo "##[group]Generate cert"
	cfssl gencert -ca ${CERT_DIR}/signing-ca.pem -ca-key ${CERT_DIR}/signing-ca-key.pem \
	-config=".github/tls/config.json" \
	-profile="server" \
	-hostname="${REGISTRY_NAME},local-registry" \
	.github/tls/server-csr.json \
	\| cfssljson -bare ${CERT_DIR}/server
	echo "##[endgroup]"

	- name: Setup local registry
	run: \|
	set -o errexit
	set -o nounset
	set -o pipefail

	# Run a registry.
	docker run -d \
	--restart=always \
	--name local-registry \
	-v ${CERT_DIR}:/certs \
	-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
	-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.pem \
	-e REGISTRY_HTTP_TLS_KEY=/certs/server-key.pem \
	-p "443:443" \
	registry:2

	# Make the $REGISTRY_NAME -> local-registry
	echo "$(hostname -I \| cut -d' ' -f1) $REGISTRY_NAME" \| sudo tee -a /etc/hosts
	- name: Create Cluster
	run: \|
	set -o errexit
	set -o nounset
	set -o pipefail

	# create a cluster with the local registry enabled in containerd
	cat <<EOF \| kind create cluster --config=-
	kind: Cluster
	apiVersion: kind.x-k8s.io/v1alpha4
	containerdConfigPatches:
	- \|-
	[plugins."io.containerd.grpc.v1.cri".registry.mirrors."${REGISTRY_NAME}"]
	endpoint = ["https://local-registry"]
	- \|-
	[plugins."io.containerd.grpc.v1.cri".registry.configs."local-registry".tls]
	ca_file = "/etc/docker/certs.d/local-registry/ca.pem"
	nodes:
	- role: control-plane
	image: kindest/node:v${{ matrix.k8s }}
	extraMounts:
	- containerPath: /etc/docker/certs.d/local-registry
	hostPath: ${CERT_DIR}
	EOF

	# connect the registry to the cluster network
	docker network connect kind local-registry

	# Document the local registry
	# wokeignore:rule=master
	# https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry
	cat <<EOF \| kubectl apply -f -
	apiVersion: v1
	kind: ConfigMap
	metadata:
	name: local-registry-hosting
	namespace: kube-public
	data:
	localRegistryHosting.v1: \|
	host: "localhost"
	help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
	EOF
	- name: Download staged Source Controller build
	uses: actions/download-artifact@v4
	with:
	name: source-controller-bundle.tar
	- name: Relocate bundle
	run: \|
	set -o errexit
	set -o nounset
	set -o pipefail

	imgpkg copy --tar source-controller-bundle.tar --to-repo "${BUNDLE}"
	mkdir -p source-bundle
	imgpkg pull -b "${BUNDLE}" -o source-bundle
	- name: Install cert-manager
	run: \|
	set -o errexit
	set -o nounset
	set -o pipefail

	kapp deploy -a cert-manager -n kube-system \
	--wait-timeout 5m -y \
	-f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml
	- name: Install kapp-controller
	run: \|
	set -o errexit
	set -o nounset
	set -o pipefail

	kapp deploy -a kapp-controller -n kube-system \
	--wait-timeout 5m -y \
	-f https://github.com/vmware-tanzu/carvel-kapp-controller/releases/latest/download/release.yml \
	-f <( \
	ytt -f .github/kapp/kapp-controller-config.yaml \
	--data-value-file ca_cert_data=${CERT_DIR}/ca.pem \
	)
	- name: Deploy Source Controller Package
	run: \|
	set -o errexit
	set -o nounset
	set -o pipefail

	kapp deploy -a source-controller-package -y \
	--wait-timeout 5m \
	-f <( \
	ytt -f dist/package.yaml -f dist/package.values.yaml \
	--data-value version=0.0.0-snapshot \
	--data-value image=${BUNDLE} \
	)

	- name: Test Install Source Controller with no package values
	run: \|
	set -o errexit
	set -o nounset
	set -o pipefail

	kapp deploy -a source-controller -y \
	--wait-timeout 5m \
	-f <( \
	ytt -f dist/package-install.yaml -f dist/package-install.values.yaml \
	--data-value package_constraints=0.0.0-snapshot \
	--data-value-yaml 'package_prerelease={}' \
	)

	kapp delete -a source-controller --wait-timeout 5m -y

	- name: Install Source Controller
	run: \|
	set -o errexit
	set -o nounset
	set -o pipefail

	kapp deploy -a source-controller -y \
	--wait-timeout 5m \
	-f <( \
	ytt -f dist/package-install.yaml -f dist/package-install.values.yaml \
	--data-value package_constraints=0.0.0-snapshot \
	--data-value-yaml 'package_prerelease={}' \
	--data-value sync_period=10s \
	--data-value-yaml 'has_values=true' \
	--data-value-file ca_cert_data=${CERT_DIR}/ca.pem \
	)

	- name: Smoke test
	run: \|
	set -o errexit
	set -o nounset
	set -o pipefail

	imgpkg push -i ${REGISTRY_NAME}/test -f .github/smoke/image/
	cat <<EOF \| kubectl create -f -
	apiVersion: source.apps.tanzu.vmware.com/v1alpha1
	kind: ImageRepository
	metadata:
	name: test
	spec:
	image: ${REGISTRY_NAME}/test
	EOF
	kubectl wait --for=condition=ready --timeout=30s imagerepositories.source.apps.tanzu.vmware.com test

	cat <<EOF \| kubectl create -f -
	apiVersion: batch/v1
	kind: Job
	metadata:
	name: image-test
	spec:
	template:
	spec:
	containers:
	- name: main
	image: krashed843/alpine-curl-kubectl@sha256:3421d505e5d1224160d4b118c3befb4f511660e665deb450019f2cd7f1e1274d
	command:
	- sh
	- -c
	- curl $(kubectl get imagerepositories.source.apps.tanzu.vmware.com test -ojsonpath='{.status.artifact.url}') \| tar -ztv
	restartPolicy: Never
	EOF
	kubectl wait --for=condition=complete --timeout=30s job image-test
	kubectl logs job/image-test \| grep hello.txt

	cat <<EOF \| kubectl create -f -
	apiVersion: source.apps.tanzu.vmware.com/v1alpha1
	kind: MavenArtifact
	metadata:
	name: test
	spec:
	artifact:
	groupId: org.springframework.boot
	artifactId: spring-boot
	version: "2.7.0"
	repository:
	url: https://repo1.maven.org/maven2
	interval: 5m0s
	EOF
	kubectl wait --for=condition=ready --timeout=30s mavenartifacts.source.apps.tanzu.vmware.com test

	cat <<EOF \| kubectl create -f -
	apiVersion: batch/v1
	kind: Job
	metadata:
	name: maven-test
	spec:
	template:
	spec:
	containers:
	- name: main
	image: krashed843/alpine-curl-kubectl@sha256:3421d505e5d1224160d4b118c3befb4f511660e665deb450019f2cd7f1e1274d
	command:
	- sh
	- -c
	- curl $(kubectl get mavenartifacts.source.apps.tanzu.vmware.com test -ojsonpath='{.status.artifact.url}') \| tar -ztv
	restartPolicy: Never
	EOF
	kubectl wait --for=condition=complete --timeout=30s job maven-test
	kubectl logs job/maven-test \| grep META-INF/MANIFEST.MF

	- name: Collect diagnostics
	run: \|
	set +o errexit
	set -o nounset
	set +o pipefail

	echo "##[group]Image Repositories"
	kubectl get imagerepositories.source.apps.tanzu.vmware.com -A -oyaml
	echo "##[endgroup]"
	echo "##[group]Maven Artifacts"
	kubectl get mavenartifacts.source.apps.tanzu.vmware.com -A -oyaml
	echo "##[endgroup]"
	echo "##[group]Source Controller Deployment"
	kubectl get deployments -n source-system -l control-plane=controller-manager -oyaml
	echo "---"
	kubectl get pods -n source-system -l control-plane=controller-manager -oyaml
	echo "---"
	kubectl get secrets -n source-system -l control-plane=controller-manager -oyaml
	echo "##[endgroup]"
	echo "##[group]Source Controller logs"
	kubectl logs -n source-system -l control-plane=controller-manager -c manager --tail 1000
	echo "##[endgroup]"
	echo "##[group]Packages"
	kubectl get packages.data.packaging.carvel.dev -A -oyaml
	echo "##[endgroup]"
	echo "##[group]Package Installs"
	kubectl get packageinstalls.packaging.carvel.dev -A -oyaml
	kubectl get secret source-controller-values -oyaml
	echo "##[endgroup]"
	echo "##[group]Kapp list apps"
	kapp list -A
	echo "##[endgroup]"
	echo "##[group]Package changesets"
	kapp app-change list -a source-controller.app
	echo "##[endgroup]"
	echo "##[group]kapp-controller logs"
	kubectl logs -n kapp-controller -l app=kapp-controller -c kapp-controller --tail 1000
	echo "##[endgroup]"
	echo "##[group]image-test job logs"
	kubectl logs job/image-test
	echo "##[endgroup]"
	echo "##[group]maven-test job logs"
	kubectl logs job/maven-test
	echo "##[endgroup]"
	echo "##[group]Docker processes"
	docker ps
	echo "##[endgroup]"
	echo "##[group]Registry logs"
	docker logs local-registry
	echo "##[endgroup]"
	echo "##[group]Registry certs"
	openssl s_client -connect ${REGISTRY_NAME}:443 -showcerts
	echo "##[endgroup]"
	echo "##[group]Registry request"
	curl -v https://${REGISTRY_NAME}/v2/
	echo "##[endgroup]"
	if: always()
	continue-on-error: true
	- name: Fail for multiple kapp changes
	run: \|
	set -o errexit
	set -o nounset
	set -o pipefail

	deploys=$(kapp app-change list -a source-controller.app --json \| jq '.Tables[0].Rows \| length')
	if [ "$((deploys))" -gt 1 ]; then
	echo "Too many app changes for the source-controller package, expected 1 found ${deploys}"
	exit 1
	fi
	- name: Delete Gracefully
	run: \|
	set -o errexit
	set -o nounset
	set -o pipefail

	echo "##[group]Delete source-controller"
	kapp delete -a source-controller --wait-timeout 5m -y
	echo "##[endgroup]"
	echo "##[group]Delete source-controller-package"
	kapp delete -a source-controller-package --wait-timeout 5m -y
	echo "##[endgroup]"
	echo "##[group]Delete kapp-controller"
	kapp delete -a kapp-controller -n kube-system --wait-timeout 5m -y
	echo "##[endgroup]"
	echo "##[group]Delete cert-manager"
	kapp delete -a cert-manager -n kube-system --wait-timeout 5m -y
	echo "##[endgroup]"
	if: always()
	- name: Cleanup cluster
	run: kind delete cluster
	if: always()

	release:
	needs:
	- unit
	- acceptance
	if: startsWith(github.ref, 'refs/tags/')
	runs-on: ubuntu-latest
	steps:
	- name: Get the version
	id: get_version
	run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//}
	- name: Draft release
	id: create_release
	uses: actions/create-release@v1.1.4
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	tag_name: ${{ github.ref }}
	release_name: Release ${{ steps.get_version.outputs.VERSION }}
	draft: true
	- name: Download staged Source Controller build
	uses: actions/download-artifact@v4
	with:
	name: source-controller-bundle.tar
	- name: Upload Source Controller release
	uses: actions/upload-release-asset@v1.0.2
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps
	asset_path: source-controller-bundle.tar
	asset_name: source-controller-bundle-${{ steps.get_version.outputs.VERSION }}.tar
	asset_content_type: application/x-tar

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: bumped base image digest #702

Workflow file

chore: bumped base image digest #702

Jobs

Run details

Workflow file for this run