Testing

.github/workflows/stale-issues.yaml → .github/workflows/admin-stale-issues.yaml

@@ -1,4 +1,4 @@
-name: 'Close stale issues'
+name: '[Admin] Close stale issues'
 on:
   schedule:
     # once a day at noon

.github/workflows/ci-build.yml

@@ -0,0 +1,38 @@
+name: '[CI] Build'
+on:
+  workflow_dispatch:
+  workflow_call:
+    inputs:
+      k8s_version:
+        required: true
+        type: string
+      build_id:
+        required: true
+        type: string        
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v2
+      - uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}          
+      - run: echo "AMI_NAME=amazon-eks-node-${{ inputs.k8s_version }}-${{ inputs.build_id }}" >> $GITHUB_ENV
+      - run: make ${{ inputs.k8s_version }} ami_name=${{ env.AMI_NAME }}
+      - id: ami_id
+        run: echo "ami_id=$(jq -r .builds[0].artifact_id "${{ env.AMI_NAME }}-manifest.json" | cut -d ':' -f 2)" >> $GITHUB_OUTPUT
+    outputs:
+      ami_id: ${{ steps.ami_id.outputs.ami_id }}
+  integration-test:
+    needs: build
+    uses: ./.github/workflows/ci-integration-test.yml
+    with:
+      k8s_version: ${{ inputs.k8s_version }}    
+      build_id: ${{ inputs.build_id }}
+      ami_id: ${{ needs.build.outputs.ami_id }}
+    secrets: inherit

.github/workflows/ci-integration-test.yml

@@ -0,0 +1,78 @@
+name: '[CI] Integration test'
+on:
+  workflow_dispatch:
+  workflow_call:
+    inputs:
+      build_id:
+        required: true
+        type: string
+      ami_id:
+        required: true
+        type: string
+      k8s_version:
+        required: true
+        type: string
+jobs:
+  launch:
+    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+    outputs:
+      cluster_name: ${{ steps.launch.outputs.cluster_name }}
+    steps:
+      - uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+      - id: launch
+        run: |
+          #!/usr/bin/env bash
+
+          wget --no-verbose -O eksctl.tar.gz "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_Linux_amd64.tar.gz"
+          tar xf eksctl.tar.gz && chmod +x ./eksctl
+
+          SANITIZED_K8S_VERSION=$(echo ${{ inputs.k8s_version }} | tr -d '.')
+          CLUSTER_NAME="$SANITIZED_K8S_VERSION-${{ inputs.build_id }}"
+
+          echo '---
+          apiVersion: eksctl.io/v1alpha5
+          kind: ClusterConfig
+          metadata:
+            name: "'$CLUSTER_NAME'"
+            region: "${{ secrets.AWS_REGION }}"
+            version: "${{ inputs.k8s_version }}"
+          nodeGroups:
+          - name: "${{ inputs.build_id }}"
+            instanceType: m5.large
+            minSize: 3
+            maxSize: 3
+            desiredCapacity: 3
+            ami: "${{ inputs.ami_id }}"
+            overrideBootstrapCommand: |
+              #!/bin/bash
+              source /var/lib/cloud/scripts/eksctl/bootstrap.helper.sh
+              /etc/eks/bootstrap.sh "'$CLUSTER_NAME'" --kubelet-extra-args "--node-labels=${NODE_LABELS}"' >> cluster.yaml
+          cat cluster.yaml
+
+          ./eksctl create cluster --config-file cluster.yaml
+          echo "cluster_name=$CLUSTER_NAME" >> $GITHUB_OUTPUT
+  sonobuoy:
+    needs: launch
+    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: aws-actions/configure-aws-credentials@v1-node16
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          # 2 hours (job usually completes in 90 minutes)
+          role-duration-seconds: 7200
+      - run: |
+          aws eks update-kubeconfig --name ${{ needs.launch.outputs.cluster_name }}
+          wget --no-verbose -O sonobuoy.tar.gz "https://github.com/vmware-tanzu/sonobuoy/releases/download/v0.56.11/sonobuoy_0.56.11_linux_amd64.tar.gz"
+          tar xf sonobuoy.tar.gz && chmod +x ./sonobuoy
+          ./sonobuoy run --wait
+          ./sonobuoy results $(./sonobuoy retrieve)

.github/workflows/ci.yml

@@ -0,0 +1,45 @@
+name: '[CI] Entrypoint'
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+jobs:
+  setup:
+    runs-on: ubuntu-latest
+    outputs:
+      sha_short: ${{ steps.variables.outputs.sha_short }}    
+    steps:
+    - id: variables
+      run: echo "sha_short=$(echo ${{ github.sha }} | rev | cut -c-7 | rev)" >> $GITHUB_OUTPUT    
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - run: echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
+    - run: go install mvdan.cc/sh/v3/cmd/shfmt@latest
+    - run: make lint
+  unit-test:
+    needs: lint
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - run: make test  
+  version-workflow:
+    name: ${{ matrix.k8s_version }}
+    needs:
+      - setup
+      - unit-test
+    strategy:
+      matrix:
+        k8s_version: ['1.21', '1.22', '1.23', '1.24']
+    uses: ./.github/workflows/ci-build.yml
+    with:
+      k8s_version: ${{ matrix.k8s_version }}
+      build_id: ${{ github.event_name }}-${{ needs.setup.outputs.sha_short }}-${{ github.run_id }}-${{ github.run_number }}-${{ github.run_attempt }}
+    secrets: inherit

.github/workflows/janitor-ami-sweeper.yml

@@ -0,0 +1,54 @@
+name: '[Janitor] AMI sweeper'
+on:
+  workflow_dispatch:
+    inputs:
+      max_age_seconds:
+        required: true
+        type: number  
+  workflow_call:
+    inputs:
+      max_age_seconds:
+        required: true
+        type: number
+jobs:
+  ami-sweeper:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}          
+      - run: |
+          #!/usr/bin/env bash
+
+          set -o errexit
+          set -o pipefail
+          set -o nounset
+
+          function jqb64() {
+            if [ "$#" -lt 2 ]; then
+              echo "usage: jqb64 BASE64_JSON JQ_ARGS..."
+              exit 1
+            fi
+            BASE64_JSON="$1"
+            shift
+            echo "$BASE64_JSON" | base64 --decode | jq $@
+          }
+
+          for IMAGE_DETAILS in $(aws ec2 describe-images --owners self --output json | jq -r '.Images[] | @base64'); do
+            NAME=$(jqb64 "$IMAGE_DETAILS" -r '.Name')
+            IMAGE_ID=$(jqb64 "$IMAGE_DETAILS" -r '.ImageId')
+            CREATION_DATE=$(jqb64 "$IMAGE_DETAILS" -r '.CreationDate')
+            CREATION_DATE_SECONDS=$(date -d "$CREATION_DATE" '+%s')
+            CURRENT_TIME_SECONDS=$(date '+%s')
+            MIN_CREATION_DATE_SECONDS=$(($CURRENT_TIME_SECONDS - ${{ inputs.max_age_seconds }}))
+            if [ "$CREATION_DATE_SECONDS" -lt "$MIN_CREATION_DATE_SECONDS" ]; then
+              aws ec2 deregister-image --image-id "$IMAGE_ID"
+              for SNAPSHOT_ID in $(jqb64 "$IMAGE_DETAILS" -r '.BlockDeviceMappings[].Ebs.SnapshotId'); do
+                aws ec2 delete-snapshot --snapshot-id "$SNAPSHOT_ID"
+              done
+              echo "Deleted $IMAGE_ID: $NAME"
+            fi
+          done

.github/workflows/janitor-cluster-sweeper.yml

@@ -0,0 +1,65 @@
+name: '[Janitor] Cluster sweeper'
+on:
+  workflow_dispatch:
+    inputs:
+      max_age_seconds:
+        required: true
+        type: number
+  workflow_call:
+    inputs:
+      max_age_seconds:
+        required: true
+        type: number
+jobs:
+  cluster-sweeper:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}          
+      - run: |
+          #!/usr/bin/env bash
+
+          set -o errexit
+          set -o pipefail
+          set -o nounset
+
+          function iso8601_is_eligible_for_deletion() {
+            local TIME_IN_ISO8601="$1"
+            local TIME_IN_SECONDS=$(date -d "$TIME_IN_ISO8601" '+%s')
+            local CURRENT_TIME_IN_SECONDS=$(date '+%s')
+            MIN_TIME_SECONDS=$(($CURRENT_TIME_IN_SECONDS - ${{ inputs.max_age_seconds }}))
+            [ "$TIME_IN_SECONDS" -lt "$MIN_TIME_SECONDS" ]
+          }
+
+          function cluster_is_eligible_for_deletion() {
+            local CLUSTER_NAME="$1"
+            local CREATED_AT_ISO8601=$(aws eks describe-cluster --name $CLUSTER_NAME --query 'cluster.createdAt' --output text)
+            iso8601_is_eligible_for_deletion "$CREATED_AT_ISO8601"
+          }
+
+          function nodegroup_is_eligible_for_deletion() {
+            local CLUSTER_NAME="$1"
+            local NODEGROUP_NAME="$2"
+            local CREATED_AT_ISO8601=$(aws eks describe-nodegroup --cluster-name "$CLUSTER_NAME" --nodegroup-name $NODEGROUP_NAME --query 'nodegroup.createdAt' --output text)
+            iso8601_is_eligible_for_deletion "$CREATED_AT_ISO8601"
+          }          
+
+          wget --no-verbose -O eksctl.tar.gz "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_Linux_amd64.tar.gz"
+          tar xf eksctl.tar.gz && chmod +x ./eksctl      
+          for CLUSTER in $(aws eks list-clusters --query 'clusters[]' --output text); do
+            for NODEGROUP in $(aws eks list-nodegroups --cluster-name $CLUSTER --query 'nodegroups[]' --output text); do
+              if nodegroup_is_eligible_for_deletion $CLUSTER $NODEGROUP; then
+                ./eksctl delete nodegroup --cluster $CLUSTER --name $NODEGROUP
+              fi
+            done
+            if [ "$(aws eks list-nodegroups --cluster-name $CLUSTER --output json | jq '.nodegroups | length')" -gt 0 ]; then
+              echo "Skipping cluster $CLUSTER"
+            elif cluster_is_eligible_for_deletion $CLUSTER; then
+              echo "Deleting cluster $CLUSTER"
+              ./eksctl delete cluster --name "$CLUSTER"
+            fi
+          done

.github/workflows/janitor.yml

@@ -0,0 +1,18 @@
+name: '[Janitor] Entrypoint'
+on:
+  schedule:
+    # hourly at the top of the hour
+    - cron: '0 * * * *'
+jobs:
+  cluster-sweeper:
+    uses: ./.github/workflows/janitor-cluster-sweeper.yml
+    secrets: inherit
+    with:
+      # 6 hours
+      max_age_seconds: 21600
+  ami-sweeper:
+    uses: ./.github/workflows/janitor-ami-sweeper.yml
+    secrets: inherit
+    with:
+      # 30 days
+      max_age_seconds: 2592000

.github/workflows/sync-to-codecommit.yml

@@ -0,0 +1,26 @@
+name: '[Sync] Push to CodeCommit'
+
+on:
+  push:
+    branches:    
+      - 'master'
+
+jobs:
+  mirror:
+    runs-on: ubuntu-latest
+    # These permissions are needed to interact with GitHub's OIDC Token endpoint.
+    permissions:
+      id-token: write
+      contents: read    
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+      - run: git config credential.helper '!aws codecommit credential-helper $@'
+      - run: git config credential.UseHttpPath true
+      - run: git remote add mirror ${{ secrets.AWS_CODECOMMIT_REPO_URL }}
+      - run: git push mirror

test-file

@@ -0,0 +1,3 @@
+This file exists to test the PR workflow.
+
+Revision: 1