Network policy template #207
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: ci | |
on: | |
pull_request: | |
push: | |
branches: | |
- main | |
tags: | |
- '*' | |
jobs: | |
docker-base: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
# Build and push with docker buildx | |
- name: Setup docker buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Configure tags based on git tags + latest | |
uses: docker/metadata-action@v4 | |
id: meta | |
with: | |
images: clux/controller | |
tags: | | |
type=pep440,pattern={{version}} | |
type=raw,value=latest,enable={{is_default_branch}} | |
type=ref,event=pr | |
- name: Docker login on main origin | |
uses: docker/login-action@v2 | |
if: github.event_name != 'pull_request' | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- uses: actions/cache@v3 | |
with: | |
path: | | |
~/.cargo/registry/index/ | |
~/.cargo/registry/cache/ | |
~/.cargo/git/db/ | |
target/ | |
key: musl-cargo-${{ hashFiles('**/Cargo.lock') }} | |
- name: Compile base features | |
run: | | |
mkdir -p ~/.cargo/{git,registry} | |
docker run --rm -t \ | |
--mount type=bind,source=${{ github.workspace }},target=/volume \ | |
--mount type=bind,source=$HOME/.cargo/registry,target=/root/.cargo/registry \ | |
--mount type=bind,source=$HOME/.cargo/git,target=/root/.cargo/git \ | |
clux/muslrust:stable \ | |
cargo build --release --bin controller | |
cp target/x86_64-unknown-linux-musl/release/controller . | |
- name: Docker buildx and push with base features | |
uses: docker/build-push-action@v4 | |
with: | |
context: . | |
cache-from: type=gha,scope=base | |
cache-to: type=gha,scope=base,mode=max | |
push: ${{ github.ref == 'refs/heads/main' }} | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
platforms: linux/amd64 | |
- name: Persist base image build to a tarball | |
uses: docker/build-push-action@v4 | |
with: | |
context: . | |
platforms: linux/amd64 | |
tags: ${{ steps.meta.outputs.tags }} | |
cache-from: type=gha,scope=base | |
outputs: type=docker,dest=/tmp/image.tar | |
- name: Upload base docker image as artifact for e2e tests | |
uses: actions/upload-artifact@v3 | |
with: | |
name: controller-image | |
path: /tmp/image.tar | |
docker-otel: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
# Build and push with docker buildx | |
- name: Setup docker buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Configure tags based on git tags for otel | |
uses: docker/metadata-action@v4 | |
id: meta | |
with: | |
images: clux/controller | |
tags: | | |
type=pep440,pattern={{version}},prefix=otel- | |
type=raw,value=otel,enable={{is_default_branch}} | |
type=ref,event=pr,prefix=otel- | |
- uses: actions/cache@v3 | |
with: | |
path: | | |
~/.cargo/registry/index/ | |
~/.cargo/registry/cache/ | |
~/.cargo/git/db/ | |
target/ | |
key: musl-cargo-otel-${{ hashFiles('**/Cargo.lock') }} | |
- name: Compile with telemetry | |
run: | | |
mkdir -p ~/.cargo/{git,registry} | |
docker run --rm -t \ | |
--mount type=bind,source=${{ github.workspace }},target=/volume \ | |
--mount type=bind,source=$HOME/.cargo/registry,target=/root/.cargo/registry \ | |
--mount type=bind,source=$HOME/.cargo/git,target=/root/.cargo/git \ | |
clux/muslrust:stable \ | |
cargo build --features=telemetry --release --bin controller | |
cp target/x86_64-unknown-linux-musl/release/controller . | |
- name: Docker login on main origin | |
uses: docker/login-action@v2 | |
if: github.event_name != 'pull_request' | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Docker buildx and push with telemetry | |
uses: docker/build-push-action@v4 | |
with: | |
context: . | |
cache-from: type=gha,scope=otel | |
cache-to: type=gha,scope=otel,mode=max | |
push: ${{ github.ref == 'refs/heads/main' }} | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
platforms: linux/amd64 | |
e2e: | |
runs-on: ubuntu-latest | |
needs: [docker-base] | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: nolar/setup-k3d-k3s@v1 | |
with: | |
version: v1.27 | |
k3d-name: kube | |
k3d-args: "--no-lb --no-rollback --k3s-arg --disable=traefik,servicelb,metrics-server@server:*" | |
- run: kubectl apply -f yaml/crd.yaml | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Download docker image artifact from docker job | |
uses: actions/download-artifact@v3 | |
with: | |
name: controller-image | |
path: /tmp | |
- name: Load docker image from tarball | |
run: docker load --input /tmp/image.tar | |
- run: | | |
apiserver="$(kubectl get endpoints kubernetes -ojson | jq '.subsets[0].addresses[0].ip' -r)" | |
helm template charts/doc-controller \ | |
--set version=latest \ | |
--set networkPolicy.enabled=true \ | |
--set networkPolicy.apiserver.0=${apiserver}/32 \ | |
| kubectl apply -f - | |
- run: kubectl wait --for=condition=available deploy/doc-controller --timeout=30s | |
- run: kubectl apply -f yaml/instance-samuel.yaml | |
- run: sleep 2 # TODO: add condition on status and wait for it instead | |
# verify reconcile actions have happened | |
- run: kubectl get netpol doc-controller -oyaml | |
- run: kubectl logs deploy/doc-controller | |
- run: kubectl get event --field-selector "involvedObject.kind=Document,involvedObject.name=samuel" | grep "HideRequested" | |
- run: kubectl get doc -oyaml | grep -A1 finalizers | grep documents.kube.rs | |
lint: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Install protoc | |
run: sudo apt-get install -y protobuf-compiler | |
- uses: dtolnay/rust-toolchain@stable | |
with: | |
toolchain: nightly | |
components: rustfmt,clippy | |
- run: cargo +nightly fmt -- --check | |
- uses: giraffate/clippy-action@v1 | |
with: | |
reporter: 'github-pr-review' | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
clippy_flags: --all-features | |
integration: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: dtolnay/rust-toolchain@stable | |
- uses: Swatinem/rust-cache@v2 | |
- uses: nolar/setup-k3d-k3s@v1 | |
with: | |
version: v1.25 | |
k3d-name: kube | |
k3d-args: "--no-lb --no-rollback --k3s-arg --disable=traefik,servicelb,metrics-server@server:*" | |
- name: Build workspace | |
run: cargo build | |
- name: Install crd | |
run: cargo run --bin crdgen | kubectl apply -f - | |
- name: Run all default features integration library tests | |
run: cargo test --lib --all -- --ignored | |
unit: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
fetch-depth: 2 | |
- uses: dtolnay/rust-toolchain@stable | |
- uses: Swatinem/rust-cache@v2 | |
# Real CI work starts here | |
- name: Build workspace | |
run: cargo build | |
- name: Run workspace unit tests | |
run: cargo test | |
- name: Generate crd.yaml | |
run: cargo run --bin crdgen > yaml/crd.yaml | |
- name: Generate deployment.yaml | |
run: helm template charts/doc-controller > yaml/deployment.yaml | |
- name: Ensure generated output is committed | |
run: | | |
if ! git diff --exit-code yaml/; then | |
echo "Uncommitted changes in yaml directory" | |
echo "Please run 'just generate' and commit the results" | |
exit 1 | |
fi |