Skip to content

feat: Ability to set SANs to the API server certificate #220

feat: Ability to set SANs to the API server certificate

feat: Ability to set SANs to the API server certificate #220

Workflow file for this run

name: VM
on:
workflow_dispatch:
pull_request:
branches:
- main
paths-ignore:
- 'site/**'
permissions:
contents: read
jobs:
vm:
# Fedora is different from Ubuntu in LSM (SELinux), filesystem (btrfs), kernel version, etc.
name: "CGroupv2 (Fedora)"
runs-on: ubuntu-22.04
timeout-minutes: 30
strategy:
fail-fast: false
matrix:
provider: [docker, podman]
rootless: ["rootful", "rootless"]
env:
LIMA_VERSION: "0.23.2" # Fedora 40
KIND_EXPERIMENTAL_PROVIDER: "${{ matrix.provider }}"
ROOTLESS: "${{ matrix.rootless }}"
HELPER: "./hack/ci/lima-helper.sh"
JOB_NAME: "cgroup2-${{ matrix.provider }}-${{ matrix.rootless }}"
steps:
- name: Check out code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Get go version
id: golangversion
run: |
echo "go_version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
- name: Set up Go
id: go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: ${{ steps.golangversion.outputs.go_version }}
check-latest: true
- name: "Install QEMU"
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends ovmf qemu-system-x86 qemu-utils
sudo modprobe kvm
# `sudo usermod -aG kvm $(whoami)` does not take an effect on GHA
sudo chown $(whoami) /dev/kvm
- name: "Install Lima"
run: curl -fsSL https://github.com/lima-vm/lima/releases/download/v${LIMA_VERSION}/lima-${LIMA_VERSION}-Linux-x86_64.tar.gz | sudo tar Cxzvf /usr/local -
- name: "Cache ~/.cache/lima"
uses: actions/cache@v4
with:
path: ~/.cache/lima
key: lima-${{ env.LIMA_VERSION }}
- name: "Start Fedora"
# --plain is set to disable file sharing, port forwarding, built-in containerd, etc.
run: limactl start --name=default --plain template://fedora
- name: "Initialize Fedora"
# plain old rsync and ssh are used for the initialization of the guest,
# so that people who are not familiar with Lima can understand the initialization steps.
run: |
set -eux -o pipefail
# Initialize SSH
mkdir -p -m 0700 ~/.ssh
cat ~/.lima/default/ssh.config >> ~/.ssh/config
# Sync the current directory to /tmp/kind in the guest
rsync -a -e ssh . lima-default:/tmp/kind
# Install packages
ssh lima-default sudo /tmp/kind/hack/ci/init-fedora.sh
# Enable systemd lingering for rootless
ssh lima-default sudo loginctl enable-linger "$USER"
# Install kind
ssh lima-default sudo git config --global --add safe.directory /tmp/kind
ssh lima-default sudo make -C /tmp/kind install INSTALL_DIR=/usr/local/bin
- name: Set up Rootless Docker
if: ${{ matrix.provider == 'docker' && matrix.rootless == 'rootless' }}
run: |
# Disable the rootful daemon
"$HELPER" sudo systemctl disable --now docker
# Install the systemd unit
"$HELPER" dockerd-rootless-setuptool.sh install
# Modify the client config to use the rootless daemon by default
"$HELPER" docker context use rootless
- name: Set up Rootless Podman
if: ${{ matrix.provider == 'podman' && matrix.rootless == 'rootless' }}
run: |
# Restart the user session to ensure the cgroup delegation
# ref: https://github.com/kubernetes-sigs/kind/pull/2754#issuecomment-1124027063
"$HELPER" sudo loginctl terminate-user vagrant || true
# We have modprobe ip6_tables in Vagrantfile, but it seems we have to modprobe it once again
"$HELPER" sudo modprobe ip6_tables
- name: Show provider info
run: |
"$HELPER" "$KIND_EXPERIMENTAL_PROVIDER" info
"$HELPER" "$KIND_EXPERIMENTAL_PROVIDER" version
- name: Create a cluster
run: |
"$HELPER" kind create cluster -v7 --wait 10m --retain
- name: Get Cluster status
run: |
"$HELPER" kubectl wait --for=condition=ready pods --namespace=kube-system -l k8s-app=kube-dns
"$HELPER" kubectl get nodes -o wide
"$HELPER" kubectl get pods -A
- name: Export logs
if: always()
run: |
"$HELPER" kind export logs /tmp/kind/logs
mkdir -p /tmp/kind/logs/lima
cp -a ~/.lima/default/*.log /tmp/kind/logs/lima || true
"$HELPER" tar cC /tmp/kind/logs . | tar xC /tmp/kind/logs
- name: Upload logs
if: always()
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: kind-logs-${{ env.JOB_NAME }}-${{ github.run_id }}
path: /tmp/kind/logs