-
Notifications
You must be signed in to change notification settings - Fork 2
262 lines (236 loc) · 9.27 KB
/
Copy pathcall-test-containers.yaml
File metadata and controls
262 lines (236 loc) · 9.27 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
name: Reusable workflow to run container tests
on:
workflow_call:
inputs:
ref:
description: The commit, SHA or branch to use in this repository.
required: false
type: string
default: main
image:
description: The full image name to test.
required: false
default: "ghcr.io/telemetryforge/agent"
type: string
image-tag:
description: The image tag to test.
required: true
type: string
secrets:
github-token:
description: Token to use to pull images from GitHub Container Registry.
required: true
env:
# Set once from repo variable or override here for testing
STEP_SECURITY_EGRESS_POLICY: ${{ vars.STEP_SECURITY_EGRESS_POLICY || 'audit' }}
jobs:
get-meta:
name: Get meta information required
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
kind-versions: ${{ steps.set-meta.outputs.kind-versions }}
steps:
- name: Harden the runner
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
with:
egress-policy: ${{ env.STEP_SECURITY_EGRESS_POLICY }}
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
repository: telemetryforge/agent
ref: ${{ inputs.ref || github.ref }}
- name: Extract the configuration from the JSON file
id: set-meta
run: |
KIND_VERSIONS=$(cat "$JSON_FILE_NAME" | jq -c .kind_versions )
echo "kind-versions=$KIND_VERSIONS"
echo "kind-versions=$KIND_VERSIONS" >> $GITHUB_OUTPUT
shell: bash
env:
JSON_FILE_NAME: build-config.json
test-bats-container:
name: Run BATS tests for ${{ inputs.image }}/test:${{ inputs.image-tag }}
runs-on: ubuntu-latest
env:
TELEMETRY_FORGE_AGENT_TAG: ${{ inputs.image-tag }}
# Support legacy tag variable for backwards compatibility
FLUENTDO_AGENT_TAG: ${{ inputs.image-tag }}
permissions:
packages: read
steps:
- name: Harden the runner
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
with:
egress-policy: ${{ env.STEP_SECURITY_EGRESS_POLICY }}
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
repository: telemetryforge/agent
ref: ${{ inputs.ref || github.ref }}
token: ${{ secrets.github-token }}
- name: Log in to the Container registry
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.github-token }}
- name: Run all functional BATS tests
run: docker run --rm -t "${{ inputs.image }}/test:${{ inputs.image-tag }}"
shell: bash
- name: Install BATS
uses: bats-core/bats-action@77d6fb60505b4d0d1d73e48bd035b55074bbfb43 # 4.0.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
assert-install: false
detik-install: false
file-install: false
support-install: false
- name: Install Rush for parallelism
run: curl -sSfL https://github.com/shenwei356/rush/releases/download/v0.7.0/rush_linux_amd64.tar.gz | sudo tar xzf - -C /usr/local/bin
shell: bash
- name: Ensure we use the right version during a release
if: startsWith(github.ref, 'refs/tags/v')
run: |
echo "TELEMETRY_FORGE_AGENT_VERSION=${{ inputs.image-tag }}" >> $GITHUB_ENV
echo "FLUENTDO_AGENT_VERSION=${{ inputs.image-tag }}" >> $GITHUB_ENV
shell: bash
- name: Run container integration tests
run: ./testing/bats/run-container-integration-tests.sh
shell: bash
env:
# We use the actual image here for testing against
TELEMETRY_FORGE_AGENT_IMAGE: ${{ inputs.image }}
# Support legacy image variable for backwards compatibility
FLUENTDO_AGENT_IMAGE: ${{ inputs.image }}
# allow for some parallelity without GNU parallel, since it is not installed by default
BATS_NO_PARALLELIZE_ACROSS_FILES: 1
BATS_NUMBER_OF_PARALLEL_JOBS: 4
BATS_PARALLEL_BINARY_NAME: rush
test-verify-signatures:
name: Verify image signatures for ${{ inputs.image }}:${{ inputs.image-tag }}
runs-on: ubuntu-latest
permissions:
packages: read
steps:
- name: Harden the runner
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
with:
egress-policy: ${{ env.STEP_SECURITY_EGRESS_POLICY }}
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
repository: telemetryforge/agent
ref: ${{ inputs.ref || github.ref }}
token: ${{ secrets.github-token }}
- name: Log in to the Container registry
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.github-token }}
- name: Set up cosign
run: |
curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
sudo mv cosign-linux-amd64 /usr/local/bin/cosign
sudo chmod +x /usr/local/bin/cosign
cosign version
shell: bash
- name: Verify image signature
run: cosign verify --key ./cosign.pub ${{ inputs.image }}:${{ inputs.image-tag }}
shell: bash
test-redhat-certification:
name: Test UBI container will pass certification
if: contains( inputs.image, 'ubi' )
runs-on: ubuntu-latest
permissions:
packages: read
steps:
- name: Harden the runner
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
with:
egress-policy: ${{ env.STEP_SECURITY_EGRESS_POLICY }}
- name: Log in to the Container registry
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.github-token }}
- name: Set up preflight binary
uses: redhat-actions/openshift-tools-installer@144527c7d98999f2652264c048c7a9bd103f8a82 # v1.13.1
with:
preflight: latest
source: github
- name: Run tests
run: preflight check container ${{ inputs.image }}:${{ inputs.image-tag }}
shell: bash
# https://github.com/redhat-openshift-ecosystem/openshift-preflight/issues/1235
# https://github.com/redhat-openshift-ecosystem/openshift-preflight/issues/535
- name: Ensure we pass as preflight does not use error code exit
run: |
if grep 'Preflight result: FAILED' preflight.log; then
echo "ERROR: failed checks"
exit 1
elif ! grep 'Preflight result: PASSED' preflight.log; then
echo "ERROR: checks did not pass"
exit 1
fi
echo "INFO: checks passed"
shell: bash
- name: Preflight log
if: always()
continue-on-error: true
run: cat preflight.log
shell: bash
- name: Image debug
continue-on-error: true
if: always()
run: |
docker pull ${{ inputs.image }}:${{ inputs.image-tag }}
docker inspect ${{ inputs.image }}:${{ inputs.image-tag }}
shell: bash
test-kubernetes:
name: Run container tests for ${{ inputs.image }}:${{ inputs.image-tag }} on K8S version ${{ matrix.kind-version }}
uses: ./.github/workflows/call-test-containers-k8s.yaml
needs:
- get-meta
permissions:
contents: read
packages: read
with:
kind-version: ${{ matrix.kind-version }}
image: ${{ inputs.image }}
image-tag: ${{ inputs.image-tag }}
ref: ${{ inputs.ref }}
secrets:
github-token: ${{ secrets.github-token }}
strategy:
matrix:
kind-version: ${{ fromJson(needs.get-meta.outputs.kind-versions) }}
test-complete:
name: All container tests complete
# Always run this to check the results of the other jobs including skipped ones
if: always()
runs-on: ubuntu-latest
needs:
- test-kubernetes
- test-redhat-certification
- test-verify-signatures
- test-bats-container
steps:
- name: Harden the runner
uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0
with:
egress-policy: ${{ env.STEP_SECURITY_EGRESS_POLICY }}
- name: Decide whether the needed jobs succeeded or failed
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
with:
# Add any jobs that can be skipped here to avoid failure of this job
# test-redhat-certification is skipped if not UBI image
allowed-skips: test-redhat-certification
# Convert the needs object to JSON to pass it in
jobs: ${{ toJSON(needs) }}
- name: All tests passed
run: echo "All tests passed for ${{ inputs.image }}:${{ inputs.image-tag }}"
shell: bash