chore(deps): Bump github.com/CycloneDX/cyclonedx-go in /webhook #2683
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: | |
- 'main' | |
- '!dependabot/**' | |
tags: | |
# semver tags | |
- 'v[0-9]+\.[0-9]+\.[0-9]+-?**' | |
pull_request: {} | |
jobs: | |
unit: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version-file: "go.mod" | |
- name: Go mod tidy | |
run: make tidy | |
- name: Test | |
run: make test | |
- uses: codecov/codecov-action@v5 | |
- name: Build | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
make dist | |
git diff --exit-code dist | |
stage: | |
runs-on: ubuntu-latest | |
env: | |
REGISTRY_NAME: registry.local | |
KO_DOCKER_REPO: registry.local/conventions | |
BUNDLE: registry.local/conventions/bundle | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version-file: "go.mod" | |
- uses: carvel-dev/setup-action@v2 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- uses: ko-build/setup-ko@v0.7 | |
- name: Generate certs | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
CERT_DIR=$(mktemp -d -t certs.XXXX) | |
echo "CERT_DIR=$CERT_DIR" >> $GITHUB_ENV | |
echo "##[group]Install cfssl" | |
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64 -o cfssl | |
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64 -o cfssljson | |
chmod +x cfssl* | |
sudo mv cfssl* /usr/local/bin | |
echo "##[endgroup]" | |
echo "##[group]Generate CA" | |
cfssl gencert -initca .github/tls/root-csr.json \ | |
| cfssljson -bare ${CERT_DIR}/root-ca | |
cfssl gencert -ca ${CERT_DIR}/root-ca.pem -ca-key ${CERT_DIR}/root-ca-key.pem \ | |
-config=".github/tls/config.json" \ | |
-profile="intermediate" .github/tls/intermediate-csr.json \ | |
| cfssljson -bare ${CERT_DIR}/signing-ca | |
cat ${CERT_DIR}/signing-ca.pem ${CERT_DIR}/root-ca.pem > ${CERT_DIR}/ca.pem | |
echo "##[endgroup]" | |
echo "##[group]Install CA" | |
# https://ubuntu.com/server/docs/security-trust-store | |
sudo apt-get install -y ca-certificates | |
sudo cp ${CERT_DIR}/ca.pem /usr/local/share/ca-certificates/ca.crt | |
sudo update-ca-certificates | |
echo "##[endgroup]" | |
echo "##[group]Generate cert" | |
cfssl gencert -ca ${CERT_DIR}/signing-ca.pem -ca-key ${CERT_DIR}/signing-ca-key.pem \ | |
-config=".github/tls/config.json" \ | |
-profile="server" \ | |
-hostname="${REGISTRY_NAME},local-registry" \ | |
.github/tls/server-csr.json \ | |
| cfssljson -bare ${CERT_DIR}/server | |
echo "##[endgroup]" | |
- name: Setup local registry | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
# Run a registry. | |
docker run -d \ | |
--restart=always \ | |
--name local-registry \ | |
-v ${CERT_DIR}:/certs \ | |
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \ | |
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.pem \ | |
-e REGISTRY_HTTP_TLS_KEY=/certs/server-key.pem \ | |
-p "443:443" \ | |
registry:2 | |
# Make the $REGISTRY_NAME -> local-registry | |
echo "$(hostname -I | cut -d' ' -f1) $REGISTRY_NAME" | sudo tee -a /etc/hosts | |
- name: Go mod tidy | |
run: make tidy | |
- name: Build Cartographer Conventions | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
scratch=$(mktemp -d -t bundle.XXXX) | |
mkdir -p "${scratch}/.imgpkg" | |
mkdir -p "${scratch}/config" | |
cp LICENSE "${scratch}/LICENSE" | |
cp CHANGELOG.md "${scratch}/CHANGELOG.md" | |
cp dist/bundle.yaml "${scratch}/bundle.yaml" | |
cp dist/bundle.values.yaml "${scratch}/bundle.values.yaml" | |
cp dist/ca-overlay.yaml "${scratch}/ca-overlay.yaml" | |
echo "##[group]Build" | |
cat hack/boilerplate.ytt.txt > "${scratch}/config/cartographer-conventions.yaml" | |
ko resolve -f dist/cartographer-conventions.yaml >> "${scratch}/config/cartographer-conventions.yaml" | |
kbld -f "${scratch}/config/cartographer-conventions.yaml" --imgpkg-lock-output "${scratch}/.imgpkg/images.yml" > /dev/null | |
echo "##[endgroup]" | |
echo "##[group]Create bundle" | |
imgpkg push -f "${scratch}" -b "${BUNDLE}/controller" | |
imgpkg copy -b "${BUNDLE}/controller" --to-tar cartographer-conventions-bundle.tar | |
echo "##[endgroup]" | |
- name: Build samples | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
scratch=$(mktemp -d -t bundle.XXXX) | |
mkdir "${scratch}/.imgpkg" | |
cp LICENSE "${scratch}/LICENSE" | |
echo "##[group]Build" | |
mkdir -p ${scratch}/convention-server | |
cp samples/convention-server/*.{md,yaml} ${scratch}/convention-server/ | |
pushd samples/convention-server | |
ko resolve -f server.yaml > "${scratch}/convention-server/server.yaml" | |
popd | |
mkdir -p ${scratch}/dumper-server | |
cp samples/dumper-server/*.{md,yaml} ${scratch}/dumper-server/ | |
pushd samples/dumper-server | |
ko resolve -f server.yaml > "${scratch}/dumper-server/server.yaml" | |
popd | |
mkdir -p ${scratch}/spring-convention-server | |
cp samples/spring-convention-server/*.{md,yaml} ${scratch}/spring-convention-server/ | |
pushd samples/spring-convention-server | |
ko resolve -f server.yaml > "${scratch}/spring-convention-server/server.yaml" | |
popd | |
kbld --imgpkg-lock-output "${scratch}/.imgpkg/images.yml" \ | |
-f "${scratch}/convention-server/server.yaml" \ | |
-f "${scratch}/dumper-server/server.yaml" \ | |
-f "${scratch}/spring-convention-server/server.yaml" \ | |
> /dev/null | |
echo "##[endgroup]" | |
echo "##[group]Create sample bundle" | |
imgpkg push -f "${scratch}" -b "${BUNDLE}/samples" | |
imgpkg copy -b "${BUNDLE}/samples" --to-tar cartographer-conventions-samples-bundle.tar | |
echo "##[endgroup]" | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: cartographer-conventions-bundle.tar | |
path: cartographer-conventions-bundle.tar | |
retention-days: 1 | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: cartographer-conventions-samples-bundle.tar | |
path: cartographer-conventions-samples-bundle.tar | |
retention-days: 1 | |
acceptance: | |
needs: stage | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
k8s: | |
- 1.25.11 | |
- 1.26.6 | |
- 1.27.16 | |
- 1.28.15 | |
- 1.29.12 | |
- 1.30.8 | |
- 1.31.4 | |
- 1.32.0 | |
env: | |
REGISTRY_NAME: registry.local | |
BUNDLE: registry.local/conventions/bundle | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version-file: "go.mod" | |
- uses: carvel-dev/setup-action@v2 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Install kind | |
run: | | |
cd $(mktemp -d -t kind.XXXX) | |
curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.19.0/kind-$(go env GOHOSTOS)-$(go env GOHOSTARCH) | |
chmod +x ./kind | |
sudo mv ./kind /usr/local/bin | |
cd - | |
- name: Generate certs | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
CERT_DIR=$(mktemp -d -t certs.XXXX) | |
echo "CERT_DIR=$CERT_DIR" >> $GITHUB_ENV | |
echo "##[group]Install cfssl" | |
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64 -o cfssl | |
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64 -o cfssljson | |
chmod +x cfssl* | |
sudo mv cfssl* /usr/local/bin | |
echo "##[endgroup]" | |
echo "##[group]Generate CA" | |
cfssl gencert -initca .github/tls/root-csr.json \ | |
| cfssljson -bare ${CERT_DIR}/root-ca | |
cfssl gencert -ca ${CERT_DIR}/root-ca.pem -ca-key ${CERT_DIR}/root-ca-key.pem \ | |
-config=".github/tls/config.json" \ | |
-profile="intermediate" .github/tls/intermediate-csr.json \ | |
| cfssljson -bare ${CERT_DIR}/signing-ca | |
cat ${CERT_DIR}/signing-ca.pem ${CERT_DIR}/root-ca.pem > ${CERT_DIR}/ca.pem | |
echo "##[endgroup]" | |
echo "##[group]Install CA" | |
# https://ubuntu.com/server/docs/security-trust-store | |
sudo apt-get install -y ca-certificates | |
sudo cp ${CERT_DIR}/ca.pem /usr/local/share/ca-certificates/ca.crt | |
sudo update-ca-certificates | |
echo "##[endgroup]" | |
echo "##[group]Generate cert" | |
cfssl gencert -ca ${CERT_DIR}/signing-ca.pem -ca-key ${CERT_DIR}/signing-ca-key.pem \ | |
-config=".github/tls/config.json" \ | |
-profile="server" \ | |
-hostname="${REGISTRY_NAME},local-registry" \ | |
.github/tls/server-csr.json \ | |
| cfssljson -bare ${CERT_DIR}/server | |
echo "##[endgroup]" | |
- name: Setup local registry | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
# Run a registry. | |
docker run -d \ | |
--restart=always \ | |
--name local-registry \ | |
-v ${CERT_DIR}:/certs \ | |
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \ | |
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.pem \ | |
-e REGISTRY_HTTP_TLS_KEY=/certs/server-key.pem \ | |
-p "443:443" \ | |
registry:2 | |
# Make the $REGISTRY_NAME -> local-registry | |
echo "$(hostname -I | cut -d' ' -f1) $REGISTRY_NAME" | sudo tee -a /etc/hosts | |
- name: Create Cluster | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
# create a cluster with the local registry enabled in containerd | |
cat <<EOF | kind create cluster --config=- | |
kind: Cluster | |
apiVersion: kind.x-k8s.io/v1alpha4 | |
containerdConfigPatches: | |
- |- | |
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."${REGISTRY_NAME}"] | |
endpoint = ["https://local-registry"] | |
- |- | |
[plugins."io.containerd.grpc.v1.cri".registry.configs."local-registry".tls] | |
ca_file = "/etc/docker/certs.d/local-registry/ca.pem" | |
nodes: | |
- role: control-plane | |
image: kindest/node:v${{ matrix.k8s }} | |
extraMounts: | |
- containerPath: /etc/docker/certs.d/local-registry | |
hostPath: ${CERT_DIR} | |
EOF | |
# connect the registry to the cluster network | |
docker network connect kind local-registry | |
# Document the local registry | |
# https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry | |
cat <<EOF | kubectl apply -f - | |
apiVersion: v1 | |
kind: ConfigMap | |
metadata: | |
name: local-registry-hosting | |
namespace: kube-public | |
data: | |
localRegistryHosting.v1: | | |
host: "localhost" | |
help: "https://kind.sigs.k8s.io/docs/user/local-registry/" | |
EOF | |
- name: Download staged Cartographer Conventions build | |
uses: actions/download-artifact@v4 | |
with: | |
name: cartographer-conventions-bundle.tar | |
- name: Download staged Cartographer Conventions build | |
uses: actions/download-artifact@v4 | |
with: | |
name: cartographer-conventions-samples-bundle.tar | |
- name: Relocate bundles | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
imgpkg copy --tar cartographer-conventions-bundle.tar --to-repo "${BUNDLE}/controller" | |
mkdir -p convention-bundle/controller | |
imgpkg pull -b "${BUNDLE}/controller" -o convention-bundle/controller | |
imgpkg copy --tar cartographer-conventions-samples-bundle.tar --to-repo "${BUNDLE}/samples" | |
mkdir -p convention-bundle/samples | |
imgpkg pull -b "${BUNDLE}/samples" -o convention-bundle/samples | |
- name: Install kapp-controller | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
kapp deploy -a kapp-controller -n kube-system \ | |
--wait-timeout 5m -y \ | |
-f https://github.com/vmware-tanzu/carvel-kapp-controller/releases/latest/download/release.yml \ | |
-f <( \ | |
ytt -f .github/kapp/kapp-controller-config.yaml \ | |
--data-value-file ca_cert_data=${CERT_DIR}/ca.pem \ | |
) | |
- name: Install cert-manager | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
kapp deploy -a cert-manager -n kube-system -y -f dist/third-party/cert-manager.yaml | |
- name: Deploy Cartographer Conventions Package | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
kapp deploy -a cartographer-conventions-controller-package -y \ | |
--wait-timeout 5m \ | |
-f <( \ | |
ytt -f dist/package.yaml -f dist/package.values.yaml \ | |
--data-value version=0.0.0-snapshot \ | |
--data-value image=${BUNDLE}/controller \ | |
) | |
- name: Deploy Cartographer Conventions with no package values | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
kapp deploy -a cartographer-conventions-controller -y \ | |
-f <( \ | |
ytt -f dist/package-install.yaml -f dist/package-install.values.yaml \ | |
--data-value package_constraints=0.0.0-snapshot \ | |
--data-value-yaml 'package_prerelease={}' \ | |
) | |
kapp delete -a cartographer-conventions-controller --wait-timeout 5m -y | |
- name: Deploy Cartographer Conventions | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
kapp deploy -a cartographer-conventions-controller -y \ | |
-f <( \ | |
ytt -f dist/package-install.yaml -f dist/package-install.values.yaml \ | |
--data-value package_constraints=0.0.0-snapshot \ | |
--data-value-yaml 'package_prerelease={}' \ | |
--data-value sync_period=10s \ | |
--data-value-yaml 'has_values=true' \ | |
--data-value-file ca_cert_data=${CERT_DIR}/ca.pem | |
) | |
- name: Deploy Convention Dumper | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
echo "##[group]Deploy convention server" | |
kapp deploy -a convention-dumper -n kube-system \ | |
-f <(kbld -f convention-bundle/samples/dumper-server/server.yaml -f convention-bundle/samples/.imgpkg/images.yml) -y | |
echo "##[endgroup]" | |
- name: Deploy Sample Convention Server | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
echo "##[group]Deploy convention server" | |
kapp deploy -a convention-server -n kube-system \ | |
-f <(kbld -f convention-bundle/samples/convention-server/server.yaml -f convention-bundle/samples/.imgpkg/images.yml) -y | |
echo "##[endgroup]" | |
echo "##[group]Deploy workload" | |
kapp deploy -a convention-server-workload -f convention-bundle/samples/convention-server/workload.yaml -y | |
echo "##[endgroup]" | |
echo "##[group]Wait for workload status to be ready" | |
kubectl wait podintents.conventions.carto.run sample --for condition=ready | |
echo "##[endgroup]" | |
echo "##[group]Verify convention is applied to workload" | |
actual=$(kubectl get podintent.conventions.carto.run sample -ojson | jq -r ".status.template.spec.containers[].env[] | select(.name==\"CONVENTION_SERVER\") | .value ") | |
expects="HELLO FROM CONVENTION" | |
if [ "$actual" != "$expects" ]; then echo "Environmental variable do not match. Got \"$actual\"; expected \"$expects\". Exiting..."; exit 1; fi; | |
echo "Environmental variables matched. Got \"$actual\"; expected \"$expects\"" | |
echo "##[endgroup]" | |
- name: Deploy Spring Sample Convention Server | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
echo "##[group]Deploy spring convention server" | |
kapp deploy -a spring-convention-server -n kube-system \ | |
-f <(kbld -f convention-bundle/samples/spring-convention-server/server.yaml -f convention-bundle/samples/.imgpkg/images.yml) -y | |
echo "##[endgroup]" | |
echo "##[group]Deploy workload" | |
kapp deploy -a spring-convention-server-workload -f convention-bundle/samples/spring-convention-server/workload.yaml -y | |
echo "##[endgroup]" | |
echo "##[group]Wait for workload status to be ready" | |
kubectl wait podintents.conventions.carto.run spring-sample --for condition=ready | |
echo "##[endgroup]" | |
echo "##[group]Verify spring convention is applied to workload" | |
actual_annotation=$(kubectl get podintent.conventions.carto.run spring-sample -ojson | jq -r ".status.template.metadata.annotations"[\"boot.spring.io/version\"]) | |
if [[ "${actual_annotation}" == "null" || -z "${actual_annotation}" ]]; then echo "Annotations \"boot.spring.io/version\" is not present. Exiting..."; exit 1; fi; | |
echo "Found Annotation \"boot.spring.io/version\" with value \"$actual_annotation\";" | |
actual_label=$(kubectl get podintent.conventions.carto.run spring-sample -ojson | jq -r ".status.template.metadata.labels"[\"conventions.carto.run/framework\"]) | |
if [[ "${actual_label}" == "null" || -z "${actual_label}" ]]; then echo "Label \"conventions.carto.run/framework\" is not present. Exiting..."; exit 1; fi; | |
echo "Found Label \"conventions.carto.run/framework\" with value \"$actual_label\";" | |
echo "##[endgroup]" | |
- name: Collect diagnostics | |
run: | | |
set +o errexit | |
set -o nounset | |
set +o pipefail | |
echo "##[group]Packages" | |
kubectl get package -A -oyaml | |
echo "##[endgroup]" | |
echo "##[group]Package Installs" | |
kubectl get packageinstall -A -oyaml | |
echo "##[endgroup]" | |
echo "##[group]Kapp list apps" | |
kapp list -A | |
echo "##[endgroup]" | |
echo "##[group]Package changesets" | |
kapp app-change list -a cartographer-conventions-controller.app | |
echo "##[endgroup]" | |
echo "##[group]kapp-controller logs" | |
kubectl logs -n kapp-controller -l app=kapp-controller -c kapp-controller --tail 1000 | |
echo "##[endgroup]" | |
echo "##[group]Cartographer Conventions logs" | |
kubectl logs -n conventions-system -l component=conventions.carto.run,control-plane=controller-manager -c manager --tail 1000 | |
echo "##[endgroup]" | |
echo "##[group]Convention Server deployment" | |
kubectl describe deployment webhook -n sample-conventions | |
echo "##[endgroup]" | |
echo "##[group]ClusterPodConvention resource" | |
kubectl describe clusterpodconventions.conventions.carto.run sample | |
kubectl describe clusterpodconventions.conventions.carto.run spring-sample | |
echo "##[endgroup]" | |
echo "##[group]WorkloadPodIntent resource" | |
kubectl describe podintents.conventions.carto.run sample | |
kubectl describe podintents.conventions.carto.run spring-sample | |
echo "##[endgroup]" | |
echo "##[group]Convention Dumper logs" | |
# NOTE: uncomment if you need dumper logs, deactivated because it can be very slow | |
# kubectl logs -n dumper-conventions -l app=webhook --tail 500 | |
echo "##[endgroup]" | |
echo "##[group]Convention Server logs" | |
kubectl logs -l app=webhook -n sample-conventions --tail 100 | |
echo "##[endgroup]" | |
echo "##[group]Resources in sample-conventions namespace" | |
kubectl get deployments,pods,svc,secrets,cm -n sample-conventions | |
echo "##[endgroup]" | |
echo "##[group]Spring Convention Server deployment" | |
kubectl describe deployment spring-webhook -n sample-spring-conventions | |
echo "##[endgroup]" | |
echo "##[group]Spring Convention Server logs" | |
kubectl logs -l app=spring-webhook -n sample-spring-conventions --tail 100 | |
echo "##[endgroup]" | |
echo "##[group]Resources in sample-spring-conventions namespace" | |
kubectl get deployments,pods,svc,secrets,cm -n sample-spring-conventions | |
echo "##[endgroup]" | |
echo "##[group]Docker processes" | |
docker ps | |
echo "##[endgroup]" | |
echo "##[group]Registry logs" | |
docker logs local-registry | |
echo "##[endgroup]" | |
echo "##[group]Registry certs" | |
openssl s_client -connect ${REGISTRY_NAME}:443 -showcerts | |
echo "##[endgroup]" | |
echo "##[group]Registry request" | |
curl -v https://${REGISTRY_NAME}/v2/ | |
echo "##[endgroup]" | |
if: always() | |
continue-on-error: true | |
- name: Fail for multiple kapp changes | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
deploys=$(kapp app-change list -a cartographer-conventions-controller.app --json | jq '.Tables[0].Rows | length') | |
if [ "$deploys" != "1" ]; then | |
echo "Too many app changes for the cartographer-conventions-controller package, expected 1 found ${deploys}" | |
exit 1 | |
fi | |
- name: Delete Gracefully | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
echo "##[group]Delete sample convention servers" | |
kapp delete -a convention-dumper -n kube-system -y | |
kapp delete -a convention-server -n kube-system -y | |
kapp delete -a spring-convention-server -n kube-system -y | |
echo "##[endgroup]" | |
echo "##[group]Delete PodIntent resources" | |
kapp delete -a convention-server-workload -y | |
kapp delete -a spring-convention-server-workload -y | |
echo "##[endgroup]" | |
echo "##[group]Delete cartographer-conventions-controller" | |
kapp delete -a cartographer-conventions-controller -y | |
echo "##[endgroup]" | |
echo "##[group]Delete cartographer-conventions-controller-package" | |
kapp delete -a cartographer-conventions-controller-package --wait-timeout 5m -y | |
echo "##[endgroup]" | |
echo "##[group]Delete kapp-controller" | |
kapp delete -a kapp-controller -n kube-system --wait-timeout 5m -y | |
echo "##[endgroup]" | |
echo "##[group]Delete cert-manager" | |
kapp delete -a cert-manager -n kube-system --wait-timeout 5m -y | |
echo "##[endgroup]" | |
if: always() | |
- name: Cleanup cluster | |
run: kind delete cluster | |
if: always() | |
security: | |
needs: stage | |
runs-on: ubuntu-latest | |
env: | |
REGISTRY_NAME: registry.local | |
BUNDLE: registry.local/conventions/bundle | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: carvel-dev/setup-action@v2 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Generate certs | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
CERT_DIR=$(mktemp -d -t certs.XXXX) | |
echo "CERT_DIR=$CERT_DIR" >> $GITHUB_ENV | |
echo "##[group]Install cfssl" | |
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64 -o cfssl | |
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64 -o cfssljson | |
chmod +x cfssl* | |
sudo mv cfssl* /usr/local/bin | |
echo "##[endgroup]" | |
echo "##[group]Generate CA" | |
cfssl gencert -initca .github/tls/root-csr.json \ | |
| cfssljson -bare ${CERT_DIR}/root-ca | |
cfssl gencert -ca ${CERT_DIR}/root-ca.pem -ca-key ${CERT_DIR}/root-ca-key.pem \ | |
-config=".github/tls/config.json" \ | |
-profile="intermediate" .github/tls/intermediate-csr.json \ | |
| cfssljson -bare ${CERT_DIR}/signing-ca | |
cat ${CERT_DIR}/signing-ca.pem ${CERT_DIR}/root-ca.pem > ${CERT_DIR}/ca.pem | |
echo "##[endgroup]" | |
echo "##[group]Install CA" | |
# https://ubuntu.com/server/docs/security-trust-store | |
sudo apt-get install -y ca-certificates | |
sudo cp ${CERT_DIR}/ca.pem /usr/local/share/ca-certificates/ca.crt | |
sudo update-ca-certificates | |
echo "##[endgroup]" | |
echo "##[group]Generate cert" | |
cfssl gencert -ca ${CERT_DIR}/signing-ca.pem -ca-key ${CERT_DIR}/signing-ca-key.pem \ | |
-config=".github/tls/config.json" \ | |
-profile="server" \ | |
-hostname="${REGISTRY_NAME},local-registry" \ | |
.github/tls/server-csr.json \ | |
| cfssljson -bare ${CERT_DIR}/server | |
echo "##[endgroup]" | |
- name: Setup local registry | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
# Run a registry. | |
docker run -d \ | |
--restart=always \ | |
--name local-registry \ | |
-v ${CERT_DIR}:/certs \ | |
-e REGISTRY_HTTP_ADDR=0.0.0.0:443 \ | |
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.pem \ | |
-e REGISTRY_HTTP_TLS_KEY=/certs/server-key.pem \ | |
-p "443:443" \ | |
registry:2 | |
# Make the $REGISTRY_NAME -> local-registry | |
echo "$(hostname -I | cut -d' ' -f1) $REGISTRY_NAME" | sudo tee -a /etc/hosts | |
- name: Install grype | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin | |
- name: Download staged Cartographer Conventions bundle | |
uses: actions/download-artifact@v4 | |
with: | |
name: cartographer-conventions-bundle.tar | |
- name: Scan source | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
echo "##[group]Scan source ." | |
grype dir:. | |
echo "##[endgroup]" | |
echo "##[group]Scan source ./webhook" | |
grype dir:webhook | |
echo "##[endgroup]" | |
- name: Scan bundle images | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
imgpkg copy --tar cartographer-conventions-bundle.tar --to-repo "${BUNDLE}/controller" | |
mkdir -p convention-bundle/controller | |
imgpkg pull -b "${BUNDLE}/controller" -o convention-bundle/controller | |
# scan each image from .imgpkg/images.yml | |
buffer="" | |
for line in $(yq -o=json '.images[]' convention-bundle/controller/.imgpkg/images.yml) ; do | |
buffer="${buffer}${line}" | |
if [ "$line" = "}" ] ; then | |
echo "##[group]Scan image $(jq -r '.annotations["kbld.carvel.dev/id"]' <(echo "$buffer"))" | |
grype registry:$(jq -r '.image' <(echo "$buffer")) | |
echo "##[endgroup]" | |
buffer="" | |
fi | |
done | |
# aggregate the unit, acceptance, and security results into a single job | |
test: | |
needs: | |
- unit | |
- acceptance | |
- security | |
runs-on: ubuntu-latest | |
steps: | |
- run: echo "it passed" | |
release: | |
needs: | |
- test | |
if: startsWith(github.ref, 'refs/tags/') | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Get the version | |
id: get_version | |
run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//} | |
- name: Draft release | |
id: create_release | |
uses: actions/create-release@v1.1.4 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
tag_name: ${{ github.ref }} | |
release_name: Release ${{ steps.get_version.outputs.VERSION }} | |
draft: true | |
- name: Download staged Cartographer Conventions build | |
uses: actions/download-artifact@v4 | |
with: | |
name: cartographer-conventions-bundle.tar | |
- name: Download staged samples build | |
uses: actions/download-artifact@v4 | |
with: | |
name: cartographer-conventions-samples-bundle.tar | |
- name: Upload Cartographer Conventions release | |
uses: actions/upload-release-asset@v1.0.2 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps | |
asset_path: cartographer-conventions-bundle.tar | |
asset_name: cartographer-conventions-bundle-${{ steps.get_version.outputs.VERSION }}.tar | |
asset_content_type: application/x-tar | |
- name: Upload Convention samples | |
uses: actions/upload-release-asset@v1.0.2 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps | |
asset_path: cartographer-conventions-samples-bundle.tar | |
asset_name: cartographer-conventions-samples-bundle-${{ steps.get_version.outputs.VERSION }}.tar | |
asset_content_type: application/x-tar | |
- uses: carvel-dev/setup-action@v2 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Install crane | |
run: | | |
cd $(mktemp -d -t kind.XXXX) | |
curl -L https://github.com/google/go-containerregistry/releases/download/v0.8.0/go-containerregistry_Linux_x86_64.tar.gz | tar -xz | |
chmod +x ./crane | |
sudo mv ./crane /usr/local/bin | |
cd - | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Relocate bundle to public registry | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
version=${{ steps.get_version.outputs.VERSION }} | |
imgpkg copy --tar cartographer-conventions-bundle.tar --to-repo "ghcr.io/${{ github.repository }}/bundle" | |
crane tag "ghcr.io/${{ github.repository }}/bundle" "${version}" | |
digest=$(crane digest "ghcr.io/${{ github.repository }}/bundle:${version}") | |
scratch=$(mktemp -d -t bundle.XXXX) | |
mkdir -p ${scratch} | |
imgpkg pull -b "ghcr.io/${{ github.repository }}/bundle:${version}@${digest}" -o ${scratch} | |
cp hack/boilerplate.ytt.txt cartographer-conventions.yaml | |
kbld -f ${scratch}/config/cartographer-conventions.yaml -f ${scratch}/.imgpkg/images.yml \ | |
>> cartographer-conventions.yaml | |
cp hack/boilerplate.ytt.txt cartographer-conventions-package.yaml | |
ytt -f dist/package.yaml -f dist/package.values.yaml \ | |
--data-value version=${version} \ | |
--data-value image="ghcr.io/${{ github.repository }}/bundle:${version}@${digest}" \ | |
>> cartographer-conventions-package.yaml | |
- name: Relocate samples to public registry | |
run: | | |
set -o errexit | |
set -o nounset | |
set -o pipefail | |
version=${{ steps.get_version.outputs.VERSION }} | |
imgpkg copy --tar cartographer-conventions-samples-bundle.tar --to-repo "ghcr.io/${{ github.repository }}/samples" | |
crane tag "ghcr.io/${{ github.repository }}/samples" "${version}" | |
digest=$(crane digest "ghcr.io/${{ github.repository }}/samples:${version}") | |
scratch=$(mktemp -d -t bundle.XXXX) | |
mkdir -p ${scratch} | |
imgpkg pull -b "ghcr.io/${{ github.repository }}/samples:${version}@${digest}" -o ${scratch} | |
cp hack/boilerplate.ytt.txt cartographer-conventions-samples-convention-server.yaml | |
kbld -f ${scratch}/convention-server/server.yaml -f ${scratch}/.imgpkg/images.yml \ | |
>> cartographer-conventions-samples-convention-server.yaml | |
cp hack/boilerplate.ytt.txt cartographer-conventions-samples-dumper-server.yaml | |
kbld -f ${scratch}/dumper-server/server.yaml -f ${scratch}/.imgpkg/images.yml \ | |
>> cartographer-conventions-samples-dumper-server.yaml | |
cp hack/boilerplate.ytt.txt cartographer-conventions-samples-spring-convention-server.yaml | |
kbld -f ${scratch}/spring-convention-server/server.yaml -f ${scratch}/.imgpkg/images.yml \ | |
>> cartographer-conventions-samples-spring-convention-server.yaml | |
- name: Upload cartographer-conventions.yaml | |
uses: actions/upload-release-asset@v1.0.2 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps | |
asset_path: cartographer-conventions.yaml | |
asset_name: cartographer-conventions-${{ steps.get_version.outputs.VERSION }}.yaml | |
asset_content_type: application/x-yaml | |
- name: Upload cartographer-conventions-package.yaml | |
uses: actions/upload-release-asset@v1.0.2 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps | |
asset_path: cartographer-conventions-package.yaml | |
asset_name: cartographer-conventions-package-${{ steps.get_version.outputs.VERSION }}.yaml | |
asset_content_type: application/x-yaml | |
- name: Upload cartographer-conventions-samples-convention-server.yaml | |
uses: actions/upload-release-asset@v1.0.2 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps | |
asset_path: cartographer-conventions-samples-convention-server.yaml | |
asset_name: cartographer-conventions-samples-convention-server-${{ steps.get_version.outputs.VERSION }}.yaml | |
asset_content_type: application/x-yaml | |
- name: Upload cartographer-conventions-samples-dumper-server.yaml | |
uses: actions/upload-release-asset@v1.0.2 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps | |
asset_path: cartographer-conventions-samples-dumper-server.yaml | |
asset_name: cartographer-conventions-samples-dumper-server-${{ steps.get_version.outputs.VERSION }}.yaml | |
asset_content_type: application/x-yaml | |
- name: Upload cartographer-conventions-samples-spring-convention-server.yaml | |
uses: actions/upload-release-asset@v1.0.2 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps | |
asset_path: cartographer-conventions-samples-spring-convention-server.yaml | |
asset_name: cartographer-conventions-samples-spring-convention-server-${{ steps.get_version.outputs.VERSION }}.yaml | |
asset_content_type: application/x-yaml |