EKS support and testing #636

Workflow file for this run

	name: Validate SecureSign
	on:
	workflow_dispatch:
	push:
	branches: ["main", "release*"]
	tags: ["*"]
	pull_request:
	branches: ["main", "release*"]

	env:
	GO_VERSION: 1.21
	AWS_REGION: us-east-2
	AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
	AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

	jobs:
	build-operator:
	name: Build-operator
	runs-on: ubuntu-20.04
	steps:
	- name: Checkout source
	uses: actions/checkout@v2

	- name: Install Go
	uses: actions/setup-go@v3
	with:
	go-version: ${{ env.GO_VERSION }}

	- name: Build operator container
	run: IMG=ttl.sh/securesign make docker-build docker-push

	test-kind:
	name: Test kind deployment
	runs-on: ubuntu-20.04
	needs: build-operator
	steps:
	- name: Checkout source
	uses: actions/checkout@v2

	- name: Install Go
	uses: actions/setup-go@v3
	with:
	go-version: ${{ env.GO_VERSION }}

	- name: Log in to registry.redhat.io
	uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1
	with:
	username: ${{ secrets.REGISTRY_USER }}
	password: ${{ secrets.REGISTRY_PASSWORD }}
	registry: registry.redhat.io
	auth_file_path: /tmp/config.json

	- name: Install Cluster
	uses: container-tools/[email protected]
	with:
	version: v0.20.0
	node_image: kindest/node:v1.26.6@sha256:6e2d8b28a5b601defe327b98bd1c2d1930b49e5d8c512e1895099e4504007adb
	cpu: 3
	config: ./ci/config.yaml

	- name: Install Ingress
	run: \|
	kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
	kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=90s

	- name: Deploy operator container
	run: IMG=ttl.sh/securesign make deploy

	- name: Wait for operator to be ready
	run: \|
	kubectl wait --for=condition=available deployment/rhtas-operator-controller-manager --timeout=60s -n openshift-rhtas-operator

	- name: Install Keycloak
	run: \|
	#install OLM
	kubectl create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.25.0/crds.yaml
	# wait for a while to be sure CRDs are installed
	sleep 1
	kubectl create -f https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.25.0/olm.yaml

	kubectl create --kustomize https://github.com/securesign/sigstore-ocp/keycloak/operator/overlay/kind
	until [ ! -z "$(kubectl get pod -l name=keycloak-operator -n keycloak-system 2>/dev/null)" ]
	do
	echo "Waiting for keycloak operator. Pods in keycloak-system namespace:"
	kubectl get pods -n keycloak-system
	sleep 10
	done
	kubectl create --kustomize https://github.com/securesign/sigstore-ocp/keycloak/resources/overlay/kind
	until [[ $( oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system 2>/dev/null) == "true" ]]
	do
	printf "Waiting for keycloak deployment. \n Keycloak ready: %s\n" $(oc get keycloak keycloak -o jsonpath='{.status.ready}' -n keycloak-system)
	sleep 10
	done

	# HACK - expose keycloak under the same name as the internal SVC has so it will be accessible:
	# - within the cluster (where the localhost does not work)
	# - outside the cluster (resolved from /etc/hosts and redirect to the localhost)
	kubectl create -n keycloak-system -f - <<EOF
	apiVersion: networking.k8s.io/v1
	kind: Ingress
	metadata:
	name: keycloak
	spec:
	rules:
	- host: keycloak-internal.keycloak-system.svc
	http:
	paths:
	- backend:
	service:
	name: keycloak-internal
	port:
	number: 80
	path: /
	pathType: Prefix
	EOF
	shell: bash

	- name: Add service hosts to /etc/hosts
	run: \|
	sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local keycloak-internal.keycloak-system.svc rekor-search-ui.local cli-server.local" \| sudo tee -a /etc/hosts
	- name: Install cosign
	run: go install github.com/sigstore/cosign/v2/cmd/[email protected]

	- name: Run tests
	run: make integration-test

	- name: dump the logs of the operator
	run: kubectl logs -n openshift-rhtas-operator deployment/rhtas-operator-controller-manager
	if: always()

	test-eks:
	name: Test EKS deployment
	runs-on: ubuntu-20.04
	needs: build-operator
	steps:
	- name: Checkout source
	uses: actions/checkout@v2

	- name: Install Go
	uses: actions/setup-go@v3
	with:
	go-version: ${{ env.GO_VERSION }}

	- name: Install eksctl
	run: \|
	ARCH=amd64
	PLATFORM=$(uname -s)_$ARCH
	curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz"
	tar -xzf eksctl_$PLATFORM.tar.gz -C /tmp && rm eksctl_$PLATFORM.tar.gz
	sudo mv /tmp/eksctl /usr/local/bin

	- name: Install kubectl
	run: \|
	ARCH=amd64
	PLATFORM=$(uname -s)_$ARCH
	curl -sLO "https://dl.k8s.io/release/v1.22.0/bin/linux/amd64/kubectl"
	chmod +x kubectl
	sudo mv kubectl /usr/local/bin

	- name: run eksctl create cluster
	run: \|
	eksctl create cluster --alb-ingress-access --external-dns-access --name rhtas-eks-${GITHUB_SHA} --nodes 1 --node-type m5.xlarge --spot
	eksctl utils associate-iam-oidc-provider --region=us-east-2 --cluster=rhtas-eks-${GITHUB_SHA} --approve
	eksctl create iamserviceaccount --region us-east-2 --name ebs-csi-controller-sa --namespace kube-system --cluster rhtas-eks-${GITHUB_SHA} --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy --approve --role-only --role-name AmazonEKS_EBS_CSI_DriverRole
	eksctl create addon --name aws-ebs-csi-driver --cluster rhtas-eks-${GITHUB_SHA} --service-account-role-arn arn:aws:iam::${{ secrets.AWS }}:role/AmazonEKS_EBS_CSI_DriverRole --force
	kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/aws/deploy.yaml

	- name: Deploy operator container
	run: IMG=ttl.sh/securesign make deploy

	- name: Wait for operator to be ready
	run: \|
	kubectl wait --for=condition=available deployment/rhtas-operator-controller-manager --timeout=60s -n openshift-rhtas-operator

	- name: Install cosign
	run: go install github.com/sigstore/cosign/v2/cmd/[email protected]

	- name: Deploy RTHAS
	run: \|
	sed -i 's\|"https://your-oidc-issuer-url"\|${{ secrets.testing_keycloak }}\|g' config/samples/rhtas_v1alpha1_securesign.yaml
	sed -i 's\|"trusted-artifact-signer"\|"sigstore"\|g' config/samples/rhtas_v1alpha1_securesign.yaml

	- name: Test deployments are ready
	run: \|
	kubectl wait --for-condition=available deployment/trillian-db -n test
	kubectl wait --for-condition=available deployment/trillian-logserver -n test
	kubectl wait --for-condition=available deployment/trillian-logsigner -n test
	kubectl wait --for-condition=available deployment/fulcio-server -n test
	kubectl wait --for-condition=available deployment/tuf -n test
	kubectl wait --for-condition=available deployment/ctlog -n test
	kubectl wait --for-condition=available deployment/rekor-redis -n test
	kubectl wait --for-condition=available deployment/rekor-server -n test

	- name: dump the logs of the operator
	run: kubectl logs -n openshift-rhtas-operator deployment/rhtas-operator-controller-manager
	if: always()

	- name: delete the cluster
	run: eksctl delete cluster --name rhtas-eks-${GITHUB_SHA} --region us-east-2 --wait
	if: always()

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

EKS support and testing #636

Workflow file

EKS support and testing #636

Jobs

Run details

Workflow file for this run