jetstack-secure/.github/workflows/tests.yaml at 6572f1ecae740b7d282c2b46f6039773e92edc2f · jetstack/jetstack-secure · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
name: tests
on:
  push:
    branches: [master]
  pull_request: {}
jobs:
  verify:
    runs-on: ubuntu-latest
    timeout-minutes: 15

    steps:
      - uses: actions/checkout@v5
        with:
          fetch-depth: 0

      - uses: ./.github/actions/repo_access
        with:
          DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}

      - id: go-version
        run: |
          make print-go-version >> "$GITHUB_OUTPUT"

      - uses: actions/setup-go@v6
        with:
          go-version: ${{ steps.go-version.outputs.result }}

      - uses: actions/cache@v4
        with:
          path: _bin/downloaded
          key: downloaded-${{ runner.os }}-${{ hashFiles('klone.yaml') }}-verify

      - run: make -j verify

  test:
    runs-on: ubuntu-latest
    timeout-minutes: 15

    permissions:
      contents: read # needed for checkout
      id-token: write # needed for google auth

    steps:
      - uses: actions/checkout@v5
        with:
          fetch-depth: 0

      - uses: ./.github/actions/repo_access
        with:
          DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}

      - id: go-version
        run: |
          make print-go-version >> "$GITHUB_OUTPUT"

      - uses: actions/setup-go@v6
        with:
          go-version: ${{ steps.go-version.outputs.result }}

      - uses: actions/cache@v4
        with:
          path: _bin/downloaded
          key: downloaded-${{ runner.os }}-${{ hashFiles('klone.yaml') }}-test-unit

      - run: make -j test-unit test-helm

      - name: Upload test artifacts
        uses: actions/upload-artifact@v4
        with:
          name: unit-artifacts
          path: _bin/artifacts

  test-e2e:
    if: contains(github.event.pull_request.labels.*.name, 'test-e2e')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
        with:
          fetch-depth: 0

      - uses: ./.github/actions/repo_access
        with:
          DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB: ${{ secrets.DEPLOY_KEY_READ_VENAFI_CONNECTION_LIB }}

      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@v3
        with:
          credentials_json: '${{ secrets.GCP_SA_KEY }}'

      - name: Set up gcloud
        id: setup-gcloud
        uses: google-github-actions/setup-gcloud@v3
        with:
          install_components: "gke-gcloud-auth-plugin"
          project_id: machineidentitysecurity-jsci-e

      - name: Configure Docker for Google Artifact Registry
        run: gcloud auth configure-docker europe-west1-docker.pkg.dev

      - id: go-version
        run: |
          make print-go-version >> "$GITHUB_OUTPUT"

      - uses: actions/setup-go@v6
        with:
          go-version: ${{ steps.go-version.outputs.result }}

      - name: Generate timestamp for cluster name
        id: timestamp # Give the step an ID to reference its output
        run: |
          # Generate a timestamp in the format YYMMDD-HHMMSS.
          # Extracting from PR name would require sanitization due to GKE cluster naming constraints
          TIMESTAMP=$(date +'%y%m%d-%H%M%S')
          CLUSTER_NAME="test-secretless-${TIMESTAMP}"
          echo "Generated cluster name: ${CLUSTER_NAME}"
          echo "cluster_name=${CLUSTER_NAME}" >> $GITHUB_OUTPUT

      - run: |
          make helm-plugins
          make -j test-e2e-gke
        # The VEN_API_KEY_PULL secret is set to my API key (Mladen) for glow.in.the.dark tenant.
        env:
          VEN_API_KEY: ${{ secrets.VEN_API_KEY_PULL }}
          VEN_API_KEY_PULL: ${{ secrets.VEN_API_KEY_PULL }}
          OCI_BASE: europe-west1-docker.pkg.dev/machineidentitysecurity-jsci-e/js-agent-ci-repo
          VEN_API_HOST: api.venafi.cloud
          VEN_ZONE: k8s-agent-CI\Default
          VEN_VCP_REGION: us
          CLOUDSDK_CORE_PROJECT: machineidentitysecurity-jsci-e
          CLOUDSDK_COMPUTE_ZONE: europe-west1-b
          CLUSTER_NAME: ${{ steps.timestamp.outputs.cluster_name }}

      - name: Delete GKE Cluster
        # 'always()' - Run this step regardless of success or failure.
        # '!contains(...)' - AND only run if the list of PR labels DOES NOT contain 'keep-e2e-cluster'.
        # NOTE: You will have to delete the test cluster manually when finished with debugging or incur costs.
        if: always() && !contains(github.event.pull_request.labels.*.name, 'keep-e2e-cluster')
        run: |
          echo "Label 'keep-e2e-cluster' not found. Cleaning up GKE cluster ${{ steps.timestamp.outputs.cluster_name }}"
          gcloud container clusters delete ${{ steps.timestamp.outputs.cluster_name }} \
            --project=machineidentitysecurity-jsci-e \
            --zone=europe-west1-b \
            --quiet

#          TODO: REMOVE THIS DEBUGGING!
      - name: Setup upterm session
        if: always()
        uses: owenthereal/action-upterm@v1
        with:
          limit-access-to-actor: true

      - name: Upload test artifacts
        uses: actions/upload-artifact@v4
        with:
          name: e2e-artifacts
          path: _bin/artifacts