Skip to content
Validate SecureSign

Migrate segment jobs and securesign resources #3448

Sign in to view logs

Migrate segment jobs and securesign resources

Migrate segment jobs and securesign resources #3448

Workflow file for this run

.github/workflows/main.yml at 9b92580
name: Validate SecureSign
on:
workflow_dispatch:
push:
branches: [ "main", "release*" ]
tags: [ "*" ]
pull_request:
branches: [ "main", "release*" ]
env:
GO_VERSION: 1.22
IMG: ttl.sh/securesign/secure-sign-operator-${{github.run_number}}:1h
BUNDLE_IMG: ttl.sh/securesign/bundle-secure-sign-${{github.run_number}}:1h
CATALOG_IMG: ttl.sh/securesign/catalog-${{github.run_number}}:1h
CONTAINER_TOOL: podman
jobs:
build-operator:
name: Build-operator
runs-on: ubuntu-20.04
steps:
- name: Checkout source
uses: actions/checkout@v4
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
- name: Replace images
run: make dev-images && cat internal/controller/constants/images.go
- name: Build operator container
run: make docker-build docker-push
- name: Save container image
run: podman save -o /tmp/operator-oci.tar --format oci-archive $IMG
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: operator-image
path: /tmp/operator-oci.tar
retention-days: 1
build-bundle:
name: Build-bundle-image
runs-on: ubuntu-20.04
steps:
- name: Checkout source
uses: actions/checkout@v4
- name: Replace images
run: make dev-images && cat internal/controller/constants/images.go
- name: Build operator bundle
run: make bundle bundle-build bundle-push
- name: Save container image
run: podman save -o /tmp/bundle-oci.tar --format oci-archive $BUNDLE_IMG
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: bundle-image
path: /tmp/bundle-oci.tar
retention-days: 1
build-fbc:
name: Build-fbc
runs-on: ubuntu-20.04
needs: build-bundle
steps:
- name: Checkout source
uses: actions/checkout@v4
- name: Log in to registry.redhat.io
uses: redhat-actions/podman-login@v1
with:
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_PASSWORD }}
registry: registry.redhat.io
auth_file_path: /tmp/config.json
- name: Download artifact
uses: actions/download-artifact@v4
with:
pattern: "*-image"
merge-multiple: true
path: /tmp
- name: Load images
run: podman load -i /tmp/bundle-oci.tar
- name: Install OPM
run: |
make opm
echo "OPM=${{ github.workspace }}/bin/opm" >> $GITHUB_ENV
- name: Checkout FBC source
uses: actions/checkout@v4
with:
repository: "securesign/fbc"
path: fbc
- name: Build catalog
run: |
cd fbc
chmod +x ./generate-fbc.sh && OPM_CMD=${{ env.OPM }} ./generate-fbc.sh --init-basic v4.14 jq
cat << EOF >> v4.14/graph.json
{
"schema": "olm.bundle",
"image": "$BUNDLE_IMG"
}
EOF
#TODO: versions needs to be maintained - try to eliminate
cat <<< $(jq 'select(.schema == "olm.channel" and .name == "stable").entries += [{"name":"rhtas-operator.v1.2.0", "replaces": "rhtas-operator.v1.1.0"}]' v4.14/graph.json) > v4.14/graph.json
cat v4.14/graph.json
${{ env.OPM }} alpha render-template basic v4.14/graph.json > v4.14/catalog/rhtas-operator/catalog.json
${{ env.OPM }} validate v4.14/catalog/rhtas-operator
podman build v4.14 -f v4.14/catalog.Dockerfile -t $CATALOG_IMG
podman push $CATALOG_IMG
- name: Save container image
run: podman save -o /tmp/catalog-oci.tar --format oci-archive $CATALOG_IMG
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: catalog-image
path: /tmp/catalog-oci.tar
retention-days: 1
build-tuftool:
name: Build-tuftool
runs-on: ubuntu-20.04
steps:
- name: Checkout tough source
uses: actions/checkout@v4
with:
repository: "securesign/tough"
path: tough
- uses: actions-rs/toolchain@v1
with:
toolchain: stable
profile: minimal
- uses: actions/cache@v4
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
/tmp/tuftool
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
- run: cd tough && cargo build --release --target-dir /tmp/tuftool
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: tuftool
path: /tmp/tuftool/release/tuftool
retention-days: 1
if-no-files-found: error
test-kind:
name: Test kind deployment
runs-on: ubuntu-20.04
needs:
- build-operator
- build-tuftool
steps:
- name: Checkout source
uses: actions/checkout@v4
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
- name: Download tuftool
uses: actions/download-artifact@v4
with:
name: tuftool
path: /tmp/tuftool
- run: echo "/tmp/tuftool" >> $GITHUB_PATH
- name: Log in to registry.redhat.io
uses: redhat-actions/podman-login@v1
with:
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_PASSWORD }}
registry: registry.redhat.io
auth_file_path: /tmp/config.json
- name: Download artifact
uses: actions/download-artifact@v4
with:
pattern: "*-image"
merge-multiple: true
path: /tmp
- name: Load images
run: podman load -i /tmp/operator-oci.tar
- name: Install Cluster
uses: ./.github/actions/kind-cluster
with:
config: ./ci/config.yaml
prometheus: 'true'
keycloak: 'true'
olm: 'true'
- name: Deploy operator container
env:
OPENSHIFT: false
run: make deploy
- name: Wait for operator to be ready
run: |
kubectl wait --for=condition=available deployment/rhtas-operator-controller-manager --timeout=120s -n openshift-rhtas-operator
- name: Add service hosts to /etc/hosts
run: |
sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local keycloak-internal.keycloak-system.svc rekor-search-ui.local cli-server.local tsa-server.local" | sudo tee -a /etc/hosts
- name: Install cosign
run: go install github.com/sigstore/cosign/v2/cmd/[email protected]
- name: Replace images
run: make dev-images && cat internal/controller/constants/images.go
- name: Run tests
run: make test-e2e
- name: Archive test artifacts
uses: actions/upload-artifact@v4
if: always()
with:
name: test-kind
path: test/**/k8s-dump-*.tar.gz
- name: dump the logs of the operator
run: kubectl logs -n openshift-rhtas-operator deployment/rhtas-operator-controller-manager
if: always()
test-upgrade:
name: Test upgrade operator
runs-on: ubuntu-20.04
needs:
- build-operator
- build-bundle
- build-fbc
steps:
- name: Free Disk Space (Ubuntu)
uses: jlumbroso/free-disk-space@main
with:
tool-cache: true
- name: Checkout source
uses: actions/checkout@v4
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
- name: Log in to registry.redhat.io
uses: redhat-actions/podman-login@v1
with:
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_PASSWORD }}
registry: registry.redhat.io
auth_file_path: /tmp/config.json
- name: Download artifact
uses: actions/download-artifact@v4
with:
pattern: "*-image"
merge-multiple: true
path: /tmp
- name: Load images
run: |
podman load -i /tmp/operator-oci.tar
podman load -i /tmp/bundle-oci.tar
podman load -i /tmp/catalog-oci.tar
- name: Install Cluster
uses: ./.github/actions/kind-cluster
with:
config: ./ci/config.yaml
prometheus: 'true'
keycloak: 'true'
olm: 'true'
- name: Add service hosts to /etc/hosts
run: |
sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local keycloak-internal.keycloak-system.svc rekor-search-ui.local cli-server.local tsa-server.local" | sudo tee -a /etc/hosts
- name: Install cosign
run: go install github.com/sigstore/cosign/v2/cmd/[email protected]
- name: Replace images
run: make dev-images && cat internal/controller/constants/images.go
- name: Run tests
env:
TEST_BASE_CATALOG: registry.redhat.io/redhat/redhat-operator-index:v4.14
TEST_TARGET_CATALOG: ${{ env.CATALOG_IMG }}
OPENSHIFT: false
run: go test -p 1 ./test/e2e/... -tags=upgrade -timeout 20m
- name: Archive test artifacts
uses: actions/upload-artifact@v4
if: always()
with:
name: test-upgrade
path: test/**/k8s-dump-*.tar.gz
test-custom-install:
name: Test with custom operator installation
runs-on: ubuntu-20.04
needs:
- build-operator
steps:
- name: Free Disk Space (Ubuntu)
uses: jlumbroso/free-disk-space@main
with:
tool-cache: true
- name: Checkout source
uses: actions/checkout@v4
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
- name: Log in to registry.redhat.io
uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1
with:
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_PASSWORD }}
registry: registry.redhat.io
auth_file_path: /tmp/config.json
- name: Image prune
run: podman image prune -af
- name: Download artifact
uses: actions/download-artifact@v4
with:
pattern: "*-image"
merge-multiple: true
path: /tmp
- name: Load images
run: podman load -i /tmp/operator-oci.tar
- name: Install Cluster
uses: ./.github/actions/kind-cluster
with:
config: ./ci/config.yaml
- name: Add service hosts to /etc/hosts
run: |
sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local rekor-search-ui.local cli-server.local" | sudo tee -a /etc/hosts
- name: Replace images
run: make dev-images && cat internal/controller/constants/images.go
- name: Run tests
env:
TEST_MANAGER_IMAGE: ${{ env.IMG }}
OPENSHIFT: false
run: make install && go test ./test/e2e/... -tags=custom_install -p 1 -timeout 20m
- name: Archive test artifacts
uses: actions/upload-artifact@v4
if: always()
with:
name: test-custom-install
path: test/**/k8s-dump-*.tar.gz
test-e2e:
name: Execute securesign/sigstore-e2e
runs-on: ubuntu-24.04
needs:
- build-operator
env:
TEST_NAMESPACE: test
steps:
- name: Checkout source
uses: actions/checkout@v4
- name: Checkout test source repository
uses: actions/checkout@v4
with:
repository: "securesign/sigstore-e2e"
path: e2e
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
- name: Log in to registry.redhat.io
uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1
with:
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_PASSWORD }}
registry: registry.redhat.io
auth_file_path: /tmp/config.json
- name: Image prune
run: podman image prune -af
- name: Download artifact
uses: actions/download-artifact@v4
with:
pattern: "*-image"
merge-multiple: true
path: /tmp
- name: Load images
run: |
podman load -i /tmp/operator-oci.tar
- name: Install Cluster
id: kind
uses: ./.github/actions/kind-cluster
with:
config: ./ci/config.yaml
keycloak: 'true'
olm: 'true'
prometheus: 'true'
- name: Add service hosts to /etc/hosts
run: |
sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local rekor-search-ui.local cli-server.local" | sudo tee -a /etc/hosts
- name: Deploy operator container
env:
OPENSHIFT: false
run: make deploy
- name: Wait for operator to be ready
run: |
kubectl wait --for=condition=available deployment/rhtas-operator-controller-manager --timeout=120s -n openshift-rhtas-operator
- name: Install securesign
run: |
sed -i 's#https://your-oidc-issuer-url#${{ steps.kind.outputs.oidc_url }}#' config/samples/rhtas_v1alpha1_securesign.yaml
sed -i 's#rhtas.redhat.com/metrics: "true"#rhtas.redhat.com/metrics: "false"#' config/samples/rhtas_v1alpha1_securesign.yaml
kubectl create ns ${{ env.TEST_NAMESPACE }}
kubectl create -f config/samples/rhtas_v1alpha1_securesign.yaml -n ${{ env.TEST_NAMESPACE }}
sleep 1
kubectl wait --for=condition=Ready securesign/securesign-sample -n ${{ env.TEST_NAMESPACE }}
- name: Run tests
run: |
export SIGSTORE_OIDC_ISSUER=${{ steps.kind.outputs.oidc_url }}
export FULCIO_URL=$(kubectl get securesign -o jsonpath='{.items[0].status.fulcio.url}' -n ${{ env.TEST_NAMESPACE }})
export REKOR_URL=$(kubectl get securesign -o jsonpath='{.items[0].status.rekor.url}' -n ${{ env.TEST_NAMESPACE }})
export TUF_URL=$(kubectl get securesign -o jsonpath='{.items[0].status.tuf.url}' -n ${{ env.TEST_NAMESPACE }})
export TSA_URL=$(kubectl get securesign -o jsonpath='{.items[0].status.tsa.url}' -n ${{ env.TEST_NAMESPACE }})
export CLI_STRATEGY=cli_server
export CLI_SERVER_URL="http://cli-server.local"
cd e2e
go test -v ./test/...
- name: dump the logs of the operator
run: |
kubectl logs -n openshift-rhtas-operator deployment/rhtas-operator-controller-manager
if: failure()
test-eks:
name: Test EKS deployment
runs-on: ubuntu-20.04
needs: build-operator
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
env:
AWS_REGION: us-east-2
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
TEST_NAMESPACE: test
OIDC_ISSUER_URL: ${{ secrets.testing_keycloak }}
steps:
- name: Checkout source
uses: actions/checkout@v4
- name: Install Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
- name: Install eksctl
run: |
ARCH=amd64
PLATFORM=$(uname -s)_$ARCH
curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz"
tar -xzf eksctl_$PLATFORM.tar.gz -C /tmp && rm eksctl_$PLATFORM.tar.gz
sudo mv /tmp/eksctl /usr/local/bin
- name: Install kubectl
run: |
ARCH=amd64
PLATFORM=$(uname -s)_$ARCH
curl -sLO "https://dl.k8s.io/release/v1.22.0/bin/linux/amd64/kubectl"
chmod +x kubectl
sudo mv kubectl /usr/local/bin
- name: run eksctl create cluster
run: |
eksctl create cluster --alb-ingress-access --external-dns-access --name rhtas-eks-${GITHUB_RUN_ID} --nodes 1 --node-type m5.xlarge --spot
eksctl utils associate-iam-oidc-provider --region=us-east-2 --cluster=rhtas-eks-${GITHUB_RUN_ID} --approve
eksctl create iamserviceaccount --region us-east-2 --name ebs-csi-controller-sa --namespace kube-system --cluster rhtas-eks-${GITHUB_RUN_ID} --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy --approve --role-only --role-name AmazonEKS_EBS_CSI_DriverRole
eksctl create addon --name aws-ebs-csi-driver --cluster rhtas-eks-${GITHUB_RUN_ID} --service-account-role-arn arn:aws:iam::${{ secrets.AWS }}:role/AmazonEKS_EBS_CSI_DriverRole --force
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/aws/deploy.yaml
kubectl patch storageclass gp2 -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
- name: Log in to registry.redhat.io
uses: redhat-actions/podman-login@v1
with:
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_PASSWORD }}
registry: registry.redhat.io
auth_file_path: /tmp/config.json
- name: Download artifact
uses: actions/download-artifact@v4
with:
pattern: "*-image"
merge-multiple: true
path: /tmp
- name: Load images
run: podman load -i /tmp/operator-oci.tar
- name: Push images
run: podman push $IMG
- name: Create namespace and serviceaccounts with redhat registry login
run: |
kubectl create ns ${{ env.TEST_NAMESPACE }}
kubectl create secret generic redhat-registry -n ${{ env.TEST_NAMESPACE }} --from-file=.dockerconfigjson=/tmp/config.json --type=kubernetes.io/dockerconfigjson
kubectl patch serviceaccount default --type=merge -p '{"imagePullSecrets": [{"name":"redhat-registry"}]}' -n ${{ env.TEST_NAMESPACE }}
for NAME in "fulcio" "ctlog" "trillian" "rekor" "tuf" "tsa"
do
echo """
apiVersion: v1
kind: ServiceAccount
metadata:
name: $NAME
namespace: $TEST_NAMESPACE
imagePullSecrets:
- name: redhat-registry
""" |
kubectl create -f -
done
- name: Deploy operator container
env:
OPENSHIFT: false
run: make deploy
# TODO: deploy ingress and execute e2e
- name: Deploy RTHAS
run: |
sed -i 's|"https://your-oidc-issuer-url"|${{ secrets.testing_keycloak }}|g' config/samples/rhtas_v1alpha1_securesign.yaml
sed -i 's|enabled: true|enabled: false|g' config/samples/rhtas_v1alpha1_securesign.yaml
sed -i 's|rhtas.redhat.com/metrics: "true"|rhtas.redhat.com/metrics: "false"|g' config/samples/rhtas_v1alpha1_securesign.yaml
kubectl apply -f config/samples/rhtas_v1alpha1_securesign.yaml -n ${{ env.TEST_NAMESPACE }}
- name: Until shell script to wait for deployment to be created
run: |
for i in trillian fulcio rekor tuf ctlog timestampAuthority; do
until [ ! -z "$(kubectl get $i -n ${{ env.TEST_NAMESPACE }} 2>/dev/null)" ]
do
echo "Waiting for $i to be created."
sleep 3
done
done
shell: bash
- name: Test components are ready
run: |
kubectl wait --for=condition=ready trillian/securesign-sample -n ${{ env.TEST_NAMESPACE }} --timeout=5m
kubectl wait --for=condition=ready fulcio/securesign-sample -n ${{ env.TEST_NAMESPACE }} --timeout=5m
kubectl wait --for=condition=ready rekor/securesign-sample -n ${{ env.TEST_NAMESPACE }} --timeout=5m
kubectl wait --for=condition=ready ctlog/securesign-sample -n ${{ env.TEST_NAMESPACE }} --timeout=5m
kubectl wait --for=condition=ready tuf/securesign-sample -n ${{ env.TEST_NAMESPACE }} --timeout=5m
kubectl wait --for=condition=ready timestampAuthority/securesign-sample -n ${{ env.TEST_NAMESPACE }} --timeout=5m
- name: Test deployments are ready
run: |
kubectl wait --for=condition=available deployment/trillian-db -n ${{ env.TEST_NAMESPACE }}
kubectl wait --for=condition=available deployment/trillian-logserver -n ${{ env.TEST_NAMESPACE }}
kubectl wait --for=condition=available deployment/trillian-logsigner -n ${{ env.TEST_NAMESPACE }}
kubectl wait --for=condition=available deployment/fulcio-server -n ${{ env.TEST_NAMESPACE }}
kubectl wait --for=condition=available deployment/rekor-server -n ${{ env.TEST_NAMESPACE }}
kubectl wait --for=condition=available deployment/rekor-redis -n ${{ env.TEST_NAMESPACE }}
kubectl wait --for=condition=available deployment/rekor-search-ui -n ${{ env.TEST_NAMESPACE }}
kubectl wait --for=condition=available deployment/tuf -n ${{ env.TEST_NAMESPACE }}
kubectl wait --for=condition=available deployment/ctlog -n ${{ env.TEST_NAMESPACE }}
kubectl wait --for=condition=available deployment/tsa-server -n ${{ env.TEST_NAMESPACE }}
- name: Archive test artifacts
uses: actions/upload-artifact@v4
if: always()
with:
name: test-eks
path: test/**/k8s-dump-*.tar.gz
- name: dump the logs of the operator
run: |
kubectl logs -n openshift-rhtas-operator deployment/rhtas-operator-controller-manager
if: always()
- name: delete the cluster
run: eksctl delete cluster --name rhtas-eks-${GITHUB_RUN_ID} --region us-east-2 --wait
if: always()