fix: add token to build_test
This commit is contained in:
28
.github/workflows/workflow.yaml
vendored
28
.github/workflows/workflow.yaml
vendored
@@ -28,10 +28,18 @@ jobs:
|
||||
with:
|
||||
egress-policy: audit
|
||||
|
||||
- name: Set up Go 1.19
|
||||
- name: Generate GitHub App Token
|
||||
id: app-token
|
||||
uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1
|
||||
with:
|
||||
app-id: ${{ vars.DOCKER_READ_APP_ID }}
|
||||
private-key: ${{ secrets.DOCKER_READ_APP_PRIVATE_KEY }}
|
||||
repositories: "attest,attest-external-data-provider"
|
||||
|
||||
- name: Set up Go 1.22
|
||||
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
|
||||
with:
|
||||
go-version: 1.19
|
||||
go-version: 1.22
|
||||
|
||||
- name: Check out code into the Go module directory
|
||||
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
|
||||
@@ -40,7 +48,8 @@ jobs:
|
||||
- name: golangci-lint
|
||||
uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
|
||||
with:
|
||||
version: v1.50.0
|
||||
version: v1.59
|
||||
github-token: ${{ steps.app-token.outputs.token }}
|
||||
|
||||
helm_build_test:
|
||||
name: "[Helm] Build and Test"
|
||||
@@ -54,14 +63,22 @@ jobs:
|
||||
with:
|
||||
egress-policy: audit
|
||||
|
||||
- name: Set up Go 1.19
|
||||
- name: Set up Go 1.22
|
||||
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
|
||||
with:
|
||||
go-version: 1.19
|
||||
go-version: 1.22
|
||||
|
||||
- name: Check out code into the Go module directory
|
||||
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
|
||||
|
||||
- name: Generate GitHub App Token
|
||||
id: app-token
|
||||
uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1
|
||||
with:
|
||||
app-id: ${{ vars.DOCKER_READ_APP_ID }}
|
||||
private-key: ${{ secrets.DOCKER_READ_APP_PRIVATE_KEY }}
|
||||
repositories: "attest,attest-external-data-provider"
|
||||
|
||||
- name: Bootstrap e2e
|
||||
env:
|
||||
KIND_VERSION: 0.17.0
|
||||
@@ -91,6 +108,7 @@ jobs:
|
||||
- name: Build and install attest-external-data-provider
|
||||
run: |
|
||||
./scripts/generate-tls-cert.sh
|
||||
export GITHUB_TOKEN=${{ steps.app-token.outputs.token }}
|
||||
make docker-buildx kind-load-image
|
||||
helm install attest-provider charts/external-data-provider \
|
||||
--set provider.tls.caBundle="$(cat certs/ca.crt | base64 | tr -d '\n\r')" \
|
||||
|
||||
@@ -19,33 +19,33 @@ teardown_file() {
|
||||
wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl -n ${GATEKEEPER_NAMESPACE} wait --for=condition=Ready --timeout=60s pod -l control-plane=audit-controller"
|
||||
}
|
||||
|
||||
@test "external-data-provider is running" {
|
||||
wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl -n ${GATEKEEPER_NAMESPACE} wait --for=condition=Ready --timeout=60s pod -l run=external-data-provider"
|
||||
@test "attest-provider is running" {
|
||||
wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl -n ${GATEKEEPER_NAMESPACE} wait --for=condition=Ready --timeout=60s pod -l run=attest-provider"
|
||||
}
|
||||
|
||||
@test "external data validation" {
|
||||
run kubectl apply -f validation/external-data-provider-constraint-template.yaml
|
||||
@test "attest validation" {
|
||||
run kubectl apply -f validation/attest-constraint-template.yaml
|
||||
assert_success
|
||||
wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced constrainttemplate k8sexternaldatavalidation"
|
||||
wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced constrainttemplate k8sattestexternaldata"
|
||||
|
||||
run kubectl apply -f validation/external-data-provider-constraint.yaml
|
||||
run kubectl apply -f validation/attest-constraint.yaml
|
||||
assert_success
|
||||
wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced k8sexternaldatavalidation deny-images-with-invalid-suffix"
|
||||
wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced k8sattestexternaldata deny-images-that-fail-policy"
|
||||
|
||||
run kubectl run nginx --image=error_nginx --dry-run=server
|
||||
# should deny pod admission if the image name has an "error_" prefix
|
||||
run kubectl run nginx --image=nginx --dry-run=server
|
||||
# should deny pod admission if the image doesn't pass policy
|
||||
assert_failure
|
||||
assert_match 'error_nginx' "${output}"
|
||||
assert_match 'error_nginx_invalid' "${output}"
|
||||
assert_match 'admit: false' "${output}"
|
||||
}
|
||||
|
||||
@test "external data mutation" {
|
||||
run kubectl apply -f mutation/external-data-provider-mutation.yaml
|
||||
assert_success
|
||||
wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "mutator_enforced Assign append-valid-suffix-to-image"
|
||||
|
||||
run kubectl run nginx --image=nginx --dry-run=server --output json
|
||||
assert_success
|
||||
# should mutate the image field by appending "_valid" suffix
|
||||
assert_match "nginx_valid" "$(jq -r '.spec.containers[0].image' <<< ${output})"
|
||||
}
|
||||
# TODO: write mutating webhook policy
|
||||
#@test "attest mutation" {
|
||||
# run kubectl apply -f mutation/external-data-provider-mutation.yaml
|
||||
# assert_success
|
||||
# wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "mutator_enforced Assign append-valid-suffix-to-image"
|
||||
#
|
||||
# run kubectl run nginx --image=nginx --dry-run=server --output json
|
||||
# assert_success
|
||||
# # should mutate the image field by appending "_valid" suffix
|
||||
# assert_match "nginx_valid" "$(jq -r '.spec.containers[0].image' <<< ${output})"
|
||||
#}
|
||||
|
||||
Reference in New Issue
Block a user