Merge pull request #1399 from anurag-rajawat/feat-k0s-deploy #36
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: ci-latest-release | |
on: | |
push: | |
branches: | |
- "main" | |
- "v*" | |
paths: | |
- "KubeArmor/**" | |
- "protobuf/**" | |
- ".github/workflows/ci-latest-release.yml" | |
- "pkg/**" | |
- "!STABLE-RELEASE" | |
create: | |
branches: | |
- "v*" | |
jobs: | |
check: | |
name: Check what pkg were updated | |
if: github.repository == 'kubearmor/kubearmor' | |
runs-on: ubuntu-20.04 | |
timeout-minutes: 5 | |
outputs: | |
kubearmor: ${{ steps.filter.outputs.kubearmor}} | |
controller: ${{ steps.filter.outputs.controller }} | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: dorny/paths-filter@v2 | |
id: filter | |
with: | |
filters: | | |
kubearmor: | |
- "KubeArmor/**" | |
- "protobuf/**" | |
controller: | |
- 'pkg/KubeArmorController/**' | |
build: | |
name: Create KubeArmor latest release | |
needs: check | |
if: github.repository == 'kubearmor/kubearmor' && (needs.check.outputs.kubearmor == 'true' || ${{ github.ref }} != 'refs/heads/main') | |
runs-on: ubuntu-20.04 | |
permissions: | |
id-token: write | |
timeout-minutes: 120 | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
submodules: true | |
- uses: actions/setup-go@v3 | |
with: | |
go-version: "v1.20" | |
- name: Install the latest LLVM toolchain | |
run: ./.github/workflows/install-llvm.sh | |
- name: Compile libbpf | |
run: ./.github/workflows/install-libbpf.sh | |
- name: Setup a Kubernetes enviroment | |
id: vars | |
run: | | |
if [ ${{ github.ref }} == "refs/heads/main" ]; then | |
echo "tag=latest" >> $GITHUB_OUTPUT | |
else | |
echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT | |
fi | |
RUNTIME=docker ./contribution/k3s/install_k3s.sh | |
- name: Generate KubeArmor artifacts | |
run: GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/build_kubearmor.sh ${{ steps.vars.outputs.tag }} | |
- name: Deploy KubeArmor into Kubernetes | |
run: | | |
helm upgrade --install kubearmor ./deployments/helm/KubeArmor \ | |
--values ./KubeArmor/build/kubearmor-helm-test-values.yaml \ | |
--set kubearmor.image.tag=${{ steps.vars.outputs.tag }} \ | |
--set kubearmorInit.image.tag=${{ steps.vars.outputs.tag }} \ | |
-n kube-system; | |
kubectl wait --for=condition=ready --timeout=5m -n kube-system pod -l kubearmor-app | |
kubectl get pods -A | |
- name: Test KubeArmor using Ginkgo | |
run: | | |
go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo | |
make -C tests/ | |
timeout-minutes: 30 | |
- name: Login to Docker Hub | |
uses: docker/login-action@v2 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_AUTHTOK }} | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v2 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
with: | |
platforms: linux/amd64,linux/arm64/v8 | |
- name: Push KubeArmor images to Docker | |
run: GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/push_kubearmor.sh ${{ steps.vars.outputs.tag }} | |
- name: Install Cosign | |
uses: sigstore/cosign-installer@main | |
- name: Get Image Digest | |
id: digest | |
run: | | |
echo "imagedigest=$(jq -r '.["containerimage.digest"]' kubearmor.json)" >> $GITHUB_OUTPUT | |
echo "initdigest=$(jq -r '.["containerimage.digest"]' kubearmor-init.json)" >> $GITHUB_OUTPUT | |
echo "ubidigest=$(jq -r '.["containerimage.digest"]' kubearmor-ubi.json)" >> $GITHUB_OUTPUT | |
- name: Sign the Container Images | |
run: | | |
cosign sign -r kubearmor/kubearmor@${{ steps.digest.outputs.imagedigest }} --yes | |
cosign sign -r kubearmor/kubearmor-init@${{ steps.digest.outputs.initdigest }} --yes | |
cosign sign -r kubearmor/kubearmor-ubi@${{ steps.digest.outputs.ubidigest }} --yes | |
push-stable-version: | |
name: Create KubeArmor stable release | |
needs: [build, check] | |
if: github.ref != 'refs/heads/main' | |
runs-on: ubuntu-20.04 | |
permissions: | |
id-token: write | |
timeout-minutes: 60 | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
ref: main | |
- name: Install regctl | |
run: | | |
curl -L https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 >regctl | |
chmod 755 regctl | |
mv regctl /usr/local/bin | |
- name: Check install | |
run: regctl version | |
- name: Get tag | |
id: match | |
run: | | |
value=`cat STABLE-RELEASE` | |
if [ ${{ github.ref }} == "refs/heads/$value" ]; then | |
echo "tag=true" >> $GITHUB_OUTPUT | |
else | |
echo "tag=false" >> $GITHUB_OUTPUT | |
fi | |
- name: Login to Docker Hub | |
if: steps.match.outputs.tag == 'true' | |
uses: docker/login-action@v2 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_AUTHTOK }} | |
- name: Generate the stable version of KubeArmor in Docker Hub | |
if: steps.match.outputs.tag == 'true' | |
run: | | |
STABLE_VERSION=`cat STABLE-RELEASE` | |
regctl image copy kubearmor/kubearmor:$STABLE_VERSION kubearmor/kubearmor:stable --digest-tags | |
regctl image copy kubearmor/kubearmor-ubi:$STABLE_VERSION kubearmor/kubearmor-ubi:stable --digest-tags | |
regctl image copy kubearmor/kubearmor-controller:$STABLE_VERSION kubearmor/kubearmor-controller:stable --digest-tags | |
kubearmor-controller-release: | |
name: Build & Push KubeArmorController | |
needs: check | |
if: github.repository == 'kubearmor/kubearmor' && (needs.check.outputs.controller == 'true' || ${{ github.ref }} != 'refs/heads/main') | |
defaults: | |
run: | |
working-directory: ./pkg/KubeArmorController | |
runs-on: ubuntu-20.04 | |
timeout-minutes: 60 | |
steps: | |
- uses: actions/setup-go@v3 | |
with: | |
go-version: "v1.20" | |
- uses: actions/checkout@v3 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v2 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
with: | |
platforms: linux/amd64,linux/arm64/v8 | |
- name: Login to Docker Hub | |
uses: docker/login-action@v2 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_AUTHTOK }} | |
- name: Get tag | |
id: tag | |
run: | | |
if [ ${{ github.ref }} == "refs/heads/main" ]; then | |
echo "tag=latest" >> $GITHUB_OUTPUT | |
else | |
echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT | |
fi | |
- name: Build & Push KubeArmorController | |
run: make docker-buildx TAG=${{ steps.tag.outputs.tag }} |