chore(deps): update gcr.io/kubebuilder/kube-rbac-proxy docker tag to v0.16.0 #277
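---
# Helm chart CI: lint/install every changed chart under charts/ into a throwaway
# kind cluster, then smoke-test the resulting deployments over HTTPS.
#
# NOTE(review): the forge flagged this file as containing bidirectional Unicode
# text. Before merging, scan it for bidi control characters (U+202A-U+202E,
# U+2066-U+2069); a workflow that runs with cloud credentials is exactly where a
# "Trojan Source" style hidden edit would be aimed.
name: Tests

on:
  pull_request:
    paths:
      - 'charts/**'
  push:
    branches:
      - main
    paths:
      - 'charts/**'
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: checkout only needs read access and no step
# below writes back to the repository. Azure access uses a service principal,
# not OIDC, so no id-token permission is needed. If a future step needs more,
# grant it on that step rather than widening this block.
permissions:
  contents: read

jobs:
  test:
    name: Test Helm charts
    runs-on: ubuntu-22.04
    # NOTE(review): this job runs on pull_request while holding an Azure service
    # principal and a Key Vault token. Forked PRs never receive secrets, but any
    # same-repository branch does, and the charts being installed come from that
    # branch. Keep protection rules (required reviewers) on the Production
    # environment so PR-controlled code cannot run next to these credentials
    # without a human gate — confirm the environment is configured that way.
    environment: Production
    defaults:
      run:
        # Explicit bash gives `-eo pipefail`, so a failing command anywhere in a
        # pipeline fails the step instead of being masked by the last stage.
        shell: bash
    env:
      # Handed to scripts through the environment instead of being interpolated
      # into `run:` text, so the value can never be re-parsed as shell.
      TARGET_BRANCH: ${{ github.event.repository.default_branch }}
    steps:
      - name: Checkout repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0  # full history: ct list-changed diffs against the target branch

      - name: Set up Helm
        uses: Azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
        with:
          version: 'v3.13.1'

      - name: Login to Azure - CI Subscription
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        # TODO(review): every other action here is pinned to a commit SHA; this
        # one floats on a mutable branch ref, so a push to that branch changes
        # what runs with the Azure credentials above. Pin it the same way.
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
          keyvault: "bitwarden-ci"
          secrets: "helm-sm-operator-ci-test-access-token"

      - name: Set up lynx
        # -y: apt must never wait for interactive confirmation on a CI runner.
        run: |
          sudo apt-get update -qq
          sudo apt-get install -y lynx

      - name: Set up Python
        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
        with:
          python-version: '3.12'
          check-latest: true

      - name: Set up chart-testing
        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1

      - name: Run chart-testing (list-changed)
        id: list-changed
        run: |
          changed=$(ct list-changed --target-branch "$TARGET_BRANCH")
          if [[ -n "$changed" ]]; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
            # ct prints one chart directory per line. A bare `key=value` line
            # cannot carry a multi-line value (the runner rejects the second line
            # as "Invalid format"), so use the heredoc form of $GITHUB_OUTPUT.
            # The delimiter is random so a chart directory name chosen by a PR
            # author cannot terminate the value early and inject extra outputs.
            delimiter="changed-list-$(openssl rand -hex 16)"
            {
              echo "changed-list<<${delimiter}"
              echo "$changed"
              echo "${delimiter}"
            } >> "$GITHUB_OUTPUT"
          fi

      - name: Create kind cluster
        if: steps.list-changed.outputs.changed == 'true'
        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
        with:
          config: .github/workflows/config/cluster.yaml

      - name: Set up cluster
        if: steps.list-changed.outputs.changed == 'true'
        env:
          # TODO(review): `main` is a moving target — an upstream change can
          # break or silently alter what gets applied to the cluster. Pin to a
          # release tag (and ideally verify the manifest's checksum) instead.
          INGRESS_NGINX_REF: main
        run: |
          # Throwaway credentials for this run only; the cluster is deleted at
          # the end of the job, so nothing here needs to be durable.
          installation_id=$(uuidgen)
          echo "$installation_id"  # logged for debugging; fresh UUID, not a real installation id
          installation_key=$(openssl rand -base64 12)
          sa_password=$(openssl rand -base64 12)
          cert_pass=$(openssl rand -base64 12)

          # --- TLS: a 1-day self-signed root CA and a leaf cert for the ingress ---
          echo "Creating root CA cert"
          # -newkey without -nodes encrypts the CA key; cert_pass protects it.
          openssl req -x509 -sha256 -days 1 -newkey rsa:2048 \
            -keyout rootCA.key -out rootCA.crt -subj "/CN=Bitwarden Ingress" \
            -passout "pass:${cert_pass}"
          echo "Generating TLS key"
          # The leaf key is intentionally unencrypted: kubectl needs the raw PEM
          # for the tls secret below, so no passphrase is involved for it.
          openssl genrsa -out bitwarden.localhost.key 2048
          echo "Generating TLS cert"
          openssl req -key bitwarden.localhost.key -new -out bitwarden.localhost.csr \
            -subj "/CN=bitwarden.localhost"
          echo "Signing TLS cert"
          # Modern clients ignore CN for host matching; the SAN is what makes
          # curl accept https://bitwarden.localhost.
          cat > bitwarden.localhost.ext << EOF
          authorityKeyIdentifier=keyid,issuer
          basicConstraints=CA:FALSE
          subjectAltName = @alt_names
          [alt_names]
          DNS.1 = bitwarden.localhost
          EOF
          openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in bitwarden.localhost.csr \
            -out bitwarden.localhost.crt -days 1 -CAcreateserial \
            -extfile bitwarden.localhost.ext -passin "pass:${cert_pass}"
          echo "Exporting TLS certs to PEM"
          openssl x509 -in bitwarden.localhost.crt -out bitwarden.localhost.pem
          openssl x509 -in rootCA.crt -out rootCA.pem

          # --- Ingress ---
          kubectl apply -f "https://raw.githubusercontent.com/kubernetes/ingress-nginx/${INGRESS_NGINX_REF}/deploy/static/provider/kind/deploy.yaml"
          # Removes ingress-nginx's admission webhook, presumably so Ingress
          # objects created by `ct install` are not rejected while the webhook is
          # still starting. This disables Ingress validation in this throwaway
          # cluster only; never do this in a real cluster.
          kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission
          # Only the write to /etc/hosts needs root.
          echo "127.0.0.1 bitwarden.localhost" | sudo tee -a /etc/hosts

          # --- Namespace ---
          kubectl create ns bitwarden
          kubectl config set-context --current --namespace=bitwarden

          # --- Secrets ---
          # The REPLACE values are placeholders: mail and Yubico are not
          # exercised by this smoke test.
          kubectl create secret generic custom-secret \
            --from-literal=globalSettings__installation__id="$installation_id" \
            --from-literal=globalSettings__installation__key="$installation_key" \
            --from-literal=globalSettings__mail__smtp__username="REPLACE" \
            --from-literal=globalSettings__mail__smtp__password="REPLACE" \
            --from-literal=globalSettings__yubico__clientId="REPLACE" \
            --from-literal=globalSettings__yubico__key="REPLACE" \
            --from-literal=SA_PASSWORD="$sa_password"
          kubectl create secret tls tls-secret --cert=bitwarden.localhost.pem --key=bitwarden.localhost.key

      - name: Run chart-testing (install)
        if: steps.list-changed.outputs.changed == 'true'
        # --skip-clean-up keeps the releases so the smoke tests below can hit them.
        run: ct install --target-branch "$TARGET_BRANCH" --skip-clean-up --namespace bitwarden

      - name: Test install (self-host)
        if: steps.list-changed.outputs.changed == 'true' && contains(steps.list-changed.outputs.changed-list, 'self-host')
        run: |
          # For review purposes: dump cluster state into the job log first.
          echo "*****DEPLOYMENTS*****"
          kubectl get deployments
          echo "*****PODS*****"
          kubectl get pods
          echo "*****SERVICES*****"
          kubectl get svc
          echo "*****JOBS*****"
          kubectl get jobs
          echo "*****INGRESS*****"
          kubectl describe ingress

          # check_page LABEL URL EXPECTED
          # Fetches URL through the ingress (validated against the test root CA),
          # prints a text rendering of the body, and fails the step unless the
          # final status is 200 and the body contains the literal string EXPECTED.
          # Pure-bash matching avoids `grep` in a `$(...)`, which under `set -e`
          # aborted the step before the original error messages could print.
          check_page() {
            local label="$1" url="$2" expected="$3"
            local response http_code
            echo "*****${label^^}*****"
            # -L follows redirects; %{http_code} is then the code of the final hop,
            # appended after the body so both come back in one call.
            response=$(curl -Ls "$url" -w 'httpcode=%{http_code}' --cacert rootCA.pem)
            printf '%s\n' "$response" | lynx -stdin -dump -width=100
            http_code="${response##*httpcode=}"
            if [[ ! "$http_code" =~ ^[0-9]{3}$ ]]; then
              http_code=000
            fi
            if [[ "$http_code" -ne 200 ]]; then
              echo "::error::ERROR: ${label} page failed to load. HTTP code was ${http_code}"
              exit 1
            fi
            if [[ "$response" != *"$expected"* ]]; then
              echo "::error::ERROR: ${label} page failed to load. Please check body output above."
              exit 1
            fi
            echo "${label} OK."
          }

          check_page "Home" "https://bitwarden.localhost" "Bitwarden Web Vault"
          # The API must advertise the same public vault URL the ingress serves.
          check_page "API/Config" "https://bitwarden.localhost/api/config" '"vault":"https://bitwarden.localhost"'
          check_page "Admin" "https://bitwarden.localhost/admin" "We'll email you a secure login link"

      - name: Test install (sm-operator)
        if: steps.list-changed.outputs.changed == 'true' && contains(steps.list-changed.outputs.changed-list, 'sm-operator')
        env:
          # Secrets Manager access token fetched from Key Vault above; handed to
          # the script via env, never interpolated into the script text.
          AUTH_TOKEN: ${{ steps.retrieve-secrets.outputs.helm-sm-operator-ci-test-access-token }}
        run: |
          # Defence in depth: make sure the runner redacts the token from the
          # log (operator logs are printed below) even if the upstream action did
          # not already register it as a mask.
          echo "::add-mask::${AUTH_TOKEN}"

          # For review purposes: dump cluster state into the job log first.
          echo "*****DEPLOYMENTS*****"
          kubectl get deployments
          echo "*****PODS*****"
          # The operator pod has two containers; 2/2 means both are ready.
          # `|| true` keeps a non-match from aborting the step before the error
          # message below is printed.
          pods=$(kubectl get pods -l app.kubernetes.io/name=sm-operator | grep 2/2 || true)
          echo "$pods"
          if [[ -z "$pods" ]]; then
            echo "::error::No pods found."
            exit 1
          fi

          echo "*****CREATING AUTH SECRET*****"
          kubectl create secret generic bw-auth-token -n bitwarden --from-literal=token="$AUTH_TOKEN"
          echo "*****CREATING BW SECRET*****"
          kubectl apply -f .github/workflows/config/sample-bw-secret.yaml

          # Wait (bounded, up to ~30s) for the operator to report the sync instead
          # of a single fixed sleep, which is racy on a slow runner. --tail=-1:
          # with a label selector kubectl otherwise shows only the last 10 lines.
          echo "*****LOGS*****"
          completed=""
          logs=""
          for _ in $(seq 1 15); do
            sleep 2s
            logs=$(kubectl logs -l app.kubernetes.io/name=sm-operator -c manager --tail=-1)
            completed=$(grep "Completed sync for bitwarden/bitwardensecret-sample" <<< "$logs" || true)
            if [[ -n "$completed" ]]; then
              break
            fi
          done
          echo "$logs"
          if [[ -z "$completed" ]]; then
            echo "::error::Secret did not sync."
            exit 1
          fi

          # Give the operator a moment to write the resulting Secret object.
          sleep 2s
          echo "*****RESULTING SECRETS*****"
          secrets=$(kubectl get secrets)
          echo "$secrets"
          # Expect an Opaque secret named bw-sample-secret holding 3 keys.
          if ! grep -Pq "bw-sample-secret\s+Opaque\s+3" <<< "$secrets"; then
            echo "::error::Secret not created correctly."
            exit 1
          fi
          echo "*****OPERATOR OK*****"

      - name: Clean-up
        # The hosted runner is ephemeral, so skipping this on failure leaves
        # nothing behind; on a self-hosted runner change this to `always() && ...`.
        if: steps.list-changed.outputs.changed == 'true'
        run: |
          helm ls --all --short | xargs -L1 helm delete
          kubectl delete ns bitwarden
          kind delete cluster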