Skip to content

chore(deps): update gcr.io/kubebuilder/kube-rbac-proxy docker tag to v0.16.0 #277

chore(deps): update gcr.io/kubebuilder/kube-rbac-proxy docker tag to v0.16.0

chore(deps): update gcr.io/kubebuilder/kube-rbac-proxy docker tag to v0.16.0 #277

Workflow file for this run

name: Tests
on:
pull_request:
paths:
- 'charts/**'
push:
branches:
- main
paths:
- 'charts/**'
workflow_dispatch:
jobs:
test:
name: Test Helm charts
runs-on: ubuntu-22.04
environment: Production
steps:
- name: Checkout repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Set up Helm
uses: Azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
with:
version: 'v3.13.1'
- name: Login to Azure - CI Subscription
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve secrets
id: retrieve-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "helm-sm-operator-ci-test-access-token"
- name: Set up lynx
run: sudo apt install lynx
- name: Set up Python
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: '3.12'
check-latest: true
- name: Set up chart-testing
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
- name: Run chart-testing (list-changed)
id: list-changed
run: |
CHANGED=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
if [[ -n "$CHANGED" ]]; then
echo "changed=true" >> $GITHUB_OUTPUT
echo "changed-list=$CHANGED" >> $GITHUB_OUTPUT
fi
- name: Create kind cluster
if: steps.list-changed.outputs.changed == 'true'
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
with:
config: .github/workflows/config/cluster.yaml
- name: Set up cluster
if: steps.list-changed.outputs.changed == 'true'
run: |
installation_id=$(uuidgen)
echo $installation_id
installation_key=$(openssl rand -base64 12)
sa_password=$(openssl rand -base64 12)
cert_pass=$(openssl rand -base64 12)
#TLS setup
echo "Creating root CA cert"
openssl req -x509 -sha256 -days 1 -newkey rsa:2048 -keyout rootCA.key -out rootCA.crt -subj "/CN=Bitwarden Ingress" --passout pass:$cert_pass
echo "Generating TLS key"
openssl genrsa -out bitwarden.localhost.key 2048
echo "Generating TLS cert"
openssl req -key bitwarden.localhost.key -new -out bitwarden.localhost.csr --passin pass:$cert_pass -subj "/CN=bitwarden.localhost"
echo "Signing TLS cert"
cat > bitwarden.localhost.ext << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = bitwarden.localhost
EOF
openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in bitwarden.localhost.csr -out bitwarden.localhost.crt -days 1 -CAcreateserial -extfile bitwarden.localhost.ext --passin pass:$cert_pass
echo "Exporting TLS certs to PEM"
openssl x509 -in bitwarden.localhost.crt -out bitwarden.localhost.pem --passin pass:$cert_pass
openssl x509 -in rootCA.crt -out rootCA.pem --passin pass:$cert_pass
#Ingress
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission
sudo echo "127.0.0.1 bitwarden.localhost" | sudo tee -a /etc/hosts
#Namespace
kubectl create ns bitwarden
kubectl config set-context --current --namespace=bitwarden
#Secrets
kubectl create secret generic custom-secret \
--from-literal=globalSettings__installation__id=$installation_id \
--from-literal=globalSettings__installation__key=$installation_key \
--from-literal=globalSettings__mail__smtp__username="REPLACE" \
--from-literal=globalSettings__mail__smtp__password="REPLACE" \
--from-literal=globalSettings__yubico__clientId="REPLACE" \
--from-literal=globalSettings__yubico__key="REPLACE" \
--from-literal=SA_PASSWORD=$sa_password
kubectl create secret tls tls-secret --cert=bitwarden.localhost.pem --key=bitwarden.localhost.key
- name: Run chart-testing (install)
if: steps.list-changed.outputs.changed == 'true'
run: ct install --target-branch ${{ github.event.repository.default_branch }} --skip-clean-up --namespace bitwarden
- name: Test install (self-host)
if: steps.list-changed.outputs.changed == 'true' && contains(steps.list-changed.outputs.changed-list,'self-host')
run: |
#For review purposes
echo "*****DEPLOYMENTS*****"
kubectl get deployments
echo "*****PODS*****"
kubectl get pods
echo "*****SERVICES*****"
kubectl get svc
echo "*****JOBS*****"
kubectl get jobs
echo "*****INGRESS*****"
kubectl describe ingress
echo "*****HOME*****"
home=$(curl -Ls https://bitwarden.localhost -w httpcode=%{http_code} --cacert rootCA.pem)
echo $home | lynx -stdin -dump -width=100
httpCode=$(echo "${home}" | grep -Po 'httpcode=\K(\d\d\d)')
bodyCheck=$(echo "${home}" | grep -Po 'Bitwarden Web Vault')
if [[ ${httpCode} -ne 200 ]]; then
echo "::error::ERROR: Home page failed to load. HTTP code was $httpCode"
exit 1
fi
if [[ "$bodyCheck" != "Bitwarden Web Vault" ]]; then
echo "::error::ERROR: Home page failed to load. Please check body output above."
exit 1
fi
echo "Home OK."
echo "*****API/CONFIG*****"
config=$(curl -Ls https://bitwarden.localhost/api/config -w httpcode=%{http_code} --cacert rootCA.pem)
echo $config | lynx -stdin -dump -width=100
httpCode=$(echo "${config}" | grep -Po 'httpcode=\K(\d\d\d)')
bodyCheck=$(echo "${config}" | grep -Po '\"vault\":\"https://bitwarden\.localhost\"')
if [[ ${httpCode} -ne 200 ]]; then
echo "::error::ERROR: Home page failed to load. HTTP code was $httpCode"
exit 1
fi
if [[ "$bodyCheck" != '"vault":"https://bitwarden.localhost"' ]]; then
echo "::error::ERROR: API/Config page failed to load. Please check body output above."
exit 1
fi
echo "API/Config OK."
echo "*****ADMIN*****"
admin=$(curl -Ls https://bitwarden.localhost/admin -w httpcode=%{http_code} --cacert rootCA.pem)
echo $admin | lynx -stdin -dump -width=100
httpCode=$(echo "${admin}" | grep -Po 'httpcode=\K(\d\d\d)')
bodyCheck=$(echo "${admin}" | grep -Po "We'll email you a secure login link")
if [[ ${httpCode} -ne 200 ]]; then
echo "::error::ERROR: Home page failed to load. HTTP code was $httpCode"
exit 1
fi
if [[ "$bodyCheck" != "We'll email you a secure login link" ]]; then
echo "::error::ERROR: Admin page failed to load. Please check body output above."
exit 1
fi
echo "Admin OK."
- name: Test install (sm-operator)
if: steps.list-changed.outputs.changed == 'true' && contains(steps.list-changed.outputs.changed-list,'sm-operator')
run: |
#For review purposes
echo "*****DEPLOYMENTS*****"
kubectl get deployments
echo "*****PODS*****"
pods=$(kubectl get pods -l app.kubernetes.io/name=sm-operator | grep 2/2)
echo $pods
if [[ -z "$pods" ]]; then
echo "::error::No pods found."
exit 1
fi
echo "*****CREATING AUTH SECRET*****"
kubectl create secret generic bw-auth-token -n bitwarden --from-literal=token="$AUTH_TOKEN"
echo "*****CREATING BW SECRET*****"
kubectl apply -f .github/workflows/config/sample-bw-secret.yaml
# Sleeping while BitwardenSecret is being created and synced
sleep 2s
echo "*****LOGS*****"
logs=$(kubectl logs -l app.kubernetes.io/name=sm-operator -c manager)
echo "$logs"
completed=$(echo "$logs"| grep "Completed sync for bitwarden/bitwardensecret-sample")
if [[ -z "$completed" ]]; then
echo "::error::Secret did not sync."
exit 1
fi
# Sleeping to ensure everything completes
sleep 2s
echo "*****RESULTING SECRETS*****"
secrets=$(kubectl get secrets)
echo "$secrets"
secretCreated=$(echo "$secrets" | grep -Po "bw-sample-secret\s+Opaque\s+3")
if [[ -z "$secretCreated" ]]; then
echo "::error::Secret not created correctly."
exit 1
fi
echo "*****OPERATOR OK*****"
env:
AUTH_TOKEN: ${{ steps.retrieve-secrets.outputs.helm-sm-operator-ci-test-access-token }}
- name: Clean-up
if: steps.list-changed.outputs.changed == 'true'
run: |
helm ls --all --short | xargs -L1 helm delete
kubectl delete ns bitwarden
kind delete cluster