-
Notifications
You must be signed in to change notification settings - Fork 1.6k
205 lines (188 loc) · 6.89 KB
/
call-test-images.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
---
name: Reusable workflow to test container images
on:
workflow_call:
inputs:
registry:
description: The registry to pull the images to test from.
type: string
required: true
username:
description: The username for authentication with the registry.
type: string
required: true
image:
description: The name of the image to pull from the registry for testing.
type: string
required: true
image-tag:
description: The tag of the image to pull from the registry for testing.
type: string
required: true
environment:
description: The Github environment to run this workflow on.
type: string
required: false
ref:
description: The commit, tag or branch to checkout for testing scripts.
type: string
default: master
required: false
secrets:
token:
description: The Github token or similar to authenticate with for the registry.
required: true
cosign_key:
description: The optional Cosign key to use for verifying the images.
required: false
jobs:
call-test-images-cosign-verify:
name: Cosign verification of container image
environment: ${{ inputs.environment }}
runs-on: ubuntu-latest
steps:
- name: Install cosign
uses: sigstore/cosign-installer@v2
- name: Log in to the Container registry
uses: docker/login-action@v2
with:
registry: ${{ inputs.registry }}
username: ${{ inputs.username }}
password: ${{ secrets.token }}
# There is currently no way to verify a local image, e.g. for a particular architecture
# https://github.com/sigstore/cosign/issues/60
- name: Verify image with a key
# Only key-based verification currently
if: ${{ env.COSIGN_PUBLIC_KEY }}
run: |
echo -e "${COSIGN_PUBLIC_KEY}" > /tmp/my_cosign.pub
cosign verify --key /tmp/my_cosign.pub "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG"
rm -f /tmp/my_cosign.key
shell: bash
env:
COSIGN_PUBLIC_KEY: ${{ secrets.cosign_key }}
REGISTRY: ${{ inputs.registry }}
IMAGE_NAME: ${{ inputs.image }}
IMAGE_TAG: ${{ inputs.image-tag }}
call-test-images-container-architecture:
name: ${{ matrix.arch }} image architecture verification
runs-on: ubuntu-latest
environment: ${{ inputs.environment }}
# Test as much as we can
continue-on-error: true
strategy:
fail-fast: false
matrix:
arch: [ linux/amd64, linux/arm64, linux/arm/v7 ]
include:
# Rather than extract the specific central arch we just provide it
- arch: linux/amd64
expected: amd64
- arch: linux/arm64
expected: arm64
- arch: linux/arm/v7
expected: arm
steps:
- name: Log in to the Container registry
uses: docker/login-action@v2
with:
registry: ${{ inputs.registry }}
username: ${{ inputs.username }}
password: ${{ secrets.token }}
- name: Pull and extract architecture of image
id: extract_arch
run: |
docker pull --platform=${{ matrix.arch }} "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG"
ACTUAL_ARCH=$(docker image inspect --format '{{.Architecture}}' "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG")
echo "ACTUAL_ARCH=$ACTUAL_ARCH" >> $GITHUB_OUTPUT
docker image inspect "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG"
shell: bash
env:
REGISTRY: ${{ inputs.registry }}
IMAGE_NAME: ${{ inputs.image }}
IMAGE_TAG: ${{ inputs.image-tag }}
- name: Validate architecture of image
run: |
if [[ "$ACTUAL_ARCH" != "$EXPECTED_ARCH" ]]; then
echo "Invalid architecture for $REGISTRY/$IMAGE_NAME: $ACTUAL_ARCH != $EXPECTED_ARCH"
exit 1
fi
env:
EXPECTED_ARCH: ${{ matrix.expected }}
ACTUAL_ARCH: ${{ steps.extract_arch.outputs.ACTUAL_ARCH }}
shell: bash
call-test-images-container-smoke:
# Ensure each architecture container runs up correctly with default configuration.
name: ${{ matrix.arch }} smoke test for local container images
runs-on: ubuntu-latest
environment: ${{ inputs.environment }}
# No point running if the architecture is incorrect
needs: [ call-test-images-container-architecture ]
continue-on-error: true
strategy:
fail-fast: false # verify all
matrix:
arch: [ linux/amd64, linux/arm64, linux/arm/v7 ]
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{ inputs.ref }}
- name: Log in to the Container registry
uses: docker/login-action@v2
with:
registry: ${{ inputs.registry }}
username: ${{ inputs.username }}
password: ${{ secrets.token }}
- name: Set up QEMU using standard action
if: ${{ matrix.arch != 'linux/arm64' }}
uses: docker/setup-qemu-action@v2
# Without this QEMU fails for ARM64
- name: Set up binary emulation for QEMU
if: ${{ matrix.arch == 'linux/arm64' }}
run: |
docker run --privileged --rm tonistiigi/binfmt --install all
- name: Verify platform is supported with Alpine container
# We make sure there is not an inherent issue with this architecture on this runner
run: |
docker run --rm --platform=${{ matrix.arch }} alpine uname -a
- name: Test the HTTP server is responding
timeout-minutes: 10
run: |
packaging/testing/smoke/container/container-smoke-test.sh
shell: bash
env:
CONTAINER_NAME: local-smoke-${{ matrix.arch }}
CONTAINER_ARCH: ${{ matrix.arch }}
REGISTRY: ${{ inputs.registry }}
IMAGE_NAME: ${{ inputs.image }}
IMAGE_TAG: ${{ inputs.image-tag }}
call-test-images-k8s-smoke:
# No need to test every architecture here, that is covered by local container tests.
# Testing helm chart deployment on KIND here.
name: Helm chart test on KIND
environment: ${{ inputs.environment }}
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{ inputs.ref }}
- name: Create k8s Kind Cluster
uses: helm/[email protected]
- name: Set up Helm
uses: azure/[email protected]
with:
version: v3.6.3
- name: Set up Kubectl
uses: azure/[email protected]
- name: Test the HTTP server is responding
timeout-minutes: 5
run: |
packaging/testing/smoke/k8s/k8s-smoke-test.sh
shell: bash
env:
NAMESPACE: default
REGISTRY: ${{ inputs.registry }}
IMAGE_NAME: ${{ inputs.image }}
IMAGE_TAG: ${{ inputs.image-tag }}