Add strict TLS mode support #3663
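# Run E2E tests for Fleet standalone
name: E2E Fleet

on:
  # Manual runs may opt into an interactive tmate debug session.
  workflow_dispatch:
    inputs:
      enable_tmate:
        description: 'Enable debugging via tmate'
        required: false
        default: "false"
  pull_request:
  push:
    branches:
      - 'release/*'

# Least privilege for the automatically provisioned GITHUB_TOKEN: no step in
# this workflow passes the token to a script, and actions/checkout only needs
# read access to repository contents. Widen per job only if a step is shown
# to need more.
permissions:
  contents: read

env:
  GOARCH: amd64
  # Quoted so the value is unambiguously the string "0" in the environment.
  CGO_ENABLED: "0"
  SETUP_K3D_VERSION: 'v5.5.1'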
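jobs:
  # Builds Fleet, provisions a single k3d cluster per k3s version and runs the
  # end-to-end suites against it.
  e2e-fleet-test:
    runs-on: ubuntu-latest

    strategy:
      # Let the other k3s version finish even if one matrix leg fails.
      fail-fast: false
      matrix:
        k3s_version:
          # k3d version list k3s | sed 's/+/-/' | sort -h
          # https://hub.docker.com/r/rancher/k3s/tags
          - v1.29.0-k3s1
          - v1.24.17-k3s1

    steps:
      -
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      -
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
          check-latest: true
      -
        name: Install Ginkgo CLI
        run: go install github.com/onsi/ginkgo/v2/ginkgo
      -
        name: Build Fleet Binaries
        run: |
          ./.github/scripts/build-fleet-binaries.sh

          cd e2e/testenv/infra
          go build
      -
        name: Build Docker Images
        run: |
          ./.github/scripts/build-fleet-images.sh

          cd e2e/assets/gitrepo
          # Buildkit needed here for proper here-document support
          # The build arg carries only a hash of the throwaway test password.
          # Build args are recorded in image metadata, so a real secret must
          # never be passed this way.
          DOCKER_BUILDKIT=1 docker build -f Dockerfile.gitserver -t nginx-git:test --build-arg="passwd=$(openssl passwd foo)" .
      -
        name: Provision k3d Cluster
        # NOTE(review): third-party action referenced by a mutable tag. Pin it
        # to a full commit SHA so a retagged release cannot change what runs
        # in a job that later handles repository secrets.
        uses: AbsaOSS/k3d-action@v2
        # k3d will automatically create a network named k3d-test-cluster-1 with the range 172.18.0.0/16
        with:
          k3d-version: ${{ env.SETUP_K3D_VERSION }}
          cluster-name: "upstream"
          args: >-
            --agents 1
            --network "nw01"
            --image docker.io/rancher/k3s:${{matrix.k3s_version}}
      -
        name: Import Images Into k3d
        run: |
          ./.github/scripts/k3d-import-retry.sh rancher/fleet:dev rancher/fleet-agent:dev nginx-git:test -c upstream
      -
        name: Set Up Tmate Debug Session
        # Only reachable from a manual run that explicitly asked for it.
        if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.enable_tmate == 'true' }}
        # NOTE(review): third-party action referenced by a mutable tag; pin it
        # to a full commit SHA, since it opens a remote shell on the runner.
        uses: mxschmitt/action-tmate@v3
        timeout-minutes: 15
        with:
          # Restrict the session to the SSH keys of the user who triggered
          # the run.
          limit-access-to-actor: true
      -
        name: Deploy Fleet
        run: |
          SHARDS="shard1,shard2,shard3" ./.github/scripts/deploy-fleet.sh
      -
        name: Create Zot certificates for OCI tests
        env:
          FLEET_E2E_NS: fleet-local
        run: |
          # Generate cert and key for TLS
          ./.github/scripts/create-zot-certs.sh "FleetCI-RootCA"
      -
        name: E2E Tests
        env:
          FLEET_E2E_NS: fleet-local
          # Git and OCI credentials are here used in a local, ephemeral environment. Leaks would be harmless.
          GIT_HTTP_USER: "fleet-ci"
          GIT_HTTP_PASSWORD: "foo"
          CI_OCI_USERNAME: "fleet-ci"
          CI_OCI_PASSWORD: "foo"
          HELM_PATH: /usr/local/bin/helm
        run: |
          # Directory written by the certificate step above; the OCI tests
          # read the CI root CA from here.
          export CI_OCI_CERTS_DIR="$(git rev-parse --show-toplevel)/FleetCI-RootCA"

          # 1. Run test cases not needing infra
          ginkgo --github-output --label-filter='!infra-setup' e2e/single-cluster e2e/keep-resources e2e/drift

          # 2. Run tests for metrics
          ginkgo --github-output e2e/metrics
          SHARD=shard1 ginkgo --github-output e2e/metrics

          # 3. Run tests requiring only the git server
          e2e/testenv/infra/infra setup --git-server=true
          ginkgo --github-output --label-filter='infra-setup && !helm-registry && !oci-registry' e2e/single-cluster/

          # 4. Run tests requiring a Helm registry
          e2e/testenv/infra/infra setup --helm-registry=true
          ginkgo --github-output --label-filter='helm-registry' e2e/single-cluster

          e2e/testenv/infra/infra teardown --helm-registry=true

          # 5. Run tests requiring an OCI registry
          e2e/testenv/infra/infra setup --oci-registry=true
          ginkgo --github-output --label-filter='oci-registry' e2e/single-cluster

          # 6. Tear down all infra
          e2e/testenv/infra/infra teardown
      -
        name: Acceptance Tests for Examples
        # NOTE(review): the `on:` section of this workflow declares no
        # `schedule` trigger, so as written this condition is never true and
        # the step is skipped on every run. Confirm whether a schedule trigger
        # is intended.
        if: >
          github.event_name == 'schedule'
        env:
          FLEET_E2E_NS: fleet-local
        run: |
          ginkgo --github-output e2e/acceptance/single-cluster-examples
      -
        name: Fleet Tests Requiring Github Secrets
        # These tests can't run for PRs, because PRs don't have access to the secrets
        if: >
          github.event_name != 'pull_request' &&
          github.repository == 'rancher/fleet'
        env:
          FLEET_E2E_NS: fleet-local
          GIT_REPO_URL: "git@github.com:fleetrepoci/test.git"
          GIT_REPO_HOST: "github.com"
          GIT_REPO_USER: "git"
          GIT_REPO_BRANCH: ${{ matrix.k3s_version }}
          CI_OCI_USERNAME: ${{ secrets.CI_OCI_USERNAME }}
          CI_OCI_PASSWORD: ${{ secrets.CI_OCI_PASSWORD }}
          # Key material is handed to the script through the environment
          # instead of being expanded into the script text, so the shell
          # never parses the secret's contents as code.
          CI_SSH_KEY: ${{ secrets.CI_SSH_KEY }}
          CI_SSH_PUBKEY: ${{ secrets.CI_SSH_PUBKEY }}
        run: |
          export GIT_SSH_KEY="$GITHUB_WORKSPACE/id_ecdsa"
          export GIT_SSH_PUBKEY="$GITHUB_WORKSPACE/id_ecdsa.pub"

          # Create the private key owner-readable only. The umask is scoped to
          # a subshell so files created by the tests keep the default mode.
          ( umask 077; printf '%s\n' "$CI_SSH_KEY" > "$GIT_SSH_KEY" )
          printf '%s\n' "$CI_SSH_PUBKEY" > "$GIT_SSH_PUBKEY"
          # The tests read the key files, so drop the raw values from the
          # environment before starting them.
          unset CI_SSH_KEY CI_SSH_PUBKEY

          ginkgo --github-output e2e/require-secrets
      -
        name: Dump Failed Environment
        if: failure()
        run: |
          mkdir -p tmp
          ./.github/scripts/dump-failed-k3ds.sh
      -
        name: Upload Logs
        uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: gha-fleet-e2e-logs-${{ github.sha }}-${{ matrix.k3s_version }}-${{ github.run_id }}
          # Only files under tmp/ are uploaded. The SSH key files written to
          # $GITHUB_WORKSPACE by the secrets step are outside these globs.
          # NOTE(review): confirm dump-failed-k3ds.sh does not write
          # credentials into tmp/.
          path: |
            tmp/*.json
            tmp/*.log
          retention-days: 2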