[v0.8] Add strict TLS mode #4155
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: E2E Multi-Cluster Fleet | |
on: | |
schedule: | |
# Run everyday day at 9:00 AM | |
- cron: '0 9 * * *' | |
workflow_dispatch: | |
inputs: | |
enable_tmate: | |
description: 'Enable debugging via tmate' | |
required: false | |
default: "false" | |
pull_request: | |
push: | |
branches: | |
- 'release/*' | |
env: | |
GOARCH: amd64 | |
CGO_ENABLED: 0 | |
SETUP_K3D_VERSION: 'v5.5.1' | |
jobs: | |
e2e-fleet-mc-test: | |
runs-on: ubuntu-latest | |
steps: | |
- | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: 'go.mod' | |
check-latest: true | |
- | |
name: Install Ginkgo CLI | |
run: go install github.com/onsi/ginkgo/v2/ginkgo | |
- | |
name: Build Fleet Binaries | |
run: | | |
go build -o bin/fleetcontroller-linux-$GOARCH ./cmd/fleetcontroller | |
go build -o "bin/fleet-linux-$GOARCH" ./cmd/fleetcli | |
go build -o "bin/fleetagent-linux-$GOARCH" ./cmd/fleetagent | |
- | |
name: Build Docker Images | |
run: | | |
docker build -f package/Dockerfile -t rancher/fleet:dev --build-arg="ARCH=$GOARCH" . | |
docker build -f package/Dockerfile.agent -t rancher/fleet-agent:dev --build-arg="ARCH=$GOARCH" . | |
- | |
name: Provision k3d Cluster | |
uses: AbsaOSS/k3d-action@v2 | |
with: | |
k3d-version: ${{ env.SETUP_K3D_VERSION }} | |
cluster-name: "upstream" | |
args: >- | |
-p "80:80@agent:0:direct" | |
-p "443:443@agent:0:direct" | |
--api-port 6443 | |
--agents 1 | |
--network "nw01" | |
- | |
name: Provision k3d Downstream Cluster for agent-initiated registration | |
uses: AbsaOSS/k3d-action@v2 | |
with: | |
k3d-version: ${{ env.SETUP_K3D_VERSION }} | |
cluster-name: "downstream" | |
args: >- | |
-p "81:80@agent:0:direct" | |
-p "444:443@agent:0:direct" | |
--api-port 6644 | |
--agents 1 | |
--network "nw01" | |
- | |
name: Provision k3d Downstream Cluster for manager-initiated registration | |
uses: AbsaOSS/k3d-action@v2 | |
with: | |
k3d-version: ${{ env.SETUP_K3D_VERSION }} | |
cluster-name: "managed-downstream" | |
args: >- | |
-p "82:80@agent:0:direct" | |
-p "445:443@agent:0:direct" | |
--api-port 6645 | |
--agents 1 | |
--network "nw01" | |
- | |
name: Import Images Into k3d | |
run: | | |
./.github/scripts/k3d-import-retry.sh rancher/fleet:dev rancher/fleet-agent:dev -c upstream | |
./.github/scripts/k3d-import-retry.sh rancher/fleet-agent:dev -c downstream | |
./.github/scripts/k3d-import-retry.sh rancher/fleet-agent:dev -c managed-downstream | |
- | |
name: Set Up Tmate Debug Session | |
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.enable_tmate == 'true' }} | |
uses: mxschmitt/action-tmate@v3 | |
timeout-minutes: 15 | |
with: | |
limit-access-to-actor: true | |
- | |
name: Deploy Fleet | |
run: | | |
kubectl config use-context k3d-upstream | |
./.github/scripts/deploy-fleet.sh | |
- | |
name: Deploy and Register Downstream Fleet | |
run: | | |
kubectl create ns fleet-default | |
kubectl apply -f - <<EOF | |
apiVersion: "fleet.cattle.io/v1alpha1" | |
kind: ClusterRegistrationToken | |
metadata: | |
name: second-token | |
namespace: fleet-default | |
spec: | |
ttl: 12h | |
EOF | |
{ grep -q -m 1 "second-token"; kill $!; } < <(kubectl get secrets -n fleet-default -l "fleet.cattle.io/managed=true" -w) | |
token=$(kubectl get secret -n fleet-default second-token -o go-template='{{index .data "values" | base64decode}}' | yq eval .token -) | |
ca=$(kubectl get secret -n cattle-fleet-system fleet-controller-bootstrap-token -o go-template='{{index .data "ca.crt" | base64decode}}') | |
apiServerIP=$(kubectl get node k3d-upstream-server-0 -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}') | |
# agent initiated cluster registration | |
kubectl config use-context k3d-downstream | |
helm -n cattle-fleet-system upgrade --install --create-namespace --wait fleet-agent charts/fleet-agent \ | |
--set-string labels.env=test \ | |
--set apiServerCA="$ca" \ | |
--set apiServerURL="https://$apiServerIP:6443" \ | |
--set clusterNamespace="fleet-default" \ | |
--set token="$token" | |
- | |
name: Deploy and Register Managed Downstream Fleet | |
run: | | |
kubectl config use-context k3d-managed-downstream | |
host=$(kubectl get node k3d-managed-downstream-server-0 -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}') | |
ca=$( kubectl config view --flatten -o jsonpath='{.clusters[?(@.name == "k3d-managed-downstream")].cluster.certificate-authority-data}' ) | |
client_cert=$( kubectl config view --flatten -o jsonpath='{.users[?(@.name == "admin@k3d-managed-downstream")].user.client-certificate-data}' ) | |
token=$( kubectl config view --flatten -o jsonpath='{.users[?(@.name == "admin@k3d-managed-downstream")].user.client-key-data}' ) | |
server="https://$host:6443" | |
kubectl config use-context k3d-upstream | |
value=$(cat <<EOF | |
apiVersion: v1 | |
kind: Config | |
current-context: default | |
clusters: | |
- cluster: | |
certificate-authority-data: $ca | |
server: $server | |
name: cluster | |
contexts: | |
- context: | |
cluster: cluster | |
user: user | |
name: default | |
preferences: {} | |
users: | |
- name: user | |
user: | |
client-certificate-data: $client_cert | |
client-key-data: $token | |
EOF | |
) | |
kubectl create ns fleet-default || true | |
kubectl delete secret -n fleet-default kbcfg-second || true | |
# Rancher sets a token value in the secret, but our docs don't mention it | |
# * https://github.com/rancher/rancher/blob/c24fb8b0869a0b445f55b3307c6ed4582e147747/pkg/provisioningv2/kubeconfig/manager.go#L362 | |
# * https://fleet.rancher.io/0.5/manager-initiated#kubeconfig-secret-1 | |
kubectl create secret generic -n fleet-default kbcfg-second --from-literal=token="$token" --from-literal=value="$value" | |
kubectl apply -n fleet-default -f - <<EOF | |
apiVersion: "fleet.cattle.io/v1alpha1" | |
kind: Cluster | |
metadata: | |
name: second | |
namespace: fleet-default | |
labels: | |
name: second | |
spec: | |
kubeConfigSecret: kbcfg-second | |
EOF | |
- | |
name: E2E tests | |
env: | |
FLEET_E2E_NS: fleet-local | |
FLEET_E2E_NS_DOWNSTREAM: fleet-default | |
run: | | |
kubectl config use-context k3d-upstream | |
ginkgo e2e/multi-cluster | |
- | |
name: E2E tests with managed downstream agent | |
env: | |
FLEET_E2E_NS: fleet-local | |
FLEET_E2E_NS_DOWNSTREAM: fleet-default | |
FLEET_E2E_CLUSTER_DOWNSTREAM: k3d-managed-downstream | |
run: | | |
kubectl config use-context k3d-upstream | |
ginkgo e2e/multi-cluster/installation | |
- | |
name: Acceptance Tests for Examples | |
if: > | |
github.event_name == 'schedule' | |
env: | |
FLEET_E2E_NS: fleet-local | |
FLEET_E2E_NS_DOWNSTREAM: fleet-default | |
run: | | |
ginkgo e2e/acceptance/multi-cluster-examples | |
- | |
name: Dump Failed Environment | |
if: failure() | |
run: | | |
./.github/scripts/dump-failed-k3ds.sh | |
- | |
name: Upload Logs | |
uses: actions/upload-artifact@v4 | |
if: failure() | |
with: | |
name: gha-fleet-mc-e2e-logs-${{ github.sha }}-${{ github.run_id }} | |
path: | | |
tmp/*.json | |
tmp/*.log | |
retention-days: 2 |