Security via operator, OIDC trusted certificates #5081
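# Build workflow: builds the UI, API, operator, bundle and catalog images
# against a job-local registry, runs the Maven verification, and archives
# the resulting artifacts for downstream (Sonar / Playwright) workflows.
#
# NOTE(review): no top-level or job-level `permissions:` block is declared,
# so GITHUB_TOKEN receives the repository's default scopes; a job-level
# `permissions: { contents: read }` would be least privilege — confirm the
# Sonar step in "Test Projects and Build API and Operator Images" does not
# need more before adding it.
# NOTE(review): actions are pinned to major-version tags (@v3, @v4, @v6);
# pinning to full commit SHAs gives stronger supply-chain guarantees.
name: Build
on:
  push:
    branches:
      - 'main'
      - '[0-9]+.[0-9]+.x'
  pull_request:
    branches:
      - 'main'
      - '[0-9]+.[0-9]+.x'
    types: [opened, reopened, synchronize]

jobs:
  build-images:
    runs-on: ubuntu-24.04
    services:
      # Job-local registry; every image built below is pushed to
      # localhost:5000 and read back by skopeo at the end of the job.
      registry:
        image: registry:2
        ports:
          # Quoted so no YAML 1.1 parser can misread the mapping as a number.
          - "5000:5000"
    env:
      PLATFORMS: linux/amd64,linux/arm64,linux/ppc64le
    steps:
      # ==================== Setup ====================
      - name: Checkout
        uses: actions/checkout@v4
      # PROJECT_VERSION is exported once here and read as a plain shell
      # variable by the later `run:` steps (instead of being re-interpolated
      # with `${{ env.PROJECT_VERSION }}`), so the value is never spliced into
      # a script before the shell sees it. `with:` inputs still need the
      # expression form.
      - name: Set Image Tag Env
        run: echo "PROJECT_VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV"
      - name: Operator Version Check
        run: ./operator/bin/version-check.sh "$PROJECT_VERSION"
      - name: Set Up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: '17'
          # NOTE(review): 'adopt' is a legacy distribution alias in setup-java;
          # 'temurin' is its successor — confirm before switching.
          distribution: 'adopt'
      - name: Cache Maven Packages
        uses: actions/cache@v4
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-
      - name: Set Up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set Up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          # Host networking lets buildx reach the localhost:5000 service.
          driver-opts: network=host
      # ==================== UI ====================
      - name: Build UI Project
        working-directory: ui
        # The exported values are placeholders (example URLs and a
        # non-secret NEXTAUTH_SECRET) for the `npm run build` step.
        run: |
          npm ci --omit=dev
          export BACKEND_URL=http://example
          export CONSOLE_METRICS_PROMETHEUS_URL=http://example
          export NEXTAUTH_SECRET=examplesecret
          export LOG_LEVEL=info
          export CONSOLE_MODE=read-only
          npm run build
      - name: Build UI Image
        uses: docker/build-push-action@v6
        with:
          context: ui/
          platforms: ${{ env.PLATFORMS }}
          provenance: false
          push: true
          tags: |
            localhost:5000/streamshub/console-ui:${{ env.PROJECT_VERSION }}
      # ==================== API & Operator ====================
      - name: Test Projects and Build API and Operator Images
        # Repository secrets are not passed to pull_request runs from forks,
        # so the SONAR_* values may be empty there (GITHUB_TOKEN is still set).
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_ORG: ${{ secrets.SONAR_ORG }}
          SONAR_PROJECT: ${{ secrets.SONAR_PROJECT }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: |
          #
          # Set write-transformed-bytecode-to-build-output for IT coverage. Do NOT use the container image
          # created by this step.
          #
          # See: https://quarkus.io/guides/tests-with-coverage#coverage-for-integration-tests
          #
          export QUARKUS_CONTAINER_IMAGE_REGISTRY="localhost:5000"
          export QUARKUS_CONTAINER_IMAGE_PUSH=true
          export QUARKUS_CONTAINER_IMAGE_TAG="${PROJECT_VERSION}"
          export QUARKUS_KUBERNETES_VERSION="${PROJECT_VERSION}"
          # The namespace value is single-quoted so the shell passes '$${NAMESPACE}'
          # through literally; presumably resolved by a later step — confirm.
          mvn verify -P container-image -B --no-transfer-progress \
            -Dquarkus.kubernetes.namespace='$${NAMESPACE}' \
            -Dquarkus.package.write-transformed-bytecode-to-build-output=true \
            -Dquarkus.docker.buildx.platform="${PLATFORMS}"
      # ==================== Operator-Bundle ====================
      - name: Modify Bundle CSV Metadata
        run: ./operator/bin/modify-bundle-metadata.sh "VERSION=${PROJECT_VERSION}"
      - name: Build Operator Bundle Image
        uses: docker/build-push-action@v6
        with:
          context: operator/target/bundle/streamshub-console-operator/
          platforms: ${{ env.PLATFORMS }}
          provenance: false
          push: true
          file: operator/target/bundle/streamshub-console-operator/bundle.Dockerfile
          tags: |
            localhost:5000/streamshub/console-operator-bundle:${{ env.PROJECT_VERSION }}
      # ==================== Operator-Catalog ====================
      - name: Generate Operator Catalog Config
        # NOTE(review): opm is fetched over HTTPS from a pinned release tag but
        # is not checksum- or signature-verified before being installed into
        # /usr/bin. Verifying against a pinned digest, e.g.
        # `echo "<OPM_SHA256>  opm" | sha256sum -c` with the digest taken from
        # the v1.43.1 release, would close that gap.
        run: |
          # -f makes curl fail on an HTTP error instead of saving the error
          # page as the binary and failing obscurely at chmod/exec time.
          curl -fL -o opm https://github.com/operator-framework/operator-registry/releases/download/v1.43.1/linux-amd64-opm
          chmod +x opm
          sudo cp -v opm /usr/bin/
          rm -vf opm
          operator/bin/generate-catalog.sh localhost:5000/streamshub/console-operator-bundle true
      - name: Build Operator Catalog Image
        uses: docker/build-push-action@v6
        with:
          context: operator/
          platforms: ${{ env.PLATFORMS }}
          # The catalog image is built with no network access.
          network: none
          provenance: false
          push: true
          file: operator/src/main/docker/catalog.Dockerfile
          tags: |
            localhost:5000/streamshub/console-operator-catalog:${{ env.PROJECT_VERSION }}
      # ==================== Archive artifacts ====================
      - name: Archive Operator Kubernetes Resources
        uses: actions/upload-artifact@v4
        with:
          name: k8s-resources
          path: |
            operator/target/bundle/
            operator/target/catalog/
            operator/target/kubernetes/*.yml
      - name: Archive Failed Tests Results
        uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: artifacts
          path: api/target/failsafe-reports/
      ## Save the context information for use in Sonar analysis
      # NOTE(review): toJson(github) serialises the whole context, which
      # appears to include github.token; log masking does not apply to the
      # file, and target/ is uploaded by "Archive Build Output" below. The
      # token expires with the job, but if the Sonar consumer does not need
      # it, stripping it before writing (e.g. `jq 'del(.token)'`) keeps
      # credentials out of artifacts — confirm against the consumer.
      - name: Save Build Context
        run: |
          mkdir -vp target
          echo "$GITHUB_CONTEXT" > target/build-context.json
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
      ## Attach the target directory for use in Sonar analysis
      - name: Archive Build Output
        uses: actions/upload-artifact@v4
        with:
          name: target
          path: |
            **/target/
            !**/target/**/*.jar
            !**/target/failsafe-reports/**/*
            !**/target/surefire-reports/**/*
      - name: Save [UI, API, Operator, Operator-Bundle, Operator-Catalog] Images To Files
        run: |
          mkdir streamshub-images
          for img in console-ui console-api console-operator console-operator-bundle console-operator-catalog ; do
            # TLS verification is disabled only towards the job-local
            # localhost:5000 registry service.
            skopeo sync --all --scoped --src docker --src-tls-verify=false --dest dir \
              "localhost:5000/streamshub/${img}:${PROJECT_VERSION}" \
              "$(pwd)/streamshub-images"
          done
          tar -czf streamshub-images.tgz -C streamshub-images .
      - name: Archive [UI, API, Operator-Bundle, Operator, Operator-Catalog] Image Files
        uses: actions/upload-artifact@v4
        with:
          name: streamshub-images
          path: streamshub-images.tgz

  test-storybook:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Build Storybook
        working-directory: ./ui
        run: |
          npm ci
          npx playwright install
          npm run build-storybook
      - name: Test Storybook
        working-directory: ./ui
        run: |
          npx --yes concurrently -k -s first -n "SB,TEST" -c "magenta,blue" \
            "npx http-server storybook-static --port 6006 --silent" \
            "npx wait-on tcp:127.0.0.1:6006 && npm run test-storybook"

  # Reusable Playwright workflow; gated on the 'safe to test' PR label or on
  # the repository name, and only after build-images has produced the images.
  # The job id is kept as-is (it may be referenced by required-check settings).
  Playwright:
    if: ${{ contains(github.event.pull_request.labels.*.name, 'safe to test') || github.repository == 'streamshub/console' }}
    uses: ./.github/workflows/playwright-tests.yml
    needs:
      - build-images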