Update Kyverno v1.9.2 -> v1.11.4 #1762
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: CI | |
| on: | |
| pull_request: | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened | |
| push: | |
| branches: | |
| - main | |
| workflow_dispatch: {} | |
| permissions: | |
| contents: read | |
| jobs: | |
| lint: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - uses: mfinelli/setup-shfmt@031e887e39d899d773a7e9b6dd6472c2c23ff50d # v3.0.1 | |
| - name: Lint all | |
| run: make lint | |
| setup: | |
| runs-on: ubuntu-latest | |
| needs: | |
| lint | |
| name: Test FRSCA Installation | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Setup go | |
| uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
| with: | |
| go-version: "~1.19.0" | |
| - name: Vendor Dependencies | |
| run: | | |
| ./platform/vendor/vendor.sh | |
| ./platform/vendor/vendor-helm-all.sh | |
| - name: Check commit is clean | |
| run: test -z "$(git status --porcelain)" || (git status; git diff; false) | |
| - name: Start minikube | |
| run: | | |
| make setup-minikube | |
| - name: Try the cluster ! | |
| run: kubectl get pods -A | |
| - name: Initialize FRSCA | |
| env: | |
| REGISTRY: "registry.registry" | |
| run: | | |
| make setup-frsca | |
| - name: Run buildpacks pipeline | |
| env: | |
| REGISTRY: "registry.registry" | |
| run: | | |
| make registry-proxy >/dev/null & | |
| # wait for PipelineRun to be created | |
| WAIT_CNT=0 | |
| RETRIES=0 | |
| while [ -z $(tkn pr ls -o jsonpath='{.items[?(@.metadata.generateName == "example-buildpacks-")].metadata.name}') ]; do | |
| if [ $WAIT_CNT -eq 0 ]; then | |
| if [ $RETRIES -lt 2 ]; then | |
| RETRIES=$(expr $RETRIES + 1) | |
| make example-buildpacks | |
| else | |
| exit 1 | |
| fi | |
| fi | |
| if [ $WAIT_CNT -gt 15 ]; then | |
| echo "Retrying example-buildpacks-" | |
| WAIT_CNT=0 | |
| else | |
| WAIT_CNT=$(expr $WAIT_CNT + 1) | |
| echo "Waiting for PipelineRun example-buildpacks-" | |
| sleep 1 | |
| fi | |
| done | |
| # tail PipelineRun logs | |
| tkn pr logs --last -f | |
| if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then | |
| tkn pr describe --last | |
| exit 1 | |
| fi | |
| sleep 60 | |
| TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name')) | |
| echo "TASK_RUNS=${TASK_RUNS[@]}" | |
| TASK_RUN="none"; IMAGE_URL="none" | |
| for tr in "${TASK_RUNS[@]}"; do | |
| image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name | match("IMAGE_URL$")) | .value') | |
| if [ -n "${image}" ]; then | |
| TASK_RUN="${tr}" | |
| IMAGE_URL="${image}" | |
| break | |
| fi | |
| done | |
| if [ "${REGISTRY}" = "registry.registry" ]; then | |
| IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')" | |
| fi | |
| echo "TASK_RUN=${TASK_RUN}" | |
| echo "IMAGE_URL=${IMAGE_URL}" | |
| crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')" | |
| tkn tr describe --last -o json | jq -r '.metadata.annotations["chains.tekton.dev/signed"]' | |
| cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" | |
| cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" | |
| kill %?registry-proxy | |
| - name: Run sample pipeline to test kyverno | |
| env: | |
| REGISTRY: "registry.registry" | |
| run: | | |
| make registry-proxy >/dev/null & | |
| # wait for PipelineRun to be created | |
| WAIT_CNT=0 | |
| RETRIES=0 | |
| while [ -z $(tkn pr ls -o jsonpath='{.items[?(@.metadata.generateName == "example-sample-pipeline-")].metadata.name}') ]; do | |
| if [ $WAIT_CNT -eq 0 ]; then | |
| if [ $RETRIES -lt 2 ]; then | |
| RETRIES=$(expr $RETRIES + 1) | |
| make example-sample-pipeline | |
| else | |
| exit 1 | |
| fi | |
| fi | |
| if [ $WAIT_CNT -gt 15 ]; then | |
| echo "Retrying example-sample-pipeline-" | |
| WAIT_CNT=0 | |
| else | |
| WAIT_CNT=$(expr $WAIT_CNT + 1) | |
| echo "Waiting for PipelineRun example-sample-pipeline-" | |
| sleep 1 | |
| fi | |
| done | |
| # tail PipelineRun logs | |
| tkn pr logs --last -f | |
| if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then | |
| tkn pr describe --last | |
| exit 1 | |
| fi | |
| sleep 60 | |
| TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name')) | |
| echo "TASK_RUNS=${TASK_RUNS[@]}" | |
| TASK_RUN="none"; IMAGE_URL="none" | |
| for tr in "${TASK_RUNS[@]}"; do | |
| image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value') | |
| if [ -n "${image}" ]; then | |
| TASK_RUN="${tr}" | |
| IMAGE_URL="${image}" | |
| break | |
| fi | |
| done | |
| if [ "${REGISTRY}" = "registry.registry" ]; then | |
| IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')" | |
| fi | |
| echo "TASK_RUN=${TASK_RUN}" | |
| echo "IMAGE_URL=${IMAGE_URL}" | |
| crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')" | |
| cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" | |
| cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" | |
| kubectl wait --timeout=5m --for=condition=ready pods -l app=picalc -n prod | |
| kill %?registry-proxy |