name: CI on: pull_request: branches: - "*" push: branches: - main workflow_dispatch: inputs: run_e2e: description: 'Force e2e to run' required: true type: boolean permissions: contents: read jobs: changes: permissions: contents: read # for dorny/paths-filter to fetch a list of changed files pull-requests: read # for dorny/paths-filter to read pull requests runs-on: ubuntu-latest outputs: go: ${{ steps.filter.outputs.go }} charts: ${{ steps.filter.outputs.charts }} steps: - name: Checkout uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2 id: filter with: token: ${{ secrets.GITHUB_TOKEN }} filters: | go: - '**/*.go' - 'go.mod' - 'go.sum' - 'rootfs/**/*' - 'TAG' - 'test/e2e/**/*' - 'NGINX_BASE' charts: - 'charts/ingress-nginx/Chart.yaml' - 'charts/ingress-nginx/**/*' - 'NGINX_BASE' security: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 - name: Run Gosec Security Scanner uses: securego/gosec@1af1d5bb49259b62e45c505db397dd2ada5d74f8 # master with: # G601 for zz_generated.deepcopy.go # G306 TODO: Expect WriteFile permissions to be 0600 or less # G307 TODO: Deferring unsafe method "Close" args: -exclude=G109,G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/ -exclude-dir=docs/ ./... build: name: Build runs-on: ubuntu-latest needs: changes steps: - name: Checkout uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 - name: Set up Go 1.19.2 id: go uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # v3.2.0 with: go-version: '1.19.2' - name: Set up QEMU uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 #v2.0.0 - name: Set up Docker Buildx id: buildx uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.0.0 with: version: latest - name: Available platforms run: echo ${{ steps.buildx.outputs.platforms }} - name: Prepare Host run: | sudo apt-get -qq update || true sudo apt-get install -y pigz curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.17.0/bin/linux/amd64/kubectl chmod +x ./kubectl sudo mv ./kubectl /usr/local/bin/kubectl - name: Build images env: TAG: 1.0.0-dev ARCH: amd64 REGISTRY: ingress-controller run: | echo "building images..." make clean-image build image image-chroot make -C test/e2e-image image echo "creating images cache..." docker save \ nginx-ingress-controller:e2e \ ingress-controller/controller:1.0.0-dev \ ingress-controller/controller-chroot:1.0.0-dev \ | pigz > docker.tar.gz - name: cache uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 with: name: docker.tar.gz path: docker.tar.gz helm: name: Helm chart runs-on: ubuntu-latest needs: - changes - build if: | (needs.changes.outputs.charts == 'true') || ${{ inputs.run_e2e }} strategy: matrix: k8s: [v1.23.13, v1.24.7, v1.25.3] steps: - name: Checkout uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 - name: Setup Go uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # v3.2.0 with: go-version: '1.19.2' - name: cache uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3 with: name: docker.tar.gz - name: Lint run: | ./build/run-in-docker.sh ./hack/verify-chart-lint.sh - name: Run helm-docs run: | GOBIN=$PWD GO111MODULE=on go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.11.0 ./helm-docs --chart-search-root=${GITHUB_WORKSPACE}/charts DIFF=$(git diff ${GITHUB_WORKSPACE}/charts/ingress-nginx/README.md) if [ ! -z "$DIFF" ]; then echo "Please use helm-docs in your clone, of your fork, of the project, and commit a updated README.md for the chart. https://github.com/kubernetes/ingress-nginx/blob/main/RELEASE.md#d-edit-the-valuesyaml-and-run-helm-docs" fi git diff --exit-code rm -f ./helm-docs - name: Run Artifact Hub lint run: | wget https://github.com/artifacthub/hub/releases/download/v1.5.0/ah_1.5.0_linux_amd64.tar.gz echo 'ad0e44c6ea058ab6b85dbf582e88bad9fdbc64ded0d1dd4edbac65133e5c87da *ah_1.5.0_linux_amd64.tar.gz' | shasum -c tar -xzvf ah_1.5.0_linux_amd64.tar.gz ah ./ah lint -p charts/ingress-nginx || exit 1 rm -f ./ah ./ah_1.5.0_linux_amd64.tar.gz - name: fix permissions run: | sudo mkdir -p $HOME/.kube sudo chmod -R 777 $HOME/.kube - name: Create Kubernetes ${{ matrix.k8s }} cluster id: kind uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 #v0.5.0 with: version: v0.15.0 image: kindest/node:${{ matrix.k8s }} - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v1 with: name: docker.tar.gz failOnError: false - name: Load images from cache run: | echo "loading docker images..." pigz -dc docker.tar.gz | docker load - name: Test env: KIND_CLUSTER_NAME: kind SKIP_CLUSTER_CREATION: true SKIP_IMAGE_CREATION: true run: | kind get kubeconfig > $HOME/.kube/kind-config-kind make kind-e2e-chart-tests kubernetes: name: Kubernetes runs-on: ubuntu-latest needs: - changes - build if: | (needs.changes.outputs.go == 'true') || ${{ inputs.run_e2e }} strategy: matrix: k8s: [v1.23.13, v1.24.7, v1.25.3] steps: - name: Checkout uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 - name: cache uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v2 with: name: docker.tar.gz - name: Create Kubernetes ${{ matrix.k8s }} cluster id: kind uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 #v0.5.0 with: version: v0.15.0 config: test/e2e/kind.yaml image: kindest/node:${{ matrix.k8s }} - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v1 with: name: docker.tar.gz failOnError: false - name: Prepare cluster for testing uses: azure/setup-helm@f382f75448129b3be48f8121b9857be18d815a82 #v2.1 with: version: 'v3.8.0' id: local-path - name: Load images from cache run: | echo "loading docker images..." pigz -dc docker.tar.gz | docker load - name: Run e2e tests env: KIND_CLUSTER_NAME: kind SKIP_CLUSTER_CREATION: true SKIP_IMAGE_CREATION: true run: | kind get kubeconfig > $HOME/.kube/kind-config-kind make kind-e2e-test kubernetes-chroot: name: Kubernetes chroot runs-on: ubuntu-latest needs: - changes - build if: | (needs.changes.outputs.go == 'true') || ${{ inputs.run_e2e }} strategy: matrix: k8s: [v1.23.13, v1.24.7, v1.25.3] steps: - name: Checkout uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 - name: cache uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 with: name: docker.tar.gz - name: Create Kubernetes ${{ matrix.k8s }} cluster id: kind uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 #v0.5.0 with: version: v0.15.0 config: test/e2e/kind.yaml image: kindest/node:${{ matrix.k8s }} - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af with: name: docker.tar.gz failOnError: false - name: Prepare cluster for testing uses: azure/setup-helm@f382f75448129b3be48f8121b9857be18d815a82 #v2.1 with: version: 'v3.8.0' id: local-path - name: Load images from cache run: | echo "loading docker images..." pigz -dc docker.tar.gz | docker load - name: Run e2e tests env: KIND_CLUSTER_NAME: kind SKIP_CLUSTER_CREATION: true SKIP_IMAGE_CREATION: true IS_CHROOT: true run: | kind get kubeconfig > $HOME/.kube/kind-config-kind make kind-e2e-test test-image-build: permissions: contents: read # for dorny/paths-filter to fetch a list of changed files pull-requests: read # for dorny/paths-filter to read pull requests runs-on: ubuntu-latest env: PLATFORMS: linux/amd64,linux/arm64 steps: - name: Checkout uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2 id: filter-images with: token: ${{ secrets.GITHUB_TOKEN }} filters: | custom-error-pages: - 'images/custom-error-pages/**' cfssl: - 'images/cfssl/**' fastcgi-helloserver: - 'images/fastcgi-helloserver/**' echo: - 'images/echo/**' go-grpc-greeter-server: - 'images/go-grpc-greeter-server/**' httpbin: - 'images/httpbin/**' kube-webhook-certgen: - 'images/kube-webhook-certgen/**' ext-auth-example-authsvc: - 'images/ext-auth-example-authsvc/**' - name: custom-error-pages image build if: ${{ steps.filter-images.outputs.custom-error-pages == 'true' }} run: | cd images/custom-error-pages && make build - name: cfssl image build if: ${{ steps.filter-images.outputs.cfssl == 'true' }} run: | cd images/cfssl && make build - name: fastcgi-helloserver if: ${{ steps.filter-images.outputs.fastcgi-helloserver == 'true' }} run: | cd images/fastcgi-helloserver && make build - name: echo image build if: ${{ steps.filter-images.outputs.echo == 'true' }} run: | cd images/echo && make build - name: go-grpc-greeter-server image build if: ${{ steps.filter-images.outputs.go-grpc-greeter-server == 'true' }} run: | cd images/go-grpc-greeter-server && make build - name: httpbin image build if: ${{ steps.filter-images.outputs.httpbin == 'true' }} run: | cd images/httpbin && make build - name: kube-webhook-certgen image build if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} run: | cd images/kube-webhook-certgen && make build - name: ext-auth-example-authsvc if: ${{ steps.filter-images.outputs.ext-auth-example-authsvc == 'true' }} run: | cd images/ext-auth-example-authsvc && make build test-image: permissions: contents: read # for dorny/paths-filter to fetch a list of changed files pull-requests: read # for dorny/paths-filter to read pull requests runs-on: ubuntu-latest env: PLATFORMS: linux/amd64 steps: - name: Checkout uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.0.2 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2 id: filter-images with: token: ${{ secrets.GITHUB_TOKEN }} filters: | kube-webhook-certgen: - 'images/kube-webhook-certgen/**' - name: Create Kubernetes cluster id: kind if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} uses: engineerd/setup-kind@aa272fe2a7309878ffc2a81c56cfe3ef108ae7d0 #v0.5.0 with: version: v0.15.0 image: kindest/node:v1.25.2 - name: Set up Go 1.19.2 id: go if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # v3.2.0 with: go-version: '1.19.2' - name: kube-webhook-certgen image build if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} run: | cd images/kube-webhook-certgen && make test test-e2e