1.15.7 CVE's #876
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: e2e-tests | |
| on: | |
| push: | |
| tags: | |
| - "test-*" | |
| env: | |
| HUB: ${{ secrets.TEST_HUB }} | |
| jobs: | |
| # copied from make_release.yml | |
| build_proxy: | |
| # Only run this job when the release type equals "fips". | |
| if: contains(github.event.ref, 'envoy') | |
| name: build proxy binary | |
| timeout-minutes: 840 | |
| runs-on: ['self-hosted','Linux','x64','c5.4xlarge'] | |
| env: | |
| RELEASE_GCS_PATH: gs://getistio-build/proxy-fips | |
| steps: | |
| - name: Get the tag | |
| id: get_tag | |
| run: echo ::set-output name=TAG::${GITHUB_REF#refs/tags/} | |
| - name: Get normalized tag | |
| id: get_minor_ver | |
| run: echo ::set-output name=NORMALIZED_TAG::$(echo $TAG | sed 's/test-//g' | sed 's/-.*//g') | |
| shell: bash | |
| env: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | |
| - name: Checkout | |
| uses: actions/checkout@v2 | |
| with: | |
| repository: "istio/proxy" | |
| ref: ${{ steps.get_minor_ver.outputs.NORMALIZED_TAG }} | |
| - name: Set up Cloud SDK | |
| uses: google-github-actions/setup-gcloud@v0 | |
| with: | |
| project_id: ${{ secrets.GCP_PROJECT_ID }} | |
| service_account_key: ${{ secrets.GCP_SA_KEY }} | |
| export_default_credentials: true | |
| - name: Check if already built | |
| id: check_already_built | |
| run: | | |
| SHA="574c3dd2c41fb18431eb79ad574042c0b865bc1f" | |
| SHOULD_BUILD=1 | |
| if gsutil ls ${RELEASE_GCS_PATH} | grep "${SHA}[^-]" ; then | |
| SHOULD_BUILD=0 | |
| fi | |
| echo ::set-output name=should_build::${SHOULD_BUILD} | |
| - name: Tweak make recipe | |
| if: ${{ steps.check_already_built.outputs.should_build == '1' }} | |
| # 1) remove unnecessary dependency on naive "build" target | |
| # 2) remove "-p" flag to not push and build container, | |
| # 3) replace RELEASE_GCS_PATH var with the literal due to docker build. | |
| # from push_release. | |
| run: | | |
| ESCAPED_RELEASE_GCS_PATH=$(printf '%s\n' "$RELEASE_GCS_PATH" | sed -e 's/[\/&]/\\&/g') | |
| sed -i "s/\-p//g; s/push_release: build/push_release:/g; s/\"\$(RELEASE_GCS_PATH)\"/${ESCAPED_RELEASE_GCS_PATH}/g" Makefile.core.mk | |
| - name: Tweak release-binary script | |
| if: ${{ steps.check_already_built.outputs.should_build == '1' }} | |
| # 1) Setup in-docker auth against gcloud | |
| # 2) Remove unnecessary debug build | |
| # 3) Remove unnecessary Wasm build and publish | |
| # Note that /work is the mount destination of the current home of make command with BUILD_WITH_CONTAINER=1. | |
| run: | | |
| CREDENTIAL_FILE_NAME=$(echo ${GOOGLE_APPLICATION_CREDENTIALS} | awk -F/ '{print $NF}') | |
| cp scripts/release-binary.sh scripts/release-binary.sh.tmp | |
| echo gcloud auth activate-service-account --key-file="/work/${CREDENTIAL_FILE_NAME}" > scripts/release-binary.sh | |
| cat scripts/release-binary.sh.tmp >> scripts/release-binary.sh | |
| sed -i 's/87bbee939d9691d20c72936a03dd38457368babd/574c3dd2c41fb18431eb79ad574042c0b865bc1f/g' WORKSPACE | |
| sed -i '/strip_prefix/a\ auth_patterns = {\n "github.com": "Token <password>",\n },' WORKSPACE | |
| sed -i 's/ENVOY_ORG = "envoyproxy"/ENVOY_ORG = "tetratelabs"/g' WORKSPACE | |
| sed -i 's/6359991c3c7f6a52820d82416a8bba8788488cc3e0d9de59d61787c31a69906f/a25626fa4dcd58bebd2faed9a9762901009e9dc436e530102519dc30de396d2f/g' WORKSPACE | |
| sed -i 's/SHA=.*/SHA=574c3dd2c41fb18431eb79ad574042c0b865bc1f/g' scripts/release-binary.sh | |
| sed -i 's/for config in release release-symbol asan debug/for config in release/g' scripts/release-binary.sh | |
| echo password $TOKEN >> .netrc | |
| cat scripts/release-binary.sh | |
| cat Makefile.core.mk | |
| cat WORKSPACE | |
| cat scripts/release-binary.sh | |
| - name: Build and push | |
| if: ${{ steps.check_already_built.outputs.should_build == '1' }} | |
| env: | |
| BUILD_WITH_CONTAINER: 1 | |
| run: make push_release | |
| build_fips_proxy: | |
| # Only run this job when the release type equals "fips". | |
| if: contains(github.event.ref, 'fips') | |
| name: build fips proxy binary | |
| timeout-minutes: 840 | |
| runs-on: ['self-hosted','Linux','x64','m5.large'] | |
| env: | |
| RELEASE_GCS_PATH: gs://getistio-build/proxy-fips | |
| steps: | |
| - name: Get the tag | |
| id: get_tag | |
| run: echo ::set-output name=TAG::${GITHUB_REF#refs/tags/} | |
| - name: Get normalized tag | |
| id: get_minor_ver | |
| run: echo ::set-output name=NORMALIZED_TAG::$(echo $TAG | sed 's/test-//g' | sed 's/-.*//g') | |
| shell: bash | |
| env: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | |
| - name: Checkout | |
| uses: actions/checkout@v2 | |
| with: | |
| repository: "istio/proxy" | |
| ref: ${{ steps.get_minor_ver.outputs.NORMALIZED_TAG }} | |
| - name: Set up Cloud SDK | |
| uses: google-github-actions/setup-gcloud@v0 | |
| with: | |
| project_id: ${{ secrets.GCP_PROJECT_ID }} | |
| service_account_key: ${{ secrets.GCP_SA_KEY }} | |
| export_default_credentials: true | |
| - name: Check if already built | |
| id: check_already_built | |
| run: | | |
| SHA=$(git rev-parse --verify HEAD) | |
| SHOULD_BUILD=1 | |
| if gsutil ls ${RELEASE_GCS_PATH} | grep "${SHA}[^-]" ; then | |
| SHOULD_BUILD=0 | |
| fi | |
| echo ::set-output name=should_build::${SHOULD_BUILD} | |
| - name: Tweak make recipe | |
| if: ${{ steps.check_already_built.outputs.should_build == '1' }} | |
| # 1) remove unnecessary dependency on naive "build" target | |
| # 2) remove "-p" flag to not push and build container, | |
| # 3) replace RELEASE_GCS_PATH var with the literal due to docker build. | |
| # from push_release. | |
| run: | | |
| ESCAPED_RELEASE_GCS_PATH=$(printf '%s\n' "$RELEASE_GCS_PATH" | sed -e 's/[\/&]/\\&/g') | |
| sed -i "s/\-p//g; s/push_release: build/push_release:/g; s/\"\$(RELEASE_GCS_PATH)\"/${ESCAPED_RELEASE_GCS_PATH}/g" Makefile.core.mk | |
| - name: Tweak release-binary script | |
| if: ${{ steps.check_already_built.outputs.should_build == '1' }} | |
| # 1) Setup in-docker auth against gcloud | |
| # 2) Remove unnecessary debug build | |
| # 3) Remove unnecessary Wasm build and publish | |
| # Note that /work is the mount destination of the current home of make command with BUILD_WITH_CONTAINER=1. | |
| run: | | |
| CREDENTIAL_FILE_NAME=$(echo ${GOOGLE_APPLICATION_CREDENTIALS} | awk -F/ '{print $NF}') | |
| cp scripts/release-binary.sh scripts/release-binary.sh.tmp | |
| echo gcloud auth activate-service-account --key-file="/work/${CREDENTIAL_FILE_NAME}" > scripts/release-binary.sh | |
| cat scripts/release-binary.sh.tmp >> scripts/release-binary.sh | |
| sed -i 's/release release\-symbol debug/release release\-symbol/' scripts/release-binary.sh | |
| sed -i -n '/Build and publish Wasm plugins/q;p' scripts/release-binary.sh | |
| cat scripts/release-binary.sh | |
| - name: Add FIPS flag | |
| if: ${{ steps.check_already_built.outputs.should_build == '1' }} | |
| run: echo "build --define boringssl=fips" >> .bazelrc | |
| - name: Build and push | |
| if: ${{ steps.check_already_built.outputs.should_build == '1' }} | |
| env: | |
| BUILD_WITH_CONTAINER: 1 | |
| run: make push_release | |
| - name: Put CentOS binary | |
| # Copy the binary built on Ubuntu to CentOS path - this binar cannot run on CentOS/RHEL 7, but fine with CentOS 8. | |
| # The point is that we cannot build FIPS binary directly on CentOS 7 due to the constraints described in the BoringCrypto certification. | |
| run: | | |
| SHA=$(git rev-parse --verify HEAD) | |
| gsutil cp ${RELEASE_GCS_PATH}/envoy-alpha-${SHA}.tar.gz ${RELEASE_GCS_PATH}/envoy-centos-alpha-${SHA}.tar.gz | |
| - name: Put Wasm binary | |
| # Copy the built Wasm binary in the upstream to the bucket - Wasm is nothing to do with FIPS stuff. | |
| env: | |
| UPSTREAM_GCSP_PATH: gs://istio-build/proxy | |
| run: | | |
| SHA=$(git rev-parse --verify HEAD) | |
| gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA}*" ${RELEASE_GCS_PATH}/ | |
| gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA}*" ${RELEASE_GCS_PATH}/ | |
| gsutil cp "${UPSTREAM_GCSP_PATH}/attributegen-${SHA}*" ${RELEASE_GCS_PATH}/ | |
| build_fips_arm_proxy: | |
| # Do not run this job when the release type equals "fips"as we do not support fips compliant ARM build yet. | |
| if: contains(github.event.ref, 'fips') | |
| name: build ARM proxy binary | |
| timeout-minutes: 1440 # 12 hours | |
| runs-on: ['self-hosted','Linux','ARM64','m6.large'] | |
| env: | |
| RELEASE_GCS_PATH: gs://getistio-build/proxy-fips | |
| ARCH_SUFFIX: arm64 | |
| steps: | |
| - name: Get the tag | |
| id: get_tag | |
| run: echo ::set-output name=TAG::${GITHUB_REF#refs/tags/} | |
| - name: Get normalized tag | |
| id: get_minor_ver | |
| run: | | |
| echo ::set-output name=NORMALIZED_TAG::$(echo $TAG | sed 's/test-//g' | sed 's/-.*//g') | |
| echo ::set-output name=RELEASE_VERSION::$(echo $TAG | sed 's/test-//g' | sed 's/-.*//g' | sed 's/\.[^\.]*$//g') | |
| shell: bash | |
| env: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | |
| - name: Checkout | |
| uses: actions/checkout@v2 | |
| with: | |
| repository: "istio/proxy" | |
| ref: ${{ steps.get_minor_ver.outputs.NORMALIZED_TAG }} | |
| - name: Set up Cloud SDK | |
| uses: google-github-actions/setup-gcloud@v0 | |
| with: | |
| project_id: ${{ secrets.GCP_PROJECT_ID }} | |
| service_account_key: ${{ secrets.GCP_SA_KEY }} | |
| export_default_credentials: true | |
| - name: Check if already built | |
| id: check_already_built | |
| run: | | |
| SHA=$(git rev-parse --verify HEAD) | |
| SHOULD_BUILD=1 | |
| if gsutil ls ${RELEASE_GCS_PATH} | grep ${SHA}-arm64 ; then | |
| SHOULD_BUILD=0 | |
| fi | |
| echo ::set-output name=should_build::${SHOULD_BUILD} | |
| - name: Tweak make recipe | |
| if: ${{ steps.check_already_built.outputs.should_build == '1' }} | |
| # 1) remove unnecessary dependency on naive "build" target | |
| # 2) remove "-p" flag to not push and build container, | |
| # 3) replace RELEASE_GCS_PATH var with the literal due to docker build. | |
| # from push_release. | |
| run: | | |
| ESCAPED_RELEASE_GCS_PATH=$(printf '%s\n' "$RELEASE_GCS_PATH" | sed -e 's/[\/&]/\\&/g') | |
| sed -i "s/\-p//g; s/push_release: build/push_release:/g; s/\"\$(RELEASE_GCS_PATH)\"/${ESCAPED_RELEASE_GCS_PATH}/g" Makefile.core.mk | |
| - name: Tweak release-binary script | |
| if: ${{ steps.check_already_built.outputs.should_build == '1' }} | |
| # 1) Setup in-docker auth against gcloud | |
| # 2) Remove unnecessary debug build | |
| # 3) Remove unnecessary Wasm build and publish | |
| # Note that /work is the mount destination of the current home of make command with BUILD_WITH_CONTAINER=1. | |
| run: | | |
| CREDENTIAL_FILE_NAME=$(echo ${GOOGLE_APPLICATION_CREDENTIALS} | awk -F/ '{print $NF}') | |
| cp scripts/release-binary.sh scripts/release-binary.sh.tmp | |
| echo gcloud auth activate-service-account --key-file="/work/${CREDENTIAL_FILE_NAME}" > scripts/release-binary.sh | |
| cat scripts/release-binary.sh.tmp >> scripts/release-binary.sh | |
| sed -i 's/release release\-symbol debug/release release\-symbol/' scripts/release-binary.sh | |
| sed -i '/if \[\[ "${BUILD_ENVOY_BINARY_ONLY}" !/, +6d' scripts/release-binary.sh | |
| sed -i -n '/Build and publish Wasm plugins/q;p' scripts/release-binary.sh | |
| cat scripts/release-binary.sh | |
| - name: Add FIPS flag | |
| if: ${{ steps.check_already_built.outputs.should_build == '1' }} | |
| run: echo "build --define boringssl=fips" >> .bazelrc | |
| - name: Build and push | |
| if: ${{ steps.check_already_built.outputs.should_build == '1' }} | |
| env: | |
| BUILD_WITH_CONTAINER: 1 | |
| IMG: gcr.io/tetrate-istio-arm/build-tools-proxy:master-latest-arm64 | |
| run: make push_release | |
| - name: Put CentOS binary | |
| # Copy the binary built on Ubuntu to CentOS path - this binar cannot run on CentOS/RHEL 7, but fine with CentOS 8. | |
| # The point is that we cannot build FIPS binary directly on CentOS 7 due to the constraints described in the BoringCrypto certification. | |
| run: | | |
| SHA=$(git rev-parse --verify HEAD) | |
| gsutil cp ${RELEASE_GCS_PATH}/envoy-alpha-${SHA}.tar.gz ${RELEASE_GCS_PATH}/envoy-centos-alpha-${SHA}.tar.gz | |
| - name: Put Wasm binary | |
| # Copy the built Wasm binary in the upstream to the bucket - Wasm is nothing to do with FIPS stuff. | |
| env: | |
| UPSTREAM_GCSP_PATH: gs://istio-build/proxy | |
| run: | | |
| SHA=$(git rev-parse --verify HEAD) | |
| gsutil cp "${UPSTREAM_GCSP_PATH}/metadata_exchange-${SHA}*" ${RELEASE_GCS_PATH}/ | |
| gsutil cp "${UPSTREAM_GCSP_PATH}/stats-${SHA}*" ${RELEASE_GCS_PATH}/ | |
| gsutil cp "${UPSTREAM_GCSP_PATH}/attributegen-${SHA}*" ${RELEASE_GCS_PATH}/ | |
| create-test-images-arm64: | |
| name: create-test-images-arm64 | |
| runs-on: ["self-hosted", "arm64"] | |
| env: | |
| TARGETARCH: arm64 | |
| DOCKER_ARCHITECTURES: linux/arm64 | |
| needs: [build_fips_arm_proxy] | |
| # 'if' condition causes this job to run even if some of the dependent jobs | |
| # have been skipped, e.g. `build_fips_proxy`. | |
| # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful | |
| if: "contains(github.event.ref, 'multiarch')" | |
| steps: | |
| - name: checkout | |
| uses: actions/checkout@v2 | |
| - name: Get Registry | |
| id: get_registry | |
| run: | | |
| [[ ${HUB} == *.* ]] && REGISTRY=$(echo ${HUB} | cut -d/ -f1) | |
| echo REGISTRY=${REGISTRY} | |
| echo REGISTRY=${REGISTRY} >> $GITHUB_ENV | |
| - name: docker-login-non-docker | |
| uses: docker/login-action@v1 | |
| if: ${{ env.REGISTRY != null }} | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ secrets.TEST_HUB_USER }} | |
| password: ${{ secrets.TEST_HUB_PASS }} | |
| - name: docker-login-docker | |
| uses: docker/login-action@v1 | |
| if: ${{ env.REGISTRY == null }} | |
| with: | |
| username: ${{ secrets.TEST_HUB_USER }} | |
| password: ${{ secrets.TEST_HUB_PASS }} | |
| - name: Get the tag | |
| id: get_tag | |
| run: echo ::set-output name=TAG::${GITHUB_REF/refs\/tags\/test-/} | |
| shell: bash | |
| - name: Get minor version | |
| id: get_minor_ver | |
| run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+') | |
| shell: bash | |
| env: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | |
| - name: build and push images | |
| run: bash ./tetrateci/create_istio_release.sh | |
| env: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | |
| TEST: "true" | |
| # if the tag contains fips we are doing a fips build | |
| BUILD: ${{ contains(github.event.ref, 'fips') && 'fips' }} | |
| REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} | |
| create-test-images-amd64: | |
| name: create-test-images-amd64 | |
| #runs-on: ['self-hosted','Linux','x64','m5'] | |
| runs-on: ['self-hosted','Linux','x64','c5.4xlarge'] | |
| needs: [build_fips_proxy] | |
| # 'if' condition causes this job to run even if some of the dependent jobs | |
| # have been skipped, e.g. `build_fips_proxy`. | |
| # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful | |
| if: ${{ !cancelled() && !failure() }} | |
| steps: | |
| - name: checkout | |
| uses: actions/checkout@v2 | |
| - name: Get Registry | |
| id: get_registry | |
| run: | | |
| [[ ${HUB} == *.* ]] && REGISTRY=$(echo ${HUB} | cut -d/ -f1) | |
| echo REGISTRY=${REGISTRY} | |
| echo REGISTRY=${REGISTRY} >> $GITHUB_ENV | |
| - name: docker-login-non-docker | |
| uses: docker/login-action@v1 | |
| if: ${{ env.REGISTRY != null }} | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ secrets.TEST_HUB_USER }} | |
| password: ${{ secrets.TEST_HUB_PASS }} | |
| - name: docker-login-docker | |
| uses: docker/login-action@v1 | |
| if: ${{ env.REGISTRY == null }} | |
| with: | |
| username: ${{ secrets.TEST_HUB_USER }} | |
| password: ${{ secrets.TEST_HUB_PASS }} | |
| - name: Get the tag | |
| id: get_tag | |
| run: echo ::set-output name=TAG::${GITHUB_REF/refs\/tags\/test-/} | |
| shell: bash | |
| - name: Get minor version | |
| id: get_minor_ver | |
| run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+') | |
| shell: bash | |
| env: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | |
| - name: build and push images | |
| run: bash ./tetrateci/create_istio_release.sh | |
| env: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | |
| TEST: "true" | |
| # if the tag contains fips we are doing a fips build | |
| BUILD: ${{ contains(github.event.ref, 'fips') && 'fips' }} | |
| REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} | |
| create-multiarch-images: | |
| name: create-multiarch-images | |
| runs-on: ubuntu-latest | |
| needs: [create-test-images-amd64, create-test-images-arm64] | |
| # 'if' condition causes this job to run even if some of the dependent jobs | |
| # have been skipped, e.g. `build_fips_proxy`. | |
| # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful | |
| if: "contains(github.event.ref, 'multiarch')" | |
| steps: | |
| - name: checkout | |
| uses: actions/checkout@v2 | |
| - name: Get Registry | |
| id: get_registry | |
| run: | | |
| [[ ${HUB} == *.* ]] && REGISTRY=$(echo ${HUB} | cut -d/ -f1) | |
| echo REGISTRY=${REGISTRY} | |
| echo REGISTRY=${REGISTRY} >> $GITHUB_ENV | |
| - name: docker-login-non-docker | |
| uses: docker/login-action@v1 | |
| if: ${{ env.REGISTRY != null }} | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ secrets.TEST_HUB_USER }} | |
| password: ${{ secrets.TEST_HUB_PASS }} | |
| - name: docker-login-docker | |
| uses: docker/login-action@v1 | |
| if: ${{ env.REGISTRY == null }} | |
| with: | |
| username: ${{ secrets.TEST_HUB_USER }} | |
| password: ${{ secrets.TEST_HUB_PASS }} | |
| - name: Get the tag | |
| id: get_tag | |
| run: echo ::set-output name=TAG::${GITHUB_REF/refs\/tags\/test-/} | |
| shell: bash | |
| - name: Get minor version | |
| id: get_minor_ver | |
| run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+') | |
| shell: bash | |
| env: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | |
| - name: build and push images | |
| run: bash ./tetrateci/create_multiarch_images.sh | |
| env: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | |
| TEST: "true" | |
| # if the tag contains fips we are doing a fips build | |
| BUILD: ${{ contains(github.event.ref, 'fips') && 'fips' }} | |
| REL_BRANCH_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} | |
| eks-e2e-arm64-test: | |
| name: eks-e2e-arm64-test | |
| runs-on: ubuntu-latest | |
| needs: [create-test-images-amd64] | |
| # 'if' condition causes this job to run even if some of the dependent jobs | |
| # have been skipped, e.g. `build_fips_proxy`. | |
| # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful | |
| # if: false | |
| if: ${{ !cancelled() && !failure() }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| version: ["1.22", "1.23", "1.24"] # available versions according to https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html | |
| steps: | |
| - name: checkout | |
| uses: actions/checkout@v2 | |
| - name: aws-config | |
| uses: aws-actions/configure-aws-credentials@v1 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ secrets.AWS_REGION }} | |
| - name: Get the tag | |
| id: get_tag | |
| run: echo ::set-output name=TAG::${GITHUB_REF/refs\/tags\/test-/} | |
| shell: bash | |
| - name: Get minor version | |
| id: get_minor_ver | |
| run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+') | |
| shell: bash | |
| env: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | |
| - uses: actions/cache@v2 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }}-go- | |
| - name: eks-cluster-create | |
| run: bash ./tetrateci/create_eks_cluster.sh | |
| env: | |
| K8S_VERSION: ${{ matrix.version }} | |
| ISTIO_MINOR_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} | |
| TEST_ARCH: arm64 | |
| - name: integration-tests | |
| run: bash ./tetrateci/test_${ISTIO_MINOR_VER}_arm.sh | |
| env: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | |
| ISTIO_MINOR_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} | |
| CLUSTER: eks-arm64 | |
| K8S_VERSION: ${{ matrix.version }} | |
| - name: eks-cluster-delete | |
| if: always() | |
| run: bash ./tetrateci/cleanup_eks_cluster.sh | |
| env: | |
| K8S_VERSION: ${{ matrix.version }} | |
| ISTIO_MINOR_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} | |
| TEST_ARCH: arm64 | |
| eks-e2e-test: | |
| name: eks-e2e-test | |
| runs-on: ubuntu-latest | |
| needs: [create-multiarch-images] | |
| # 'if' condition causes this job to run even if some of the dependent jobs | |
| # have been skipped, e.g. `build_fips_proxy`. | |
| # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful | |
| if: ${{ !cancelled() && !failure() }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| version: ["1.23", "1.22", "1.24"] # available versions according to https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html | |
| steps: | |
| - name: checkout | |
| uses: actions/checkout@v2 | |
| - name: aws-config | |
| uses: aws-actions/configure-aws-credentials@v1 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ secrets.AWS_REGION }} | |
| - name: Get the tag | |
| id: get_tag | |
| run: echo ::set-output name=TAG::${GITHUB_REF/refs\/tags\/test-/} | |
| shell: bash | |
| - name: Get minor version | |
| id: get_minor_ver | |
| run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+') | |
| shell: bash | |
| env: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | |
| - uses: actions/cache@v2 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }}-go- | |
| - name: eks-cluster-create | |
| run: bash ./tetrateci/create_eks_cluster.sh | |
| env: | |
| K8S_VERSION: ${{ matrix.version }} | |
| ISTIO_MINOR_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} | |
| - name: integration-tests | |
| run: bash ./tetrateci/test_${ISTIO_MINOR_VER}.sh | |
| env: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | |
| ISTIO_MINOR_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} | |
| CLUSTER: eks | |
| K8S_VERSION: ${{ matrix.version }} | |
| - name: eks-cluster-delete | |
| if: always() | |
| run: bash ./tetrateci/cleanup_eks_cluster.sh | |
| env: | |
| K8S_VERSION: ${{ matrix.version }} | |
| ISTIO_MINOR_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} | |
| gke-e2e-test: | |
| name: gke-e2e-test | |
| runs-on: ubuntu-latest | |
| needs: [create-multiarch-images] | |
| # 'if' condition causes this job to run even if some of the dependent jobs | |
| # have been skipped, e.g. `build_fips_proxy`. | |
| # see https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-not-requiring-dependent-jobs-to-be-successful | |
| if: false | |
| strategy: | |
| fail-fast: false | |
| # available versions according to https://cloud.google.com/kubernetes-engine/versioning | |
| matrix: | |
| include: | |
| - version: "1.24" | |
| channel: "rapid" | |
| - version: "1.23" | |
| channel: "regular" | |
| - version: "1.22" | |
| channel: "regular" | |
| steps: | |
| - name: checkout | |
| uses: actions/checkout@v2 | |
| - name: Set up Cloud SDK | |
| uses: google-github-actions/setup-gcloud@v0 | |
| with: | |
| project_id: ${{ secrets.GCP_PROJECT_ID }} | |
| service_account_key: ${{ secrets.GCP_SA_KEY }} | |
| export_default_credentials: true | |
| - name: Get the tag | |
| id: get_tag | |
| run: echo ::set-output name=TAG::${GITHUB_REF/refs\/tags\/test-/} | |
| shell: bash | |
| - name: Get minor version | |
| id: get_minor_ver | |
| run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+') | |
| shell: bash | |
| env: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | |
| - uses: actions/cache@v2 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }}-go- | |
| - name: gke-cluster-create | |
| run: bash ./tetrateci/create_gke_cluster.sh | |
| env: | |
| K8S_VERSION: ${{ matrix.version }} | |
| CHAN: ${{ matrix.channel }} | |
| ISTIO_MINOR_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} | |
| - name: integration-tests | |
| run: bash ./tetrateci/test_${ISTIO_MINOR_VER}.sh | |
| env: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | |
| ISTIO_MINOR_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} | |
| CLUSTER: gke | |
| K8S_VERSION: ${{ matrix.version }} | |
| - name: gke-cluster-delete | |
| if: always() | |
| run: bash ./tetrateci/cleanup_gke_cluster.sh | |
| env: | |
| K8S_VERSION: ${{ matrix.version }} | |
| ISTIO_MINOR_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} | |
| aks-e2e-test: | |
| ## TODO: temporarily disabling it till credentials are set | |
| if: false | |
| name: aks-e2e-test | |
| runs-on: ubuntu-latest | |
| needs: [create-multiarch-images] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| version: [1.20, 1.19, 1.18, 1.17] | |
| steps: | |
| - name: checkout | |
| uses: actions/checkout@v2 | |
| - name: Set up Cloud SDK | |
| uses: azure/login@v1 | |
| with: | |
| creds: ${{ secrets.AZURE_CREDENTIALS }} | |
| - name: Get the tag | |
| id: get_tag | |
| run: echo ::set-output name=TAG::${GITHUB_REF/refs\/tags\/test-/} | |
| shell: bash | |
| - name: Get minor version | |
| id: get_minor_ver | |
| run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+') | |
| shell: bash | |
| env: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | |
| - uses: actions/cache@v2 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }}-go- | |
| - name: aks-cluster-create | |
| run: bash ./tetrateci/create_aks_cluster.sh | |
| env: | |
| RESOURCE: ${{ secrets.AZURE_RESOURCE }} | |
| K8S_VERSION: ${{ matrix.version }} | |
| ISTIO_MINOR_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} | |
| - name: integration-tests | |
| run: bash ./tetrateci/test_${ISTIO_MINOR_VER}.sh | |
| env: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | |
| ISTIO_MINOR_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} | |
| CLUSTER: aks | |
| K8S_VERSION: ${{ matrix.version }} | |
| - name: aks-cluster-delete | |
| if: always() | |
| run: bash ./tetrateci/cleanup_aks_cluster.sh | |
| env: | |
| K8S_VERSION: ${{ matrix.version }} | |
| ISTIO_MINOR_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} | |
| RESOURCE: ${{ secrets.AZURE_RESOURCE }} | |
| eksd-e2e-test: | |
| name: eksd-e2e-test | |
| runs-on: ubuntu-latest | |
| needs: [create-multiarch-images, eks-e2e-test] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| version: ["1.19", "1.18"] | |
| steps: | |
| - name: checkout | |
| uses: actions/checkout@v2 | |
| - name: aws-config | |
| uses: aws-actions/configure-aws-credentials@v1 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ secrets.AWS_REGION }} | |
| - name: Get the tag | |
| id: get_tag | |
| run: echo ::set-output name=TAG::${GITHUB_REF/refs\/tags\/test-/} | |
| shell: bash | |
| - name: Get minor version | |
| id: get_minor_ver | |
| run: echo ::set-output name=REL_BRANCH_VER::$(echo $TAG | grep -Eo '[0-9]+\.[0-9]+') | |
| shell: bash | |
| env: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | |
| - uses: actions/cache@v2 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }}-go- | |
| - name: eksd-cluster-create | |
| run: bash ./tetrateci/create_eksd_cluster.sh | |
| env: | |
| K8S_VERSION: ${{ matrix.version }} | |
| ISTIO_MINOR_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} | |
| S3_BUCKET: ${{ secrets.S3_BUCKET }} | |
| AWS_REGION: ${{ secrets.AWS_REGION }} | |
| - name: integration-tests | |
| run: bash ./tetrateci/test_${ISTIO_MINOR_VER}.sh | |
| env: | |
| TAG: ${{ steps.get_tag.outputs.TAG }} | |
| CLUSTER: eks # patches for eks and eksd should be same | |
| K8S_VERSION: ${{ matrix.version }} | |
| ISTIO_MINOR_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} | |
| - name: eksd-cluster-delete | |
| if: always() | |
| run: bash ./tetrateci/cleanup_eksd_cluster.sh | |
| env: | |
| K8S_VERSION: ${{ matrix.version }} | |
| ISTIO_MINOR_VER: ${{ steps.get_minor_ver.outputs.REL_BRANCH_VER }} | |
| S3_BUCKET: ${{ secrets.S3_BUCKET }} | |
| AWS_REGION: ${{ secrets.AWS_REGION }} | |
| create-new-tag: | |
| name: create-new-tag | |
| runs-on: ubuntu-latest | |
| # since aks tests are disabled | |
| # needs: [eks-e2e-test, gke-e2e-test, aks-e2e-test] | |
| needs: [eks-e2e-arm64-test, eksd-e2e-test, gke-e2e-test] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v2 | |
| - name: Get the tag | |
| id: get_tag | |
| run: echo ::set-output name=TAG::${GITHUB_REF/refs\/tags\/test-/} | |
| shell: bash | |
| - name: Create Release | |
| id: create_release | |
| uses: actions/create-release@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| tag_name: ${{ steps.get_tag.outputs.TAG }} | |
| release_name: Tetrate Istio | |
| draft: false | |
| prerelease: false |