Conformance tests #3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json | |
| name: Conformance tests | |
| permissions: {} | |
| on: | |
| pull_request: | |
| branches: | |
| - "main" | |
| - "release*" | |
| schedule: | |
| - cron: "43 0 * * 0" | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| define-matrix: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| upgrades: ${{ steps.upgrades.outputs.upgrades }} | |
| steps: | |
| - name: Set Upgarde Scenarios | |
| id: upgrades | |
| run: | | |
| set -e | |
| if [[ ${{ github.event_name }} == 'schedule' ]]; then | |
| echo 'upgrades=["latest","minor","patch"]' >> $GITHUB_OUTPUT | |
| else | |
| echo 'upgrades=["none"]' >> $GITHUB_OUTPUT | |
| fi | |
| prepare-images: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup caches | |
| uses: ./.github/actions/setup-caches | |
| timeout-minutes: 5 | |
| continue-on-error: true | |
| with: | |
| build-cache-key: build-images | |
| - name: Setup build env | |
| uses: ./.github/actions/setup-build-env | |
| timeout-minutes: 10 | |
| with: | |
| free-disk-space: false | |
| - name: ko build | |
| shell: bash | |
| run: | | |
| set -e | |
| VERSION=${{ github.ref_name }} make docker-save-image-all | |
| - name: upload images archive | |
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
| with: | |
| name: kyverno.tar | |
| path: kyverno.tar | |
| retention-days: 1 | |
| if-no-files-found: error | |
| prepare-cli: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup caches | |
| uses: ./.github/actions/setup-caches | |
| timeout-minutes: 5 | |
| continue-on-error: true | |
| with: | |
| build-cache-key: build-cli | |
| - name: Setup build env | |
| uses: ./.github/actions/setup-build-env | |
| timeout-minutes: 10 | |
| with: | |
| free-disk-space: false | |
| - name: Build CLI | |
| shell: bash | |
| run: | | |
| set -e | |
| VERSION=${{ github.ref_name }} make build-cli | |
| - name: upload images archive | |
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
| with: | |
| name: kubectl-kyverno | |
| path: cmd/cli/kubectl-kyverno/kubectl-kyverno | |
| retention-days: 1 | |
| if-no-files-found: error | |
| assert: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: standard | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: assert | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| autogen: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: standard | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: autogen | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| background-only: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: standard | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: background-only | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| cleanup: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: standard | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: cleanup | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| deferred: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: standard | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: deferred | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| events: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: standard | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: events | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| exceptions: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| shard-index: [0,1] | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: standard | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: exceptions | |
| shard-index: ${{ matrix.shard-index }} | |
| shard-count: 2 | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| filter: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: standard | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: filter | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| force-failure-policy-ignore: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: standard,force-failure-policy-ignore | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: force-failure-policy-ignore | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| generate: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| shard-index: [0,1,2,3,4,5,6,7] | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: standard | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: generate | |
| shard-index: ${{ matrix.shard-index }} | |
| shard-count: 8 | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| generate-validating-admission-policy: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kind-config: ./scripts/config/kind/vap-v1beta1.yaml | |
| kyverno-configs: standard,generate-validating-admission-policy | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: generate-validating-admission-policy | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| globalcontext: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: standard | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: globalcontext | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| lease: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: standard | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: lease | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| mutate: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| shard-index: [0,1,2] | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: standard | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: mutate | |
| shard-index: ${{ matrix.shard-index }} | |
| shard-count: 3 | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| policy-validation: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: standard | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: policy-validation | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| rangeoperators: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: standard | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: rangeoperators | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| rbac: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| kyverno-configs: [ standard, default, 'standard,force-failure-policy-ignore' ] | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: ${{ matrix.kyverno-configs }} | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: rbac | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| reports: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| shard-index: [0,1] | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: standard | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: reports | |
| shard-index: ${{ matrix.shard-index }} | |
| shard-count: 2 | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| ttl: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: standard,ttl | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: ttl | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| validate: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| shard-index: [0,1,2,3,4,5] | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: standard | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: validate | |
| shard-index: ${{ matrix.shard-index }} | |
| shard-count: 6 | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| validating-admission-policy-reports: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kind-config: ./scripts/config/kind/vap-v1beta1.yaml | |
| kyverno-configs: standard,validating-admission-policy-reports | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: validating-admission-policy-reports | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| verify-manifests: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: standard | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: verify-manifests | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| verifyImages: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| shard-index: [0,1] | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: standard | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: verifyImages | |
| shard-index: ${{ matrix.shard-index }} | |
| shard-count: 2 | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| webhook-configurations: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kind-config: ./scripts/config/kind/vap-v1beta1.yaml | |
| kyverno-configs: standard,generate-validating-admission-policy | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: webhook-configurations | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| webhooks: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kyverno-configs: standard | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: webhooks | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| sigstore-custom-tuf: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| upgrade: ${{ fromJSON(needs.define-matrix.outputs.upgrades) }} | |
| needs: [ define-matrix, prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: ./.github/actions/run-tests | |
| with: | |
| k8s-version: ${{ matrix.k8s-version }} | |
| kind-config: ./scripts/config/kind/vap-v1beta1.yaml | |
| kyverno-configs: standard,sigstore-custom-tuf | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| tests-path: sigstore-custom-tuf | |
| upgrade-scenario: ${{ matrix.upgrade }} | |
| custom-sigstore: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: | |
| - v1.28.x | |
| - v1.29.x | |
| - v1.30.x | |
| tests: | |
| - custom-sigstore | |
| needs: prepare-images | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| # install tools | |
| - name: Install helm | |
| id: helm | |
| uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 | |
| - name: Install crane | |
| uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4 | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
| - name: Install chainsaw | |
| uses: kyverno/action-install-chainsaw@d311eacde764f806c9658574ff64c9c3b21f8397 # v0.2.11 | |
| with: | |
| verify: true | |
| # create cluster | |
| - name: Create kind cluster and setup Sigstore Scaffolding | |
| uses: sigstore/scaffolding/actions/setup@0fb6c1e4d34c1d40f58a00da8380b7d5fa65a04c # v0.7.17 | |
| with: | |
| version: main | |
| k8s-version: ${{ matrix.k8s-version }} | |
| knative-version: "1.10.0" | |
| - name: Create TUF values config map | |
| run: | | |
| set -e | |
| kubectl create namespace kyverno | |
| kubectl -n kyverno create configmap tufvalues --from-literal=TUF_MIRROR=$TUF_MIRROR --from-literal=FULCIO_URL=$FULCIO_URL --from-literal=REKOR_URL=$REKOR_URL --from-literal=CTLOG_URL=$CTLOG_URL --from-literal=ISSUER_URL=$ISSUER_URL | |
| kubectl -n tuf-system get secrets tuf-root -oyaml | sed 's/namespace: .*/namespace: kyverno/' | kubectl create -f - | |
| # deploy kyverno | |
| - name: Download kyverno images archive | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: kyverno.tar | |
| - name: Load kyverno images archive in kind cluster | |
| shell: bash | |
| run: | | |
| set -e | |
| kind load image-archive kyverno.tar --name kind | |
| - name: Install kyverno | |
| shell: bash | |
| run: | | |
| set -e | |
| export HELM=${{ steps.helm.outputs.helm-path }} | |
| export USE_CONFIG=standard,custom-sigstore | |
| make kind-install-kyverno | |
| - name: Wait for kyverno ready | |
| uses: ./.github/actions/kyverno-wait-ready | |
| # prepare test image | |
| - name: Create test image | |
| shell: bash | |
| run: | | |
| DIGEST=$(crane digest cgr.dev/chainguard/static) | |
| IMAGE_NAME=$(uuidgen | tr "[:upper:]" "[:lower:]") | |
| TEST_IMAGE_URL=ttl.sh/${IMAGE_NAME}:1h | |
| crane copy cgr.dev/chainguard/static@$DIGEST $TEST_IMAGE_URL | |
| cosign initialize --mirror $TUF_MIRROR --root $TUF_MIRROR/root.json | |
| COSIGN_EXPERIMENTAL=1 cosign sign --rekor-url $REKOR_URL --fulcio-url $FULCIO_URL $TEST_IMAGE_URL --identity-token $OIDC_TOKEN -y | |
| echo "TEST_IMAGE_URL=$TEST_IMAGE_URL" >> $GITHUB_ENV | |
| # run tests | |
| - name: Test with Chainsaw | |
| shell: bash | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -e | |
| cd ./test/conformance/chainsaw && chainsaw test ${{ matrix.tests }} --config ../../../.chainsaw.yaml | |
| - name: Debug failure | |
| if: failure() | |
| uses: ./.github/actions/kyverno-logs | |
| policy-library: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: | |
| - v1.28.13 | |
| - v1.29.8 | |
| - v1.30.4 | |
| - v1.31.0 | |
| shard-index: [0,1,2,3,4,5,6,7,8,9,10,11] | |
| needs: | |
| - prepare-images | |
| - prepare-cli | |
| steps: | |
| - name: Checkout kyverno/kyverno | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Checkout kyverno/policies | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| repository: kyverno/policies | |
| path: policies | |
| # install tools | |
| - name: Install helm | |
| id: helm | |
| uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
| - name: Install chainsaw | |
| uses: kyverno/action-install-chainsaw@d311eacde764f806c9658574ff64c9c3b21f8397 # v0.2.11 | |
| with: | |
| verify: true | |
| - name: Download kyverno CLI archive | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: kubectl-kyverno | |
| - name: Install Kyverno CLI | |
| shell: bash | |
| run: | | |
| set -e | |
| chmod +x kubectl-kyverno && mv kubectl-kyverno ./cmd/cli/kubectl-kyverno/kyverno | |
| echo "$PWD/cmd/cli/kubectl-kyverno" >> $GITHUB_PATH | |
| # create cluster | |
| - name: Create kind cluster | |
| uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 | |
| with: | |
| node_image: kindest/node:${{ matrix.k8s-version }} | |
| cluster_name: kind | |
| config: ./scripts/config/kind/default.yaml | |
| # deploy kyverno | |
| - name: Download kyverno images archive | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: kyverno.tar | |
| - name: Load kyverno images archive in kind cluster | |
| shell: bash | |
| run: | | |
| set -e | |
| kind load image-archive kyverno.tar --name kind | |
| - name: Install kyverno | |
| shell: bash | |
| run: | | |
| set -e | |
| export HELM=${{ steps.helm.outputs.helm-path }} | |
| export USE_CONFIG=standard | |
| make kind-install-kyverno | |
| - name: Wait for kyverno ready | |
| uses: ./.github/actions/kyverno-wait-ready | |
| # run tests | |
| - name: Install CRDs | |
| run: | | |
| set -e | |
| kubectl apply -f ./policies/.chainsaw/crds | |
| - name: Test with Chainsaw | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -e | |
| cd policies | |
| chainsaw test . \ | |
| --shard-index ${{ matrix.shard-index }} \ | |
| --shard-count 12 \ | |
| --exclude-test-regex '^chainsaw$/^(tekton|traefik|velero)' \ | |
| --no-color=false | |
| - name: Debug failure | |
| if: failure() | |
| uses: ./.github/actions/kyverno-logs | |
| monitor-helm-secret-size: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| needs: prepare-images | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Setup caches | |
| uses: ./.github/actions/setup-caches | |
| timeout-minutes: 5 | |
| continue-on-error: true | |
| with: | |
| build-cache-key: run-conformance | |
| - name: Setup build env | |
| uses: ./.github/actions/setup-build-env | |
| timeout-minutes: 10 | |
| - name: Create kind cluster | |
| shell: bash | |
| run: | | |
| set -e | |
| make kind-create-cluster | |
| - name: Download kyverno images archive | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: kyverno.tar | |
| - name: Load kyverno images archive in kind cluster | |
| shell: bash | |
| run: | | |
| set -e | |
| make kind-load-image-archive | |
| - name: Install kyverno | |
| shell: bash | |
| run: | | |
| make kind-install-kyverno | |
| - name: Wait for kyverno ready | |
| uses: ./.github/actions/kyverno-wait-ready | |
| - name: Check secret size | |
| shell: bash | |
| run: | | |
| set -e | |
| set -u | |
| SIZE=$(kubectl get secrets -n kyverno sh.helm.release.v1.kyverno.v1 -o jsonpath='{.data.release}' | base64 -d | wc -c | awk '{print $1}') | |
| MAX_ALLOWED=1030000 | |
| if [ "$SIZE" -gt "$MAX_ALLOWED" ]; then | |
| echo "Helm secret size ($SIZE bytes) is above the max allowed ($MAX_ALLOWED bytes)" | |
| exit 1 | |
| else | |
| echo "Helm secret size ($SIZE bytes) is below the max allowed ($MAX_ALLOWED bytes)" | |
| fi | |
| check-tests: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| tests: | |
| - ^cli$ | |
| needs: | |
| - prepare-cli | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| # install tools | |
| - name: Download kyverno CLI archive | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: kubectl-kyverno | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
| - name: Install chainsaw | |
| uses: kyverno/action-install-chainsaw@d311eacde764f806c9658574ff64c9c3b21f8397 # v0.2.11 | |
| with: | |
| verify: true | |
| # create cluster | |
| - name: Create kind cluster | |
| uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 | |
| with: | |
| node_image: kindest/node:v1.30.0 | |
| cluster_name: kind | |
| config: ./scripts/config/kind/default.yaml | |
| - name: Install Kyverno CLI | |
| shell: bash | |
| run: | | |
| set -e | |
| chmod +x kubectl-kyverno && mv kubectl-kyverno ./cmd/cli/kubectl-kyverno/kyverno | |
| echo "$PWD/cmd/cli/kubectl-kyverno" >> $GITHUB_PATH | |
| # run tests | |
| - name: Test with Chainsaw | |
| shell: bash | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -e | |
| cd ./test/conformance/chainsaw && chainsaw test --include-test-regex '^chainsaw$/${{ matrix.tests }}' --config ../../../.chainsaw.yaml | |
| - name: Fix test files | |
| shell: bash | |
| run: | | |
| set -e | |
| KYVERNO_EXPERIMENTAL=true kyverno fix test ./test/cli --save --compress | |
| make verify-cli-tests | |
| cleanup-test: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: | |
| - name: v1.31 | |
| version: v1.31.0 | |
| kyverno-config: | |
| - name: cleanup | |
| values: | |
| - kyverno-cleanup | |
| needs: | |
| - prepare-images | |
| name: ${{ matrix.k8s-version.name }} - kyverno uninstall | |
| steps: | |
| - name: Checkout kyverno/kyverno | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Install helm | |
| id: helm | |
| uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 | |
| - name: Install Kubectl | |
| run: | | |
| set -e | |
| curl -LO "https://dl.k8s.io/release/${{ matrix.k8s-version.version }}/bin/linux/amd64/kubectl" | |
| sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl | |
| - name: Create kind cluster | |
| uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 | |
| with: | |
| node_image: kindest/node:${{ matrix.k8s-version.version }} | |
| cluster_name: kind | |
| config: ./scripts/config/kind/default.yaml | |
| - name: Download kyverno images archive | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: kyverno.tar | |
| - name: Load kyverno images archive in kind cluster | |
| shell: bash | |
| run: | | |
| set -e | |
| kind load image-archive kyverno.tar --name kind | |
| - name: Install kyverno | |
| shell: bash | |
| run: | | |
| set -e | |
| export HELM=${{ steps.helm.outputs.helm-path }} | |
| export USE_CONFIG=${{ join(matrix.kyverno-config.values, ',') }} | |
| make kind-install-kyverno | |
| - name: Wait for kyverno ready | |
| uses: ./.github/actions/kyverno-wait-ready | |
| - name: Log finalizers from deployments | |
| shell: bash | |
| run: | | |
| set -e | |
| kubectl get deploy kyverno-admission-controller -n kyverno --template='{{.metadata.finalizers}}' | |
| kubectl get deploy kyverno-cleanup-controller -n kyverno --template='{{.metadata.finalizers}}' | |
| - name: Uninstall kyverno | |
| shell: bash | |
| run: | | |
| set -e | |
| helm uninstall kyverno -n kyverno --wait --no-hooks | |
| - name: Check validating webhook count | |
| shell: bash | |
| run: | | |
| set -e | |
| if [ `kubectl get validatingwebhookconfigurations -l webhook.kyverno.io/managed-by=kyverno --no-headers | wc -l` -gt 0 ] | |
| then | |
| exit 1 | |
| fi | |
| - name: Debug failure | |
| if: failure() | |
| uses: ./.github/actions/kyverno-logs | |
| helm-upgrade: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| k8s-version: [ v1.28.13, v1.29.8, v1.30.4, v1.31.0 ] | |
| kyverno-version: [ '3.2' ] | |
| needs: [ prepare-images ] | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Install helm | |
| id: helm | |
| uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 | |
| # create cluster | |
| - name: Create kind cluster | |
| uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 | |
| with: | |
| node_image: kindest/node:${{ matrix.k8s-version }} | |
| cluster_name: kind | |
| config: ./scripts/config/kind/default.yaml | |
| # deploy kyverno | |
| - name: Download kyverno images archive | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: kyverno.tar | |
| - name: Load kyverno images archive in kind cluster | |
| shell: bash | |
| run: | | |
| set -e | |
| kind load image-archive kyverno.tar --name kind | |
| - name: Install kyverno | |
| shell: bash | |
| run: | | |
| set -e | |
| ${{ steps.helm.outputs.helm-path }} install kyverno --namespace kyverno --create-namespace --wait \ | |
| --repo https://kyverno.github.io/kyverno kyverno \ | |
| --version ${{ matrix.kyverno-version }} | |
| - name: Wait for kyverno ready | |
| uses: ./.github/actions/kyverno-wait-ready | |
| - name: Upgrade kyverno | |
| shell: bash | |
| run: | | |
| set -e | |
| export HELM=${{ steps.helm.outputs.helm-path }} | |
| make kind-install-kyverno | |
| - name: Wait for kyverno ready | |
| uses: ./.github/actions/kyverno-wait-ready | |
| # debug | |
| - name: Debug failure | |
| if: failure() | |
| uses: ./.github/actions/kyverno-logs | |
| conformance-required-success: | |
| name: conformance-required | |
| needs: | |
| - assert | |
| - autogen | |
| - background-only | |
| - cleanup | |
| - deferred | |
| - events | |
| - exceptions | |
| - filter | |
| - force-failure-policy-ignore | |
| - generate | |
| - generate-validating-admission-policy | |
| - globalcontext | |
| - lease | |
| - mutate | |
| - policy-validation | |
| - rangeoperators | |
| - rbac | |
| - reports | |
| - ttl | |
| - validate | |
| - validating-admission-policy-reports | |
| - verify-manifests | |
| - verifyImages | |
| - webhook-configurations | |
| - webhooks | |
| - custom-sigstore | |
| - monitor-helm-secret-size | |
| - check-tests | |
| - helm-upgrade | |
| runs-on: ubuntu-latest | |
| if: ${{ success() }} | |
| steps: | |
| - run: ${{ true }} | |
| conformance-required-failure: | |
| name: conformance-required | |
| needs: | |
| - assert | |
| - autogen | |
| - background-only | |
| - cleanup | |
| - deferred | |
| - events | |
| - exceptions | |
| - filter | |
| - force-failure-policy-ignore | |
| - generate | |
| - generate-validating-admission-policy | |
| - globalcontext | |
| - lease | |
| - mutate | |
| - policy-validation | |
| - rangeoperators | |
| - rbac | |
| - reports | |
| - ttl | |
| - validate | |
| - validating-admission-policy-reports | |
| - verify-manifests | |
| - verifyImages | |
| - webhook-configurations | |
| - webhooks | |
| - custom-sigstore | |
| - monitor-helm-secret-size | |
| - check-tests | |
| - helm-upgrade | |
| runs-on: ubuntu-latest | |
| if: ${{ failure() || cancelled() }} | |
| steps: | |
| - run: ${{ false }} |