diff --git a/.github/actions/smoke-tests/action.yaml b/.github/actions/smoke-tests/action.yaml index e0a02ca534..9c0a8ddc27 100644 --- a/.github/actions/smoke-tests/action.yaml +++ b/.github/actions/smoke-tests/action.yaml @@ -25,6 +25,9 @@ inputs: marker: description: Marker to use required: false + label: + description: Label for test + required: false azure-ad-secret: description: Azure Active Directory secret for JWKs required: false @@ -32,7 +35,10 @@ inputs: outputs: test-results-name: description: Test results name - value: tests-${{ steps.k8s.outputs.cluster }} + value: ${{ steps.k8s.outputs.test_name }} + test-results-path: + description: Test results full path + value: ${{ steps.k8s.outputs.test_output_path }} runs: using: composite 
@@ -42,12 +48,20 @@ runs: run: | make -f tests/Makefile create-kind-cluster K8S_CLUSTER_NAME=${{ github.run_id }} K8S_CLUSTER_VERSION=${{ inputs.k8s-version }} K8S_TIMEOUT=${{ inputs.k8s-timeout }} make -f tests/Makefile image-load REGISTRY="" PREFIX=${{ inputs.image-name }} TAG=${{ inputs.tag }} K8S_CLUSTER_NAME=${{ github.run_id }} - marker="${{ inputs.marker }}" - nospaces="${marker// /_}" - sanitized_marker="${nospaces//\'/}" - name="${sanitized_marker:-${{ inputs.k8s-version }}}" - echo "cluster_ip=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' ${{ github.run_id }}-control-plane)" >> $GITHUB_OUTPUT - echo "cluster=$(echo nginx-${{ inputs.image-type }}-$name)" >> $GITHUB_OUTPUT + label="${{ inputs.label }}" + nospaces="${label// /_}" + noslash="${nospaces//\//_}" + sanitized_marker="${noslash//\'/}" + name="${sanitized_marker}-${{ inputs.k8s-version }}" + cluster_ip=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' ${{ github.run_id }}-control-plane) + test_name=tests-nginx-${{ inputs.image-type }}-${name}.html + test_output_path=${{ github.workspace }}/tests/${test_name} + echo "cluster_ip=${cluster_ip}" >> $GITHUB_OUTPUT + echo "test_name=${test_name}" >> $GITHUB_OUTPUT + echo "test_output_path=${test_output_path}" >> $GITHUB_OUTPUT + echo "Output:" + echo " cluster_ip=${cluster_ip}" + echo " test_output_path=${test_output_path}" shell: bash - name: Setup Kubeconfig 
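Review bot: The added line `label="${{ inputs.label }}"` pastes the input into the script text before bash runs, so the three substitutions that follow (spaces, slashes, single quotes) only clean a value that has already been parsed as shell; a label containing a double quote, a backtick or `$(` would change the script, not just the file name. Pass the value through the step environment instead: add `env:` with `LABEL: ${{ inputs.label }}` to the step, read it as `label="${LABEL}"`, and quote the redirect target as `>> "$GITHUB_OUTPUT"`. The derived `test_output_path` is used unquoted by `touch`, `-v` and `--html` in the next hunk of this file, so the same quoting applies there. The variable is still named `sanitized_marker` although it now holds the label, and an empty label yields a name starting with `-`. The step's `name`/`id` lines are outside this hunk.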
@@ -56,21 +70,23 @@ runs: shell: bash - name: Run Smoke Tests + id: smoke-tests run: | - touch tests-${{ steps.k8s.outputs.cluster }}.html + touch ${{ steps.k8s.outputs.test_output_path }} docker run --rm \ --name test-runner-${{ github.run_id }} \ --network=kind \ -v ${{ github.workspace }}/tests:/workspace/tests \ -v ${{ github.workspace }}/deployments:/workspace/deployments \ -v ${{ github.workspace }}/config:/workspace/config \ + -v ${{ steps.k8s.outputs.test_output_path }}:${{ steps.k8s.outputs.test_output_path }} \ -v ~/.kube/kind/config:/root/.kube/config ${{ inputs.test-image }} \ --context=kind-${{ github.run_id }} \ --image=${{ inputs.image-name }}:${{ inputs.tag }} \ --image-pull-policy=Never \ --ic-type=nginx${{ contains(inputs.image-type, 'plus') && '-plus' || '' }}-ingress \ --service=nodeport --node-ip=${{ steps.k8s.outputs.cluster_ip }} \ - --html=tests-${{ steps.k8s.outputs.cluster }}.html \ + --html=${{ steps.k8s.outputs.test_output_path }} \ --self-contained-html \ --durations=10 \ --show-ic-logs=yes \ diff --git a/.github/data/matrix-smoke-nap.json b/.github/data/matrix-smoke-nap.json new file mode 100644 index 0000000000..26b70227a1 --- /dev/null +++ b/.github/data/matrix-smoke-nap.json 
@@ -0,0 +1,53 @@
+{
+ "images": [
+ {
+ "label": "AP_WAF 1/4",
+ "image": "ubi-9-plus-nap",
+ "type": "plus",
+ "nap_modules": "waf",
+ "marker": "appprotect_waf_policies_allow",
+ "platforms": "linux/amd64"
+ },
+ {
+ "label": "AP_WAF 2/4",
+ "image": "alpine-plus-nap-fips",
+ "type": "plus",
+ "nap_modules": "waf",
+ "marker": "'appprotect_waf_policies and not appprotect_waf_policies_allow'",
+ "platforms": "linux/amd64"
+ },
+ {
+ "label": "AP_WAF 3/4",
+ "image": "debian-plus-nap",
+ "type": "plus",
+ "nap_modules": "waf",
+ "marker": "appprotect_waf_policies_grpc",
+ "platforms": "linux/amd64"
+ },
+ {
+ "label": "AP_WAF 4/4",
+ "image": "debian-plus-nap",
+ "type": "plus",
+ "nap_modules": "waf",
+ "marker": "'appprotect_watch or appprotect_batch or appprotect_integration'",
+ "platforms": "linux/amd64"
+ },
+ {
+ "label": "AP_DOS",
+ "image": "debian-plus-nap",
+ "type": "plus",
+ "nap_modules": "dos",
+ "marker": "'dos and not dos_learning'",
+ "platforms": "linux/amd64"
+ },
+ {
+ "label": "AP_DOS_Learning",
+ "image": "ubi-8-plus-nap",
+ "type": "plus",
+ "nap_modules": "dos",
+ "marker": "dos_learning",
+ "platforms": "linux/amd64"
+ }
+ ],
+ "k8s": []
+}
diff --git a/.github/data/matrix-smoke-oss.json b/.github/data/matrix-smoke-oss.json
new file mode 100644
index 0000000000..a6965bfedd
--- /dev/null
+++ b/.github/data/matrix-smoke-oss.json
@@ -0,0 +1,68 @@
+{
+ "images": [
+ {
+ "label": "ingresses 1/2",
+ "image": "debian",
+ "type": "oss",
+ "marker": "'ingresses and not annotations and not basic_auth and not hsts and not watch_namespace and not wildcard_tls'",
+ "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+ },
+ {
+ "label": "ingresses 2/2",
+ "image": "debian",
+ "type": "oss",
+ "marker": "'annotations or basic_auth or hsts or watch_namespace or wildcard_tls'",
+ "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+ },
+ {
+ "label": "VSR",
+ "image": "alpine",
+ "type": "oss",
+ "marker": "vsr",
+ "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+ },
+ {
+ "label": "policies 1/2",
+ "image": "alpine",
+ "type": "oss",
+ "marker": "'policies and not policies_rl and not policies_ac and not policies_jwt and not policies_mtls'",
+ "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+ },
+ {
+ "label": "policies 2/2",
+ "image": "alpine",
+ "type": "oss",
+ "marker": "'policies_rl or policies_ac or policies_jwt or policies_mtls'",
+ "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+ },
+ {
+ "label": "VS 1/3",
+ "image": "debian",
+ "type": "oss",
+ "marker": "'vs and not vs_ipv6 and not vs_rewrite and not vs_responses and not vs_grpc and not vs_redirects and not vs_externalname and not vs_externaldns and not vs_certmanager'",
+ "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+ },
+ {
+ "label": "VS 2/3",
+ "image": "debian",
+ "type": "oss",
+ "marker": "'vs_grpc or vs_redirects or vs_externalname or vs_externaldns'",
+ "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+ },
+ {
+ "label": "VS 3/3",
+ "image": "debian",
+ "type": "oss",
+ "marker": "'vs_responses or vs_ipv6 or vs_rewrite or vs_certmanager'",
+ "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+ },
+ {
+ "label": "TS",
+ "image": "ubi",
+ "type": "oss",
+ "marker": "ts",
+ "platforms": "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+ }
+ ],
+ "k8s": []
+}
diff --git a/.github/data/matrix-smoke-plus.json b/.github/data/matrix-smoke-plus.json
new file mode 100644
index 0000000000..228a92b1cc
--- /dev/null
+++ b/.github/data/matrix-smoke-plus.json
@@ -0,0 +1,68 @@
+{
+ "images": [
+ {
+ "label": "VS 1/3",
+ "image": "debian-plus",
+ "type": "plus",
+ "marker": "'vs and not vs_ipv6 and not vs_rewrite and not vs_responses and not vs_grpc and not vs_redirects and not vs_externalname and not vs_externaldns and not vs_certmanager'",
+ "platforms": "linux/arm64, linux/amd64"
+ },
+ {
+ "label": "VS 2/3",
+ "image": "debian-plus",
+ "type": "plus",
+ "marker": "'vs_grpc or vs_redirects or vs_externalname or vs_externaldns'",
+ "platforms": "linux/arm64, linux/amd64"
+ },
+ {
+ "label": "VS 3/3",
+ "image": "debian-plus",
+ "type": "plus",
+ "marker": "'vs_responses or vs_ipv6 or vs_rewrite or vs_certmanager'",
+ "platforms": "linux/arm64, linux/amd64"
+ },
+ {
+ "label": "TS",
+ "image": "debian-plus",
+ "type": "plus",
+ "marker": "ts",
+ "platforms": "linux/arm64, linux/amd64"
+ },
+ {
+ "label": "ingresses 1/2",
+ "image": "alpine-plus",
+ "type": "plus",
+ "marker": "'ingresses and not annotations and not basic_auth and not hsts and not watch_namespace and not wildcard_tls'",
+ "platforms": "linux/arm64, linux/amd64"
+ },
+ {
+ "label": "ingresses 2/2",
+ "image": "alpine-plus",
+ "type": "plus",
+ "marker": "'annotations or basic_auth or hsts or watch_namespace or wildcard_tls'",
+ "platforms": "linux/arm64, linux/amd64"
+ },
+ {
+ "label": "VSR",
+ "image": "alpine-plus",
+ "type": "plus",
+ "marker": "vsr",
+ "platforms": "linux/arm64, linux/amd64"
+ },
+ {
+ "label": "policies 1/2",
+ "image": "ubi-plus",
+ "type": "plus",
+ "marker": "'policies and not policies_ac and not policies_jwt and not policies_mtls'",
+ "platforms": "linux/arm64, linux/amd64, linux/s390x"
+ },
+ {
+ "label": "policies 2/2",
+ "image": "ubi-plus",
+ "type": "plus",
+ "marker": "'policies_ac or policies_jwt or policies_mtls'",
+ "platforms": "linux/arm64, linux/amd64, linux/s390x"
+ }
+ ],
+ "k8s": []
+}
diff --git a/.github/data/matrix-smoke.json b/.github/data/matrix-smoke.json
deleted file mode 100644
index 332475089b..0000000000
--- a/.github/data/matrix-smoke.json
+++ /dev/null
@@ -1,179 +0,0 @@
-{
- "images": [
- {
- "label": "ingresses 1/2",
- "image": "debian",
- "type": "oss",
- "marker": "'ingresses and not annotations and not basic_auth and not hsts and not watch_namespace and not wildcard_tls'",
- "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
- },
- {
- "label": "ingresses 2/2",
- "image": "debian",
- "type": "oss",
- "marker": "'annotations or basic_auth or hsts or watch_namespace or wildcard_tls'",
- "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
- },
- {
- "label": "VSR",
- "image": "alpine",
- "type": "oss",
- "marker": "vsr",
- "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
- },
- {
- "label": "policies 1/2",
- "image": "alpine",
- "type": "oss",
- "marker": "'policies and not policies_rl and not policies_ac and not policies_jwt and not policies_mtls'",
- "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
- },
- {
- "label": "policies 2/2",
- "image": "alpine",
- "type": "oss",
- "marker": "'policies_rl or policies_ac or policies_jwt or policies_mtls'",
- "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
- },
- {
- "label": "VS 1/3",
- "image": "debian",
- "type": "oss",
- "marker": "'vs and not vs_ipv6 and not vs_rewrite and not vs_responses and not vs_grpc and not vs_redirects and not vs_externalname and not vs_externaldns and not vs_certmanager'",
- "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
- },
- {
- "label": "VS 2/3",
- "image": "debian",
- "type": "oss",
- "marker": "'vs_grpc or vs_redirects or vs_externalname or vs_externaldns'",
- "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
- },
- {
- "label": "VS 3/3",
- "image": "debian",
- "type": "oss",
- "marker": "'vs_responses or vs_ipv6 or vs_rewrite or vs_certmanager'",
- "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
- },
- {
- "label": "TS",
- "image": "ubi",
- "type": "oss",
- "marker": "ts",
- "platforms": "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
- },
- {
- "label": "VS 1/3",
- "image": "debian-plus",
- "type": "plus",
- "marker": "'vs and not vs_ipv6 and not vs_rewrite and not vs_responses and not vs_grpc and not vs_redirects and not vs_externalname and not vs_externaldns and not vs_certmanager'",
- "platforms": "linux/arm64, linux/amd64"
- },
- {
- "label": "VS 2/3",
- "image": "debian-plus",
- "type": "plus",
- "marker": "'vs_grpc or vs_redirects or vs_externalname or vs_externaldns'",
- "platforms": "linux/arm64, linux/amd64"
- },
- {
- "label": "VS 3/3",
- "image": "debian-plus",
- "type": "plus",
- "marker": "'vs_responses or vs_ipv6 or vs_rewrite or vs_certmanager'",
- "platforms": "linux/arm64, linux/amd64"
- },
- {
- "label": "TS",
- "image": "debian-plus",
- "type": "plus",
- "marker": "ts",
- "platforms": "linux/arm64, linux/amd64"
- },
- {
- "label": "ingresses 1/2",
- "image": "alpine-plus",
- "type": "plus",
- "marker": "'ingresses and not annotations and not basic_auth and not hsts and not watch_namespace and not wildcard_tls'",
- "platforms": "linux/arm64, linux/amd64"
- },
- {
- "label": "ingresses 2/2",
- "image": "alpine-plus",
- "type": "plus",
- "marker": "'annotations or basic_auth or hsts or watch_namespace or wildcard_tls'",
- "platforms": "linux/arm64, linux/amd64"
- },
- {
- "label": "VSR",
- "image": "alpine-plus",
- "type": "plus",
- "marker": "vsr",
- "platforms": "linux/arm64, linux/amd64"
- },
- {
- "label": "policies 1/2",
- "image": "ubi-plus",
- "type": "plus",
- "marker": "'policies and not policies_ac and not policies_jwt and not policies_mtls'",
- "platforms": "linux/arm64, linux/amd64, linux/s390x"
- },
- {
- "label": "policies 2/2",
- "image": "ubi-plus",
- "type": "plus",
- "marker": "'policies_ac or policies_jwt or policies_mtls'",
- "platforms": "linux/arm64, linux/amd64, linux/s390x"
- },
- {
- "label": "AP_WAF 1/4",
- "image": "ubi-9-plus-nap",
- "type": "plus",
- "nap_modules": "waf",
- "marker": "appprotect_waf_policies_allow",
- "platforms": "linux/amd64"
- },
- {
- "label": "AP_WAF 2/4",
- "image": "alpine-plus-nap-fips",
- "type": "plus",
- "nap_modules": "waf",
- "marker": "'appprotect_waf_policies and not appprotect_waf_policies_allow'",
- "platforms": "linux/amd64"
- },
- {
- "label": "AP_WAF 3/4",
- "image": "debian-plus-nap",
- "type": "plus",
- "nap_modules": "waf",
- "marker": "appprotect_waf_policies_grpc",
- "platforms": "linux/amd64"
- },
- {
- "label": "AP_WAF 4/4",
- "image": "debian-plus-nap",
- "type": "plus",
- "nap_modules": "waf",
- "marker": "'appprotect_watch or appprotect_batch or appprotect_integration'",
- "platforms": "linux/amd64"
- },
- {
- "label": "AP_DOS",
- "image": "debian-plus-nap",
- "type": "plus",
- "nap_modules": "dos",
- "marker": "'dos and not dos_learning'",
- "platforms": "linux/amd64"
- },
- {
- "label": "AP_DOS_Learning",
- "image": "ubi-8-plus-nap",
- "type": "plus",
- "nap_modules": "dos",
- "marker": "dos_learning",
- "platforms": "linux/amd64"
- }
- ],
- "k8s": []
-}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 580f87c57e..76fa0885b9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -108,18 +108,6 @@ jobs: key: nginx-ingress-${{ steps.vars.outputs.go_code_md5 }} lookup-only: true - - name: Check if go.mod and go.sum are up to date - run: go mod tidy && git diff --exit-code -- go.mod go.sum - - - name: Check if CRDs changed - run: make update-crds && git diff --name-only --exit-code config/crd/bases - - - name: Check if Codegen changed - run: | - cd ../.. && mkdir -p github.com/nginxinc && mv kubernetes-ingress/kubernetes-ingress github.com/nginxinc/ && cd github.com/nginxinc/kubernetes-ingress - make update-codegen && git diff --name-only --exit-code pkg/** - cd ../../.. && mv github.com/nginxinc/kubernetes-ingress kubernetes-ingress/kubernetes-ingress - - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 @@ -161,6 +149,27 @@ jobs: echo stable_image_exists: ${{ steps.stable_exists.outputs.exists }} echo additional_tag: ${{ steps.vars.outputs.additional_tag }} + verify-codegen: + name: Verify generated code + runs-on: ubuntu-22.04 + permissions: + contents: read + steps: + - name: Checkout Repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Check if go.mod and go.sum are up to date + run: go mod tidy && git diff --exit-code -- go.mod go.sum + + - name: Check if CRDs changed + run: make update-crds && git diff --name-only --exit-code config/crd/bases + + - name: Check if Codegen changed + run: | + cd ../.. && mkdir -p github.com/nginxinc && mv kubernetes-ingress/kubernetes-ingress github.com/nginxinc/ && cd github.com/nginxinc/kubernetes-ingress + make update-codegen && git diff --name-only --exit-code pkg/** + cd ../../.. && mv github.com/nginxinc/kubernetes-ingress kubernetes-ingress/kubernetes-ingress + unit-tests: name: Unit Tests runs-on: ubuntu-22.04 
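Review bot: The new `verify-codegen` job runs `go mod tidy`, `make update-crds` and `make update-codegen` straight after checkout, and no step visible in this hunk installs a Go toolchain, so the checks would run with whatever Go the runner image ships. If the `checks` job these steps were moved out of set up Go before them (not visible here), this job needs the same step, for example `uses: actions/setup-go@<pinned-sha>` with `go-version-file: go.mod`, pinned by commit SHA like the other actions in this file. Adding `persist-credentials: false` to the checkout step would also keep the job token out of `.git/config` while the make targets run.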
@@ -189,7 +198,7 @@ jobs: release-notes: name: Release Notes runs-on: ubuntu-22.04 - needs: [checks, unit-tests] + needs: [checks, unit-tests, verify-codegen] outputs: release-url: ${{ steps.release-notes.outputs.release-url }} permissions: @@ -226,7 +235,7 @@ jobs: binaries: name: Build Binaries runs-on: ubuntu-22.04 - needs: [checks, unit-tests] + needs: [checks, unit-tests, verify-codegen] permissions: contents: write # for goreleaser/goreleaser-action to manage releases id-token: write # for goreleaser/goreleaser-action to sign artifacts @@ -561,14 +570,18 @@ jobs: contents: read id-token: write outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} + matrix_oss: ${{ steps.set-matrix.outputs.matrix_oss }} + matrix_plus: ${{ steps.set-matrix.outputs.matrix_plus }} + matrix_nap: ${{ steps.set-matrix.outputs.matrix_nap }} steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - id: set-matrix run: | - echo "matrix=$(cat .github/data/matrix-smoke.json | jq -c --arg latest "${{ needs.checks.outputs.k8s_latest }}" '.k8s += [$latest]')" >> $GITHUB_OUTPUT + echo "matrix_oss=$(cat .github/data/matrix-smoke-oss.json | jq -c --arg latest "${{ needs.checks.outputs.k8s_latest }}" '.k8s += [$latest]')" >> $GITHUB_OUTPUT + echo "matrix_plus=$(cat .github/data/matrix-smoke-plus.json | jq -c --arg latest "${{ needs.checks.outputs.k8s_latest }}" '.k8s += [$latest]')" >> $GITHUB_OUTPUT + echo "matrix_nap=$(cat .github/data/matrix-smoke-nap.json | jq -c --arg latest "${{ needs.checks.outputs.k8s_latest }}" '.k8s += [$latest]')" >> $GITHUB_OUTPUT - name: Docker Buildx uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 
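Review bot: The three added `echo "matrix_…"` lines in the `set-matrix` step are copies that differ only in the suffix, and each still interpolates `${{ needs.checks.outputs.k8s_latest }}` into the script text and appends to an unquoted `$GITHUB_OUTPUT`. A loop states the command once and lets the value arrive through `env:` (`K8S_LATEST: ${{ needs.checks.outputs.k8s_latest }}`): `for m in oss plus nap; do echo "matrix_${m}=$(jq -c --arg latest "$K8S_LATEST" '.k8s += [$latest]' ".github/data/matrix-smoke-${m}.json")" >> "$GITHUB_OUTPUT"; done`. Reading the file directly with `jq` also drops the extra `cat`.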
@@ -610,143 +623,90 @@ jobs: load: false if: ${{ steps.check-image.outcome == 'failure' && needs.checks.outputs.docs_only == 'false' }} - smoke-tests: + smoke-tests-oss: if: ${{ inputs.force || needs.checks.outputs.docs_only != 'true' }} name: ${{ matrix.images.label }} ${{ matrix.images.image }} ${{ matrix.k8s }} smoke tests - runs-on: ubuntu-22.04 needs: - checks - setup-matrix - build-docker - - build-docker-plus - - build-docker-nap strategy: fail-fast: false - matrix: ${{ fromJSON(needs.setup-matrix.outputs.matrix) }} + matrix: ${{ fromJSON(needs.setup-matrix.outputs.matrix_oss) }} permissions: contents: read id-token: write - steps: - - name: Checkout Repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: Set image variables - id: image_details - run: | - echo "name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.images.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.images.nap_modules, 'waf') && '-nap' || '' }}/nginx${{ contains(matrix.images.image, 'plus') && '-plus' || '' }}-ingress" >> $GITHUB_OUTPUT - echo "build_tag=${{ needs.checks.outputs.build_tag }}${{ contains(matrix.images.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.images.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.images.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.images.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT - echo "stable_tag=${{ needs.checks.outputs.stable_tag }}${{ contains(matrix.images.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.images.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.images.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.images.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT - - - name: Authenticate to Google Cloud - id: auth - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 - with: - token_format: access_token - workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} - 
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} - if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }} - - - name: Login to GCR - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 - with: - registry: gcr.io - username: oauth2accesstoken - password: ${{ steps.auth.outputs.access_token }} - if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }} - - - name: Check if stable image exists - id: stable_exists - run: | - if docker pull ${{ steps.image_details.outputs.name }}:${{ steps.image_details.outputs.stable_tag }}; then - echo "exists=true" >> $GITHUB_OUTPUT - fi - if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }} - - - name: NAP modules - id: nap_modules - run: | - [[ "${{ matrix.images.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || modules="${{ matrix.images.nap_modules }}" - echo "modules=${modules}" >> $GITHUB_OUTPUT - if: ${{ matrix.images.nap_modules }} - - - name: Pull build image - run: | - docker pull ${{ steps.image_details.outputs.name }}:${{ steps.image_details.outputs.build_tag }} - if: ${{ needs.checks.outputs.forked_workflow == 'false' && steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }} - - - name: Fetch Cached Artifacts - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 - with: - path: ${{ github.workspace }}/dist - key: nginx-ingress-${{ needs.checks.outputs.go_code_md5 }} - fail-on-cache-miss: true - if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }} - - - name: Check if test image exists - id: check-image - run: | - docker manifest inspect "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" - shell: bash - continue-on-error: true - if: ${{ needs.checks.outputs.forked_workflow == 'false' 
&& needs.checks.outputs.docs_only == 'false' }} - - - name: Build Test-Runner Container - uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2 - with: - file: tests/Dockerfile - context: "." - cache-from: type=gha,scope=test-runner - tags: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" - pull: true - push: ${{ needs.checks.outputs.forked_workflow == 'false' }} - load: ${{ needs.checks.outputs.forked_workflow == 'true' }} - if: ${{ ( needs.checks.outputs.forked_workflow == 'true' || steps.check-image.outcome == 'failure' ) && needs.checks.outputs.docs_only == 'false' }} - - - name: Build ${{ matrix.images.image }} Container - uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2 - with: - file: build/Dockerfile - context: "." - cache-from: type=gha,scope=${{ matrix.images.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }} - cache-to: type=gha,scope=${{ matrix.images.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }},mode=max - target: goreleaser - tags: "${{ steps.image_details.outputs.name }}:${{ steps.image_details.outputs.build_tag }}" - load: true - pull: true - build-args: | - BUILD_OS=${{ matrix.images.image }} - IC_VERSION=CI - ${{ contains(matrix.images.image, 'nap') && format('NAP_MODULES={0}', steps.nap_modules.outputs.modules) || '' }} - ${{ contains(matrix.images.marker, 'appprotect') && 'DEBIAN_VERSION=buster-slim' || '' }} - secrets: | - ${{ contains(matrix.images.image, 'nap') && format('"nginx-repo.crt={0}"', secrets.NGINX_AP_CRT) || format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) }} - ${{ contains(matrix.images.image, 'nap') && format('"nginx-repo.key={0}"', secrets.NGINX_AP_KEY) || format('"nginx-repo.key={0}"', secrets.NGINX_KEY) }} - ${{ contains(matrix.images.image, 'ubi') && format('"rhel_license={0}"', 
secrets.RHEL_LICENSE) || '' }} - if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }} + uses: ./.github/workflows/setup-smoke.yml + secrets: inherit + with: + image: ${{ matrix.images.image }} + target: ${{ matrix.images.target }} + nap-modules: ${{ matrix.images.nap_modules }} + marker: ${{ matrix.images.marker }} + label: ${{ matrix.images.label }} + go-md5: ${{ needs.checks.outputs.go_code_md5 }} + build-tag: ${{ needs.checks.outputs.build_tag }} + stable-tag: ${{ needs.checks.outputs.stable_tag }} + authenticated: ${{ needs.checks.outputs.forked_workflow != 'true' }} + k8s-version: ${{ matrix.k8s }} - - name: Run Smoke Tests - id: smoke-tests - uses: ./.github/actions/smoke-tests - with: - image-type: ${{ matrix.images.image }} - image-name: ${{ steps.image_details.outputs.name }} - tag: ${{ steps.image_details.outputs.build_tag }} - marker: ${{ matrix.images.marker != '' && matrix.images.marker || '' }} - k8s-version: ${{ matrix.k8s }} - azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }} - test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" - if: ${{ steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }} + smoke-tests-plus: + if: ${{ inputs.force || needs.checks.outputs.docs_only != 'true' }} + name: ${{ matrix.images.label }} ${{ matrix.images.image }} ${{ matrix.k8s }} smoke tests + needs: + - checks + - setup-matrix + - build-docker-plus + strategy: + fail-fast: false + matrix: ${{ fromJSON(needs.setup-matrix.outputs.matrix_plus) }} + permissions: + contents: read + id-token: write + uses: ./.github/workflows/setup-smoke.yml + secrets: inherit + with: + image: ${{ matrix.images.image }} + target: ${{ matrix.images.target }} + nap-modules: ${{ matrix.images.nap_modules }} + marker: ${{ matrix.images.marker }} + label: ${{ matrix.images.label }} + go-md5: ${{ needs.checks.outputs.go_code_md5 }} + 
build-tag: ${{ needs.checks.outputs.build_tag }} + stable-tag: ${{ needs.checks.outputs.stable_tag }} + authenticated: ${{ needs.checks.outputs.forked_workflow != 'true' }} + k8s-version: ${{ matrix.k8s }} - - name: Upload Test Results - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 - with: - name: ${{ steps.smoke-tests.outputs.test-results-name }}-${{ matrix.k8s }} - path: ${{ github.workspace }}/tests/${{ steps.smoke-tests.outputs.test-results-name }}-${{ matrix.k8s }}.html - if: always() + smoke-tests-nap: + if: ${{ inputs.force || needs.checks.outputs.docs_only != 'true' }} + name: ${{ matrix.images.label }} ${{ matrix.images.image }} ${{ matrix.k8s }} smoke tests + needs: + - checks + - setup-matrix + - build-docker-nap + strategy: + fail-fast: false + matrix: ${{ fromJSON(needs.setup-matrix.outputs.matrix_nap) }} + permissions: + contents: read + id-token: write + uses: ./.github/workflows/setup-smoke.yml + secrets: inherit + with: + image: ${{ matrix.images.image }} + target: ${{ matrix.images.target }} + nap-modules: ${{ matrix.images.nap_modules }} + marker: ${{ matrix.images.marker }} + label: ${{ matrix.images.label }} + go-md5: ${{ needs.checks.outputs.go_code_md5 }} + build-tag: ${{ needs.checks.outputs.build_tag }} + stable-tag: ${{ needs.checks.outputs.stable_tag }} + authenticated: ${{ needs.checks.outputs.forked_workflow != 'true' }} + k8s-version: ${{ matrix.k8s }} tag-stable: name: Tag tested image as stable - needs: [checks, smoke-tests] + needs: [checks, smoke-tests-oss, smoke-tests-plus, smoke-tests-nap] permissions: contents: read # To checkout repository id-token: write # To sign into Google Container Registry 
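Review bot: All three new callers use `secrets: inherit`, which hands every secret available to this workflow to `setup-smoke.yml`, while the job this hunk removes referenced only a handful (`GCR_WORKLOAD_IDENTITY`, `GCR_SERVICE_ACCOUNT`, `NGINX_CRT`/`NGINX_KEY`, `NGINX_AP_CRT`/`NGINX_AP_KEY`, `RHEL_LICENSE`, `AZURE_AD_AUTOMATION`). Declaring those under `on.workflow_call.secrets` in the called workflow and passing them by name keeps the exposure to what the tests need and makes the dependency visible in review; the OSS and Plus callers could then leave out the NAP credentials. The called workflow is cut off on this page, so confirm the list against its full text. Separately, the new matrix files have no `target` key, so `target: ${{ matrix.images.target }}` is always empty for an input declared `required: true`; `required: false` with `default: ''` would state the intent.

```yaml
    uses: ./.github/workflows/setup-smoke.yml
    secrets:
      GCR_WORKLOAD_IDENTITY: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
      GCR_SERVICE_ACCOUNT: ${{ secrets.GCR_SERVICE_ACCOUNT }}
      NGINX_CRT: ${{ secrets.NGINX_CRT }}
      NGINX_KEY: ${{ secrets.NGINX_KEY }}
      RHEL_LICENSE: ${{ secrets.RHEL_LICENSE }}
      AZURE_AD_AUTOMATION: ${{ secrets.AZURE_AD_AUTOMATION }}
    # … unchanged: with: inputs (image, target, nap-modules, marker, label, tags, k8s-version) …
```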
@@ -762,15 +722,23 @@ jobs: if: ${{ always() }} runs-on: ubuntu-22.04 name: Final CI Results - needs: [tag-stable, smoke-tests] + needs: [tag-stable, smoke-tests-oss, smoke-tests-plus, smoke-tests-nap] steps: - run: | tagResult="${{ needs.tag-stable.result }}" - smokeResult="${{ needs.smoke-tests.result }}" + smokeOSSResult="${{ needs.smoke-tests-oss.result }}" + smokePlusResult="${{ needs.smoke-tests-plus.result }}" + smokeNAPResult="${{ needs.smoke-tests-nap.result }}" if [[ $tagResult != "success" && $tagResult != "skipped" ]]; then exit 1 fi - if [[ $smokeResult != "success" && $smokeResult != "skipped" ]]; then + if [[ $smokeOSSResult != "success" && $smokeOSSResult != "skipped" ]]; then + exit 1 + fi + if [[ $smokePlusResult != "success" && $smokePlusResult != "skipped" ]]; then + exit 1 + fi + if [[ $smokeNAPResult != "success" && $smokeNAPResult != "skipped" ]]; then exit 1 fi diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index fed0fb0ae3..34782a4232 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml @@ -191,7 +191,7 @@ jobs: regression-tests: name: ${{ matrix.images.label }} ${{ matrix.images.image }} ${{ matrix.k8s }} regression tests runs-on: ubuntu-22.04 - needs: [checks,setup-regression-matrix] + needs: [checks, setup-regression-matrix] strategy: fail-fast: false matrix: ${{ fromJSON(needs.setup-regression-matrix.outputs.matrix) }} 
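Review bot: The final-results script now holds four copies of the same `!= "success" && != "skipped"` test, one per needed job, so adding a job means adding both a variable and a block, and forgetting the block leaves that job's failure unchecked. A loop states the rule once: `for r in "$tagResult" "$smokeOSSResult" "$smokePlusResult" "$smokeNAPResult"; do [[ $r == "success" || $r == "skipped" ]] || exit 1; done`.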
@@ -245,14 +245,15 @@ jobs: tag: ${{ steps.image_details.outputs.tag }} marker: ${{ matrix.images.marker != '' && matrix.images.marker || '' }} k8s-version: ${{ matrix.k8s }} + label: ${{ matrix.images.label }} azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }} test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" - name: Upload Test Results uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: - name: ${{ steps.regression-tests.outputs.test-results-name }}-${{ matrix.k8s }} - path: ${{ github.workspace }}/tests/${{ steps.regression-tests.outputs.test-results-name }}-${{ matrix.k8s }}.html + name: ${{ steps.regression-tests.outputs.test-results-name }} + path: ${{ steps.regression-tests.outputs.test-results-path }} if: always() tag-stable: diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml new file mode 100644 index 0000000000..8298c9c019 --- /dev/null +++ b/.github/workflows/setup-smoke.yml 
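Review bot: The artifact name in `Upload Test Results` loses its `-${{ matrix.k8s }}` suffix and now depends entirely on what the smoke-tests action builds from image type, label and Kubernetes version, and upload-artifact v4 fails when two jobs in one run upload the same name. Check that every regression matrix entry has a non-empty `label` that is unique per image and version (the matrix file is not on this page); an entry without one would yield a name of the form `tests-nginx-<image>--<version>.html`. The name now ends in `.html` because the action's `test-results-name` output is the file name, which is worth a comment next to the `name:` line, e.g. `# test-results-name already includes label, k8s version and .html`.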
@@ -0,0 +1,167 @@
+name: Setup Smoke tests
+
+on:
+ workflow_call:
+ inputs:
+ image:
+ required: true
+ type: string
+ target:
+ required: true
+ type: string
+ nap-modules:
+ required: true
+ type: string
+ marker:
+ required: true
+ type: string
+ label:
+ required: true
+ type: string
+ go-md5:
+ required: true
+ type: string
+ build-tag:
+ required: true
+ type: string
+ stable-tag:
+ required: true
+ type: string
+ authenticated:
+ required: true
+ type: boolean
+ k8s-version:
+ required: true
+ type: string
+
+defaults:
+ run:
+ shell: bash
+
+permissions:
+ contents: read
+
+jobs:
+ setup-smoke:
+ permissions:
+ contents: read # for docker/build-push-action to read repo content
+ id-token: write # for OIDC login to GCR
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: Set image variables
+ id: image_details
+ run: |
+ echo "name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(inputs.nap-modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap-modules, 'waf') && '-nap' || '' }}/nginx${{ contains(inputs.image, 'plus') && '-plus' || '' }}-ingress" >> $GITHUB_OUTPUT
+ echo "build_tag=${{ inputs.build-tag }}${{ contains(inputs.image, 'ubi') && '-ubi' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT
+ echo "stable_tag=${{ inputs.stable-tag }}${{ contains(inputs.image, 'ubi') && '-ubi' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT
+
+ - name: Authenticate to Google Cloud
+ id: auth
+ uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
+ with:
+ token_format: access_token
+ workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
+ service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+ if: ${{ inputs.authenticated }}
+
+ - name: Login to GCR
+ uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+ with:
+ registry: gcr.io
+ username: oauth2accesstoken
+ password: ${{ steps.auth.outputs.access_token }}
+ if: ${{ inputs.authenticated }}
+
+ - name: Check if stable image exists
+ id: stable_exists
+ run: |
+ if docker pull ${{ steps.image_details.outputs.name }}:${{ steps.image_details.outputs.stable_tag }}; then
+ echo "exists=true" >> $GITHUB_OUTPUT
+ fi
+ if: ${{ inputs.authenticated }}
+
+ - name: NAP modules
+ id: nap_modules
+ run: |
+ [[ "${{ inputs.nap-modules }}" == "waf,dos" ]] && modules="waf-dos" || modules="${{ inputs.nap-modules }}"
+ echo "modules=${modules}" >> $GITHUB_OUTPUT
+ if: ${{ inputs.nap-modules }}
+
+ - name: Pull build image
+ run: |
+ docker pull ${{ steps.image_details.outputs.name }}:${{ steps.image_details.outputs.build_tag }}
+ if: ${{ inputs.authenticated && steps.stable_exists.outputs.exists != 'true' }}
+
+ - name: Fetch Cached Artifacts
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+ with:
+ path: ${{ github.workspace }}/dist
+ key: nginx-ingress-${{ inputs.go-md5 }}
+ fail-on-cache-miss: true
+ if: ${{ !inputs.authenticated }}
+
+ - name: Check if test image exists
+ id: check-image
+ run: |
+ docker manifest inspect "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}"
+ shell: bash
+ continue-on-error: true
+ if: ${{ inputs.authenticated }}
+
+ - name: Build Test-Runner Container
+ uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
+ with:
+ file: tests/Dockerfile
+ context: "."
+ cache-from: type=gha,scope=test-runner
+ tags: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}"
+ pull: true
+ push: ${{ inputs.authenticated }}
+ load: ${{ !inputs.authenticated }}
+ if: ${{ ( !inputs.authenticated || steps.check-image.outcome == 'failure' ) }}
+
+ - name: Build ${{ inputs.image }} Container
+ uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
+ with:
+ file: build/Dockerfile
+ context: "."
+ cache-from: type=gha,scope=${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }}
+ cache-to: type=gha,scope=${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }},mode=max
+ target: goreleaser
+ tags: "${{ steps.image_details.outputs.name }}:${{ steps.image_details.outputs.build_tag }}"
+ load: true
+ pull: true
+ build-args: |
+ BUILD_OS=${{ inputs.image }}
+ IC_VERSION=CI
+ ${{ contains(inputs.image, 'nap') && format('NAP_MODULES={0}', steps.nap_modules.outputs.modules) || '' }}
+ ${{ contains(inputs.marker, 'appprotect') && 'DEBIAN_VERSION=buster-slim' || '' }}
+ secrets: |
+ ${{ contains(inputs.image, 'nap') && format('"nginx-repo.crt={0}"', secrets.NGINX_AP_CRT) || format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) }}
+ ${{ contains(inputs.image, 'nap') && format('"nginx-repo.key={0}"', secrets.NGINX_AP_KEY) || format('"nginx-repo.key={0}"', secrets.NGINX_KEY) }}
+ ${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
+ if: ${{ !inputs.authenticated }}
+
+ - name: Run Smoke Tests
+ id: smoke-tests
+ uses: ./.github/actions/smoke-tests
+ with:
+ image-type: ${{ inputs.image }}
+ image-name: ${{ steps.image_details.outputs.name }}
+ tag: ${{ steps.image_details.outputs.build_tag }}
+ marker: ${{ inputs.marker != '' && inputs.marker || '' }}
+ label: ${{ inputs.label }}
+ k8s-version: ${{ inputs.k8s-version }}
+ azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }}
+ test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}"
+ if: ${{ steps.stable_exists.outputs.exists != 'true' }}
+
+ - name: Upload Test Results
+ uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+ with:
+ name: ${{ steps.smoke-tests.outputs.test-results-name }}
+ path: ${{ steps.smoke-tests.outputs.test-results-path }}
+ if: always()
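Review bot: The `run:` scripts paste `${{ inputs.* }}` and step outputs directly into shell text — `NAP modules` (`modules="${{ inputs.nap-modules }}"`), `Set image variables` (`inputs.build-tag`, `inputs.stable-tag`) and both `docker pull` steps — so a value containing shell metacharacters is interpreted by bash instead of being treated as data. Whether any caller of this `workflow_call` passes externally influenced values is not visible here, but the job holds `id-token: write` and registry credentials, so binding values through the environment is the safer form: add `env: NAP_MODULES: ${{ inputs.nap-modules }}` to the step and use `modules="${NAP_MODULES}"` in the script, and likewise for the tags. Separately, the `cache-from`/`cache-to` scopes read `steps.nap_modules.outputs.name`, yet that step only writes `modules` to `$GITHUB_OUTPUT`, so the suffix is always empty and NAP variants of one image share a cache scope; `steps.nap_modules.outputs.modules` looks like the intended output.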