From 69b10ebb88efd2808d68d8fd244a05de1fe84f2e Mon Sep 17 00:00:00 2001
From: Akash Singhal
Date: Wed, 5 Jun 2024 22:46:09 -0700
Subject: [PATCH 1/3] ci: improve azure test resiliency (#1546)
---
 scripts/azure-ci-test.sh | 6 ++++++
 test/bats/azure-test.bats | 22 +++++++++++-----------
 2 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/scripts/azure-ci-test.sh b/scripts/azure-ci-test.sh
index 0289c684f..f0e67ed77 100755
--- a/scripts/azure-ci-test.sh
+++ b/scripts/azure-ci-test.sh
@@ -127,6 +127,12 @@ save_logs() {
 cleanup() {
 save_logs || true
+ echo "Delete key vault"
+ az keyvault delete --name "${KEYVAULT_NAME}" --resource-group "${GROUP_NAME}" || true
+
+ echo "Purge key vault"
+ az keyvault purge --name "${KEYVAULT_NAME}" --no-wait || true
+
 echo "Deleting group"
 az group delete --name "${GROUP_NAME}" --yes --no-wait || true
 }
diff --git a/test/bats/azure-test.bats b/test/bats/azure-test.bats
index bde205672..a30556dd7 100644
--- a/test/bats/azure-test.bats
+++ b/test/bats/azure-test.bats
@@ -32,7 +32,7 @@ SLEEP_TIME=1
 # enable dynamic plugins
 helm upgrade --atomic --namespace gatekeeper-system --reuse-values --set featureFlags.RATIFY_EXPERIMENTAL_DYNAMIC_PLUGINS=true ratify ./charts/ratify
- sleep 5
+ sleep 30
 latestpod=$(kubectl -n gatekeeper-system get pod -l=app.kubernetes.io/name=ratify --sort-by=.metadata.creationTimestamp -o=name | tail -n 1)
 run kubectl apply -f ./config/samples/clustered/verifier/config_v1beta1_verifier_dynamic.yaml
@@ -60,7 +60,7 @@ SLEEP_TIME=1
 assert_success
 # verify that the image can be run with a root cert, root verification cert should have been configured on deployment
- run kubectl run demo-leaf --namespace default --image=${TEST_REGISTRY}/notation:leafSigned
+ wait_for_process 20 10 'kubectl run demo-leaf --namespace default --image=${TEST_REGISTRY}/notation:leafSigned'
 assert_success
 # add the leaf certificate as an inline certificate store
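Review bot: The two new `az keyvault` calls in cleanup() discard their exit status with `|| true`, so when the delete or the purge fails (purge protection on the vault, an expired token, a soft-deleted vault still occupying the name) the test vault and whatever certificates or keys it holds stay behind with no trace in the job output. Unlike `save_logs || true` just above, that silence hides a resource that is supposed to be gone; print a warning on the failing branch instead, e.g. `az keyvault delete --name "${KEYVAULT_NAME}" --resource-group "${GROUP_NAME}" || echo "warn: key vault delete failed, manual purge may be needed" >&2`, and the same for the purge line. Since `az keyvault purge` is irreversible, referencing the name as `"${KEYVAULT_NAME:?}"` would also make an unset variable abort loudly rather than reach the purge with an empty name.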
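Review bot: Raising `sleep 5` to `sleep 30` before `latestpod=$(kubectl ... | tail -n 1)` trades one arbitrary delay for another; a rollout slower than 30 s (presumably this waits for the ratify pod restarted by the preceding `helm upgrade`) still selects the previous pod, while a fast one idles for the full period. A readiness condition expresses the intent directly, e.g. `kubectl -n gatekeeper-system wait --for=condition=Ready pod -l app.kubernetes.io/name=ratify --timeout=120s` placed before `latestpod` is read. The enclosing @test starts outside the hunk.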
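Review bot: `assert_success` on the line after the new `wait_for_process 20 10 '...'` call no longer checks that command: bats-assert's `assert_success` inspects the `$status` left by the most recent `run`, and unless wait_for_process (defined outside this hunk) sets `status` itself, the assertion is evaluated against the earlier `run kubectl apply` result and the demo-leaf admission check is silently unverified. Wrapping the helper, `run wait_for_process 20 10 'kubectl run demo-leaf --namespace default --image=${TEST_REGISTRY}/notation:leafSigned'`, makes the retry loop's exit status the one asserted. The same pattern appears in the hunks at -93, -116, -145, -165, -196, -230, -256, -268 and -313. The single-quoted command also relies on the helper evaluating its argument through the shell, since `${TEST_REGISTRY}` is not expanded at the call site; that contract is worth a one-line comment at the helper's definition.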
@@ -93,7 +93,7 @@ SLEEP_TIME=1
 run kubectl apply -f ./library/multi-tenancy-validation/samples/constraint.yaml
 assert_success
 sleep 5
- run kubectl run demo --namespace default --image=${TEST_REGISTRY}/notation:signed
+ wait_for_process 20 10 'kubectl run demo --namespace default --image=${TEST_REGISTRY}/notation:signed'
 assert_success
 run kubectl run demo1 --namespace default --image=${TEST_REGISTRY}/notation:unsigned
 assert_failure
@@ -116,7 +116,7 @@ SLEEP_TIME=1
 assert_success
 sleep 5
- run kubectl run cosign-demo --namespace default --image=${TEST_REGISTRY}/cosign:signed-key
+ wait_for_process 20 10 'kubectl run cosign-demo --namespace default --image=${TEST_REGISTRY}/cosign:signed-key'
 assert_success
 run kubectl run cosign-demo2 --namespace default --image=${TEST_REGISTRY}/cosign:unsigned
 assert_failure
@@ -145,7 +145,7 @@ SLEEP_TIME=1
 run kubectl apply -f ./config/samples/clustered/verifier/config_v1beta1_verifier_complete_licensechecker.yaml
 # wait for the httpserver cache to be invalidated
 sleep 15
- run kubectl run license-checker2 --namespace default --image=${TEST_REGISTRY}/licensechecker:v0
+ wait_for_process 20 10 'kubectl run license-checker2 --namespace default --image=${TEST_REGISTRY}/licensechecker:v0'
 assert_success
 }
@@ -165,7 +165,7 @@ SLEEP_TIME=1
 run kubectl apply -f ./config/samples/clustered/verifier/config_v1beta1_verifier_sbom.yaml
 sleep 5
- run kubectl run sbom --namespace default --image=${TEST_REGISTRY}/sbom:v0
+ wait_for_process 20 10 'kubectl run sbom --namespace default --image=${TEST_REGISTRY}/sbom:v0'
 assert_success
 run kubectl delete verifiers.config.ratify.deislabs.io/verifier-sbom
@@ -196,7 +196,7 @@ SLEEP_TIME=1
 run kubectl apply -f ./config/samples/clustered/verifier/config_v1beta1_verifier_schemavalidator.yaml
 sleep 5
- run kubectl run schemavalidator --namespace default --image=${TEST_REGISTRY}/schemavalidator:v0
+ wait_for_process 20 10 'kubectl run schemavalidator --namespace default --image=${TEST_REGISTRY}/schemavalidator:v0'
 assert_success
 run kubectl apply -f ./config/samples/clustered/verifier/config_v1beta1_verifier_schemavalidator_bad.yaml
@@ -230,7 +230,7 @@ SLEEP_TIME=1
 run kubectl apply -f ./config/samples/clustered/verifier/config_v1beta1_verifier_schemavalidator.yaml
 sleep 5
- run kubectl run all-in-one --namespace default --image=${TEST_REGISTRY}/all:v0
+ wait_for_process 20 10 'kubectl run all-in-one --namespace default --image=${TEST_REGISTRY}/all:v0'
 assert_success
 }
@@ -256,7 +256,7 @@ SLEEP_TIME=1
 # wait for the httpserver cache to be invalidated
 sleep 15
- run kubectl run crdtest --namespace default --image=${TEST_REGISTRY}/notation:signed
+ wait_for_process 20 10 'kubectl run crdtest --namespace default --image=${TEST_REGISTRY}/notation:signed'
 assert_success
 }
@@ -268,7 +268,7 @@ SLEEP_TIME=1
 run kubectl apply -f ./library/multi-tenancy-validation/samples/constraint.yaml
 assert_success
 sleep 5
- run kubectl run demo2 --image=${TEST_REGISTRY}/notation:signed
+ wait_for_process 20 10 'kubectl run demo2 --image=${TEST_REGISTRY}/notation:signed'
 assert_success
 run kubectl get configmaps ratify-configuration --namespace=gatekeeper-system -o yaml >currentConfig.yaml
@@ -313,7 +313,7 @@ SLEEP_TIME=1
 run kubectl apply -f ./library/multi-tenancy-validation/samples/constraint.yaml
 assert_success
 sleep 5
- run kubectl run mutate-demo --namespace default --image=${TEST_REGISTRY}/notation:signed
+ wait_for_process 20 10 'kubectl run mutate-demo --namespace default --image=${TEST_REGISTRY}/notation:signed'
 assert_success
 result=$(kubectl get pod mutate-demo --namespace default -o json | jq -r ".spec.containers[0].image" | grep @sha)
 assert_mutate_success
From 59d2f8c1603919da5481fb815d420cb777a18372 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 6 Jun 2024 20:50:46 +0000
Subject: [PATCH 2/3] chore: Bump golang from `16438a8` to `a8edec5` in /httpserver (#1547)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Susan Shi
---
 httpserver/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/httpserver/Dockerfile b/httpserver/Dockerfile
index 8e434f1af..be47fd96c 100644
--- a/httpserver/Dockerfile
+++ b/httpserver/Dockerfile
@@ -11,7 +11,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM --platform=$BUILDPLATFORM golang:1.21@sha256:16438a8e66c0c984f732e815ee5b7d715b8e33e81bac6d6a3750b1067744e7ca as builder
+FROM --platform=$BUILDPLATFORM golang:1.21@sha256:a8edec58ba598e2f1259f4ec4ca1b06358468214225e73d7c841ab0980c12367 as builder
 ARG TARGETPLATFORM
 ARG TARGETOS
From 12e39b9ba5a26fbb56c8a6873a91dec0f22a97a9 Mon Sep 17 00:00:00 2001
From: Akash Singhal
Date: Thu, 6 Jun 2024 16:10:20 -0700
Subject: [PATCH 3/3] chore: update dev helmfile and publishing workflow (#1551)
---
 .github/workflows/publish-dev-assets.yml | 4 ++--
 dev.helmfile.yaml | 4 ++--
 dev.high-availability.helmfile.yaml | 12 ++++++------
 3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/publish-dev-assets.yml b/.github/workflows/publish-dev-assets.yml
index 0697e5154..b81daeaa5 100644
--- a/.github/workflows/publish-dev-assets.yml
+++ b/.github/workflows/publish-dev-assets.yml
@@ -72,8 +72,8 @@ jobs:
 --push .
 - name: replace version
 run: |
- sed -i '/^ repository:/c\ repository: ghcr.io/deislabs/ratify-dev' charts/ratify/values.yaml
- sed -i '/^ crdRepository:/c\ crdRepository: ghcr.io/deislabs/ratify-crds-dev' charts/ratify/values.yaml
+ sed -i '/^ repository:/c\ repository: ghcr.io/ratify-project/ratify-dev' charts/ratify/values.yaml
+ sed -i '/^ crdRepository:/c\ crdRepository: ghcr.io/ratify-project/ratify-crds-dev' charts/ratify/values.yaml
 sed -i '/^ tag:/c\ tag: ${{ steps.prepare.outputs.version }}' charts/ratify/values.yaml
 - name: helm package
 run: |
diff --git a/dev.helmfile.yaml b/dev.helmfile.yaml
index ac8f79d25..0a3f4060a 100644
--- a/dev.helmfile.yaml
+++ b/dev.helmfile.yaml
@@ -2,7 +2,7 @@ repositories:
 - name: gatekeeper
 url: https://open-policy-agent.github.io/gatekeeper/charts
 - name: ratify
- url: ghcr.io/deislabs/ratify-chart-dev # PRERELEASE: Change to 'https://ratify-project.github.io/ratify' before copying to helmfile.yaml
+ url: ghcr.io/ratify-project/ratify-chart-dev # PRERELEASE: Change to 'https://ratify-project.github.io/ratify' before copying to helmfile.yaml
 oci: true # PRERELEASE: Remove before copying to helmfile.yaml
 releases:
@@ -77,6 +77,6 @@ releases:
 - "gatekeeper-system"
 set:
 - name: notationCerts[0]
- value: {{ exec "curl" (list "-sSL" "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/notation.crt") | quote }}
+ value: {{ exec "curl" (list "-sSL" "https://raw.githubusercontent.com/ratify-project/ratify/main/test/testdata/notation.crt") | quote }}
 - name: featureFlags.RATIFY_CERT_ROTATION
 value: true
diff --git a/dev.high-availability.helmfile.yaml b/dev.high-availability.helmfile.yaml
index 20f1fd408..3436a1c55 100644
--- a/dev.high-availability.helmfile.yaml
+++ b/dev.high-availability.helmfile.yaml
@@ -6,7 +6,7 @@ repositories:
 - name: bitnami
 url: https://charts.bitnami.com/bitnami
 - name: ratify
- url: ghcr.io/deislabs/ratify-chart-dev # PRERELEASE: Change to 'https://ratify-project.github.io/ratify' before copying to helmfile.yaml
+ url: ghcr.io/ratify-project/ratify-chart-dev # PRERELEASE: Change to 'https://ratify-project.github.io/ratify' before copying to helmfile.yaml
 oci: true # PRERELEASE: Remove before copying to helmfile.yaml
 releases:
@@ -63,14 +63,14 @@ releases:
 command: "bash"
 args:
 - "-c"
- - "export SIGN_KEY=$(openssl rand 16 | hexdump -v -e '/1 \"%02x\"' | base64) && curl https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/dapr/dapr-redis-secret.yaml | yq e '.data.signingKey = strenv(SIGN_KEY)' | kubectl apply -f -"
+ - "export SIGN_KEY=$(openssl rand 16 | hexdump -v -e '/1 \"%02x\"' | base64) && curl https://raw.githubusercontent.com/ratify-project/ratify/main/test/testdata/dapr/dapr-redis-secret.yaml | yq e '.data.signingKey = strenv(SIGN_KEY)' | kubectl apply -f -"
 - events: ["presync"]
 showlogs: true
 command: "kubectl"
 args:
 - "apply"
 - "-f"
- - "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/dapr/dapr-redis.yaml"
+ - "https://raw.githubusercontent.com/ratify-project/ratify/main/test/testdata/dapr/dapr-redis.yaml"
 - "-n"
 - "gatekeeper-system"
 - events: ["presync"]
@@ -85,7 +85,7 @@ releases:
 args:
 - "delete"
 - "-f"
- - "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/dapr/dapr-redis-secret.yaml"
+ - "https://raw.githubusercontent.com/ratify-project/ratify/main/test/testdata/dapr/dapr-redis-secret.yaml"
 - "-n"
 - "gatekeeper-system"
 - "--ignore-not-found=true"
@@ -95,7 +95,7 @@ releases:
 args:
 - "delete"
 - "-f"
- - "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/dapr/dapr-redis.yaml"
+ - "https://raw.githubusercontent.com/ratify-project/ratify/main/test/testdata/dapr/dapr-redis.yaml"
 - "-n"
 - "gatekeeper-system"
 - "--ignore-not-found=true"
@@ -146,7 +146,7 @@ releases:
 - name: logger.level
 value: debug
 - name: notationCerts[0]
- value: {{ exec "curl" (list "-sSL" "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/notation.crt") | quote }}
+ value: {{ exec "curl" (list "-sSL" "https://raw.githubusercontent.com/ratify-project/ratify/main/test/testdata/notation.crt") | quote }}
 - name: replicaCount
 value: 2
 - name: provider.cache.type