Bump sigs.k8s.io/controller-tools from 0.19.0 to 0.20.0 in /hack/cont… #164
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: | |
| - '**' | |
| - '!dependabot/**' | |
| tags: | |
| # semver tags | |
| - 'v[0-9]+\.[0-9]+\.[0-9]+-?**' | |
| pull_request: {} | |
| env: | |
| IMGPKG: go run -modfile hack/imgpkg/go.mod carvel.dev/imgpkg/cmd/imgpkg | |
| KAPP: go run -modfile hack/kapp/go.mod carvel.dev/kapp/cmd/kapp | |
| KBLD: go run -modfile hack/kbld/go.mod carvel.dev/kbld/cmd/kbld | |
| KO: go run -modfile hack/ko/go.mod github.com/google/ko | |
| jobs: | |
| unit: | |
| name: Unit Test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/setup-go@v6 | |
| with: | |
| go-version: 1.25.x | |
| - uses: actions/checkout@v6 | |
| - name: Test | |
| run: make test | |
| - name: Report coverage | |
| uses: codecov/codecov-action@v5 | |
| env: | |
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
| - name: Disallow generated drift | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| git diff --exit-code . | |
| stage: | |
| name: Stage | |
| runs-on: ubuntu-latest | |
| env: | |
| REGISTRY_NAME: registry.local | |
| KO_DOCKER_REPO: registry.local/ducks | |
| KO_PLATFORMS: linux/amd64,linux/arm64 | |
| BUNDLE: registry.local/ducks/bundle | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: actions/setup-go@v6 | |
| with: | |
| go-version: 1.25.x | |
| - name: Generate certs | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| CERT_DIR=$(mktemp -d -t certs.XXXX) | |
| echo "CERT_DIR=$CERT_DIR" >> $GITHUB_ENV | |
| echo "##[group]Install cfssl" | |
| curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssl_1.6.5_linux_amd64 -o cfssl | |
| curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssljson_1.6.5_linux_amd64 -o cfssljson | |
| chmod +x cfssl* | |
| sudo mv cfssl* /usr/local/bin | |
| echo "##[endgroup]" | |
| echo "##[group]Generate CA" | |
| cfssl gencert -initca .github/tls/root-csr.json \ | |
| | cfssljson -bare ${CERT_DIR}/root-ca | |
| cfssl gencert -ca ${CERT_DIR}/root-ca.pem -ca-key ${CERT_DIR}/root-ca-key.pem \ | |
| -config=".github/tls/config.json" \ | |
| -profile="intermediate" .github/tls/intermediate-csr.json \ | |
| | cfssljson -bare ${CERT_DIR}/signing-ca | |
| cat ${CERT_DIR}/signing-ca.pem ${CERT_DIR}/root-ca.pem > ${CERT_DIR}/ca.pem | |
| echo "##[endgroup]" | |
| echo "##[group]Install CA" | |
| # https://ubuntu.com/server/docs/security-trust-store | |
| sudo apt-get install -y ca-certificates | |
| sudo cp ${CERT_DIR}/ca.pem /usr/local/share/ca-certificates/ca.crt | |
| sudo update-ca-certificates | |
| echo "##[endgroup]" | |
| echo "##[group]Generate cert" | |
| cfssl gencert -ca ${CERT_DIR}/signing-ca.pem -ca-key ${CERT_DIR}/signing-ca-key.pem \ | |
| -config=".github/tls/config.json" \ | |
| -profile="server" \ | |
| -hostname="${REGISTRY_NAME},local-registry" \ | |
| .github/tls/server-csr.json \ | |
| | cfssljson -bare ${CERT_DIR}/server | |
| echo "##[endgroup]" | |
| - name: Setup local registry | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| # Run a registry. | |
| docker run -d \ | |
| --restart=always \ | |
| --name local-registry \ | |
| -v ${CERT_DIR}:/certs \ | |
| -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \ | |
| -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.pem \ | |
| -e REGISTRY_HTTP_TLS_KEY=/certs/server-key.pem \ | |
| -p "443:443" \ | |
| registry:2 | |
| # Make the $REGISTRY_NAME -> local-registry | |
| echo "$(hostname -I | cut -d' ' -f1) $REGISTRY_NAME" | sudo tee -a /etc/hosts | |
| - name: Build all platforms for tags | |
| if: startsWith(github.ref, 'refs/tags/') | |
| run: | | |
| echo "KO_PLATFORMS=all" >> $GITHUB_ENV | |
| - name: Build | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| scratch=$(mktemp -d -t bundle.XXXX) | |
| mkdir -p "${scratch}/.imgpkg" | |
| mkdir -p "${scratch}/config" | |
| cp LICENSE "${scratch}/LICENSE" | |
| echo "##[group]Build" | |
| cat hack/boilerplate.yaml.txt > "${scratch}/config/reconcilerio-ducks.yaml" | |
| ${KO} resolve --platform ${KO_PLATFORMS} -f config/ducks-runtime.yaml >> "${scratch}/config/reconcilerio-ducks.yaml" | |
| ${KBLD} --imgpkg-lock-output "${scratch}/.imgpkg/images.yml" \ | |
| -f "${scratch}/config/reconcilerio-ducks.yaml" \ | |
| > /dev/null | |
| echo "##[endgroup]" | |
| echo "##[group]Create bundle" | |
| ${IMGPKG} push -f "${scratch}" -b "${BUNDLE}" | |
| ${IMGPKG} copy -b "${BUNDLE}" --to-tar reconcilerio-ducks-bundle.tar | |
| echo "##[endgroup]" | |
| - uses: actions/upload-artifact@v6 | |
| with: | |
| name: reconcilerio-ducks-bundle.tar | |
| path: reconcilerio-ducks-bundle.tar | |
| retention-days: 7 | |
| acceptance: | |
| name: Acceptance Test | |
| needs: stage | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - node: kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7325357a1ac94ba865 | |
| version: v1.31.0 | |
| os: ubuntu-latest | |
| env: | |
| REGISTRY_NAME: registry.local | |
| BUNDLE: registry.local/bundle | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: actions/setup-go@v6 | |
| with: | |
| go-version: 1.25.x | |
| - name: Install kind | |
| run: | | |
| cd $(mktemp -d -t kind.XXXX) | |
| curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.24.0/kind-$(go env GOHOSTOS)-$(go env GOHOSTARCH) | |
| chmod +x ./kind | |
| sudo mv ./kind /usr/local/bin | |
| cd - | |
| - name: Generate certs | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| CERT_DIR=$(mktemp -d -t certs.XXXX) | |
| echo "CERT_DIR=$CERT_DIR" >> $GITHUB_ENV | |
| echo "##[group]Install cfssl" | |
| curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssl_1.6.5_linux_amd64 -o cfssl | |
| curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.5/cfssljson_1.6.5_linux_amd64 -o cfssljson | |
| chmod +x cfssl* | |
| sudo mv cfssl* /usr/local/bin | |
| echo "##[endgroup]" | |
| echo "##[group]Generate CA" | |
| cfssl gencert -initca .github/tls/root-csr.json \ | |
| | cfssljson -bare ${CERT_DIR}/root-ca | |
| cfssl gencert -ca ${CERT_DIR}/root-ca.pem -ca-key ${CERT_DIR}/root-ca-key.pem \ | |
| -config=".github/tls/config.json" \ | |
| -profile="intermediate" .github/tls/intermediate-csr.json \ | |
| | cfssljson -bare ${CERT_DIR}/signing-ca | |
| cat ${CERT_DIR}/signing-ca.pem ${CERT_DIR}/root-ca.pem > ${CERT_DIR}/ca.pem | |
| echo "##[endgroup]" | |
| echo "##[group]Install CA" | |
| # https://ubuntu.com/server/docs/security-trust-store | |
| sudo apt-get install -y ca-certificates | |
| sudo cp ${CERT_DIR}/ca.pem /usr/local/share/ca-certificates/ca.crt | |
| sudo update-ca-certificates | |
| echo "##[endgroup]" | |
| echo "##[group]Generate cert" | |
| cfssl gencert -ca ${CERT_DIR}/signing-ca.pem -ca-key ${CERT_DIR}/signing-ca-key.pem \ | |
| -config=".github/tls/config.json" \ | |
| -profile="server" \ | |
| -hostname="${REGISTRY_NAME},local-registry" \ | |
| .github/tls/server-csr.json \ | |
| | cfssljson -bare ${CERT_DIR}/server | |
| echo "##[endgroup]" | |
| - name: Setup local registry | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| # Run a registry. | |
| docker run -d \ | |
| --restart=always \ | |
| --name local-registry \ | |
| -v ${CERT_DIR}:/certs \ | |
| -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \ | |
| -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/server.pem \ | |
| -e REGISTRY_HTTP_TLS_KEY=/certs/server-key.pem \ | |
| -p "443:443" \ | |
| registry:2 | |
| # Make the $REGISTRY_NAME -> local-registry | |
| echo "$(hostname -I | cut -d' ' -f1) $REGISTRY_NAME" | sudo tee -a /etc/hosts | |
| - name: Create Cluster | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| # create a cluster with the local registry enabled in containerd | |
| cat <<EOF | kind create cluster --config=- | |
| kind: Cluster | |
| apiVersion: kind.x-k8s.io/v1alpha4 | |
| containerdConfigPatches: | |
| - |- | |
| [plugins."io.containerd.grpc.v1.cri".registry.mirrors."${REGISTRY_NAME}"] | |
| endpoint = ["https://local-registry"] | |
| - |- | |
| [plugins."io.containerd.grpc.v1.cri".registry.configs."local-registry".tls] | |
| ca_file = "/etc/docker/certs.d/local-registry/ca.pem" | |
| nodes: | |
| - role: control-plane | |
| image: ${{ matrix.node }} | |
| extraMounts: | |
| - containerPath: /etc/docker/certs.d/local-registry | |
| hostPath: ${CERT_DIR} | |
| EOF | |
| # connect the registry to the cluster network | |
| docker network connect kind local-registry | |
| # Document the local registry | |
| # https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry | |
| cat <<EOF | kubectl apply -f - | |
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: local-registry-hosting | |
| namespace: kube-public | |
| data: | |
| localRegistryHosting.v1: | | |
| host: "localhost" | |
| help: "https://kind.sigs.k8s.io/docs/user/local-registry/" | |
| EOF | |
| - name: Download staged bundle | |
| uses: actions/download-artifact@v7 | |
| with: | |
| name: reconcilerio-ducks-bundle.tar | |
| - name: Relocate bundle | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| ${IMGPKG} copy --tar reconcilerio-ducks-bundle.tar --to-repo "${BUNDLE}" | |
| mkdir -p bundle | |
| ${IMGPKG} pull -b "${BUNDLE}" -o bundle | |
| - name: Deploy | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| echo "##[group]Create namespace" | |
| kubectl create ns apps | |
| echo "##[endgroup]" | |
| echo "##[group]Deploy cert-manager" | |
| ${KAPP} deploy -a cert-manager -n apps --wait-timeout 5m -y \ | |
| -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.1/cert-manager.yaml | |
| echo "##[endgroup]" | |
| echo "##[group]Deploy reconcilerio-ducks" | |
| ${KAPP} deploy -a reconcilerio-ducks -n apps --wait-timeout 5m -y \ | |
| -f <(${KBLD} -f bundle/.imgpkg/images.yml -f bundle/config) | |
| echo "##[endgroup]" | |
| - name: Delete Gracefully | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| echo "##[group]Delete reconcilerio-ducks" | |
| ${KAPP} delete -a reconcilerio-ducks -n apps --wait-timeout 5m -y | |
| echo "##[endgroup]" | |
| echo "##[group]Delete cert-manager" | |
| ${KAPP} delete -a cert-manager -n apps --wait-timeout 5m -y | |
| echo "##[endgroup]" | |
| if: always() | |
| - name: Cleanup cluster | |
| run: kind delete cluster | |
| if: always() | |
| # aggregate the unit and acceptance results into a single job | |
| test: | |
| name: Test | |
| needs: | |
| - unit | |
| - acceptance | |
| runs-on: ubuntu-latest | |
| steps: | |
| - run: echo "it passed" | |
| release: | |
| name: Release | |
| if: startsWith(github.ref, 'refs/tags/') | |
| needs: | |
| - test | |
| permissions: | |
| contents: write | |
| packages: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: actions/setup-go@v6 | |
| with: | |
| go-version: 1.25.x | |
| - name: Get the version | |
| id: get_version | |
| run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//} | |
| - name: Download staged bundle | |
| uses: actions/download-artifact@v7 | |
| with: | |
| name: reconcilerio-ducks-bundle.tar | |
| - name: Install crane | |
| run: | | |
| cd $(mktemp -d -t crane.XXXX) | |
| curl -L https://github.com/google/go-containerregistry/releases/download/v0.9.0/go-containerregistry_Linux_x86_64.tar.gz | tar -xz | |
| chmod +x ./crane | |
| sudo mv ./crane /usr/local/bin | |
| cd - | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Relocate bundle to public registry | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| version=${{ steps.get_version.outputs.VERSION }} | |
| ${IMGPKG} copy --tar reconcilerio-ducks-bundle.tar --to-repo "ghcr.io/${{ github.repository }}/bundle" | |
| crane tag "ghcr.io/${{ github.repository }}/bundle" "${version}" | |
| digest=$(crane digest "ghcr.io/${{ github.repository }}/bundle:${version}") | |
| scratch=$(mktemp -d -t bundle.XXXX) | |
| mkdir -p ${scratch} | |
| ${IMGPKG} pull -b "ghcr.io/${{ github.repository }}/bundle:${version}@${digest}" -o ${scratch} | |
| cp hack/boilerplate.yaml.txt reconcilerio-ducks.yaml | |
| ${KBLD} -f ${scratch}/config/reconcilerio-ducks.yaml -f ${scratch}/.imgpkg/images.yml \ | |
| >> reconcilerio-ducks.yaml | |
| - name: Rename artifacts with version | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| version=${{ steps.get_version.outputs.VERSION }} | |
| cp reconcilerio-ducks-bundle.tar reconcilerio-ducks-bundle-${version}.tar | |
| cp reconcilerio-ducks.yaml reconcilerio-ducks-${version}.yaml | |
| - name: Draft GitHub Release | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| draft: true | |
| files: | | |
| reconcilerio-ducks-bundle-${{ steps.get_version.outputs.VERSION }}.tar | |
| reconcilerio-ducks-${{ steps.get_version.outputs.VERSION }}.yaml | |
| fail_on_unmatched_files: true | |
| token: ${{ secrets.GITHUB_TOKEN }} |