[Backport 1.28-strict] fix: ensure nf_conntrack module loaded for kubelite. #5053
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and test MicroK8s snap | |
on: | |
- pull_request | |
jobs: | |
build: | |
name: Create snap package | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checking out repo | |
uses: actions/[email protected] | |
- name: Install lxd | |
run: | | |
sudo lxd init --auto | |
sudo usermod --append --groups lxd $USER | |
sg lxd -c 'lxc version' | |
- name: Install snapcraft | |
run: | | |
sudo snap install snapcraft --classic | |
- name: Install snapd from candidate | |
run: | | |
# TODO(neoaggelos): revert this after latest/beta is working again | |
sudo snap refresh snapd --channel=latest/stable | |
- name: Build snap | |
run: | | |
sg lxd -c 'snapcraft --use-lxd' | |
sudo mv microk8s*.snap microk8s.snap | |
- name: Uploading snap | |
uses: actions/upload-artifact@v3 | |
with: | |
name: microk8s.snap | |
path: microk8s.snap | |
test-upgrade: | |
name: Upgrade path test | |
runs-on: ubuntu-20.04 | |
needs: build | |
steps: | |
- name: Checking out repo | |
uses: actions/[email protected] | |
- name: Install test dependencies | |
run: | | |
set -x | |
sudo apt-get install python3-setuptools | |
sudo pip3 install --upgrade pip | |
sudo pip3 install -U pytest sh | |
sudo apt-get -y install open-iscsi | |
sudo systemctl enable iscsid | |
- name: Fetch snap | |
uses: actions/[email protected] | |
with: | |
name: microk8s.snap | |
path: build | |
- name: Running upgrade path test | |
run: | | |
sudo -E STRICT=yes UPGRADE_MICROK8S_FROM=1.28-strict/edge UPGRADE_MICROK8S_TO=$PWD/build/microk8s.snap pytest -s ./tests/test-upgrade-path.py | |
test-addons-core: | |
name: Test core addons | |
runs-on: ubuntu-20.04 | |
needs: build | |
steps: | |
- name: Checking out repo | |
uses: actions/[email protected] | |
- name: Install test dependencies | |
run: | | |
set -x | |
sudo apt-get install python3-setuptools | |
sudo pip3 install --upgrade pip | |
sudo pip3 install -U pytest sh | |
sudo apt-get -y install open-iscsi | |
sudo systemctl enable iscsid | |
- name: Fetch snap | |
uses: actions/[email protected] | |
with: | |
name: microk8s.snap | |
path: build | |
- name: Running addons tests in strict mode | |
run: | | |
set -x | |
sudo snap install build/microk8s.snap --dangerous | |
sudo /snap/microk8s/current/connect-all-interfaces.sh | |
sudo microk8s status --wait-ready --timeout 300 | |
./tests/smoke-test.sh | |
export UNDER_TIME_PRESSURE="True" | |
export STRICT="yes" | |
sudo -E bash -c "cd /var/snap/microk8s/common/addons/core/tests; pytest -s -ra test-addons.py" | |
test-addons-community: | |
name: Test community addons | |
runs-on: ubuntu-20.04 | |
needs: build | |
steps: | |
- name: Checking out repo | |
uses: actions/[email protected] | |
- name: Install test dependencies | |
run: | | |
set -x | |
sudo apt-get install python3-setuptools | |
sudo pip3 install --upgrade pip | |
sudo pip3 install -U pytest sh | |
sudo apt-get -y install open-iscsi | |
sudo systemctl enable iscsid | |
- name: Fetch snap | |
uses: actions/[email protected] | |
with: | |
name: microk8s.snap | |
path: build | |
- name: Running addons tests | |
run: | | |
set -x | |
sudo snap install build/microk8s.snap --classic --dangerous | |
sudo /snap/microk8s/current/connect-all-interfaces.sh | |
sudo microk8s status --wait-ready --timeout 300 | |
sudo microk8s enable community | |
export UNDER_TIME_PRESSURE="True" | |
export STRICT="yes" | |
sudo -E bash -c "cd /var/snap/microk8s/common/addons/community/; pytest -s -ra ./tests/" | |
test-addons-core-upgrade: | |
name: Test core addons upgrade | |
runs-on: ubuntu-20.04 | |
needs: build | |
steps: | |
- name: Checking out repo | |
uses: actions/[email protected] | |
# - name: Setup tmate session | |
# uses: mxschmitt/action-tmate@v3 | |
- name: Install test dependencies | |
run: | | |
set -x | |
sudo apt-get install python3-setuptools | |
sudo pip3 install --upgrade pip | |
sudo pip3 install -U pytest sh | |
sudo apt-get -y install open-iscsi | |
sudo systemctl enable iscsid | |
- name: Fetch snap | |
uses: actions/[email protected] | |
with: | |
name: microk8s.snap | |
path: build | |
- name: Running upgrade tests | |
run: | | |
set -x | |
export UNDER_TIME_PRESSURE="True" | |
export STRICT="yes" | |
sudo -E bash -c "UPGRADE_MICROK8S_FROM=1.28-strict/edge UPGRADE_MICROK8S_TO=$PWD/build/microk8s.snap pytest -s ./tests/test-upgrade.py" | |
test-cluster-agent: | |
name: Cluster agent health check | |
runs-on: ubuntu-20.04 | |
needs: build | |
steps: | |
- name: Checking out repo | |
uses: actions/[email protected] | |
- name: Install test dependencies | |
run: | | |
set -x | |
sudo apt-get install python3-setuptools | |
sudo pip3 install --upgrade pip | |
sudo pip3 install -U pytest sh requests | |
- name: Fetch snap | |
uses: actions/[email protected] | |
with: | |
name: microk8s.snap | |
path: build | |
- name: Running cluster agent health check | |
run: | | |
set -x | |
sudo snap install build/microk8s.snap --classic --dangerous | |
sudo /snap/microk8s/current/connect-all-interfaces.sh | |
sudo -E bash -c "pytest -s ./tests/test-cluster-agent.py" | |
test-airgap: | |
name: Test airgap installation | |
runs-on: ubuntu-20.04 | |
needs: build | |
steps: | |
- name: Checking out repo | |
uses: actions/[email protected] | |
- name: Fetch snap | |
uses: actions/[email protected] | |
with: | |
name: microk8s.snap | |
path: build | |
- name: Initialize LXD | |
run: | | |
sudo lxd init --auto | |
sudo lxc network set lxdbr0 ipv6.address=none | |
sudo usermod --append --groups lxd $USER | |
sg lxd -c 'lxc version' | |
- name: Run airgap tests | |
run: | | |
sudo -E bash -x -c "./tests/libs/airgap.sh --distro ubuntu:20.04 --channel $PWD/build/microk8s.snap" | |
security-scan: | |
name: Security scan | |
runs-on: ubuntu-20.04 | |
needs: build | |
steps: | |
- name: Checking out repo | |
uses: actions/[email protected] | |
- name: Fetch snap | |
uses: actions/[email protected] | |
with: | |
name: microk8s.snap | |
path: build | |
- name: Setup Trivy vulnerability scanner | |
run: | | |
mkdir -p sarifs | |
VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}'); | |
wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz | |
tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz | |
- name: Run Trivy vulnerability scanner in repo mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: "fs" | |
ignore-unfixed: true | |
format: "sarif" | |
output: "trivy-microk8s-repo-scan--results.sarif" | |
severity: "CRITICAL" | |
- name: Gather Trivy repo scan results | |
run: | | |
cp trivy-microk8s-repo-scan--results.sarif ./sarifs/ | |
- name: Run Trivy vulnerability scanner on images | |
run: | | |
for i in $(cat ./build-scripts/images.txt) ; do | |
name=$(echo $i | awk -F ':|/' '{print $(NF-1)}') | |
./trivy image $i --format sarif > sarifs/$name.sarif | |
done | |
- name: Run Trivy vulnerability scanner on the snap | |
run: | | |
cp build/microk8s.snap . | |
unsquashfs microk8s.snap | |
./trivy rootfs ./squashfs-root/ --format sarif > sarifs/snap.sarif | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: "sarifs" |