name: Conformance tests permissions: {} on: pull_request: branches: - 'main' - 'release*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: prepare-images: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Setup build env uses: ./.github/actions/setup-build-env timeout-minutes: 10 with: build-cache-key: build-images - name: ko build shell: bash run: | set -e VERSION=${{ github.ref_name }} make docker-save-image-all - name: upload images archive uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: kyverno.tar path: kyverno.tar retention-days: 1 if-no-files-found: error # runs conformance test suites with configuration: standard: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: config: - name: standard values: - standard k8s-version: - name: v1.25 version: v1.25.11 - name: v1.26 version: v1.26.6 - name: v1.27 version: v1.27.3 - name: v1.28 version: v1.28.0 tests: - autogen - background-only - cleanup - deferred - events - exceptions - filter - generate/clusterpolicy - generate/policy - generate/validation - mutate - policy-validation - rangeoperators - rbac - reports - validate - verify-manifests - verifyImages - webhooks needs: prepare-images name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }} steps: - name: Checkout uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Setup build env uses: ./.github/actions/setup-build-env timeout-minutes: 10 with: build-cache-key: run-conformance - name: Create kind cluster shell: bash run: | set -e export KIND_IMAGE=kindest/node:${{ matrix.k8s-version.version }} make kind-create-cluster - name: Download kyverno images archive uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: kyverno.tar - name: Load kyverno images archive in kind cluster shell: bash run: | set -e make kind-load-image-archive - name: Install kyverno shell: bash run: | set -e export USE_CONFIG=${{ join(matrix.config.values, ',') }} make kind-install-kyverno - name: Wait for kyverno ready uses: ./.github/actions/kyverno-wait-ready - name: Test with kuttl shell: bash env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | set -e ./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} --config ./test/conformance/kuttl/_config/common.yaml - name: Debug failure if: failure() uses: ./.github/actions/kyverno-logs # runs conformance test suites with configuration: ttl: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: config: - name: ttl values: - standard - ttl k8s-version: - name: v1.25 version: v1.25.11 - name: v1.26 version: v1.26.6 - name: v1.27 version: v1.27.3 - name: v1.28 version: v1.28.0 tests: - ttl needs: prepare-images name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }} steps: - name: Checkout uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Setup build env uses: ./.github/actions/setup-build-env timeout-minutes: 10 with: build-cache-key: run-conformance - name: Create kind cluster shell: bash run: | set -e export KIND_IMAGE=kindest/node:${{ matrix.k8s-version.version }} make kind-create-cluster - name: Download kyverno images archive uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: kyverno.tar - name: Load kyverno images archive in kind cluster shell: bash run: | set -e make kind-load-image-archive - name: Install kyverno shell: bash run: | set -e export USE_CONFIG=${{ join(matrix.config.values, ',') }} make kind-install-kyverno - name: Wait for kyverno ready uses: ./.github/actions/kyverno-wait-ready - name: Test with kuttl shell: bash env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | set -e ./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} --config ./test/conformance/kuttl/_config/common.yaml - name: Debug failure if: failure() uses: ./.github/actions/kyverno-logs # runs conformance test suites with configuration: force-failure-policy-ignore: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: config: - name: force-failure-policy-ignore values: - standard - force-failure-policy-ignore k8s-version: - name: v1.25 version: v1.25.11 - name: v1.26 version: v1.26.6 - name: v1.27 version: v1.27.3 - name: v1.28 version: v1.28.0 tests: - force-failure-policy-ignore - rbac needs: prepare-images name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }} steps: - name: Checkout uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Setup build env uses: ./.github/actions/setup-build-env timeout-minutes: 10 with: build-cache-key: run-conformance - name: Create kind cluster shell: bash run: | set -e export KIND_IMAGE=kindest/node:${{ matrix.k8s-version.version }} make kind-create-cluster - name: Download kyverno images archive uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: kyverno.tar - name: Load kyverno images archive in kind cluster shell: bash run: | set -e make kind-load-image-archive - name: Install kyverno shell: bash run: | set -e export USE_CONFIG=${{ join(matrix.config.values, ',') }} make kind-install-kyverno - name: Wait for kyverno ready uses: ./.github/actions/kyverno-wait-ready - name: Test with kuttl shell: bash env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | set -e ./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} --config ./test/conformance/kuttl/_config/common.yaml - name: Debug failure if: failure() uses: ./.github/actions/kyverno-logs # runs conformance test suites with configuration: validating-admission-policies: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: config: - name: validating-admission-policies values: - standard - generate-validating-admission-policy k8s-version: - name: v1.26 version: v1.26.6 - name: v1.27 version: v1.27.3 tests: - generate-validating-admission-policy needs: prepare-images name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }} steps: - name: Checkout uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Setup build env uses: ./.github/actions/setup-build-env with: build-cache-key: run-conformance - name: Create kind cluster run: | export KIND_IMAGE=kindest/node:${{ matrix.k8s-version.version }} export KIND_CONFIG=vap-v1alpha1 make kind-create-cluster - name: Download kyverno images archive uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: kyverno.tar - name: Load kyverno images archive in kind cluster run: make kind-load-image-archive - name: Install kyverno run: | export USE_CONFIG=${{ join(matrix.config.values, ',') }} make kind-install-kyverno - name: Wait for kyverno ready uses: ./.github/actions/kyverno-wait-ready - name: Test with kuttl env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | ./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} \ --config ./test/conformance/kuttl/_config/common.yaml - name: Debug failure if: failure() uses: ./.github/actions/kyverno-logs # runs conformance test suites with configuration: default: runs-on: ubuntu-latest permissions: packages: read strategy: fail-fast: false matrix: config: - name: default values: - default k8s-version: - name: v1.25 version: v1.25.11 - name: v1.26 version: v1.26.6 - name: v1.27 version: v1.27.3 - name: v1.28 version: v1.28.0 tests: - rbac needs: prepare-images name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }} steps: - name: Checkout uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Setup build env uses: ./.github/actions/setup-build-env timeout-minutes: 10 with: build-cache-key: run-conformance - name: Create kind cluster shell: bash run: | set -e export KIND_IMAGE=kindest/node:${{ matrix.k8s-version.version }} make kind-create-cluster - name: Download kyverno images archive uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: kyverno.tar - name: Load kyverno images archive in kind cluster shell: bash run: | set -e make kind-load-image-archive - name: Install kyverno shell: bash run: | set -e export USE_CONFIG=${{ join(matrix.config.values, ',') }} make kind-install-kyverno - name: Wait for kyverno ready uses: ./.github/actions/kyverno-wait-ready - name: Test with kuttl shell: bash env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | set -e ./.tools/kubectl-kuttl test ./test/conformance/kuttl/${{ matrix.tests }} --config ./test/conformance/kuttl/_config/common.yaml - name: Debug failure if: failure() uses: ./.github/actions/kyverno-logs # runs conformance test suites with configuration: policy-library: runs-on: ubuntu-latest strategy: fail-fast: false matrix: config: - name: policy-library values: - standard k8s-version: - name: v1.25 version: v1.25.11 - name: v1.26 version: v1.26.6 - name: v1.27 version: v1.27.3 - name: v1.28 version: v1.28.0 tests: - argo - aws - best-practices - castai - cert-manager - consul - external-secret-operator - flux - istio - karpenter - kasten - kubecost - kubeops - kubevirt - linkerd - nginx-ingress - openshift # - other - other/a - other/b-d - other/e-l - other/m-q - other/rec-req - other/res - other/s-z # - pod-security # - psa - psp-migration # - tekton # - traefik # - velero needs: prepare-images name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }} steps: - name: Checkout kyverno/kyverno uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Checkout kyverno/policies uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: kyverno/policies path: policies - name: Setup build env uses: ./.github/actions/setup-build-env timeout-minutes: 10 with: build-cache-key: run-conformance - name: Create kind cluster shell: bash run: | set -e export KIND_IMAGE=kindest/node:${{ matrix.k8s-version.version }} make kind-create-cluster - name: Download kyverno images archive uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: kyverno.tar - name: Load kyverno images archive in kind cluster shell: bash run: | set -e make kind-load-image-archive - name: Install kyverno shell: bash run: | set -e export USE_CONFIG=${{ join(matrix.config.values, ',') }} make kind-install-kyverno - name: Wait for kyverno ready uses: ./.github/actions/kyverno-wait-ready - name: Build Kyverno CLI shell: bash run: | set -e make build-cli ln -s $PWD/cmd/cli/kubectl-kyverno/kubectl-kyverno ./cmd/cli/kubectl-kyverno/kyverno echo "$PWD/cmd/cli/kubectl-kyverno" >> $GITHUB_PATH - name: Test policy library with kuttl shell: bash run: | set -e cd policies ../.tools/kubectl-kuttl test ./${{ matrix.tests }} --config ./kuttl-test.yaml - name: Debug failure if: failure() uses: ./.github/actions/kyverno-logs monitor-helm-secret-size: runs-on: ubuntu-latest permissions: packages: read needs: prepare-images steps: - name: Checkout uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Setup build env uses: ./.github/actions/setup-build-env timeout-minutes: 10 with: build-cache-key: run-conformance - name: Create kind cluster shell: bash run: | set -e make kind-create-cluster - name: Download kyverno images archive uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: kyverno.tar - name: Load kyverno images archive in kind cluster shell: bash run: | set -e make kind-load-image-archive - name: Install kyverno shell: bash run: | make kind-install-kyverno - name: Wait for kyverno ready uses: ./.github/actions/kyverno-wait-ready - name: Check secret size shell: bash run: | set -e set -u SIZE=$(kubectl get secrets -n kyverno sh.helm.release.v1.kyverno.v1 -o jsonpath='{.data.release}' | base64 -d | wc -c | awk '{print $1}') MAX_ALLOWED=1030000 if [ "$SIZE" -gt "$MAX_ALLOWED" ]; then echo "Helm secret size ($SIZE bytes) is above the max allowed ($MAX_ALLOWED bytes)" exit 1 else echo "Helm secret size ($SIZE bytes) is below the max allowed ($MAX_ALLOWED bytes)" fi