feat(helm chart): Add metrics-server hardening options #249
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Lint and Test Chart | |
| on: | |
| pull_request: | |
| paths: | |
| - .github/workflows/lint-test-chart.yaml | |
| - "charts/metrics-server/**" | |
| jobs: | |
| lint-test: | |
| name: Lint & Test | |
| if: github.repository == 'kubernetes-sigs/metrics-server' | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| shell: bash | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set-up Python | |
| uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 | |
| with: | |
| python-version: "3.x" | |
| - name: Set-up Helm | |
| uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| version: latest | |
| - name: Set-up chart-testing | |
| uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 | |
| - name: Check for changes | |
| id: changes | |
| run: | | |
| changed="$(ct list-changed)" | |
| if [[ -n "${changed}" ]] | |
| then | |
| echo "changed=true" >> "${GITHUB_OUTPUT}" | |
| else | |
| echo "changed=false" >> "${GITHUB_OUTPUT}" | |
| fi | |
| - name: Get chart version | |
| id: chart_version | |
| if: steps.changes.outputs.changed == 'true' | |
| uses: mikefarah/yq@f15500b20a1c991c8729870ba60a4dc3524b6a94 # v4.44.2 | |
| with: | |
| cmd: yq eval '.version' './charts/metrics-server/Chart.yaml' | |
| - name: Get changelog entry | |
| if: steps.changes.outputs.changed == 'true' | |
| uses: mindsers/changelog-reader-action@32aa5b4c155d76c94e4ec883a223c947b2f02656 # v2.2.3 | |
| with: | |
| path: charts/metrics-server/CHANGELOG.md | |
| version: ${{ steps.chart_version.outputs.result }} | |
| - name: Set-up Artifact Hub CLI | |
| if: steps.changes.outputs.changed == 'true' | |
| uses: action-stars/install-tool-from-github-release@9019d0a3125e2f45a48858afb632e6dbef663d79 # v0.2.2 | |
| with: | |
| github_token: ${{ github.token }} | |
| owner: artifacthub | |
| repository: hub | |
| name: ah | |
| check_command: ah version | |
| version: latest | |
| - name: Run Artifact Hub lint | |
| if: steps.changes.outputs.changed == 'true' | |
| run: ah lint --kind helm || exit 1 | |
| - name: Run chart-testing lint | |
| if: steps.changes.outputs.changed == 'true' | |
| run: ct lint --check-version-increment=false | |
| - name: Create Kind cluster | |
| if: steps.changes.outputs.changed == 'true' | |
| uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 | |
| with: | |
| wait: 120s | |
| - name: Install cert-manager dependency | |
| if: steps.changes.outputs.changed == 'true' | |
| run: | | |
| helm repo add jetstack https://charts.jetstack.io | |
| helm install cert-manager jetstack/cert-manager \ | |
| --namespace cert-manager \ | |
| --create-namespace \ | |
| --wait \ | |
| --set installCRDs=true \ | |
| --set extraArgs='{--enable-certificate-owner-ref}' | |
| - name: Prepare existing secret test scenario | |
| if: steps.changes.outputs.changed == 'true' | |
| run: | | |
| openssl req -x509 -newkey rsa:2048 -sha256 -days 365 \ | |
| -nodes -keyout ${{ runner.temp }}/tls.key -out ${{ runner.temp }}/tls.crt \ | |
| -subj "/CN=metrics-server" \ | |
| -addext "subjectAltName=DNS:metrics-server,DNS:metrics-server.kube-system.svc" | |
| kubectl -n kube-system create secret generic metrics-server-existing \ | |
| --from-file=${{ runner.temp }}/tls.key \ | |
| --from-file=${{ runner.temp }}/tls.crt | |
| cat <<EOF >> charts/metrics-server/ci/tls-existingSecret-values.yaml | |
| apiService: | |
| insecureSkipTLSVerify: false | |
| caBundle: | | |
| $(cat ${{ runner.temp }}/tls.crt | sed -e "s/^/ /g") | |
| EOF | |
| rm ${{ runner.temp }}/tls.key ${{ runner.temp }}/tls.crt | |
| - name: Run chart-testing install | |
| if: steps.changes.outputs.changed == 'true' | |
| run: ct install --namespace kube-system |