issue 3: get docker release up and running (#4)

* change .release files to reference openbao instead of hashicorp and openbao instead of vault Signed-off-by: jessebot <[email protected]> * update Makefile - remove licensing, set openbao-helm to 0.4.0, and update registry to quay.io Signed-off-by: jessebot <[email protected]> * change another docker image reference to use quay.io/openbao Signed-off-by: jessebot <[email protected]> * change order of bats test to do teardown last Signed-off-by: jessebot <[email protected]> * add kubectl describe pod if something fails in the waiting process Signed-off-by: jessebot <[email protected]> * also check openbao-csi-provider pods if there is a failure; reduce timeout for kubectl wait commands to be 3 minutes instead of 5 Signed-off-by: jessebot <[email protected]> * clean up values for helm tests to work with new quay.io method, fix v in docker tag, make new lines for args consistent for helm install commands Signed-off-by: jessebot <[email protected]> * switch back to having registry_name in image_tag and comment out image_tag_latest as it's unused Signed-off-by: jessebot <[email protected]> * add -tls-skip-verify to the bootstrap tests Signed-off-by: jessebot <[email protected]> * update OPENBAO_CACERT to be VAULT_CACERT for testing Signed-off-by: jessebot <[email protected]> * update kind, bats, and node versions to be more current Signed-off-by: jessebot <[email protected]> * use ubi (non-arm) image for agent when running helm chart in bats tests for gha Signed-off-by: jessebot <[email protected]> * set a default timeout for integration-tests bats step to be 15 minutes Signed-off-by: jessebot <[email protected]> * update versions for actions checkout, upload-artifacts, download-artifacts, and helm/kind-action to latest Signed-off-by: jessebot <[email protected]> * update all the secret provider class yaml files to use vault as the provider this is until we can submit a PR to the upstream csi provider driver kubernetes-sigs repo to include openbao as a possible provider type Signed-off-by: jessebot <[email protected]> * remove license test and LICENSE related conditionals from bats testing Signed-off-by: jessebot <[email protected]> * fix comment for download-artifact step in tests gha Signed-off-by: jessebot <[email protected]> * add release workflow from openbao/openbao Signed-off-by: jessebot <[email protected]> * Apply suggestions from code review - downgrade actions/upload-artifact from 4.3.3 to 3.1.2 Signed-off-by: JesseBot <[email protected]> Signed-off-by: jessebot <[email protected]> * Update .github/workflows/build.yml - remove extra hyphen Signed-off-by: JesseBot <[email protected]> Signed-off-by: jessebot <[email protected]> --------- Signed-off-by: jessebot <[email protected]> Signed-off-by: JesseBot <[email protected]>
openbao · Jul 6, 2024 · f54018e · f54018e
1 parent f32bd38
commit f54018e
Show file tree

Hide file tree

Showing 18 changed files with 219 additions and 116 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -18,7 +18,7 @@ jobs:
     outputs:
       product-version: ${{ steps.get-product-version.outputs.product-version }}
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - name: get product version
         id: get-product-version
         run: |
@@ -32,7 +32,7 @@ jobs:
       filepath: ${{ steps.generate-metadata-file.outputs.filepath }}
     steps:
       - name: 'Checkout directory'
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - name: Generate metadata file
         id: generate-metadata-file
         uses: hashicorp/actions-generate-metadata@v1
@@ -57,7 +57,7 @@ jobs:
     name: Go linux ${{ matrix.arch }} build
 
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Setup go
         uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
@@ -91,7 +91,7 @@ jobs:
       version: ${{needs.get-product-version.outputs.product-version}}
 
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - name: Docker Build (Action)
         uses: hashicorp/actions-docker-build@v1
         with:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,137 @@
+# Creates a GitHub Release.
+# Workflow is manually run.
+# Preselect branch or tag before running this workflow.
+name: release
+
+on:
+  workflow_dispatch:
+    inputs:
+      # Defaults to publishing draft releases.
+      # Review draft before formally releasing!
+      draft:
+        description: "Create a release draft"
+        required: false
+        default: true
+        type: boolean
+      prerelease:
+        description: "Mark this release as a prerelease"
+        required: false
+        default: "auto"
+        type: choice
+        # auto follows semver. Prerelease versions are hyphenated with a label. ex. 0.0.0-alpha, 1.0.0-rc1
+        options:
+          - auto
+          - "true"
+          - "false"
+      make-latest:
+        description: "Latest release"
+        required: false
+        default: true
+        type: boolean
+
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
+jobs:
+  release:
+    runs-on: self-hosted
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Required by GoRelease
+
+      - name: Golang Setup
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+          check-latest: true
+
+      - name: go-check
+        run: go version
+
+        # Supports Buildx
+      - name: Qemu Setup
+        uses: docker/setup-qemu-action@v3
+
+      - name: Buildx Setup
+        uses: docker/setup-buildx-action@v3
+
+      - name: Cosign Install
+        uses: sigstore/cosign-installer@v3
+
+      - name: GPG Import
+        id: gpg-import
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSWORD }}
+
+      - name: Cache Setup
+        uses: actions/cache@v4
+        with:
+          path: |
+            ./dist/**
+          key: ${{ github.ref }}
+
+      - name: "Docker Login: ghcr.io"
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: "Docker Login: docker.io"
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+
+      - name: "Docker Login: quay.io"
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_TOKEN }}
+
+        # Needed for nPFM
+      - name: Create GPG Signing Key File
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          GPG_KEY_FILE=/tmp/signing-key.gpg
+          echo "${{ secrets.GPG_PRIVATE_KEY_BASE64 }}" | base64 -di > "${GPG_KEY_FILE}"
+          echo "GPG_KEY_FILE=${GPG_KEY_FILE}" >> "${GITHUB_ENV}"
+        env:
+          GPG_TTY: /dev/ttys000 # Set the GPG_TTY to avoid issues with pinentry
+
+      - name: "GoReleaser: Release"
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: goreleaser/goreleaser-action@v5
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --clean --timeout=60m --verbose --debug
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GPG_FINGERPRINT: ${{ steps.gpg-import.outputs.fingerprint }}
+          GPG_PASSWORD: ${{ secrets.GPG_PASSWORD }}
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          GITHUB_RELEASE_PRERELEASE: ${{ inputs.prerelease }}
+          GITHUB_RELEASE_MAKE_LATEST: ${{ inputs.make-latest }}
+          NFPM_DEFAULT_PASSPHRASE: ${{ secrets.GPG_PASSWORD }}
+
+      - name: Remove GPG Signing Key File
+        if: always()
+        run: |
+          if [ -n "${GPG_KEY_FILE}" ]; then
+            rm -rf "${GPG_KEY_FILE}"
+          fi
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -3,9 +3,9 @@ name: Tests
 on: [push, workflow_dispatch, pull_request]
 
 env:
-  KIND_VERSION: "v0.19.0"
-  BATS_VERSION: "1.9.0"
-  NODE_VERSION: "19.8.1"
+  KIND_VERSION: "v0.23.0"
+  BATS_VERSION: "1.11.0"
+  NODE_VERSION: "19.9.0"
   TARBALL_FILE: openbao-csi-provider.docker.tar
 
 jobs:
@@ -16,7 +16,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
         with:
           go-version-file: .go-version
@@ -30,7 +30,7 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
         with:
           go-version-file: .go-version
@@ -43,7 +43,7 @@ jobs:
       - name: Test
         run: make test
 
-      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: openbao-csi-provider-image
           path: ${{ env.TARBALL_FILE }}
@@ -58,7 +58,7 @@ jobs:
         kind-k8s-version: [1.27.13, 1.28.9, 1.29.4]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: ${{ env.NODE_VERSION }}
@@ -68,19 +68,20 @@ jobs:
         shell: bash
 
       - name: Create Kind Cluster
-        uses: helm/kind-action@fa81e57adff234b2908110485695db0f181f3c67 # v1.7.0
+        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
         with:
           cluster_name: kind
           config: test/bats/configs/kind/config.yaml
           node_image: kindest/node:v${{ matrix.kind-k8s-version }}
           version: ${{ env.KIND_VERSION }}
 
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
         with:
           name: openbao-csi-provider-image
 
       - name: Load openbao-csi-provider dev image
         run: docker image load --input ${{ env.TARBALL_FILE }}
 
       - name: bats tests
-        run: DISPLAY_SETUP_TEARDOWN_LOGS=true make e2e-teardown e2e-setup e2e-test
+        timeout-minutes: 15
+        run: DISPLAY_SETUP_TEARDOWN_LOGS=true make e2e-setup e2e-test e2e-teardown
diff --git a/.release/ci.hcl b/.release/ci.hcl
@@ -3,15 +3,11 @@
 
 schema = "1"
 
-project "vault-csi-provider" {
-  team = "vault"
-  slack {
-    // #vault-releases channel
-    notification_channel = "C03RXFX5M4L" // #feed-vault-releases
-  }
+project "openbao-csi-provider" {
+  team = "openbao"
   github {
-    organization = "hashicorp"
-    repository = "vault-csi-provider"
+    organization = "openbao"
+    repository = "openbao-csi-provider"
     release_branches = ["main"]
   }
 }
@@ -24,16 +20,16 @@ event "merge" {
 event "build" {
   depends = ["merge"]
   action "build" {
-    organization = "hashicorp"
-    repository = "vault-csi-provider"
+    organization = "openbao"
+    repository = "openbao-csi-provider"
     workflow = "build"
   }
 }
 
 event "upload-dev" {
   depends = ["build"]
   action "upload-dev" {
-    organization = "hashicorp"
+    organization = "openbao"
     repository = "crt-workflows-common"
     workflow = "upload-dev"
     depends = ["build"]
@@ -47,7 +43,7 @@ event "upload-dev" {
 event "security-scan-binaries" {
   depends = ["upload-dev"]
   action "security-scan-binaries" {
-    organization = "hashicorp"
+    organization = "openbao"
     repository = "crt-workflows-common"
     workflow = "security-scan-binaries"
     config = "security-scan.hcl"
@@ -61,7 +57,7 @@ event "security-scan-binaries" {
 event "security-scan-containers" {
   depends = ["security-scan-binaries"]
   action "security-scan-containers" {
-    organization = "hashicorp"
+    organization = "openbao"
     repository = "crt-workflows-common"
     workflow = "security-scan-containers"
     config = "security-scan.hcl"
@@ -75,7 +71,7 @@ event "security-scan-containers" {
 event "sign" {
   depends = ["security-scan-containers"]
   action "sign" {
-    organization = "hashicorp"
+    organization = "openbao"
     repository = "crt-workflows-common"
     workflow = "sign"
   }
@@ -88,7 +84,7 @@ event "sign" {
 event "verify" {
   depends = ["sign"]
   action "verify" {
-    organization = "hashicorp"
+    organization = "openbao"
     repository = "crt-workflows-common"
     workflow = "verify"
   }
@@ -109,7 +105,7 @@ event "trigger-staging" {
 event "promote-staging" {
   depends = ["trigger-staging"]
   action "promote-staging" {
-    organization = "hashicorp"
+    organization = "openbao"
     repository = "crt-workflows-common"
     workflow = "promote-staging"
     config = "release-metadata.hcl"
@@ -123,7 +119,7 @@ event "promote-staging" {
 event "promote-staging-docker" {
   depends = ["promote-staging"]
   action "promote-staging-docker" {
-    organization = "hashicorp"
+    organization = "openbao"
     repository = "crt-workflows-common"
     workflow = "promote-staging-docker"
   }
@@ -141,7 +137,7 @@ event "trigger-production" {
 event "promote-production" {
   depends = ["trigger-production"]
   action "promote-production" {
-    organization = "hashicorp"
+    organization = "openbao"
     repository = "crt-workflows-common"
     workflow = "promote-production"
   }
@@ -154,7 +150,7 @@ event "promote-production" {
 event "promote-production-docker" {
   depends = ["promote-production"]
   action "promote-production-docker" {
-    organization = "hashicorp"
+    organization = "openbao"
     repository = "crt-workflows-common"
     workflow = "promote-production-docker"
   }

diff --git a/.release/release-metadata.hcl b/.release/release-metadata.hcl
@@ -1,7 +1,7 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
-url_docker_registry_dockerhub = "https://registry.hub.docker.com/r/hashicorp/vault-csi-provider"
-url_license = "https://github.com/hashicorp/vault-csi-provider/blob/main/LICENSE"
-url_project_website = "https://www.vaultproject.io/docs/platform/k8s/csi"
-url_source_repository = "https://github.com/hashicorp/vault-csi-provider"
+url_docker_registry_dockerhub = "https://registry.hub.docker.com/r/openbao/openbao-csi-provider"
+url_license = "https://github.com/openbao/openbao-csi-provider/blob/main/LICENSE"
+url_project_website = "https://www.openbaoproject.io/docs/platform/k8s/csi"
+url_source_repository = "https://github.com/openbao/openbao-csi-provider"