Without this patch, the name of the image is not templated, which
causes the action to fail.
This should fix it, by ensuring the image scan action uses a
templated value, instead of incorrectly relying on shell templating,
which doesn't run in the action.
Without this patch, we are using outdated images in kind cluster
setup.
This should fix it, by removing the 1.17 cluster (which is not tested
anymore), and updating 1.19 images.
Without this patch, dependabot will still try to bump some k8s
dependencies.
This is a problem, as we need to bump them together, manually.
This should fix it by removing them all from dependabot.
We are now testing the helm charts on each PR. They are now
ensured to be passing our tests and reviewed before merging.
This also means that the merged changes in the master branch
are reliable, and therefore can be consumed immediately.
Currently, we are waiting for a release to publish a helm
chart.
This is a problem as it means that the helm chart will
always lag behind, and we'll miss a few semantic versions,
if for example the helm chart is adapted multiple times
before the next release.
This should fix it by ensuring ALL the merged changes in
our helm chart will result in a new published helm chart.
This ensures we bump the code for 1.20.
It updates the testing to ensure kured works on a 1.20 cluster, and
removes the testing on 1.17 (as it is now deprecated).
Libraries remain on 1.19, to avoid breaking 1.18 clusters.
Without this patch, the PR jobs are broken and no jobs are running.
This was a recently introduced typo in the last refactor of the
PR jobs.
This should fix it, and make the PR tests work again.
Without this, the golang version used is the golang version decided
by github.
This is a problem, as it might shift over time, without our control.
This fixes it by getting the golang version from the go.mod.
Without this patch, we'll get kubernetes updates.
This is not necessary, and could even be a problem on merge:
those kubernetes updates are done separately, knowingly,
to respect the life cycle of the kubernetes we need
(and stay one version below latest to have a larger coverage
of versions).
We could keep dependabot to update those on a lower frequency,
but that sounds clunky and not great. Instead disable them all,
and rely on the team to do this regular maintenance work.
There is a lot of duplicated code in this workflow.
This fixes it by making a unique job with parameters. The
matrix buys us the parallelisation and the fail-fast.
Without this patch, the lint action incorrectly returns everything
is fine.
This is a problem, as lint effectively is not running, and
therefore we could merge broken charts.
This fixes it by updating to the latest practices you can find
in the official chart-repo-actions.
(See the official example in
i1a9640d998/.github/workflows/lint-test.yaml)
- Made all the file extensions ".yaml"
- Regrouped actions together to make it easy to see when they
are useful: on-pr is useful at every PR, on-tag when we are
ready to tag next image, on-pr-chart when we have a PR to
modify the chart with the published image, on-release when
we have released and need to publish the final helm chart
- Regrouped periodic jobs together, to deal with stale prs/issues
and ensuring that our helm chart always works.
We don't need to test with kustomize, manifest testing is good
enough, as we just test that the manifests are correct, not that
they are functional (which would require a change in the poll time).
This extends our test coverage for kured-* manifest changes on PRs,
and any eventual changes in kubernetes/kubectl on periodics.
Signed-off-by: Jean-Philippe Evrard <open-source@a.spamming.party>
In the past, we had lint issues which were merged into the code,
and/or lint changed without us adapting our code.
This should allow us to stay on top of linting issues by
highlighting them in PRs.
Without this patch, we might hold old issues and PRs for a long
time. Instead we should close them. People can reopen if necessary.
This would show that we have a proper triage process, and a proper
way to handle those.
Without this patch, there is no way we can see, in the development
process, if the image we are about to publish is insecure.
This is a problem as we might be releasing new versions of kured
with an outdated base image which contains vulnerabilities.
This fixes it by creating a job which will show any eventual
vulnerability.
Without this patch, we don't test on release whether kured actually
works and behaves well.
This is a problem, as a functional issue could have been hidden by
a recent change, as our testing is minimalist (only test the
usability, not the functionality).
Instead of testing manually, we should ensure this in CI.
This fixes it by adding a github action which tests the previously
built artifacts before publishing a release. The job consumes the helm
chart in our code tree (note: this relies on the last released image),
and runs a functional test triggering a coordinated restart of a
whole 5 node cluster deployed with kind, through github actions.
Note: The github action needs to reset docker configuration, else
the reboot of the node (a docker container in kind) will fail.
It will be correctly triggered, but the node will not come back up,
with its systemd log mentioning: "Failed to attach 1 to compat systemd cgroup".