diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 94fa342..448ddda 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -37,8 +37,22 @@ jobs: - name: Checkout uses: actions/checkout@v4 + - name: Import secrets + uses: hashicorp/vault-action@130d1f5f4fe645bb6c83e4225c04d64cfb62de6e # v2.5.0 + id: secrets + with: + exportEnv: true + url: ${{ secrets.VAULT_URL }} + role: ${{ secrets.VAULT_ROLE }} + method: kubernetes + path: kubernetes-ci + secrets: | + kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ; + kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ; + - name: Build run: | + echo ${DOCKERHUB_PASSWORD} | docker login -u ${DOCKERHUB_USER} --password-stdin IMAGE="wallarm/sidecar-controller" make build TAG=${GITHUB_SHA} IMAGE=${IMAGE} PLATFORMS=linux/${{ matrix.ARCH }} BUILDX_ARGS=--load docker save -o sidecar-${{ matrix.ARCH }}.tar ${IMAGE}:${GITHUB_SHA} @@ -117,6 +131,8 @@ jobs: kv-gitlab-ci/data/github/${{ env.env_code }} allure_server_token ; kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_name ; kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_secret ; + kv-gitlab-ci/data/github/shared/dockerhub-creds user ; + kv-gitlab-ci/data/github/shared/dockerhub-creds password ; - name: Checkout uses: actions/checkout@v4 @@ -136,6 +152,8 @@ jobs: env: SKIP_CLUSTER_CREATION: true SKIP_IMAGE_CREATION: true + DOCKERHUB_USER: ${{ steps.secrets.outputs.user }} + DOCKERHUB_PASSWORD: ${{ steps.secrets.outputs.password }} INJECTION_STRATEGY: ${{ matrix.INJECTION_STRATEGY }} WALLARM_API_TOKEN: ${{ steps.secrets.outputs.api_token }} WALLARM_API_HOST: ${{ steps.secrets.outputs.api_host }} diff --git a/test/smoke/run.sh b/test/smoke/run.sh index 02d6785..91c35ce 100755 --- a/test/smoke/run.sh +++ b/test/smoke/run.sh 
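Review bot: In the Build job's new `Import secrets` step in .github/workflows/ci.yaml, `exportEnv: true` puts DOCKERHUB_USER and DOCKERHUB_PASSWORD into the environment of every later step in the job, including `make build`, although only the `docker login` line needs them. Setting `exportEnv: false` and passing the two values through an `env:` block on the Build step (from `steps.secrets.outputs.DOCKERHUB_USER` and `steps.secrets.outputs.DOCKERHUB_PASSWORD`) would keep them scoped to that step. The login line also expands both variables unquoted through `echo`, so a password containing whitespace, glob characters or backslashes may be altered; `printf '%s' "${DOCKERHUB_PASSWORD}" | docker login -u "${DOCKERHUB_USER}" --password-stdin` avoids that. If the runner is reused between jobs, a `docker logout` at the end of the step would remove the stored credential.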
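Review bot: In the second ci.yaml hunk (the existing secrets list at new line 131), the two dockerhub-creds entries are imported under the bare output names `user` and `password`, which would collide with any later secret that has the same key. Naming them explicitly, as the Build job's step does (`kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;`), and reading `steps.secrets.outputs.DOCKERHUB_USER` and `steps.secrets.outputs.DOCKERHUB_PASSWORD` in the `env:` block of the third hunk would make the mapping unambiguous. The rest of that step lies outside the hunk, so whether it also exports these values to the whole job cannot be seen from here.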
@@ -27,6 +27,17 @@ export INJECTION_STRATEGY="${INJECTION_STRATEGY:-single}" K8S_VERSION=${K8S_VERSION:-1.28.7} +DOCKERHUB_REGISTRY_SERVER="https://index.docker.io/v1/" + +# This will prevent the secret for index.docker.io from being used if the DOCKERHUB_USER is not set. +if [ "${DOCKERHUB_USER:-false}" = "false" ]; then + DOCKERHUB_REGISTRY_SERVER="fake_docker_registry_server" +fi + +DOCKERHUB_SECRET_NAME="dockerhub-secret" +DOCKERHUB_USER="${DOCKERHUB_USER:-fake_user}" +DOCKERHUB_PASSWORD="${DOCKERHUB_PASSWORD:-fake_password}" + set -o errexit set -o nounset set -o pipefail @@ -72,6 +83,15 @@ EOF fi fi +# create docker-registry secret +echo "[test-env] creating secret docker-registry ..." +kubectl create secret docker-registry ${DOCKERHUB_SECRET_NAME} \ + --docker-server=${DOCKERHUB_REGISTRY_SERVER} \ + --docker-username="${DOCKERHUB_USER}" \ + --docker-password="${DOCKERHUB_PASSWORD}" \ + --docker-email=docker-pull@unexists.unexists + + if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then echo "[test-env] building sidecar image..." make -C "${DIR}"/../../ build TAG=${TAG} @@ -87,6 +107,9 @@ else IMAGE_PULL_POLICY="IfNotPresent" fi + + + echo "[test-env] installing cert-manager" helm repo add jetstack https://charts.jetstack.io/ helm repo update jetstack @@ -95,6 +118,8 @@ helm upgrade --install cert-manager jetstack/cert-manager --set installCRDs=true echo "[test-env] installing Helm chart using TAG=${TAG} ..." cat << EOF | helm upgrade --install sidecar-controller "${DIR}/../../helm" --wait --debug --values - +imagePullSecrets: + - name: ${DOCKERHUB_SECRET_NAME} config: sidecar: image: diff --git a/test/smoke/workload.yaml b/test/smoke/workload.yaml index bf8f604..838bdf3 100644 --- a/test/smoke/workload.yaml +++ b/test/smoke/workload.yaml 
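Review bot: In the first test/smoke/run.sh hunk, the fallback to `fake_docker_registry_server` is keyed on DOCKERHUB_USER alone, so a run with the user set but DOCKERHUB_PASSWORD empty or unset creates a secret for index.docker.io carrying `fake_password`. Pulls from Docker Hub would then likely fail on authentication instead of proceeding anonymously. Testing both variables, `if [ -z "${DOCKERHUB_USER:-}" ] || [ -z "${DOCKERHUB_PASSWORD:-}" ]; then`, keeps the placeholder path for any incomplete credential pair.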
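Review bot: In the second test/smoke/run.sh hunk, `--docker-password="${DOCKERHUB_PASSWORD}"` places the Docker Hub password on kubectl's command line, where it is readable from the process list on the runner for as long as the command runs, and where shell tracing would print it if it is ever enabled. Supplying the credential from a file avoids that, for example `kubectl create secret generic "${DOCKERHUB_SECRET_NAME}" --type=kubernetes.io/dockerconfigjson --from-file=.dockerconfigjson=<path>`, with the file written beforehand and removed afterwards. The bare `kubectl create` also fails with AlreadyExists when the script is re-run against an existing cluster (the workflow sets SKIP_CLUSTER_CREATION), and under `set -o errexit` that aborts the run; appending `--dry-run=client -o yaml | kubectl apply -f -` makes the step repeatable. `${DOCKERHUB_SECRET_NAME}` and `${DOCKERHUB_REGISTRY_SERVER}` should be quoted like the other arguments.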
@@ -118,6 +118,8 @@ spec: sidecar.wallarm.io/proxy-extra-volume-mounts: '[{"name": "nginx-http-extra-config", "mountPath": "/nginx_include/sidecar-config.conf", "subPath": "sidecar-include.conf"}]' sidecar.wallarm.io/nginx-server-include: "['/nginx_include/sidecar-config.conf']" spec: + imagePullSecrets: + - name: dockerhub-secret containers: - name: nginx image: nginx:stable-alpine @@ -146,4 +148,4 @@ spec: targetPort: 80 nodePort: 30000 selector: - app: workload \ No newline at end of file + app: workload
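Review bot: In the first test/smoke/workload.yaml hunk, the pull-secret name `dockerhub-secret` is hard-coded and has to stay identical to DOCKERHUB_SECRET_NAME in test/smoke/run.sh, but nothing in the manifest says so. A pod that references a missing pull secret is still admitted and the image pull simply proceeds without credentials, so a rename on one side would go unnoticed until Docker Hub rate limits return. A comment above the entry, `# must match DOCKERHUB_SECRET_NAME in test/smoke/run.sh`, would document the coupling; the secret must also exist in the namespace this workload is applied to, which is not visible in the hunk.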