src/fluent-bit/.github/workflows/call-test-images.yaml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205

---
name: Reusable workflow to test container images
on:
  workflow_call:
    inputs:
      registry:
        description: The registry to pull the images to test from.
        type: string
        required: true
      username:
        description: The username for authentication with the registry.
        type: string
        required: true
      image:
        description: The name of the image to pull from the registry for testing.
        type: string
        required: true
      image-tag:
        description: The tag of the image to pull from the registry for testing.
        type: string
        required: true
      environment:
        description: The Github environment to run this workflow on.
        type: string
        required: false
      ref:
        description: The commit, tag or branch to checkout for testing scripts.
        type: string
        default: master
        required: false
    secrets:
      token:
        description: The Github token or similar to authenticate with for the registry.
        required: true
      cosign_key:
        description: The optional Cosign key to use for verifying the images.
        required: false
jobs:
  call-test-images-cosign-verify:
    name: Cosign verification of container image
    environment: ${{ inputs.environment }}
    runs-on: ubuntu-latest
    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@v2

      - name: Log in to the Container registry
        uses: docker/login-action@v3
        with:
          registry: ${{ inputs.registry }}
          username: ${{ inputs.username }}
          password: ${{ secrets.token }}

      # There is currently no way to verify a local image, e.g. for a particular architecture
      # https://github.com/sigstore/cosign/issues/60
      - name: Verify image with a key
        # Only key-based verification currently
        if: ${{ env.COSIGN_PUBLIC_KEY }}
        run: |
          echo -e "${COSIGN_PUBLIC_KEY}" > /tmp/my_cosign.pub
          cosign verify --key /tmp/my_cosign.pub "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG"
          rm -f /tmp/my_cosign.key
        shell: bash
        env:
          COSIGN_PUBLIC_KEY: ${{ secrets.cosign_key }}
          REGISTRY: ${{ inputs.registry }}
          IMAGE_NAME: ${{ inputs.image }}
          IMAGE_TAG: ${{ inputs.image-tag }}

  call-test-images-container-architecture:
    name: ${{ matrix.arch }} image architecture verification
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    # Test as much as we can
    continue-on-error: true
    strategy:
      fail-fast: false
      matrix:
        arch: [ linux/amd64, linux/arm64, linux/arm/v7 ]
        include:
          # Rather than extract the specific central arch we just provide it
          - arch: linux/amd64
            expected: amd64
          - arch: linux/arm64
            expected: arm64
          - arch: linux/arm/v7
            expected: arm
    steps:
      - name: Log in to the Container registry
        uses: docker/login-action@v3
        with:
          registry: ${{ inputs.registry }}
          username: ${{ inputs.username }}
          password: ${{ secrets.token }}

      - name: Pull and extract architecture of image
        id: extract_arch
        run: |
          docker pull --platform=${{ matrix.arch }} "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG"
          ACTUAL_ARCH=$(docker image inspect --format '{{.Architecture}}' "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG")
          echo "ACTUAL_ARCH=$ACTUAL_ARCH" >> $GITHUB_OUTPUT
          docker image inspect "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG"
        shell: bash
        env:
          REGISTRY: ${{ inputs.registry }}
          IMAGE_NAME: ${{ inputs.image }}
          IMAGE_TAG: ${{ inputs.image-tag }}

      - name: Validate architecture of image
        run: |
          if [[ "$ACTUAL_ARCH" != "$EXPECTED_ARCH" ]]; then
            echo "Invalid architecture for $REGISTRY/$IMAGE_NAME: $ACTUAL_ARCH != $EXPECTED_ARCH"
            exit 1
          fi
        env:
          EXPECTED_ARCH: ${{ matrix.expected }}
          ACTUAL_ARCH: ${{ steps.extract_arch.outputs.ACTUAL_ARCH }}
        shell: bash

  call-test-images-container-smoke:
    # Ensure each architecture container runs up correctly with default configuration.
    name: ${{ matrix.arch }} smoke test for local container images
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    # No point running if the architecture is incorrect
    needs: [ call-test-images-container-architecture ]
    continue-on-error: true
    strategy:
      fail-fast: false # verify all
      matrix:
        arch: [ linux/amd64, linux/arm64, linux/arm/v7 ]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref }}

      - name: Log in to the Container registry
        uses: docker/login-action@v3
        with:
          registry: ${{ inputs.registry }}
          username: ${{ inputs.username }}
          password: ${{ secrets.token }}

      - name: Set up QEMU using standard action
        if: ${{ matrix.arch != 'linux/arm64' }}
        uses: docker/setup-qemu-action@v3

      # Without this QEMU fails for ARM64
      - name: Set up binary emulation for QEMU
        if: ${{ matrix.arch == 'linux/arm64' }}
        run: |
          docker run --privileged --rm tonistiigi/binfmt --install all

      - name: Verify platform is supported with Alpine container
        # We make sure there is not an inherent issue with this architecture on this runner
        run: |
          docker run --rm --platform=${{ matrix.arch }} alpine uname -a

      - name: Test the HTTP server is responding
        timeout-minutes: 10
        run: |
          packaging/testing/smoke/container/container-smoke-test.sh
        shell: bash
        env:
          CONTAINER_NAME: local-smoke-${{ matrix.arch }}
          CONTAINER_ARCH: ${{ matrix.arch }}
          REGISTRY: ${{ inputs.registry }}
          IMAGE_NAME: ${{ inputs.image }}
          IMAGE_TAG: ${{ inputs.image-tag }}

  call-test-images-k8s-smoke:
    # No need to test every architecture here, that is covered by local container tests.
    # Testing helm chart deployment on KIND here.
    name: Helm chart test on KIND
    environment: ${{ inputs.environment }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref }}

      - name: Create k8s Kind Cluster
        uses: helm/kind-action@v1.8.0

      - name: Set up Helm
        uses: azure/setup-helm@v3.5
        with:
          version: v3.6.3

      - name: Set up Kubectl
        uses: azure/setup-kubectl@v3.2

      - name: Test the HTTP server is responding
        timeout-minutes: 5
        run: |
          packaging/testing/smoke/k8s/k8s-smoke-test.sh
        shell: bash
        env:
          NAMESPACE: default
          REGISTRY: ${{ inputs.registry }}
          IMAGE_NAME: ${{ inputs.image }}
          IMAGE_TAG: ${{ inputs.image-tag }}