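# Helm chart CI: on any change under charts/** it runs chart-testing (ct) and,
# for charts that actually changed, installs them into a throw-away kind cluster
# and smoke-tests the self-host web/API/admin endpoints and the sm-operator
# secret sync.
name: Tests

on:
  pull_request:
    paths:
      - 'charts/**'
  push:
    branches:
      - main
    paths:
      - 'charts/**'
  workflow_dispatch:

# Least privilege: no step here writes back to the repository, so the default
# GITHUB_TOKEN only needs to read the checkout.
permissions:
  contents: read

jobs:
  test:
    name: Test Helm charts
    runs-on: ubuntu-22.04
    environment: Production
    steps:
      - name: Checkout repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # ct list-changed diffs against the target branch, so full history is required.
          fetch-depth: 0

      - name: Set up Helm
        uses: Azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
        with:
          version: 'v3.13.1'

      - name: Login to Azure - CI Subscription
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        # NOTE(review): the only action in this workflow not pinned to a commit SHA.
        # A mutable branch ref means an upstream change alters what runs with Key
        # Vault access; pin it like the other actions once a SHA is chosen.
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
          keyvault: "bitwarden-ci"
          secrets: "helm-sm-operator-ci-test-access-token"

      - name: Set up lynx
        # Non-interactive install: without -y apt prompts for confirmation and
        # aborts when there is no terminal, as on a hosted runner.
        run: |
          sudo apt-get update
          sudo apt-get install -y lynx

      - name: Set up Python
        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
        with:
          python-version: '3.12'
          check-latest: true

      - name: Set up chart-testing
        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1

      - name: Run chart-testing (list-changed)
        id: list-changed
        # ct prints one changed chart directory per line. The key=value form of
        # GITHUB_OUTPUT carries a single line, so a second changed chart would be
        # rejected as an invalid output line; collapse the list to one
        # space-separated line. Consumers below only use contains().
        run: |
          CHANGED=$(ct list-changed --target-branch "${{ github.event.repository.default_branch }}")
          if [[ -n "$CHANGED" ]]; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
            echo "changed-list=$(echo "$CHANGED" | tr '\n' ' ')" >> "$GITHUB_OUTPUT"
          fi

      - name: Create kind cluster
        if: steps.list-changed.outputs.changed == 'true'
        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
        with:
          config: .github/workflows/config/cluster.yaml

      - name: Set up cluster
        if: steps.list-changed.outputs.changed == 'true'
        # Builds everything the charts expect to find in the cluster: a one-day
        # throw-away CA and leaf cert for bitwarden.localhost, an ingress
        # controller, the bitwarden namespace, and the secrets the charts reference.
        run: |
          installation_id=$(uuidgen)
          echo "$installation_id"
          installation_key=$(openssl rand -base64 12)
          sa_password=$(openssl rand -base64 12)
          cert_pass=$(openssl rand -base64 12)

          # TLS setup (test-only material; 1-day validity, generated per run)
          echo "Creating root CA cert"
          openssl req -x509 -sha256 -days 1 -newkey rsa:2048 -keyout rootCA.key -out rootCA.crt -subj "/CN=Bitwarden Ingress" --passout "pass:$cert_pass"
          echo "Generating TLS key"
          openssl genrsa -out bitwarden.localhost.key 2048
          echo "Generating TLS cert"
          openssl req -key bitwarden.localhost.key -new -out bitwarden.localhost.csr --passin "pass:$cert_pass" -subj "/CN=bitwarden.localhost"
          echo "Signing TLS cert"
          cat > bitwarden.localhost.ext << EOF
          authorityKeyIdentifier=keyid,issuer
          basicConstraints=CA:FALSE
          subjectAltName = @alt_names
          [alt_names]
          DNS.1 = bitwarden.localhost
          EOF
          openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in bitwarden.localhost.csr -out bitwarden.localhost.crt -days 1 -CAcreateserial -extfile bitwarden.localhost.ext --passin "pass:$cert_pass"
          echo "Exporting TLS certs to PEM"
          openssl x509 -in bitwarden.localhost.crt -out bitwarden.localhost.pem --passin "pass:$cert_pass"
          openssl x509 -in rootCA.crt -out rootCA.pem --passin "pass:$cert_pass"

          # Ingress
          # NOTE(review): this manifest is fetched from a mutable branch ref; pin to a
          # release tag so an upstream change cannot silently alter the test cluster.
          kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
          # The admission webhook is not reachable inside kind; drop it so ingress objects apply.
          kubectl delete -A ValidatingWebhookConfiguration ingress-nginx-admission
          echo "127.0.0.1 bitwarden.localhost" | sudo tee -a /etc/hosts

          # Namespace
          kubectl create ns bitwarden
          kubectl config set-context --current --namespace=bitwarden

          # Secrets (placeholder values; nothing here leaves the runner)
          kubectl create secret generic custom-secret \
            --from-literal=globalSettings__installation__id="$installation_id" \
            --from-literal=globalSettings__installation__key="$installation_key" \
            --from-literal=globalSettings__mail__smtp__username="REPLACE" \
            --from-literal=globalSettings__mail__smtp__password="REPLACE" \
            --from-literal=globalSettings__yubico__clientId="REPLACE" \
            --from-literal=globalSettings__yubico__key="REPLACE" \
            --from-literal=SA_PASSWORD="$sa_password"
          kubectl create secret tls tls-secret --cert=bitwarden.localhost.pem --key=bitwarden.localhost.key

      - name: Run chart-testing (install)
        if: steps.list-changed.outputs.changed == 'true'
        run: ct install --target-branch "${{ github.event.repository.default_branch }}" --skip-clean-up --namespace bitwarden

      - name: Test install (self-host)
        if: steps.list-changed.outputs.changed == 'true' && contains(steps.list-changed.outputs.changed-list,'self-host')
        # Each check fetches a page through the ingress with the test CA, then
        # verifies the HTTP status and a body marker. The run shell is `bash -e`,
        # so a grep with no match inside a command substitution would abort the
        # step before the diagnostic message; `|| true` keeps the explicit checks
        # reachable.
        run: |
          # For review purposes
          echo "*****DEPLOYMENTS*****"
          kubectl get deployments
          echo "*****PODS*****"
          kubectl get pods
          echo "*****SERVICES*****"
          kubectl get svc
          echo "*****JOBS*****"
          kubectl get jobs
          echo "*****INGRESS*****"
          kubectl describe ingress

          echo "*****HOME*****"
          home=$(curl -Ls https://bitwarden.localhost -w httpcode=%{http_code} --cacert rootCA.pem)
          echo "$home" | lynx -stdin -dump -width=100
          httpCode=$(echo "${home}" | grep -Po 'httpcode=\K(\d\d\d)' || true)
          bodyCheck=$(echo "${home}" | grep -Po 'Bitwarden Web Vault' || true)
          if [[ "${httpCode:-0}" -ne 200 ]]; then
            echo "::error::ERROR: Home page failed to load. HTTP code was $httpCode"
            exit 1
          fi
          if [[ "$bodyCheck" != "Bitwarden Web Vault" ]]; then
            echo "::error::ERROR: Home page failed to load. Please check body output above."
            exit 1
          fi
          echo "Home OK."

          echo "*****API/CONFIG*****"
          config=$(curl -Ls https://bitwarden.localhost/api/config -w httpcode=%{http_code} --cacert rootCA.pem)
          echo "$config" | lynx -stdin -dump -width=100
          httpCode=$(echo "${config}" | grep -Po 'httpcode=\K(\d\d\d)' || true)
          bodyCheck=$(echo "${config}" | grep -Po '\"vault\":\"https://bitwarden\.localhost\"' || true)
          if [[ "${httpCode:-0}" -ne 200 ]]; then
            echo "::error::ERROR: API/Config page failed to load. HTTP code was $httpCode"
            exit 1
          fi
          if [[ "$bodyCheck" != '"vault":"https://bitwarden.localhost"' ]]; then
            echo "::error::ERROR: API/Config page failed to load. Please check body output above."
            exit 1
          fi
          echo "API/Config OK."

          echo "*****ADMIN*****"
          admin=$(curl -Ls https://bitwarden.localhost/admin -w httpcode=%{http_code} --cacert rootCA.pem)
          echo "$admin" | lynx -stdin -dump -width=100
          httpCode=$(echo "${admin}" | grep -Po 'httpcode=\K(\d\d\d)' || true)
          bodyCheck=$(echo "${admin}" | grep -Po "We'll email you a secure login link" || true)
          if [[ "${httpCode:-0}" -ne 200 ]]; then
            echo "::error::ERROR: Admin page failed to load. HTTP code was $httpCode"
            exit 1
          fi
          if [[ "$bodyCheck" != "We'll email you a secure login link" ]]; then
            echo "::error::ERROR: Admin page failed to load. Please check body output above."
            exit 1
          fi
          echo "Admin OK."

      - name: Test install (sm-operator)
        if: steps.list-changed.outputs.changed == 'true' && contains(steps.list-changed.outputs.changed-list,'sm-operator')
        # Verifies the operator pod is ready, then creates a BitwardenSecret from
        # the sample manifest and checks that the operator reports the sync and
        # materialises the Kubernetes secret. As above, `|| true` on the grep
        # substitutions keeps the error messages reachable under `bash -e`.
        run: |
          # For review purposes
          echo "*****DEPLOYMENTS*****"
          kubectl get deployments
          echo "*****PODS*****"
          pods=$(kubectl get pods -l app.kubernetes.io/name=sm-operator | grep 2/2 || true)
          echo "$pods"
          if [[ -z "$pods" ]]; then
            echo "::error::No pods found."
            exit 1
          fi

          echo "*****CREATING AUTH SECRET*****"
          # Token arrives via env (not interpolated into the script) so it is not echoed into the log.
          kubectl create secret generic bw-auth-token -n bitwarden --from-literal=token="$AUTH_TOKEN"
          echo "*****CREATING BW SECRET*****"
          kubectl apply -f .github/workflows/config/sample-bw-secret.yaml
          # Sleeping while BitwardenSecret is being created and synced
          sleep 2s

          echo "*****LOGS*****"
          logs=$(kubectl logs -l app.kubernetes.io/name=sm-operator -c manager)
          echo "$logs"
          completed=$(echo "$logs" | grep "Completed sync for bitwarden/bitwardensecret-sample" || true)
          if [[ -z "$completed" ]]; then
            echo "::error::Secret did not sync."
            exit 1
          fi
          # Sleeping to ensure everything completes
          sleep 2s

          echo "*****RESULTING SECRETS*****"
          secrets=$(kubectl get secrets)
          echo "$secrets"
          secretCreated=$(echo "$secrets" | grep -Po "bw-sample-secret\s+Opaque\s+3" || true)
          if [[ -z "$secretCreated" ]]; then
            echo "::error::Secret not created correctly."
            exit 1
          fi
          echo "*****OPERATOR OK*****"
        env:
          AUTH_TOKEN: ${{ steps.retrieve-secrets.outputs.helm-sm-operator-ci-test-access-token }}

      - name: Clean-up
        if: steps.list-changed.outputs.changed == 'true'
        # Runs only on success (default condition); the runner is ephemeral, so a
        # failed run leaves nothing behind that outlives the job.
        run: |
          helm ls --all --short | xargs -L1 helm delete
          kubectl delete ns bitwarden
          kind delete cluster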