Skip to content

feat(templates): add restricted access policy #5405

feat(templates): add restricted access policy

feat(templates): add restricted access policy #5405

# Copyright 2024 Flant JSC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Build and push for dev
env:
MODULES_REGISTRY: ${{ vars.DEV_REGISTRY }}
CI_COMMIT_REF_NAME: ${{ github.ref_name }}
MODULES_MODULE_NAME: ${{ vars.MODULE_NAME }}
MODULES_MODULE_SOURCE: ${{ vars.DEV_MODULE_SOURCE }}
MODULES_REGISTRY_LOGIN: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
MODULES_REGISTRY_PASSWORD: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
GO_VERSION: "1.22.7"
SOURCE_REPO: "${{secrets.SOURCE_REPO}}"
on:
workflow_dispatch:
inputs:
pr_number:
required: false
type: number
pull_request:
types: [opened, reopened, synchronize, labeled, unlabeled]
push:
branches:
- main
- pre-alpha
defaults:
run:
shell: bash
concurrency:
group: "${{ github.workflow }}-${{ github.event.number || github.ref }}"
cancel-in-progress: true
jobs:
set_vars:
runs-on: ubuntu-latest
name: Set MODULES_MODULE_TAG
outputs:
modules_module_tag: ${{ steps.modules_module_tag.outputs.MODULES_MODULE_TAG }}
module_edition: ${{ steps.modules_module_tag.outputs.MODULE_EDITION }}
steps:
- name: Get Pull Request Labels
id: get-labels
uses: actions/github-script@v7
with:
script: |
if (context.eventName === "pull_request" || context.eventName === "pull_request_target" ) {
const prNumber = context.payload.pull_request.number;
const { data: labels } = await github.rest.issues.listLabelsOnIssue({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: prNumber,
});
return labels.map(label => label.name);
} else {
return [];
}
result-encoding: string
- name: Set vars
id: modules_module_tag
run: |
if [[ "${{ github.ref_name }}" == 'pre-alpha' || "${{ github.ref_name }}" == 'main' ]]; then
MODULES_MODULE_TAG="${{ github.ref_name }}"
elif [[ -n "${{ github.event.pull_request.number }}" ]]; then
MODULES_MODULE_TAG="pr${{ github.event.pull_request.number }}"
elif [[ -n "${{ github.event.inputs.pr_number }}" ]]; then
MODULES_MODULE_TAG="pr${{ github.event.inputs.pr_number }}"
else
echo "::error title=Module image tag is required::Can't detect module tag from workflow context. Dev build uses branch name as tag for pre-alpha and main branches, and PR number for builds from pull requests. Check workflow for correctness."
exit 1
fi
echo "MODULES_MODULE_TAG=$MODULES_MODULE_TAG" >> "$GITHUB_OUTPUT"
# Slect edition for build, default EE
if echo "${{ steps.get-labels.outputs.result }}" | grep -q "edition/ce"; then
echo "MODULE_EDITION=CE" >> $GITHUB_OUTPUT
else
echo "MODULE_EDITION=EE" >> "$GITHUB_OUTPUT"
fi
show_dev_manifest:
runs-on: ubuntu-latest
name: Show manifest
needs: set_vars
env:
MODULES_MODULE_TAG: ${{needs.set_vars.outputs.modules_module_tag}}
steps:
- name: Show dev config
run: |
cat << OUTER
Create ModuleConfig and ModulePullOverride resources to test this MR:
cat <<EOF | kubectl apply -f -
---
apiVersion: deckhouse.io/v1alpha1
kind: ModulePullOverride
metadata:
name: ${MODULES_MODULE_NAME}
spec:
imageTag: ${MODULES_MODULE_TAG}
source: deckhouse
---
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
name: ${MODULES_MODULE_NAME}
spec:
enabled: true
settings:
dvcr:
storage:
type: PersistentVolumeClaim
persistentVolumeClaim:
size: 50G
virtualMachineCIDRs:
- 10.66.10.0/24
- 10.66.20.0/24
- 10.66.30.0/24
version: 1
EOF
Or patch an existing ModulePullOverride:
kubectl patch mpo ${MODULES_MODULE_NAME} --type merge -p '{"spec":{"imageTag":"${MODULES_MODULE_TAG}"}}'
OUTER
lint_go:
runs-on: ubuntu-latest
name: Run go linter
steps:
- name: Set up Go ${{ env.GO_VERSION }}
uses: actions/setup-go@v5
with:
go-version: "${{ env.GO_VERSION }}"
- name: Install Task
uses: arduino/setup-task@v2
with:
version: 3.37.2
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Run lint virtualization-controller
run: |
task virtualization-controller:init
task virtualization-controller:lint:go
lint_yaml:
runs-on: ubuntu-latest
name: Run yaml linter
steps:
- name: Install Task
uses: arduino/setup-task@v2
with:
version: 3.37.2
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Lint yaml with prettier
run: task -p lint:prettier:yaml
test:
runs-on: ubuntu-latest
name: Run unit test
steps:
- name: Set up Go ${{ env.GO_VERSION }}
uses: actions/setup-go@v5
with:
go-version: "${{ env.GO_VERSION }}"
- name: Install Task
uses: arduino/setup-task@v2
with:
version: 3.37.2
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Run test hooks
run: |
task hooks:test
- name: Run unit test virtualization-controller
run: |
task virtualization-controller:init
task virtualization-controller:test:unit
dev_setup_build:
runs-on: ubuntu-latest
name: Build and Push images
needs: set_vars
env:
MODULES_MODULE_TAG: ${{needs.set_vars.outputs.modules_module_tag}}
MODULE_EDITION: ${{needs.set_vars.outputs.module_edition}}
WERF_VIRTUAL_MERGE: 0
steps:
- name: Print vars
run: |
echo MODULES_REGISTRY=$MODULES_REGISTRY
echo CI_COMMIT_REF_NAME=$CI_COMMIT_REF_NAME
echo MODULES_MODULE_NAME=$MODULES_MODULE_NAME
echo MODULES_MODULE_SOURCE=$MODULES_MODULE_SOURCE
echo MODULES_MODULE_TAG=$MODULES_MODULE_TAG
echo MODULE_EDITION=$MODULE_EDITION
- uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Remove unwanted software
uses: ./.github/actions/remove-unwanted-software
- uses: deckhouse/modules-actions/setup@v1
- uses: deckhouse/modules-actions/build@v1