EVEREST-1799 get groups claim and validate permissions #3339
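---
# API CI: unit tests, lint/format checks and integration tests for the Everest
# API server and CLI, gated at the end by merge-gatekeeper.
name: API CI

on:
  push:
    paths-ignore:
      - 'ui/**'
      - '.github/workflows/dev-fe-ci.yaml'
    branches:
      - main
  pull_request:
    paths-ignore:
      - 'ui/**'
      - '.github/workflows/dev-fe-ci.yaml'

# Workflow-wide GITHUB_TOKEN scopes. They apply to every job that does not
# declare its own `permissions` and are inherited by the reusable workflow
# called from integration_tests_flows. The only visible consumer of a write
# scope in this file is reviewdog (pull-requests: write) in the `check` job;
# nothing here pushes to a GitHub registry, so `packages: write` appears
# unused — TODO(review): confirm against cli-tests.yml before narrowing.
permissions:
  contents: read
  packages: write
  checks: write
  pull-requests: write

jobs:
  test:
    name: Test
    timeout-minutes: 10
    # This job only builds and runs Go tests; it needs no write scope.
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
        go-version: ['1.23.x']
        may-fail: [false]
    continue-on-error: ${{ matrix.may-fail }}
    # NOTE(review): ubuntu-20.04 here, ubuntu-latest in `check` and
    # ubuntu-22.04 in merge-gatekeeper — confirm the 20.04 image is still
    # served before relying on it.
    runs-on: ubuntu-20.04
    steps:
      - name: Set up Go release
        uses: percona-platform/setup-go@v4
        with:
          go-version: ${{ matrix.go-version }}

      - name: Set GO_VERSION environment variable
        run: |
          go version
          echo "GO_VERSION=$(go version)" >> "$GITHUB_ENV"

      - name: Check out code into the Go module directory
        uses: actions/checkout@v4
        with:
          lfs: true
          # Empty on `push` events, so checkout falls back to the pushed commit.
          ref: ${{ github.event.pull_request.head.sha }}

      # `matrix.os` is not defined in this matrix and expanded to an empty
      # string, leaving keys such as `-go-1.23.x-modules-...`; `runner.os`
      # carries the platform the cache was built on.
      - name: Enable Go modules cache
        uses: percona-platform/cache@v3
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ matrix.go-version }}-modules-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-${{ matrix.go-version }}-modules-

      - name: Enable Go build cache
        uses: percona-platform/cache@v3
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-${{ matrix.go-version }}-build-${{ github.ref }}-${{ hashFiles('**') }}
          restore-keys: |
            ${{ runner.os }}-go-${{ matrix.go-version }}-build-${{ github.ref }}-
            ${{ runner.os }}-go-${{ matrix.go-version }}-build-

      - name: Download Go modules
        run: go mod download

      - name: Install development tools
        run: make init

      - name: Generate code
        run: make gen

      - name: Install binaries
        run: make build

      - name: Run tests
        run: |
          go clean -testcache
          make test-crosscover

      # NOTE(review): `git diff --exit-code` only reports tracked files, so a
      # newly generated, untracked file would pass this gate; a
      # `git status --porcelain` check would also catch those — confirm
      # `make gen` creates no expected untracked output before tightening.
      - name: Check that there are no source code changes
        run: |
          # Break job if any files were changed during its run (code generation, etc), except go.sum.
          # `go mod tidy` could remove old checksums from that file, and that's okay on CI,
          # and actually expected for PRs made by @dependabot.
          # Checksums of actually used modules are checked by previous `go` subcommands.
          pushd tools && go mod tidy -v && git checkout go.sum
          popd && go mod tidy -v && git checkout go.sum
          git diff --exit-code

      - name: Run debug commands on failure
        if: ${{ failure() }}
        run: |
          env
          go version
          go env
          pwd
          git status

  check:
    name: Check
    timeout-minutes: 10
    if: github.event_name == 'pull_request'
    strategy:
      fail-fast: false
      matrix:
        go-version: ['1.23.x']
        may-fail: [false]
    continue-on-error: ${{ matrix.may-fail }}
    runs-on: ubuntu-latest
    steps:
      # The matrix never contains 'tip', so the "Go tip" step below is
      # currently dormant — presumably kept for a future matrix entry.
      - name: Set up Go release
        if: matrix.go-version != 'tip'
        uses: actions/setup-go@v5
        with:
          go-version: ${{ matrix.go-version }}

      - name: Set up Go tip
        if: matrix.go-version == 'tip'
        run: |
          git clone --depth=1 https://go.googlesource.com/go "$HOME/gotip"
          cd "$HOME/gotip/src"
          ./make.bash
          echo "GOROOT=$HOME/gotip" >> "$GITHUB_ENV"
          echo "$HOME/gotip/bin" >> "$GITHUB_PATH"

      - name: Set GO_VERSION environment variable
        run: |
          go version
          echo "GO_VERSION=$(go version)" >> "$GITHUB_ENV"

      - name: Check out code into the Go module directory
        uses: actions/checkout@v4
        with:
          lfs: true
          ref: ${{ github.event.pull_request.head.sha }}

      # See the `test` job: `matrix.os` is undefined, `runner.os` is used instead.
      - name: Enable Go modules cache
        uses: actions/cache@v4
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ matrix.go-version }}-modules-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-${{ matrix.go-version }}-modules-

      - name: Enable Go build cache
        uses: actions/cache@v4
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-${{ matrix.go-version }}-build-${{ github.ref }}-${{ hashFiles('**') }}
          restore-keys: |
            ${{ runner.os }}-go-${{ matrix.go-version }}-build-${{ github.ref }}-
            ${{ runner.os }}-go-${{ matrix.go-version }}-build-

      - name: Download Go modules
        run: go mod download

      - name: Install tools
        run: make init

      # The token is handed to reviewdog through the step environment instead
      # of expanding the `${{ secrets... }}` expression inside the script text.
      # reviewdog with `-fail-on-error=true` fails the step on lint findings,
      # which is what keeps the pipe from masking golangci-lint's exit status.
      - name: Run linters
        env:
          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          bin/golangci-lint run --new --out-format=line-number | bin/reviewdog -f=golangci-lint -reporter=github-pr-review -filter-mode=nofilter -fail-on-error=true

      - name: Check that dev Helm chart is up-to-date
        run: |
          make update-dev-chart
          git diff --exit-code

      - name: Check that there are no source code changes
        run: |
          make format
          pushd tools && go mod tidy -v
          popd && go mod tidy -v
          git status
          git diff --exit-code

      - name: Check the Makefile references dev version
        run: |
          if ! grep -q "RELEASE_VERSION ?= v0.0.0" Makefile; then
            echo "default RELEASE_VERSION in Makefile should be 0.0.0"
            exit 1
          fi

      - name: Run debug commands on failure
        if: ${{ failure() }}
        run: |
          env
          go version
          go env
          pwd
          git status

  integration_tests_api:
    strategy:
      fail-fast: false
      matrix:
        go-version: ['1.23.x']
        may-fail: [false]
    name: API Integration Tests
    # No timeout-minutes is set, so the runner default of 360 minutes applies.
    runs-on: ubuntu-20.04
    # Everything below talks to a minikube cluster and a registry on the
    # runner itself; no GitHub write scope is needed.
    permissions:
      contents: read
    env:
      PERCONA_VERSION_SERVICE_URL: https://check-dev.percona.com/versions/v1
    steps:
      - name: Set up Go release
        uses: percona-platform/setup-go@v4
        with:
          go-version: ${{ matrix.go-version }}

      - name: Set GO_VERSION environment variable
        run: |
          go version
          echo "GO_VERSION=$(go version)" >> "$GITHUB_ENV"

      - name: Check out code into the Go module directory
        uses: actions/checkout@v4
        with:
          lfs: true
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0

      # See the `test` job: `matrix.os` is undefined, `runner.os` is used instead.
      - name: Enable Go modules cache
        uses: percona-platform/cache@v3
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ matrix.go-version }}-modules-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-${{ matrix.go-version }}-modules-

      - name: Enable Go build cache
        uses: percona-platform/cache@v3
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-${{ matrix.go-version }}-build-${{ github.ref }}-${{ hashFiles('**') }}
          restore-keys: |
            ${{ runner.os }}-go-${{ matrix.go-version }}-build-${{ github.ref }}-
            ${{ runner.os }}-go-${{ matrix.go-version }}-build-

      # NOTE(review): `@latest` is a moving ref, so the cluster setup is not
      # reproducible and any change to the action lands here unreviewed; pin
      # to a release tag or commit SHA.
      - name: Start local Kubernetes cluster with the local registry
        uses: medyagh/setup-minikube@latest
        id: minikube
        with:
          cpus: 2
          memory: 2000m
          addons: registry
          insecure-registry: 'localhost:5000'

      # The port-forward is backgrounded and not awaited; the image push in
      # "Build and Push everest dev image" relies on it being up by then.
      - name: Expose local registry
        run: |
          kubectl port-forward --namespace kube-system service/registry 5000:80 &

      - name: Build Everest API Server
        run: |
          CGO_ENABLED=0 GOOS=linux GOARCH=amd64 make build-debug

      - name: Build Everest docker container
        uses: docker/metadata-action@v5
        id: meta
        with:
          images: localhost:5000/perconalab/everest
          tags: |
            0.0.0

      - name: Build and Push everest dev image
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}

      # We need to have Everest CRDs available before running provisioning and everest API Server
      # to have an ability to create monitoring configs and use them during the provisioning as
      # a mock pmm server without running a real PMM.
      #
      # The bundle is pulled from the operator's `main` branch, so these tests
      # track whatever is on that branch at run time. `curl -f` makes an HTTP
      # error fail the step here instead of writing an error page into
      # bundle.yaml and failing later, obscurely, in `kubectl apply`.
      - name: Install everest operator without Everest
        run: |
          kubectl create ns everest-system
          kubectl create ns everest-monitoring
          curl -fsSL https://raw.githubusercontent.com/percona/everest-operator/main/deploy/bundle.yaml -o bundle.yaml
          sed -i "s/namespace: everest-operator-system/namespace: everest-system/g" bundle.yaml
          kubectl -n everest-system apply -f bundle.yaml

      # We create a dummy monitoring instance so we can enable monitoring during provisioning
      # without having to install PMM. The apiKey is a placeholder for the throwaway cluster.
      - name: Create a monitoring instance
        run: |
          cat <<EOF | kubectl apply -f -
          kind: Secret
          apiVersion: v1
          metadata:
            name: pmm-local
            namespace: everest-monitoring
          type: Opaque
          stringData:
            "apiKey": "dummy-key"
          EOF
          cat <<EOF | kubectl apply -f -
          kind: MonitoringConfig
          apiVersion: everest.percona.com/v1alpha1
          metadata:
            name: pmm-local
            namespace: everest-monitoring
          spec:
            type: pmm
            credentialsSecretName: pmm-local
            pmm:
              url: http://localhost
              image: percona/pmm-client:2
          EOF

      - name: Provision Everest using CLI
        shell: bash
        run: |
          make build-cli
          ./bin/everestctl install -v \
            --version 0.0.0 \
            --version-metadata-url https://check-dev.percona.com \
            --operator.mongodb \
            --operator.postgresql \
            --operator.xtradb-cluster \
            --skip-wizard \
            --namespaces everest \
            --helm.set server.image=localhost:5000/perconalab/everest \
            --helm.set server.apiRequestsRateLimit=200 \
            --helm.set versionMetadataURL=https://check-dev.percona.com

      - name: Expose Everest API Server
        run: |
          kubectl port-forward --namespace everest-system deployment/everest-server 8080:8080 &

      # Throwaway credentials scoped to the job's ephemeral minikube cluster.
      # The session token is exported as API_TOKEN for the test step below.
      - name: Create Everest test user
        run: |
          ./bin/everestctl accounts create -u everest_ci -p password
          echo "API_TOKEN=$(curl --location -s 'localhost:8080/v1/session' --header 'Content-Type: application/json' --data '{"username": "everest_ci","password": "password"}' | jq -r .token)" >> "$GITHUB_ENV"

      # Appends a `g, everest_ci, role:admin` line to policy.csv in the
      # everest-rbac ConfigMap, then prints the resulting policy for the log.
      - name: Add CI user to admin role
        run: |
          kubectl patch configmap everest-rbac -n everest-system --patch "$(kubectl get configmap everest-rbac -n everest-system -o json | jq '.data["policy.csv"] += "\ng, everest_ci, role:admin"' | jq '{data: { "policy.csv": .data["policy.csv"] } }')"
          kubectl get configmap everest-rbac -n everest-system -ojsonpath='{.data.policy\.csv}'

      - name: Run integration tests
        run: |
          cd api-tests
          make init
          make test

      - name: Run debug commands on failure
        if: ${{ failure() }}
        run: |
          kubectl -n everest-system describe pods
          kubectl -n everest-monitoring describe pods
          kubectl -n everest describe pods
          kubectl -n everest-system logs deploy/everest-server

  integration_tests_cli:
    name: CLI Integration Tests
    strategy:
      fail-fast: false
      matrix:
        go-version: ['1.23.x']
        may-fail: [false]
    # No timeout-minutes is set, so the runner default of 360 minutes applies.
    runs-on: ubuntu-20.04
    env:
      PERCONA_VERSION_SERVICE_URL: https://check-dev.percona.com/versions/v1
    steps:
      - name: Set up Go release
        uses: percona-platform/setup-go@v4
        with:
          go-version: ${{ matrix.go-version }}

      - name: Set GO_VERSION environment variable
        run: |
          go version
          echo "GO_VERSION=$(go version)" >> "$GITHUB_ENV"

      - name: Check out code into the Go module directory
        uses: actions/checkout@v4
        with:
          lfs: true
          ref: ${{ github.event.pull_request.head.sha }}

      # See the `test` job: `matrix.os` is undefined, `runner.os` is used instead.
      - name: Enable Go modules cache
        uses: percona-platform/cache@v3
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ matrix.go-version }}-modules-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-${{ matrix.go-version }}-modules-

      - name: Enable Go build cache
        uses: percona-platform/cache@v3
        with:
          path: ~/.cache/go-build
          key: ${{ runner.os }}-go-${{ matrix.go-version }}-build-${{ github.ref }}-${{ hashFiles('**') }}
          restore-keys: |
            ${{ runner.os }}-go-${{ matrix.go-version }}-build-${{ github.ref }}-
            ${{ runner.os }}-go-${{ matrix.go-version }}-build-

      # Second setup-go with the same version as the first step of this job;
      # presumably a leftover, kept as-is.
      - name: Set up Go release for CLI
        uses: percona-platform/setup-go@v4
        with:
          go-version: ${{ matrix.go-version }}

      - name: Build CLI binary
        run: |
          make init
          make build-cli

      # NOTE(review): the action ref on the next line is garbled in this copy
      # ("[email protected]"); restore it from the checked-in workflow and
      # prefer pinning it to a commit SHA.
      - name: Create KIND cluster
        uses: helm/[email protected]

      - name: Run integration tests
        working-directory: cli-tests
        id: cli-tests
        run: |
          make init
          make install-operators
          make test-cli

      - name: Attach the report
        if: ${{ always() && steps.cli-tests.outcome != 'skipped' }}
        uses: actions/upload-artifact@v4
        with:
          name: cli-tests-report
          path: cli-tests/test-report
          overwrite: true

  # Reusable workflow; `secrets: inherit` forwards every repository secret and
  # the called workflow runs with this file's workflow-level permissions.
  integration_tests_flows:
    strategy:
      fail-fast: false
      matrix:
        make_target:
          - 'test-all-operators'
          - 'test-mongo-operator'
          - 'test-pg-operator'
          - 'test-pxc-operator'
          - 'test-namespaces'
    name: CLI tests
    uses: ./.github/workflows/cli-tests.yml
    secrets: inherit
    with:
      make_target: ${{ matrix.make_target }}

  merge-gatekeeper:
    needs: [test, check, integration_tests_api, integration_tests_flows, integration_tests_cli]
    name: Merge Gatekeeper
    if: ${{ always() }}
    runs-on: ubuntu-22.04
    steps:
      # NOTE(review): the action ref on the next line is garbled in this copy
      # ("[email protected]"); restore it from the checked-in workflow and
      # prefer pinning it to a commit SHA.
      - name: Run Merge Gatekeeper
        uses: upsidr/[email protected]
        with:
          self: Merge Gatekeeper
          token: ${{ secrets.GITHUB_TOKEN }}
          interval: 45
          timeout: 300
          ignored: "license/snyk (Percona Everest), security/snyk (Percona Everest)"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}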