Skip to content

Add missing permissions for operator role #2192

Add missing permissions for operator role

Add missing permissions for operator role #2192

---
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Test using secrets
on:
pull_request:
paths:
- '.github/*.sh'
- '.github/ct-redpanda.yaml'
- '.github/kind.yaml'
- '.github/workflows/pull_requests_from_origin.yaml'
- 'charts/**'
- 'charts/console/**'
- 'charts/redpanda/**'
- '!charts/connectors/**'
- '!charts/kminion/**'
- '!charts/operator/**'
- '!**/*.md'
defaults:
run:
shell: nix develop --impure --command bash {0}
jobs:
test:
if: ${{ github.event.pull_request.head.repo.full_name == 'redpanda-data/helm-charts' }}
name: "${{ matrix.version }}/${{ matrix.testvaluespattern }}: Run ct tests"
strategy:
matrix:
version:
# See also: https://redpandadata.atlassian.net/wiki/spaces/CORE/pages/16711857/Releases+Backports
- v23.3.20
- v24.1.16
- "" # Test the default / Most recent version of Redpanda.
testvaluespattern:
- '9[6-9]*' # some tests depend on a github secret that isn't available for fork PRs. Only run these tests in branch PRs.
fail-fast: false
runs-on: ubuntu-22.04
permissions:
contents: read
id-token: write
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ vars.RP_AWS_CRED_REGION }}
role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}
- uses: aws-actions/aws-secretsmanager-get-secrets@v2
with:
secret-ids: |
,sdlc/prod/github/redpanda_sample_license
parse-json-secrets: true
- uses: cachix/install-nix-action@v30
with:
github_access_token: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/checkout@v4
with:
fetch-depth: 0
- run: |
git checkout main
git checkout -
# we're excluding console from testing
# until we have a way to test it with Redpanda
- name: Run chart-testing (list-changed)
id: list-changed
run: |
changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }} --config .github/ct-redpanda.yaml)
echo "$changed"
if [[ -n "$changed" ]]; then
echo changed="true" >> "$GITHUB_OUTPUT"
fi
- name: Set up for matrix
if: steps.list-changed.outputs.changed == 'true'
run: |
echo bash -O extglob -c "rm -v charts/redpanda/ci/!(${{ matrix.testvaluespattern }})"
bash -O extglob -c "rm -v charts/redpanda/ci/!(${{ matrix.testvaluespattern }})"
- name: Create kind cluster
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
if: steps.list-changed.outputs.changed == 'true'
with:
config: .github/kind.yaml
- name: Check kind config worked
if: steps.list-changed.outputs.changed == 'true'
run: kubectl get nodes
- name: Annotate nodes for rack awareness
if: steps.list-changed.outputs.changed == 'true'
run: .github/annotate_kind_nodes.sh chart-testing
- name: Create redpanda license secret
if: steps.list-changed.outputs.changed == 'true'
env:
REDPANDA_LICENSE: ${{ env.REDPANDA_SAMPLE_LICENSE }}
run: |
if [ -z "$REDPANDA_LICENSE" ]; then echo "License is empty" ; exit 1; fi
envsubst \
< ./charts/redpanda/ci/97-license-key-values.yaml.tpl \
> ./charts/redpanda/ci/97-license-key-values.yaml
envsubst \
< ./charts/redpanda/ci/96-audit-logging-values.yaml.tpl \
> ./charts/redpanda/ci/96-audit-logging-values.yaml
kubectl create secret generic redpanda-license \
--from-literal=license-key="$REDPANDA_LICENSE" \
--dry-run=client \
-o yaml \
> redpanda-license.yaml.tmp
kubectl annotate -f redpanda-license.yaml.tmp \
helm.sh/hook-delete-policy="before-hook-creation" \
helm.sh/hook="pre-install" \
helm.sh/hook-weight="-100" \
--local \
--dry-run=none \
-o yaml \
> redpanda-license.yaml
rm redpanda-license.yaml.tmp
mv redpanda-license.yaml ./charts/redpanda/templates/
- name: Install cert-manager
if: steps.list-changed.outputs.changed == 'true'
run: task helm:install:cert-manager
- name: Install prometheus-operator
if: steps.list-changed.outputs.changed == 'true'
run: task helm:install:kube-prometheus-stack
- name: Install metallb
if: steps.list-changed.outputs.changed == 'true'
run: task helm:install:metallb
- name: Run chart-testing (install and upgrade)
if: steps.list-changed.outputs.changed == 'true'
run: |
ct install \
--github-groups \
--upgrade \
--config .github/ct-redpanda.yaml \
--helm-extra-set-args="--set=image.tag=${{ matrix.version }}" \
--skip-missing-values \
--target-branch ${{ github.event.repository.default_branch }}