Merge branch 'main' into vishwahiremat/rad-credential-update-irsa

Signed-off-by: Vishwanath Hiremath <[email protected]>

.github/actions/create-kind-cluster/action.yaml

@@ -0,0 +1,148 @@
+name: "Create a KinD cluster"
+description: |
+  Create a KinD cluster.
+inputs:
+  secure:
+    description: "Whether the KinD cluster should be created with a secure local registry configuration"
+    required: false
+    default: "false"
+  temp-cert-dir:
+    description: "The temporary directory where the certificates are stored"
+    required: false
+    default: ""
+  kind-version:
+    description: "The version of KinD to install"
+    required: false
+    default: "v0.23.0"
+  with-local-registry:
+    description: "Whether the KinD cluster should be created with a local registry configuration"
+    required: false
+    default: "false"
+  registry-name:
+    description: "The name of the local registry"
+    required: true
+    default: "radius-registry"
+  registry-server:
+    description: "The server name for the local registry"
+    required: true
+    default: "localhost"
+  registry-port:
+    description: "The port for the local registry"
+    required: true
+    default: "5000"
+runs:
+  using: "composite"
+  steps:
+    - name: Install KinD
+      shell: bash
+      run: |
+        curl -sSLo "kind" "https://github.com/kubernetes-sigs/kind/releases/download/${{ inputs.kind-version }}/kind-linux-amd64"
+        chmod +x ./kind
+
+    - name: Create a KinD cluster without a local registry
+      if: ${{ inputs.with-local-registry == 'false' }}
+      shell: bash
+      run: |
+        # https://kind.sigs.k8s.io/docs/user/local-registry/
+        cat <<EOF | kind create cluster --config=-
+        kind: Cluster
+        apiVersion: kind.x-k8s.io/v1alpha4
+        EOF
+
+    - name: Create a KinD cluster with an insecure local registry
+      if: ${{ inputs.with-local-registry == 'true' && inputs.secure == 'false' }}
+      shell: bash
+      run: |
+        cat <<EOF | kind create cluster --config=-
+        kind: Cluster
+        apiVersion: kind.x-k8s.io/v1alpha4
+        containerdConfigPatches:
+        - |-
+          [plugins."io.containerd.grpc.v1.cri".registry]
+            config_path = "/etc/containerd/certs.d"
+        EOF
+
+        REGISTRY_DIR="/etc/containerd/certs.d/localhost:${{ inputs.registry-port }}"
+        for node in $(kind get nodes); do
+          docker exec "${node}" mkdir -p "${REGISTRY_DIR}"
+          cat <<EOF | docker exec -i "${node}" cp /dev/stdin "${REGISTRY_DIR}/hosts.toml"
+        [host."http://${{ inputs.registry-name }}:5000"]
+        EOF
+        done
+
+        if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${{ inputs.registry-name }}")" = 'null' ]; then
+          docker network connect "kind" "${reg_name}"
+        fi
+
+        cat <<EOF | kubectl apply -f -
+        apiVersion: v1
+        kind: ConfigMap
+        metadata:
+          name: local-registry-hosting
+          namespace: kube-public
+        data:
+          localRegistryHosting.v1: |
+            host: "localhost:${{ inputs.registry-port }}"
+            help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
+        EOF
+
+        # Reference: https://kind.sigs.k8s.io/docs/user/local-registry/
+
+    - name: Create a KinD cluster with a secure local registry
+      if: ${{ inputs.with-local-registry == 'true' && inputs.secure == 'true' }}
+      shell: bash
+      run: |
+        # Create the cluster with necessary configurations for the secure local registry
+        cat <<EOF | kind create cluster --config=-
+        kind: Cluster
+        apiVersion: kind.x-k8s.io/v1alpha4
+        nodes:
+        - role: control-plane
+          extraMounts:
+            - containerPath: "/etc/containerd/certs.d/${{ inputs.registry-name }}"
+              hostPath: "${{ inputs.temp-cert-dir }}/certs/${{ inputs.registry-server }}"
+        containerdConfigPatches:
+        - |-
+          [plugins."io.containerd.grpc.v1.cri".registry]
+            config_path = "/etc/containerd/certs.d"
+        EOF
+
+        # Create the directory for the certificates and add the certificate to the system trust store
+        LOCALHOST_DIR="/etc/containerd/certs.d/${{ inputs.registry-server }}:${{ inputs.registry-port }}"
+        RADIUS_DIR="/etc/containerd/certs.d/${{ inputs.registry-name }}:${{ inputs.registry-port }}"
+
+        for node in $(kind get nodes); do
+          docker exec "${node}" mkdir -p "${LOCALHOST_DIR}"
+          cat <<EOF | docker exec -i "${node}" cp /dev/stdin "${LOCALHOST_DIR}/hosts.toml"
+        [host."http://${{ inputs.registry-name }}:${{ inputs.registry-port }}"]
+          capabilities = ["pull", "resolve", "push"]
+          skip_verify = true
+        EOF
+
+          docker exec "${node}" mkdir -p "${RADIUS_DIR}"
+          cat <<EOF | docker exec -i "${node}" cp /dev/stdin "${RADIUS_DIR}/hosts.toml"
+        [host."http://${{ inputs.registry-name }}:${{ inputs.registry-port }}"]
+          capabilities = ["pull", "resolve", "push"]
+          skip_verify = true
+        EOF
+
+          docker exec "${node}" systemctl restart containerd
+        done
+
+        # Connect the registry to the KinD network
+        if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${{ inputs.registry-name }}")" = 'null' ]; then
+          docker network connect "kind" "${{ inputs.registry-name }}"
+        fi
+
+        # Document the local registry
+        cat <<EOF | kubectl apply -f -
+        apiVersion: v1
+        kind: ConfigMap
+        metadata:
+          name: local-registry-hosting
+          namespace: kube-public
+        data:
+          localRegistryHosting.v1: |
+            host: "${{ inputs.registry-name }}:${{ inputs.registry-port }}"
+            help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
+        EOF

.github/actions/create-local-registry/action.yaml

@@ -0,0 +1,123 @@
+name: "Create a local registry"
+description: |
+  This action creates a local registry for the images to be pushed to.
+  It uses the `docker` CLI to create a registry container and then starts it.
+  The registry is then available at `localhost:5000` by default.
+inputs:
+  secure:
+    description: "Whether the registry should be secure or not"
+    required: false
+    default: "false"
+  registry-name:
+    description: "The name of the local registry"
+    required: false
+    default: "radius-registry"
+  registry-server:
+    description: "The server name for the local registry"
+    required: false
+    default: "localhost"
+  registry-port:
+    description: "The port for the local registry"
+    required: false
+    default: "5000"
+outputs:
+  temp-cert-dir:
+    description: "The temporary directory where the certificates are stored"
+    value: ${{ steps.create-temp-cert-dir.outputs.TEMP_CERT_DIR }}
+runs:
+  using: "composite"
+  steps:
+    - name: Create temporary directory for certificates
+      if: ${{ inputs.secure == 'true' }}
+      shell: bash
+      id: create-temp-cert-dir
+      run: |
+        # Create a temporary directory to store the certificates
+        temp_cert_dir=$(mktemp -d 2>/dev/null || mktemp -d -t 'temp_cert_dir')
+        echo "TEMP_CERT_DIR=$temp_cert_dir" >> $GITHUB_OUTPUT
+
+    - name: Create certificates for local registry
+      if: ${{ inputs.secure == 'true' }}
+      shell: bash
+      run: |
+        create_openssl_cfg() {
+          CFG=$(
+            cat <<'EOF'
+        [req]
+        distinguished_name = subject
+        x509_extensions    = x509_ext
+        prompt             = no
+
+        [subject]
+        CN = localhost
+
+        [x509_ext]
+        basicConstraints        = critical, CA:TRUE
+        subjectKeyIdentifier    = hash
+        authorityKeyIdentifier  = keyid:always, issuer:always
+        keyUsage                = critical, cRLSign, digitalSignature, keyCertSign
+        nsComment               = "OpenSSL Generated Certificate"
+        subjectAltName          = @alt_names
+
+        [alt_names]
+        DNS.1 = ${{ inputs.registry-name }}
+        DNS.2 = ${{ inputs.registry-server }}
+        EOF
+          )
+          echo "$CFG"
+        }
+
+        TEMP_CERT_DIR=${{ steps.create-temp-cert-dir.outputs.TEMP_CERT_DIR }}
+
+        pushd $TEMP_CERT_DIR
+        # Create the directory for the certificates
+        mkdir -p certs/${{ inputs.registry-server }}
+
+        echo "==== Generate the openssl config"
+        create_openssl_cfg >req.cnf
+
+        echo "==== Create the self signed certificate certificate and client key files"
+        openssl req -x509 \
+          -nodes \
+          -days 365 \
+          -newkey rsa:4096 \
+          -keyout certs/${{ inputs.registry-server }}/client.key \
+          -out certs/${{ inputs.registry-server }}/client.crt \
+          -config req.cnf \
+          -sha256
+
+    - name: Add the certificate to the system trust store
+      if: ${{ inputs.secure == 'true' }}
+      shell: bash
+      run: |
+        TEMP_CERT_DIR=${{ steps.create-temp-cert-dir.outputs.TEMP_CERT_DIR }}
+        sudo apt install ca-certificates
+        sudo cp $TEMP_CERT_DIR/certs/${{ inputs.registry-server }}/client.crt /usr/local/share/ca-certificates/${{ inputs.registry-server }}.crt
+        sudo cp $TEMP_CERT_DIR/certs/${{ inputs.registry-server }}/client.crt /usr/local/share/ca-certificates/${{ inputs.registry-name }}.crt
+        sudo update-ca-certificates
+
+    - name: Create secure Docker registry
+      if: ${{ inputs.secure == 'true' }}
+      shell: bash
+      run: |
+        TEMP_CERT_DIR=${{ steps.create-temp-cert-dir.outputs.TEMP_CERT_DIR }}
+        echo "==== Create secure Docker registry"
+        docker run -d \
+          -p ${{ inputs.registry-port }}:5000 \
+          --restart=always \
+          --name ${{ inputs.registry-name }} \
+          -v $TEMP_CERT_DIR/certs/${{ inputs.registry-server }}:/certs \
+          -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/client.crt \
+          -e REGISTRY_HTTP_TLS_KEY=/certs/client.key \
+          registry:2
+
+    - name: Create insecure Docker registry
+      if: ${{ inputs.secure == 'false' }}
+      shell: bash
+      run: |
+        echo "==== Create insecure Docker registry"
+        docker run -d \
+          -p ${{ inputs.registry-port }}:5000 \
+          --restart=always \
+          --name ${{ inputs.registry-name }} \
+          registry:2

.github/actions/download-pr-data-artifact/action.yaml

@@ -29,7 +29,7 @@ runs:
           });
           let fs = require('fs');
           fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/pr_number.zip`, Buffer.from(download.data));
-    - name: 'Unzip artifact'
+    - name: "Unzip artifact"
       shell: bash
       run: unzip pr_number.zip
     - name: Set PR number

.github/actions/process-test-results/action.yaml

@@ -10,30 +10,30 @@ description: |
   test results format which is what we require.
     
     GOTESTSUM_OPTS: '--junitfile ./dist/unit_test_results_raw.xml'
-  
+
   Then running 'make <test target>' will do the right thing :)
 
 inputs:
   test_group_name:
-    description: 'Name to use for reporting (eg: Unit Tests)'
+    description: "Name to use for reporting (eg: Unit Tests)"
     required: true
   artifact_name:
-    description: 'Name to use for uploading artifacts (eg: unit_test_results)'
+    description: "Name to use for uploading artifacts (eg: unit_test_results)"
     required: true
   result_directory:
-    description: 'Directory containing result XML files. These should be in jUnit format. See the description of the action.'
+    description: "Directory containing result XML files. These should be in jUnit format. See the description of the action."
     required: true
 runs:
   using: "composite"
   steps:
     # The test results file output by gotestsum is missing file and line number on the XML elements
     # which is needed for the annotations to work. This script adds the missing information.
-    - name: 'Transform ${{ inputs.test_group_name }} Results'
+    - name: "Transform ${{ inputs.test_group_name }} Results"
       # Always is REQUIRED here. Otherwise, the action will be skipped when the unit tests fail, which
       # defeats the purpose. YES it is counterintuitive. This applies to all of the actions in this file.
       if: always()
-      id: 'process_files'
-      shell: 'bash'
+      id: "process_files"
+      shell: "bash"
       working-directory: ${{ github.workspace }}
       env:
         INPUT_DIRECTORY: ${{ inputs.result_directory }}
@@ -52,14 +52,14 @@ runs:
           python3 ./.github/scripts/transform_test_results.py $GITHUB_WORKSPACE "$INPUT_FILE" "$OUTPUT_FILE"
           echo "wrote ${OUTPUT_FILE}"
         done
-    - name: 'Create ${{ inputs.test_group_name }} Result Report'
+    - name: "Create ${{ inputs.test_group_name }} Result Report"
       uses: EnricoMi/publish-unit-test-result-action@v2
       if: always()
       with:
         check_name: ${{ inputs.test_group_name }}
         files: |
           ${{ inputs.result_directory }}/processed/*.xml
-    - name: 'Upload ${{ inputs.test_group_name }} Results'
+    - name: "Upload ${{ inputs.test_group_name }} Results"
       uses: actions/upload-artifact@v4
       if: always()
       with:

.github/actions/save-pr-as-artifact/action.yaml

@@ -8,10 +8,9 @@ runs:
       env:
         PR_NUMBER: ${{ github.event.number }}
       run: |
-          mkdir -p ./pr
-          echo $PR_NUMBER > ./pr/pr_number
+        mkdir -p ./pr
+        echo $PR_NUMBER > ./pr/pr_number
     - uses: actions/upload-artifact@v4
       with:
         name: pr_number
         path: pr/
-

.github/actions/setup-rad-cli/action.yaml

@@ -35,4 +35,3 @@ runs:
       shell: bash
       run: chmod +x rad
       working-directory: dist
-

.github/scripts/cleanup-cluster.sh

@@ -21,15 +21,15 @@ set -e
 echo "cleaning up cluster"
 
 # Delete all test resources in queuemessages.
-if kubectl get crd queuemessages.ucp.dev > /dev/null 2>&1; then
+if kubectl get crd queuemessages.ucp.dev >/dev/null 2>&1; then
     echo "delete all resources in queuemessages.ucp.dev"
     kubectl delete queuemessages.ucp.dev -n radius-system --all
 fi
 
 # Testing deletion of deployment.apps.
 
 # Delete all test resources in resources without proxy resource.
-if kubectl get crd resources.ucp.dev > /dev/null 2>&1; then
+if kubectl get crd resources.ucp.dev >/dev/null 2>&1; then
     echo "delete all resources in resources.ucp.dev"
     resources=$(kubectl get resources.ucp.dev -n radius-system --no-headers -o custom-columns=":metadata.name")
     for r in $resources; do

.github/scripts/curl-with-retries.sh

@@ -6,7 +6,7 @@
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-#    
+#
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software