fix: Replace wildcards in RBAC objects with explicit resources and ve… #975
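# CI for the KEDA core Helm chart: lint the chart, then install it on kind
# clusters across a matrix of Kubernetes versions, namespaces, Azure Workload
# Identity on/off and cert-manager on/off, and check the CRDs and a sample
# ScaledObject.
name: Helm Chart CI (Core)
on:
  # Trigger the workflow on push or pull request,
  # but only for the main branch
  push:
    branches:
      - main
    paths:
      - '.github/workflows/ci-core.yml'
      - 'keda/**'
  pull_request:
    branches:
      - main
      - release/*
    paths:
      - '.github/workflows/ci-core.yml'
      - 'keda/**'

# One run per PR branch (or per run id on push); a newer run cancels the older.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

# Least privilege for GITHUB_TOKEN: the steps below only check out the
# repository and talk to a throwaway kind cluster, so read access to the
# repository contents is all the token needs.
permissions:
  contents: read

jobs:
  lint-helm-3-x:
    name: Lint Helm Chart
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): third-party actions in this file are referenced by
      # mutable tag; pinning each `uses:` to a full commit SHA keeps an
      # upstream retag from changing what runs here.
      - name: Check out code
        uses: actions/checkout@v2

      - name: Helm install
        uses: Azure/setup-helm@v3

      - name: Lint 'KEDA' Helm chart
        run: helm lint keda

  deploy-helm-3-x:
    name: Deploy to Kubernetes ${{ matrix.kubernetesVersion }} in '${{matrix.namespace}}' namespace (${{ (matrix.enableAzureWorkloadIdentity == true && 'With Azure Workload Identity') || 'Without Azure Workload Identity' }} | ${{ (matrix.enableCertManager == true && 'With cert-manager') || 'Without cert-manager' }})
    needs: lint-helm-3-x
    runs-on: ubuntu-latest
    strategy:
      # Let every matrix combination finish so one failure does not hide others.
      fail-fast: false
      matrix:
        enableAzureWorkloadIdentity: [false, true]
        kubernetesVersion: [v1.31, v1.30, v1.29, v1.23]
        namespace: ["keda", "not-keda"]
        enableCertManager: [false, true]
        include:
          # Azure Workload Identity
          - enableAzureWorkloadIdentity: true
            tenantId: contoso
            clientId: ABC
          - enableAzureWorkloadIdentity: false
            tenantId: ""
            clientId: ""
          # Images are defined on every Kind release
          # See https://github.com/kubernetes-sigs/kind/releases
          # Node images are pinned by digest, so the tag cannot be repointed.
          - kubernetesVersion: v1.31
            kindImage: kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7325357a1ac94ba865
          - kubernetesVersion: v1.30
            kindImage: kindest/node:v1.30.4@sha256:976ea815844d5fa93be213437e3ff5754cd599b040946b5cca43ca45c2047114
          - kubernetesVersion: v1.29
            kindImage: kindest/node:v1.29.0@sha256:eaa1450915475849a73a9227b8f201df25e55e268e5d619312131292e324d570
          - kubernetesVersion: v1.23
            kindImage: kindest/node:v1.23.17@sha256:59c989ff8a517a93127d4a536e7014d28e235fb3529d9fba91b3951d461edfdb
    steps:
      - name: Check out code
        uses: actions/checkout@v2

      - name: Helm install
        uses: Azure/setup-helm@v3

      # NOTE(review): `@main` follows a branch, so whatever lands upstream runs
      # in this job on the next build; pin to a full commit SHA (or at least a
      # release tag) like the node images above.
      - name: Create k8s ${{ matrix.kubernetesVersion }} Kind Cluster
        uses: helm/kind-action@main
        with:
          node_image: ${{ matrix.kindImage }}

      - name: Show Kubernetes version
        run: |
          kubectl version

      - name: Show Kubernetes nodes
        run: |
          kubectl get nodes -o wide

      - name: Show Helm version
        run: |
          helm version

      # Writes the Helm values used by the template/install steps below.
      # The ${{ matrix.* }} expressions are substituted by Actions before the
      # shell runs; they are safe to inline only because every matrix value is
      # a literal defined in this file.
      # NOTE(review): the nesting of the values in this heredoc was rebuilt
      # from key order; confirm it against keda/values.yaml.
      - name: Generate values
        run: |
          cat <<EOF > test-values.yaml
          image:
            keda:
              tag: main
            metricsApiServer:
              tag: main
            webhooks:
              tag: main
          podIdentity:
            azureWorkload:
              enabled: ${{ matrix.enableAzureWorkloadIdentity }}
              tenantId: ${{ matrix.tenantId }}
              clientId: ${{ matrix.clientId }}
          podDisruptionBudget:
            operator:
              maxUnavailable: 1
            metricServer:
              maxUnavailable: 1
            webhooks:
              maxUnavailable: 1
          prometheus:
            operator:
              enabled: true
              podMonitor:
                enabled: true
              serviceMonitor:
                enabled: true
                relabelings:
                  - regex: (go_.*)
                    action: drop
            webhooks:
              enabled: true
              serviceMonitor:
                enabled: true
                relabelings:
                  - regex: (go_.*)
                    action: drop
            metricServer:
              enabled: true
              serviceMonitor:
                enabled: true
                relabelings:
                  - regex: (go_.*)
                    action: drop
          webhooks:
            failurePolicy: Fail
          certificates:
            autoGenerated: true
            certManager:
              enabled: ${{ matrix.enableCertManager }}
              generateCA: true
          extraInitContainers:
            - name: hello-once
              args:
                - -c
                - "echo 'Hello World!'"
              command:
                - /bin/sh
              image: 'busybox:glibc'
          extraContainers:
            - name: hello-many
              args:
                - -c
                - "while true; do echo hi; sleep 300; done"
              command:
                - /bin/sh
              image: 'busybox:glibc'
          extraObjects:
            - apiVersion: keda.sh/v1alpha1
              kind: ClusterTriggerAuthentication
              metadata:
                name: aws-credentials
                namespace: keda
                annotations:
                  helm.sh/hook: post-install
              spec:
                podIdentity:
                  provider: aws-eks
          additionalAnnotations:
            sample: "annotation"
          service:
            additionalAnnotations:
              hello: "cloud-native world"
          EOF

      # Prometheus operator CRDs and cert-manager are installed for every
      # matrix combination, whether or not cert-manager is enabled in the
      # generated values.
      - name: Install deps
        run: |
          helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
          helm repo add jetstack https://charts.jetstack.io
          helm repo update
          helm install prometheus-stack prometheus-community/prometheus-operator-crds --namespace monitoring --create-namespace --wait
          helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true

      - name: Create KEDA's namespace (${{ matrix.namespace }})
        run: kubectl create ns ${{ matrix.namespace }}

      # Rendering first surfaces template errors before anything is applied.
      - name: Template Helm chart
        run: helm template keda ./keda/ --namespace ${{ matrix.namespace }} --values test-values.yaml

      - name: Install Helm chart
        run: helm install keda ./keda/ --namespace ${{ matrix.namespace }} --values test-values.yaml --wait

      # `if: always()` keeps the diagnostic listings running after a failed
      # install, which is when they are needed.
      - name: Show Kubernetes resources (KEDA)
        run: kubectl get all --namespace ${{ matrix.namespace }}
        if: always()

      - name: Show Kubernetes resources (Monitoring)
        run: kubectl get all --namespace monitoring
        if: always()

      - name: Get all CRDs
        run: kubectl get crds -o wide

      # Each `kubectl get crd/<name>` exits non-zero, failing the job, when the
      # chart did not install that CRD.
      - name: Verify clustertriggerauthentications.keda.sh CRD is installed
        run: kubectl get crd/clustertriggerauthentications.keda.sh -o wide

      - name: Verify triggerauthentications.keda.sh CRD is installed
        run: kubectl get crd/triggerauthentications.keda.sh -o wide

      - name: Verify scaledjobs.keda.sh CRD is installed
        run: kubectl get crd/scaledjobs.keda.sh -o wide

      - name: Verify scaledobjects.keda.sh CRD is installed
        run: kubectl get crd/scaledobjects.keda.sh -o wide

      - name: Verify cloudeventsources.eventing.keda.sh CRD is installed
        run: kubectl get crd/cloudeventsources.eventing.keda.sh -o wide

      - name: Verify clustercloudeventsources.eventing.keda.sh CRD is installed
        run: kubectl get crd/clustercloudeventsources.eventing.keda.sh -o wide

      - name: Get all ScaledObjects
        run: kubectl get scaledobjects -o wide

      - name: Get all ScaledJobs
        run: kubectl get scaledjobs -o wide

      - name: Get all TriggerAuthentication
        run: kubectl get triggerauth -o wide

      - name: Get all ClusterTriggerAuthentication
        run: kubectl get clustertriggerauth -o wide

      - name: Get all CloudEventSource
        run: kubectl get cloudeventsource -o wide

      - name: Deploy Nginx with autoscaling
        run: kubectl apply -f ./samples/nginx-scaledobject.yml

      - name: Get our Nginx ScaledObject
        run: kubectl get scaledobjects/nginx-autoscaling -o wide
        if: always()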