.github/workflows/ci.yml

name: CI
on: [pull_request]
env:
  GO_VERSION: 1.19.2
jobs:

  checks:
    name: Checks
    runs-on: ubuntu-latest

    services:
      vault:
        image: vault:1.6.2
        env:
          SKIP_SETCAP: true
          VAULT_DEV_ROOT_TOKEN_ID: 227e1cce-6bf7-30bb-2d2a-acc854318caf
        ports:
          - 8200:8200

    steps:

    - name: Set up Go
      uses: actions/setup-go@v4
      with:
        go-version: ${{ env.GO_VERSION }}

    - name: Check out code
      uses: actions/checkout@v3
      with:
        fetch-depth: 0 # chart testing fails otherwise

    - name: Check licenses
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: make license-check

    - name: Set up chart-testing
      uses: helm/chart-testing-action@v2.4.0

    - name: Run chart-testing
      run: ct lint --debug --config charts/testing.yaml

    - name: Setup test dependencies
      run: |
        sudo apt install opensc softhsm
        sudo mkdir -p /var/lib/softhsm/tokens/
        sudo softhsm2-util --init-token --free --label bank-vaults --so-pin banzai --pin banzai
        sudo pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --keypairgen --key-type rsa:2048 --pin banzai --token-label bank-vaults --label bank-vaults
        sudo chown -R runner:docker /etc/softhsm /var/lib/softhsm

    - name: Run verification
      run: make check
      env:
        VAULT_TOKEN: 227e1cce-6bf7-30bb-2d2a-acc854318caf

  build-bank-vaults:
    name: Build bank-vaults
    runs-on: ubuntu-latest

    steps:

      - name: Checkout
        uses: actions/checkout@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Build and push
        uses: docker/build-push-action@v4
        with:
          context: .
          file: ./Dockerfile
          tags: bank-vaults:latest
          outputs: type=docker,dest=/tmp/bank-vaults.tar

      - name: Upload artifact
        uses: actions/upload-artifact@v3
        with:
          name: bank-vaults
          path: /tmp/bank-vaults.tar

  build-vault-secrets-webhook:
    name: Build webhook
    runs-on: ubuntu-latest

    steps:

      - name: Checkout
        uses: actions/checkout@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Build and push
        uses: docker/build-push-action@v4
        with:
          context: .
          file: ./Dockerfile.webhook
          tags: vault-secrets-webhook:latest
          outputs: type=docker,dest=/tmp/vault-secrets-webhook.tar

      - name: Upload artifact
        uses: actions/upload-artifact@v3
        with:
          name: vault-secrets-webhook
          path: /tmp/vault-secrets-webhook.tar

  build-vault-operator:
    name: Build operator
    runs-on: ubuntu-latest

    steps:

      - name: Checkout
        uses: actions/checkout@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Build and push
        uses: docker/build-push-action@v4
        with:
          context: .
          file: ./Dockerfile.operator
          tags: vault-operator:latest
          outputs: type=docker,dest=/tmp/vault-operator.tar

      - name: Upload artifact
        uses: actions/upload-artifact@v3
        with:
          name: vault-operator
          path: /tmp/vault-operator.tar

  build-vault-env:
    name: Build vault-env
    runs-on: ubuntu-latest

    steps:

      - name: Checkout
        uses: actions/checkout@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Build and push
        uses: docker/build-push-action@v4
        with:
          context: .
          file: ./Dockerfile.vault-env
          tags: vault-env:latest
          outputs: type=docker,dest=/tmp/vault-env.tar

      - name: Upload artifact
        uses: actions/upload-artifact@v3
        with:
          name: vault-env
          path: /tmp/vault-env.tar

#    # Uncomment for debugging with SSH
#    - name: Setup upterm session
#      uses: lhotari/action-upterm@v1
#      with:
#        ## limits ssh access and adds the ssh public key for the user which triggered the workflow
#        limit-access-to-actor: true
#        ## limits ssh access and adds the ssh public keys of the listed GitHub users
#        limit-access-to-users: bonifaido

  acceptance-test:
    name: Acceptance test
    runs-on: ubuntu-latest
    needs: [build-bank-vaults, build-vault-operator, build-vault-env, build-vault-secrets-webhook]
    strategy:
      matrix:
        k8s_version: ["v1.25.8", "v1.24.12", "v1.23.17"]
        vault_version: ["1.13.1", "1.12.5", "1.11.9", "1.10.11"]
    env:
      KURUN_VERSION: "0.6.4"

    steps:

    - name: Set up Go
      uses: actions/setup-go@v4
      with:
        go-version: ${{ env.GO_VERSION }}

    - name: Checkout code
      uses: actions/checkout@v3

    - name: Start kind cluster
      run: |
        kind version
        kind create cluster --config test/kind.yaml --image kindest/node:${{ matrix.k8s_version }} --wait 1m

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v2

    - name: Download Bank-Vaults docker image
      uses: actions/download-artifact@v3
      with:
        name: bank-vaults
        path: /tmp

    - name: Download operator docker image
      uses: actions/download-artifact@v3
      with:
        name: vault-operator
        path: /tmp

    - name: Download vault-env docker image
      uses: actions/download-artifact@v3
      with:
        name: vault-env
        path: /tmp

    - name: Download webhook docker image
      uses: actions/download-artifact@v3
      with:
        name: vault-secrets-webhook
        path: /tmp

    - name: Load Docker images to kind
      run: |
        kind load image-archive /tmp/bank-vaults.tar
        kind load image-archive /tmp/vault-operator.tar
        kind load image-archive /tmp/vault-env.tar
        kind load image-archive /tmp/vault-secrets-webhook.tar

    - name: Install kurun
      run: |
        curl -Lo kurun https://github.com/banzaicloud/kurun/releases/download/${KURUN_VERSION}/kurun-linux-amd64 && chmod +x kurun && sudo mv kurun /usr/local/bin/

    - name: Acceptance test
      run: go test -v -timeout 900s -tags kubeall ./test
      env:
        VAULT_VERSION: ${{ matrix.vault_version }}

  multi-cluster-acceptance-test:
    name: Operator multi-cluster acceptance test
    runs-on: ubuntu-latest
    needs: build-vault-operator
    env:
      GO_VERSION: "1.19.2"
      K8S_VERSION: "v1.23.4"
      HELM_VERSION: "v3.8.0"
      KIND_VERSION: "v0.12.0"

    steps:

    - name: Set up Go
      uses: actions/setup-go@v4
      with:
        go-version: ${{ env.GO_VERSION }}

    - name: Checkout code
      uses: actions/checkout@v3

    - uses: azure/setup-helm@v3
      with:
         version: ${{ env.HELM_VERSION }}
         token: ${{ secrets.GITHUB_TOKEN }}

    - uses: engineerd/setup-kind@v0.5.0
      with:
        version: ${{ env.KIND_VERSION }}

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v2

    - name: Download operator docker image
      uses: actions/download-artifact@v3
      with:
        name: vault-operator
        path: /tmp

    - name: Install envtpl
      run: go install github.com/subfuzion/envtpl/...@428c2d7

    - name: Install cidr
      run: go install github.com/hankjacobs/cidr@master

    - name: Build the Helm charts
      run: |
        helm dep build ./charts/vault-operator

    - name: Operator Multi-DC Raft test
      run: |
        ./operator/deploy/multi-dc/test/multi-dc-raft.sh install