ci: add reusable gh actions

.github/actions/install-trustify-bundle/action.yml

@@ -0,0 +1,51 @@
+name: Install Trustify Bundle
+description: |
+  Install Trustify Operator.
+inputs:
+  bundle_image:
+    description: "image url for operator bundle container image"
+    required: false
+    default: ""
+  namespace:
+    description: "the namespace where Trustify should be installed"
+    required: false
+    default: ""
+  trustify_cr:
+    description: "JSON encoded Trustify Custom Resource (CR) string"
+    required: false
+    default: ""
+runs:
+  using: "composite"
+  steps:
+    - name: Install kubectl
+      shell: bash
+      run: |
+        if command -v kubectl >/dev/null 2>&1; then
+          echo "kubectl is already installed...yay"
+          exit 0
+        fi
+        curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+        sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+    - name: Install operator-sdk
+      shell: bash
+      run: |
+        if command -v operator-sdk >/dev/null 2>&1; then
+          echo "operator-sdk is already installed...yay"
+          exit 0
+        fi
+        curl -LO https://github.com/operator-framework/operator-sdk/releases/download/v1.35.0/operator-sdk_linux_amd64
+        sudo install -o root -g root -m 0755 operator-sdk_linux_amd64 /usr/local/bin/operator-sdk
+    - name: Install Trustify
+      env:
+        OPERATOR_BUNDLE_IMAGE: ${{ inputs.bundle_image }}
+        NAMESPACE: ${{ inputs.namespace }}
+        trustify_cr: ${{ inputs.trustify_cr }}
+      run: make install-trustify-bundle
+      working-directory: ${{ github.action_path }}/../../..
+      shell: bash
+    - name: Upload logs on fail
+      if: ${{ failure() }}
+      uses: actions/upload-artifact@v4
+      with:
+        name: debug-output
+        path: /tmp/trustify-bundle-debug

.github/actions/install-trustify/action.yml

@@ -0,0 +1,45 @@
+name: Install Trustify operator
+description: |
+  Install Trustify Operator.
+inputs:
+  operator-bundle-image:
+    description: "image url for operator bundle container image"
+    required: false
+    default: "ghcr.io/trustification/trustify-operator-bundle:latest"
+  server-image:
+    description: "image url for the server"
+    required: false
+    default: "ghcr.io/trustification/trustd:latest"
+  image-pull-policy:
+    description: "Image Pull Policy"
+    required: false
+    default: "Always"
+runs:
+  using: "composite"
+  steps:
+    - name: Install kubectl
+      shell: bash
+      run: |
+        if command -v kubectl >/dev/null 2>&1; then
+          echo "kubectl is already installed...yay"
+          exit 0
+        fi
+        curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+        sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+    - name: Install operator-sdk
+      shell: bash
+      run: |
+        if command -v operator-sdk >/dev/null 2>&1; then
+          echo "operator-sdk is already installed...yay"
+          exit 0
+        fi
+        curl -LO https://github.com/operator-framework/operator-sdk/releases/download/v1.35.0/operator-sdk_linux_amd64
+        sudo install -o root -g root -m 0755 operator-sdk_linux_amd64 /usr/local/bin/operator-sdk
+    - name: Install Trustify
+      run: |
+        export OPERATOR_BUNDLE_IMAGE="${{ inputs.operator-bundle-image }}"
+        export SERVER_IMAGE="${{ inputs.server-image }}"        
+        export IMAGE_PULL_POLICY="${{ inputs.image-pull-policy }}"
+        make install-trustify
+      working-directory: ${{ github.action_path }}/../../..
+      shell: bash

Makefile

@@ -0,0 +1,11 @@
+.PHONY: start-minikube
+start-minikube:
+	bash hack/start-minikube.sh
+
+.PHONY: install-trustify
+install-trustify:
+	bash hack/install-trustify.sh
+
+.PHONY: install-trustify-bundle
+install-trustify-bundle:
+	bash hack/install-trustify-bundle.sh

hack/install-trustify-bundle.sh

@@ -0,0 +1,99 @@
+#!/bin/bash
+
+set -e
+set -x
+set -o pipefail
+
+NAMESPACE="${NAMESPACE:-trustify}"
+OPERATOR_BUNDLE_IMAGE="${OPERATOR_BUNDLE_IMAGE:-ghcr.io/trustification/trustify-operator-bundle:latest}"
+TRUSTIFY_CR="${TRUSTIFY_CR:-}"
+TIMEOUT="${TIMEOUT:-15m}"
+
+if ! command -v kubectl >/dev/null 2>&1; then
+  echo "Please install kubectl. See https://kubernetes.io/docs/tasks/tools/"
+  exit 1
+fi
+
+if ! command -v operator-sdk >/dev/null 2>&1; then
+  echo "Please install operator-sdk. See https://sdk.operatorframework.io/docs/installation/"
+  exit 1
+fi
+
+debug() {
+  echo "Install Trustify FAILED!!!"
+  echo "What follows is some info that may be useful in debugging the failure"
+
+  kubectl get namespace "${NAMESPACE}" -o yaml || true
+  kubectl get --namespace "${NAMESPACE}" all || true
+  kubectl get --namespace "${NAMESPACE}" -o yaml \
+    subscriptions.operators.coreos.com,catalogsources.operators.coreos.com,installplans.operators.coreos.com,clusterserviceversions.operators.coreos.com \
+    || true
+  kubectl get --namespace "${NAMESPACE}" -o yaml trustifies.org.trustify/myapp || true
+
+  for pod in $(kubectl get pods -n "${NAMESPACE}" -o jsonpath='{.items[*].metadata.name}'); do
+    kubectl --namespace "${NAMESPACE}" describe pod "${pod}" || true
+  done
+  exit 1
+}
+trap 'debug' ERR
+
+run_bundle() {
+  kubectl auth can-i create namespace --all-namespaces
+  kubectl create namespace "${NAMESPACE}" || true
+  operator-sdk run bundle "${OPERATOR_BUNDLE_IMAGE}" --namespace "${NAMESPACE}" --timeout "${TIMEOUT}"
+
+  # If on MacOS, need to install `brew install coreutils` to get `timeout`
+  timeout 600s bash -c 'until kubectl get customresourcedefinitions.apiextensions.k8s.io trustifies.org.trustify; do sleep 30; done'
+  kubectl get clusterserviceversions.operators.coreos.com -n "${NAMESPACE}" -o yaml
+}
+
+install_trustify() {
+  echo "Waiting for the Trustify CRD to become available"
+  kubectl wait --namespace "${NAMESPACE}" --for=condition=established customresourcedefinitions.apiextensions.k8s.io/trustifies.org.trustify
+
+  echo "Waiting for the Trustify Operator to exist"
+  timeout 2m bash -c "until kubectl --namespace ${NAMESPACE} get deployment/trustify-operator; do sleep 10; done"
+
+  echo "Waiting for the Trustify Operator to become available"
+  kubectl rollout status --namespace "${NAMESPACE}" -w deployment/trustify-operator --timeout=600s
+
+  if [ -n "${TRUSTIFY_CR}" ]; then
+    echo "${TRUSTIFY_CR}" | kubectl apply --namespace "${NAMESPACE}" -f -
+  else
+    cat <<EOF | kubectl apply --namespace "${NAMESPACE}" -f -
+kind: Trustify
+apiVersion: org.trustify/v1alpha1
+metadata:
+  name: myapp
+spec: {}
+EOF
+  fi
+
+  # Want to see in github logs what we just created
+  kubectl get --namespace "${NAMESPACE}" -o yaml trustifies.org.trustify/myapp
+
+  # Wait for reconcile to finish
+  kubectl wait \
+    --namespace "${NAMESPACE}" \
+    --for=condition=Successful \
+    --timeout=600s \
+    trustifies.org.trustify/myapp
+
+  # Now wait for all the deployments
+  kubectl wait \
+    --namespace "${NAMESPACE}" \
+    --selector="app.kubernetes.io/part-of=myapp" \
+    --for=condition=Available \
+    --timeout=600s \
+    deployments.apps
+
+  kubectl get deployments.apps -n "${NAMESPACE}" -o yaml
+}
+
+kubectl get customresourcedefinitions.apiextensions.k8s.io clusterserviceversions.operators.coreos.com || operator-sdk olm install
+olm_namespace=$(kubectl get clusterserviceversions.operators.coreos.com --all-namespaces | grep packageserver | awk '{print $1}')
+kubectl rollout status -w deployment/olm-operator --namespace="${olm_namespace}"
+kubectl rollout status -w deployment/catalog-operator --namespace="${olm_namespace}"
+kubectl wait --namespace "${olm_namespace}" --for='jsonpath={.status.phase}'=Succeeded clusterserviceversions.operators.coreos.com packageserver
+kubectl get customresourcedefinitions.apiextensions.k8s.io org.trustify || run_bundle
+install_trustify

hack/install-trustify.sh

@@ -0,0 +1,98 @@
+#!/bin/bash
+
+set -e
+set -x
+
+# Figure out where we are being run from.
+# This relies on script being run from:
+#  - ${PROJECT_ROOT}/hack/install-trustify.sh
+#  - ${PROJECT_ROOT}/bin/install-trustify.sh
+__dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+__root="$(cd "$(dirname "${__dir}")" && pwd)"
+__repo="$(basename "${__root}")"
+__bin_dir="${__root}/bin"
+__os="$(uname -s | tr '[:upper:]' '[:lower:]')"
+__arch="$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')"
+
+# Update PATH for execution of this script
+export PATH="${__bin_dir}:${PATH}"
+
+NAMESPACE="${NAMESPACE:-trustify}"
+OPERATOR_BUNDLE_IMAGE="${OPERATOR_BUNDLE_IMAGE:-ghcr.io/trustification/trustify-operator-bundle:latest}"
+SERVER_IMAGE="${SERVER_IMAGE:-ghcr.io/trustification/trustd:latest}"
+IMAGE_PULL_POLICY="${IMAGE_PULL_POLICY:-Always}"
+TIMEOUT="${TIMEOUT:-15m}"
+
+if ! command -v kubectl >/dev/null 2>&1; then
+  kubectl_bin="${__bin_dir}/kubectl"
+  mkdir -p "${__bin_dir}"
+  curl -Lo "${kubectl_bin}" "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/${__os}/${__arch}/kubectl"
+  chmod +x "${kubectl_bin}"
+fi
+
+if ! command -v operator-sdk1 >/dev/null 2>&1; then
+  operator_sdk_bin="${__bin_dir}/operator-sdk"
+  mkdir -p "${__bin_dir}"
+
+  version=$(curl --silent "https://api.github.com/repos/operator-framework/operator-sdk/releases/latest" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/')
+  curl -Lo "${operator_sdk_bin}" "https://github.com/operator-framework/operator-sdk/releases/download/${version}/operator-sdk_${__os}_${__arch}"
+  chmod +x "${operator_sdk_bin}"
+fi
+
+install_operator() {
+  kubectl auth can-i create namespace --all-namespaces
+  kubectl create namespace ${NAMESPACE} || true
+  operator-sdk run bundle "${OPERATOR_BUNDLE_IMAGE}" --namespace "${NAMESPACE}" --timeout "${TIMEOUT}"
+
+  # If on MacOS, need to install `brew install coreutils` to get `timeout`
+  timeout 600s bash -c 'until kubectl get customresourcedefinitions.apiextensions.k8s.io trustifies.org.trustify; do sleep 30; done' \
+  || kubectl get subscription --namespace ${NAMESPACE} -o yaml trustify-operator # Print subscription details when timed out
+}
+
+kubectl get customresourcedefinitions.apiextensions.k8s.io clusterserviceversions.operators.coreos.com || operator-sdk olm install
+olm_namespace=$(kubectl get clusterserviceversions.operators.coreos.com --all-namespaces | grep packageserver | awk '{print $1}')
+kubectl rollout status -w deployment/olm-operator --namespace="${olm_namespace}"
+kubectl rollout status -w deployment/catalog-operator --namespace="${olm_namespace}"
+kubectl wait --namespace "${olm_namespace}" --for='jsonpath={.status.phase}'=Succeeded clusterserviceversions.operators.coreos.com packageserver
+kubectl get customresourcedefinitions.apiextensions.k8s.io org.trustify || install_operator
+
+
+# Create, and wait for, trustify
+kubectl wait \
+  --namespace ${NAMESPACE} \
+  --for=condition=established \
+  customresourcedefinitions.apiextensions.k8s.io/trustifies.org.trustify
+cat <<EOF | kubectl apply -f -
+kind: Trustify
+apiVersion: org.trustify/v1alpha1
+metadata:
+  name: myapp
+  namespace: ${NAMESPACE}
+spec:
+  serverImage: ${SERVER_IMAGE}
+  imagePullPolicy: ${IMAGE_PULL_POLICY}
+EOF
+# Wait for reconcile to finish
+kubectl wait \
+  --namespace ${NAMESPACE} \
+  --for=condition=Successful \
+  --timeout=600s \
+  trustifies.org.trustify/myapp \
+|| kubectl get \
+  --namespace ${NAMESPACE} \
+  -o yaml \
+  trustifies.org.trustify/myapp # Print trustify debug when timed out
+
+# Now wait for all the trustify deployments
+kubectl wait \
+  --namespace ${NAMESPACE} \
+  --selector="app.kubernetes.io/part-of=myapp" \
+  --for=condition=Available \
+  --timeout=600s \
+  deployments.apps \
+|| kubectl get \
+  --namespace ${NAMESPACE} \
+  --selector="app.kubernetes.io/part-of=myapp" \
+  --field-selector=status.phase!=Running  \
+  -o yaml \
+  pods # Print not running trustify pods when timed out

hack/start-minikube.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+set -e
+set -x
+
+# Inputs via environment variables
+MINIKUBE_DRIVER="${MINIKUBE_DRIVER:-}"
+MINIKUBE_CONTAINER_RUNTIME="${MINIKUBE_CONTAINER_RUNTIME:-}"
+MINIKUBE_KUBERNETES_VERSION="${MINIKUBE_KUBERNETES_VERSION:-}"
+MINIKUBE_CPUS="${MINIKUBE_CPUS:-}"
+MINIKUBE_MEMORY="${MINIKUBE_MEMORY:-}"
+MINIKUBE_CNI="${MINIKUBE_CNI:-}"
+
+# Check pre-reqs
+# May want to leave this for the user to install
+if ! command -v minikube >/dev/null 2>&1; then
+  echo "Please install minikube"
+  exit 1
+fi
+
+# Start minikube if not already started
+if ! minikube status; then
+  ARGS=""
+  [ -z "${MINIKUBE_DRIVER}" ] || \
+    ARGS+=" --driver=${MINIKUBE_DRIVER}"
+  [ -z "${MINIKUBE_CONTAINER_RUNTIME}" ] || \
+    ARGS+=" --container-runtime=${MINIKUBE_CONTAINER_RUNTIME}"
+  [ -z "${MINIKUBE_KUBERNETES_VERSION}" ] || \
+    ARGS+=" --kubernetes-version=${MINIKUBE_KUBERNETES_VERSION}"
+  [ -z "${MINIKUBE_CPUS}" ] || \
+    ARGS+=" --cpus=${MINIKUBE_CPUS}"
+  [ -z "${MINIKUBE_MEMORY}" ] || \
+    ARGS+=" --memory=${MINIKUBE_MEMORY}"
+  [ -z "${MINIKUBE_CNI}" ] || \
+    ARGS+=" --cni=${MINIKUBE_CNI}"
+  set -x
+  minikube start ${ARGS}
+fi
+
+# Enable ingress
+minikube addons enable ingress