Skip to content

rustls: optionally use WebPKI roots to avoid panicking on Android & iOS #2661

rustls: optionally use WebPKI roots to avoid panicking on Android & iOS

rustls: optionally use WebPKI roots to avoid panicking on Android & iOS #2661

Workflow file for this run

name: test
on:
pull_request:
env:
RUST_BACKTRACE: 1
# Spend CI time only on latest ref: https://docs.github.com/en/actions/using-jobs/using-concurrency
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
jobs:
unit:
strategy:
# Prevent GitHub from cancelling all in-progress jobs when a matrix job fails.
fail-fast: false
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions-rs/toolchain@v1
with:
override: true
toolchain: stable
profile: minimal
# Smart caching for Rust projects.
# Includes workaround for macos cache corruption.
# - https://github.com/rust-lang/cargo/issues/8603
# - https://github.com/actions/cache/issues/403
- uses: Swatinem/rust-cache@v2
# Install OpenSSL Libraries for Windows
# - name: install openssl
# if: matrix.os == 'windows-latest'
# run: |
# $ErrorActionPreference = "Stop"
# choco install --verbose openssl
# openssl version
# refreshenv
# echo "OPENSSL_LIB_DIR=C:/Program Files/OpenSSL-Win64/lib" >> $env:GITHUB_ENV
# echo "OPENSSL_DIR=C:/Program Files/OpenSSL-Win64/" >> $env:GITHUB_ENV
# echo "OPENSSL_INCLUDE_DIR=C:/Program Files/OpenSSL-Win64/include" >> $env:GITHUB_ENV
# Real CI work starts here
- name: Build workspace
run: cargo build
- name: Build no-features
run: cargo build -p kube --no-default-features
if: matrix.os == 'ubuntu-latest' # only linux tests all feature combinations
- name: Build no-tls
run: cargo build -p kube --no-default-features --features=client
if: matrix.os == 'ubuntu-latest' # only linux tests all feature combinations
# Workspace unit tests with various feature sets
- name: Run workspace unit tests (no default features)
run: cargo test --workspace --lib --no-default-features -j6
if: matrix.os == 'ubuntu-latest' # only linux tests all feature combinations
- name: Run workspace unit tests (default features)
run: cargo test --workspace --lib --exclude kube-examples --exclude e2e -j6
if: matrix.os != 'macos-latest'
- name: Run workspace unit tests (all features)
if: matrix.os != 'windows-latest'
run: cargo test --workspace --lib --all-features --exclude kube-examples --exclude e2e -j6
# Workspace documentation (all features only)
- name: Run workspace doc tests
run: cargo test --workspace --doc --all-features --exclude kube-examples --exclude e2e -j6
if: matrix.os == 'ubuntu-latest'
- name: Run ad-hoc doc test verification
run: |
if rg "\`\`\`ignored"; then
echo "ignored doctests are not allowed, use compile_fail or no_run"
exit 1
fi
if: matrix.os == 'ubuntu-latest'
# Examples
- name: Test examples
if: matrix.os != 'windows-latest'
run: cargo test -p kube-examples --examples -j6
doc:
runs-on: ubuntu-latest
name: doc
steps:
- uses: actions/checkout@v4
- name: Install nightly
uses: dtolnay/rust-toolchain@nightly
- name: cargo doc
run: cargo doc --no-deps --all-features
env:
RUSTDOCFLAGS: --cfg docsrs
msrv:
# Run `cargo check` on our minimum supported Rust version
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@main
- name: Find MSRV
id: msrv
run: |
MSRV=$(grep MSRV README.md | grep -oE "[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+")
echo $MSRV
echo "msrv=${MSRV}" >> $GITHUB_OUTPUT
- uses: actions-rs/toolchain@v1
with:
toolchain: ${{ steps.msrv.outputs.msrv }}
profile: minimal
override: true
- uses: Swatinem/rust-cache@v2
- name: Check
uses: actions-rs/cargo@v1
with:
command: check
args: --workspace
- name: Check rust-version keys matches advertised MSRV
run: |
if ! cat Cargo.toml | grep "rust-version" | grep "${{ steps.msrv.outputs.msrv }}"; then
echo "msrv policy inconsistent with rust-version key"
exit 1
fi
- name: Check devcontainer matches MSRV
run: |
versions=$(sed -nE 's|^FROM (.*/)?rust:([^ ]+)|\2|p' .devcontainer/Dockerfile)
echo "Versions: $versions"
mismatches=$(echo "$versions" | grep -v '^${{ steps.msrv.outputs.msrv }}' || true)
echo "Mismatches: $mismatches"
if [ -n "$mismatches" ]; then
echo "::error ::Devcontainer includes incorrect rust version(s): $mismatches"
exit 1
fi
integration:
runs-on: ubuntu-latest
strategy:
# Prevent GitHub from cancelling all in-progress jobs when a matrix job fails.
fail-fast: false
matrix:
# Run these tests against older clusters as well
k8s: [v1.26, v1.30]
steps:
- uses: actions/checkout@v4
- uses: actions-rs/toolchain@v1
with:
override: true
toolchain: stable
profile: minimal
# Smart caching for Rust projects.
# Includes workaround for macos cache corruption.
# - https://github.com/rust-lang/cargo/issues/8603
# - https://github.com/actions/cache/issues/403
- uses: Swatinem/rust-cache@v2
- uses: nolar/setup-k3d-k3s@v1
with:
version: ${{matrix.k8s}}
# k3d-kube
k3d-name: kube
# Used to avoid rate limits when fetching the releases from k3s repo.
# Anonymous access is limited to 60 requests / hour / worker
# github-token: ${{ secrets.GITHUB_TOKEN }}
k3d-args: "-p 10250:10250 --no-rollback --k3s-arg --disable=traefik,servicelb,metrics-server@server:*"
# Real CI work starts here
- name: Build workspace
run: cargo build
# Run the equivalent of `just integration`
- name: Run all integration library tests
run: cargo test --lib --workspace --exclude e2e --all-features -j6 -- --ignored
- name: Run crd example tests
run: cargo run -p kube-examples --example crd_api
- name: Run derive example tests
run: cargo run -p kube-examples --example crd_derive
mk8sv:
# comile check e2e tests against mk8sv
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Find MK8SV
id: mk8sv
run: |
MK8SV=$(grep MK8SV README.md | grep -oE "[[:digit:]]+\.[[:digit:]]+" | head -n 1)
echo $MK8SV
echo "mk8sv=${MK8SV}" >> $GITHUB_OUTPUT
echo "mk8svdash=v${MK8SV/\./_}" >> $GITHUB_OUTPUT
- name: Check ci jobs run against advertised MK8SV
run: |
if ! grep "${{ steps.mk8sv.outputs.mk8sv }}" -q .github/workflows/ci.yml; then
echo "mk8sv not set correctly in tests"
exit 1
fi
if ! grep "${{ steps.mk8sv.outputs.mk8svdash }}" e2e/Cargo.toml | grep mk8sv; then
echo "mk8sv not set correctly in e2e features"
exit 1
fi
- uses: actions-rs/toolchain@v1
with:
override: true
toolchain: stable
profile: minimal
# Smart caching for Rust projects.
# Includes workaround for macos cache corruption.
# - https://github.com/rust-lang/cargo/issues/8603
# - https://github.com/actions/cache/issues/403
- uses: Swatinem/rust-cache@v2
- uses: nolar/setup-k3d-k3s@v1
with:
version: v1.26
# k3d-kube
k3d-name: kube
# Used to avoid rate limits when fetching the releases from k3s repo.
# Anonymous access is limited to 60 requests / hour / worker
# github-token: ${{ secrets.GITHUB_TOKEN }}
k3d-args: "--no-lb --no-rollback --k3s-arg --disable=traefik,servicelb,metrics-server@server:*"
# Real CI work starts here
- name: Build workspace
run: cargo build
- name: boot openssl, latest k8s
run: cargo run -p e2e --bin boot --features=openssl,latest
- name: boot openssl, minimum supported k8s
run: cargo run -p e2e --bin boot --features=openssl,mk8sv
- name: boot rustls, latest k8s
run: cargo run -p e2e --bin boot --features=rustls,latest
- name: boot rustls, minimum supported k8s
run: cargo run -p e2e --bin boot --features=rustls,mk8sv
in-cluster:
# in-cluster e2e via docker on linux
runs-on: ubuntu-latest
strategy:
# Prevent GitHub from cancelling all in-progress jobs when a matrix job fails.
fail-fast: false
matrix:
tls: [openssl, rustls]
steps:
- uses: actions/checkout@v4
- uses: actions/cache@v4
with:
path: |
~/.cargo/registry/index
~/.cargo/registry/cache
~/.cargo/git
target
key: musl-cargo-${{ hashFiles('**/Cargo.toml') }}-${{matrix.tls}}
- uses: nolar/setup-k3d-k3s@v1
with:
version: latest
# k3d-kube
k3d-name: kube
# Used to avoid rate limits when fetching the releases from k3s repo.
# Anonymous access is limited to 60 requests / hour / worker
# github-token: ${{ secrets.GITHUB_TOKEN }}
k3d-args: "--no-lb --no-rollback --k3s-arg --disable=traefik,servicelb,metrics-server@server:*"
- name: Compile e2e job against ${{matrix.tls}}
run: |
mkdir -p ~/.cargo/{git,registry}
docker run --rm -t \
--mount type=bind,source=${{ github.workspace }},target=/volume \
--mount type=bind,source=$HOME/.cargo/registry,target=/root/.cargo/registry \
--mount type=bind,source=$HOME/.cargo/git,target=/root/.cargo/git \
clux/muslrust:stable \
cargo build -p e2e --release --bin=job --features=latest,${{matrix.tls}} -v
cp target/x86_64-unknown-linux-musl/release/job e2e/
- name: Build image
run: "docker build -t clux/kube-e2e:${{ github.sha }} e2e/"
- name: Import image
run: "k3d image import clux/kube-e2e:${{ github.sha }} --cluster kube"
- run: sed -i 's/latest/${{ github.sha }}/g' e2e/deployment.yaml
- name: Create resource
run: kubectl apply -f e2e/deployment.yaml -n apps
- run: kubectl get all -n apps
- run: kubectl describe jobs/e2e -n apps
- name: Wait for job to complete
run: |
kubectl wait --for=condition=complete job/e2e -n apps --timeout=50s || kubectl logs -f job/e2e -n apps
kubectl get all -n apps
kubectl wait --for=condition=complete job/e2e -n apps --timeout=10s || kubectl get pods -n apps | grep e2e | grep Completed