rustls: optionally use WebPKI roots to avoid panicking on Android & iOS #2661
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: test | |
on: | |
pull_request: | |
env: | |
RUST_BACKTRACE: 1 | |
# Spend CI time only on latest ref: https://docs.github.com/en/actions/using-jobs/using-concurrency | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true | |
jobs: | |
unit: | |
strategy: | |
# Prevent GitHub from cancelling all in-progress jobs when a matrix job fails. | |
fail-fast: false | |
matrix: | |
os: [ubuntu-latest, macos-latest, windows-latest] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions-rs/toolchain@v1 | |
with: | |
override: true | |
toolchain: stable | |
profile: minimal | |
# Smart caching for Rust projects. | |
# Includes workaround for macos cache corruption. | |
# - https://github.com/rust-lang/cargo/issues/8603 | |
# - https://github.com/actions/cache/issues/403 | |
- uses: Swatinem/rust-cache@v2 | |
# Install OpenSSL Libraries for Windows | |
# - name: install openssl | |
# if: matrix.os == 'windows-latest' | |
# run: | | |
# $ErrorActionPreference = "Stop" | |
# choco install --verbose openssl | |
# openssl version | |
# refreshenv | |
# echo "OPENSSL_LIB_DIR=C:/Program Files/OpenSSL-Win64/lib" >> $env:GITHUB_ENV | |
# echo "OPENSSL_DIR=C:/Program Files/OpenSSL-Win64/" >> $env:GITHUB_ENV | |
# echo "OPENSSL_INCLUDE_DIR=C:/Program Files/OpenSSL-Win64/include" >> $env:GITHUB_ENV | |
# Real CI work starts here | |
- name: Build workspace | |
run: cargo build | |
- name: Build no-features | |
run: cargo build -p kube --no-default-features | |
if: matrix.os == 'ubuntu-latest' # only linux tests all feature combinations | |
- name: Build no-tls | |
run: cargo build -p kube --no-default-features --features=client | |
if: matrix.os == 'ubuntu-latest' # only linux tests all feature combinations | |
# Workspace unit tests with various feature sets | |
- name: Run workspace unit tests (no default features) | |
run: cargo test --workspace --lib --no-default-features -j6 | |
if: matrix.os == 'ubuntu-latest' # only linux tests all feature combinations | |
- name: Run workspace unit tests (default features) | |
run: cargo test --workspace --lib --exclude kube-examples --exclude e2e -j6 | |
if: matrix.os != 'macos-latest' | |
- name: Run workspace unit tests (all features) | |
if: matrix.os != 'windows-latest' | |
run: cargo test --workspace --lib --all-features --exclude kube-examples --exclude e2e -j6 | |
# Workspace documentation (all features only) | |
- name: Run workspace doc tests | |
run: cargo test --workspace --doc --all-features --exclude kube-examples --exclude e2e -j6 | |
if: matrix.os == 'ubuntu-latest' | |
- name: Run ad-hoc doc test verification | |
run: | | |
if rg "\`\`\`ignored"; then | |
echo "ignored doctests are not allowed, use compile_fail or no_run" | |
exit 1 | |
fi | |
if: matrix.os == 'ubuntu-latest' | |
# Examples | |
- name: Test examples | |
if: matrix.os != 'windows-latest' | |
run: cargo test -p kube-examples --examples -j6 | |
doc: | |
runs-on: ubuntu-latest | |
name: doc | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install nightly | |
uses: dtolnay/rust-toolchain@nightly | |
- name: cargo doc | |
run: cargo doc --no-deps --all-features | |
env: | |
RUSTDOCFLAGS: --cfg docsrs | |
msrv: | |
# Run `cargo check` on our minimum supported Rust version | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@main | |
- name: Find MSRV | |
id: msrv | |
run: | | |
MSRV=$(grep MSRV README.md | grep -oE "[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+") | |
echo $MSRV | |
echo "msrv=${MSRV}" >> $GITHUB_OUTPUT | |
- uses: actions-rs/toolchain@v1 | |
with: | |
toolchain: ${{ steps.msrv.outputs.msrv }} | |
profile: minimal | |
override: true | |
- uses: Swatinem/rust-cache@v2 | |
- name: Check | |
uses: actions-rs/cargo@v1 | |
with: | |
command: check | |
args: --workspace | |
- name: Check rust-version keys matches advertised MSRV | |
run: | | |
if ! cat Cargo.toml | grep "rust-version" | grep "${{ steps.msrv.outputs.msrv }}"; then | |
echo "msrv policy inconsistent with rust-version key" | |
exit 1 | |
fi | |
- name: Check devcontainer matches MSRV | |
run: | | |
versions=$(sed -nE 's|^FROM (.*/)?rust:([^ ]+)|\2|p' .devcontainer/Dockerfile) | |
echo "Versions: $versions" | |
mismatches=$(echo "$versions" | grep -v '^${{ steps.msrv.outputs.msrv }}' || true) | |
echo "Mismatches: $mismatches" | |
if [ -n "$mismatches" ]; then | |
echo "::error ::Devcontainer includes incorrect rust version(s): $mismatches" | |
exit 1 | |
fi | |
integration: | |
runs-on: ubuntu-latest | |
strategy: | |
# Prevent GitHub from cancelling all in-progress jobs when a matrix job fails. | |
fail-fast: false | |
matrix: | |
# Run these tests against older clusters as well | |
k8s: [v1.26, v1.30] | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions-rs/toolchain@v1 | |
with: | |
override: true | |
toolchain: stable | |
profile: minimal | |
# Smart caching for Rust projects. | |
# Includes workaround for macos cache corruption. | |
# - https://github.com/rust-lang/cargo/issues/8603 | |
# - https://github.com/actions/cache/issues/403 | |
- uses: Swatinem/rust-cache@v2 | |
- uses: nolar/setup-k3d-k3s@v1 | |
with: | |
version: ${{matrix.k8s}} | |
# k3d-kube | |
k3d-name: kube | |
# Used to avoid rate limits when fetching the releases from k3s repo. | |
# Anonymous access is limited to 60 requests / hour / worker | |
# github-token: ${{ secrets.GITHUB_TOKEN }} | |
k3d-args: "-p 10250:10250 --no-rollback --k3s-arg --disable=traefik,servicelb,metrics-server@server:*" | |
# Real CI work starts here | |
- name: Build workspace | |
run: cargo build | |
# Run the equivalent of `just integration` | |
- name: Run all integration library tests | |
run: cargo test --lib --workspace --exclude e2e --all-features -j6 -- --ignored | |
- name: Run crd example tests | |
run: cargo run -p kube-examples --example crd_api | |
- name: Run derive example tests | |
run: cargo run -p kube-examples --example crd_derive | |
mk8sv: | |
# comile check e2e tests against mk8sv | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Find MK8SV | |
id: mk8sv | |
run: | | |
MK8SV=$(grep MK8SV README.md | grep -oE "[[:digit:]]+\.[[:digit:]]+" | head -n 1) | |
echo $MK8SV | |
echo "mk8sv=${MK8SV}" >> $GITHUB_OUTPUT | |
echo "mk8svdash=v${MK8SV/\./_}" >> $GITHUB_OUTPUT | |
- name: Check ci jobs run against advertised MK8SV | |
run: | | |
if ! grep "${{ steps.mk8sv.outputs.mk8sv }}" -q .github/workflows/ci.yml; then | |
echo "mk8sv not set correctly in tests" | |
exit 1 | |
fi | |
if ! grep "${{ steps.mk8sv.outputs.mk8svdash }}" e2e/Cargo.toml | grep mk8sv; then | |
echo "mk8sv not set correctly in e2e features" | |
exit 1 | |
fi | |
- uses: actions-rs/toolchain@v1 | |
with: | |
override: true | |
toolchain: stable | |
profile: minimal | |
# Smart caching for Rust projects. | |
# Includes workaround for macos cache corruption. | |
# - https://github.com/rust-lang/cargo/issues/8603 | |
# - https://github.com/actions/cache/issues/403 | |
- uses: Swatinem/rust-cache@v2 | |
- uses: nolar/setup-k3d-k3s@v1 | |
with: | |
version: v1.26 | |
# k3d-kube | |
k3d-name: kube | |
# Used to avoid rate limits when fetching the releases from k3s repo. | |
# Anonymous access is limited to 60 requests / hour / worker | |
# github-token: ${{ secrets.GITHUB_TOKEN }} | |
k3d-args: "--no-lb --no-rollback --k3s-arg --disable=traefik,servicelb,metrics-server@server:*" | |
# Real CI work starts here | |
- name: Build workspace | |
run: cargo build | |
- name: boot openssl, latest k8s | |
run: cargo run -p e2e --bin boot --features=openssl,latest | |
- name: boot openssl, minimum supported k8s | |
run: cargo run -p e2e --bin boot --features=openssl,mk8sv | |
- name: boot rustls, latest k8s | |
run: cargo run -p e2e --bin boot --features=rustls,latest | |
- name: boot rustls, minimum supported k8s | |
run: cargo run -p e2e --bin boot --features=rustls,mk8sv | |
in-cluster: | |
# in-cluster e2e via docker on linux | |
runs-on: ubuntu-latest | |
strategy: | |
# Prevent GitHub from cancelling all in-progress jobs when a matrix job fails. | |
fail-fast: false | |
matrix: | |
tls: [openssl, rustls] | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/cache@v4 | |
with: | |
path: | | |
~/.cargo/registry/index | |
~/.cargo/registry/cache | |
~/.cargo/git | |
target | |
key: musl-cargo-${{ hashFiles('**/Cargo.toml') }}-${{matrix.tls}} | |
- uses: nolar/setup-k3d-k3s@v1 | |
with: | |
version: latest | |
# k3d-kube | |
k3d-name: kube | |
# Used to avoid rate limits when fetching the releases from k3s repo. | |
# Anonymous access is limited to 60 requests / hour / worker | |
# github-token: ${{ secrets.GITHUB_TOKEN }} | |
k3d-args: "--no-lb --no-rollback --k3s-arg --disable=traefik,servicelb,metrics-server@server:*" | |
- name: Compile e2e job against ${{matrix.tls}} | |
run: | | |
mkdir -p ~/.cargo/{git,registry} | |
docker run --rm -t \ | |
--mount type=bind,source=${{ github.workspace }},target=/volume \ | |
--mount type=bind,source=$HOME/.cargo/registry,target=/root/.cargo/registry \ | |
--mount type=bind,source=$HOME/.cargo/git,target=/root/.cargo/git \ | |
clux/muslrust:stable \ | |
cargo build -p e2e --release --bin=job --features=latest,${{matrix.tls}} -v | |
cp target/x86_64-unknown-linux-musl/release/job e2e/ | |
- name: Build image | |
run: "docker build -t clux/kube-e2e:${{ github.sha }} e2e/" | |
- name: Import image | |
run: "k3d image import clux/kube-e2e:${{ github.sha }} --cluster kube" | |
- run: sed -i 's/latest/${{ github.sha }}/g' e2e/deployment.yaml | |
- name: Create resource | |
run: kubectl apply -f e2e/deployment.yaml -n apps | |
- run: kubectl get all -n apps | |
- run: kubectl describe jobs/e2e -n apps | |
- name: Wait for job to complete | |
run: | | |
kubectl wait --for=condition=complete job/e2e -n apps --timeout=50s || kubectl logs -f job/e2e -n apps | |
kubectl get all -n apps | |
kubectl wait --for=condition=complete job/e2e -n apps --timeout=10s || kubectl get pods -n apps | grep e2e | grep Completed |