[security]fix: Vault Community Edition privilege escalation vulnerabi… #1508

Workflow file for this run

	name: Go
	on:
	push:
	branches:
	- main
	- release-v*
	- release/v*
	paths-ignore:
	- "docs/**"
	- "**.md"
	- "scripts/cleanup/**"
	- "CODEOWNERS"
	- "OWNERS"
	pull_request:
	branches:
	- main
	- release-v*
	- release/v*
	paths-ignore:
	- "docs/**"
	- "**.md"
	- "scripts/cleanup/**"
	- "CODEOWNERS"
	- "OWNERS"
	env:
	CI_WAIT_FOR_OK_SECONDS: 60
	CI_MAX_ITERATIONS_THRESHOLD: 60
	CI_CLIENT_CONCURRENT_CONNECTIONS: 1
	CI_MAX_WAIT_FOR_POD_TIME_SECONDS: 60
	CI_MIN_SUCCESS_THRESHOLD: 1
	FSM_HUMAN_DEBUG_LOG: true

	jobs:
	shellcheck:
	name: Shellcheck
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: ShellCheck
	run: shellcheck -x $(find . -name '*.sh')

	lint:
	name: Lint
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	cache: true
	- name: go build deps
	run: make embed-files-test
	- name: golangci-lint
	uses: golangci/golangci-lint-action@v6
	with:
	version: v1.61
	args: --allow-parallel-runners=true --tests=false --timeout=5m

	codegen:
	name: Codegen
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	cache: true
	- name: go mod tidy
	run: make go-mod-tidy
	- name: Codegen checks
	run: make check-codegen
	- name: Scripts checks
	run: make check-scripts
	- name: Manifests checks
	run: \|
	make manifests
	make check-manifests

	mocks:
	name: Mocks
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	cache: true
	- name: go mod tidy
	run: make go-mod-tidy
	- name: gomock checks
	run: make check-mocks

	charts:
	name: Chart checks
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	cache: true
	- name: chart checks
	run: make chart-checks

	build:
	name: Go build
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	cache: true
	- name: Package Helm Charts
	run: make charts-tgz
	- name: Go Build
	run: make build-ci

	unittest:
	name: Go test
	runs-on: ubuntu-latest
	needs: build
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	cache: true
	- name: go mod tidy
	run: make go-mod-tidy
	- name: Test
	run: make go-test-coverage
	- name: Upload Coverage
	if: ${{ success() }}
	uses: codecov/codecov-action@v4
	with:
	flags: unittests

	imagescan:
	name: Scan images for security vulnerabilities
	runs-on: ubuntu-latest
	env:
	CTR_TAG: ${{ github.sha }}
	CTR_REGISTRY: "localhost:5000"
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	cache: true
	- name: Build docker images
	env:
	DOCKER_BUILDX_OUTPUT: type=docker
	run: make docker-build-fsm
	- name: Setup Trivy
	run: make trivy-ci-setup
	- name: Scan docker images for vulnerabilities
	run: make trivy-scan-images

	mesh-e2e-test:
	name: Go mesh test e2e
	runs-on: ubuntu-latest
	needs: build
	strategy:
	matrix:
	k8s_version: [""]
	focus: [""]
	bucket: [1, 2, 3, 4, 5]
	include:
	- k8s_version: v1.19.16
	focus: "Test traffic flowing from client to server with a Kubernetes Service for the Source: HTTP"
	bucket: ".*"
	- k8s_version: v1.27.11
	focus: "Test traffic flowing from client to server with a Kubernetes Service for the Source: HTTP"
	bucket: ".*"
	env:
	CTR_TAG: ${{ github.sha }}
	CTR_REGISTRY: "localhost:5000" # unused for kind, but currently required in framework
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	cache: true
	- name: Build test dependencies
	env:
	DOCKER_BUILDX_OUTPUT: type=docker
	run: make docker-build-e2e build-fsm
	- name: Run tests
	id: test
	env:
	K8S_NAMESPACE: "fsm-system"
	run: \|
	export PATH=$PWD/bin:$PATH
	echo "PATH=$PATH"
	go test ./tests/e2e -test.v -ginkgo.v -ginkgo.progress -installType=KindCluster -kindClusterVersion='${{ matrix.k8s_version }}' -test.timeout 0 -test.failfast -ginkgo.failFast -ginkgo.focus='\[Bucket ${{ matrix.bucket }}\].*${{ matrix.focus }}'
	continue-on-error: true
	- name: Set Logs name
	if: ${{ steps.test.conclusion != 'skipped' }}
	run: \|
	if [[ -n "${{ matrix.k8s_version }}" ]]; then
	echo "ARTIFACT_NAME=test_logs_k8s_version_${{ matrix.k8s_version }}" >> $GITHUB_ENV
	else
	echo "ARTIFACT_NAME=test_logs_bucket_${{ matrix.bucket }}" >> $GITHUB_ENV
	fi
	- name: Upload test logs
	if: ${{ steps.test.conclusion != 'skipped' }}
	uses: actions/upload-artifact@v4
	with:
	name: ${{ env.ARTIFACT_NAME }}
	path: /tmp/test*/
	- name: Check continue tests
	if: ${{ steps.test.conclusion != 'skipped' && steps.test.outcome == 'failure'}}
	run: exit 1
	- name: Clean tests
	if: ${{ steps.test.conclusion != 'skipped' }}
	run: rm -rf /tmp/test*

	gateway-e2e-test:
	name: Go gateway test e2e
	runs-on: ubuntu-latest
	needs: build
	strategy:
	matrix:
	k8s_version: [""]
	focus: [""]
	bucket: [6]
	include:
	- k8s_version: v1.19.16
	focus: "Test traffic from client to backend service routing by FSM Gateway"
	bucket: ".*"
	- k8s_version: v1.21.14
	focus: "Test traffic from client to backend service routing by FSM Gateway"
	bucket: ".*"
	- k8s_version: v1.23.17
	focus: "Test traffic from client to backend service routing by FSM Gateway"
	bucket: ".*"
	env:
	CTR_TAG: ${{ github.sha }}
	CTR_REGISTRY: "localhost:5000" # unused for kind, but currently required in framework
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	cache: true
	- name: Build test dependencies
	env:
	DOCKER_BUILDX_OUTPUT: type=docker
	run: make docker-build-e2e build-fsm
	- name: Add hosts to /etc/hosts
	run: \|
	sudo echo "127.0.0.1 httptest.localhost" \| sudo tee -a /etc/hosts
	sudo echo "127.0.0.1 grpctest.localhost" \| sudo tee -a /etc/hosts
	sudo echo "127.0.0.1 tcptest.localhost" \| sudo tee -a /etc/hosts
	sudo echo "127.0.0.1 udptest.localhost" \| sudo tee -a /etc/hosts
	- name: Install gRPCurl
	run: \|
	go install github.com/fullstorydev/grpcurl/cmd/grpcurl@latest
	- name: Run tests
	id: test
	env:
	K8S_NAMESPACE: "fsm-system"
	run: \|
	export PATH=$PWD/bin:$PATH
	echo "PATH=$PATH"
	go test ./tests/e2e -test.v -ginkgo.v -ginkgo.progress -installType=KindCluster -kindClusterVersion='${{ matrix.k8s_version }}' -test.timeout 0 -test.failfast -ginkgo.failFast -ginkgo.focus='\[Bucket ${{ matrix.bucket }}\].*${{ matrix.focus }}'
	continue-on-error: true
	- name: Set Logs name
	if: ${{ steps.test.conclusion != 'skipped' }}
	run: \|
	if [[ -n "${{ matrix.k8s_version }}" ]]; then
	echo "ARTIFACT_NAME=test_logs_k8s_version_${{ matrix.k8s_version }}" >> $GITHUB_ENV
	else
	echo "ARTIFACT_NAME=test_logs_bucket_${{ matrix.bucket }}" >> $GITHUB_ENV
	fi
	- name: Upload test logs
	if: ${{ steps.test.conclusion != 'skipped' }}
	uses: actions/upload-artifact@v4
	with:
	name: ${{ env.ARTIFACT_NAME }}
	path: /tmp/test*/
	- name: Check continue tests
	if: ${{ steps.test.conclusion != 'skipped' && steps.test.outcome == 'failure'}}
	run: exit 1
	- name: Clean tests
	if: ${{ steps.test.conclusion != 'skipped' }}
	run: rm -rf /tmp/test*

	ingress-e2e-test:
	name: Go ingress test e2e
	runs-on: ubuntu-latest
	needs: build
	strategy:
	matrix:
	k8s_version: [ "" ]
	focus: [ "" ]
	bucket: [ 7 ]
	env:
	CTR_TAG: ${{ github.sha }}
	CTR_REGISTRY: "localhost:5000" # unused for kind, but currently required in framework
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	cache: true
	- name: Build test dependencies
	env:
	DOCKER_BUILDX_OUTPUT: type=docker
	run: make docker-build-e2e build-fsm
	- name: Add hosts to /etc/hosts
	run: \|
	sudo echo "127.0.0.1 httptest.localhost" \| sudo tee -a /etc/hosts
	- name: Run tests
	id: test
	env:
	K8S_NAMESPACE: "fsm-system"
	run: \|
	export PATH=$PWD/bin:$PATH
	echo "PATH=$PATH"
	go test ./tests/e2e -test.v -ginkgo.v -ginkgo.progress -installType=KindCluster -kindClusterVersion='${{ matrix.k8s_version }}' -test.timeout 0 -test.failfast -ginkgo.failFast -ginkgo.focus='\[Bucket ${{ matrix.bucket }}\].*${{ matrix.focus }}'
	continue-on-error: true
	- name: Set Logs name
	if: ${{ steps.test.conclusion != 'skipped' }}
	run: \|
	if [[ -n "${{ matrix.k8s_version }}" ]]; then
	echo "ARTIFACT_NAME=test_logs_k8s_version_${{ matrix.k8s_version }}" >> $GITHUB_ENV
	else
	echo "ARTIFACT_NAME=test_logs_bucket_${{ matrix.bucket }}" >> $GITHUB_ENV
	fi
	- name: Upload test logs
	if: ${{ steps.test.conclusion != 'skipped' }}
	uses: actions/upload-artifact@v4
	with:
	name: ${{ env.ARTIFACT_NAME }}
	path: /tmp/test*/
	- name: Check continue tests
	if: ${{ steps.test.conclusion != 'skipped' && steps.test.outcome == 'failure'}}
	run: exit 1
	- name: Clean tests
	if: ${{ steps.test.conclusion != 'skipped' }}
	run: rm -rf /tmp/test*

	mesh-retry-e2e-test:
	name: Go retry test e2e
	runs-on: ubuntu-latest
	needs: mesh-statefulset-e2e-test
	strategy:
	matrix:
	k8s_version: [""]
	focus: [""]
	bucket: [9]
	env:
	CTR_TAG: ${{ github.sha }}
	CTR_REGISTRY: "localhost:5000" # unused for kind, but currently required in framework
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	cache: true
	- name: Build test dependencies
	env:
	DOCKER_BUILDX_OUTPUT: type=docker
	run: make docker-build-e2e build-fsm
	- name: Run tests
	id: test
	env:
	K8S_NAMESPACE: "fsm-system"
	run: \|
	export PATH=$PWD/bin:$PATH
	echo "PATH=$PATH"
	go test ./tests/e2e -test.v -ginkgo.v -ginkgo.progress -installType=KindCluster -kindClusterVersion='${{ matrix.k8s_version }}' -test.timeout 0 -test.failfast -ginkgo.failFast -ginkgo.focus='\[Bucket ${{ matrix.bucket }}\].*${{ matrix.focus }}'
	continue-on-error: true
	- name: Set Logs name
	if: ${{ steps.test.conclusion != 'skipped' }}
	run: \|
	if [[ -n "${{ matrix.k8s_version }}" ]]; then
	echo "ARTIFACT_NAME=test_logs_k8s_version_${{ matrix.k8s_version }}" >> $GITHUB_ENV
	else
	echo "ARTIFACT_NAME=test_logs_bucket_${{ matrix.bucket }}" >> $GITHUB_ENV
	fi
	- name: Upload test logs
	if: ${{ steps.test.conclusion != 'skipped' }}
	uses: actions/upload-artifact@v4
	with:
	name: ${{ env.ARTIFACT_NAME }}
	path: /tmp/test*/
	- name: Check continue tests
	if: ${{ steps.test.conclusion != 'skipped' && steps.test.outcome == 'failure'}}
	run: exit 1
	- name: Clean tests
	if: ${{ steps.test.conclusion != 'skipped' }}
	run: rm -rf /tmp/test*

	mesh-statefulset-e2e-test:
	name: Go statefulset test e2e
	runs-on: ubuntu-latest
	needs: integration-tresor
	strategy:
	matrix:
	k8s_version: [""]
	focus: [""]
	bucket: [8]
	env:
	CTR_TAG: ${{ github.sha }}
	CTR_REGISTRY: "localhost:5000" # unused for kind, but currently required in framework
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	cache: true
	- name: Build test dependencies
	env:
	DOCKER_BUILDX_OUTPUT: type=docker
	run: make docker-build-e2e build-fsm
	- name: Run tests
	id: test
	env:
	K8S_NAMESPACE: "fsm-system"
	run: \|
	export PATH=$PWD/bin:$PATH
	echo "PATH=$PATH"
	go test ./tests/e2e -test.v -ginkgo.v -ginkgo.progress -installType=KindCluster -kindClusterVersion='${{ matrix.k8s_version }}' -test.timeout 0 -test.failfast -ginkgo.failFast -ginkgo.focus='\[Bucket ${{ matrix.bucket }}\].*${{ matrix.focus }}'
	continue-on-error: true
	- name: Set Logs name
	if: ${{ steps.test.conclusion != 'skipped' }}
	run: \|
	if [[ -n "${{ matrix.k8s_version }}" ]]; then
	echo "ARTIFACT_NAME=test_logs_k8s_version_${{ matrix.k8s_version }}" >> $GITHUB_ENV
	else
	echo "ARTIFACT_NAME=test_logs_bucket_${{ matrix.bucket }}" >> $GITHUB_ENV
	fi
	- name: Upload test logs
	if: ${{ steps.test.conclusion != 'skipped' }}
	uses: actions/upload-artifact@v4
	with:
	name: ${{ env.ARTIFACT_NAME }}
	path: /tmp/test*/
	- name: Check continue tests
	if: ${{ steps.test.conclusion != 'skipped' && steps.test.outcome == 'failure'}}
	run: exit 1
	- name: Clean tests
	if: ${{ steps.test.conclusion != 'skipped' }}
	run: rm -rf /tmp/test*

	integration-tresor:
	name: Integration Test with Tresor, SMI traffic policies, and egress disabled
	runs-on: ubuntu-latest
	needs: [build]
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	cache: true
	- name: Run Simulation w/ Tresor, SMI policies, egress disabled and reconciler disabled
	env:
	CERT_MANAGER: "tresor"
	BOOKSTORE_SVC: "bookstore"
	BOOKTHIEF_EXPECTED_RESPONSE_CODE: "0"
	ENABLE_EGRESS: "false"
	ENABLE_RECONCILER: "false"
	PERMISSIVE_MODE: "false"
	DEPLOY_TRAFFIC_SPLIT: "true"
	CTR_TAG: ${{ github.sha }}
	USE_PRIVATE_REGISTRY: "false"
	run: \|
	touch .env
	make kind-up
	./demo/run-fsm-demo.sh
	go run ./ci/cmd/maestro.go

	images:
	name: Docker Images
	runs-on: ubuntu-latest
	if: ${{ (github.ref == 'refs/heads/main' \|\| startsWith(github.ref, 'refs/heads/release-')) && github.event_name == 'push' }}
	env:
	DOCKER_USER: ${{ secrets.RELEASE_DOCKER_USER }}
	DOCKER_PASS: ${{ secrets.RELEASE_DOCKER_PASS }}
	CTR_REGISTRY: ${{ secrets.RELEASE_REGISTRY }}
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Docker Login
	run: docker login --username "$DOCKER_USER" --password-stdin <<< "$DOCKER_PASS"
	- name: Push images with "latest-main" tag
	env:
	CTR_TAG: latest-main
	run: make docker-build-cross

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[security]fix: Vault Community Edition privilege escalation vulnerabi… #1508

Workflow file

[security]fix: Vault Community Edition privilege escalation vulnerabi… #1508

Jobs

Run details

Workflow file for this run