Merge pull request #393 from wallarm/DE-41

Helm 4.8.9

.env.example

@@ -8,8 +8,7 @@ WALLARM_API_CA_VERIFY=True
 
 # Settings that related to smoke tests only
 CLIENT_ID=...
-USER_UUID=...
-USER_SECRET=...
+USER_TOKEN=...
 
 # Pytest arguments. Double quotes here must be used here
 # PYTEST_ARGS="--allure-features=Node"

.github/workflows/build.yaml

@@ -25,7 +25,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3.0.2
 
-      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2
+      - uses: dorny/paths-filter@ebc4d7e9ebcb0b1eb21480bb8f43113e996ac77a # v2.10.2
         id: filter
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -44,7 +44,7 @@ jobs:
       matrix: ${{ steps.items.outputs.matrix }}
     steps:
       - name: Import secrets
-        uses: hashicorp/vault-action@affa6f04da5c2d55e6e115b7d1b044a6b1af8c74 # v2.7.4
+        uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
         id: secrets
         with:
           exportEnv: false
@@ -60,7 +60,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3.0.2
 
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v2.0.0
+        uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v2.0.0
         with:
           version: latest
           use: false
@@ -111,7 +111,7 @@ jobs:
       matrix: ${{ fromJson(needs.build.outputs.matrix) }}
     steps:
       - name: Import secrets
-        uses: hashicorp/vault-action@affa6f04da5c2d55e6e115b7d1b044a6b1af8c74 # v2.7.4
+        uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
         id: secrets
         with:
           exportEnv: false
@@ -153,7 +153,7 @@ jobs:
           echo "sbom=${SBOM_SPDX}" >> $GITHUB_OUTPUT
           
       - name: Upload SBOM
-        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
         with:
           retention-days: 30
           name: ${{ steps.sign.outputs.sbom }}

.github/workflows/ci.yaml

@@ -28,7 +28,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
+      - uses: dorny/paths-filter@ebc4d7e9ebcb0b1eb21480bb8f43113e996ac77a # v3.0.1
         id: filter
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -86,7 +86,7 @@ jobs:
           nginx-ingress-controller:e2e
 
       - name: Cache controller images
-        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
         with:
           retention-days: 1
           name: controller-${{ env.ARCH }}.tar
@@ -107,16 +107,16 @@ jobs:
         ARCH: [amd64, arm64]
         include:
           - ARCH: amd64
-            RUNNER: self-hosted-amd64-1cpu
+            RUNNER: self-hosted-amd64-2cpu
           - ARCH: arm64
-            RUNNER: self-hosted-arm64-1cpu
+            RUNNER: self-hosted-arm64-2cpu
     env:
       ARCH: ${{ matrix.ARCH }}
       KIND_CLUSTER_NAME: kind-${{ matrix.k8s }}
       KUBECONFIG: $HOME/.kube/kind-config-${{ matrix.k8s }}
     steps:
       - name: Import secrets
-        uses: hashicorp/vault-action@affa6f04da5c2d55e6e115b7d1b044a6b1af8c74 # v2.7.4
+        uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
         id: secrets
         with:
           exportEnv: false
@@ -126,16 +126,18 @@ jobs:
           path: kubernetes-ci
           secrets: |
             kv-gitlab-ci/data/github/ingress api_token ;
-            kv-gitlab-ci/data/github/ingress user_secret ;
-            kv-gitlab-ci/data/github/ingress user_uuid ;
+            kv-gitlab-ci/data/github/ingress api_host ;
+            kv-gitlab-ci/data/github/ingress api_preset ;
+            kv-gitlab-ci/data/github/ingress user_token ;
+            kv-gitlab-ci/data/github/shared/allure allure_token ;
             kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_name ;
             kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_secret ;
 
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Load cache
-        uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110
+        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe
         with:
           name: controller-${{ env.ARCH }}.tar
 
@@ -150,15 +152,14 @@ jobs:
           SKIP_CLUSTER_CREATION: true
           SKIP_IMAGE_CREATION: true
           WALLARM_API_TOKEN: ${{ steps.secrets.outputs.api_token }}
-          USER_UUID: ${{ steps.secrets.outputs.user_uuid }}
-          USER_SECRET: ${{ steps.secrets.outputs.user_secret }}
+          WALLARM_API_HOST: ${{ steps.secrets.outputs.api_host }}
+          WALLARM_API_PRESET: ${{ steps.secrets.outputs.api_preset }}
+          USER_TOKEN: ${{ steps.secrets.outputs.user_token }}
           SMOKE_REGISTRY_TOKEN: ${{ steps.secrets.outputs.token_name }}
           SMOKE_REGISTRY_SECRET: ${{ steps.secrets.outputs.token_secret }}
           ALLURE_UPLOAD_REPORT: true
           ALLURE_GENERATE_REPORT: true
-          ALLURE_TOKEN: ${{ secrets.ALLURE_SERVER_TOKEN }}
-          ALLURE_ENDPOINT: ${{ secrets.ALLURE_SERVER_URL }}
-          ALLURE_PROJECT_ID: ${{ secrets.ALLURE_PROJECT_ID }}
+          ALLURE_TOKEN: ${{ steps.secrets.outputs.allure_token }}
           ALLURE_ENVIRONMENT_K8S: ${{ matrix.k8s }}
           ALLURE_ENVIRONMENT_ARCH: ${{ matrix.ARCH }}
         run: |
@@ -179,7 +180,7 @@ jobs:
         method: [ "install" ]
     steps:
       - name: Import secrets
-        uses: hashicorp/vault-action@affa6f04da5c2d55e6e115b7d1b044a6b1af8c74 # v2.7.4
+        uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
         id: secrets
         with:
           exportEnv: false
@@ -195,7 +196,7 @@ jobs:
           fetch-depth: 0
 
       - name: Load cache
-        uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110
+        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe
         with:
           name: controller-${{ env.ARCH }}.tar
 
@@ -231,7 +232,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Load controller build cache
-        uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110
+        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe
         with:
           name: controller-${{ env.ARCH }}.tar
 
@@ -263,27 +264,29 @@ jobs:
     env:
       ARCH: amd64
     strategy:
-      fail-fast: false # TODO: temporary for arm64 new arc testing
+      fail-fast: true
       matrix:
         k8s: [v1.24.12, v1.25.8, v1.26.3,v1.27.1, v1.28.0]
 
     steps:
       - name: Import secrets
-        uses: hashicorp/vault-action@affa6f04da5c2d55e6e115b7d1b044a6b1af8c74 # v2.7.4
+        uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
         id: secrets
         with:
           exportEnv: false
           url: ${{ secrets.VAULT_URL }}
           role: ${{ secrets.VAULT_ROLE }}
           method: kubernetes
           path: kubernetes-ci
-          secrets: kv-gitlab-ci/data/github/ingress api_token
+          secrets: |
+            kv-gitlab-ci/data/github/ingress api_token ;
+            kv-gitlab-ci/data/github/ingress api_host ;
 
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Load controller build cache
-        uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110
+        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe
         with:
           name: controller-${{ env.ARCH }}.tar
 
@@ -301,9 +304,10 @@ jobs:
           SKIP_E2E_IMAGE_CREATION: true
           WALLARM_ENABLED: true
           WALLARM_API_TOKEN: ${{ steps.secrets.outputs.api_token }}
+          WALLARM_API_HOST: ${{ steps.secrets.outputs.api_host }}
         run: |
           kind get kubeconfig > $HOME/.kube/kind-config-kind
-          make E2E_NODES=6 kind-e2e-test
+          make E2E_NODES=7 kind-e2e-test
 
   scan:
     name: Scan images
@@ -318,15 +322,15 @@ jobs:
       ARCH: amd64
     steps:
       - name: Load controller build cache
-        uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110
+        uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe
         with:
           name: controller-${{ env.ARCH }}.tar
 
       - name: Load controller images
         run: docker load -i controller-${{ env.ARCH }}.tar
 
       - name: Scan controller image
-        uses: anchore/scan-action@896d5f410043987c8fe18f60d91bf199e436840c
+        uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a
         with:
           image: "wallarm/ingress-controller:1.0.0-dev"
           fail-build: true

.github/workflows/helm-publish.yml

@@ -12,7 +12,7 @@ jobs:
   release:
     runs-on: self-hosted-amd64-1cpu
     outputs:
-      chart_version: ${{ steps.extract_tag.outputs.tag }}
+      chart_version: ${{ steps.check_release.outputs.tag }}
       release_type: ${{ steps.check_release.outputs.type }}
     steps:
       - name: Import secrets
@@ -25,128 +25,33 @@ jobs:
           method: kubernetes
           path: kubernetes-ci
           secrets: |
-            kv-gitlab-ci/data/github/shared/github_token token | GITHUB_TOKEN ;
+            kv-gitlab-ci/data/github/shared/github_token token ;
 
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 
-      - name: Extract tag name
-        id: extract_tag
-        run: |
-          X_TAG=$(echo ${GITHUB_REF#refs/*/} | sed 's/[+-].*$//g')
-          echo "X_TAG=${X_TAG}" >> $GITHUB_ENV
-          echo "tag=${X_TAG}" >> $GITHUB_OUTPUT
-
       - name: Check release type
         id: check_release
         run: |
           TYPE="production"
+          TAG=$(echo ${GITHUB_REF#refs/*/} | sed 's/[+-].*$//g')
           if [[ ${GITHUB_REF#refs/*/} =~ "rc" ]]; then
             TYPE="release-candidate"
+            TAG=${GITHUB_REF#refs/*/}
           fi
-          echo "Release type: ${TYPE}"
+          echo -e "Type: ${TYPE} \nTag: ${TAG}"
           echo "type=${TYPE}" >> $GITHUB_OUTPUT
+          echo "tag=${TAG}" >> $GITHUB_OUTPUT
 
-      - name: Publish Helm charts (Prod)
-        if: steps.check_release.outputs.type == 'production'
-        uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # master
+      - name: Publish Helm chart
+        uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260
         with:
-          token: ${{ steps.secrets.outputs.GITHUB_TOKEN }}
+          token: ${{ steps.secrets.outputs.token }}
           charts_dir: ./charts
           charts_url: https://charts.wallarm.com
           linting: off
           repository: helm-charts
           branch: main
-          target_dir: "wallarm-ingress"
+          target_dir: wallarm-ingress
           index_dir: .
-          app_version: "${{ env.X_TAG }}"
-          chart_version: "${{ env.X_TAG }}"
-
-      - name: Update chart name for RC versions
-        if: steps.check_release.outputs.type == 'release-candidate'
-        run: yq -y -i '.name = "wallarm-ingress-rc"' ./charts/ingress-nginx/Chart.yaml
-
-      - name: Publish Helm charts (RC)
-        if: steps.check_release.outputs.type == 'release-candidate'
-        uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # master
-        with:
-          token: ${{ steps.secrets.outputs.GITHUB_TOKEN }}
-          charts_dir: ./charts
-          charts_url: https://charts.wallarm.com
-          linting: off
-          repository: helm-charts
-          branch: main
-          target_dir: "wallarm-ingress-rc"
-          index_dir: .
-          app_version: "${{ env.X_TAG }}"
-          chart_version: "${{ env.X_TAG }}"
-
-  update_version:
-    name: Update package version
-    if: needs.release.outputs.release_type == 'production'
-    runs-on: self-hosted-amd64-1cpu
-    needs: release
-    steps:
-      - name: Import secrets
-        uses: hashicorp/vault-action@affa6f04da5c2d55e6e115b7d1b044a6b1af8c74 # v2.7.4
-        id: secrets
-        with:
-          exportEnv: true
-          url: ${{ secrets.VAULT_URL }}
-          role: ${{ secrets.VAULT_ROLE }}
-          method: kubernetes
-          path: kubernetes-ci
-          secrets: |
-            kv-gitlab-ci/data/github/shared/versions-repo-creds token_secret | GITLAB_TOKEN ;
-            kv-gitlab-ci/data/github/shared/versions-repo-creds token_secret | GITLAB_TOKEN_NAME ;
-            kv-gitlab-ci/data/github/shared/versions-repo-creds host | GITLAB_HOST ;
-            kv-gitlab-ci/data/github/shared/versions-repo-creds repo | GITLAB_REPO ;
-
-      - name: Update package version
-        env:
-          COMPONENT_NAME: wallarm-ingress-controller
-          COMPONENT_VERSION: ${{ needs.release.outputs.chart_version }}
-        run: |
-          PR_BRANCH="update/${COMPONENT_NAME}/${COMPONENT_VERSION}"
-          COMMIT_MESSAGE="Bump ${COMPONENT_NAME} version to ${COMPONENT_VERSION}"
-          GITLAB_REPO_URL="https://${GITLAB_TOKEN_NAME}:${GITLAB_TOKEN}@${GITLAB_HOST}/${GITLAB_REPO}"
-
-          git clone ${GITLAB_REPO_URL}
-          cd packages_versions
-          git checkout -b ${PR_BRANCH}
-          git config --local user.name 'project_808_bot'
-          git config --local user.email 'project808_bot@noreply.${GITLAB_HOST}'
-
-          cd packages_versions
-          cat latest.json | jq -r '.body."'"$COMPONENT_NAME"'" += ["'"$COMPONENT_VERSION"'"]' > latest.new.json
-          mv latest.new.json latest.json
-          git add latest.json
-          git commit -m "${COMMIT_MESSAGE}"
-          git push ${GITLAB_REPO_URL} ${PR_BRANCH}
-
-          glab auth login --hostname ${GITLAB_HOST} --token ${GITLAB_TOKEN}
-
-          echo "Creating merge request ..."
-          glab mr create \
-            --fill \
-            --yes \
-            --label ${COMPONENT_NAME} \
-            --source-branch ${PR_BRANCH} \
-            --repo https://${GITLAB_HOST}/${GITLAB_REPO}
-
-          echo "Approving merge request ..."
-          glab mr approve \
-            ${PR_BRANCH} \
-            --repo https://${GITLAB_HOST}/${GITLAB_REPO}
-          
-          # Sometimes merging is failed without delay
-          echo "Sleep ..."
-          sleep 20
-          
-          echo "Merging ..."
-          glab mr merge \
-            ${PR_BRANCH} \
-            --yes \
-            --remove-source-branch \
-            --when-pipeline-succeeds=false \
-            --repo https://${GITLAB_HOST}/${GITLAB_REPO}
+          chart_version: ${{ steps.check_release.outputs.tag }}

.github/workflows/scorecards.yml

@@ -51,14 +51,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@03e7845b7bfcd5e7fb63d1ae8c61b0e791134fab # v2.1.37
+        uses: github/codeql-action/upload-sarif@379614612a29c9e28f31f39a59013eb8012a51f0 # v2.1.37
         with:
           sarif_file: results.sarif