Add Vault authentication for extended rke images in CI workflow

2025-09-17 23:49:06 +00:00 · 2025-08-13 18:50:22 +05:30
parent de306c29f0
commit d206b9303c
3 changed files with 53 additions and 1 deletions
--- a/.github/workflows/test-cni.yaml
+++ b/.github/workflows/test-cni.yaml
@@ -14,6 +14,7 @@ jobs:
  integration-cni-tests:
    permissions:
      contents: read
+      id-token: write
    runs-on: runs-on,runner=4cpu-linux-x64,run-id=${{ github.run_id }}
    timeout-minutes: 60
    strategy:
@@ -26,6 +27,13 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
+      - name: Retrieve Stage Registry Credentials from Vault
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/stage-registry/rancher/rke-extended-life/credentials endpoint | STAGE_REGISTRY_ENDPOINT ;
+            secret/data/github/repo/${{ github.repository }}/stage-registry/rancher/rke-extended-life/credentials username | STAGE_REGISTRY_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/stage-registry/rancher/rke-extended-life/credentials password | STAGE_REGISTRY_PASSWORD
      - name: Run ${{ matrix.cni }} check
        run: |
          ./scripts/build
--- a/.github/workflows/workflow.yaml
+++ b/.github/workflows/workflow.yaml
@@ -68,12 +68,20 @@ jobs:
  integration-ci:
    permissions:
      contents: read
+      id-token: write 
    runs-on: runs-on,runner=4cpu-linux-x64,run-id=${{ github.run_id }}
    timeout-minutes: 30
    if: github.event_name == 'pull_request'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
+      - name: Retrieve Stage Registry Credentials from Vault
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/stage-registry/rancher/rke-extended-life/credentials endpoint | STAGE_REGISTRY_ENDPOINT ;
+            secret/data/github/repo/${{ github.repository }}/stage-registry/rancher/rke-extended-life/credentials username | STAGE_REGISTRY_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/stage-registry/rancher/rke-extended-life/credentials password | STAGE_REGISTRY_PASSWORD
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
@@ -81,7 +89,6 @@ jobs:
      - name: Run CI
        run: |
          ./scripts/integration-ci
-
  github-pre-release:
    permissions:
      contents: write
--- a/scripts/integration
+++ b/scripts/integration
@@ -79,10 +79,17 @@ if [ "$default_version_found" == "false" ]; then
 fi

 for ver in "${!versions_to_test[@]}"; do
+
    version_to_test=${versions_to_test["${ver}"]}
    echo_with_time "Testing version ${version_to_test}"

+    MAJOR_VERSION=$(echo ${version_to_test} | cut -d. -f1 | sed 's/v//')
    MINOR_VERSION=$(echo ${version_to_test} | cut -d. -f2)
+    if [ ${MAJOR_VERSION} -eq 1 ] && [ ${MINOR_VERSION} -lt 31 ]; then
+        echo_with_time "Skipping checks for k8s version ${version_to_test} (<1.31)"
+        continue
+    fi
+
    if [ ${MINOR_VERSION} -ge 30 ] && [ "${NETWORK_PLUGIN}" == "weave" ]; then
        echo "Skipping weave testing with ${version_to_test} since weave is not supported for version >=1.30.0"
        continue
@@ -115,6 +122,11 @@ services:
  kube-api:
    extra_env:
    - TEST_VAR=kube-api
+private_registries:
+- url: ${STAGE_REGISTRY_ENDPOINT}
+  user: ${STAGE_REGISTRY_USERNAME}
+  password: ${STAGE_REGISTRY_PASSWORD}
+  is_default: true
 EOF

    if [ "x${NETWORK_PLUGIN}" != "x" ]; then
@@ -229,7 +241,32 @@ for ver in "${!versions_to_test[@]}"; do
    # Example $all_versions: "v1.16.15-rancher1-2 v1.17.12-rancher1-1 v1.18.9-rancher1-1 v1.19.2-rancher1-1"
    upgrade_to_version=$(echo $all_versions | grep -oP '(?<='"${versions_to_test["${ver}"]}"' )[^ ]*')

+    if [ -z "${upgrade_to_version}" ]; then
+        echo_with_time "No newer version found for ${versions_to_test["${ver}"]} to upgrade to"
+        continue
+    fi
+
+    # Parse major/minor for current/original version
+    CUR_MAJOR=$(echo ${versions_to_test["${ver}"]} | cut -d. -f1 | sed 's/v//')
+    CUR_MINOR=$(echo ${versions_to_test["${ver}"]} | cut -d. -f2)
+
+    # Parse major/minor for upgrade_to_version
+    MAJOR_VERSION=$(echo ${upgrade_to_version} | cut -d. -f1 | sed 's/v//')
    MINOR_VERSION=$(echo ${upgrade_to_version} | cut -d. -f2)
+
+    # Skip if upgrading from <1.31 to >=1.31
+    if [ ${CUR_MAJOR} -eq 1 ] && [ ${CUR_MINOR} -lt 31 ] && \
+       [ ${MAJOR_VERSION} -eq 1 ] && [ ${MINOR_VERSION} -ge 31 ]; then
+        echo "Skipping upgrade from ${versions_to_test["${ver}"]} (<1.31) to ${upgrade_to_version} (>=1.31)"
+        continue
+    fi
+
+    # Skip if target version <1.31
+    if [ ${MAJOR_VERSION} -eq 1 ] && [ ${MINOR_VERSION} -lt 31 ]; then
+        echo_with_time "Skipping upgrade checks for k8s version ${upgrade_to_version} (<1.31)"
+        continue
+    fi
+
    if [ ${MINOR_VERSION} -ge 30 ] && [ "${NETWORK_PLUGIN}" == "weave" ]; then
        echo "Skipping cluster upgrade testing to ${upgrade_to_version} with weave since weave is not supported for version >=1.30.0"
        continue