The API Gateway module contains several pipelines that run on pull requests, on the main branch, on the release branch, and periodically. They perform various tasks such as running a linter, executing unit tests with code coverage, generating artifacts for development and production purposes, and running integration tests. The integration tests ensure the functional correctness of Kyma API Gateway Operator and verify if upgrading to the new version of Kyma API Gateway Operator is possible.
To ensure that the required actions always run, the API Gateway module uses a GitHub ruleset. This enforces the execution of all jobs that determine whether a particular workflow should start.
By default, GitHub Actions that don't run because of reasons other than being skipped in the if statement have the Pending status and do not appear as a check in a PR. The ruleset acts as a safeguard to prevent situations when, for example, an external action is not allowed to run. In such cases, the ruleset ensures that the PR cannot be merged unless the check is executed and has a status of either Skipped or Success.
In this repository, certain jobs are set up to run within the context of the repository environment. This ensures that the jobs that require access to repository Secrets are manually allowed by repository maintainers.
There are two environments configured:
- 'internal' - used when a repository collaborator runs a job in the repository
- 'restricted' - used when an outside collaborator runs a job in the repository. The run must be approved by @kyma-project/goat.
The tests use an OAuth2 authorization server mock that is deployed internally in the test cluster. In case of E2E tests running on Gardener, SAP Cloud Identity Services provider is used instead.
GARDENER_TOKEN- Kubeconfig token used to provision test-purpose shoots and for later cleanupDNS_SECRET_JSON- DNS ServiceAccount used to set up the custom domain using Gardener capabilities (Base64 encoded)
The following CI jobs are part of the development cycle.
| Name | Description |
|---|---|
Pull Request / Build manager image |
Build the manage image so that the image-dependent jobs can be executed. |
PR Integration / Integration tests |
Executes the integration test suites for the API Gateway module on a k3d cluster. The job installs the Istio module using Kyma CLI. |
Pull Request unit & lint / Golang lint check |
Performs linting. |
Pull Request unit & lint / Run unit tests |
Runs unit tests. |
Workflow validation / Ensure SHA pinned actions |
Verifies that all external actions are pinned to a commit. |
Pull Request / gitleaks |
Runs the Gitleaks scan to detect any leaks of secrets. |
PR Build and Push Manager Image / Build and push manager image |
Builds the manager's image and pushes it to a GCP Artifact Registry so that the jobs running tests on Gardener clusters can be executed. |
Sync External Images / sync-external-images |
Executes image syncer to import external images. |
The following CI jobs are part of the release cycle.
| Name | Description |
|---|---|
Release Pull Request / Build manager image |
Builds Kyma Istio Operator's image and pushes it to the dev registry. |
PR Integration Release / Integration tests |
Executes the integration test suites for the API Gateway module on a k3d cluster. The job installs the Istio module using Kyma CLI. |
PR Integration Release / Kubernetes version compatibility test |
Executes the integration test suites for the API Gateway module and checks for any incompatibilities with the latest Kubernetes version. |
PR Integration Release / Upgrade tests |
Executes the upgrade integration test suite for the API Gateway module and verifies if the existing release can be successfully upgraded to the new version. |
Pull Request / Unit tests & lint |
Performs linting. |
UI Tests / Run UI tests |
Runs UI tests for Busola extensions of API Gateway module and API Rules |
PR Integration Release / Custom domain GCP |
Executes the integration test suites that verify the functional correctness of Kyma API Gateway Operator on a Gardener GCP cluster. |
PR Integration Release / Custom domain AWS |
Executes the integration test suites that verify the functional correctness of the API Gateway Operator on a Gardener AWS cluster. |
PR Integration Release / Zero Downtime Migration Tests |
Executes the tests that verify the zero downtime migration from APIRule v1beta1 to v2alpha1 on a k3d cluster. |
The following CI jobs are executed when you merge changes to the main branch and also run daily at 5:00 AM.
| Name | Description |
|---|---|
Main Integration / Build api-gateway image |
Builds Kyma API Gateway Operator image and pushes it to the prod registry. |
Main Integration / Get manager SHA |
Extracts the SHA of the commit that triggered the last successful build of the API Gateway manager image on main. |
Main Integration / E2E tests k3d |
Executes the main integration test suite for the API Gateway module on a k3d cluster. The job uses Istio module. |
Main Integration / E2E tests AWS |
Executes the main integration test suite for the API Gateway module on a Gardener AWS cluster. The job uses Istio module. |
Main Integration / Upgrade tests |
Executes the upgrade integration test suite for the API Gateway module and verifies if the existing release can be successfully upgraded to the new version. |
Main Integration / E2E custom domain tests GCP |
Executes the integration test suite that verifies the functional correctness of Kyma API Gateway Operator. The test suite uses a custom domain and a Gardener GCP cluster. |
Main Integration / E2E custom domain tests AWS |
Executes the integration test suite that verifies the functional correctness of the API Gateway Operator. The test suite uses a custom domain and a Gardener AWS cluster. |
Main Integration / Zero Downtime Migration Tests |
Executes the tests that verify the zero downtime migration from APIRule v1beta1 to v2alpha1 on a k3d cluster. |
Main Integration / Zero Downtime Migration Tests AWS |
Executes the tests that verify the zero downtime migration from APIRule v1beta1 to v2alpha1 on a Gardener AWS cluster. |
Main Integration / Slack Notification |
Sends a Slack notification to the team's channel if any pipelines fail on the main branch. |
UI Tests Periodic / Get manager SHA |
Extracts the SHA of the commit that triggered the last successful build of the API Gateway manager image on main. |
UI Tests Periodic / Run UI tests |
Runs UI tests for Busola extensions of API Gateway module and API Rules |
UI Tests Periodic / Slack Notification |
Sends a Slack notification to the team's channel if any pipelines fail in the workflow. |
The following CI jobs run when you merge changes to the main branch.
| Name | Description |
|---|---|
Sync External Images / sync-external-images |
Executes image syncer to import external images. |
The following CI jobs generate release artifacts. They are triggered on Git tag creation.
| Name | Description |
|---|---|
Create release / build-image |
Builds Kyma API Gateway Operator image on the release and pushes it to the prod registry. |
Create release / Check release prerequisites |
Checks whether all pre-requesites for release are met |
Create release / Create draft release |
Create a draft release that will be updated with release artifacts |
Create release / Publish release |
Publish the previously created draft release |