ci: integrate automatic iam creation in e2e test (#1158)

* integrate automatic iam creation in e2e test

* fix typo

* break long line comments

* fix semvers

* correct bracing
This commit is contained in:
Moritz Sanft 2023-02-21 12:47:14 +01:00 committed by GitHub
parent d89dd0ce18
commit 0ba810240f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 144 additions and 4 deletions

View File

@ -26,6 +26,9 @@ inputs:
keepMeasurements:
default: "false"
description: "Keep measurements embedded in the CLI."
existingConfig:
default: "false"
description: "Use existing config file."
#
# GCP specific inputs
#
@ -70,6 +73,7 @@ runs:
steps:
- name: Constellation config generate
shell: bash
if: inputs.existingConfig != 'true'
run: |
constellation config generate ${{ inputs.cloudProvider }}
@ -99,6 +103,9 @@ runs:
(.provider | select(. | has(\"aws\")).aws.iamProfileWorkerNodes) = \"e2e_test_worker_node_instance_profile\"" \
constellation-conf.yaml
- name: Update config
shell: bash
run: |
if [[ ${{ inputs.kubernetesVersion != '' }} = true ]]; then
yq eval -i "(.kubernetesVersion) = \"${{ inputs.kubernetesVersion }}\"" constellation-conf.yaml
fi
@ -138,7 +145,7 @@ runs:
yq eval -i "(.provider | select(. | has(\"aws\")).aws.instanceType) = \"${{ inputs.machineType }}\"" constellation-conf.yaml
- name: Create serviceAccountKey.json
if: inputs.cloudProvider == 'gcp'
if: inputs.cloudProvider == 'gcp' && !inputs.existingConfig # Skip if using existing config. serviceAccountKey.json is already present in that case.
shell: bash
env:
GCP_CLUSTER_SERVICE_ACCOUNT_KEY: ${{ inputs.gcpClusterServiceAccountKey }}

View File

@ -0,0 +1,83 @@
name: Constellation IAM create
description: Create IAM configuration for a Constellation cluster.
inputs:
cloudProvider:
description: "Either 'aws', 'azure' or 'gcp'."
required: true
#
# AWS specific inputs
#
awsZone:
description: "AWS zone to deploy Constellation in."
required: false
awsPrefix:
description: "name prefix to use for the AWS resources."
required: false
#
# Azure specific inputs
#
azureRegion:
description: "Azure region to deploy Constellation in."
required: false
azureResourceGroup:
description: "Name of the Azure resource group being created."
required: false
azureServicePrincipal:
description: "Name of the Azure service principal being created."
required: false
#
# GCP specific inputs
#
gcpProjectID:
description: "The GCP project ID to deploy Constellation in."
required: false
gcpZone:
description: "The GCP zone to deploy Constellation in."
required: false
gcpServiceAccountID:
description: "ID of the GCP service account being created."
required: false
outputs:
existingConfig:
description: "Whether a configuration file has been created to be used in the next step."
value: ${{ steps.setExistingConfig.outputs.existingConfig }}
runs:
using: "composite"
steps:
- name: Constellation iam create aws
shell: bash
if: inputs.cloudProvider == 'aws'
run: |
constellation iam create aws \
--zone=${{ inputs.awsZone }} \
--prefix=${{ inputs.awsPrefix }} \
--generate-config --yes
- name: Constellation iam create azure
shell: bash
if: inputs.cloudProvider == 'azure'
run: |
constellation iam create azure \
--region=${{ inputs.azureRegion }} \
--resourceGroup=${{ inputs.azureResourceGroup }} \
--servicePrincipal=${{ inputs.azureServicePrincipal }} \
--generate-config --yes
- name: Constellation iam create gcp
shell: bash
if: inputs.cloudProvider == 'gcp'
run: |
constellation iam create gcp \
--projectID=${{ inputs.gcpProjectID }} \
--zone=${{ inputs.gcpZone }} \
--serviceAccountID=${{ inputs.gcpServiceAccountID }} \
--generate-config --yes
- name: Set existing config
id: setExistingConfig
shell: bash
run: |
echo "existingConfig=true" >> $GITHUB_OUTPUT

View File

@ -0,0 +1,17 @@
name: Delete IAM configuration
description: Delete previously created IAM configuration.
runs:
using: "composite"
steps:
- name: Delete IAM configuration
shell: bash
run: |
if [[ -f constellation-iam-terraform/terraform.tfstate ]]; then
echo "IAM Terraform state file exists, deleting..."
cd constellation-iam-terraform
terraform destroy -auto-approve
else
echo "IAM Terraform state file does not exist, exiting..."
exit 0
fi

View File

@ -57,7 +57,7 @@ inputs:
description: "The resource group to use"
required: false
test:
description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, autoscaling, lb, k-bench, verify, recover, nop]."
description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, autoscaling, lb, k-bench, verify, recover, nop, iamcreate]."
required: true
sonobuoyTestSuiteCmd:
description: "The sonobuoy test suite to run."
@ -72,7 +72,7 @@ runs:
using: "composite"
steps:
- name: Check input
if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "autoscaling", "k-bench", "verify", "lb", "recover", "nop"]'), inputs.test))
if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "autoscaling", "k-bench", "verify", "lb", "recover", "nop", "iamcreate"]'), inputs.test))
shell: bash
run: |
echo "Invalid input for test field: ${{ inputs.test }}"
@ -155,6 +155,21 @@ runs:
# extend token expiry to 6 hours to ensure constellation can terminate
role-duration-seconds: 21600
- name: Create IAM configuration
id: constellation-iam-create
if: inputs.test == 'iamcreate' && inputs.cloudProvider != 'azure' # skip for Azure, as the SP / MI does not have the required permissions
uses: ./.github/actions/constellation_iam_create
with:
cloudProvider: ${{ inputs.cloudProvider }}
awsZone: eu-central-1a
awsPrefix: e2e_${{ github.run_id }}_${{ github.run_attempt }}
azureRegion: northeurope
azureResourceGroup: e2e_${{ github.run_id }}_${{ github.run_attempt }}_rg
azureServicePrincipal: e2e_${{ github.run_id }}_${{ github.run_attempt }}_sp
gcpProjectID: ${{ inputs.gcpProject }}
gcpZone: europe-west3-b
gcpServiceAccountID: e2e-${{ github.run_id }}-${{ github.run_attempt }}-sa
- name: Create cluster
id: constellation-create
uses: ./.github/actions/constellation_create
@ -175,6 +190,7 @@ runs:
azureClientSecret: ${{ inputs.azureClientSecret }}
azureUserAssignedIdentity: ${{ inputs.azureUserAssignedIdentity }}
azureResourceGroup: ${{ inputs.azureResourceGroup }}
existingConfig: ${{ steps.constellation-iam-create.outputs.existingConfig }}
#
# Test payloads

View File

@ -39,6 +39,7 @@ on:
- "verify"
- "recover"
- "nop"
- "iamcreate"
required: true
kubernetesVersion:
description: "Kubernetes version to create the cluster from."
@ -311,6 +312,11 @@ jobs:
with:
kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
- name: Always delete IAM configuration
if: always() && inputs.test == 'iamcreate' && inputs.cloudProvider != 'azure' # skip for Azure, as the SP / MI does not have the required permissions
continue-on-error: true
uses: ./.github/actions/constellation_iam_destroy
- name: Always destroy Azure resource group
if: always() && inputs.cloudProvider == 'azure'
shell: bash

View File

@ -46,10 +46,15 @@ jobs:
max-parallel: 5
matrix:
test:
["sonobuoy full", "autoscaling", "k-bench", "lb", "verify", "recover"]
["sonobuoy full", "autoscaling", "k-bench", "lb", "verify", "recover", "iamcreate"]
provider: ["gcp", "azure", "aws"]
version: ["v1.24.9", "v1.25.6", "v1.26.1"]
exclude:
# IAM create test runs only on latest version.
- test: "iamcreate"
version: "v1.24.9"
- test: "iamcreate"
version: "v1.25.6"
# Verify test runs only on latest version.
- test: "verify"
version: "v1.24.9"
@ -140,6 +145,11 @@ jobs:
with:
kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
- name: Always delete IAM configuration
if: always() && matrix.test == 'iamcreate' && matrix.provider != 'azure' # skip for Azure, as the SP / MI does not have the required permissions
continue-on-error: true
uses: ./.github/actions/constellation_iam_destroy
- name: Notify teams channel
if: failure() && github.ref == 'refs/heads/main'
continue-on-error: true

View File

@ -383,6 +383,7 @@ func (c *awsIAMCreator) printOutputValues(cmd *cobra.Command, flags iamFlags, ia
cmd.Printf("zone:\t\t\t%s\n", flags.aws.zone)
cmd.Printf("iamProfileControlPlane:\t%s\n", iamFile.AWSOutput.ControlPlaneInstanceProfile)
cmd.Printf("iamProfileWorkerNodes:\t%s\n\n", iamFile.AWSOutput.WorkerNodeInstanceProfile)
cmd.Println("Your IAM configuration was created successfully. Please fill the above values into your configuration file.")
}
func (c *awsIAMCreator) writeOutputValuesToConfig(conf *config.Config, flags iamFlags, iamFile iamid.File) {