ci: separate e2e permissions (#1555)

* split e2e test IAM-create / cluster-create permissions

* remove global Azure credentials

* remove unnecessary azure actions

* use UUID

* fix e2e upgrade test

* rename create inputs

* remove continue-on-error for resource deletion

* de-exclude verify test

* fix exclude

* fix release e2e test

---------

Co-authored-by: Nils Hanke <nils.hanke@outlook.com>
This commit is contained in:
Moritz Sanft 2023-04-12 13:24:13 +02:00 committed by GitHub
parent 52a1bb0a19
commit 6ba294e175
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 146 additions and 199 deletions


@ -35,7 +35,7 @@ inputs:
gcpProject: gcpProject:
description: "The GCP project to deploy Constellation in." description: "The GCP project to deploy Constellation in."
required: false required: false
gcpClusterServiceAccountKey: gcpInClusterServiceAccountKey:
description: "The GCP Service account to use inside the created Constellation cluster." description: "The GCP Service account to use inside the created Constellation cluster."
required: false required: false
# #
@ -162,7 +162,7 @@ runs:
if: inputs.cloudProvider == 'gcp' && !inputs.existingConfig # Skip if using existing config. serviceAccountKey.json is already present in that case. if: inputs.cloudProvider == 'gcp' && !inputs.existingConfig # Skip if using existing config. serviceAccountKey.json is already present in that case.
shell: bash shell: bash
env: env:
GCP_CLUSTER_SERVICE_ACCOUNT_KEY: ${{ inputs.gcpClusterServiceAccountKey }} GCP_CLUSTER_SERVICE_ACCOUNT_KEY: ${{ inputs.gcpInClusterServiceAccountKey }}
run: | run: |
echo "$GCP_CLUSTER_SERVICE_ACCOUNT_KEY" > serviceAccountKey.json echo "$GCP_CLUSTER_SERVICE_ACCOUNT_KEY" > serviceAccountKey.json


@ -1,9 +1,41 @@
name: Delete IAM configuration name: Delete IAM configuration
description: Delete previously created IAM configuration. description: Delete previously created IAM configuration.
inputs:
cloudProvider:
description: "Either 'aws', 'azure' or 'gcp'."
required: true
gcpServiceAccount:
description: "GCP service account to use for authentication."
required: false
azureCredentials:
description: "Azure service principal to use for authentication."
required: false
runs: runs:
using: "composite" using: "composite"
steps: steps:
- name: Login to GCP (IAM service account)
if: inputs.cloudProvider == 'gcp'
uses: ./.github/actions/login_gcp
with:
service_account: ${{ inputs.gcpServiceAccount }}
- name: Login to AWS (IAM role)
if: inputs.cloudProvider == 'aws'
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
aws-region: eu-central-1
# extend token expiry to 6 hours to ensure constellation can terminate
role-duration-seconds: 21600
- name: Login to Azure (IAM service principal)
if: inputs.cloudProvider == 'azure'
uses: ./.github/actions/login_azure
with:
azure_credentials: ${{ inputs.azureCredentials }}
- name: Delete IAM configuration - name: Delete IAM configuration
shell: bash shell: bash
run: | run: |
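Review bot: The provider-specific credential inputs `gcpServiceAccount` and `azureCredentials` are `required: false` and nothing verifies that the one matching `cloudProvider` was actually supplied, so a caller that selects `azure` but omits the credentials only fails somewhere inside `login_azure` with whatever error that action happens to produce. A fail-fast step ahead of the logins would make the contract explicit, e.g. `if: (inputs.cloudProvider == 'azure' && inputs.azureCredentials == '') || (inputs.cloudProvider == 'gcp' && inputs.gcpServiceAccount == '')` followed by an `::error::` line and `exit 1`, mirroring the "Check input" step the e2e_test action already has. Separately, the AWS login copies `role-duration-seconds: 21600` and the "ensure constellation can terminate" comment from the cluster-create login, but this action only runs the IAM deletion, so a six-hour session for `GithubActionsE2EIAM` is far more token lifetime than the step needs; dropping the line (the action defaults to one hour) keeps that role's exposure window short. The body of the `Delete IAM configuration` run block continues past the end of this section, so I could not check how it behaves when the resources are already gone.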


@ -35,10 +35,13 @@ inputs:
gcpProject: gcpProject:
description: "The GCP project to deploy Constellation in." description: "The GCP project to deploy Constellation in."
required: false required: false
gcp_service_account: gcpIAMCreateServiceAccount:
description: "Service account with permissions to create Constellation on GCP." description: "Service account with permissions to create IAM configuration on GCP."
required: false required: false
gcpClusterServiceAccountKey: gcpClusterCreateServiceAccount:
description: "Service account with permissions to create a Constellation cluster on GCP."
required: false
gcpInClusterServiceAccountKey:
description: "Service account to use inside the created Constellation cluster on GCP." description: "Service account to use inside the created Constellation cluster on GCP."
required: false required: false
awsOpenSearchDomain: awsOpenSearchDomain:
@ -50,26 +53,14 @@ inputs:
awsOpenSearchPwd: awsOpenSearchPwd:
description: "AWS OpenSearch Password to upload the benchmark results." description: "AWS OpenSearch Password to upload the benchmark results."
required: false required: false
azureSubscription: azureClusterCreateCredentials:
description: "The Azure subscription ID to deploy Constellation in." description: "Azure credentials authorized to create a Constellation cluster."
required: false required: true
azureTenant: azureIAMCreateCredentials:
description: "The Azure tenant ID to deploy Constellation in." description: "Azure credentials authorized to create an IAM configuration."
required: false required: true
azureClientID:
description: "The client ID of the application registration created for Constellation in Azure."
required: false
azureClientSecret:
description: "The client secret value of the used secret"
required: false
azureUserAssignedIdentity:
description: "The Azure user assigned identity to use for Constellation."
required: false
azureResourceGroup:
description: "The resource group to use"
required: false
test: test:
description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, autoscaling, lb, perf-bench, verify, recover, nop, iamcreate]." description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, autoscaling, lb, perf-bench, verify, recover, nop]."
required: true required: true
sonobuoyTestSuiteCmd: sonobuoyTestSuiteCmd:
description: "The sonobuoy test suite to run." description: "The sonobuoy test suite to run."
@ -87,7 +78,7 @@ runs:
using: "composite" using: "composite"
steps: steps:
- name: Check input - name: Check input
if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "autoscaling", "perf-bench", "verify", "lb", "recover", "nop", "iamcreate"]'), inputs.test)) if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "autoscaling", "perf-bench", "verify", "lb", "recover", "nop"]'), inputs.test))
shell: bash shell: bash
run: | run: |
echo "::error::Invalid input for test field: ${{ inputs.test }}" echo "::error::Invalid input for test field: ${{ inputs.test }}"
@ -155,43 +146,75 @@ runs:
targetOS: ${{ steps.determine-build-target.outputs.hostOS }} targetOS: ${{ steps.determine-build-target.outputs.hostOS }}
targetArch: ${{ steps.determine-build-target.outputs.hostArch }} targetArch: ${{ steps.determine-build-target.outputs.hostArch }}
- name: Login to GCP - name: Login to GCP (IAM service account)
if: inputs.cloudProvider == 'gcp' if: inputs.cloudProvider == 'gcp'
uses: ./.github/actions/login_gcp uses: ./.github/actions/login_gcp
with: with:
service_account: ${{ inputs.gcp_service_account }} service_account: ${{ inputs.gcpIAMCreateServiceAccount }}
- name: Login to AWS - name: Login to AWS (IAM role)
if: inputs.cloudProvider == 'aws' if: inputs.cloudProvider == 'aws'
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0 uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
with: with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2E role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
aws-region: eu-central-1 aws-region: eu-central-1
# extend token expiry to 6 hours to ensure constellation can terminate # extend token expiry to 6 hours to ensure constellation can terminate
role-duration-seconds: 21600 role-duration-seconds: 21600
- name: Login to Azure (IAM service principal)
if: inputs.cloudProvider == 'azure'
uses: ./.github/actions/login_azure
with:
azure_credentials: ${{ inputs.azureIAMCreateCredentials }}
- name: Create UUID
id: create-uuid
shell: bash
run: |
uuid=$(uuidgen)
echo "uuid=${uuid%%-*}" >> $GITHUB_OUTPUT
- name: Create IAM configuration - name: Create IAM configuration
id: constellation-iam-create id: constellation-iam-create
if: inputs.test == 'iamcreate' && inputs.cloudProvider != 'azure' # skip for Azure, as the SP / MI does not have the required permissions
uses: ./.github/actions/constellation_iam_create uses: ./.github/actions/constellation_iam_create
with: with:
cloudProvider: ${{ inputs.cloudProvider }} cloudProvider: ${{ inputs.cloudProvider }}
awsZone: eu-central-1c awsZone: eu-central-1c
awsPrefix: e2e_${{ github.run_id }}_${{ github.run_attempt }} awsPrefix: e2e_${{ github.run_id }}_${{ github.run_attempt }}_${{ steps.create-uuid.outputs.uuid }}
azureRegion: northeurope azureRegion: northeurope
azureResourceGroup: e2e_${{ github.run_id }}_${{ github.run_attempt }}_rg azureResourceGroup: e2e_${{ github.run_id }}_${{ github.run_attempt }}_${{ steps.create-uuid.outputs.uuid }}_rg
azureServicePrincipal: e2e_${{ github.run_id }}_${{ github.run_attempt }}_sp azureServicePrincipal: e2e_${{ github.run_id }}_${{ github.run_attempt }}_${{ steps.create-uuid.outputs.uuid }}_sp
gcpProjectID: ${{ inputs.gcpProject }} gcpProjectID: ${{ inputs.gcpProject }}
gcpZone: europe-west3-b gcpZone: europe-west3-b
gcpServiceAccountID: e2e-${{ github.run_id }}-${{ github.run_attempt }}-sa gcpServiceAccountID: e2e-${{ github.run_id }}-${{ github.run_attempt }}-${{ steps.create-uuid.outputs.uuid }}-sa
- name: Login to GCP (Cluster service account)
if: inputs.cloudProvider == 'gcp'
uses: ./.github/actions/login_gcp
with:
service_account: ${{ inputs.gcpClusterCreateServiceAccount }}
- name: Login to AWS (Cluster role)
if: inputs.cloudProvider == 'aws'
uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
with:
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
aws-region: eu-central-1
# extend token expiry to 6 hours to ensure constellation can terminate
role-duration-seconds: 21600
- name: Login to Azure (Cluster service principal)
if: inputs.cloudProvider == 'azure'
uses: ./.github/actions/login_azure
with:
azure_credentials: ${{ inputs.azureClusterCreateCredentials }}
- name: Create cluster - name: Create cluster
id: constellation-create id: constellation-create
uses: ./.github/actions/constellation_create uses: ./.github/actions/constellation_create
with: with:
cloudProvider: ${{ inputs.cloudProvider }} cloudProvider: ${{ inputs.cloudProvider }}
gcpProject: ${{ inputs.gcpProject }} gcpInClusterServiceAccountKey: ${{ inputs.gcpInClusterServiceAccountKey }}
gcpClusterServiceAccountKey: ${{ inputs.gcpClusterServiceAccountKey }}
workerNodesCount: ${{ inputs.workerNodesCount }} workerNodesCount: ${{ inputs.workerNodesCount }}
controlNodesCount: ${{ inputs.controlNodesCount }} controlNodesCount: ${{ inputs.controlNodesCount }}
machineType: ${{ inputs.machineType }} machineType: ${{ inputs.machineType }}
@ -199,12 +222,6 @@ runs:
isDebugImage: ${{ inputs.isDebugImage }} isDebugImage: ${{ inputs.isDebugImage }}
kubernetesVersion: ${{ inputs.kubernetesVersion }} kubernetesVersion: ${{ inputs.kubernetesVersion }}
keepMeasurements: ${{ inputs.keepMeasurements }} keepMeasurements: ${{ inputs.keepMeasurements }}
azureSubscription: ${{ inputs.azureSubscription }}
azureTenant: ${{ inputs.azureTenant }}
azureClientID: ${{ inputs.azureClientID }}
azureClientSecret: ${{ inputs.azureClientSecret }}
azureUserAssignedIdentity: ${{ inputs.azureUserAssignedIdentity }}
azureResourceGroup: ${{ inputs.azureResourceGroup }}
existingConfig: ${{ steps.constellation-iam-create.outputs.existingConfig }} existingConfig: ${{ steps.constellation-iam-create.outputs.existingConfig }}
# #
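Review bot: The `Login to AWS (IAM role)` step keeps `role-duration-seconds: 21600` and the comment "extend token expiry to 6 hours to ensure constellation can terminate", but after this split the `GithubActionsE2EIAM` role is only needed for the `Create IAM configuration` step that immediately follows; it is the cluster role logged into afterwards that has to stay valid until termination. Shorten the IAM role's session to the action default by dropping that line and keep the comment on the cluster login only, so the broader IAM-create permissions are not carried in a live token for six hours. Two smaller points: the `Create UUID` step writes `>> $GITHUB_OUTPUT` unquoted while the rest of this commit uses the quoted form — `echo "uuid=${uuid%%-*}" >> "$GITHUB_OUTPUT"` — and `azureClusterCreateCredentials`/`azureIAMCreateCredentials` are declared `required: true` whereas the GCP counterparts are `required: false`, which reads as if Azure credentials must be supplied for AWS and GCP runs as well; `required: false` behind the provider-gated login steps would be consistent.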


@ -5,12 +5,6 @@ on:
schedule: schedule:
- cron: "0 3 * * 2-5" # At 03:00 on every day-of-week from Tuesday through Friday. - cron: "0 3 * * 2-5" # At 03:00 on every day-of-week from Tuesday through Friday.
env:
ARM_CLIENT_ID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.AZURE_E2E_TENANT_ID }}
jobs: jobs:
find-latest-image: find-latest-image:
strategy: strategy:
@ -71,22 +65,6 @@ jobs:
with: with:
go-version: "1.20.3" go-version: "1.20.3"
- name: Login to Azure
if: matrix.provider == 'azure'
uses: ./.github/actions/login_azure
with:
azure_credentials: ${{ secrets.AZURE_E2E_CREDENTIALS }}
- name: Create Azure resource group
if: matrix.provider == 'azure'
id: az_resource_group_gen
shell: bash
run: |
uuid=$(cat /proc/sys/kernel/random/uuid)
name=e2e-test-${uuid%%-*}
az group create --location northeurope --name "$name" --tags e2e
echo "res_group_name=$name" >> "$GITHUB_OUTPUT"
- name: Run E2E test - name: Run E2E test
id: e2e_test id: e2e_test
uses: ./.github/actions/e2e_test uses: ./.github/actions/e2e_test
@ -97,25 +75,29 @@ jobs:
osImage: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || needs.find-latest-image.outputs.image-main-debug }} osImage: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || needs.find-latest-image.outputs.image-main-debug }}
isDebugImage: ${{ matrix.refStream == 'ref/main/stream/debug/?' }} isDebugImage: ${{ matrix.refStream == 'ref/main/stream/debug/?' }}
cliVersion: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || '' }} cliVersion: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || '' }}
azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }} gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com" gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }} gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
test: "sonobuoy full" test: "sonobuoy full"
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }} buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
- name: Always terminate cluster - name: Always terminate cluster
if: always() if: always()
continue-on-error: true
uses: ./.github/actions/constellation_destroy uses: ./.github/actions/constellation_destroy
with: with:
kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
- name: Always delete IAM configuration
if: always()
uses: ./.github/actions/constellation_iam_destroy
with:
cloudProvider: ${{ matrix.provider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
- name: Notify teams channel - name: Notify teams channel
if: failure() && github.ref == 'refs/heads/main' if: failure() && github.ref == 'refs/heads/main'
continue-on-error: true continue-on-error: true
@ -130,14 +112,3 @@ jobs:
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-d @to-be-send.json \ -d @to-be-send.json \
"${{ secrets.MS_TEAMS_WEBHOOK_URI }}" "${{ secrets.MS_TEAMS_WEBHOOK_URI }}"
- name: Always destroy Azure resource group
if: always() && matrix.provider == 'azure'
shell: bash
run: |
az group delete \
--name ${{ steps.az_resource_group_gen.outputs.res_group_name }} \
--force-deletion-types Microsoft.Compute/virtualMachineScaleSets \
--force-deletion-types Microsoft.Compute/virtualMachines \
--no-wait \
--yes
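Review bot: With the `az group delete --force-deletion-types … --no-wait` fallback removed, Azure cleanup now rests entirely on `constellation_destroy` and the new `Always delete IAM configuration` step, and the latter runs with `if: always()` even when cluster termination failed and the scale sets are still inside the resource group the IAM step created. Whether `constellation_iam_destroy` can remove a resource group that still holds running VMs, or leaves them orphaned and billing, is decided by that action's body, which this diff does not show; worth confirming, and worth a comment on the step such as `# runs even if terminate failed; iam_destroy must cope with leftover cluster resources`. Minor: the IAM service account e-mail `constellation-iam-e2e@…` and the `AZURE_E2E_IAM_CREDENTIALS` secret are each spelled out twice in this job (create and destroy); a job-level `env` entry such as `GCP_IAM_SA: constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com` would keep the create and destroy identities from drifting apart.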


@ -108,12 +108,6 @@ on:
type: string type: string
required: true required: true
env:
ARM_CLIENT_ID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.AZURE_E2E_TENANT_ID }}
jobs: jobs:
split-cliImageVersion: split-cliImageVersion:
name: Split cliImageVersion name: Split cliImageVersion
@ -244,22 +238,6 @@ jobs:
if: inputs.cloudProvider == 'gcp' && runner.os == 'macOS' if: inputs.cloudProvider == 'gcp' && runner.os == 'macOS'
uses: google-github-actions/setup-gcloud@62d4898025f6041e16b1068643bfc5a696863587 # v1.1.0 uses: google-github-actions/setup-gcloud@62d4898025f6041e16b1068643bfc5a696863587 # v1.1.0
- name: Login to Azure
if: inputs.cloudProvider == 'azure'
uses: ./.github/actions/login_azure
with:
azure_credentials: ${{ secrets.AZURE_E2E_CREDENTIALS }}
- name: Create Azure resource group
id: az_resource_group_gen
if: inputs.cloudProvider == 'azure'
shell: bash
run: |
uuid=$(uuidgen)
name=e2e-test-${uuid%%-*}
az group create --location westus --name "$name" --tags e2e
echo "res_group_name=$name" >> "$GITHUB_OUTPUT"
- name: Run manual E2E test - name: Run manual E2E test
id: e2e_test id: e2e_test
uses: ./.github/actions/e2e_test uses: ./.github/actions/e2e_test
@ -269,24 +247,21 @@ jobs:
cloudProvider: ${{ inputs.cloudProvider }} cloudProvider: ${{ inputs.cloudProvider }}
machineType: ${{ inputs.machineType }} machineType: ${{ inputs.machineType }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }} gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com" gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }} gcpIAMCreateServiceAccount: " constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
test: ${{ inputs.test }} test: ${{ inputs.test }}
kubernetesVersion: ${{ inputs.kubernetesVersion }} kubernetesVersion: ${{ inputs.kubernetesVersion }}
keepMeasurements: ${{ inputs.keepMeasurements }} keepMeasurements: ${{ inputs.keepMeasurements }}
awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }} awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }} awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }} awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
osImage: ${{ needs.find-latest-image.outputs.image }} osImage: ${{ needs.find-latest-image.outputs.image }}
cliVersion: ${{ needs.split-cliImageVersion.outputs.cliVersion }} cliVersion: ${{ needs.split-cliImageVersion.outputs.cliVersion }}
isDebugImage: ${{ needs.find-latest-image.outputs.isDebugImage }} isDebugImage: ${{ needs.find-latest-image.outputs.isDebugImage }}
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }} buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
- name: Always terminate cluster - name: Always terminate cluster
if: always() if: always()
@ -295,16 +270,9 @@ jobs:
kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
- name: Always delete IAM configuration - name: Always delete IAM configuration
if: always() && inputs.test == 'iamcreate' && inputs.cloudProvider != 'azure' # skip for Azure, as the SP / MI does not have the required permissions if: always()
uses: ./.github/actions/constellation_iam_destroy uses: ./.github/actions/constellation_iam_destroy
with:
- name: Always destroy Azure resource group cloudProvider: ${{ inputs.cloudProvider }}
if: always() && inputs.cloudProvider == 'azure' azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
shell: bash gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
run: |
az group delete \
--name ${{ steps.az_resource_group_gen.outputs.res_group_name }} \
--force-deletion-types Microsoft.Compute/virtualMachineScaleSets \
--force-deletion-types Microsoft.Compute/virtualMachines \
--no-wait \
--yes
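Review bot: `gcpIAMCreateServiceAccount` is passed as `" constellation-iam-e2e@…"` with a leading space inside the quotes, while the daily and upgrade workflows and this job's own `Always delete IAM configuration` step pass the e-mail without one; the value goes straight into `login_gcp`'s `service_account` input, and unless that action trims it, GCP will be asked to impersonate an account that does not exist and every manual GCP run will likely fail at the IAM login. The fix is the one-character change `gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"`. The same leading space appears in the release and weekly workflows and should be corrected there too, so that the identity used to create the IAM configuration is byte-identical to the one used to delete it.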


@ -150,23 +150,21 @@ jobs:
cloudProvider: ${{ matrix.provider }} cloudProvider: ${{ matrix.provider }}
cliVersion: "" cliVersion: ""
kubernetesVersion: ${{ matrix.kubernetes-version }} kubernetesVersion: ${{ matrix.kubernetes-version }}
keepMeasurements: "true"
osImage: "" osImage: ""
isDebugImage: "false" isDebugImage: "false"
keepMeasurements: "true"
awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }} awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }} awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }} awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }} gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com" gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }} gcpIAMCreateServiceAccount: " constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
test: ${{ matrix.test }} test: ${{ matrix.test }}
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }} buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
- name: Always terminate cluster - name: Always terminate cluster
if: always() if: always()
@ -176,9 +174,13 @@ jobs:
kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
- name: Always delete IAM configuration - name: Always delete IAM configuration
if: always() && matrix.test == 'iamcreate' && matrix.provider != 'azure' # skip for Azure, as the SP / MI does not have the required permissions if: always()
continue-on-error: true continue-on-error: true
uses: ./.github/actions/constellation_iam_destroy uses: ./.github/actions/constellation_iam_destroy
with:
cloudProvider: ${{ matrix.provider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
- name: Notify teams channel - name: Notify teams channel
if: failure() && github.ref == 'refs/heads/main' if: failure() && github.ref == 'refs/heads/main'
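Review bot: The `Always delete IAM configuration` step keeps `continue-on-error: true`, so a failed deletion of the IAM configuration — a leaked AWS role, GCP service account or Azure resource group — is swallowed and the release job stays green, which is the opposite of what the commit's "remove continue-on-error for resource deletion" bullet does for the daily workflow. Drop that line; `if: always()` already guarantees the step runs, and leftover cloud identities should surface as a failure rather than accumulate silently. Also `gcpIAMCreateServiceAccount` is passed here as `" constellation-iam-e2e@…"` with a leading space inside the quotes, while the destroy step in the same job uses the un-spaced e-mail; `login_gcp` is unlikely to trim its input, so the create login will probably reference a non-existent account.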


@ -5,12 +5,6 @@ on:
schedule: schedule:
- cron: "0 3 * * 6" # At 03:00 on Saturday. - cron: "0 3 * * 6" # At 03:00 on Saturday.
env:
ARM_CLIENT_ID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.AZURE_E2E_TENANT_ID }}
jobs: jobs:
find-latest-image: find-latest-image:
strategy: strategy:
@ -59,21 +53,17 @@ jobs:
"lb", "lb",
"verify", "verify",
"recover", "recover",
"iamcreate",
] ]
provider: ["gcp", "azure", "aws"] provider: ["gcp", "azure", "aws"]
kubernetes-version: ["v1.24", "v1.25", "v1.26"] kubernetes-version: ["v1.24", "v1.25", "v1.26"]
refStream: ["ref/main/stream/debug/?", "ref/release/stream/stable/?"] refStream: ["ref/main/stream/debug/?", "ref/release/stream/stable/?"]
exclude: exclude:
# IAM create test runs only on latest kubernetes-version. # Verify test runs only on latest kubernetes-version by default.
- test: "iamcreate" # Exclude it for main-debug as it needs to run on 1.25 / release-stable.
kubernetes-version: "v1.24"
- test: "iamcreate"
kubernetes-version: "v1.25"
# Verify test runs only on latest kubernetes-version.
- test: "verify" - test: "verify"
kubernetes-version: "v1.24" kubernetes-version: "v1.24"
- test: "verify" - refStream: "ref/main/stream/debug/?"
test: "verify"
kubernetes-version: "v1.25" kubernetes-version: "v1.25"
# Recover test runs only on latest kubernetes-version. # Recover test runs only on latest kubernetes-version.
- test: "recover" - test: "recover"
@ -100,7 +90,7 @@ jobs:
provider: "aws" provider: "aws"
- test: "perf-bench" - test: "perf-bench"
provider: "aws" provider: "aws"
# Only iamcreate for K8s v1.25 on all providers. # Only verify for K8s v1.25 on all providers.
- refStream: "ref/release/stream/stable/?" - refStream: "ref/release/stream/stable/?"
kubernetes-version: "v1.24" kubernetes-version: "v1.24"
- refStream: "ref/release/stream/stable/?" - refStream: "ref/release/stream/stable/?"
@ -113,8 +103,6 @@ jobs:
test: "autoscaling" test: "autoscaling"
- refStream: "ref/release/stream/stable/?" - refStream: "ref/release/stream/stable/?"
test: "sonobuoy full" test: "sonobuoy full"
- refStream: "ref/release/stream/stable/?"
test: "verify"
- refStream: "ref/release/stream/stable/?" - refStream: "ref/release/stream/stable/?"
test: "recover" test: "recover"
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
@ -135,22 +123,6 @@ jobs:
with: with:
go-version: "1.20.3" go-version: "1.20.3"
- name: Login to Azure
if: matrix.provider == 'azure'
uses: ./.github/actions/login_azure
with:
azure_credentials: ${{ secrets.AZURE_E2E_CREDENTIALS }}
- name: Create Azure resource group
id: az_resource_group_gen
if: matrix.provider == 'azure'
shell: bash
run: |
uuid=$(cat /proc/sys/kernel/random/uuid)
name=e2e-test-${uuid%%-*}
az group create --location northeurope --name "$name" --tags e2e
echo "res_group_name=$name" >> "$GITHUB_OUTPUT"
- name: Run E2E test - name: Run E2E test
id: e2e_test id: e2e_test
uses: ./.github/actions/e2e_test uses: ./.github/actions/e2e_test
@ -165,29 +137,28 @@ jobs:
awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }} awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }} awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }} awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }} gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com" gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }} gcpIAMCreateServiceAccount: " constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
test: ${{ matrix.test }} test: ${{ matrix.test }}
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }} buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
- name: Always terminate cluster - name: Always terminate cluster
if: always() if: always()
continue-on-error: true
uses: ./.github/actions/constellation_destroy uses: ./.github/actions/constellation_destroy
with: with:
kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }} kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
- name: Always delete IAM configuration - name: Always delete IAM configuration
if: always() && matrix.test == 'iamcreate' && matrix.provider != 'azure' # skip for Azure, as the SP / MI does not have the required permissions if: always()
continue-on-error: true
uses: ./.github/actions/constellation_iam_destroy uses: ./.github/actions/constellation_iam_destroy
with:
cloudProvider: ${{ matrix.provider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
- name: Notify teams channel - name: Notify teams channel
if: failure() && github.ref == 'refs/heads/main' if: failure() && github.ref == 'refs/heads/main'
@ -204,17 +175,6 @@ jobs:
-d @to-be-send.json \ -d @to-be-send.json \
"${{ secrets.MS_TEAMS_WEBHOOK_URI }}" "${{ secrets.MS_TEAMS_WEBHOOK_URI }}"
- name: Always destroy Azure resource group
if: always() && matrix.provider == 'azure'
shell: bash
run: |
az group delete \
--name ${{ steps.az_resource_group_gen.outputs.res_group_name }} \
--force-deletion-types Microsoft.Compute/virtualMachineScaleSets \
--force-deletion-types Microsoft.Compute/virtualMachines \
--no-wait \
--yes
e2e-upgrade: e2e-upgrade:
strategy: strategy:
fail-fast: false fail-fast: false
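Review bot: Within the same job, `continue-on-error: true` is removed from `Always terminate cluster` but left on `Always delete IAM configuration`, so a weekly run that leaks an IAM role, service account or resource group still reports success while a failed cluster teardown does not; unless there is a reason to treat IAM leftovers as less important, remove that line here as well so both cleanup steps fail loudly under `if: always()`. The `gcpIAMCreateServiceAccount` value also carries a leading space inside the quotes (`" constellation-iam-e2e@…"`) that the destroy step and the daily workflow do not have; the intended line is `gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"`. The matrix `exclude` edits read consistently with their comments, but the `e2e-upgrade` job that starts on the last lines of this section continues outside the hunk, so its cleanup steps were not reviewed.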


@ -147,17 +147,14 @@ jobs:
osImage: ${{ inputs.fromVersion }} osImage: ${{ inputs.fromVersion }}
cliVersion: ${{ inputs.fromVersion }} cliVersion: ${{ inputs.fromVersion }}
isDebugImage: "false" isDebugImage: "false"
azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }} gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com" gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }} gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
test: "nop" test: "nop"
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }} buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
- name: Run upgrade test - name: Run upgrade test
run: | run: |