From b24c799c80ca0eadaaa971c6a951708c547307d1 Mon Sep 17 00:00:00 2001
From: Nils Hanke
Date: Wed, 2 Nov 2022 15:16:47 +0100
Subject: [PATCH] Replace specific Azure/GCP credentials with secrets
---
 .../actions/constellation_create/action.yml | 25 +++++++++++++++----
 .github/actions/e2e_test/action.yml | 20 +++++++++++++++
 .../actions/generate_measurements/action.yml | 12 +++++++++
 .github/workflows/e2e-test-daily.yml | 5 ++++
 .github/workflows/e2e-test-manual-macos.yml | 5 ++++
 .github/workflows/e2e-test-manual.yml | 5 ++++
 .github/workflows/e2e-test-weekly.yml | 7 +++++-
 .github/workflows/generate-measurements.yml | 5 ++++
 8 files changed, 78 insertions(+), 6 deletions(-)
diff --git a/.github/actions/constellation_create/action.yml b/.github/actions/constellation_create/action.yml
index 2b6e528c6..5d99a8b14 100644
--- a/.github/actions/constellation_create/action.yml
+++ b/.github/actions/constellation_create/action.yml
@@ -11,6 +11,9 @@ inputs:
 cloudProvider:
 description: "Either 'gcp' or 'azure'."
 required: true
+ gcpProject:
+ description: "The GCP project to deploy Constellation in."
+ required: false
 gcpClusterServiceAccountKey:
 description: "Service account to use inside the created Constellation cluster on GCP."
 required: false
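Review bot: The new `gcpProject` input is declared `required: false` with no default, but after this commit the action's GCP path has no project at all unless the caller supplies one, and the description does not say so; suggest `description: "The GCP project to deploy Constellation in. Required when cloudProvider is 'gcp'; callers should source it from a secret or variable rather than a literal."`. The same wording gap applies to the Azure inputs added in the next hunk of this file (`azureSubscription`, `azureTenant`, `azureClientID`, `azureUserAssignedIdentity`, required when cloudProvider is 'azure') and to the matching declarations added in .github/actions/e2e_test/action.yml and .github/actions/generate_measurements/action.yml. A one-line statement of when each input must be set is what a workflow author needs, since an unset one silently expands to an empty string.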
@@ -26,9 +29,21 @@ inputs:
 kubernetesVersion:
 description: "Kubernetes version to create the cluster from."
 required: false
+ azureSubscription:
+ description: "The Azure subscription ID to deploy Constellation in."
+ required: false
+ azureTenant:
+ description: "The Azure tenant ID to deploy Constellation in."
+ required: false
+ azureClientID:
+ description: "The client ID of the application registration created for Constellation in Azure."
+ required: false
 azureClientSecret:
 description: "The client secret value of the used secret"
 required: false
+ azureUserAssignedIdentity:
+ description: "The Azure user assigned identity to use for Constellation."
+ required: false
 azureResourceGroup:
 description: "The resource group to use for Constellation cluster"
 required: false
@@ -47,17 +62,17 @@ runs:
 constellation config generate ${{ inputs.cloudProvider }}
 yq eval -i \
- "(.provider | select(. | has(\"azure\")).azure.subscription) = \"0d202bbb-4fa7-4af8-8125-58c269a05435\" |
- (.provider | select(. | has(\"azure\")).azure.tenant) = \"adb650a8-5da3-4b15-b4b0-3daf65ff7626\" |
+ "(.provider | select(. | has(\"azure\")).azure.subscription) = \"${{ inputs.azureSubscription }}\" |
+ (.provider | select(. | has(\"azure\")).azure.tenant) = \"${{ inputs.azureTenant }}\" |
 (.provider | select(. | has(\"azure\")).azure.location) = \"North Europe\" |
- (.provider | select(. | has(\"azure\")).azure.userAssignedIdentity) = \"/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/e2e-test-creds/providers/Microsoft.ManagedIdentity/userAssignedIdentities/e2e-test-user-assigned-id\" |
+ (.provider | select(. | has(\"azure\")).azure.userAssignedIdentity) = \"${{ inputs.azureUserAssignedIdentity }}\" |
 (.provider | select(. | has(\"azure\")).azure.resourceGroup) = \"${{ inputs.azureResourceGroup }}\" |
- (.provider | select(. | has(\"azure\")).azure.appClientID) = \"b657a00e-813a-4dc7-9b09-fa498a254d71\" |
+ (.provider | select(. | has(\"azure\")).azure.appClientID) = \"${{ inputs.azureClientID }}\" |
 (.provider | select(. | has(\"azure\")).azure.clientSecretValue) = \"${{ inputs.azureClientSecret }}\" |
 (.provider | select(. | has(\"azure\")).azure.enforcedMeasurements) = [11,12]" \
 constellation-conf.yaml
 yq eval -i \
- "(.provider | select(. | has(\"gcp\")).gcp.project) = \"constellation-331613\" |
+ "(.provider | select(. | has(\"gcp\")).gcp.project) = \"${{ inputs.gcpProject }}\" |
 (.provider | select(. | has(\"gcp\")).gcp.region) = \"europe-west3\" |
 (.provider | select(. | has(\"gcp\")).gcp.zone) = \"europe-west3-b\" |
 (.provider | select(. | has(\"gcp\")).gcp.enforcedMeasurements) = [11,12] |
diff --git a/.github/actions/e2e_test/action.yml b/.github/actions/e2e_test/action.yml
index 422fd9e4f..c69ca9f40 100644
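Review bot: The new `${{ inputs.azureSubscription }}`, `${{ inputs.azureTenant }}`, `${{ inputs.azureUserAssignedIdentity }}`, `${{ inputs.azureClientID }}` and `${{ inputs.gcpProject }}` expressions are expanded by the runner into the script text before bash runs it, inside a double-quoted yq expression, so a value containing `"`, `\` or a shell-special character breaks or alters the command; composite-action inputs are set by whichever workflow calls this action, so their content is not under the action's control even though the callers updated in this commit feed them from `secrets`. The usual hardening is to hand the values to the step through `env:` and read them inside yq with `strenv()`, which keeps them out of the script text entirely; the pre-existing `azureResourceGroup`, `azureClientSecret` and `cloudProvider` interpolations have the same shape and would benefit from the same treatment. Separately, the removed subscription, tenant, client and project identifiers remain in git history, so this change stops new disclosure but does not un-publish them; they are identifiers rather than credentials, so no rotation is implied. The step's `run:` block starts above this hunk.
```yaml
      env:
        AZURE_SUBSCRIPTION: ${{ inputs.azureSubscription }}
        AZURE_TENANT: ${{ inputs.azureTenant }}
        AZURE_USER_ASSIGNED_IDENTITY: ${{ inputs.azureUserAssignedIdentity }}
        AZURE_RESOURCE_GROUP: ${{ inputs.azureResourceGroup }}
        AZURE_CLIENT_ID: ${{ inputs.azureClientID }}
        AZURE_CLIENT_SECRET: ${{ inputs.azureClientSecret }}
        GCP_PROJECT: ${{ inputs.gcpProject }}
      run: |
        # … unchanged: constellation config generate …
        yq eval -i \
          '(.provider | select(. | has("azure")).azure.subscription) = strenv(AZURE_SUBSCRIPTION) |
          (.provider | select(. | has("azure")).azure.tenant) = strenv(AZURE_TENANT) |
          (.provider | select(. | has("azure")).azure.location) = "North Europe" |
          (.provider | select(. | has("azure")).azure.userAssignedIdentity) = strenv(AZURE_USER_ASSIGNED_IDENTITY) |
          (.provider | select(. | has("azure")).azure.resourceGroup) = strenv(AZURE_RESOURCE_GROUP) |
          (.provider | select(. | has("azure")).azure.appClientID) = strenv(AZURE_CLIENT_ID) |
          (.provider | select(. | has("azure")).azure.clientSecretValue) = strenv(AZURE_CLIENT_SECRET) |
          (.provider | select(. | has("azure")).azure.enforcedMeasurements) = [11,12]' \
          constellation-conf.yaml
        yq eval -i \
          '(.provider | select(. | has("gcp")).gcp.project) = strenv(GCP_PROJECT) |
        # … unchanged: gcp region, zone and enforcedMeasurements assignments, constellation-conf.yaml target …
```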
--- a/.github/actions/e2e_test/action.yml
+++ b/.github/actions/e2e_test/action.yml
@@ -27,15 +27,30 @@ inputs:
 kubernetesVersion:
 description: "Kubernetes version to create the cluster from."
 required: false
+ gcpProject:
+ description: "The GCP project to deploy Constellation in."
+ required: false
 gcp_service_account_json:
 description: "Service account with permissions to create Constellation on GCP."
 required: false
 gcpClusterServiceAccountKey:
 description: "Service account to use inside the created Constellation cluster on GCP."
 required: false
+ azureSubscription:
+ description: "The Azure subscription ID to deploy Constellation in."
+ required: false
+ azureTenant:
+ description: "The Azure tenant ID to deploy Constellation in."
+ required: false
+ azureClientID:
+ description: "The client ID of the application registration created for Constellation in Azure."
+ required: false
 azureClientSecret:
 description: "The client secret value of the used secret"
 required: false
+ azureUserAssignedIdentity:
+ description: "The Azure user assigned identity to use for Constellation."
+ required: false
 azureResourceGroup:
 description: "The resource group to use"
 required: false
@@ -113,6 +128,7 @@ runs:
 uses: ./.github/actions/constellation_create
 with:
 cloudProvider: ${{ inputs.cloudProvider }}
+ gcpProject: ${{ inputs.gcpProject }}
 gcpClusterServiceAccountKey: ${{ inputs.gcpClusterServiceAccountKey }}
 workerNodesCount: ${{ inputs.workerNodesCount }}
 controlNodesCount: ${{ inputs.controlNodesCount }}
@@ -120,7 +136,11 @@ runs:
 osImage: ${{ inputs.osImage }}
 isDebugImage: ${{ inputs.isDebugImage }}
 kubernetesVersion: ${{ inputs.kubernetesVersion }}
+ azureSubscription: ${{ inputs.azureSubscription }}
+ azureTenant: ${{ inputs.azureTenant }}
+ azureClientID: ${{ inputs.azureClientID }}
 azureClientSecret: ${{ inputs.azureClientSecret }}
+ azureUserAssignedIdentity: ${{ inputs.azureUserAssignedIdentity }}
 azureResourceGroup: ${{ inputs.azureResourceGroup }}
 #
diff --git a/.github/actions/generate_measurements/action.yml b/.github/actions/generate_measurements/action.yml
index 21f05c077..9a81a27f3 100644
--- a/.github/actions/generate_measurements/action.yml
+++ b/.github/actions/generate_measurements/action.yml
@@ -25,12 +25,24 @@ inputs:
 description: "Kubernetes version to create the cluster from."
 required: false
 default: "1.23"
+ gcpProject:
+ description: "The GCP project to deploy Constellation in."
+ required: false
 gcp_service_account_json:
 description: "Service account with permissions to create Constellation on GCP."
 required: false
 gcpClusterServiceAccountKey:
 description: "Service account to use inside the created Constellation cluster on GCP."
 required: false
+ azureSubscription:
+ description: "The Azure subscription ID to deploy Constellation in."
+ required: false
+ azureTenant:
+ description: "The Azure tenant ID to deploy Constellation in."
+ required: false
+ azureClientID:
+ description: "The client ID of the application registration created for Constellation in Azure."
+ required: false
 azureClientSecret:
 description: "The client secret value of the used secret"
 required: false
diff --git a/.github/workflows/e2e-test-daily.yml b/.github/workflows/e2e-test-daily.yml
index 77e2eeb47..d65fd9ec3 100644
--- a/.github/workflows/e2e-test-daily.yml
+++ b/.github/workflows/e2e-test-daily.yml
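Review bot: The four inputs added here (`gcpProject`, `azureSubscription`, `azureTenant`, `azureClientID`) are declared but, going by the diffstat (12 insertions in this file, all in this hunk), nothing in this action's `runs:` section forwards them to `constellation_create` the way .github/actions/e2e_test/action.yml now does; if this action invokes `constellation_create` with only `azureClientSecret`, the generated config will carry an empty subscription, tenant, client ID and project after this commit. The workflow hunk in .github/workflows/generate-measurements.yml additionally passes `azureUserAssignedIdentity`, which this action does not declare at all, so that value is expected to be dropped with an "unexpected input" warning rather than reach the cluster config. Either forward all five in the `runs:` step, e.g. `gcpProject: ${{ inputs.gcpProject }}` next to the existing `azureClientSecret: ${{ inputs.azureClientSecret }}` line, and declare `azureUserAssignedIdentity` here with the same description used in the other two actions, or drop the unused declarations. The action's `runs:` section is outside this hunk, so this is inferred from the diffstat rather than seen.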
@@ -50,8 +50,13 @@ jobs:
 workerNodesCount: "2"
 controlNodesCount: "3"
 cloudProvider: ${{ matrix.provider }}
+ azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
+ azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
+ azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
 azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
+ azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
 azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
+ gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
 gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
 test: "sonobuoy full"
diff --git a/.github/workflows/e2e-test-manual-macos.yml b/.github/workflows/e2e-test-manual-macos.yml
index 6720e619e..0c1923340 100644
--- a/.github/workflows/e2e-test-manual-macos.yml
+++ b/.github/workflows/e2e-test-manual-macos.yml
@@ -127,11 +127,16 @@ jobs:
 controlNodesCount: ${{ github.event.inputs.controlNodesCount }}
 cloudProvider: ${{ github.event.inputs.cloudProvider }}
 machineType: ${{ github.event.inputs.machineType }}
+ gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
 gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
 test: ${{ github.event.inputs.test }}
 kubernetesVersion: ${{ github.event.inputs.kubernetesVersion }}
+ azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
+ azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
+ azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
 azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
+ azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
 azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
 osImage: ${{ github.event.inputs.osImage }}
 isDebugImage: ${{ github.event.inputs.isDebugImage }}
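Review bot: `AZURE_E2E_SUBSCRIPTION_ID`, `AZURE_E2E_TENANT_ID`, `AZURE_E2E_CLIENT_ID`, `AZURE_E2E_USER_ASSIGNED_IDENTITY` and `GCP_E2E_PROJECT` are identifiers rather than credentials, and routing them through `secrets` makes the runner redact every occurrence of those strings in the job log, including resource IDs and error output from the cloud CLIs that embed the subscription or project; that is a defensible price for keeping them out of a public repository, but it should be a deliberate choice and is worth a one-line comment next to the first use, e.g. `# non-secret IDs kept in secrets so they stay out of the public repo; expect them masked in logs`. If they stay as secrets, the full set a fork must configure (these five plus the existing `AZURE_E2E_CLIENT_SECRET`, `GCP_SERVICE_ACCOUNT`, `GCP_CLUSTER_SERVICE_ACCOUNT`) should be listed in the workflow or contributor docs, because a missing one now expands to an empty string at the action boundary and the failure only appears once the generated config is used. The same applies to the e2e-test-manual-macos.yml hunk below and to the hunks in e2e-test-manual.yml, e2e-test-weekly.yml and generate-measurements.yml.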
diff --git a/.github/workflows/e2e-test-manual.yml b/.github/workflows/e2e-test-manual.yml
index 644a48e59..021d59862 100644
--- a/.github/workflows/e2e-test-manual.yml
+++ b/.github/workflows/e2e-test-manual.yml
@@ -91,11 +91,16 @@ jobs:
 controlNodesCount: ${{ github.event.inputs.controlNodesCount }}
 cloudProvider: ${{ github.event.inputs.cloudProvider }}
 machineType: ${{ github.event.inputs.machineType }}
+ gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
 gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
 test: ${{ github.event.inputs.test }}
 kubernetesVersion: ${{ github.event.inputs.kubernetesVersion }}
+ azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
+ azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
+ azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
 azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
+ azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
 azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
 osImage: ${{ github.event.inputs.osImage }}
 isDebugImage: ${{ github.event.inputs.isDebugImage }}
diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml
index 0dc095d70..d9a4e5d7c 100644
--- a/.github/workflows/e2e-test-weekly.yml
+++ b/.github/workflows/e2e-test-weekly.yml
@@ -60,15 +60,20 @@ jobs:
 az group create --location northeurope --name $name --tags e2e
 echo "res_group_name=$name" >> $GITHUB_OUTPUT
- - name: Run Azure E2E test
+ - name: Run E2E test
 uses: ./.github/actions/e2e_test
 with:
 workerNodesCount: "2"
 controlNodesCount: "3"
 cloudProvider: ${{ matrix.provider }}
 kubernetesVersion: ${{ matrix.version }}
+ azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
+ azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
+ azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
 azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
+ azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
 azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
+ gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
 gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
 test: ${{ matrix.test }}
diff --git a/.github/workflows/generate-measurements.yml b/.github/workflows/generate-measurements.yml
index 7c0147eef..d2b3d94de 100644
--- a/.github/workflows/generate-measurements.yml
+++ b/.github/workflows/generate-measurements.yml
@@ -58,9 +58,14 @@ jobs:
 uses: ./.github/actions/generate_measurements
 with:
 cloudProvider: ${{ github.event.inputs.cloudProvider }}
+ gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
 gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
+ azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
+ azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
+ azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
 azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
+ azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
 azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
 osImage: ${{ github.event.inputs.osImage }}
 isDebugImage: ${{ github.event.inputs.isDebugImage }}