Replace specific Azure/GCP credentials with secrets

Nils Hanke 2022-11-02 15:16:47 +01:00 committed by Nils Hanke
parent ee20ff8950
commit b24c799c80
8 changed files with 78 additions and 6 deletions


@ -11,6 +11,9 @@ inputs:
cloudProvider: cloudProvider:
description: "Either 'gcp' or 'azure'." description: "Either 'gcp' or 'azure'."
required: true required: true
gcpProject:
description: "The GCP project to deploy Constellation in."
required: false
gcpClusterServiceAccountKey: gcpClusterServiceAccountKey:
description: "Service account to use inside the created Constellation cluster on GCP." description: "Service account to use inside the created Constellation cluster on GCP."
required: false required: false
@ -26,9 +29,21 @@ inputs:
kubernetesVersion: kubernetesVersion:
description: "Kubernetes version to create the cluster from." description: "Kubernetes version to create the cluster from."
required: false required: false
azureSubscription:
description: "The Azure subscription ID to deploy Constellation in."
required: false
azureTenant:
description: "The Azure tenant ID to deploy Constellation in."
required: false
azureClientID:
description: "The client ID of the application registration created for Constellation in Azure."
required: false
azureClientSecret: azureClientSecret:
description: "The client secret value of the used secret" description: "The client secret value of the used secret"
required: false required: false
azureUserAssignedIdentity:
description: "The Azure user assigned identity to use for Constellation."
required: false
azureResourceGroup: azureResourceGroup:
description: "The resource group to use for Constellation cluster" description: "The resource group to use for Constellation cluster"
required: false required: false
@ -47,17 +62,17 @@ runs:
constellation config generate ${{ inputs.cloudProvider }} constellation config generate ${{ inputs.cloudProvider }}
yq eval -i \ yq eval -i \
"(.provider | select(. | has(\"azure\")).azure.subscription) = \"0d202bbb-4fa7-4af8-8125-58c269a05435\" | "(.provider | select(. | has(\"azure\")).azure.subscription) = \"${{ inputs.azureSubscription }}\" |
(.provider | select(. | has(\"azure\")).azure.tenant) = \"adb650a8-5da3-4b15-b4b0-3daf65ff7626\" | (.provider | select(. | has(\"azure\")).azure.tenant) = \"${{ inputs.azureTenant }}\" |
(.provider | select(. | has(\"azure\")).azure.location) = \"North Europe\" | (.provider | select(. | has(\"azure\")).azure.location) = \"North Europe\" |
(.provider | select(. | has(\"azure\")).azure.userAssignedIdentity) = \"/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/e2e-test-creds/providers/Microsoft.ManagedIdentity/userAssignedIdentities/e2e-test-user-assigned-id\" | (.provider | select(. | has(\"azure\")).azure.userAssignedIdentity) = \"${{ inputs.azureUserAssignedIdentity }}\" |
(.provider | select(. | has(\"azure\")).azure.resourceGroup) = \"${{ inputs.azureResourceGroup }}\" | (.provider | select(. | has(\"azure\")).azure.resourceGroup) = \"${{ inputs.azureResourceGroup }}\" |
(.provider | select(. | has(\"azure\")).azure.appClientID) = \"b657a00e-813a-4dc7-9b09-fa498a254d71\" | (.provider | select(. | has(\"azure\")).azure.appClientID) = \"${{ inputs.azureClientID }}\" |
(.provider | select(. | has(\"azure\")).azure.clientSecretValue) = \"${{ inputs.azureClientSecret }}\" | (.provider | select(. | has(\"azure\")).azure.clientSecretValue) = \"${{ inputs.azureClientSecret }}\" |
(.provider | select(. | has(\"azure\")).azure.enforcedMeasurements) = [11,12]" \ (.provider | select(. | has(\"azure\")).azure.enforcedMeasurements) = [11,12]" \
constellation-conf.yaml constellation-conf.yaml
yq eval -i \ yq eval -i \
"(.provider | select(. | has(\"gcp\")).gcp.project) = \"constellation-331613\" | "(.provider | select(. | has(\"gcp\")).gcp.project) = \"${{ inputs.gcpProject }}\" |
(.provider | select(. | has(\"gcp\")).gcp.region) = \"europe-west3\" | (.provider | select(. | has(\"gcp\")).gcp.region) = \"europe-west3\" |
(.provider | select(. | has(\"gcp\")).gcp.zone) = \"europe-west3-b\" | (.provider | select(. | has(\"gcp\")).gcp.zone) = \"europe-west3-b\" |
(.provider | select(. | has(\"gcp\")).gcp.enforcedMeasurements) = [11,12] | (.provider | select(. | has(\"gcp\")).gcp.enforcedMeasurements) = [11,12] |


@ -27,15 +27,30 @@ inputs:
kubernetesVersion: kubernetesVersion:
description: "Kubernetes version to create the cluster from." description: "Kubernetes version to create the cluster from."
required: false required: false
gcpProject:
description: "The GCP project to deploy Constellation in."
required: false
gcp_service_account_json: gcp_service_account_json:
description: "Service account with permissions to create Constellation on GCP." description: "Service account with permissions to create Constellation on GCP."
required: false required: false
gcpClusterServiceAccountKey: gcpClusterServiceAccountKey:
description: "Service account to use inside the created Constellation cluster on GCP." description: "Service account to use inside the created Constellation cluster on GCP."
required: false required: false
azureSubscription:
description: "The Azure subscription ID to deploy Constellation in."
required: false
azureTenant:
description: "The Azure tenant ID to deploy Constellation in."
required: false
azureClientID:
description: "The client ID of the application registration created for Constellation in Azure."
required: false
azureClientSecret: azureClientSecret:
description: "The client secret value of the used secret" description: "The client secret value of the used secret"
required: false required: false
azureUserAssignedIdentity:
description: "The Azure user assigned identity to use for Constellation."
required: false
azureResourceGroup: azureResourceGroup:
description: "The resource group to use" description: "The resource group to use"
required: false required: false
@ -113,6 +128,7 @@ runs:
uses: ./.github/actions/constellation_create uses: ./.github/actions/constellation_create
with: with:
cloudProvider: ${{ inputs.cloudProvider }} cloudProvider: ${{ inputs.cloudProvider }}
gcpProject: ${{ inputs.gcpProject }}
gcpClusterServiceAccountKey: ${{ inputs.gcpClusterServiceAccountKey }} gcpClusterServiceAccountKey: ${{ inputs.gcpClusterServiceAccountKey }}
workerNodesCount: ${{ inputs.workerNodesCount }} workerNodesCount: ${{ inputs.workerNodesCount }}
controlNodesCount: ${{ inputs.controlNodesCount }} controlNodesCount: ${{ inputs.controlNodesCount }}
@ -120,7 +136,11 @@ runs:
osImage: ${{ inputs.osImage }} osImage: ${{ inputs.osImage }}
isDebugImage: ${{ inputs.isDebugImage }} isDebugImage: ${{ inputs.isDebugImage }}
kubernetesVersion: ${{ inputs.kubernetesVersion }} kubernetesVersion: ${{ inputs.kubernetesVersion }}
azureSubscription: ${{ inputs.azureSubscription }}
azureTenant: ${{ inputs.azureTenant }}
azureClientID: ${{ inputs.azureClientID }}
azureClientSecret: ${{ inputs.azureClientSecret }} azureClientSecret: ${{ inputs.azureClientSecret }}
azureUserAssignedIdentity: ${{ inputs.azureUserAssignedIdentity }}
azureResourceGroup: ${{ inputs.azureResourceGroup }} azureResourceGroup: ${{ inputs.azureResourceGroup }}
# #
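Review bot: The new `gcpProject`, `azureSubscription`, `azureTenant`, `azureClientID` and `azureUserAssignedIdentity` inputs in the first hunk are declared `required: false` with no default, yet the second hunk forwards them unconditionally to `constellation_create`, whose hunk at the top of the page writes them straight into `constellation-conf.yaml`; a caller that omits one of them for its active provider ends up with an empty field and a failure only later at cluster creation. I would state the condition in each description, e.g. `description: "The GCP project to deploy Constellation in. Required when cloudProvider is 'gcp'."` and, for the Azure inputs, `"… Required when cloudProvider is 'azure'."`, or add a short step that checks the provider-specific inputs are non-empty before the `uses: ./.github/actions/constellation_create` step. The same declarations are added in the `constellation_create` inputs hunks at the top of the page and in the third file section (`@ -25,12 +25,24 @@ inputs:`), and the wording belongs there as well.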


@ -25,12 +25,24 @@ inputs:
description: "Kubernetes version to create the cluster from." description: "Kubernetes version to create the cluster from."
required: false required: false
default: "1.23" default: "1.23"
gcpProject:
description: "The GCP project to deploy Constellation in."
required: false
gcp_service_account_json: gcp_service_account_json:
description: "Service account with permissions to create Constellation on GCP." description: "Service account with permissions to create Constellation on GCP."
required: false required: false
gcpClusterServiceAccountKey: gcpClusterServiceAccountKey:
description: "Service account to use inside the created Constellation cluster on GCP." description: "Service account to use inside the created Constellation cluster on GCP."
required: false required: false
azureSubscription:
description: "The Azure subscription ID to deploy Constellation in."
required: false
azureTenant:
description: "The Azure tenant ID to deploy Constellation in."
required: false
azureClientID:
description: "The client ID of the application registration created for Constellation in Azure."
required: false
azureClientSecret: azureClientSecret:
description: "The client secret value of the used secret" description: "The client secret value of the used secret"
required: false required: false


@ -50,8 +50,13 @@ jobs:
workerNodesCount: "2" workerNodesCount: "2"
controlNodesCount: "3" controlNodesCount: "3"
cloudProvider: ${{ matrix.provider }} cloudProvider: ${{ matrix.provider }}
azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }} azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }} azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }} gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }} gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
test: "sonobuoy full" test: "sonobuoy full"
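Review bot: Of the values wired in here only `AZURE_E2E_CLIENT_SECRET` and the two GCP service-account secrets are credentials; `AZURE_E2E_SUBSCRIPTION_ID`, `AZURE_E2E_TENANT_ID`, `AZURE_E2E_CLIENT_ID`, `AZURE_E2E_USER_ASSIGNED_IDENTITY` and `GCP_E2E_PROJECT` are identifiers that the cloud CLIs commonly echo in error messages and resource paths. Every `secrets.*` value is masked in the job log, so those messages will show `***` where the subscription, tenant or project used to be, which makes a failed e2e run harder to diagnose; judging by the literal removed in the first section, the user-assigned-identity path also embeds the subscription ID, so two secrets now have to be kept consistent by hand. Keeping the IDs out of the repository is a defensible trade-off, but it deserves a comment on the first `azureSubscription:` line, e.g. `# non-credential IDs are kept as secrets to keep them out of the repo; expect them masked in logs`, and a non-secret variable mechanism would be preferable where the runner offers one. The same lines are added in the four workflow sections that follow (`@ -127,11 +127,16`, `@ -91,11 +91,16`, `@ -60,15 +60,20`, `@ -58,9 +58,14`).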


@ -127,11 +127,16 @@ jobs:
controlNodesCount: ${{ github.event.inputs.controlNodesCount }} controlNodesCount: ${{ github.event.inputs.controlNodesCount }}
cloudProvider: ${{ github.event.inputs.cloudProvider }} cloudProvider: ${{ github.event.inputs.cloudProvider }}
machineType: ${{ github.event.inputs.machineType }} machineType: ${{ github.event.inputs.machineType }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }} gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }} gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
test: ${{ github.event.inputs.test }} test: ${{ github.event.inputs.test }}
kubernetesVersion: ${{ github.event.inputs.kubernetesVersion }} kubernetesVersion: ${{ github.event.inputs.kubernetesVersion }}
azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }} azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }} azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
osImage: ${{ github.event.inputs.osImage }} osImage: ${{ github.event.inputs.osImage }}
isDebugImage: ${{ github.event.inputs.isDebugImage }} isDebugImage: ${{ github.event.inputs.isDebugImage }}


@ -91,11 +91,16 @@ jobs:
controlNodesCount: ${{ github.event.inputs.controlNodesCount }} controlNodesCount: ${{ github.event.inputs.controlNodesCount }}
cloudProvider: ${{ github.event.inputs.cloudProvider }} cloudProvider: ${{ github.event.inputs.cloudProvider }}
machineType: ${{ github.event.inputs.machineType }} machineType: ${{ github.event.inputs.machineType }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }} gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }} gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
test: ${{ github.event.inputs.test }} test: ${{ github.event.inputs.test }}
kubernetesVersion: ${{ github.event.inputs.kubernetesVersion }} kubernetesVersion: ${{ github.event.inputs.kubernetesVersion }}
azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }} azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }} azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
osImage: ${{ github.event.inputs.osImage }} osImage: ${{ github.event.inputs.osImage }}
isDebugImage: ${{ github.event.inputs.isDebugImage }} isDebugImage: ${{ github.event.inputs.isDebugImage }}


@ -60,15 +60,20 @@ jobs:
az group create --location northeurope --name $name --tags e2e az group create --location northeurope --name $name --tags e2e
echo "res_group_name=$name" >> $GITHUB_OUTPUT echo "res_group_name=$name" >> $GITHUB_OUTPUT
- name: Run Azure E2E test - name: Run E2E test
uses: ./.github/actions/e2e_test uses: ./.github/actions/e2e_test
with: with:
workerNodesCount: "2" workerNodesCount: "2"
controlNodesCount: "3" controlNodesCount: "3"
cloudProvider: ${{ matrix.provider }} cloudProvider: ${{ matrix.provider }}
kubernetesVersion: ${{ matrix.version }} kubernetesVersion: ${{ matrix.version }}
azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }} azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }} azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }} gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }} gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
test: ${{ matrix.test }} test: ${{ matrix.test }}


@ -58,9 +58,14 @@ jobs:
uses: ./.github/actions/generate_measurements uses: ./.github/actions/generate_measurements
with: with:
cloudProvider: ${{ github.event.inputs.cloudProvider }} cloudProvider: ${{ github.event.inputs.cloudProvider }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }} gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }} gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }} azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }} azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
osImage: ${{ github.event.inputs.osImage }} osImage: ${{ github.event.inputs.osImage }}
isDebugImage: ${{ github.event.inputs.isDebugImage }} isDebugImage: ${{ github.event.inputs.isDebugImage }}