Replace specific Azure/GCP credentials with secrets
This commit is contained in:
parent
ee20ff8950
commit
b24c799c80
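--- a/.github/actions/constellation_create/action.yml
+++ b/.github/actions/constellation_create/action.yml
@@ -11,6 +11,9 @@ inputs:
 cloudProvider:
 description: "Either 'gcp' or 'azure'."
 required: true
+gcpProject:
+description: "The GCP project to deploy Constellation in."
+required: false
 gcpClusterServiceAccountKey:
 description: "Service account to use inside the created Constellation cluster on GCP."
 required: false
@@ -26,9 +29,21 @@ inputs:
 kubernetesVersion:
 description: "Kubernetes version to create the cluster from."
 required: false
+azureSubscription:
+description: "The Azure subscription ID to deploy Constellation in."
+required: false
+azureTenant:
+description: "The Azure tenant ID to deploy Constellation in."
+required: false
+azureClientID:
+description: "The client ID of the application registration created for Constellation in Azure."
+required: false
 azureClientSecret:
 description: "The client secret value of the used secret"
 required: false
+azureUserAssignedIdentity:
+description: "The Azure user assigned identity to use for Constellation."
+required: false
 azureResourceGroup:
 description: "The resource group to use for Constellation cluster"
 required: false
@@ -47,17 +62,17 @@ runs:
 constellation config generate ${{ inputs.cloudProvider }}
 
 yq eval -i \
-"(.provider | select(. | has(\"azure\")).azure.subscription) = \"0d202bbb-4fa7-4af8-8125-58c269a05435\" |
+"(.provider | select(. | has(\"azure\")).azure.subscription) = \"${{ inputs.azureSubscription }}\" |
-(.provider | select(. | has(\"azure\")).azure.tenant) = \"adb650a8-5da3-4b15-b4b0-3daf65ff7626\" |
+(.provider | select(. | has(\"azure\")).azure.tenant) = \"${{ inputs.azureTenant }}\" |
 (.provider | select(. | has(\"azure\")).azure.location) = \"North Europe\" |
-(.provider | select(. | has(\"azure\")).azure.userAssignedIdentity) = \"/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/e2e-test-creds/providers/Microsoft.ManagedIdentity/userAssignedIdentities/e2e-test-user-assigned-id\" |
+(.provider | select(. | has(\"azure\")).azure.userAssignedIdentity) = \"${{ inputs.azureUserAssignedIdentity }}\" |
 (.provider | select(. | has(\"azure\")).azure.resourceGroup) = \"${{ inputs.azureResourceGroup }}\" |
-(.provider | select(. | has(\"azure\")).azure.appClientID) = \"b657a00e-813a-4dc7-9b09-fa498a254d71\" |
+(.provider | select(. | has(\"azure\")).azure.appClientID) = \"${{ inputs.azureClientID }}\" |
 (.provider | select(. | has(\"azure\")).azure.clientSecretValue) = \"${{ inputs.azureClientSecret }}\" |
 (.provider | select(. | has(\"azure\")).azure.enforcedMeasurements) = [11,12]" \
 constellation-conf.yaml
 yq eval -i \
-"(.provider | select(. | has(\"gcp\")).gcp.project) = \"constellation-331613\" |
+"(.provider | select(. | has(\"gcp\")).gcp.project) = \"${{ inputs.gcpProject }}\" |
 (.provider | select(. | has(\"gcp\")).gcp.region) = \"europe-west3\" |
 (.provider | select(. | has(\"gcp\")).gcp.zone) = \"europe-west3-b\" |
 (.provider | select(. | has(\"gcp\")).gcp.enforcedMeasurements) = [11,12] |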
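Review bot: The new `${{ inputs.azureSubscription }}`, `azureTenant`, `azureUserAssignedIdentity`, `azureClientID` and `gcpProject` expressions in the third hunk are expanded into the `run:` script text before the shell parses it, so a value containing `"` or `$(` breaks the yq program or is executed; GitHub's own guidance is to route inputs through the step's `env:` and read them as variables (the pre-existing `azureClientSecret` and `azureResourceGroup` lines already have the same shape, so this is a good moment to fix all of them). With the values in `env:`, each line becomes e.g. `(.provider | select(. | has(\"azure\")).azure.subscription) = strenv(AZURE_SUBSCRIPTION) |`, which also drops the escaped-quote nesting. The inputs are `required: false` with no default, so an unset one is written into constellation-conf.yaml as an empty string and only surfaces when `constellation create` fails later; a short check that the inputs for the selected `cloudProvider` are non-empty would fail fast. The `run:` step enclosing the third hunk begins and ends outside it.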
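--- a/.github/actions/e2e_test/action.yml
+++ b/.github/actions/e2e_test/action.yml
@@ -27,15 +27,30 @@ inputs:
 kubernetesVersion:
 description: "Kubernetes version to create the cluster from."
 required: false
+gcpProject:
+description: "The GCP project to deploy Constellation in."
+required: false
 gcp_service_account_json:
 description: "Service account with permissions to create Constellation on GCP."
 required: false
 gcpClusterServiceAccountKey:
 description: "Service account to use inside the created Constellation cluster on GCP."
 required: false
+azureSubscription:
+description: "The Azure subscription ID to deploy Constellation in."
+required: false
+azureTenant:
+description: "The Azure tenant ID to deploy Constellation in."
+required: false
+azureClientID:
+description: "The client ID of the application registration created for Constellation in Azure."
+required: false
 azureClientSecret:
 description: "The client secret value of the used secret"
 required: false
+azureUserAssignedIdentity:
+description: "The Azure user assigned identity to use for Constellation."
+required: false
 azureResourceGroup:
 description: "The resource group to use"
 required: false
@@ -113,6 +128,7 @@ runs:
 uses: ./.github/actions/constellation_create
 with:
 cloudProvider: ${{ inputs.cloudProvider }}
+gcpProject: ${{ inputs.gcpProject }}
 gcpClusterServiceAccountKey: ${{ inputs.gcpClusterServiceAccountKey }}
 workerNodesCount: ${{ inputs.workerNodesCount }}
 controlNodesCount: ${{ inputs.controlNodesCount }}
@@ -120,7 +136,11 @@ runs:
 osImage: ${{ inputs.osImage }}
 isDebugImage: ${{ inputs.isDebugImage }}
 kubernetesVersion: ${{ inputs.kubernetesVersion }}
+azureSubscription: ${{ inputs.azureSubscription }}
+azureTenant: ${{ inputs.azureTenant }}
+azureClientID: ${{ inputs.azureClientID }}
 azureClientSecret: ${{ inputs.azureClientSecret }}
+azureUserAssignedIdentity: ${{ inputs.azureUserAssignedIdentity }}
 azureResourceGroup: ${{ inputs.azureResourceGroup }}
 
 #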
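Review bot: The five inputs added in the first hunk are `required: false` with no default and no statement of when they must be set, although each is mandatory for one of the two providers; the runner cannot express a provider-conditional requirement, so the description is the only place to record it, e.g. `description: "The Azure subscription ID to deploy Constellation in. Required when cloudProvider is 'azure'."` and `description: "The GCP project to deploy Constellation in. Required when cloudProvider is 'gcp'."`. The same wording would help the matching inputs in .github/actions/constellation_create/action.yml and .github/actions/generate_measurements/action.yml in this commit. `azureResourceGroup` is described as "The resource group to use" here and as "The resource group to use for Constellation cluster" in constellation_create; aligning the two makes the copies easier to keep in sync. The `inputs:` and `runs:` mappings extend beyond the hunks.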
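--- a/.github/actions/generate_measurements/action.yml
+++ b/.github/actions/generate_measurements/action.yml
@@ -25,12 +25,24 @@ inputs:
 description: "Kubernetes version to create the cluster from."
 required: false
 default: "1.23"
+gcpProject:
+description: "The GCP project to deploy Constellation in."
+required: false
 gcp_service_account_json:
 description: "Service account with permissions to create Constellation on GCP."
 required: false
 gcpClusterServiceAccountKey:
 description: "Service account to use inside the created Constellation cluster on GCP."
 required: false
+azureSubscription:
+description: "The Azure subscription ID to deploy Constellation in."
+required: false
+azureTenant:
+description: "The Azure tenant ID to deploy Constellation in."
+required: false
+azureClientID:
+description: "The client ID of the application registration created for Constellation in Azure."
+required: false
 azureClientSecret:
 description: "The client secret value of the used secret"
 required: false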
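Review bot: `azureUserAssignedIdentity` is not among the inputs added here, yet .github/workflows/generate-measurements.yml in this same commit now passes it to this action; unless it is declared further down the file outside the hunk, the runner only prints a warning of the form `Unexpected input(s) 'azureUserAssignedIdentity'` and the value never reaches the action, so the identity would silently keep coming from wherever constellation_create obtains it today. If it is indeed missing, add it next to the other Azure inputs: `azureUserAssignedIdentity:` / `description: "The Azure user assigned identity to use for Constellation."` / `required: false`, and forward it in the `with:` block of the constellation_create call. The `inputs:` mapping continues past the end of the hunk.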
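--- a/.github/workflows/e2e-test-daily.yml
+++ b/.github/workflows/e2e-test-daily.yml
@@ -50,8 +50,13 @@ jobs:
 workerNodesCount: "2"
 controlNodesCount: "3"
 cloudProvider: ${{ matrix.provider }}
+azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
+azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
+azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
 azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
+azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
 azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
+gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
 gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
 test: "sonobuoy full"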
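Review bot: The five values now read from `secrets.*` expand to empty strings when the secret is not defined for the run (for example a missing repository secret or a fork context), and nothing in this job notices before the e2e_test action writes an empty subscription or project into the config and `constellation create` fails much later with an unrelated-looking error. A small step ahead of the e2e_test step that checks the secrets needed for `matrix.provider` and exits non-zero with the secret's name would fail fast and name the misconfiguration; the same gap exists in e2e-test-manual.yml, e2e-test-manual-macos.yml, e2e-test-weekly.yml and generate-measurements.yml in this commit. Handing both providers' secrets to every matrix job is otherwise acceptable, since values passed through `with:` remain subject to log masking. The `with:` block belongs to a step whose `uses:` line sits above the hunk.
```yaml
      - name: Check provider secrets are set
        env:
          PROVIDER: ${{ matrix.provider }}
          AZURE_SUBSCRIPTION: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
          AZURE_USER_ASSIGNED_IDENTITY: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
          GCP_PROJECT: ${{ secrets.GCP_E2E_PROJECT }}
        run: |
          set -euo pipefail
          if [[ "$PROVIDER" == "azure" && ( -z "$AZURE_SUBSCRIPTION" || -z "$AZURE_USER_ASSIGNED_IDENTITY" ) ]]; then
            echo "AZURE_E2E_SUBSCRIPTION_ID or AZURE_E2E_USER_ASSIGNED_IDENTITY is not set"; exit 1
          fi
          if [[ "$PROVIDER" == "gcp" && -z "$GCP_PROJECT" ]]; then
            echo "GCP_E2E_PROJECT is not set"; exit 1
          fi
      # … unchanged: e2e_test step with the secrets passed through `with:` …
```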
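--- a/.github/workflows/e2e-test-manual-macos.yml
+++ b/.github/workflows/e2e-test-manual-macos.yml
@@ -127,11 +127,16 @@ jobs:
 controlNodesCount: ${{ github.event.inputs.controlNodesCount }}
 cloudProvider: ${{ github.event.inputs.cloudProvider }}
 machineType: ${{ github.event.inputs.machineType }}
+gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
 gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
 test: ${{ github.event.inputs.test }}
 kubernetesVersion: ${{ github.event.inputs.kubernetesVersion }}
+azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
+azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
+azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
 azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
+azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
 azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
 osImage: ${{ github.event.inputs.osImage }}
 isDebugImage: ${{ github.event.inputs.isDebugImage }}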
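--- a/.github/workflows/e2e-test-manual.yml
+++ b/.github/workflows/e2e-test-manual.yml
@@ -91,11 +91,16 @@ jobs:
 controlNodesCount: ${{ github.event.inputs.controlNodesCount }}
 cloudProvider: ${{ github.event.inputs.cloudProvider }}
 machineType: ${{ github.event.inputs.machineType }}
+gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
 gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
 test: ${{ github.event.inputs.test }}
 kubernetesVersion: ${{ github.event.inputs.kubernetesVersion }}
+azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
+azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
+azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
 azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
+azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
 azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
 osImage: ${{ github.event.inputs.osImage }}
 isDebugImage: ${{ github.event.inputs.isDebugImage }}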
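--- a/.github/workflows/e2e-test-weekly.yml
+++ b/.github/workflows/e2e-test-weekly.yml
@@ -60,15 +60,20 @@ jobs:
 az group create --location northeurope --name $name --tags e2e
 echo "res_group_name=$name" >> $GITHUB_OUTPUT
 
-- name: Run Azure E2E test
+- name: Run E2E test
 uses: ./.github/actions/e2e_test
 with:
 workerNodesCount: "2"
 controlNodesCount: "3"
 cloudProvider: ${{ matrix.provider }}
 kubernetesVersion: ${{ matrix.version }}
+azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
+azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
+azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
 azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
+azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
 azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
+gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
 gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
 test: ${{ matrix.test }}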
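--- a/.github/workflows/generate-measurements.yml
+++ b/.github/workflows/generate-measurements.yml
@@ -58,9 +58,14 @@ jobs:
 uses: ./.github/actions/generate_measurements
 with:
 cloudProvider: ${{ github.event.inputs.cloudProvider }}
+gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
 gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
+azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
+azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
+azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
 azureClientSecret: ${{ secrets.AZURE_E2E_CLIENT_SECRET }}
+azureUserAssignedIdentity: ${{ secrets.AZURE_E2E_USER_ASSIGNED_IDENTITY }}
 azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
 osImage: ${{ github.event.inputs.osImage }}
 isDebugImage: ${{ github.event.inputs.isDebugImage }}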