mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-26 16:09:45 -05:00
223 lines
8.0 KiB
YAML
223 lines
8.0 KiB
YAML
name: e2e test Terraform module
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
ref:
|
|
type: string
|
|
description: "Git ref to checkout"
|
|
required: false
|
|
cloudProvider:
|
|
description: "Which cloud provider to use."
|
|
type: choice
|
|
options:
|
|
- "aws"
|
|
- "gcp"
|
|
required: true
|
|
regionZone:
|
|
description: "Region or zone to create the cluster in. Leave empty for default region/zone."
|
|
type: string
|
|
image:
|
|
description: "Node image version of the cluster."
|
|
type: string
|
|
required: true
|
|
cliVersion:
|
|
description: "Constellation CLI version to use. Empty value means build from source."
|
|
type: string
|
|
default: ""
|
|
required: false
|
|
workflow_call:
|
|
inputs:
|
|
ref:
|
|
type: string
|
|
description: "Git ref to checkout"
|
|
required: false
|
|
cloudProvider:
|
|
description: "Which cloud provider to use."
|
|
type: string
|
|
required: true
|
|
regionZone:
|
|
description: "Which zone to use."
|
|
type: string
|
|
image:
|
|
description: "Node image reference which is compatible with the current dev release version."
|
|
type: string
|
|
required: true
|
|
cliVersion:
|
|
description: "Constellation CLI version to use. Empty value means build from source."
|
|
type: string
|
|
default: ""
|
|
required: false
|
|
jobs:
|
|
build:
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
packages: write
|
|
steps:
|
|
- name: Checkout
|
|
id: checkout
|
|
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
|
with:
|
|
ref: ${{ inputs.ref || github.head_ref }}
|
|
|
|
- name: Upload module
|
|
uses: ./.github/actions/upload_terraform_module
|
|
|
|
- name: Download Terraform module
|
|
uses: actions/download-artifact@v3
|
|
with:
|
|
name: terraform-module
|
|
|
|
- name: Unzip Terraform module
|
|
run: unzip terraform-module.zip
|
|
|
|
- name: Create resource prefix
|
|
id: create-prefix
|
|
shell: bash
|
|
run: |
|
|
run_id=${{ github.run_id }}
|
|
last_three="${run_id: -3}"
|
|
echo "prefix=e2e-${last_three}-${{ github.run_attempt }}" | tee -a "$GITHUB_OUTPUT"
|
|
|
|
- name: Create AWS Terraform variable input file
|
|
if: inputs.cloudProvider == 'aws'
|
|
working-directory: ./terraform-module/aws-constellation
|
|
run: |
|
|
cat > terraform.tfvars <<EOF
|
|
name = "${{ steps.create-prefix.outputs.prefix }}"
|
|
image = "${{ inputs.image }}"
|
|
zone = "${{ inputs.regionZone || 'us-east-2c' }}"
|
|
name_prefix = "${{ steps.create-prefix.outputs.prefix }}"
|
|
node_groups = {
|
|
control_plane_default = {
|
|
role = "control-plane"
|
|
zone = "${{ inputs.regionZone || 'us-east-2c' }}"
|
|
instance_type = "m6a.xlarge"
|
|
disk_size = 30
|
|
disk_type = "gp3"
|
|
initial_count = 2
|
|
},
|
|
worker_default = {
|
|
role = "worker"
|
|
zone = "${{ inputs.regionZone || 'us-east-2c' }}"
|
|
instance_type = "m6a.xlarge"
|
|
disk_size = 30
|
|
disk_type = "gp3"
|
|
initial_count = 2
|
|
}
|
|
}
|
|
EOF
|
|
cat terraform.tfvars
|
|
|
|
- name: Create GCP Terraform variable input file
|
|
if: inputs.cloudProvider == 'gcp'
|
|
working-directory: ./terraform-module/gcp-constellation
|
|
run: |
|
|
cat > terraform.tfvars <<EOF
|
|
name = "${{ steps.create-prefix.outputs.prefix }}"
|
|
project = "${{ secrets.GCP_E2E_PROJECT }}"
|
|
service_account_id = "${{ steps.create-prefix.outputs.prefix }}-sa"
|
|
image = "${{ inputs.image }}"
|
|
zone = "${{ inputs.regionZone || 'europe-west3-b' }}"
|
|
node_groups = {
|
|
control_plane_default = {
|
|
role = "control-plane"
|
|
zone = "${{ inputs.regionZone || 'europe-west3-b' }}"
|
|
instance_type = "n2d-standard-4"
|
|
disk_size = 30
|
|
disk_type = "pd-ssd"
|
|
initial_count = 2
|
|
},
|
|
worker_default = {
|
|
role = "worker"
|
|
zone = "${{ inputs.regionZone || 'europe-west3-b' }}"
|
|
instance_type = "n2d-standard-4"
|
|
disk_size = 30
|
|
disk_type = "pd-ssd"
|
|
initial_count = 2
|
|
}
|
|
}
|
|
EOF
|
|
cat terraform.tfvars
|
|
|
|
- name: Install dependencies (Terraform)
|
|
run: |
|
|
sudo apt update && sudo apt install gpg
|
|
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
|
|
gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
|
|
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
|
|
sudo apt update
|
|
sudo apt install terraform=1.4.4-*
|
|
|
|
- name: Log in to the Container registry
|
|
uses: ./.github/actions/container_registry_login
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Setup bazel
|
|
if: inputs.cliVersion == ''
|
|
uses: ./.github/actions/setup_bazel_nix
|
|
with:
|
|
useCache: "true"
|
|
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
|
|
|
|
- name: Build CLI
|
|
if: inputs.cliVersion == ''
|
|
uses: ./.github/actions/build_cli
|
|
with:
|
|
outputPath: "constellation"
|
|
enterpriseCLI: true
|
|
push: true
|
|
|
|
- name: Download CLI
|
|
if: inputs.cliVersion != ''
|
|
shell: bash
|
|
run: |
|
|
curl -fsSL -o constellation https://github.com/edgelesssys/constellation/releases/download/${{ inputs.cliVersion }}/constellation-linux-amd64
|
|
chmod u+x ./constellation
|
|
./constellation version
|
|
sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
|
|
|
|
- name: Login to AWS (IAM + Cluster role)
|
|
if: inputs.cloudProvider == 'aws'
|
|
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
|
|
with:
|
|
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ETerraform
|
|
aws-region: eu-central-1
|
|
# extend token expiry to 6 hours to ensure constellation can terminate
|
|
role-duration-seconds: 21600
|
|
|
|
- name: Login to GCP (IAM + Cluster service account)
|
|
if: inputs.cloudProvider == 'gcp'
|
|
uses: ./.github/actions/login_gcp
|
|
with:
|
|
service_account: "constellation-e2e-tf@constellation-331613.iam.gserviceaccount.com"
|
|
|
|
- name: Apply Terraform Cluster
|
|
id: apply_terraform
|
|
working-directory: ./terraform-module/${{ inputs.cloudProvider }}-constellation
|
|
run: |
|
|
cp ../../constellation .
|
|
terraform init
|
|
terraform apply -var-file=terraform.tfvars -auto-approve
|
|
|
|
- name: Destroy Terraform Cluster
|
|
# outcome is part of the steps context (https://docs.github.com/en/actions/learn-github-actions/contexts#steps-context)
|
|
if: always() && steps.apply_terraform.outcome != 'skipped'
|
|
working-directory: ./terraform-module/${{ inputs.cloudProvider }}-constellation
|
|
run: |
|
|
terraform init
|
|
terraform destroy -var-file=terraform.tfvars -auto-approve
|
|
|
|
- name: Verify cleanup
|
|
working-directory: ./terraform-module/${{ inputs.cloudProvider }}-constellation
|
|
run: |
|
|
if [ -f constellation-mastersecret.json ] || [ -f constellation-conf.yaml ]; then
|
|
echo "Files constellation-mastersecret.json or constellation-conf.yaml still exist"
|
|
exit 1
|
|
fi
|