mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-28 16:27:01 -05:00
29dcb72bea
The existingConfig field is always set to true during create, as we use the IAM create step to generate the config in all cases. Accordingly, secret injection into config isn't needed anymore in create. This fixes a bug where other parameters like Kubernetes version and cluster name wouldn't be injected into the config due to existingConfig being true. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
306 lines
12 KiB
YAML
306 lines
12 KiB
YAML
name: e2e meta test
|
|
description: "This test does the infrastructure management and runs the e2e test of your choice."
|
|
|
|
inputs:
|
|
workerNodesCount:
|
|
description: "Number of worker nodes to spawn."
|
|
required: false
|
|
default: "2"
|
|
controlNodesCount:
|
|
description: "Number of control-plane nodes to spawn."
|
|
required: false
|
|
default: "3"
|
|
cloudProvider:
|
|
description: "Which cloud provider to use."
|
|
required: true
|
|
machineType:
|
|
description: "VM machine type. Make sure it matches selected cloud provider!"
|
|
required: false
|
|
osImage:
|
|
description: "OS image to run."
|
|
required: true
|
|
isDebugImage:
|
|
description: "Is OS img a debug img?"
|
|
default: "true"
|
|
required: true
|
|
cliVersion:
|
|
description: "Version of a released CLI to download, e.g. 'v2.3.0', leave empty to build it."
|
|
required: false
|
|
kubernetesVersion:
|
|
description: "Kubernetes version to create the cluster from."
|
|
required: false
|
|
gcpProject:
|
|
description: "The GCP project to deploy Constellation in."
|
|
required: false
|
|
gcpIAMCreateServiceAccount:
|
|
description: "Service account with permissions to create IAM configuration on GCP."
|
|
required: false
|
|
gcpClusterCreateServiceAccount:
|
|
description: "Service account with permissions to create a Constellation cluster on GCP."
|
|
required: false
|
|
gcpInClusterServiceAccountKey:
|
|
description: "Service account to use inside the created Constellation cluster on GCP."
|
|
required: false
|
|
awsOpenSearchDomain:
|
|
description: "AWS OpenSearch Endpoint Domain to upload the benchmark results."
|
|
required: false
|
|
awsOpenSearchUsers:
|
|
description: "AWS OpenSearch User to upload the benchmark results."
|
|
required: false
|
|
awsOpenSearchPwd:
|
|
description: "AWS OpenSearch Password to upload the benchmark results."
|
|
required: false
|
|
azureClusterCreateCredentials:
|
|
description: "Azure credentials authorized to create a Constellation cluster."
|
|
required: true
|
|
azureIAMCreateCredentials:
|
|
description: "Azure credentials authorized to create an IAM configuration."
|
|
required: true
|
|
test:
|
|
description: "The test to run. Can currently be one of [sonobuoy full, sonobuoy quick, autoscaling, lb, perf-bench, verify, recover, nop]."
|
|
required: true
|
|
sonobuoyTestSuiteCmd:
|
|
description: "The sonobuoy test suite to run."
|
|
required: false
|
|
buildBuddyApiKey:
|
|
description: "BuildBuddy API key for caching Bazel artifacts"
|
|
required: false
|
|
registry:
|
|
description: "Container registry to use"
|
|
required: true
|
|
githubToken:
|
|
description: "GitHub authorization token"
|
|
required: true
|
|
fetchMeasurements:
|
|
default: "false"
|
|
description: "Update measurements via the 'constellation config fetch-measurements' command."
|
|
|
|
outputs:
|
|
kubeconfig:
|
|
description: "The kubeconfig for the cluster."
|
|
value: ${{ steps.constellation-create.outputs.kubeconfig }}
|
|
namePrefix:
|
|
description: "The name prefix of the cloud resources used in the e2e test."
|
|
value: ${{ steps.create-prefix.outputs.prefix }}
|
|
|
|
runs:
|
|
using: "composite"
|
|
steps:
|
|
- name: Check input
|
|
if: (!contains(fromJson('["sonobuoy full", "sonobuoy quick", "autoscaling", "perf-bench", "verify", "lb", "recover", "nop"]'), inputs.test))
|
|
shell: bash
|
|
run: |
|
|
echo "::error::Invalid input for test field: ${{ inputs.test }}"
|
|
exit 1
|
|
|
|
# Perf-bench's network benchmarks require at least two distinct worker nodes.
|
|
- name: Validate perf-bench inputs
|
|
if: inputs.test == 'perf-bench'
|
|
shell: bash
|
|
run: |
|
|
if [[ "${{ inputs.workerNodesCount }}" -lt 2 ]]; then
|
|
echo "::error::Test Perf-Bench requires at least 2 worker nodes."
|
|
exit 1
|
|
fi
|
|
|
|
- name: Determine build target
|
|
id: determine-build-target
|
|
shell: bash
|
|
run: |
|
|
echo "hostOS=$(go env GOOS)" | tee -a "$GITHUB_OUTPUT"
|
|
echo "hostArch=$(go env GOARCH)" | tee -a "$GITHUB_OUTPUT"
|
|
|
|
- name: Setup bazel
|
|
uses: ./.github/actions/setup_bazel
|
|
with:
|
|
useCache: ${{ inputs.buildBuddyApiKey != '' }}
|
|
buildBuddyApiKey: ${{ inputs.buildBuddyApiKey }}
|
|
|
|
- name: Log in to the Container registry
|
|
uses: ./.github/actions/container_registry_login
|
|
with:
|
|
registry: ${{ inputs.registry }}
|
|
username: ${{ github.actor }}
|
|
password: ${{ inputs.githubToken }}
|
|
|
|
- name: Build CLI
|
|
if: inputs.cliVersion == ''
|
|
uses: ./.github/actions/build_cli
|
|
with:
|
|
targetOS: ${{ steps.determine-build-target.outputs.hostOS }}
|
|
targetArch: ${{ steps.determine-build-target.outputs.hostArch }}
|
|
enterpriseCLI: true
|
|
outputPath: "build/constellation"
|
|
push: ${{ inputs.cliVersion == '' }}
|
|
|
|
- name: Download CLI
|
|
if: inputs.cliVersion != ''
|
|
shell: bash
|
|
run: |
|
|
curl -fsSL -o constellation https://github.com/edgelesssys/constellation/releases/download/${{ inputs.cliVersion }}/constellation-linux-amd64
|
|
chmod u+x constellation
|
|
echo "$(pwd)" >> $GITHUB_PATH
|
|
export PATH="$PATH:$(pwd)"
|
|
constellation version
|
|
# Do not spam license server from pipeline
|
|
sudo sh -c 'echo "127.0.0.1 license.confidential.cloud" >> /etc/hosts'
|
|
|
|
- name: Build the bootstrapper
|
|
id: build-bootstrapper
|
|
if: inputs.isDebugImage == 'true'
|
|
uses: ./.github/actions/build_bootstrapper
|
|
|
|
- name: Build the upgrade-agent
|
|
id: build-upgrade-agent
|
|
if: inputs.isDebugImage == 'true'
|
|
uses: ./.github/actions/build_upgrade_agent
|
|
|
|
- name: Build cdbg
|
|
id: build-cdbg
|
|
if: inputs.isDebugImage == 'true'
|
|
uses: ./.github/actions/build_cdbg
|
|
with:
|
|
targetOS: ${{ steps.determine-build-target.outputs.hostOS }}
|
|
targetArch: ${{ steps.determine-build-target.outputs.hostArch }}
|
|
|
|
- name: Login to GCP (IAM service account)
|
|
if: inputs.cloudProvider == 'gcp'
|
|
uses: ./.github/actions/login_gcp
|
|
with:
|
|
service_account: ${{ inputs.gcpIAMCreateServiceAccount }}
|
|
|
|
- name: Login to AWS (IAM role)
|
|
if: inputs.cloudProvider == 'aws'
|
|
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
|
|
with:
|
|
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
|
|
aws-region: eu-central-1
|
|
# extend token expiry to 6 hours to ensure constellation can terminate
|
|
role-duration-seconds: 21600
|
|
|
|
- name: Login to Azure (IAM service principal)
|
|
if: inputs.cloudProvider == 'azure'
|
|
uses: ./.github/actions/login_azure
|
|
with:
|
|
azure_credentials: ${{ inputs.azureIAMCreateCredentials }}
|
|
|
|
- name: Create prefix
|
|
id: create-prefix
|
|
shell: bash
|
|
run: |
|
|
uuid=$(uuidgen | tr "[:upper:]" "[:lower:]")
|
|
uuid=${uuid%%-*}
|
|
echo "uuid=${uuid}" | tee -a $GITHUB_OUTPUT
|
|
echo "prefix=e2e-${{ github.run_id }}-${{ github.run_attempt }}-${uuid}" | tee -a $GITHUB_OUTPUT
|
|
|
|
- name: Create IAM configuration
|
|
id: constellation-iam-create
|
|
uses: ./.github/actions/constellation_iam_create
|
|
with:
|
|
cloudProvider: ${{ inputs.cloudProvider }}
|
|
namePrefix: ${{ steps.create-prefix.outputs.prefix }}
|
|
awsZone: us-east-2c
|
|
azureRegion: northeurope
|
|
gcpProjectID: ${{ inputs.gcpProject }}
|
|
gcpZone: europe-west3-b
|
|
kubernetesVersion: ${{ inputs.kubernetesVersion }}
|
|
|
|
- name: Login to GCP (Cluster service account)
|
|
if: inputs.cloudProvider == 'gcp'
|
|
uses: ./.github/actions/login_gcp
|
|
with:
|
|
service_account: ${{ inputs.gcpClusterCreateServiceAccount }}
|
|
|
|
- name: Login to AWS (Cluster role)
|
|
if: inputs.cloudProvider == 'aws'
|
|
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
|
|
with:
|
|
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
|
|
aws-region: eu-central-1
|
|
# extend token expiry to 6 hours to ensure constellation can terminate
|
|
role-duration-seconds: 21600
|
|
|
|
- name: Login to Azure (Cluster service principal)
|
|
if: inputs.cloudProvider == 'azure'
|
|
uses: ./.github/actions/login_azure
|
|
with:
|
|
azure_credentials: ${{ inputs.azureClusterCreateCredentials }}
|
|
|
|
- name: Create cluster
|
|
id: constellation-create
|
|
uses: ./.github/actions/constellation_create
|
|
with:
|
|
cloudProvider: ${{ inputs.cloudProvider }}
|
|
workerNodesCount: ${{ inputs.workerNodesCount }}
|
|
controlNodesCount: ${{ inputs.controlNodesCount }}
|
|
machineType: ${{ inputs.machineType }}
|
|
osImage: ${{ inputs.osImage }}
|
|
isDebugImage: ${{ inputs.isDebugImage }}
|
|
artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
|
|
fetchMeasurements: ${{ inputs.fetchMeasurements }}
|
|
cliVersion: ${{ inputs.cliVersion }}
|
|
|
|
#
|
|
# Test payloads
|
|
#
|
|
|
|
- name: Nop test payload
|
|
if: inputs.test == 'nop'
|
|
shell: bash
|
|
run: echo "::warning::This test has a nop payload. It doesn't run any tests."
|
|
|
|
- name: Run sonobuoy quick test
|
|
if: inputs.test == 'sonobuoy quick'
|
|
uses: ./.github/actions/e2e_sonobuoy
|
|
with:
|
|
sonobuoyTestSuiteCmd: "--mode quick"
|
|
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
|
|
artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
|
|
|
|
- name: Run sonobuoy full test
|
|
if: inputs.test == 'sonobuoy full'
|
|
uses: ./.github/actions/e2e_sonobuoy
|
|
with:
|
|
# TODO(3u13r): Remove E2E_SKIP once AB#2174 is resolved
|
|
sonobuoyTestSuiteCmd: '--plugin e2e --plugin-env e2e.E2E_FOCUS="\[Conformance\]" --plugin-env e2e.E2E_SKIP="for service with type clusterIP|HostPort validates that there is no conflict between pods with same hostPort but different hostIP and protocol" --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-plugin.yaml --plugin https://raw.githubusercontent.com/vmware-tanzu/sonobuoy-plugins/master/cis-benchmarks/kube-bench-master-plugin.yaml'
|
|
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
|
|
artifactNameSuffix: ${{ steps.create-prefix.outputs.prefix }}
|
|
|
|
- name: Run autoscaling test
|
|
if: inputs.test == 'autoscaling'
|
|
uses: ./.github/actions/e2e_autoscaling
|
|
with:
|
|
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
|
|
|
|
- name: Run lb test
|
|
if: inputs.test == 'lb'
|
|
uses: ./.github/actions/e2e_lb
|
|
with:
|
|
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
|
|
|
|
- name: Run Performance Benchmark
|
|
if: inputs.test == 'perf-bench'
|
|
uses: ./.github/actions/e2e_benchmark
|
|
with:
|
|
cloudProvider: ${{ inputs.cloudProvider }}
|
|
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
|
|
awsOpenSearchDomain: ${{ inputs.awsOpenSearchDomain }}
|
|
awsOpenSearchUsers: ${{ inputs.awsOpenSearchUsers }}
|
|
awsOpenSearchPwd: ${{ inputs.awsOpenSearchPwd }}
|
|
|
|
- name: Run constellation verify test
|
|
if: inputs.test == 'verify'
|
|
uses: ./.github/actions/e2e_verify
|
|
with:
|
|
cloudProvider: ${{ inputs.cloudProvider }}
|
|
osImage: ${{ steps.constellation-create.outputs.osImageUsed }}
|
|
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
|
|
|
|
- name: Run recover test
|
|
if: inputs.test == 'recover'
|
|
uses: ./.github/actions/e2e_recover
|
|
with:
|
|
controlNodesCount: ${{ inputs.controlNodesCount }}
|
|
kubeconfig: ${{ steps.constellation-create.outputs.kubeconfig }}
|
|
masterSecret: ${{ steps.constellation-create.outputs.masterSecret }}
|