mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-10-01 01:36:09 -04:00
e466ce2f26
by setting the Azure SNP enforcement policy to equal in the weekly e2e. The run should fail when there are unexpected ID Key digests used. Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
301 lines
11 KiB
YAML
301 lines
11 KiB
YAML
name: e2e test weekly
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
schedule:
|
|
- cron: "0 3 * * 6" # At 03:00 on Saturday.
|
|
|
|
jobs:
|
|
find-latest-image:
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
refStream: ["ref/main/stream/debug/?", "ref/release/stream/stable/?"]
|
|
name: Find latest image
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
outputs:
|
|
image-main-debug: ${{ steps.relabel-output.outputs.image-main-debug }}
|
|
image-release-stable: ${{ steps.relabel-output.outputs.image-release-stable }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
with:
|
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
|
|
|
- name: Select relevant image
|
|
id: select-image-action
|
|
uses: ./.github/actions/select_image
|
|
with:
|
|
osImage: ${{ matrix.refStream }}
|
|
|
|
- name: Relabel output
|
|
id: relabel-output
|
|
shell: bash
|
|
run: |
|
|
ref=$(echo ${{ matrix.refStream }} | cut -d/ -f2)
|
|
stream=$(echo ${{ matrix.refStream }} | cut -d/ -f4)
|
|
|
|
echo "image-$ref-$stream=${{ steps.select-image-action.outputs.osImage }}" | tee -a "$GITHUB_OUTPUT"
|
|
|
|
e2e-weekly:
|
|
strategy:
|
|
fail-fast: false
|
|
max-parallel: 4
|
|
matrix:
|
|
include:
|
|
#
|
|
# Tests on main-debug refStream
|
|
#
|
|
|
|
# sonobuoy full test on all k8s versions
|
|
- test: "sonobuoy full"
|
|
refStream: "ref/main/stream/debug/?"
|
|
provider: "gcp"
|
|
kubernetes-version: "v1.27"
|
|
- test: "sonobuoy full"
|
|
refStream: "ref/main/stream/debug/?"
|
|
provider: "azure"
|
|
kubernetes-version: "v1.27"
|
|
- test: "sonobuoy full"
|
|
refStream: "ref/main/stream/debug/?"
|
|
provider: "aws"
|
|
kubernetes-version: "v1.27"
|
|
|
|
- test: "sonobuoy full"
|
|
refStream: "ref/main/stream/debug/?"
|
|
provider: "gcp"
|
|
kubernetes-version: "v1.26"
|
|
- test: "sonobuoy full"
|
|
refStream: "ref/main/stream/debug/?"
|
|
provider: "azure"
|
|
kubernetes-version: "v1.26"
|
|
- test: "sonobuoy full"
|
|
refStream: "ref/main/stream/debug/?"
|
|
provider: "aws"
|
|
kubernetes-version: "v1.26"
|
|
|
|
- test: "sonobuoy full"
|
|
refStream: "ref/main/stream/debug/?"
|
|
provider: "gcp"
|
|
kubernetes-version: "v1.25"
|
|
- test: "sonobuoy full"
|
|
refStream: "ref/main/stream/debug/?"
|
|
provider: "azure"
|
|
kubernetes-version: "v1.25"
|
|
- test: "sonobuoy full"
|
|
refStream: "ref/main/stream/debug/?"
|
|
provider: "aws"
|
|
kubernetes-version: "v1.25"
|
|
|
|
# verify test on latest k8s version
|
|
- test: "verify"
|
|
refStream: "ref/main/stream/debug/?"
|
|
provider: "gcp"
|
|
kubernetes-version: "v1.27"
|
|
- test: "verify"
|
|
refStream: "ref/main/stream/debug/?"
|
|
provider: "azure"
|
|
kubernetes-version: "v1.27"
|
|
azureSNPEnforcementPolicy: "equal" # This run checks for unknown ID Key disgests.
|
|
- test: "verify"
|
|
provider: "aws"
|
|
refStream: "ref/main/stream/debug/?"
|
|
kubernetes-version: "v1.27"
|
|
|
|
# recover test on latest k8s version
|
|
- test: "recover"
|
|
refStream: "ref/main/stream/debug/?"
|
|
provider: "gcp"
|
|
kubernetes-version: "v1.27"
|
|
- test: "recover"
|
|
refStream: "ref/main/stream/debug/?"
|
|
provider: "azure"
|
|
kubernetes-version: "v1.27"
|
|
- test: "recover"
|
|
refStream: "ref/main/stream/debug/?"
|
|
provider: "aws"
|
|
kubernetes-version: "v1.27"
|
|
|
|
# lb test on latest k8s version
|
|
- test: "lb"
|
|
refStream: "ref/main/stream/debug/?"
|
|
provider: "gcp"
|
|
kubernetes-version: "v1.27"
|
|
- test: "lb"
|
|
refStream: "ref/main/stream/debug/?"
|
|
provider: "azure"
|
|
kubernetes-version: "v1.27"
|
|
- test: "lb"
|
|
refStream: "ref/main/stream/debug/?"
|
|
provider: "aws"
|
|
kubernetes-version: "v1.27"
|
|
|
|
# autoscaling test on latest k8s version, not supported on AWS
|
|
- test: "autoscaling"
|
|
refStream: "ref/main/stream/debug/?"
|
|
provider: "gcp"
|
|
kubernetes-version: "v1.27"
|
|
- test: "autoscaling"
|
|
refStream: "ref/main/stream/debug/?"
|
|
provider: "azure"
|
|
kubernetes-version: "v1.27"
|
|
|
|
# perf-bench test on latest k8s version, not supported on AWS
|
|
- test: "perf-bench"
|
|
refStream: "ref/main/stream/debug/?"
|
|
provider: "gcp"
|
|
kubernetes-version: "v1.27"
|
|
- test: "perf-bench"
|
|
refStream: "ref/main/stream/debug/?"
|
|
provider: "azure"
|
|
kubernetes-version: "v1.27"
|
|
|
|
#
|
|
# Tests on release-stable refStream
|
|
#
|
|
|
|
# verify test on default k8s version
|
|
- test: "verify"
|
|
refStream: "ref/release/stream/stable/?"
|
|
provider: "gcp"
|
|
kubernetes-version: "v1.26"
|
|
- test: "verify"
|
|
refStream: "ref/release/stream/stable/?"
|
|
provider: "azure"
|
|
kubernetes-version: "v1.26"
|
|
- test: "verify"
|
|
refStream: "ref/release/stream/stable/?"
|
|
provider: "aws"
|
|
kubernetes-version: "v1.26"
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
id-token: write
|
|
checks: write
|
|
contents: read
|
|
packages: write
|
|
needs: [find-latest-image]
|
|
steps:
|
|
- name: Check out repository
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
with:
|
|
fetch-depth: 0
|
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
|
|
|
- name: Run E2E test
|
|
id: e2e_test
|
|
uses: ./.github/actions/e2e_test
|
|
with:
|
|
workerNodesCount: "2"
|
|
controlNodesCount: "3"
|
|
cloudProvider: ${{ matrix.provider }}
|
|
osImage: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || needs.find-latest-image.outputs.image-main-debug }}
|
|
isDebugImage: ${{ matrix.refStream == 'ref/main/stream/debug/?' }}
|
|
cliVersion: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || '' }}
|
|
kubernetesVersion: ${{ matrix.kubernetes-version }}
|
|
awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
|
|
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
|
|
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
|
|
gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
|
|
gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
|
|
gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
|
|
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
|
|
test: ${{ matrix.test }}
|
|
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
|
|
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
|
|
azureIAMCreateCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
|
|
registry: ghcr.io
|
|
githubToken: ${{ secrets.GITHUB_TOKEN }}
|
|
fetchMeasurements: ${{ matrix.refStream != 'ref/release/stream/stable/?' }}
|
|
azureSNPEnforcementPolicy: ${{ matrix.azureSNPEnforcementPolicy }}
|
|
|
|
- name: Always terminate cluster
|
|
if: always()
|
|
uses: ./.github/actions/constellation_destroy
|
|
with:
|
|
kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
|
|
|
|
- name: Always delete IAM configuration
|
|
if: always()
|
|
uses: ./.github/actions/constellation_iam_destroy
|
|
with:
|
|
cloudProvider: ${{ matrix.provider }}
|
|
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
|
|
gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
|
|
|
|
- name: Notify about failure
|
|
if: |
|
|
failure() &&
|
|
github.ref == 'refs/heads/main' &&
|
|
github.event_name == 'schedule'
|
|
continue-on-error: true
|
|
uses: ./.github/actions/notify_failure
|
|
with:
|
|
projectWriteToken: ${{ secrets.PROJECT_WRITE_TOKEN }}
|
|
teamsWebhookUri: ${{ secrets.MS_TEAMS_WEBHOOK_URI }}
|
|
refStream: ${{ matrix.refStream }}
|
|
test: ${{ matrix.test }}
|
|
kubernetesVersion: ${{ matrix.kubernetes-version }}
|
|
provider: ${{ matrix.provider }}
|
|
|
|
- name: Always upload Terraform logs
|
|
if: always()
|
|
uses: ./.github/actions/upload_terraform_logs
|
|
with:
|
|
artifactNameSuffix: ${{ steps.e2e_test.outputs.namePrefix }}
|
|
|
|
e2e-upgrade:
|
|
strategy:
|
|
fail-fast: false
|
|
max-parallel: 1
|
|
matrix:
|
|
fromVersion: ["v2.9.1"]
|
|
cloudProvider: ["gcp", "azure", "aws"]
|
|
name: Run upgrade tests
|
|
secrets: inherit
|
|
permissions:
|
|
id-token: write
|
|
checks: write
|
|
contents: read
|
|
packages: write
|
|
uses: ./.github/workflows/e2e-upgrade.yml
|
|
with:
|
|
fromVersion: ${{ matrix.fromVersion }}
|
|
cloudProvider: ${{ matrix.cloudProvider }}
|
|
workerNodesCount: 2
|
|
controlNodesCount: 3
|
|
scheduled: ${{ github.event_name == 'schedule' }}
|
|
e2e-mini:
|
|
name: Run miniconstellation E2E test
|
|
runs-on: ubuntu-22.04
|
|
environment: e2e
|
|
permissions:
|
|
id-token: write
|
|
contents: read
|
|
packages: write
|
|
steps:
|
|
- name: Checkout
|
|
id: checkout
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
with:
|
|
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
|
|
|
|
- name: Azure login OIDC
|
|
uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
|
|
with:
|
|
client-id: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
|
|
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
|
|
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
|
|
|
- name: Run e2e MiniConstellation
|
|
uses: ./.github/actions/e2e_mini
|
|
with:
|
|
azureClientID: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
|
|
azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
|
azureTenantID: ${{ secrets.AZURE_TENANT_ID }}
|
|
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
|
|
registry: ghcr.io
|
|
githubToken: ${{ secrets.GITHUB_TOKEN }}
|