mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-15 10:54:29 -05:00
1a10cf645d
* ci: add debug information when UAMI is missing * ci: query identity directly instead of searching in list
116 lines
4.9 KiB
YAML
116 lines
4.9 KiB
YAML
name: Cdbg deploy
|
|
description: Deploy the Constellation Bootstrapper to the cluster via the debugd.
|
|
|
|
inputs:
|
|
test:
|
|
description: "The e2e test payload."
|
|
required: true
|
|
azureClusterCreateCredentials:
|
|
description: "Azure credentials authorized to create a Constellation cluster."
|
|
required: true
|
|
azureIAMCreateCredentials:
|
|
description: "Azure credentials authorized to create an IAM configuration."
|
|
required: true
|
|
cloudProvider:
|
|
description: "The cloud provider to use."
|
|
required: true
|
|
attestationVariant:
|
|
description: "Attestation variant of the cluster."
|
|
required: false
|
|
kubernetesVersion:
|
|
description: "Kubernetes version to create the cluster from."
|
|
required: true
|
|
refStream:
|
|
description: "The refStream of the image the test runs on."
|
|
required: true
|
|
clusterCreation:
|
|
description: "How the infrastructure for the e2e test was created. One of [cli, terraform]."
|
|
default: "cli"
|
|
|
|
runs:
|
|
using: "composite"
|
|
steps:
|
|
- name: Login to Azure (IAM service principal)
|
|
if: inputs.cloudProvider == 'azure'
|
|
uses: ./.github/actions/login_azure
|
|
with:
|
|
azure_credentials: ${{ inputs.azureIAMCreateCredentials }}
|
|
|
|
- name: Add Azure Keyvault access role
|
|
if: inputs.cloudProvider == 'azure'
|
|
shell: bash
|
|
run: |
|
|
UAMI=$(yq eval ".provider.azure.userAssignedIdentity" constellation-conf.yaml)
|
|
PRINCIPAL_ID=$(az identity show --ids "$UAMI" | yq ".principalId")
|
|
if [ -z "$PRINCIPAL_ID" ]; then
|
|
echo "::error::PRINCIPAL_ID for \"$UAMI\" not found"
|
|
echo "::group::Available identities"
|
|
az identity list | yq ".[].id"
|
|
echo "::endgroup::"
|
|
exit 1
|
|
fi
|
|
az role assignment create --role "Key Vault Secrets User" \
|
|
--assignee "$PRINCIPAL_ID" \
|
|
--scope /subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/e2e-test-creds/providers/Microsoft.KeyVault/vaults/opensearch-creds
|
|
|
|
- name: Login to Azure (Cluster service principal)
|
|
if: inputs.cloudProvider == 'azure'
|
|
uses: ./.github/actions/login_azure
|
|
with:
|
|
azure_credentials: ${{ inputs.azureClusterCreateCredentials }}
|
|
|
|
- name: Login to AWS (IAM service principal)
|
|
if: inputs.cloudProvider == 'aws'
|
|
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
|
with:
|
|
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2EIAM
|
|
aws-region: eu-central-1
|
|
# extend token expiry to 6 hours to ensure constellation can terminate
|
|
role-duration-seconds: 21600
|
|
|
|
- name: Add AWS Secrets Manager access role
|
|
if: inputs.cloudProvider == 'aws'
|
|
shell: bash
|
|
run: |
|
|
INSTANCE_PROFILE=$(yq eval ".provider.aws.iamProfileControlPlane" constellation-conf.yaml)
|
|
ROLE_NAME=$(aws iam get-instance-profile --instance-profile-name "$INSTANCE_PROFILE" | yq ".InstanceProfile.Roles[0].RoleName")
|
|
aws iam attach-role-policy \
|
|
--role-name "$ROLE_NAME" \
|
|
--policy-arn arn:aws:iam::795746500882:policy/GitHubActionsOSCredAccess
|
|
|
|
- name: Login to AWS (Cluster service principal)
|
|
if: inputs.cloudProvider == 'aws'
|
|
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
|
|
with:
|
|
role-to-assume: arn:aws:iam::795746500882:role/GithubActionsE2ECluster
|
|
aws-region: eu-central-1
|
|
# extend token expiry to 6 hours to ensure constellation can terminate
|
|
role-duration-seconds: 21600
|
|
|
|
- name: Cdbg deploy
|
|
shell: bash
|
|
run: |
|
|
echo "::group::cdbg deploy"
|
|
chmod +x $GITHUB_WORKSPACE/build/cdbg
|
|
cdbg deploy \
|
|
--bootstrapper "${{ github.workspace }}/build/bootstrapper" \
|
|
--upgrade-agent "${{ github.workspace }}/build/upgrade-agent" \
|
|
--info logcollect=true \
|
|
--info logcollect.github.actor="${{ github.triggering_actor }}" \
|
|
--info logcollect.github.workflow="${{ github.workflow }}" \
|
|
--info logcollect.github.run-id="${{ github.run_id }}" \
|
|
--info logcollect.github.run-attempt="${{ github.run_attempt }}" \
|
|
--info logcollect.github.ref-name="${{ github.ref_name }}" \
|
|
--info logcollect.github.sha="${{ github.sha }}" \
|
|
--info logcollect.github.runner-os="${{ runner.os }}" \
|
|
--info logcollect.github.e2e-test-payload="${{ inputs.test }}" \
|
|
--info logcollect.github.is-debug-cluster=false \
|
|
--info logcollect.github.ref-stream="${{ inputs.refStream }}" \
|
|
--info logcollect.github.kubernetes-version="${{ inputs.kubernetesVersion }}" \
|
|
--info logcollect.github.cluster-creation="${{ inputs.clusterCreation }}" \
|
|
--info logcollect.github.attestation-variant="${{ inputs.attestationVariant }}" \
|
|
--info logcollect.deployment-type="debugd" \
|
|
--verbosity=-1 \
|
|
--force
|
|
echo "::endgroup::"
|