From 0de650306be68d84d8612d6a0e496360d76f68d0 Mon Sep 17 00:00:00 2001
From: Sunny
Date: Tue, 18 Jul 2023 17:38:53 +0000
Subject: [PATCH] tests/int: Add IAM setup automation docs

Add instructions about how to create service accounts with IAM permissions and populare the secrets and variables required in the CI.

Signed-off-by: Sunny
---
 .github/workflows/e2e-azure.yaml | 40 +++++++-------
 tests/integration/README.md      | 94 +++++++++++++++++++++++++++++---
 2 files changed, 105 insertions(+), 29 deletions(-)

diff --git a/.github/workflows/e2e-azure.yaml b/.github/workflows/e2e-azure.yaml
index 9d3a9c31..e5f22074 100644
--- a/.github/workflows/e2e-azure.yaml
+++ b/.github/workflows/e2e-azure.yaml
@@ -3,19 +3,19 @@ name: e2e-azure
 on:
   workflow_dispatch:
   schedule:
-    - cron: '0 6 * * *'
+    - cron: "0 6 * * *"
   push:
     branches:
       - main
     paths:
-      - 'tests/**'
-      - '.github/workflows/e2e-azure.yaml'
+      - "tests/**"
+      - ".github/workflows/e2e-azure.yaml"
   pull_request:
     branches:
       - main
     paths:
-      - 'tests/**'
-      - '.github/workflows/e2e-azure.yaml'
+      - "tests/**"
+      - ".github/workflows/e2e-azure.yaml"
 
 permissions:
   contents: read
@@ -47,7 +47,7 @@ jobs:
           wget https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux -O $HOME/.local/bin/sops
           chmod +x $HOME/.local/bin/sops
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2
+        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2
         with:
           terraform_version: 1.2.8
           terraform_wrapper: false
@@ -91,7 +91,7 @@ jobs: - name: Authenticate to Azure uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.6 with: - creds: '{"clientId":"${{ secrets.ARM_CLIENT_ID }}","clientSecret":"${{ secrets.ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.ARM_TENANT_ID }}"}' + creds: '{"clientId":"${{ secrets.AZ_ARM_CLIENT_ID }}","clientSecret":"${{ secrets.AZ_ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZ_ARM_TENANT_ID }}"}' - name: Set dynamic variables in .env run: | cat > .env < build/ssh/key - export AZUREDEVOPS_SSH=build/ssh/key + echo $GITREPO_SSH_CONTENTS | base64 -d > build/ssh/key + export GITREPO_SSH_PATH=build/ssh/key touch ./build/ssh/key.pub - echo $AZUREDEVOPS_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub - export AZUREDEVOPS_SSH_PUB=build/ssh/key.pub + echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub + export GITREPO_SSH_PUB_PATH=build/ssh/key.pub make test-azure diff --git a/tests/integration/README.md b/tests/integration/README.md index 5477628d..ee11cd0a 100644 --- a/tests/integration/README.md +++ b/tests/integration/README.md 
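Review bot: The private key decoded from `GITREPO_SSH_CONTENTS` is written to `build/ssh/key` with whatever mode the runner's umask yields, and nothing in the renamed lines restricts it; add `chmod 600 build/ssh/key` right after the `base64 -d` redirect so the key is not readable by other processes on the runner and so an OpenSSH client, if the tests use one, does not reject it as an unprotected key file. The public key does not need this. The `run:` step these lines belong to starts before the hunk, so the surrounding `set`/shell options are not visible here.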
@@ -55,6 +55,44 @@ the tests:
 - `Microsoft.KeyVault/*`
 - `Microsoft.EventHub/*`
 
+To set up CI secrets and variables using
+[azure-gh-actions](https://github.com/fluxcd/test-infra/tree/main/tf-modules/azure/github-actions)
+use:
+
+```hcl
+module "azure_gh_actions" {
+  source = "git::https://github.com/fluxcd/test-infra.git//tf-modules/azure/github-actions"
+
+  azure_owners = ["owner-id-1", "owner-id-2"]
+  azure_app_name = "flux2-e2e"
+  azure_app_description = "flux2 e2e"
+  azure_permissions = [
+    "Microsoft.Kubernetes/*",
+    "Microsoft.Resources/*",
+    "Microsoft.Authorization/roleAssignments/{Read,Write,Delete}",
+    "Microsoft.ContainerRegistry/*",
+    "Microsoft.ContainerService/*",
+    "Microsoft.KeyVault/*",
+    "Microsoft.EventHub/*"
+  ]
+  azure_location = "eastus"
+
+  github_project = "flux2"
+
+  github_secret_client_id_name = "AZ_ARM_CLIENT_ID"
+  github_secret_client_secret_name = "AZ_ARM_CLIENT_SECRET"
+  github_secret_subscription_id_name = "AZ_ARM_SUBSCRIPTION_ID"
+  github_secret_tenant_id_name = "AZ_ARM_TENANT_ID"
+
+  github_secret_custom = {
+    "TF_VAR_azuredevops_org" = "",
+    "TF_VAR_azuredevops_pat" = "",
+    "GITREPO_SSH_CONTENTS" = "",
+    "GITREPO_SSH_PUB_CONTENTS" = ""
+  }
+}
+```
+
 ## GCP
 
 ### Architecture
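Review bot: The text never says that `GITREPO_SSH_CONTENTS` and `GITREPO_SSH_PUB_CONTENTS` must hold the base64 encoding of the key files, which is what the workflow's `base64 -d` step in e2e-azure.yaml expects, so a reader filling in the `github_secret_custom` map will paste the raw key and the job will fail at decode time; add a sentence after the block such as `The GITREPO_SSH_* values must be base64-encoded (e.g. base64 -w0 < key); the workflow decodes them before use.` The values written into `github_secret_custom` (the Azure DevOps PAT and the private key) are module inputs and will in the usual case also be recorded in the Terraform state of whoever applies this, so a one-line note that the state must live in an access-controlled, non-public backend belongs here too. Both points apply equally to the GCP block added later in this file.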
@@ -112,15 +150,53 @@ for the terraform variables
 
 Following roles are needed for provisioning the infrastructure and running
 the tests:
 
-- Compute Instance Admin (v1)
-- Kubernetes Engine Admin
-- Service Account User
-- Artifact Registry Administrator
-- Artifact Registry Repository Administrator
-- Cloud KMS Admin
-- Cloud KMS CryptoKey Encrypter
-- Source Repository Administrator
-- Pub/Sub Admin
+- Compute Instance Admin (v1) - `roles/compute.instanceAdmin.v1`
+- Kubernetes Engine Admin - `roles/container.admin`
+- Service Account User - `roles/iam.serviceAccountUser`
+- Artifact Registry Administrator - `roles/artifactregistry.admin`
+- Artifact Registry Repository Administrator - `roles/artifactregistry.repoAdmin`
+- Cloud KMS Admin - `roles/cloudkms.admin`
+- Cloud KMS CryptoKey Encrypter - `roles/cloudkms.cryptoKeyEncrypt`
+- Source Repository Administrator - `roles/source.admin`
+- Pub/Sub Admin - `roles/pubsub.admin`
+
+To set up CI secrets and variables using
+[gcp-gh-actions](https://github.com/fluxcd/test-infra/tree/main/tf-modules/gcp/github-actions)
+use:
+
+```hcl
+provider "google" {}
+
+module "gcp_gh_actions" {
+  source = "git::https://github.com/fluxcd/test-infra.git//tf-modules/gcp/github-actions"
+
+  gcp_service_account_id = "flux2-e2e-test"
+  gcp_service_account_name = "flux2-e2e-test"
+  gcp_roles = [
+    "roles/compute.instanceAdmin.v1",
+    "roles/container.admin",
+    "roles/iam.serviceAccountUser",
+    "roles/artifactregistry.admin",
+    "roles/artifactregistry.repoAdmin",
+    "roles/cloudkms.admin",
+    "roles/cloudkms.cryptoKeyEncrypter",
+    "roles/source.admin",
+    "roles/pubsub.admin"
+  ]
+
+  github_project = "flux2"
+
+  github_secret_credentials_name = "FLUX2_E2E_GOOGLE_CREDENTIALS"
+
+  github_secret_custom = {
+    "TF_VAR_gcp_keyring" = "",
+    "TF_VAR_gcp_crypto_key" = "",
+    "TF_VAR_gcp_email" = "",
+    "GITREPO_SSH_CONTENTS" = "",
+    "GITREPO_SSH_PUB_CONTENTS" = ""
+  }
+}
+```
 
 ## Tests
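Review bot: The role bullets and the HCL block disagree on the KMS encrypter role: the bullet gives `roles/cloudkms.cryptoKeyEncrypt` while `gcp_roles` has `roles/cloudkms.cryptoKeyEncrypter`, and only the latter is a predefined GCP role, so a reader who grants roles by hand from the list will get a rejected binding. Change the bullet to `- Cloud KMS CryptoKey Encrypter - \`roles/cloudkms.cryptoKeyEncrypter\``. The empty `provider "google" {}` block presumably relies on project and credentials coming from the environment; a short sentence saying which variables the reader is expected to set before `terraform apply` would make the example runnable as written.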