tests/int: Add IAM setup automation docs

Add instructions about how to create service accounts with IAM
permissions and populate the secrets and variables required in the CI.

Signed-off-by: Sunny <darkowlzz@protonmail.com>
pull/4091/head
Sunny 2 years ago
parent c8e017086e
commit 0de650306b

@ -3,19 +3,19 @@ name: e2e-azure
on: on:
workflow_dispatch: workflow_dispatch:
schedule: schedule:
- cron: '0 6 * * *' - cron: "0 6 * * *"
push: push:
branches: branches:
- main - main
paths: paths:
- 'tests/**' - "tests/**"
- '.github/workflows/e2e-azure.yaml' - ".github/workflows/e2e-azure.yaml"
pull_request: pull_request:
branches: branches:
- main - main
paths: paths:
- 'tests/**' - "tests/**"
- '.github/workflows/e2e-azure.yaml' - ".github/workflows/e2e-azure.yaml"
permissions: permissions:
contents: read contents: read
@ -47,7 +47,7 @@ jobs:
wget https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux -O $HOME/.local/bin/sops wget https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux -O $HOME/.local/bin/sops
chmod +x $HOME/.local/bin/sops chmod +x $HOME/.local/bin/sops
- name: Setup Terraform - name: Setup Terraform
uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2 uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2
with: with:
terraform_version: 1.2.8 terraform_version: 1.2.8
terraform_wrapper: false terraform_wrapper: false
@ -91,7 +91,7 @@ jobs:
- name: Authenticate to Azure - name: Authenticate to Azure
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.6 uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.6
with: with:
creds: '{"clientId":"${{ secrets.ARM_CLIENT_ID }}","clientSecret":"${{ secrets.ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.ARM_TENANT_ID }}"}' creds: '{"clientId":"${{ secrets.AZ_ARM_CLIENT_ID }}","clientSecret":"${{ secrets.AZ_ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZ_ARM_TENANT_ID }}"}'
- name: Set dynamic variables in .env - name: Set dynamic variables in .env
run: | run: |
cat > .env <<EOF cat > .env <<EOF
@ -101,22 +101,22 @@ jobs:
run: cat .env run: cat .env
- name: Run Azure e2e tests - name: Run Azure e2e tests
env: env:
ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
TF_VAR_azuredevops_org: ${{ secrets.AZUREDEVOPS_ORG }} TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
TF_VAR_azuredevops_pat: ${{ secrets.AZUREDEVOPS_PAT }} TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
TF_VAR_location: "southcentralus" TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
AZUREDEVOPS_SSH_CONTENTS: ${{ secrets.AZUREDEVOPS_ID_RSA }} GITREPO_SSH_CONTENTS: ${{ secrets.GITREPO_SSH_CONTENTS }}
AZUREDEVOPS_SSH_PUB_CONTENTS: ${{ secrets.AZUREDEVOPS_ID_RSA_PUB }} GITREPO_SSH_PUB_CONTENTS: ${{ secrets.GITREPO_SSH_PUB_CONTENTS }}
run: | run: |
source .env source .env
mkdir -p ./build/ssh mkdir -p ./build/ssh
touch ./build/ssh/key touch ./build/ssh/key
echo $AZUREDEVOPS_SSH_CONTENTS | base64 -d > build/ssh/key echo $GITREPO_SSH_CONTENTS | base64 -d > build/ssh/key
export AZUREDEVOPS_SSH=build/ssh/key export GITREPO_SSH_PATH=build/ssh/key
touch ./build/ssh/key.pub touch ./build/ssh/key.pub
echo $AZUREDEVOPS_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
export AZUREDEVOPS_SSH_PUB=build/ssh/key.pub export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
make test-azure make test-azure
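Review bot: `TF_VAR_location: ${{ vars.TF_VAR_azure_location }}` drops the hard-coded region without giving the repository variable a fallback, so on a fork or a repository where that variable has not been created the step exports an empty TF_VAR_location and the failure only surfaces inside terraform. Keeping the old value as a default preserves previous behaviour, `TF_VAR_location: ${{ vars.TF_VAR_azure_location || 'southcentralus' }}`, and since the README hunk in this commit documents the secrets the module creates but never this variable, it is worth stating there where it is expected to come from (presumably the module's `azure_location` input — confirm). On the renamed key handling, `echo $GITREPO_SSH_CONTENTS | base64 -d > build/ssh/key` still writes the private key with the runner's default umask; adding `chmod 600 build/ssh/key build/ssh/key.pub` after the decode is cheap, and if the tests shell out to ssh it refuses a group- or world-readable key anyway. The job's remaining steps continue outside the hunk.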

@ -55,6 +55,44 @@ the tests:
- `Microsoft.KeyVault/*` - `Microsoft.KeyVault/*`
- `Microsoft.EventHub/*` - `Microsoft.EventHub/*`
To set up CI secrets and variables using
[azure-gh-actions](https://github.com/fluxcd/test-infra/tree/main/tf-modules/azure/github-actions)
use:
```hcl
module "azure_gh_actions" {
source = "git::https://github.com/fluxcd/test-infra.git//tf-modules/azure/github-actions"
azure_owners = ["owner-id-1", "owner-id-2"]
azure_app_name = "flux2-e2e"
azure_app_description = "flux2 e2e"
azure_permissions = [
"Microsoft.Kubernetes/*",
"Microsoft.Resources/*",
"Microsoft.Authorization/roleAssignments/{Read,Write,Delete}",
"Microsoft.ContainerRegistry/*",
"Microsoft.ContainerService/*",
"Microsoft.KeyVault/*",
"Microsoft.EventHub/*"
]
azure_location = "eastus"
github_project = "flux2"
github_secret_client_id_name = "AZ_ARM_CLIENT_ID"
github_secret_client_secret_name = "AZ_ARM_CLIENT_SECRET"
github_secret_subscription_id_name = "AZ_ARM_SUBSCRIPTION_ID"
github_secret_tenant_id_name = "AZ_ARM_TENANT_ID"
github_secret_custom = {
"TF_VAR_azuredevops_org" = "<org-name>",
"TF_VAR_azuredevops_pat" = "<pat>",
"GITREPO_SSH_CONTENTS" = "<add-private-key-content>",
"GITREPO_SSH_PUB_CONTENTS" = "<add-public-key-content>"
}
}
```
## GCP ## GCP
### Architecture ### Architecture
@ -112,15 +150,53 @@ for the terraform variables
Following roles are needed for provisioning the infrastructure and running the tests: Following roles are needed for provisioning the infrastructure and running the tests:
- Compute Instance Admin (v1) - Compute Instance Admin (v1) - `roles/compute.instanceAdmin.v1`
- Kubernetes Engine Admin - Kubernetes Engine Admin - `roles/container.admin`
- Service Account User - Service Account User - `roles/iam.serviceAccountUser`
- Artifact Registry Administrator - Artifact Registry Administrator - `roles/artifactregistry.admin`
- Artifact Registry Repository Administrator - Artifact Registry Repository Administrator - `roles/artifactregistry.repoAdmin`
- Cloud KMS Admin - Cloud KMS Admin - `roles/cloudkms.admin`
- Cloud KMS CryptoKey Encrypter - Cloud KMS CryptoKey Encrypter - `roles/cloudkms.cryptoKeyEncrypt`
- Source Repository Administrator - Source Repository Administrator - `roles/source.admin`
- Pub/Sub Admin - Pub/Sub Admin - `roles/pubsub.admin`
To set up CI secrets and variables using
[gcp-gh-actions](https://github.com/fluxcd/test-infra/tree/main/tf-modules/gcp/github-actions)
use:
```hcl
provider "google" {}
module "gcp_gh_actions" {
source = "git::https://github.com/fluxcd/test-infra.git//tf-modules/gcp/github-actions"
gcp_service_account_id = "flux2-e2e-test"
gcp_service_account_name = "flux2-e2e-test"
gcp_roles = [
"roles/compute.instanceAdmin.v1",
"roles/container.admin",
"roles/iam.serviceAccountUser",
"roles/artifactregistry.admin",
"roles/artifactregistry.repoAdmin",
"roles/cloudkms.admin",
"roles/cloudkms.cryptoKeyEncrypter",
"roles/source.admin",
"roles/pubsub.admin"
]
github_project = "flux2"
github_secret_credentials_name = "FLUX2_E2E_GOOGLE_CREDENTIALS"
github_secret_custom = {
"TF_VAR_gcp_keyring" = "<keyring-name>",
"TF_VAR_gcp_crypto_key" = "<key-name>",
"TF_VAR_gcp_email" = "<email>",
"GITREPO_SSH_CONTENTS" = "<add-private-key-content>",
"GITREPO_SSH_PUB_CONTENTS" = "<add-public-key-content>"
}
}
```
## Tests ## Tests
