Add Azure E2E tests

Signed-off-by: Philip Laine <philip.laine@xenit.se>
2026-02-07 19:25:57 +00:00 · 2021-09-30 13:53:19 +02:00
parent 5067df179e
commit d8235ea21b
24 changed files with 3311 additions and 0 deletions
--- a/tests/azure/terraform/aks/.terraform.lock.hcl
+++ b/tests/azure/terraform/aks/.terraform.lock.hcl
@@ -0,0 +1,78 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/azuread" {
+  version     = "1.6.0"
+  constraints = "1.6.0"
+  hashes = [
+    "h1:BlO53mX+Y2W//YqlCKvoxzofegFQk636XlKtmZYH0PY=",
+    "zh:0db70045a464d325fdb3d71809f0467844c3e2fcf1349e568bc51ad5035c99d9",
+    "zh:3629f1d7b4eba48d744b24c7cf7fe878d5ef5910a36b525507bd3d588010ccec",
+    "zh:5a73a45b6d1ff353810cc9b00d7c90a2fb328ba0a9ef3d24392b1500fb98741a",
+    "zh:7a6a9c390cf1bf752321abb8d0643c9f623e8c2ad871dfb378d64c9d90fada2d",
+    "zh:7d6de55d326b046dabc16bd7b655f008ff780c36ffc884b139a7c7da37b446d5",
+    "zh:8d725c618396ccae290e411296c892e08e776c3e9e5a82b0ef1f633a917146ec",
+    "zh:a206d1d8042bf66ca12b97334bbd6fcdf12fd6131f8cb4547c82b9fa7a701612",
+    "zh:b03ab4ff07dcb5ed8be8b0619c6ec9fb0da0c83594ccb0a1bff72f346083b530",
+    "zh:b6131f9d438b340a4016c770b569139ec7ac2532358a8ab783234e8c93d141d5",
+    "zh:ce9372d38e9e62accfd54f4669753000d3dcbae4b45686d74630eb63eb879f37",
+    "zh:df9a607c333d464d8bdeb248b1ff41e493c1d0661453a1e1ce396b89952a74ee",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/azurerm" {
+  version     = "2.76.0"
+  constraints = "2.76.0"
+  hashes = [
+    "h1:kF+u0s0DPnE5gMKhzQACWRUIdwZG1Ax4atXt9hk1J8M=",
+    "zh:137eb7c07d3d3c9fe123e74381c108c4442efba9fc051faa2ca603503ff2840f",
+    "zh:142a354dffd59a1d6b7f1614ab66a468ace3636d95933589a8d704ee8dbc4ea6",
+    "zh:4c343b4da8b86e4213c1b11f73337cec73a55b1fa95a0e0e0c79f34597d37cc3",
+    "zh:75d3109d48726fdbaad840d2fa294ec3362b32a3628c261af00f5c5608427521",
+    "zh:7b1e78c144c6ad2beebc798abb9e76c725bf34ced41df36dc0120a0f2426e801",
+    "zh:981235b01c3d4acf94c78cdd96624fd01d0a3622bc06b5c62aef3e788f1481c3",
+    "zh:bad819efae7293ce371409e1ed34197c3e879f61d3e44893af0ce68e6aaffde7",
+    "zh:c8008967722929deccfec9695754ae55028ce12311c321ae7a7c753dde162a44",
+    "zh:d38513d1138864269b2ff333b08a64a7949630d489f18e660630bbaff3b7ebb8",
+    "zh:e1f64d2d91b5f5cba6a9c5d35278a4918d332d7385a87f8e3466aaadb782a90f",
+    "zh:e93a377a1e823df69718686703b07f1712046eeb742006022e982f2e8a594161",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.1.0"
+  hashes = [
+    "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=",
+    "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc",
+    "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626",
+    "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff",
+    "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2",
+    "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992",
+    "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427",
+    "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc",
+    "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f",
+    "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b",
+    "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7",
+    "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a",
+  ]
+}
+
+provider "registry.terraform.io/microsoft/azuredevops" {
+  version     = "0.1.7"
+  constraints = "0.1.7"
+  hashes = [
+    "h1:AWNWqJ3XhlKp3xdJF+3WKdK1zVoCFYInQvi06exsBzg=",
+    "zh:0c024992f2282ef73d4829e487ec8482dd98e9272b903f2e5979f5f62567ee4e",
+    "zh:47fef8f57dfdca6aebe5a907b4866880007512019d9bec29805fc83501412309",
+    "zh:692736c501c6b987a4a74c69fb7702a54969180706d1f67eff13e6ed2a0f9fec",
+    "zh:6c3c4339206f5dcbc9d10fb2fe343652e7e14255223dcece5bf79ef9030858ef",
+    "zh:77dfc63377b8d8fe24cbbe479ead18bfd1c7ded067fd694b6532434d6305ad31",
+    "zh:93dba26dbade208a1cba43333f104a64252ca2404636ab033702da29648bfaaa",
+    "zh:952d28b3e6c137de9b8700d2b748e5a4a2aa53ed07005f0f7abdd66b84cc63fe",
+    "zh:a7b8238b8b2f04ad2d720a207377bfc2066d54b1d9d7285f2535afc43ff80fdb",
+    "zh:bb23d8fc3cdd3c01d7620dadb2ba7b724706f2112d7738e135d1be1455682f5e",
+    "zh:cb4da640beb5fc59296479c201a03351789496c04aaa57ae1530a7aac9095b92",
+    "zh:ede6fb7ab598081fdddac56d470bae14448271dfd43a645bc02d136643391ebe",
+    "zh:fd8291e6dc9118323a744660326a0f11de2a475c4a358e50f480feed1f3bb080",
+  ]
+}
--- a/tests/azure/terraform/aks/aks.tf
+++ b/tests/azure/terraform/aks/aks.tf
@@ -0,0 +1,37 @@
+resource "azurerm_kubernetes_cluster" "this" {
+  name                = "aks-${local.name_suffix}"
+  location            = azurerm_resource_group.this.location
+  resource_group_name = azurerm_resource_group.this.name
+
+  dns_prefix = "aks${local.name_suffix}"
+
+  default_node_pool {
+    name            = "default"
+    node_count      = 2
+    vm_size         = "Standard_B2s"
+    os_disk_size_gb = 30
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  role_based_access_control {
+    enabled = true
+  }
+
+  network_profile {
+    network_plugin = "kubenet"
+    network_policy = "calico"
+  }
+
+  tags = {
+    environment = "e2e"
+  }
+}
+
+resource "azurerm_role_assignment" "aks_acr_pull" {
+  scope                = data.azurerm_container_registry.shared.id
+  role_definition_name = "AcrPull"
+  principal_id         = azurerm_kubernetes_cluster.this.kubelet_identity[0].object_id
+}
--- a/tests/azure/terraform/aks/azuredevops.tf
+++ b/tests/azure/terraform/aks/azuredevops.tf
@@ -0,0 +1,21 @@
+data "azuredevops_project" "e2e" {
+  name = "e2e"
+}
+
+resource "azuredevops_git_repository" "fleet_infra" {
+  project_id = data.azuredevops_project.e2e.id
+  name       = "fleet-infra-${local.name_suffix}"
+  default_branch = "refs/heads/main"
+  initialization {
+    init_type = "Clean"
+  }
+}
+
+resource "azuredevops_git_repository" "application" {
+  project_id = data.azuredevops_project.e2e.id
+  name       = "application-${local.name_suffix}"
+  default_branch = "refs/heads/main"
+  initialization {
+    init_type = "Clean"
+  }
+}
--- a/tests/azure/terraform/aks/event-hub.tf
+++ b/tests/azure/terraform/aks/event-hub.tf
@@ -0,0 +1,26 @@
+resource "azurerm_eventhub_namespace" "this" {
+  name = "ehns-${local.name_suffix}"
+  location            = azurerm_resource_group.this.location
+  resource_group_name = azurerm_resource_group.this.name
+  sku                 = "Standard"
+  capacity            = 1
+}
+
+
+resource "azurerm_eventhub" "this" {
+  name = "eh-${local.name_suffix}"
+  namespace_name      = azurerm_eventhub_namespace.this.name
+  resource_group_name = azurerm_resource_group.this.name
+  partition_count     = 1
+  message_retention   = 1
+}
+
+resource "azurerm_eventhub_authorization_rule" "this" {
+  name                = "flux"
+  resource_group_name = azurerm_resource_group.this.name
+  namespace_name      = azurerm_eventhub_namespace.this.name
+  eventhub_name       = azurerm_eventhub.this.name
+  listen              = true
+  send                = true
+  manage              = false
+}
--- a/tests/azure/terraform/aks/keyvault.tf
+++ b/tests/azure/terraform/aks/keyvault.tf
@@ -0,0 +1,37 @@
+resource "azurerm_key_vault" "this" {
+  name                = "kv-${random_pet.suffix.id}"
+  resource_group_name = azurerm_resource_group.this.name
+  location            = azurerm_resource_group.this.location
+  tenant_id           = data.azurerm_client_config.current.tenant_id
+  sku_name            = "standard"
+}
+
+resource "azurerm_key_vault_access_policy" "sops_write" {
+  key_vault_id = azurerm_key_vault.this.id
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = data.azurerm_client_config.current.object_id
+
+  key_permissions = [
+    "Encrypt",
+    "Decrypt",
+    "Create",
+    "Delete",
+    "Purge",
+    "Get",
+    "List",
+  ]
+}
+
+resource "azurerm_key_vault_key" "sops" {
+  depends_on = [azurerm_key_vault_access_policy.sops_write]
+
+  name         = "sops"
+  key_vault_id = azurerm_key_vault.this.id
+  key_type     = "RSA"
+  key_size     = 2048
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+  ]
+}
--- a/tests/azure/terraform/aks/main.tf
+++ b/tests/azure/terraform/aks/main.tf
@@ -0,0 +1,52 @@
+terraform {
+  backend "azurerm" {
+    resource_group_name  = "terraform-state"
+    storage_account_name = "terraformstate0419"
+    container_name       = "aks-tfstate"
+    key                  = "prod.terraform.tfstate"
+  }
+
+  required_version = "1.0.7"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "2.76.0"
+    }
+    azuread = {
+      source = "hashicorp/azuread"
+      version = "1.6.0"
+    }
+    azuredevops = {
+      source = "microsoft/azuredevops"
+      version = "0.1.7"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+
+provider "azuredevops" {
+  org_service_url = "https://dev.azure.com/${local.azure_devops_org}"
+  personal_access_token = data.azurerm_key_vault_secret.shared_pat.value
+}
+
+data "azurerm_client_config" "current" {}
+
+resource "random_pet" "suffix" {}
+
+locals {
+  azure_devops_org = "flux-azure"
+  name_suffix = "e2e-${random_pet.suffix.id}"
+}
+
+resource "azurerm_resource_group" "this" {
+  name     = "rg-${local.name_suffix}"
+  location = "West Europe"
+
+  tags = {
+    environment = "e2e"
+  }
+}
--- a/tests/azure/terraform/aks/outputs.tf
+++ b/tests/azure/terraform/aks/outputs.tf
@@ -0,0 +1,76 @@
+output "aks_kube_config" {
+  sensitive = true
+  value = azurerm_kubernetes_cluster.this.kube_config_raw
+}
+
+output "aks_host" {
+  value = azurerm_kubernetes_cluster.this.kube_config[0].host
+}
+
+output "aks_client_certificate" {
+  value = base64decode(azurerm_kubernetes_cluster.this.kube_config[0].client_certificate)
+}
+
+output "aks_client_key" {
+  value = base64decode(azurerm_kubernetes_cluster.this.kube_config[0].client_key)
+}
+
+output "aks_cluster_ca_certificate" {
+  value = base64decode(azurerm_kubernetes_cluster.this.kube_config[0].cluster_ca_certificate)
+}
+
+output "shared_pat" {
+  sensitive = true
+  value = data.azurerm_key_vault_secret.shared_pat.value
+}
+
+output "shared_id_rsa" {
+  sensitive = true
+  value = data.azurerm_key_vault_secret.shared_id_rsa.value
+}
+
+output "shared_id_rsa_pub" {
+  sensitive = true
+  value = data.azurerm_key_vault_secret.shared_id_rsa_pub.value
+}
+
+output "fleet_infra_repository" {
+  value = {
+    http = azuredevops_git_repository.fleet_infra.remote_url
+    ssh = "ssh://git@ssh.dev.azure.com/v3/${local.azure_devops_org}/${azuredevops_git_repository.fleet_infra.project_id}/${azuredevops_git_repository.fleet_infra.name}"
+  }
+}
+
+output "application_repository" {
+  value = {
+    http = azuredevops_git_repository.application.remote_url
+    ssh = "ssh://git@ssh.dev.azure.com/v3/${local.azure_devops_org}/${azuredevops_git_repository.application.project_id}/${azuredevops_git_repository.application.name}"
+  }
+}
+
+output "flux_azure_sp" {
+  value = {
+    tenant_id = data.azurerm_client_config.current.tenant_id
+    client_id = azuread_service_principal.flux.application_id
+    client_secret = azuread_service_principal_password.flux.value
+  }
+  sensitive = true
+}
+
+output "event_hub_sas" {
+  value = azurerm_eventhub_authorization_rule.this.primary_connection_string
+  sensitive = true
+}
+
+output "sops_id" {
+  value = azurerm_key_vault_key.sops.id
+}
+
+output "acr" {
+  value = {
+    url = data.azurerm_container_registry.shared.login_server
+    username = azuread_service_principal.flux.application_id
+    password = azuread_service_principal_password.flux.value
+  }
+  sensitive = true
+}
--- a/tests/azure/terraform/aks/service-principal.tf
+++ b/tests/azure/terraform/aks/service-principal.tf
@@ -0,0 +1,52 @@
+resource "azuread_application" "flux" {
+  display_name = "flux-${local.name_suffix}"
+
+  required_resource_access {
+    resource_app_id = "00000003-0000-0000-c000-000000000000"
+
+    resource_access {
+      id   = "df021288-bdef-4463-88db-98f22de89214"
+      type = "Role"
+    }
+  }
+
+  required_resource_access {
+    resource_app_id = "00000002-0000-0000-c000-000000000000"
+
+    resource_access {
+      id   = "1cda74f2-2616-4834-b122-5cb1b07f8a59"
+      type = "Role"
+    }
+    resource_access {
+      id   = "78c8a3c8-a07e-4b9e-af1b-b5ccab50a175"
+      type = "Role"
+    }
+  }
+}
+
+resource "azuread_service_principal" "flux" {
+  application_id = azuread_application.flux.application_id
+}
+
+resource "azuread_service_principal_password" "flux" {
+  service_principal_id = azuread_service_principal.flux.object_id
+}
+
+resource "azurerm_role_assignment" "acr" {
+  scope                = data.azurerm_container_registry.shared.id
+  role_definition_name = "AcrPull"
+  principal_id         = azuread_service_principal.flux.object_id
+}
+
+resource "azurerm_key_vault_access_policy" "sops_decrypt" {
+  key_vault_id = azurerm_key_vault.this.id
+  tenant_id    = data.azurerm_client_config.current.tenant_id
+  object_id    = azuread_service_principal.flux.object_id
+
+  key_permissions = [
+    "Encrypt",
+    "Decrypt",
+    "Get",
+    "List",
+  ]
+}
--- a/tests/azure/terraform/aks/shared.tf
+++ b/tests/azure/terraform/aks/shared.tf
@@ -0,0 +1,32 @@
+locals {
+  shared_suffix = "oarfish"
+}
+
+data "azurerm_resource_group" "shared" {
+  name = "e2e-shared"
+}
+
+data "azurerm_container_registry" "shared" {
+  name                = "acrapps${local.shared_suffix}"
+  resource_group_name = data.azurerm_resource_group.shared.name
+}
+
+data "azurerm_key_vault" "shared" {
+  resource_group_name = data.azurerm_resource_group.shared.name
+  name                = "kv-credentials-${local.shared_suffix}"
+}
+
+data "azurerm_key_vault_secret" "shared_pat" {
+  key_vault_id = data.azurerm_key_vault.shared.id
+  name         = "pat"
+}
+
+data "azurerm_key_vault_secret" "shared_id_rsa" {
+  key_vault_id = data.azurerm_key_vault.shared.id
+  name         = "id-rsa"
+}
+
+data "azurerm_key_vault_secret" "shared_id_rsa_pub" {
+  key_vault_id = data.azurerm_key_vault.shared.id
+  name         = "id-rsa-pub"
+}