13f99fa9a0
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
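name: e2e-azure

on:
  workflow_dispatch:
  schedule:
    - cron: '0 6 * * *'
  push:
    branches:
      - main
    paths:
      - 'tests/**'
      - '.github/workflows/e2e-azure.yaml'
  pull_request:
    branches:
      - main
    paths:
      - 'tests/**'
      - '.github/workflows/e2e-azure.yaml'

# Least privilege: the job only reads the repository; cloud access comes from
# the secrets passed explicitly to individual steps below.
permissions:
  contents: read

jobs:
  e2e-aks:
    runs-on: ubuntu-latest
    env:
      # While "true", only the SSH secret smoke test below runs; every other
      # step is guarded by `env.SSH_SECRET_SMOKE_TEST_ONLY != 'true'` and is skipped.
      SSH_SECRET_SMOKE_TEST_ONLY: "true"
    defaults:
      run:
        working-directory: ./tests/integration
    # Fork pull requests and dependabot do not get the repository secrets this
    # job needs, so it only runs for same-repository events.
    if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      # Verifies that GIT_SSH_IDENTITY / GIT_SSH_IDENTITY_PUB form a matching
      # key pair and that Azure DevOps accepts the key, without running the
      # full e2e suite. Only line counts and fingerprints are printed, never
      # key material.
      - name: Smoke test Git SSH secrets
        env:
          GITREPO_SSH_CONTENTS: ${{ secrets.GIT_SSH_IDENTITY }}
          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.GIT_SSH_IDENTITY_PUB }}
        run: |
          set -euo pipefail

          mkdir -p ./build/ssh
          # Create the private key file with mode 0600 *before* writing to it so
          # the secret is never world-readable, even briefly. printf replaces the
          # unquoted heredoc so the key material is not subject to shell expansion.
          install -m 600 /dev/null build/ssh/key
          printf '%s\n' "$GITREPO_SSH_CONTENTS" > build/ssh/key
          printf '%s\n' "$GITREPO_SSH_PUB_CONTENTS" > build/ssh/key.pub

          key_lines=$(wc -l < build/ssh/key)
          pub_lines=$(wc -l < build/ssh/key.pub)
          echo "private key lines: ${key_lines}"
          echo "public key lines: ${pub_lines}"

          # Compare fingerprints rather than file bytes: a differing or missing
          # key comment in GIT_SSH_IDENTITY_PUB must not count as a mismatch.
          ssh-keygen -y -f build/ssh/key > build/ssh/derived.pub
          derived_fp=$(ssh-keygen -lf build/ssh/derived.pub | awk '{print $2}')
          configured_fp=$(ssh-keygen -lf build/ssh/key.pub | awk '{print $2}')
          if [ "${derived_fp}" != "${configured_fp}" ]; then
            echo "::error::derived public key does not match GIT_SSH_IDENTITY_PUB"
            echo "derived public key fingerprint: ${derived_fp}"
            echo "configured public key fingerprint: ${configured_fp}"
            exit 1
          fi

          echo "SSH key fingerprint: ${derived_fp}"

          # NOTE(review): StrictHostKeyChecking=accept-new trusts whatever host
          # key is presented on first contact because the known_hosts file is
          # fresh on every run. Prefer committing ssh.dev.azure.com's published
          # host key (placeholder: <SSH_DEV_AZURE_COM_HOST_KEY>) and using
          # StrictHostKeyChecking=yes. IdentitiesOnly=yes makes sure the probe
          # exercises exactly the key written above and nothing else.
          set +e
          ssh_output=$(ssh -i build/ssh/key -o IdentitiesOnly=yes -o BatchMode=yes -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=build/ssh/known_hosts -T git@ssh.dev.azure.com 2>&1)
          ssh_status=$?
          set -e
          echo "${ssh_output}"

          # Azure DevOps authenticates the key and then refuses the shell; that
          # refusal is the success signal for this probe.
          if echo "${ssh_output}" | grep -q "Shell access is not supported"; then
            echo "Azure DevOps SSH accepted the key"
            exit 0
          fi
          if echo "${ssh_output}" | grep -Eq "Public key authentication failed|Permission denied"; then
            echo "::error::Azure DevOps SSH rejected the key"
            exit 1
          fi

          echo "::error::unexpected Azure DevOps SSH probe result, exit status ${ssh_status}"
          exit 1

      - name: Setup Go
        if: ${{ env.SSH_SECRET_SMOKE_TEST_ONLY != 'true' }}
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: 1.26.x
          cache-dependency-path: tests/integration/go.sum

      - name: Setup Terraform
        if: ${{ env.SSH_SECRET_SMOKE_TEST_ONLY != 'true' }}
        uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1

      - name: Setup Flux CLI
        if: ${{ env.SSH_SECRET_SMOKE_TEST_ONLY != 'true' }}
        run: make build
        working-directory: ./

      - name: Setup SOPS
        if: ${{ env.SSH_SECRET_SMOKE_TEST_ONLY != 'true' }}
        # NOTE(review): the binary is downloaded without integrity verification,
        # unlike the SHA-pinned actions above. Verify it against the checksum
        # published with the release (placeholder: <SOPS_SHA256>) before marking
        # it executable.
        run: |
          mkdir -p "$HOME/.local/bin"
          wget -O "$HOME/.local/bin/sops" "https://github.com/mozilla/sops/releases/download/v$SOPS_VER/sops-v$SOPS_VER.linux"
          chmod +x "$HOME/.local/bin/sops"
        env:
          SOPS_VER: "3.7.1"

      # NOTE(review): `creds` is the service-principal secret flow and requires
      # a long-lived client secret in repository secrets; OIDC federation
      # (client-id/tenant-id/subscription-id with `id-token: write`) would
      # remove that stored secret.
      - name: Authenticate to Azure
        if: ${{ env.SSH_SECRET_SMOKE_TEST_ONLY != 'true' }}
        uses: Azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v1.4.6
        with:
          creds: '{"clientId":"${{ secrets.ARM_CLIENT_ID }}","clientSecret":"${{ secrets.ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.ARM_TENANT_ID }}"}'

      # The timestamp tag lets the cleanup step and operators identify which run
      # created a given Azure resource.
      - name: Set dynamic variables in .env
        if: ${{ env.SSH_SECRET_SMOKE_TEST_ONLY != 'true' }}
        run: |
          cat > .env <<EOF
          export TF_VAR_tags='{ "environment"="github", "ci"="true", "repo"="flux2", "createdat"="$(date -u +x%Y-%m-%d_%Hh%Mm%Ss)" }'
          EOF

      - name: Print .env for dynamic tag value reference
        if: ${{ env.SSH_SECRET_SMOKE_TEST_ONLY != 'true' }}
        run: cat .env

      - name: Run Azure e2e tests
        if: ${{ env.SSH_SECRET_SMOKE_TEST_ONLY != 'true' }}
        env:
          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
          TF_VAR_azure_location: ${{ vars.TF_VAR_azure_location }}
          GITREPO_SSH_CONTENTS: ${{ secrets.GIT_SSH_IDENTITY }}
          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.GIT_SSH_IDENTITY_PUB }}
        run: |
          source .env
          mkdir -p ./build/ssh
          # Same handling as the smoke test: 0600 before the secret is written,
          # and no shell expansion of the key material.
          install -m 600 /dev/null build/ssh/key
          printf '%s\n' "$GITREPO_SSH_CONTENTS" > build/ssh/key
          export GITREPO_SSH_PATH=build/ssh/key
          printf '%s\n' "$GITREPO_SSH_PUB_CONTENTS" > build/ssh/key.pub
          export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
          make test-azure

      # Runs even when the tests fail so that provisioned Azure resources are
      # torn down; the same credentials as the test step are required.
      - name: Ensure resource cleanup
        if: ${{ always() && env.SSH_SECRET_SMOKE_TEST_ONLY != 'true' }}
        env:
          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
          TF_VAR_azure_location: ${{ vars.TF_VAR_azure_location }}
        run: source .env && make destroy-azure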