Update CI to use different GCP project
Signed-off-by: Daniel Weiße <[email protected]>
daniel-weisse committed Nov 23, 2023
1 parent 64a05b9 commit 292ee66
Showing 8 changed files with 31 additions and 50 deletions.
3 changes: 0 additions & 3 deletions .github/actions/e2e_test/action.yml
Expand Up @@ -37,9 +37,6 @@ inputs:
gcpClusterCreateServiceAccount:
description: "Service account with permissions to create a Constellation cluster on GCP."
required: true
gcpInClusterServiceAccountKey:
description: "Service account to use inside the created Constellation cluster on GCP."
required: true
awsOpenSearchDomain:
description: "AWS OpenSearch Endpoint Domain to upload the benchmark results."
awsOpenSearchUsers:
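Review bot: Dropping the `gcpInClusterServiceAccountKey` input only removes its declaration; the step inside this action that consumed `inputs.gcpInClusterServiceAccountKey` lies outside the shown context, so please confirm that consumer was removed as well, otherwise the action references an undeclared input and fails at run time. The input description ("Service account to use inside the created Constellation cluster") suggests the key used to be handed into the cluster, so it is worth stating in the commit message how the in-cluster identity is now provided.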
9 changes: 4 additions & 5 deletions .github/workflows/e2e-test-daily.yml
Expand Up @@ -74,10 +74,9 @@ jobs:
isDebugImage: ${{ matrix.refStream == 'ref/main/stream/debug/?' }}
cliVersion: ${{ matrix.refStream == 'ref/release/stream/stable/?' && needs.find-latest-image.outputs.image-release-stable || '' }}
refStream: ${{ matrix.refStream }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "[email protected]"
gcpIAMCreateServiceAccount: "[email protected]"
kubernetesVersion: ${{ matrix.kubernetesVersion }}
test: ${{ matrix.test }}
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
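Review bot: `gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}` keeps the old secret reference as a trailing comment; that is dead text that will confuse the next reader, so either delete the comment or keep the value in the secret and drop the literal. The two service-account lines render as `[email protected]` in this view, so their actual addresses cannot be checked against the `iam-e2e@constellation-e2e.iam.gserviceaccount.com` used by the login step later in this file; please confirm they point at accounts in the same `constellation-e2e` project.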
Expand Down Expand Up @@ -106,7 +105,7 @@ jobs:
with:
cloudProvider: ${{ matrix.provider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"

- name: Notify about failure
if: |
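Review bot: The literal `iam-e2e@constellation-e2e.iam.gserviceaccount.com` is now written into every workflow touched by this commit (daily, release, weekly, e2e-test, upgrade). A repository-level variable for the project and for each service account would make the next project move a one-line change and remove the risk of one file being missed.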
9 changes: 4 additions & 5 deletions .github/workflows/e2e-test-release.yml
Expand Up @@ -226,10 +226,9 @@ jobs:
awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "[email protected]"
gcpIAMCreateServiceAccount: "[email protected]"
test: ${{ matrix.test }}
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
Expand All @@ -255,7 +254,7 @@ jobs:
with:
cloudProvider: ${{ matrix.provider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"

e2e-upgrade:
strategy:
5 changes: 3 additions & 2 deletions .github/workflows/e2e-test-tf-module.yml
Expand Up @@ -159,7 +159,8 @@ jobs:
run: |
cat > terraform.tfvars <<EOF
name = "${{ steps.create-prefix.outputs.prefix }}"
project = "${{ secrets.GCP_E2E_PROJECT }}"
# project = "${{ secrets.GCP_E2E_PROJECT }}"
project = "constellation-e2e"
service_account_id = "${{ steps.create-prefix.outputs.prefix }}-sa"
image = "${{ steps.find-latest-image.outputs.image }}"
zone = "${{ inputs.regionZone || 'europe-west3-b' }}"
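Review bot: The commented-out `# project = "${{ secrets.GCP_E2E_PROJECT }}"` line sits inside a heredoc, and `${{ }}` expressions are expanded by the Actions runner before the shell executes, so the secret's value is still written into `terraform.tfvars` as a comment. Log masking does not cover files, so if that file is ever printed for debugging or uploaded as an artifact the value would be exposed; delete the line instead of commenting it out.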
Expand Down Expand Up @@ -245,7 +246,7 @@ jobs:
if: inputs.cloudProvider == 'gcp'
uses: ./.github/actions/login_gcp
with:
service_account: "constellation-e2e-tf@constellation-331613.iam.gserviceaccount.com"
service_account: "terraform-e2e@constellation-e2e.iam.gserviceaccount.com"

- name: Apply Terraform Cluster
id: apply_terraform
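Review bot: This login switches to `terraform-e2e@constellation-e2e.iam.gserviceaccount.com`, a different naming scheme from the `iam-e2e@` and `infrastructure-e2e@` accounts used in the other workflows. Since the docs change in this commit says the runner authenticates via OIDC, an account name that does not match the federation binding only fails at run time, so a quick check that this account exists in the new project and is bound to this repository would avoid a broken pipeline after merge.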
9 changes: 4 additions & 5 deletions .github/workflows/e2e-test-weekly.yml
Expand Up @@ -243,10 +243,9 @@ jobs:
awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
awsOpenSearchUsers: ${{ secrets.AWS_OPENSEARCH_USER }}
awsOpenSearchPwd: ${{ secrets.AWS_OPENSEARCH_PWD }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "[email protected]"
gcpIAMCreateServiceAccount: "[email protected]"
test: ${{ matrix.test }}
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
Expand Down Expand Up @@ -274,7 +273,7 @@ jobs:
with:
cloudProvider: ${{ matrix.provider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"

- name: Notify about failure
if: |
11 changes: 5 additions & 6 deletions .github/workflows/e2e-test.yml
Expand Up @@ -165,7 +165,7 @@ jobs:
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
ref: ${{ inputs.git-ref }}

- name: Get Latest Image
id: find-latest-image
uses: ./.github/actions/find_latest_image
Expand Down Expand Up @@ -215,10 +215,9 @@ jobs:
cloudProvider: ${{ inputs.cloudProvider }}
machineType: ${{ inputs.machineType }}
regionZone: ${{ inputs.regionZone }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "[email protected]"
gcpIAMCreateServiceAccount: "[email protected]"
test: ${{ inputs.test }}
kubernetesVersion: ${{ inputs.kubernetesVersion }}
awsOpenSearchDomain: ${{ secrets.AWS_OPENSEARCH_DOMAIN }}
Expand Down Expand Up @@ -253,4 +252,4 @@ jobs:
with:
cloudProvider: ${{ inputs.cloudProvider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"
13 changes: 6 additions & 7 deletions .github/workflows/e2e-upgrade.yml
Expand Up @@ -170,10 +170,9 @@ jobs:
isDebugImage: "false"
cliVersion: ${{ inputs.fromVersion }}
regionZone: ${{ inputs.regionZone }}
gcpProject: ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
gcpIAMCreateServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpInClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
gcpProject: constellation-e2e # ${{ secrets.GCP_E2E_PROJECT }}
gcpClusterCreateServiceAccount: "[email protected]"
gcpIAMCreateServiceAccount: "[email protected]"
test: "upgrade"
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
azureClusterCreateCredentials: ${{ secrets.AZURE_E2E_CLUSTER_CREDENTIALS }}
Expand All @@ -196,7 +195,7 @@ jobs:
if: inputs.cloudProvider == 'gcp'
uses: ./.github/actions/login_gcp
with:
service_account: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
service_account: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"

- name: Login to AWS (IAM role)
if: inputs.cloudProvider == 'aws'
Expand Down Expand Up @@ -226,7 +225,7 @@ jobs:
if: always() && inputs.cloudProvider == 'gcp'
uses: ./.github/actions/login_gcp
with:
service_account: "constellation-e2e-cluster@constellation-331613.iam.gserviceaccount.com"
service_account: "infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com"

- name: Login to AWS (Cluster role)
if: always() && inputs.cloudProvider == 'aws'
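Review bot: The cluster-role login now uses `infrastructure-e2e@constellation-e2e.iam.gserviceaccount.com`, whereas before the same `constellation-e2e-cluster@...` address was both passed as `gcpClusterCreateServiceAccount` to the e2e_test action above and used here. The new action input value is obscured in this view, so please confirm both refer to the same account; if they differ, this `always()` cleanup step may lack permission on resources created under the other identity and leave test clusters running.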
Expand Down Expand Up @@ -297,7 +296,7 @@ jobs:
with:
cloudProvider: ${{ inputs.cloudProvider }}
azureCredentials: ${{ secrets.AZURE_E2E_IAM_CREDENTIALS }}
gcpServiceAccount: "constellation-iam-e2e@constellation-331613.iam.gserviceaccount.com"
gcpServiceAccount: "iam-e2e@constellation-e2e.iam.gserviceaccount.com"

- name: Notify about failure
if: |
22 changes: 5 additions & 17 deletions dev-docs/workflows/github-actions.md
Expand Up @@ -30,11 +30,11 @@ When using `--mode` be aware that `--e2e-focus` and `e2e-skip` will be overwritt

## Local Development

Using [***act***](https://github.com/nektos/act) you can run GitHub actions locally.
Using [`act`](https://github.com/nektos/act) you can run GitHub actions locally.

**These instructions are for internal use.**
In case you want to use the E2E actions externally, you need to adjust other configuration parameters.
Check the assignments made in the [/.github/actions/e2e_test/action.yml](E2E action) and adjust any hard-coded values.
Check the assignments made in the [E2E action](/.github/actions/e2e_test/action.yml) and adjust any hard-coded values.

### Specific Jobs

Expand All @@ -59,28 +59,16 @@ Create a new JSON file to describe the event ([relevant issue](https://github.co
}
```

Then run *act* with the event as input:
Then run `act` with the event as input:

```bash
act -j e2e-test-manual --eventpath event.json
```

### Authorizing GCP

For creating Kubernetes clusters in GCP a local copy of the service account secret is required.

1. [Create a new service account key](https://console.cloud.google.com/iam-admin/serviceaccounts/details/112741463528383500960/keys?authuser=0&project=constellation-331613&supportedpurview=project)
2. Create a compact (one line) JSON representation of the file `jq -c`
3. Store in a GitHub Action Secret called `GCP_SERVICE_ACCOUNT` or create a local secret file for *act* to consume:

```bash
$ cat secrets.env
GCP_SERVICE_ACCOUNT={"type":"service_account", ... }

$ act --secret-file secrets.env
```

In addition, you need to create a Service Account which Constellation itself is supposed to use. Refer to [First steps](https://docs.edgeless.systems/constellation/getting-started/first-steps#create-a-cluster) in the documentation on how to create it. What you need here specifically is the `gcpServiceAccountKey`, which needs to be stored in a secret called `GCP_CLUSTER_SERVICE_ACCOUNT`.
For GCP, OIDC is used to authenticate the CI runner.
This means the workflow cannot be run locally, as the runner created by `act` is not authenticated.

### Authorizing Azure

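Review bot: Removing the key-file procedure is the right direction; with OIDC there is no long-lived JSON credential to copy around, store in `secrets.env`, or leak. Two follow-ups for the docs: the `## Local Development` intro above still states without qualification that you can run the actions locally, so a pointer there to this GCP limitation would save readers a failed attempt; and since no workflow in this commit consumes `GCP_CLUSTER_SERVICE_ACCOUNT` any more, mention deleting that secret (and revoking the key it held) so the old credential is fully retired rather than left in repository settings.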

0 comments on commit 292ee66
