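# End-to-end test for the OpenSSL example deployment.
# Runs only on manual dispatch. The job authenticates to ghcr.io and Azure,
# obtains credentials for the CI cluster, builds the images via `just`,
# deploys them, sets and verifies the manifest, and then runs the Go e2e tests.
name: E2E Test OpenSSL

on:
  workflow_dispatch:
    inputs:
      use_release_cli:
        description: Use a release version of the Nunki CLI
        required: false
        type: boolean

env:
  container_registry: ghcr.io/edgelesssys
  azure_resource_group: nunki-ci

jobs:
  test:
    runs-on: ubuntu-22.04
    # Explicit token scopes: everything not listed here is denied.
    # NOTE(review): `packages: write` is presumably needed because the `just`
    # image targets push to ghcr.io; confirm and drop it if they only pull.
    permissions:
      contents: read
      packages: write
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing
      # comment records the tag each SHA corresponded to when it was pinned.
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Install Nix
        uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
        with:
          github_access_token: ${{ secrets.GITHUB_TOKEN }}

      - name: Use Nix Cache
        uses: cachix/cachix-action@18cf96c7c98e048e10a83abd92116114cd8504be # v14
        with:
          name: edgelesssys
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
          installCommand: nix profile install github:cachix/cachix/cd12acd9245ac9b7e010aa3acac49f37824fdad2 --accept-flake-config # remove on v14.1/v15

      - name: Log in to ghcr.io Container registry
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # From this step on the runner holds Azure credentials, so every later
      # step (including any downloaded binary) runs with access to them.
      # NOTE(review): `creds` is a stored secret; consider azure/login's OIDC
      # inputs instead if the tenant supports federated credentials.
      - name: Login to Azure
        uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
        with:
          creds: ${{ secrets.NUNKI_CI_INFRA_AZURE }}

      - name: Enter Nix development environment
        uses: nicknovitski/nix-develop@a2060d116a50b36dfab02280af558e73ab52427d # v1.1.0

      # The values are read as shell variables (the workflow-level `env` is
      # exported to every step) rather than spliced into the script text with
      # `${{ }}`, so the script body stays constant whatever the values are.
      - name: Create justfile.env
        run: |
          cat <<EOF > justfile.env
          container_registry=${container_registry}
          azure_resource_group=${azure_resource_group}
          EOF

      - name: Get Credentials for CI Cluster
        run: |
          just get-credentials

      # NOTE(review): the binary comes from the mutable `latest` release and
      # is not checked against a checksum or signature before it is executed
      # on a runner that already holds cluster and registry credentials.
      # Verify it against a published digest if the release provides one.
      - name: Download Nunki CLI
        if: ${{ inputs.use_release_cli }}
        shell: bash
        run: |
          curl -fLo nunki https://github.com/edgelesssys/nunki/releases/download/latest/nunki
          # curl does not set the executable bit; later steps invoke ./nunki.
          chmod +x nunki

      - name: Build Nunki CLI
        if: ${{ !inputs.use_release_cli }}
        run: |
          nix build .#cli
          ln -s result-cli/bin/nunki nunki

      # Each `just` target prints the resulting image reference on its last
      # output line; that reference is written into the deployment files.
      - name: Build Containers and Template the Deployment
        shell: bash
        run: |
          COORDINATOR_IMAGE=$(just coordinator | tail -1)
          INITIALIZER_IMAGE=$(just initializer | tail -1)
          OPENSSL_IMAGE=$(just openssl | tail -1)
          yq eval -i "(select(document_index == 0) | .spec.template.spec.containers[0].image) = \"$COORDINATOR_IMAGE\"" e2e/openssl/deployment/coordinator.yml
          # Unfortunately, yq doesn't allow us to update multiple files at once
          yq eval -i "(select(document_index == 0) | .spec.template.spec.containers[0].image) = \"$OPENSSL_IMAGE\"" e2e/openssl/deployment/openssl-backend.yml
          yq eval -i "(select(document_index == 0) | .spec.template.spec.initContainers[0].image) = \"$INITIALIZER_IMAGE\"" e2e/openssl/deployment/openssl-backend.yml
          yq eval -i "(select(document_index == 0) | .spec.template.spec.containers[0].image) = \"$OPENSSL_IMAGE\"" e2e/openssl/deployment/openssl-frontend.yml
          yq eval -i "(select(document_index == 0) | .spec.template.spec.initContainers[0].image) = \"$INITIALIZER_IMAGE\"" e2e/openssl/deployment/openssl-frontend.yml
          yq eval -i "(select(document_index == 0) | .spec.template.spec.containers[0].image) = \"$OPENSSL_IMAGE\"" e2e/openssl/deployment/openssl-client.yml
          yq eval -i "(select(document_index == 0) | .spec.template.spec.initContainers[0].image) = \"$INITIALIZER_IMAGE\"" e2e/openssl/deployment/openssl-client.yml

      - name: Generate Policies
        shell: bash
        run: |
          ./nunki generate e2e/openssl/deployment/*.yml

      # The namespace manifest is applied first so that the remaining
      # resources in the directory have a namespace to land in.
      - name: Deploy
        shell: bash
        run: |
          kubectl apply -f e2e/openssl/deployment/ns.yml
          kubectl apply -f e2e/openssl/deployment

      # The coordinator is reached through a temporary local port-forward
      # on 1313, which is stopped again once the manifest has been set.
      - name: Set Manifest
        shell: bash
        run: |
          nix run .#kubectl-wait-ready -- e2e-test coordinator
          nix run .#kubectl-wait-ready -- e2e-test port-forwarder-coordinator
          kubectl -n e2e-test port-forward pod/port-forwarder-coordinator 1313 &
          PID=$!
          nix run .#wait-for-port-listen -- 1313
          ./nunki set -c localhost:1313 -m manifest.json e2e/openssl/deployment
          kill "$PID"

      # Same port-forward pattern as above; the output of `nunki verify`
      # is written to ./verify.
      - name: Verify the Coordinator
        shell: bash
        run: |
          nix run .#kubectl-wait-ready -- e2e-test coordinator
          nix run .#kubectl-wait-ready -- e2e-test port-forwarder-coordinator
          kubectl -n e2e-test port-forward pod/port-forwarder-coordinator 1313 &
          PID=$!
          nix run .#wait-for-port-listen -- 1313
          ./nunki verify -c localhost:1313 -o ./verify
          kill "$PID"

      - name: Run E2E Test
        shell: bash
        run: |
          nix run .#kubectl-wait-ready -- e2e-test openssl-frontend
          nix run .#kubectl-wait-ready -- e2e-test openssl-backend
          nix run .#kubectl-wait-ready -- e2e-test openssl-client
          go test -v -count=1 -timeout 10m --tags=e2e ./e2e/openssl

      # Runs even when an earlier step failed, so the test namespace is not
      # left behind on the shared CI cluster.
      - name: Undeploy
        if: always()
        run: |
          kubectl delete -f e2e/openssl/deployment/ns.yml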