From 7b8ca093d95547a6464aaeab3320104f6b999b3e Mon Sep 17 00:00:00 2001
From: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Date: Fri, 9 Feb 2024 18:19:55 +0100
Subject: [PATCH] ci: add openssl e2e test workflow
---
.github/workflows/e2e_openssl.yml | 136 ++++++++++++++++++++++++++++++
1 file changed, 136 insertions(+)
create mode 100644 .github/workflows/e2e_openssl.yml
diff --git a/.github/workflows/e2e_openssl.yml b/.github/workflows/e2e_openssl.yml
new file mode 100644
index 0000000000..81ef0973ee
--- /dev/null
+++ b/.github/workflows/e2e_openssl.yml
@@ -0,0 +1,136 @@
+name: E2E Test OpenSSL
+
+on:
+ workflow_dispatch:
+ inputs:
+ use_release_cli:
+ description: Use a release version of the Nunki CLI
+ required: false
+ type: boolean
+ push:
+
+env:
+ container_registry: ghcr.io/edgelesssys
+ azure_resource_group: nunki-ci
+
+jobs:
+ test:
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Install Nix
+ uses: cachix/install-nix-action@6004951b182f8860210c8d6f0d808ec5b1a33d28 # v25
+ with:
+ github_access_token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Use Nix Cache
+ uses: cachix/cachix-action@18cf96c7c98e048e10a83abd92116114cd8504be # v14
+ with:
+ name: edgelesssys
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ installCommand: nix profile install github:cachix/cachix/cd12acd9245ac9b7e010aa3acac49f37824fdad2 --accept-flake-config # remove on v14.1/v15
+
+ - name: Log in to ghcr.io Container registry
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Login to Azure
+ uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1
+ with:
+ creds: ${{ secrets.NUNKI_CI_INFRA_AZURE }}
+
+ - name: Enter Nix development environment
+ uses: nicknovitski/nix-develop@a2060d116a50b36dfab02280af558e73ab52427d # v1.1.0
+
+ - name: Create justfile.env
+ run: |
+ cat < justfile.env
+ container_registry=${{ env.container_registry }}
+ azure_resource_group=${{ env.azure_resource_group }}
+ EOF
+
+ - name: Get Credentials for CI Cluster
+ run: |
+ just get-credentials
+
+ - name: Download Nunki CLI
+ if: ${{ inputs.use_release_cli }}
+ shell: bash
+ run: |
+ curl -fLo nunki https://github.com/edgelesssys/nunki/releases/download/latest/nunki
+
+ - name: Build Nunki CLI
+ if: ${{ !inputs.use_release_cli }}
+ run: |
+ nix build .#cli
+ ln -s result-cli/bin/nunki nunki
+
+ - name: Build Containers and Template the Deployment
+ shell: bash
+ run: |
+ COORDINATOR_IMAGE=$(just coordinator | tail -1)
+ INITIALIZER_IMAGE=$(just initializer | tail -1)
+ OPENSSL_IMAGE=$(just openssl | tail -1)
+ yq eval -i "(select(document_index == 0) | .spec.template.spec.containers[0].image) = \"$COORDINATOR_IMAGE\"" e2e/openssl/deployment/coordinator.yml
+
+ # Unfortunately, yq doesn't allow us to update multiple files at once
+ yq eval -i "(select(document_index == 0) | .spec.template.spec.containers[0].image) = \"$OPENSSL_IMAGE\"" e2e/openssl/deployment/openssl-backend.yml
+ yq eval -i "(select(document_index == 0) | .spec.template.spec.initContainers[0].image) = \"$INITIALIZER_IMAGE\"" e2e/openssl/deployment/openssl-backend.yml
+ yq eval -i "(select(document_index == 0) | .spec.template.spec.containers[0].image) = \"$OPENSSL_IMAGE\"" e2e/openssl/deployment/openssl-frontend.yml
+ yq eval -i "(select(document_index == 0) | .spec.template.spec.initContainers[0].image) = \"$INITIALIZER_IMAGE\"" e2e/openssl/deployment/openssl-frontend.yml
+ yq eval -i "(select(document_index == 0) | .spec.template.spec.containers[0].image) = \"$OPENSSL_IMAGE\"" e2e/openssl/deployment/openssl-client.yml
+ yq eval -i "(select(document_index == 0) | .spec.template.spec.initContainers[0].image) = \"$INITIALIZER_IMAGE\"" e2e/openssl/deployment/openssl-client.yml
+
+ - name: Generate Policies
+ shell: bash
+ run: |
+ ./nunki generate e2e/openssl/deployment/*.yml
+
+ - name: Deploy
+ shell: bash
+ run: |
+ kubectl apply -f e2e/openssl/deployment/ns.yml
+ kubectl apply -f e2e/openssl/deployment
+
+ - name: Set Manifest
+ shell: bash
+ run : |
+ nix run .#kubectl-wait-ready -- e2e-test coordinator
+ nix run .#kubectl-wait-ready -- e2e-test port-forwarder-coordinator
+ kubectl -n e2e-test port-forward pod/port-forwarder-coordinator 1313 &
+ PID=$!
+ nix run .#wait-for-port-listen -- 1313
+ ./nunki set -c localhost:1313 -m manifest.json e2e/openssl/deployment
+ kill $PID
+
+ - name: Verify the Coordinator
+ shell: bash
+ run: |
+ nix run .#kubectl-wait-ready -- e2e-test coordinator
+ nix run .#kubectl-wait-ready -- e2e-test port-forwarder-coordinator
+ kubectl -n e2e-test port-forward pod/port-forwarder-coordinator 1313 &
+ PID=$!
+ nix run .#wait-for-port-listen -- 1313
+ ./nunki verify -c localhost:1313 -o ./verify
+ kill $PID
+
+ - name: Run E2E Test
+ shell: bash
+ run: |
+ nix run .#kubectl-wait-ready -- e2e-test openssl-frontend
+ nix run .#kubectl-wait-ready -- e2e-test openssl-backend
+ nix run .#kubectl-wait-ready -- e2e-test openssl-client
+ go test -v -count=1 -timeout 10m --tags=e2e ./e2e/openssl
+
+ - name: Undeploy
+ if: always()
+ run: |
+ kubectl delete -f e2e/openssl/deployment/ns.yml
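Review bot: The `Download Nunki CLI` step fetches a binary from the mutable `releases/download/latest` URL with no digest or signature check, and the later steps execute it (`./nunki generate`, `./nunki set`, `./nunki verify`) in a job that by then holds the ghcr.io login, the Azure login and the CI cluster credentials. Every action in this workflow is pinned to a commit SHA, so this download is the one unpinned executable input. Consider fetching a versioned release asset and verifying it before first use, for example `echo "<EXPECTED_SHA256>  nunki" | sha256sum -c -` with the digest taken from the release. The step also never marks the file executable, so with `use_release_cli` set the `./nunki` calls will most likely fail with "permission denied"; adding `chmod +x nunki` after the `curl` line fixes that.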