tests/int: Add IAM setup automation docs

Add instructions about how to create service accounts with IAM permissions and populare the secrets and variables required in the CI. Signed-off-by: Sunny <[email protected]>
fluxcd · Jul 17, 2023 · 9070337 · 9070337
1 parent c8e0170
commit 9070337
Show file tree

Hide file tree

Showing 2 changed files with 105 additions and 29 deletions.
diff --git a/.github/workflows/e2e-azure.yaml b/.github/workflows/e2e-azure.yaml
@@ -3,19 +3,19 @@ name: e2e-azure
 on:
   workflow_dispatch:
   schedule:
-    - cron:  '0 6 * * *'
+    - cron: "0 6 * * *"
   push:
     branches:
       - main
     paths:
-      - 'tests/**'
-      - '.github/workflows/e2e-azure.yaml'
+      - "tests/**"
+      - ".github/workflows/e2e-azure.yaml"
   pull_request:
     branches:
       - main
     paths:
-      - 'tests/**'
-      - '.github/workflows/e2e-azure.yaml'
+      - "tests/**"
+      - ".github/workflows/e2e-azure.yaml"
 
 permissions:
   contents: read
@@ -47,7 +47,7 @@ jobs:
           wget https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux -O $HOME/.local/bin/sops
           chmod +x $HOME/.local/bin/sops
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1  # v2
+        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2
         with:
           terraform_version: 1.2.8
           terraform_wrapper: false
@@ -91,7 +91,7 @@ jobs:
       - name: Authenticate to Azure
         uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.6
         with:
-          creds: '{"clientId":"${{ secrets.ARM_CLIENT_ID }}","clientSecret":"${{ secrets.ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.ARM_TENANT_ID }}"}'
+          creds: '{"clientId":"${{ secrets.AZ_ARM_CLIENT_ID }}","clientSecret":"${{ secrets.AZ_ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZ_ARM_TENANT_ID }}"}'
       - name: Set dynamic variables in .env
         run: |
           cat > .env <<EOF
@@ -101,22 +101,22 @@ jobs:
         run: cat .env
       - name: Run Azure e2e tests
         env:
-          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
-          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
-          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
-          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
-          TF_VAR_azuredevops_org: ${{ secrets.AZUREDEVOPS_ORG }}
-          TF_VAR_azuredevops_pat: ${{ secrets.AZUREDEVOPS_PAT }}
-          TF_VAR_location: "southcentralus"
-          AZUREDEVOPS_SSH_CONTENTS: ${{ secrets.AZUREDEVOPS_ID_RSA }}
-          AZUREDEVOPS_SSH_PUB_CONTENTS: ${{ secrets.AZUREDEVOPS_ID_RSA_PUB }}
+          ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
+          ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
+          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
+          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
+          TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
+          GITREPO_SSH_CONTENTS: ${{ secrets.GITREPO_SSH_CONTENTS }}
+          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.GITREPO_SSH_PUB_CONTENTS }}
         run: |
           source .env
           mkdir -p ./build/ssh
           touch ./build/ssh/key
-          echo $AZUREDEVOPS_SSH_CONTENTS | base64 -d > build/ssh/key
-          export AZUREDEVOPS_SSH=build/ssh/key
+          echo $GITREPO_SSH_CONTENTS | base64 -d > build/ssh/key
+          export GITREPO_SSH_PATH=build/ssh/key
           touch ./build/ssh/key.pub
-          echo $AZUREDEVOPS_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
-          export AZUREDEVOPS_SSH_PUB=build/ssh/key.pub
+          echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
+          export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
           make test-azure
diff --git a/tests/integration/README.md b/tests/integration/README.md
@@ -55,6 +55,44 @@ the tests:
 - `Microsoft.KeyVault/*`
 - `Microsoft.EventHub/*`
 
+To set up CI secrets and variables using
+[azure-gh-actions](https://github.com/fluxcd/test-infra/tree/main/tf-modules/azure/github-actions)
+use:
+
+```hcl
+module "azure_gh_actions" {
+  source = "git::https://github.com/fluxcd/test-infra.git//tf-modules/azure/github-actions"
+
+  azure_owners = ["owner-id-1", "owner-id-2"]
+  azure_app_name = "flux2-e2e"
+  azure_app_description = "flux2 e2e"
+  azure_permissions = [
+      "Microsoft.Kubernetes/*",
+      "Microsoft.Resources/*",
+      "Microsoft.Authorization/roleAssignments/{Read,Write,Delete}",
+      "Microsoft.ContainerRegistry/*",
+      "Microsoft.ContainerService/*",
+      "Microsoft.KeyVault/*",
+      "Microsoft.EventHub/*"
+  ]
+  azure_location = "eastus"
+
+  github_project = "flux2"
+
+  github_secret_client_id_name = "AZ_ARM_CLIENT_ID"
+  github_secret_client_secret_name = "AZ_ARM_CLIENT_SECRET"
+  github_secret_subscription_id_name = "AZ_ARM_SUBSCRIPTION_ID"
+  github_secret_tenant_id_name = "AZ_ARM_TENANT_ID"
+
+  github_secret_custom = {
+    "TF_VAR_azuredevops_org" = "<org-name>",
+    "TF_VAR_azuredevops_pat" = "<pat>",
+    "GITREPO_SSH_CONTENTS" = "<add-private-key-content>",
+    "GITREPO_SSH_PUB_CONTENTS" = "<add-public-key-content>"
+  }
+}
+```
+
 ## GCP
 
 ### Architecture
@@ -112,15 +150,53 @@ for the terraform variables
 
 Following roles are needed for provisioning the infrastructure and running the tests:
 
-- Compute Instance Admin (v1)
-- Kubernetes Engine Admin
-- Service Account User
-- Artifact Registry Administrator
-- Artifact Registry Repository Administrator
-- Cloud KMS Admin
-- Cloud KMS CryptoKey Encrypter
-- Source Repository Administrator
-- Pub/Sub Admin
+- Compute Instance Admin (v1) - `roles/compute.instanceAdmin.v1`
+- Kubernetes Engine Admin - `roles/container.admin`
+- Service Account User - `roles/iam.serviceAccountUser`
+- Artifact Registry Administrator - `roles/artifactregistry.admin`
+- Artifact Registry Repository Administrator - `roles/artifactregistry.repoAdmin`
+- Cloud KMS Admin - `roles/cloudkms.admin`
+- Cloud KMS CryptoKey Encrypter - `roles/cloudkms.cryptoKeyEncrypt`
+- Source Repository Administrator - `roles/source.admin`
+- Pub/Sub Admin - `roles/pubsub.admin`
+
+To set up CI secrets and variables using
+[gcp-gh-actions](https://github.com/fluxcd/test-infra/tree/main/tf-modules/gcp/github-actions)
+use:
+
+```hcl
+provider "google" {}
+
+module "gcp_gh_actions" {
+  source = "git::https://github.com/fluxcd/test-infra.git//tf-modules/gcp/github-actions"
+
+  gcp_service_account_id = "flux2-e2e-test"
+  gcp_service_account_name = "flux2-e2e-test"
+  gcp_roles = [
+      "roles/compute.instanceAdmin.v1",
+      "roles/container.admin",
+      "roles/iam.serviceAccountUser",
+      "roles/artifactregistry.admin",
+      "roles/artifactregistry.repoAdmin",
+      "roles/cloudkms.admin",
+      "roles/cloudkms.cryptoKeyEncrypt",
+      "roles/source.admin",
+      "roles/pubsub.admin"
+  ]
+
+  github_project = "flux2"
+
+  github_secret_credentials_name = "FLUX2_E2E_GOOGLE_CREDENTIALS"
+
+  github_secret_custom = {
+    "TF_VAR_gcp_keyring" = "<keyring-name>",
+    "TF_VAR_gcp_crypto_key" = "<key-name>",
+    "TF_VAR_gcp_email" = "<email>",
+    "GITREPO_SSH_CONTENTS" = "<add-private-key-content>",
+    "GITREPO_SSH_PUB_CONTENTS" = "<add-public-key-content>"
+  }
+}
+```
 
 ## Tests