
Use workload identity in workflow (radius-project#7337)
# Description

This switches the workflows' Azure login to workload identity (OIDC federation) instead of a client-secret login for the service principal.

## Type of change

- This pull request is a minor refactor, code cleanup, test improvement,
or other maintenance task and doesn't change the functionality of Radius
(issue link optional).

Fixes: #issue_number

---------

Signed-off-by: Young Bu Park <[email protected]>
youngbupark authored Mar 19, 2024
1 parent c77088f commit 48b5256
Showing 4 changed files with 46 additions and 20 deletions.
1 change: 1 addition & 0 deletions .github/workflows/build.yaml
Expand Up @@ -306,6 +306,7 @@ jobs:
mkdir -p ${{ env.ARTIFACT_DIR }}/${{ env.HELM_PACKAGE_DIR }}
helm package ${{ env.HELM_CHARTS_DIR }} --version ${{ env.CHART_VERSION }} --app-version ${{ env.REL_VERSION }} --destination ${{ env.ARTIFACT_DIR }}/${{ env.HELM_PACKAGE_DIR }}
# TODO: Delete this step once we use GHCR as the helm chart repo.
# Cannot use Workload Identity because azure federated identity doesn't accept wildcard tag version.
- name: Setup Azure CLI
run: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
- name: az CLI login
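Review bot: The new comment above `Setup Azure CLI` says workload identity is blocked because federated credentials reject wildcard tag versions, but it does not say that this job therefore keeps a client-secret login or why the subject cannot match; a reader of this hunk has to guess. Expand it to something like `# Cannot use Workload Identity: a federated credential needs an exact subject, and tag-triggered runs carry repo:<org>/<repo>:ref:refs/tags/<tag>, which cannot be wildcarded. Falls back to client-secret login below.` One alternative worth confirming against the release process is attaching a GitHub `environment:` to the job, which gives a fixed subject (`repo:<org>/<repo>:environment:<name>`) regardless of the tag and may remove the need for the secret. The `az CLI login` step the comment refers to continues below the hunk.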
22 changes: 15 additions & 7 deletions .github/workflows/functional-test.yaml
Expand Up @@ -15,6 +15,12 @@
# ------------------------------------------------------------

name: Functional tests

permissions:
id-token: write # Required for requesting the JWT
contents: read # Required for actions/checkout
packages: write # Required for uploading the package

on:
schedule:
# Run every 4 hours on weekdays.
Expand Down Expand Up @@ -378,9 +384,11 @@ jobs:
name: ${{ env.RAD_CLI_ARTIFACT_NAME }}
path: bin
- name: Login to Azure
uses: azure/login@v1
uses: azure/login@v2
with:
creds: '{"clientId":"${{ secrets.INTEGRATION_TEST_SP_APP_ID }}","clientSecret":"${{ secrets.INTEGRATION_TEST_SP_PASSWORD }}","subscriptionId":"${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.INTEGRATION_TEST_TENANT_ID }}"}'
client-id: ${{ secrets.AZURE_SP_TESTS_APPID }}
tenant-id: ${{ secrets.AZURE_SP_TESTS_TENANTID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }}
- uses: marocchino/sticky-pull-request-comment@v2
continue-on-error: true
with:
Expand All @@ -396,7 +404,7 @@ jobs:
az group create \
--location ${{ env.AZURE_LOCATION }} \
--name $RESOURCE_GROUP \
--subscription ${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }} \
--subscription ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }} \
--tags creationTime=$current_time
while [ $(az group exists --name $RESOURCE_GROUP) = false ]; do sleep 2; done
env:
Expand Down Expand Up @@ -456,7 +464,7 @@ jobs:
- name: Install azure workload identity webhook chart
run: |
helm repo add azure-workload-identity https://azure.github.io/azure-workload-identity/charts
helm install workload-identity-webhook azure-workload-identity/workload-identity-webhook --namespace radius-default --create-namespace --version ${{ env.AZURE_WORKLOAD_IDENTITY_WEBHOOK_VER }} --set azureTenantID=${{ secrets.INTEGRATION_TEST_TENANT_ID }}
helm install workload-identity-webhook azure-workload-identity/workload-identity-webhook --namespace radius-default --create-namespace --version ${{ env.AZURE_WORKLOAD_IDENTITY_WEBHOOK_VER }} --set azureTenantID=${{ secrets.AZURE_SP_TESTS_TENANTID }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
Expand Down Expand Up @@ -503,11 +511,11 @@ jobs:
rad env switch kind-radius
echo "*** Configuring Azure provider ***"
rad env update kind-radius --azure-subscription-id ${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }} \
rad env update kind-radius --azure-subscription-id ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }} \
--azure-resource-group ${{ env.AZURE_TEST_RESOURCE_GROUP }}
rad credential register azure --client-id ${{ secrets.INTEGRATION_TEST_SP_APP_ID }} \
rad credential register azure --client-id ${{ secrets.AZURE_SP_TESTS_APPID }} \
--client-secret ${{ secrets.INTEGRATION_TEST_SP_PASSWORD }} \
--tenant-id ${{ secrets.INTEGRATION_TEST_TENANT_ID }}
--tenant-id ${{ secrets.AZURE_SP_TESTS_TENANTID }}
echo "*** Configuring AWS provider ***"
rad env update kind-radius --aws-region ${{ env.AWS_REGION }} --aws-account-id ${{ secrets.FUNCTEST_AWS_ACCOUNT_ID }}
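Review bot: The `rad credential register azure` call in the last hunk still passes `--client-secret ${{ secrets.INTEGRATION_TEST_SP_PASSWORD }}` next to the new `AZURE_SP_TESTS_APPID` and `AZURE_SP_TESTS_TENANTID`, so the workflow keeps depending on the long-lived secret this change is meant to retire and, if the two secret families describe different service principals, registers a mismatched client-id/secret pair. Take all three values from one family, or add a comment on that line stating why the secret must stay (for example if Radius credential registration has no federated option — not verifiable from the workflow). The workflow-level `permissions` block grants `id-token: write` and `packages: write` to every job; moving them into the job(s) that run `azure/login` and push packages leaves the rest at `contents: read`. `azure/login@v2` is a mutable major tag, so pinning to a commit SHA (`uses: azure/login@<sha> # v2`) closes the tag-retarget risk. The `run:` script in that hunk starts and ends outside it.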
30 changes: 20 additions & 10 deletions .github/workflows/long-running-azure.yaml
Expand Up @@ -37,6 +37,12 @@
# Grafana dashboard URL: https://radiuse2e00-dashboard-audycmffgberbghy.wus3.grafana.azure.com/

name: Long-running test on Azure

permissions:
id-token: write # Required for requesting the JWT
contents: read # Required for actions/checkout
packages: write # Required for uploading the package

on:
schedule:
# Run every 2 hours
Expand Down Expand Up @@ -201,9 +207,11 @@ jobs:
run: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
- name: Login to Azure
if: steps.skip-build.outputs.SKIP_BUILD != 'true'
uses: azure/login@v1
uses: azure/login@v2
with:
creds: '{"clientId":"${{ secrets.INTEGRATION_TEST_SP_APP_ID }}","clientSecret":"${{ secrets.INTEGRATION_TEST_SP_PASSWORD }}","subscriptionId":"${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.INTEGRATION_TEST_TENANT_ID }}"}'
client-id: ${{ secrets.AZURE_SP_TESTS_APPID }}
tenant-id: ${{ secrets.AZURE_SP_TESTS_TENANTID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
Expand Down Expand Up @@ -330,9 +338,11 @@ jobs:
mv ./dist/cache/rad ./bin/
chmod +x ./bin/rad
- name: Login to Azure
uses: azure/login@v1
uses: azure/login@v2
with:
creds: '{"clientId":"${{ secrets.INTEGRATION_TEST_SP_APP_ID }}","clientSecret":"${{ secrets.INTEGRATION_TEST_SP_PASSWORD }}","subscriptionId":"${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.INTEGRATION_TEST_TENANT_ID }}"}'
client-id: ${{ secrets.AZURE_SP_TESTS_APPID }}
tenant-id: ${{ secrets.AZURE_SP_TESTS_TENANTID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
Expand All @@ -345,15 +355,15 @@ jobs:
az group create \
--location ${{ env.AZURE_LOCATION }} \
--name $RESOURCE_GROUP \
--subscription ${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }} \
--subscription ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }} \
--tags creationTime=$current_time
while [ $(az group exists --name $RESOURCE_GROUP) = false ]; do sleep 2; done
env:
RESOURCE_GROUP: ${{ env.AZURE_TEST_RESOURCE_GROUP }}
- name: Get kubeconf credential for AKS cluster
run: |
az aks get-credentials \
--subscription ${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }} \
--subscription ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }} \
--resource-group ${{ env.AKS_RESOURCE_GROUP }} \
--name ${{ env.AKS_CLUSTER_NAME }} --admin
env:
Expand Down Expand Up @@ -398,11 +408,11 @@ jobs:
rad env switch ${{ env.RADIUS_TEST_ENVIRONMENT_NAME }}
echo "*** Configuring Azure provider ***"
rad env update ${{ env.RADIUS_TEST_ENVIRONMENT_NAME }} --azure-subscription-id ${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }} \
rad env update ${{ env.RADIUS_TEST_ENVIRONMENT_NAME }} --azure-subscription-id ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }} \
--azure-resource-group ${{ env.AZURE_TEST_RESOURCE_GROUP }}
rad credential register azure --client-id ${{ secrets.INTEGRATION_TEST_SP_APP_ID }} \
rad credential register azure --client-id ${{ secrets.AZURE_SP_TESTS_APPID }} \
--client-secret ${{ secrets.INTEGRATION_TEST_SP_PASSWORD }} \
--tenant-id ${{ secrets.INTEGRATION_TEST_TENANT_ID }}
--tenant-id ${{ secrets.AZURE_SP_TESTS_TENANTID }}
echo "*** Configuring AWS provider ***"
rad env update ${{ env.RADIUS_TEST_ENVIRONMENT_NAME }} --aws-region ${{ env.AWS_REGION }} --aws-account-id ${{ secrets.FUNCTEST_AWS_ACCOUNT_ID }}
Expand Down Expand Up @@ -479,7 +489,7 @@ jobs:
run: |
# if deletion fails, purge workflow will purge the resource group and its resources later.
az group delete \
--subscription ${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }} \
--subscription ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }} \
--name ${{ env.AZURE_TEST_RESOURCE_GROUP }} \
--yes --verbose
- name: Clean up cluster
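Review bot: The workflow-level `permissions` block hands `id-token: write` and `packages: write` to every job, including the cleanup job whose `az group delete` appears in the last hunk and the jobs that only build; scope `id-token: write` to the jobs that call `azure/login` and `packages: write` to the job that pushes, keeping `contents: read` as the default. The `rad credential register azure` step still supplies `--client-secret ${{ secrets.INTEGRATION_TEST_SP_PASSWORD }}` with the new `AZURE_SP_TESTS_APPID`/`AZURE_SP_TESTS_TENANTID`, so the secret is not actually retired here and the pairing relies on both secret families naming the same service principal — a one-line comment stating that assumption, or moving all three to one family, would prevent a silent mismatch. Both `azure/login@v2` occurrences are mutable tags; pin to a commit SHA with the version in a trailing comment. The `run:` blocks in these hunks continue outside them.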
13 changes: 10 additions & 3 deletions .github/workflows/purge-test-resources.yaml
Expand Up @@ -15,6 +15,11 @@
# ------------------------------------------------------------

name: Purge test resources

permissions:
id-token: write # Required for requesting the JWT
contents: read # Required for actions/checkout

on:
schedule:
# Run twice a day
Expand Down Expand Up @@ -46,17 +51,19 @@ jobs:
- name: Setup Azure CLI
run: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
- name: Login to Azure
uses: azure/login@v1
uses: azure/login@v2
with:
creds: '{"clientId":"${{ secrets.INTEGRATION_TEST_SP_APP_ID }}","clientSecret":"${{ secrets.INTEGRATION_TEST_SP_PASSWORD }}","subscriptionId":"${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.INTEGRATION_TEST_TENANT_ID }}"}'
client-id: ${{ secrets.AZURE_SP_TESTS_APPID }}
tenant-id: ${{ secrets.AZURE_SP_TESTS_TENANTID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }}
- name: Find old test resource groups
run: |
echo "## Test resource group list" >> $GITHUB_STEP_SUMMARY
# Create the file to store the resource group list
touch ${{ env.AZURE_RG_DELETE_LIST_FILE}}
az account set -s ${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }}
az account set -s ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }}
resource_groups=$(az group list --query "[].{Name:name, creationTime:tags.creationTime}" -o tsv)
current_time=$(date +%s)
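Review bot: The `az account set -s ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }}` line in the last hunk repeats the `subscription-id` already given to `azure/login@v2`, which as far as I can tell selects that subscription as the default; dropping it, or keeping it with `# explicit: do not rely on the login step's default subscription`, avoids two places that must agree. This job enumerates every resource group in the subscription (`az group list` with no filter) to pick deletion candidates, so the federated credential behind `AZURE_SP_TESTS_APPID` should be limited to this repository's scheduled subject (`repo:<org>/<repo>:ref:refs/heads/<default-branch>`) rather than a broad one — that is configured in Azure and cannot be checked from this file. `azure/login@v2` is a mutable tag; pin it to a commit SHA with the version in a trailing comment. The `run:` script continues past the hunk.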
