From 48b52567876671c32020fde4d57f5039b4e1e72e Mon Sep 17 00:00:00 2001
From: Young Bu Park
Date: Tue, 19 Mar 2024 10:42:30 -0700
Subject: [PATCH] Use workload identity in workflow (#7337)

# Description

This is to use workload identity instead of secret auth for service principal.

## Type of change

- This pull request is a minor refactor, code cleanup, test improvement, or other maintenance task and doesn't change the functionality of Radius (issue link optional).

Fixes: #issue_number

---------

Signed-off-by: Young Bu Park
---
 .github/workflows/build.yaml | 1 +
 .github/workflows/functional-test.yaml | 22 ++++++++++-----
 .github/workflows/long-running-azure.yaml | 30 ++++++++++++++-------
 .github/workflows/purge-test-resources.yaml | 13 ++++++---
 4 files changed, 46 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 8874d7d212..4f386eb4c0 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -306,6 +306,7 @@ jobs:
 mkdir -p ${{ env.ARTIFACT_DIR }}/${{ env.HELM_PACKAGE_DIR }}
 helm package ${{ env.HELM_CHARTS_DIR }} --version ${{ env.CHART_VERSION }} --app-version ${{ env.REL_VERSION }} --destination ${{ env.ARTIFACT_DIR }}/${{ env.HELM_PACKAGE_DIR }}
 # TODO: Delete this step once we use GHCR as the helm chart repo.
+ # Cannot use Workload Identity because azure federated identity doesn't accept wildcard tag version.
 - name: Setup Azure CLI
 run: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
 - name: az CLI login
diff --git a/.github/workflows/functional-test.yaml b/.github/workflows/functional-test.yaml
index 75a1fd3f11..d7f2700d97 100644
--- a/.github/workflows/functional-test.yaml
+++ b/.github/workflows/functional-test.yaml
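Review bot: The added comment states the outcome but not the constraint, so it reads as a permanent limitation of the login action rather than of federated-credential subject matching; consider `# Cannot use Workload Identity here: a federated credential's subject is matched exactly, and each release tag yields a different ref:refs/tags/<version> subject.` Since this leaves the `az CLI login` step below (its body is outside the hunk, so presumably it still uses the client secret) as a remaining secret-based login, the comment could also name the secret it depends on so that it is not retired together with the rest of this change. The step list continues outside the hunk.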
@@ -15,6 +15,12 @@
 # ------------------------------------------------------------
 name: Functional tests
 
+
+permissions:
+ id-token: write # Required for requesting the JWT
+ contents: read # Required for actions/checkout
+ packages: write # Required for uploading the package
+
 on:
 schedule:
 # Run every 4 hours on weekdays.
@@ -378,9 +384,11 @@ jobs:
 name: ${{ env.RAD_CLI_ARTIFACT_NAME }}
 path: bin
 - name: Login to Azure
- uses: azure/login@v1
+ uses: azure/login@v2
 with:
- creds: '{"clientId":"${{ secrets.INTEGRATION_TEST_SP_APP_ID }}","clientSecret":"${{ secrets.INTEGRATION_TEST_SP_PASSWORD }}","subscriptionId":"${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.INTEGRATION_TEST_TENANT_ID }}"}'
+ client-id: ${{ secrets.AZURE_SP_TESTS_APPID }}
+ tenant-id: ${{ secrets.AZURE_SP_TESTS_TENANTID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }}
 - uses: marocchino/sticky-pull-request-comment@v2
 continue-on-error: true
 with:
@@ -396,7 +404,7 @@ jobs:
 az group create \
 --location ${{ env.AZURE_LOCATION }} \
 --name $RESOURCE_GROUP \
- --subscription ${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }} \
+ --subscription ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }} \
 --tags creationTime=$current_time
 while [ $(az group exists --name $RESOURCE_GROUP) = false ]; do sleep 2; done
 env:
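Review bot: The new workflow-level `permissions:` block sets every scope it does not list to `none` for all jobs, so the `marocchino/sticky-pull-request-comment@v2` step visible as context in the @@ -378 hunk loses `pull-requests: write` unless it is given a separate token, and its `continue-on-error: true` would hide that failure. Add `pull-requests: write # Required for sticky-pull-request-comment` to the block, or pass that step an explicit token. Separately, `id-token: write` and `packages: write` are now granted to every job in the workflow; placing the block under the job(s) that actually call `azure/login` or push packages keeps the remaining jobs at the read-only default. The same workflow-level block is added in long-running-azure.yaml (@@ -37) and purge-test-resources.yaml (@@ -15), so the job-level scoping applies there too.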
@@ -456,7 +464,7 @@ jobs:
 - name: Install azure workload identity webhook chart
 run: |
 helm repo add azure-workload-identity https://azure.github.io/azure-workload-identity/charts
- helm install workload-identity-webhook azure-workload-identity/workload-identity-webhook --namespace radius-default --create-namespace --version ${{ env.AZURE_WORKLOAD_IDENTITY_WEBHOOK_VER }} --set azureTenantID=${{ secrets.INTEGRATION_TEST_TENANT_ID }}
+ helm install workload-identity-webhook azure-workload-identity/workload-identity-webhook --namespace radius-default --create-namespace --version ${{ env.AZURE_WORKLOAD_IDENTITY_WEBHOOK_VER }} --set azureTenantID=${{ secrets.AZURE_SP_TESTS_TENANTID }}
 - name: Login to GitHub Container Registry
 uses: docker/login-action@v2
 with:
@@ -503,11 +511,11 @@ jobs:
 rad env switch kind-radius
 
 echo "*** Configuring Azure provider ***"
- rad env update kind-radius --azure-subscription-id ${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }} \
+ rad env update kind-radius --azure-subscription-id ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }} \
 --azure-resource-group ${{ env.AZURE_TEST_RESOURCE_GROUP }}
- rad credential register azure --client-id ${{ secrets.INTEGRATION_TEST_SP_APP_ID }} \
+ rad credential register azure --client-id ${{ secrets.AZURE_SP_TESTS_APPID }} \
 --client-secret ${{ secrets.INTEGRATION_TEST_SP_PASSWORD }} \
- --tenant-id ${{ secrets.INTEGRATION_TEST_TENANT_ID }}
+ --tenant-id ${{ secrets.AZURE_SP_TESTS_TENANTID }}
 
 echo "*** Configuring AWS provider ***"
 rad env update kind-radius --aws-region ${{ env.AWS_REGION }} --aws-account-id ${{ secrets.FUNCTEST_AWS_ACCOUNT_ID }}
diff --git a/.github/workflows/long-running-azure.yaml b/.github/workflows/long-running-azure.yaml
index f74d24f9a4..e43c7013d7 100644
--- a/.github/workflows/long-running-azure.yaml
+++ b/.github/workflows/long-running-azure.yaml
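Review bot: `rad credential register azure` still passes `--client-secret ${{ secrets.INTEGRATION_TEST_SP_PASSWORD }}` while its `--client-id` and `--tenant-id` now come from the AZURE_SP_TESTS_* secrets; if those name a different app registration than INTEGRATION_TEST_SP_APP_ID did (the two naming schemes suggest separate secret sets), the registered credential is an id/secret mismatch that only surfaces when Radius later authenticates to Azure, not in this step. Either take all three `rad credential register` values from one secret set, or store the new app's secret under a matching name, and confirm in the PR that the two app ids are the same. Because this step still registers a client secret into the cluster, the workflow has not dropped secret-based auth for Radius itself, only for the runner's `azure/login` step, so a comment above the command such as `# Radius' Azure provider is still registered with a client secret; workload identity only covers the runner's Azure login` would keep that secret from being retired by mistake. The same lines are changed in long-running-azure.yaml at @@ -398. The `run: |` block continues outside the hunk.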
@@ -37,6 +37,12 @@
 # Grafana dashboard URL: https://radiuse2e00-dashboard-audycmffgberbghy.wus3.grafana.azure.com/
 name: Long-running test on Azure
 
+
+permissions:
+ id-token: write # Required for requesting the JWT
+ contents: read # Required for actions/checkout
+ packages: write # Required for uploading the package
+
 on:
 schedule:
 # Run every 2 hours
@@ -201,9 +207,11 @@ jobs:
 run: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
 - name: Login to Azure
 if: steps.skip-build.outputs.SKIP_BUILD != 'true'
- uses: azure/login@v1
+ uses: azure/login@v2
 with:
- creds: '{"clientId":"${{ secrets.INTEGRATION_TEST_SP_APP_ID }}","clientSecret":"${{ secrets.INTEGRATION_TEST_SP_PASSWORD }}","subscriptionId":"${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.INTEGRATION_TEST_TENANT_ID }}"}'
+ client-id: ${{ secrets.AZURE_SP_TESTS_APPID }}
+ tenant-id: ${{ secrets.AZURE_SP_TESTS_TENANTID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }}
 - name: Login to GitHub Container Registry
 uses: docker/login-action@v2
 with:
@@ -330,9 +338,11 @@ jobs:
 mv ./dist/cache/rad ./bin/
 chmod +x ./bin/rad
 - name: Login to Azure
- uses: azure/login@v1
+ uses: azure/login@v2
 with:
- creds: '{"clientId":"${{ secrets.INTEGRATION_TEST_SP_APP_ID }}","clientSecret":"${{ secrets.INTEGRATION_TEST_SP_PASSWORD }}","subscriptionId":"${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.INTEGRATION_TEST_TENANT_ID }}"}'
+ client-id: ${{ secrets.AZURE_SP_TESTS_APPID }}
+ tenant-id: ${{ secrets.AZURE_SP_TESTS_TENANTID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }}
 - name: Login to GitHub Container Registry
 uses: docker/login-action@v2
 with:
@@ -345,7 +355,7 @@ jobs:
 az group create \
 --location ${{ env.AZURE_LOCATION }} \
 --name $RESOURCE_GROUP \
- --subscription ${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }} \
+ --subscription ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }} \
 --tags creationTime=$current_time
 while [ $(az group exists --name $RESOURCE_GROUP) = false ]; do sleep 2; done
 env:
@@ -353,7 +363,7 @@ jobs:
 - name: Get kubeconf credential for AKS cluster
 run: |
 az aks get-credentials \
- --subscription ${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }} \
+ --subscription ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }} \
 --resource-group ${{ env.AKS_RESOURCE_GROUP }} \
 --name ${{ env.AKS_CLUSTER_NAME }} --admin
 env:
@@ -398,11 +408,11 @@ jobs:
 rad env switch ${{ env.RADIUS_TEST_ENVIRONMENT_NAME }}
 
 echo "*** Configuring Azure provider ***"
- rad env update ${{ env.RADIUS_TEST_ENVIRONMENT_NAME }} --azure-subscription-id ${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }} \
+ rad env update ${{ env.RADIUS_TEST_ENVIRONMENT_NAME }} --azure-subscription-id ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }} \
 --azure-resource-group ${{ env.AZURE_TEST_RESOURCE_GROUP }}
- rad credential register azure --client-id ${{ secrets.INTEGRATION_TEST_SP_APP_ID }} \
+ rad credential register azure --client-id ${{ secrets.AZURE_SP_TESTS_APPID }} \
 --client-secret ${{ secrets.INTEGRATION_TEST_SP_PASSWORD }} \
- --tenant-id ${{ secrets.INTEGRATION_TEST_TENANT_ID }}
+ --tenant-id ${{ secrets.AZURE_SP_TESTS_TENANTID }}
 
 echo "*** Configuring AWS provider ***"
 rad env update ${{ env.RADIUS_TEST_ENVIRONMENT_NAME }} --aws-region ${{ env.AWS_REGION }} --aws-account-id ${{ secrets.FUNCTEST_AWS_ACCOUNT_ID }}
@@ -479,7 +489,7 @@ jobs:
 run: |
 # if deletion fails, purge workflow will purge the resource group and its resources later.
 az group delete \
- --subscription ${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }} \
+ --subscription ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }} \
 --name ${{ env.AZURE_TEST_RESOURCE_GROUP }} \
 --yes --verbose
 - name: Clean up cluster
diff --git a/.github/workflows/purge-test-resources.yaml b/.github/workflows/purge-test-resources.yaml
index 1c23ca8b1c..4313cb0df4 100644
--- a/.github/workflows/purge-test-resources.yaml
+++ b/.github/workflows/purge-test-resources.yaml
@@ -15,6 +15,11 @@
 # ------------------------------------------------------------
 name: Purge test resources
 
+
+permissions:
+ id-token: write # Required for requesting the JWT
+ contents: read # Required for actions/checkout
+
 on:
 schedule:
 # Run twice a day
@@ -46,9 +51,11 @@ jobs:
 - name: Setup Azure CLI
 run: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
 - name: Login to Azure
- uses: azure/login@v1
+ uses: azure/login@v2
 with:
- creds: '{"clientId":"${{ secrets.INTEGRATION_TEST_SP_APP_ID }}","clientSecret":"${{ secrets.INTEGRATION_TEST_SP_PASSWORD }}","subscriptionId":"${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.INTEGRATION_TEST_TENANT_ID }}"}'
+ client-id: ${{ secrets.AZURE_SP_TESTS_APPID }}
+ tenant-id: ${{ secrets.AZURE_SP_TESTS_TENANTID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }}
 - name: Find old test resource groups
 run: |
 echo "## Test resource group list" >> $GITHUB_STEP_SUMMARY
@@ -56,7 +63,7 @@ jobs:
 
 # Create the file to store the resource group list
 touch ${{ env.AZURE_RG_DELETE_LIST_FILE}}
- az account set -s ${{ secrets.INTEGRATION_TEST_SUBSCRIPTION_ID }}
+ az account set -s ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }}
 resource_groups=$(az group list --query "[].{Name:name, creationTime:tags.creationTime}" -o tsv)
 current_time=$(date +%s)