[WIP/ Do not review] Replace Azure Service Principal auth with Azure Workload Identity auth in samples tests #2926
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Test Samples (k3d and EKS) | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| version: | |
| description: "Radius version number to use (e.g. 0.1.0, 0.1.0-rc1, edge). Defaults to edge." | |
| required: false | |
| default: "edge" | |
| type: string | |
| push: | |
| branches: | |
| - v*.* | |
| - edge | |
| paths: | |
| - "samples/**" | |
| - ".github/workflows/**" | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| branches: | |
| - v*.* | |
| - edge | |
| schedule: # Run every day at 12 PM | |
| - cron: "0 12 * * *" | |
| env: | |
| RUN_IDENTIFIER: samplestest-${{ github.run_id }}-${{ github.run_attempt }} | |
| # Azure workload identity webhook chart version | |
| AZURE_WORKLOAD_IDENTITY_WEBHOOK_VER: "1.3.0" | |
| # Helm version | |
| HELM_VER: "v3.12.0" | |
| # k3d CLI version | |
| K3D_VER: "v5.7.3" | |
| jobs: | |
| test: | |
| name: Sample tests | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - name: demo | |
| os: ubuntu-latest | |
| runOnPullRequest: true | |
| app: demo | |
| env: default | |
| path: ./samples/demo/app.bicep | |
| deployArgs: --application demo -p image=sampleregistry:5000/samples/demo | |
| exposeArgs: --application demo | |
| uiTestFile: tests/demo/demo.app.spec.ts | |
| port: 3000 | |
| container: demo | |
| enableDapr: false | |
| images: samples/demo | |
| directories: samples/demo/ | |
| - name: dapr | |
| os: ubuntu-latest-m | |
| runOnPullRequest: true | |
| app: dapr | |
| env: default | |
| path: ./samples/dapr/dapr.bicep | |
| deployArgs: -p frontendImage=sampleregistry:5000/samples/dapr-frontend -p backendImage=sampleregistry:5000/samples/dapr-backend | |
| enableDapr: true | |
| images: samples/dapr-frontend,samples/dapr-backend | |
| directories: samples/dapr/ui/,samples/dapr/nodeapp/ | |
| - name: volumes | |
| os: ubuntu-latest | |
| runOnPullRequest: true | |
| app: myapp | |
| env: default | |
| path: ./samples/volumes/app.bicep | |
| deployArgs: -p image=sampleregistry:5000/samples/volumes | |
| enableDapr: false | |
| images: samples/volumes | |
| directories: samples/volumes/ | |
| - name: eshop-containers | |
| os: ubuntu-latest-m | |
| runOnPullRequest: true | |
| app: eshop | |
| env: default | |
| path: ./samples/eshop/eshop.bicep | |
| uiTestFile: tests/eshop/eshop.app.spec.ts | |
| enableDapr: false | |
| - name: eshop-azure | |
| os: ubuntu-latest-m | |
| runOnPullRequest: false | |
| app: eshop | |
| env: azure | |
| path: ./samples/eshop/eshop.bicep | |
| uiTestFile: tests/eshop/eshop.app.spec.ts | |
| credential: azure | |
| enableDapr: false | |
| - name: eshop-aws | |
| os: ubuntu-latest-m | |
| runOnPullRequest: false | |
| app: eshop | |
| env: aws | |
| path: ./samples/eshop/eshop.bicep | |
| uiTestFile: tests/eshop/eshop.app.spec.ts | |
| credential: aws | |
| enableDapr: false | |
| env: | |
| BRANCH: ${{ github.base_ref || github.ref_name }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| AZURE_LOCATION: westus3 | |
| AWS_REGION: us-west-2 | |
| AWS_ZONES: us-west-2a,us-west-2b,us-west-2c | |
| steps: | |
| # Setup the test assets and configuration | |
| - name: Generate output variables | |
| id: gen-id | |
| run: | | |
| RUN_IDENTIFIER=${{ env.RUN_IDENTIFIER }}-${{ matrix.name }} | |
| if [[ "${{ github.event_name }}" == "pull_request" && "${{ matrix.runOnPullRequest }}" == "false" ]]; then | |
| RUN_TEST=false | |
| else | |
| RUN_TEST=true | |
| fi | |
| if [[ "${{ matrix.enableDapr }}" == "true" ]]; then | |
| ENABLE_DAPR=true | |
| else | |
| ENABLE_DAPR=false | |
| fi | |
| # Set output variables to be used in the other jobs | |
| echo "RUN_IDENTIFIER=${RUN_IDENTIFIER}" >> $GITHUB_OUTPUT | |
| echo "TEST_AZURE_RESOURCE_GROUP=rg-${RUN_IDENTIFIER}" >> $GITHUB_OUTPUT | |
| echo "TEST_EKS_CLUSTER_NAME=eks-${RUN_IDENTIFIER}" >> $GITHUB_OUTPUT | |
| echo "RUN_TEST=${RUN_TEST}" >> $GITHUB_OUTPUT | |
| echo "ENABLE_DAPR=${ENABLE_DAPR}" >> $GITHUB_OUTPUT | |
| - name: Checkout code | |
| if: steps.gen-id.outputs.RUN_TEST == 'true' | |
| uses: actions/checkout@v4 | |
| - name: Ensure inputs.version is valid semver | |
| if: steps.gen-id.outputs.RUN_TEST == 'true' && inputs.version != '' | |
| run: | | |
| python ./.github/scripts/validate_semver.py ${{ inputs.version }} | |
| - name: Setup Node | |
| if: steps.gen-id.outputs.RUN_TEST == 'true' | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20 | |
| - uses: azure/setup-helm@v4 | |
| with: | |
| version: ${{ env.HELM_VER }} | |
| - name: az CLI login | |
| if: steps.gen-id.outputs.RUN_TEST == 'true' && matrix.credential == 'azure' | |
| run: | | |
| az login --service-principal \ | |
| --username ${{ secrets.AZURE_SP_TESTS_APPID }} \ | |
| --password ${{ secrets.AZURE_SP_TESTS_PASSWORD }} \ | |
| --tenant ${{ secrets.AZURE_SP_TESTS_TENANTID }} | |
| - name: Configure AWS | |
| if: steps.gen-id.outputs.RUN_TEST == 'true' && matrix.credential == 'aws' | |
| run: | | |
| aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws configure set region ${{ env.AWS_REGION }} | |
| aws configure set output json | |
| - name: Download k3d | |
| if: steps.gen-id.outputs.RUN_TEST == 'true' | |
| run: wget -q -O - https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | TAG=${{ env.K3D_VER }} bash | |
| - name: Create k3d cluster | |
| if: steps.gen-id.outputs.RUN_TEST == 'true' | |
| run: | | |
| # Populate the following environment variables for Azure workload identity from secrets. | |
| # AZURE_OIDC_ISSUER_PUBLIC_KEY | |
| # AZURE_OIDC_ISSUER_PRIVATE_KEY | |
| # AZURE_OIDC_ISSUER | |
| eval "export $(echo "${{ secrets.FUNCTEST_AZURE_OIDC_JSON }}" | jq -r 'to_entries | map("\(.key)=\(.value)") | @sh')" | |
| # Create k3d cluster with OIDC Issuer keys | |
| echo $AZURE_OIDC_ISSUER_PUBLIC_KEY | base64 -d > sa.pub | |
| echo $AZURE_OIDC_ISSUER_PRIVATE_KEY | base64 -d > sa.key | |
| # Create k3d cluster configuration | |
| # https://k3d.io/v5.7.3/usage/configfile/?h=config+file | |
| cat <<EOF > k3d-config.yaml | |
| apiVersion: k3d.io/v1alpha5 | |
| kind: Simple | |
| servers: 1 | |
| agents: 2 | |
| options: | |
| k3s: | |
| extraArgs: | |
| - arg: "--kube-apiserver-arg=service-account-issuer=$AZURE_OIDC_ISSUER" | |
| nodeFilters: | |
| - server:0 | |
| - arg: "--kube-apiserver-arg=service-account-key-file=/etc/kubernetes/k3s/pki/sa.pub" | |
| nodeFilters: | |
| - server:0 | |
| - arg: "--kube-apiserver-arg=service-account-signing-key-file=/etc/kubernetes/k3s/pki/sa.key" | |
| nodeFilters: | |
| - server:0 | |
| - arg: "--kube-controller-manager-arg=service-account-private-key-file=/etc/kubernetes/k3s/pki/sa.key" | |
| nodeFilters: | |
| - server:0 | |
| - arg: "--disable=traefik@server:0" | |
| nodeFilters: | |
| - server:0 | |
| ports: | |
| - port: 80:80 | |
| nodeFilters: | |
| - loadbalancer | |
| volumes: | |
| - volume: sa.pub:/etc/kubernetes/k3s/pki/sa.pub | |
| nodeFilters: | |
| - server:0 | |
| - volume: sa.key:/etc/kubernetes/k3s/pki/sa.key | |
| nodeFilters: | |
| - server:0 | |
| registries: | |
| create: | |
| name: sampleregistry | |
| host: "0.0.0.0" | |
| hostPort: "51351" | |
| EOF | |
| # Create the k3d cluster using the configuration file | |
| k3d cluster create --config ./k3d-config.yaml | |
| - name: Build images | |
| if: steps.gen-id.outputs.RUN_TEST == 'true' && matrix.images != '' | |
| run: | | |
| # split images and directories into arrays | |
| IFS=',' read -ra images <<< "${{ matrix.images }}" | |
| IFS=',' read -ra directories <<< "${{ matrix.directories }}" | |
| echo "Building images: $images" | |
| echo "Directories: $directories" | |
| for index in "${!images[@]}"; do | |
| image=${images[$index]} | |
| directory=${directories[$index]} | |
| echo "Building image $image from directory $directory" | |
| docker build -t localhost:51351/$image:latest $directory | |
| docker push localhost:51351/$image:latest | |
| done | |
| # Create and install test environment | |
| - name: Create Azure resource group | |
| if: steps.gen-id.outputs.RUN_TEST == 'true' && matrix.credential == 'azure' | |
| id: create-azure-resource-group | |
| run: | | |
| current_time=$(date +%s) | |
| az group create \ | |
| --location ${{ env.AZURE_LOCATION }} \ | |
| --name ${{ steps.gen-id.outputs.TEST_AZURE_RESOURCE_GROUP }} \ | |
| --subscription ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }} \ | |
| --tags creationTime=$current_time | |
| while [ $(az group exists --name ${{ steps.gen-id.outputs.TEST_AZURE_RESOURCE_GROUP }} --subscription ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }}) = false ]; do | |
| echo "Waiting for resource group ${{ steps.gen-id.outputs.TEST_AZURE_RESOURCE_GROUP }} to be created..." | |
| sleep 5 | |
| done | |
| - name: Create EKS Cluster | |
| if: steps.gen-id.outputs.RUN_TEST == 'true' && matrix.credential == 'aws' | |
| id: create-eks | |
| run: | | |
| curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp | |
| sudo mv /tmp/eksctl /usr/local/bin | |
| eksctl create cluster \ | |
| --name ${{ steps.gen-id.outputs.TEST_EKS_CLUSTER_NAME }} \ | |
| --nodes-min 1 --nodes-max 2 --node-type t3.large \ | |
| --zones ${{ env.AWS_ZONES }} \ | |
| --managed \ | |
| --region ${{ env.AWS_REGION }} | |
| while [[ "$(eksctl get cluster ${{ steps.gen-id.outputs.TEST_EKS_CLUSTER_NAME }} --region ${{ env.AWS_REGION }} -o json | jq -r .[0].Status)" != "ACTIVE" ]]; do | |
| echo "Waiting for EKS cluster to be created..." | |
| sleep 60 | |
| done | |
| aws eks update-kubeconfig --region ${{ env.AWS_REGION }} --name ${{ steps.gen-id.outputs.TEST_EKS_CLUSTER_NAME }} | |
| timeout-minutes: 60 | |
| continue-on-error: false | |
| - name: Install Dapr | |
| if: steps.gen-id.outputs.RUN_TEST == 'true' && steps.gen-id.outputs.ENABLE_DAPR == 'true' | |
| run: | | |
| helm repo add dapr https://dapr.github.io/helm-charts/ | |
| helm install dapr dapr/dapr --version=1.6 --namespace dapr-system --create-namespace --wait | |
| - name: Install azure workload identity webhook chart | |
| run: | | |
| helm repo add azure-workload-identity https://azure.github.io/azure-workload-identity/charts | |
| helm install workload-identity-webhook azure-workload-identity/workload-identity-webhook --namespace radius-default --create-namespace --version ${{ env.AZURE_WORKLOAD_IDENTITY_WEBHOOK_VER }} --set azureTenantID=${{ secrets.AZURE_TEST_TENANTID }} | |
| - name: Download rad CLI | |
| if: steps.gen-id.outputs.RUN_TEST == 'true' | |
| run: | | |
| RADIUS_VERSION="${{ inputs.version }}" | |
| if [[ -z "${{ inputs.version }}" ]]; then | |
| RADIUS_VERSION=edge | |
| fi | |
| ./.github/scripts/install-radius.sh $RADIUS_VERSION | |
| - name: Initialize default environment | |
| if: steps.gen-id.outputs.RUN_TEST == 'true' | |
| run: | | |
| if [[ "${{ matrix.credential }}" == "aws" ]]; then | |
| rad install kubernetes --set global.azureWorkloadIdentity.enabled=true | |
| else | |
| rad install kubernetes --set rp.publicEndpointOverride=localhost,global.azureWorkloadIdentity.enabled=true | |
| fi | |
| rad group create default | |
| rad workspace create kubernetes default --group default | |
| rad group switch default | |
| rad env create default | |
| rad env switch default | |
| rad recipe register default -e default -w default --template-kind bicep --template-path ghcr.io/radius-project/recipes/local-dev/rediscaches:latest --resource-type Applications.Datastores/redisCaches | |
| rad recipe register default -e default -w default --template-kind bicep --template-path ghcr.io/radius-project/recipes/local-dev/mongodatabases:latest --resource-type Applications.Datastores/mongoDatabases | |
| rad recipe register default -e default -w default --template-kind bicep --template-path ghcr.io/radius-project/recipes/local-dev/sqldatabases:latest --resource-type Applications.Datastores/sqlDatabases | |
| rad recipe register default -e default -w default --template-kind bicep --template-path ghcr.io/radius-project/recipes/local-dev/rabbitmqqueues:latest --resource-type Applications.Messaging/rabbitMQQueues | |
| - name: Configure cloud credentials | |
| if: steps.gen-id.outputs.RUN_TEST == 'true' && ( matrix.credential == 'azure' || matrix.credential == 'aws') | |
| run: | | |
| if [[ "${{ matrix.credential }}" == "azure" ]]; then | |
| rad env update default --azure-subscription-id ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }} --azure-resource-group ${{ steps.gen-id.outputs.TEST_AZURE_RESOURCE_GROUP }} | |
| rad credential register azure wi --client-id ${{ secrets.AZURE_SP_TESTS_APPID }} --tenant-id ${{ secrets.AZURE_SP_TESTS_TENANTID }} | |
| fi | |
| if [[ "${{ matrix.credential }}" == "aws" ]]; then | |
| rad env update default --aws-region ${{ env.AWS_REGION }} --aws-account-id ${{ secrets.AWS_ACCOUNT_ID }} | |
| rad credential register aws --access-key-id ${{ secrets.AWS_ACCESS_KEY_ID }} --secret-access-key ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| fi | |
| ## This step is temporary until we have Recipe Packs for Azure & AWS and update the eShop sample | |
| - name: Initialize eShop environments | |
| if: steps.gen-id.outputs.RUN_TEST == 'true' && matrix.app == 'eshop' | |
| run: | | |
| if [[ "${{ matrix.credential }}" == "azure" ]]; then | |
| rad deploy ./samples/eshop/environments/azure.bicep -p azureResourceGroup=${{ steps.gen-id.outputs.TEST_AZURE_RESOURCE_GROUP }} -p azureSubscriptionId=${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }} | |
| elif [[ "${{ matrix.credential }}" == "aws" ]]; then | |
| rad deploy ./samples/eshop/environments/aws.bicep -p awsAccountId=${{ secrets.AWS_ACCOUNT_ID }} -p awsRegion=${{ env.AWS_REGION }} -p eksClusterName=${{ steps.gen-id.outputs.TEST_EKS_CLUSTER_NAME }} | |
| fi | |
| rad env switch ${{ matrix.env }} | |
| # Deploy application and run tests | |
| # Retry the deployment step in case of transient failures | |
| - name: Deploy app | |
| if: steps.gen-id.outputs.RUN_TEST == 'true' | |
| id: deploy-app | |
| uses: nick-fields/retry@v3 | |
| with: | |
| timeout_minutes: 30 | |
| max_attempts: 3 | |
| retry_wait_seconds: 30 | |
| command: rad deploy ${{ matrix.path }} ${{ matrix.deployArgs }} | |
| - name: Run Playwright Test | |
| if: steps.gen-id.outputs.RUN_TEST == 'true' && matrix.uiTestFile != '' | |
| id: run-playwright-test | |
| run: | | |
| if [[ "${{ matrix.container }}" != "" ]]; then | |
| rad resource expose containers ${{ matrix.container }} ${{ matrix.exposeArgs }} --port ${{ matrix.port }} & | |
| export ENDPOINT="http://localhost:3000/" | |
| else | |
| endpoint="$(rad app status -a ${{ matrix.app }} | sed 's/ /\n/g' | grep http)" | |
| echo "Endpoint: $endpoint" | |
| export ENDPOINT=$endpoint | |
| fi | |
| cd playwright/ | |
| npm ci | |
| npx playwright install --with-deps | |
| npx playwright test ${{ matrix.uiTestFile }} --retries 3 | |
| - name: Upload Playwright Results | |
| uses: actions/upload-artifact@v4 | |
| if: always() && (steps.run-playwright-test.outcome == 'success' || steps.run-playwright-test.outcome == 'failure') | |
| with: | |
| name: playwright-report-${{ matrix.name }} | |
| path: playwright/playwright-report/ | |
| retention-days: 30 | |
| if-no-files-found: error | |
| - name: Upload Playwright Videos | |
| uses: actions/upload-artifact@v4 | |
| if: always() && steps.run-playwright-test.outcome == 'failure' | |
| with: | |
| name: playwright-video-${{ matrix.name }} | |
| path: playwright/test-results/ | |
| retention-days: 30 | |
| if-no-files-found: error | |
| # Handle failures | |
| - name: Get Pod logs for failed tests | |
| id: get-pod-logs | |
| if: failure() && (steps.run-playwright-test.outcome == 'failure' || steps.deploy-app.outcome == 'failure') | |
| run: | | |
| # Create pod-logs directory | |
| mkdir -p playwright/pod-logs/${{ matrix.name }} | |
| # Get pod logs and save to file | |
| namespace="${{ matrix.env }}-${{ matrix.app }}" | |
| label="radapp.io/application=${{ matrix.app }}" | |
| pod_names=($(kubectl get pods -l $label -n $namespace -o jsonpath='{.items[*].metadata.name}')) | |
| for pod_name in "${pod_names[@]}"; do | |
| kubectl logs $pod_name -n $namespace > playwright/pod-logs/${{ matrix.name }}/${pod_name}.txt | |
| done | |
| echo "Pod logs saved to playwright/pod-logs/${{ matrix.name }}/" | |
| # Get kubernetes events and save to file | |
| kubectl get events -n $namespace > playwright/pod-logs/${{ matrix.name }}/events.txt | |
| - name: Upload Pod logs for failed tests | |
| uses: actions/upload-artifact@v4 | |
| if: failure() && steps.get-pod-logs.outcome == 'success' | |
| with: | |
| name: ${{ matrix.name }}-pod-logs | |
| path: playwright/pod-logs/${{ matrix.name }} | |
| retention-days: 30 | |
| if-no-files-found: error | |
| - name: Create GitHub issue on failure | |
| if: failure() && github.event_name == 'schedule' | |
| run: gh issue create --title "Samples deployment failed for ${{ matrix.name }}" --body "Test failed on ${{ github.repository }}. See [workflow logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for more details." --repo ${{ github.repository }} --label test-failure | |
| # Cleanup | |
| - name: Delete app | |
| if: steps.gen-id.outputs.RUN_TEST == 'true' && steps.deploy-app.outcome == 'success' | |
| run: | | |
| if command -v rad &> /dev/null; then | |
| rad app delete ${{ matrix.app }} -y | |
| fi | |
| - name: Delete Azure resource group | |
| if: steps.gen-id.outputs.RUN_TEST == 'true' && steps.create-azure-resource-group.outcome == 'success' | |
| run: | | |
| # Delete Azure resources created by the test | |
| # if deletion fails, purge workflow will purge the resource group and its resources later | |
| az group delete \ | |
| --subscription ${{ secrets.AZURE_SUBSCRIPTIONID_TESTS }} \ | |
| --name ${{ steps.gen-id.outputs.TEST_AZURE_RESOURCE_GROUP }} \ | |
| --yes | |
| - name: Delete AWS Resources | |
| if: steps.gen-id.outputs.RUN_TEST == 'true' && matrix.credential == 'aws' && steps.deploy-app.outcome == 'success' | |
| run: | | |
| # Delete all AWS resources created by the test | |
| ./.github/scripts/delete-aws-resources.sh '/planes/radius/local/resourcegroups/default/providers/Applications.Core/applications/${{ matrix.app }}' | |
| - name: Delete EKS Cluster ${{ steps.gen-id.outputs.TEST_EKS_CLUSTER_NAME }} | |
| if: steps.create-eks.outcome == 'success' | |
| run: | | |
| echo "Deleting EKS cluster: ${{ steps.gen-id.outputs.TEST_EKS_CLUSTER_NAME }}" | |
| eksctl delete cluster --name ${{ steps.gen-id.outputs.TEST_EKS_CLUSTER_NAME }} --region ${{ env.AWS_REGION }} --wait --force |