
chore: use sops for secrets
Use SOPS for secrets; this should allow PRs from forks to work.
We should still not approve PRs from outside the org to run the workflow; GH
will run the workflow when an org member force pushes.

Signed-off-by: Noel Georgi <[email protected]>
frezbo committed Apr 19, 2024
1 parent f2b975b commit 4134d2c
Showing 12 changed files with 200 additions and 39 deletions.
56 changes: 43 additions & 13 deletions .github/workflows/ci.yaml
@@ -1,6 +1,6 @@
# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
#
# Generated on 2024-04-17T17:08:50Z by kres 92eef68.
# Generated on 2024-04-19T08:33:46Z by kres add13d7.

name: default
concurrency:
Expand Down Expand Up @@ -47,11 +47,18 @@ jobs:
run: |
git fetch --prune --unshallow
- name: Set up Docker Buildx
id: setup-buildx
uses: docker/setup-buildx-action@v3
with:
driver: remote
endpoint: tcp://127.0.0.1:1234
timeout-minutes: 10
- name: Mask secrets
run: |
echo -e "$(sops -d .secrets.yaml | yq '.secrets | to_entries[] | "::add-mask::" + .value')"
- name: Set secrets for job
run: |
sops -d .secrets.yaml | yq '.secrets | to_entries[] | .key + "=" + .value' >> "$GITHUB_ENV"
- name: js
run: |
make js
Expand Down Expand Up @@ -114,8 +121,6 @@ jobs:
make omnictl
- name: run-integration-test
env:
AUTH0_TEST_PASSWORD: ${{ secrets.AUTH0_TEST_PASSWORD }}
AUTH0_TEST_USERNAME: ${{ secrets.AUTH0_TEST_USERNAME }}
INTEGRATION_RUN_E2E_TEST: "true"
INTEGRATION_TEST_ARGS: --test.run CleanState/|Auth/|DefaultCluster/
WITH_DEBUG: "true"
Expand Down Expand Up @@ -197,11 +202,18 @@ jobs:
run: |
git fetch --prune --unshallow
- name: Set up Docker Buildx
id: setup-buildx
uses: docker/setup-buildx-action@v3
with:
driver: remote
endpoint: tcp://127.0.0.1:1234
timeout-minutes: 10
- name: Mask secrets
run: |
echo -e "$(sops -d .secrets.yaml | yq '.secrets | to_entries[] | "::add-mask::" + .value')"
- name: Set secrets for job
run: |
sops -d .secrets.yaml | yq '.secrets | to_entries[] | .key + "=" + .value' >> "$GITHUB_ENV"
- name: Download artifacts
uses: actions/download-artifact@v4
with:
Expand All @@ -212,8 +224,6 @@ jobs:
xargs -a _out/executable-artifacts -I {} chmod +x {}
- name: run-integration-test
env:
AUTH0_TEST_PASSWORD: ${{ secrets.AUTH0_TEST_PASSWORD }}
AUTH0_TEST_USERNAME: ${{ secrets.AUTH0_TEST_USERNAME }}
INTEGRATION_RUN_E2E_TEST: "false"
INTEGRATION_TEST_ARGS: --test.run CleanState/|EtcdBackupAndRestore
WITH_DEBUG: "true"
Expand Down Expand Up @@ -250,11 +260,18 @@ jobs:
run: |
git fetch --prune --unshallow
- name: Set up Docker Buildx
id: setup-buildx
uses: docker/setup-buildx-action@v3
with:
driver: remote
endpoint: tcp://127.0.0.1:1234
timeout-minutes: 10
- name: Mask secrets
run: |
echo -e "$(sops -d .secrets.yaml | yq '.secrets | to_entries[] | "::add-mask::" + .value')"
- name: Set secrets for job
run: |
sops -d .secrets.yaml | yq '.secrets | to_entries[] | .key + "=" + .value' >> "$GITHUB_ENV"
- name: Download artifacts
uses: actions/download-artifact@v4
with:
Expand All @@ -265,8 +282,6 @@ jobs:
xargs -a _out/executable-artifacts -I {} chmod +x {}
- name: run-integration-test
env:
AUTH0_TEST_PASSWORD: ${{ secrets.AUTH0_TEST_PASSWORD }}
AUTH0_TEST_USERNAME: ${{ secrets.AUTH0_TEST_USERNAME }}
INTEGRATION_RUN_E2E_TEST: "false"
INTEGRATION_TEST_ARGS: --test.run CleanState/|ScaleUpAndDown/|ScaleUpAndDownMachineClassBasedMachineSets/|RollingUpdateParallelism/|ForcedMachineRemoval/|ReplaceControlPlanes/|ConfigPatching/|KubernetesNodeAudit/
WITH_DEBUG: "true"
Expand Down Expand Up @@ -303,11 +318,18 @@ jobs:
run: |
git fetch --prune --unshallow
- name: Set up Docker Buildx
id: setup-buildx
uses: docker/setup-buildx-action@v3
with:
driver: remote
endpoint: tcp://127.0.0.1:1234
timeout-minutes: 10
- name: Mask secrets
run: |
echo -e "$(sops -d .secrets.yaml | yq '.secrets | to_entries[] | "::add-mask::" + .value')"
- name: Set secrets for job
run: |
sops -d .secrets.yaml | yq '.secrets | to_entries[] | .key + "=" + .value' >> "$GITHUB_ENV"
- name: Download artifacts
uses: actions/download-artifact@v4
with:
Expand All @@ -318,8 +340,6 @@ jobs:
xargs -a _out/executable-artifacts -I {} chmod +x {}
- name: run-integration-test
env:
AUTH0_TEST_PASSWORD: ${{ secrets.AUTH0_TEST_PASSWORD }}
AUTH0_TEST_USERNAME: ${{ secrets.AUTH0_TEST_USERNAME }}
INTEGRATION_RUN_E2E_TEST: "false"
INTEGRATION_TEST_ARGS: --test.run CleanState/|TalosImageGeneration/|ImmediateClusterDestruction/|DefaultCluster/|EncryptedCluster/|SinglenodeCluster/|Auth/
WITH_DEBUG: "true"
Expand Down Expand Up @@ -356,11 +376,18 @@ jobs:
run: |
git fetch --prune --unshallow
- name: Set up Docker Buildx
id: setup-buildx
uses: docker/setup-buildx-action@v3
with:
driver: remote
endpoint: tcp://127.0.0.1:1234
timeout-minutes: 10
- name: Mask secrets
run: |
echo -e "$(sops -d .secrets.yaml | yq '.secrets | to_entries[] | "::add-mask::" + .value')"
- name: Set secrets for job
run: |
sops -d .secrets.yaml | yq '.secrets | to_entries[] | .key + "=" + .value' >> "$GITHUB_ENV"
- name: Download artifacts
uses: actions/download-artifact@v4
with:
Expand All @@ -371,8 +398,6 @@ jobs:
xargs -a _out/executable-artifacts -I {} chmod +x {}
- name: run-integration-test
env:
AUTH0_TEST_PASSWORD: ${{ secrets.AUTH0_TEST_PASSWORD }}
AUTH0_TEST_USERNAME: ${{ secrets.AUTH0_TEST_USERNAME }}
INTEGRATION_RUN_E2E_TEST: "false"
INTEGRATION_TEST_ARGS: --test.run CleanState/|ClusterTemplate/
WITH_DEBUG: "true"
Expand Down Expand Up @@ -409,11 +434,18 @@ jobs:
run: |
git fetch --prune --unshallow
- name: Set up Docker Buildx
id: setup-buildx
uses: docker/setup-buildx-action@v3
with:
driver: remote
endpoint: tcp://127.0.0.1:1234
timeout-minutes: 10
- name: Mask secrets
run: |
echo -e "$(sops -d .secrets.yaml | yq '.secrets | to_entries[] | "::add-mask::" + .value')"
- name: Set secrets for job
run: |
sops -d .secrets.yaml | yq '.secrets | to_entries[] | .key + "=" + .value' >> "$GITHUB_ENV"
- name: Download artifacts
uses: actions/download-artifact@v4
with:
Expand All @@ -424,8 +456,6 @@ jobs:
xargs -a _out/executable-artifacts -I {} chmod +x {}
- name: run-integration-test
env:
AUTH0_TEST_PASSWORD: ${{ secrets.AUTH0_TEST_PASSWORD }}
AUTH0_TEST_USERNAME: ${{ secrets.AUTH0_TEST_USERNAME }}
INTEGRATION_RUN_E2E_TEST: "false"
INTEGRATION_TEST_ARGS: --test.run CleanState/|TalosUpgrades/|KubernetesUpgrades/|MaintenanceDowngrade/
WITH_DEBUG: "true"
11 changes: 8 additions & 3 deletions .github/workflows/e2e-backups-cron.yaml
@@ -1,6 +1,6 @@
# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
#
# Generated on 2024-04-17T16:16:58Z by kres 92eef68.
# Generated on 2024-04-19T08:33:46Z by kres add13d7.

name: e2e-backups-cron
concurrency:
Expand Down Expand Up @@ -30,15 +30,20 @@ jobs:
run: |
git fetch --prune --unshallow
- name: Set up Docker Buildx
id: setup-buildx
uses: docker/setup-buildx-action@v3
with:
driver: remote
endpoint: tcp://127.0.0.1:1234
timeout-minutes: 10
- name: Mask secrets
run: |
echo -e "$(sops -d .secrets.yaml | yq '.secrets | to_entries[] | "::add-mask::" + .value')"
- name: Set secrets for job
run: |
sops -d .secrets.yaml | yq '.secrets | to_entries[] | .key + "=" + .value' >> "$GITHUB_ENV"
- name: run-integration-test
env:
AUTH0_TEST_PASSWORD: ${{ secrets.AUTH0_TEST_PASSWORD }}
AUTH0_TEST_USERNAME: ${{ secrets.AUTH0_TEST_USERNAME }}
INTEGRATION_RUN_E2E_TEST: "false"
INTEGRATION_TEST_ARGS: --test.run CleanState/|EtcdBackupAndRestore
WITH_DEBUG: "true"
11 changes: 8 additions & 3 deletions .github/workflows/e2e-scaling-cron.yaml
@@ -1,6 +1,6 @@
# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
#
# Generated on 2024-04-17T17:08:50Z by kres 92eef68.
# Generated on 2024-04-19T08:33:46Z by kres add13d7.

name: e2e-scaling-cron
concurrency:
Expand Down Expand Up @@ -30,15 +30,20 @@ jobs:
run: |
git fetch --prune --unshallow
- name: Set up Docker Buildx
id: setup-buildx
uses: docker/setup-buildx-action@v3
with:
driver: remote
endpoint: tcp://127.0.0.1:1234
timeout-minutes: 10
- name: Mask secrets
run: |
echo -e "$(sops -d .secrets.yaml | yq '.secrets | to_entries[] | "::add-mask::" + .value')"
- name: Set secrets for job
run: |
sops -d .secrets.yaml | yq '.secrets | to_entries[] | .key + "=" + .value' >> "$GITHUB_ENV"
- name: run-integration-test
env:
AUTH0_TEST_PASSWORD: ${{ secrets.AUTH0_TEST_PASSWORD }}
AUTH0_TEST_USERNAME: ${{ secrets.AUTH0_TEST_USERNAME }}
INTEGRATION_RUN_E2E_TEST: "false"
INTEGRATION_TEST_ARGS: --test.run CleanState/|ScaleUpAndDown/|ScaleUpAndDownMachineClassBasedMachineSets/|RollingUpdateParallelism/|ForcedMachineRemoval/|ReplaceControlPlanes/|ConfigPatching/|KubernetesNodeAudit/
WITH_DEBUG: "true"
11 changes: 8 additions & 3 deletions .github/workflows/e2e-short-cron.yaml
@@ -1,6 +1,6 @@
# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
#
# Generated on 2024-04-17T16:16:58Z by kres 92eef68.
# Generated on 2024-04-19T08:33:46Z by kres add13d7.

name: e2e-short-cron
concurrency:
Expand Down Expand Up @@ -30,15 +30,20 @@ jobs:
run: |
git fetch --prune --unshallow
- name: Set up Docker Buildx
id: setup-buildx
uses: docker/setup-buildx-action@v3
with:
driver: remote
endpoint: tcp://127.0.0.1:1234
timeout-minutes: 10
- name: Mask secrets
run: |
echo -e "$(sops -d .secrets.yaml | yq '.secrets | to_entries[] | "::add-mask::" + .value')"
- name: Set secrets for job
run: |
sops -d .secrets.yaml | yq '.secrets | to_entries[] | .key + "=" + .value' >> "$GITHUB_ENV"
- name: run-integration-test
env:
AUTH0_TEST_PASSWORD: ${{ secrets.AUTH0_TEST_PASSWORD }}
AUTH0_TEST_USERNAME: ${{ secrets.AUTH0_TEST_USERNAME }}
INTEGRATION_RUN_E2E_TEST: "false"
INTEGRATION_TEST_ARGS: --test.run CleanState/|TalosImageGeneration/|ImmediateClusterDestruction/|DefaultCluster/|EncryptedCluster/|SinglenodeCluster/|Auth/
WITH_DEBUG: "true"
11 changes: 8 additions & 3 deletions .github/workflows/e2e-templates-cron.yaml
@@ -1,6 +1,6 @@
# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
#
# Generated on 2024-04-17T16:16:58Z by kres 92eef68.
# Generated on 2024-04-19T08:33:46Z by kres add13d7.

name: e2e-templates-cron
concurrency:
Expand Down Expand Up @@ -30,15 +30,20 @@ jobs:
run: |
git fetch --prune --unshallow
- name: Set up Docker Buildx
id: setup-buildx
uses: docker/setup-buildx-action@v3
with:
driver: remote
endpoint: tcp://127.0.0.1:1234
timeout-minutes: 10
- name: Mask secrets
run: |
echo -e "$(sops -d .secrets.yaml | yq '.secrets | to_entries[] | "::add-mask::" + .value')"
- name: Set secrets for job
run: |
sops -d .secrets.yaml | yq '.secrets | to_entries[] | .key + "=" + .value' >> "$GITHUB_ENV"
- name: run-integration-test
env:
AUTH0_TEST_PASSWORD: ${{ secrets.AUTH0_TEST_PASSWORD }}
AUTH0_TEST_USERNAME: ${{ secrets.AUTH0_TEST_USERNAME }}
INTEGRATION_RUN_E2E_TEST: "false"
INTEGRATION_TEST_ARGS: --test.run CleanState/|ClusterTemplate/
WITH_DEBUG: "true"
11 changes: 8 additions & 3 deletions .github/workflows/e2e-upgrades-cron.yaml
@@ -1,6 +1,6 @@
# THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
#
# Generated on 2024-04-17T16:16:58Z by kres 92eef68.
# Generated on 2024-04-19T08:33:46Z by kres add13d7.

name: e2e-upgrades-cron
concurrency:
Expand Down Expand Up @@ -30,15 +30,20 @@ jobs:
run: |
git fetch --prune --unshallow
- name: Set up Docker Buildx
id: setup-buildx
uses: docker/setup-buildx-action@v3
with:
driver: remote
endpoint: tcp://127.0.0.1:1234
timeout-minutes: 10
- name: Mask secrets
run: |
echo -e "$(sops -d .secrets.yaml | yq '.secrets | to_entries[] | "::add-mask::" + .value')"
- name: Set secrets for job
run: |
sops -d .secrets.yaml | yq '.secrets | to_entries[] | .key + "=" + .value' >> "$GITHUB_ENV"
- name: run-integration-test
env:
AUTH0_TEST_PASSWORD: ${{ secrets.AUTH0_TEST_PASSWORD }}
AUTH0_TEST_USERNAME: ${{ secrets.AUTH0_TEST_USERNAME }}
INTEGRATION_RUN_E2E_TEST: "false"
INTEGRATION_TEST_ARGS: --test.run CleanState/|TalosUpgrades/|KubernetesUpgrades/|MaintenanceDowngrade/
WITH_DEBUG: "true"
19 changes: 15 additions & 4 deletions .kres.yaml
Expand Up @@ -152,6 +152,7 @@ spec:
@hack/test/integration.sh
ghaction:
enabled: true
sops: true
artifacts:
enabled: true
extraPaths:
Expand All @@ -167,8 +168,6 @@ spec:
WITH_DEBUG: "true"
INTEGRATION_RUN_E2E_TEST: "true"
INTEGRATION_TEST_ARGS: "--test.run CleanState/|Auth/|DefaultCluster/"
AUTH0_TEST_PASSWORD: ${{ secrets.AUTH0_TEST_PASSWORD }}
AUTH0_TEST_USERNAME: ${{ secrets.AUTH0_TEST_USERNAME }}
jobs:
- name: e2e-short
crons:
Expand Down Expand Up @@ -234,6 +233,20 @@ spec:
- "hack/generate-certs/certs"
- "hack/compose/docker-compose.override.yml"
---
kind: common.SOPS
spec:
enabled: true
config: |-
creation_rules:
- age: age1xrpa9ujxxcj2u2gzfrzv8mxak4rts94a6y60ypurv6rs5cpr4e4sg95f0k
# order: Andrey, Noel, Artem, Utku, Dmitriy
pgp: >-
15D5721F5F5BAF121495363EFE042E3D4085A811,
CC51116A94490FA6FB3C18EB2401FCAE863A06CA,
4919F560F0D35F80CF382D76E084A2DF1143C14D,
966BC282A680D8BB3E8363E865933E76F0549B0D,
AA5213AF261C1977AF38B03A94B473337258BFD5
---
kind: golang.Build
name: omni
spec:
Expand Down Expand Up @@ -503,8 +516,6 @@ spec:
- .vue
skipPaths:
- node_modules/

enableConform: true
enforceContexts:
- e2e-short
- e2e-scaling
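Review bot: The age recipient in the new `common.SOPS` block (`- age: age1xrpa9uj…`) has no owner comment, while the PGP fingerprints right below it are attributed by `# order: Andrey, Noel, Artem, Utku, Dmitriy`. Since the generated workflow steps run `sops -d .secrets.yaml` on the runner, this age key is presumably the runner-side decryption key and therefore the recipient that must be replaced (re-encrypting with `sops updatekeys`) if that runner is rebuilt or exposed, so a comment such as `# CI runner decryption key — rotate via sops updatekeys if the runner is replaced` would document that. The `creation_rules` entry also has no `path_regex`, so it applies to every file sops encrypts in this repository; if only `.secrets.yaml` is intended, saying so in a comment (or adding a `path_regex`) avoids surprises later. Finally, the steps produced by `sops: true` write `key=value` lines into `$GITHUB_ENV` and pass values through `echo -e` for masking, so secret values must stay single-line and free of backslash escapes or the masked string and the exported string diverge; that constraint belongs in a comment next to `sops: true`, since the workflow files themselves are generated.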
