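# End-to-end test of the azwi CLI against a real AAD tenant, plus a build /
# help-text smoke test across OSes.
#
# The e2e job authenticates to Azure with a GitHub OIDC token (no stored client
# secret), so the trigger list is part of the trust boundary: there is
# deliberately no pull_request trigger, so code from a fork never runs with
# id-token: write. The AAD application's federated credential (configured on
# the Azure side, not visible here) is what restricts which repo/branches can
# redeem that token — review it together with any change to `on:`.
name: Azure Workload Identity E2E
on:
  workflow_dispatch:
  schedule:
    - cron: '0 0 * * *' # nightly
  push:
    branches:
      - main
      - release-**
# Workflow-level default is read-only. id-token: write is granted only to the
# job that actually logs in to Azure (see azwi_e2e.permissions); azwi_build has
# no reason to mint an OIDC token.
permissions:
  contents: read
jobs:
  azwi_e2e:
    # Job-level permissions replace (do not merge with) the workflow-level
    # block, so contents: read must be restated here for actions/checkout.
    permissions:
      id-token: write
      contents: read
    env:
      # Identifiers, not secrets: the app / tenant the OIDC token is
      # exchanged against.
      AZURE_CLIENT_ID: 0dcfc182-7b36-4e23-b53f-a27c929a9e4e
      AZURE_TENANT_ID: bc2d60ab-9b1d-45bd-8a3b-3a18ae865e3a
      # Issuer URL written into the created service account / federated
      # credential. NOTE(review): presumably a hosted test discovery document
      # rather than this runner's kind cluster — confirm before changing.
      SERVICE_ACCOUNT_ISSUER: "https://azwi.blob.core.windows.net/oidc-test/"
    strategy:
      fail-fast: false
      matrix:
        # TODO(chewong): add windows and macos test env
        env: [ubuntu-20.04]
    runs-on: ${{ matrix.env }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
        with:
          # `audit` only logs outbound connections; it does not block them.
          # Tighten to `block` with an allowed-endpoints list once the Azure /
          # Graph / GitHub hosts this job talks to have been catalogued.
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          fetch-depth: 0
      - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
        with:
          go-version: "1.21"
          check-latest: true
      - name: Azure CLI
        run: |
          echo "Azure CLI Current installed version"
          az version
      - name: Set variables
        id: variables
        # Random suffixes keep concurrent runs (nightly + push) from colliding
        # on the same AAD app name / namespace.
        run: |
          echo "AAD_APPLICATION_NAME=azwi-e2e-app-$(openssl rand -hex 2)" >> "${GITHUB_ENV}"
          SERVICE_ACCOUNT_NAMESPACE="azwi-$(openssl rand -hex 2)"
          echo "SERVICE_ACCOUNT_NAMESPACE=${SERVICE_ACCOUNT_NAMESPACE}" >> "${GITHUB_ENV}"
          echo "SERVICE_ACCOUNT_NAME=${SERVICE_ACCOUNT_NAMESPACE}-sa" >> "${GITHUB_ENV}"
      - name: Create kind cluster
        # Throwaway service-account signing key for the ephemeral kind cluster.
        # It lives only in the runner workspace; nothing in this workflow
        # uploads or prints it.
        run: |
          openssl genrsa -out sa.key 2048
          openssl rsa -in sa.key -pubout -out sa.pub
          make kind-create
      - name: Build azwi
        run: make bin/azwi
      - uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.6
        with:
          # OIDC federation: no client-secret input; the job's id-token
          # permission supplies the token that azure/login exchanges.
          client-id: ${{ env.AZURE_CLIENT_ID }}
          tenant-id: ${{ env.AZURE_TENANT_ID }}
          allow-no-subscriptions: true
      - name: E2E test
        run: |
          kubectl create namespace "${SERVICE_ACCOUNT_NAMESPACE}"
          # role-assignment is skipped because the login has no subscription
          # (allow-no-subscriptions above); only the app + federated credential
          # + service account paths are exercised.
          ./bin/azwi serviceaccount create \
            --aad-application-name "${AAD_APPLICATION_NAME}" \
            --service-account-namespace "${SERVICE_ACCOUNT_NAMESPACE}" \
            --service-account-name "${SERVICE_ACCOUNT_NAME}" \
            --service-account-issuer-url "${SERVICE_ACCOUNT_ISSUER}" \
            --service-account-token-expiration 10h \
            --skip-phases role-assignment
          # get the service account object
          kubectl describe serviceaccount "${SERVICE_ACCOUNT_NAME}" --namespace "${SERVICE_ACCOUNT_NAMESPACE}" > sa.yaml
          # Display names are not unique in AAD; the random suffix makes a
          # collision unlikely, but `[0]` still just takes the first match.
          APPLICATION_CLIENT_ID="$(az ad sp list --display-name "${AAD_APPLICATION_NAME}" --query '[0].appId' -otsv)"
          # Each grep exits non-zero when its annotation is missing, which
          # fails the step under the default `bash -e` shell (grep is the last
          # command in the pipeline, so pipefail is not needed here).
          cat sa.yaml | grep "azure.workload.identity/client-id: ${APPLICATION_CLIENT_ID}"
          cat sa.yaml | grep "azure.workload.identity/service-account-token-expiration: 36000"
          cat sa.yaml | grep "azure.workload.identity/tenant-id: ${AZURE_TENANT_ID}"
          # get the federated identity (issuer/subject/audience only — no
          # secret material is returned or logged here)
          APPLICATION_OBJECT_ID="$(az ad app show --id "${APPLICATION_CLIENT_ID}" --query id -otsv)"
          az rest --method GET --uri "https://graph.microsoft.com/beta/applications/${APPLICATION_OBJECT_ID}/federatedIdentityCredentials"
      - name: Cleanup
        if: ${{ always() }}
        # Best-effort teardown: `set +e` is deliberate so a failed app delete
        # still lets the service-account delete run (and vice versa). If the
        # "Set variables" step never ran, these names are empty and the
        # deletes are expected to fail harmlessly.
        run: |
          set +e
          # this should delete the underlying federated identity
          ./bin/azwi serviceaccount delete phase app \
            --aad-application-name "${AAD_APPLICATION_NAME}"
          ./bin/azwi serviceaccount delete phase sa \
            --service-account-namespace "${SERVICE_ACCOUNT_NAMESPACE}" \
            --service-account-name "${SERVICE_ACCOUNT_NAME}"
  azwi_build:
    # Build + help-text smoke test only. Inherits the workflow-level
    # contents: read and nothing more — no Azure access, no OIDC token.
    strategy:
      fail-fast: false
      matrix:
        # TODO(aramase): add windows test env
        env: [ubuntu-20.04, macos-11]
    runs-on: ${{ matrix.env }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          fetch-depth: 0
      - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
        with:
          go-version: "1.21"
          check-latest: true
      - name: Build azwi
        run: |
          make bin/azwi
      - name: Validate azwi commands
        run: |
          ./bin/azwi version
          ./bin/azwi -h
          ./bin/azwi serviceaccount -h
          ./bin/azwi serviceaccount create -h
          ./bin/azwi serviceaccount delete -h
          ./bin/azwi jwks -h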