Skip to content
This repository has been archived by the owner on Oct 3, 2024. It is now read-only.

Initial setup for repo #11

Initial setup for repo

Initial setup for repo #11

name: Test AWS Init Package
on:
push:
branches:
- main
pull_request:
branches:
- main
workflow_dispatch:
inputs:
cluster_name_public:
type: string
default: "zarf-init-aws-public-test"
description: Name of the eks cluster for public ECR test
cluster_name_private:
type: string
default: "zarf-init-aws-private-test"
description: Name of the eks cluster for private ECR test
instance_type:
type: string
default: t3.medium
description: EC2 instance type to use for the EKS cluster nodes
permissions:
id-token: write
contents: read
# Abort prior jobs in the same workflow / PR
concurrency:
group: init-aws-${{ github.ref }}
cancel-in-progress: true
jobs:
# Build AWS init package and EKS package
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Setup Go
uses: defenseunicorns/zarf/.github/actions/golang@main
# TODO: Use setup-zarf github action once Zarf v0.30.0 is released
- name: Build Zarf binary from source
run: |
tmpdir="$(mktemp -d)"
git clone --depth 1 https://github.com/defenseunicorns/zarf.git "$tmpdir"
cd "$tmpdir"
make build-cli-linux-amd
mv build/zarf "${GITHUB_WORKSPACE}/build"
sudo cp "${GITHUB_WORKSPACE}/build/zarf" /usr/local/bin
chmod +x /usr/local/bin/zarf
- name: Build AWS init package
run: make aws-init-package
- name: Build EKS package
run: make eks-package
# Upload the contents of the build directory for later stages to use
- name: Upload build artifacts
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: build-artifacts
path: build/
retention-days: 1
# Deploy and test AWS init package with private ECR registry
validate-private-ecr:
runs-on: ubuntu-latest
needs: build
steps:
- name: Checkout
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Download build artifacts
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: build-artifacts
path: build/
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 # v4.0.0
with:
role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }}
aws-region: us-east-1
role-duration-seconds: 14400
# - name: Install latest version of Zarf
# uses: defenseunicorns/setup-zarf@main
- name: Make Zarf executable
run: chmod +x build/zarf
- name: Deploy EKS package
run: |
./build/zarf package deploy build/zarf-package-distro-eks-multi-0.0.3.tar.zst \
--components=deploy-eks-cluster \
--set=EKS_CLUSTER_NAME=${{ inputs.cluster_name_private }} \
--set=EKS_INSTANCE_TYPE=${{ inputs.instance_type }} \
--confirm
- name: Create IAM roles for IRSA authentication
working-directory: hack/iam
id: iam-create
run: ./iam.sh create ${{ inputs.cluster_name_private }}
- name: Zarf init with private ECR registry
run: |
REGISTRY_TYPE="private"
AWS_REGION="us-east-1"
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
REGISTRY_URL="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
ECR_AUTH_TOKEN=$(aws ecr get-login-password --region "${AWS_REGION}")
./build/zarf init \
--registry-url="${REGISTRY_URL}" \
--registry-push-username="AWS" \
--registry-push-password="${ECR_AUTH_TOKEN}" \
--set=REGISTRY_TYPE="${REGISTRY_TYPE}" \
--set=AWS_REGION="${AWS_REGION}" \
--set=ECR_HOOK_ROLE_ARN=${{ steps.iam-create.outputs.ecr-webhook-role-arn }} \
--set=ECR_CREDENTIAL_HELPER_ROLE_ARN=${{ steps.iam-create.outputs.ecr-credential-helper-role-arn }} \
--components="zarf-ecr-credential-helper" \
-a amd64 \
-l debug \
--confirm
- name: Teardown the cluster
if: always()
run: |
zarf package deploy build/zarf-package-distro-eks-multi-0.0.3.tar.zst \
--components=teardown-eks-cluster \
--set=EKS_CLUSTER_NAME=${{ inputs.cluster_name_private }} \
--confirm
- name: Delete private ECR repositories
if: always()
run: |
repos=("defenseunicorns/pepr/controller" "defenseunicorns/zarf/agent" "lucasrod96/zarf-ecr-credential-helper")
for repo in "${repos[@]}"
do
aws ecr delete-repository --repository-name "${repo}" --force || true
done
- name: Delete IAM roles
if: always()
working-directory: hack/iam
run: ./iam.sh delete
- name: Save logs
if: always()
uses: defenseunicorns/zarf/.github/actions/save-logs@main
# TODO: add slack webhook URL secret
# - name: Send trigger to Slack on workflow failure
# if: failure()
# uses: defenseunicorns/zarf/.github/actions/slack@main
# with:
# slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
# Deploy and test AWS init package with public ECR registry
validate-public-ecr:
runs-on: ubuntu-latest
needs: build
steps:
- name: Checkout
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Download build artifacts
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: build-artifacts
path: build/
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 # v4.0.0
with:
role-to-assume: ${{ secrets.AWS_NIGHTLY_ROLE }}
aws-region: us-east-1
role-duration-seconds: 14400
# - name: Install latest version of Zarf
# uses: defenseunicorns/setup-zarf@main
- name: Make Zarf executable
run: chmod +x build/zarf
- name: Deploy EKS package
run: |
./build/zarf package deploy build/zarf-package-distro-eks-multi-0.0.3.tar.zst \
--components=deploy-eks-cluster \
--set=EKS_CLUSTER_NAME=${{ inputs.cluster_name_public }} \
--set=EKS_INSTANCE_TYPE=${{ inputs.instance_type }} \
--confirm
- name: Create IAM roles for IRSA authentication
working-directory: hack/iam
id: iam-create
run: ./iam.sh create ${{ inputs.cluster_name_public }}
- name: Zarf init with public ECR registry
run: |
REGISTRY_TYPE="public"
AWS_REGION="us-east-1"
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text)
REGISTRY_URL=$(aws ecr-public describe-registries --query 'registries[0].registryUri' --output text)
ECR_AUTH_TOKEN=$(aws ecr-public get-login-password --region "${AWS_REGION}")
./build/zarf init \
--registry-url="${REGISTRY_URL}" \
--registry-push-username="AWS" \
--registry-push-password="${ECR_AUTH_TOKEN}" \
--set=REGISTRY_TYPE="${REGISTRY_TYPE}" \
--set=AWS_REGION="${AWS_REGION}" \
--set=ECR_HOOK_ROLE_ARN=${{ steps.iam-create.outputs.ecr-webhook-role-arn }} \
--set=ECR_CREDENTIAL_HELPER_ROLE_ARN=${{ steps.iam-create.outputs.ecr-credential-helper-role-arn }} \
--components="zarf-ecr-credential-helper" \
-a amd64 \
-l debug \
--confirm
- name: Teardown the cluster
if: always()
run: |
zarf package deploy build/zarf-package-distro-eks-multi-0.0.3.tar.zst \
--components=teardown-eks-cluster \
--set=EKS_CLUSTER_NAME=${{ inputs.cluster_name_public }} \
--confirm
- name: Delete public ECR repositories
if: always()
run: |
repos=("defenseunicorns/pepr/controller" "defenseunicorns/zarf/agent" "lucasrod96/zarf-ecr-credential-helper")
for repo in "${repos[@]}"
do
aws ecr-public delete-repository --repository-name "${repo}" --force || true
done
- name: Delete IAM roles
if: always()
working-directory: hack/iam
run: ./iam.sh delete
- name: Save logs
if: always()
uses: defenseunicorns/zarf/.github/actions/save-logs@main
# TODO: add slack webhook URL secret
# - name: Send trigger to Slack on workflow failure
# if: failure()
# uses: defenseunicorns/zarf/.github/actions/slack@main
# with:
# slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}