tests/int: Add IAM setup automation docs

Add instructions about how to create service accounts with IAM permissions and populare the secrets and variables required in the CI. Signed-off-by: Sunny <darkowlzz@protonmail.com>
2026-02-22 15:41:47 +00:00 · 2023-07-18 17:38:53 +00:00 · 2023-07-18 17:38:53 +00:00 · 0de650306b
commit 0de650306b
parent c8e017086e
2 changed files with 105 additions and 29 deletions
--- a/.github/workflows/e2e-azure.yaml
+++ b/.github/workflows/e2e-azure.yaml
@ -3,19 +3,19 @@ name: e2e-azure
 on:
  workflow_dispatch:
  schedule:
-    - cron:  '0 6 * * *'
+    - cron: "0 6 * * *"
  push:
    branches:
      - main
    paths:
-      - 'tests/**'
-      - '.github/workflows/e2e-azure.yaml'
+      - "tests/**"
+      - ".github/workflows/e2e-azure.yaml"
  pull_request:
    branches:
      - main
    paths:
-      - 'tests/**'
-      - '.github/workflows/e2e-azure.yaml'
+      - "tests/**"
+      - ".github/workflows/e2e-azure.yaml"

 permissions:
  contents: read
@ -47,7 +47,7 @@ jobs:
          wget https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux -O $HOME/.local/bin/sops
          chmod +x $HOME/.local/bin/sops
      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1  # v2
+        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2
        with:
          terraform_version: 1.2.8
          terraform_wrapper: false
@ -91,7 +91,7 @@ jobs:
      - name: Authenticate to Azure
        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.6
        with:
-          creds: '{"clientId":"${{ secrets.ARM_CLIENT_ID }}","clientSecret":"${{ secrets.ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.ARM_TENANT_ID }}"}'
+          creds: '{"clientId":"${{ secrets.AZ_ARM_CLIENT_ID }}","clientSecret":"${{ secrets.AZ_ARM_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZ_ARM_TENANT_ID }}"}'
      - name: Set dynamic variables in .env
        run: |
          cat > .env <<EOF
@ -101,22 +101,22 @@ jobs:
        run: cat .env
      - name: Run Azure e2e tests
        env:
-          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
-          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
-          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
-          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
-          TF_VAR_azuredevops_org: ${{ secrets.AZUREDEVOPS_ORG }}
-          TF_VAR_azuredevops_pat: ${{ secrets.AZUREDEVOPS_PAT }}
-          TF_VAR_location: "southcentralus"
-          AZUREDEVOPS_SSH_CONTENTS: ${{ secrets.AZUREDEVOPS_ID_RSA }}
-          AZUREDEVOPS_SSH_PUB_CONTENTS: ${{ secrets.AZUREDEVOPS_ID_RSA_PUB }}
+          ARM_CLIENT_ID: ${{ secrets.AZ_ARM_CLIENT_ID }}
+          ARM_CLIENT_SECRET: ${{ secrets.AZ_ARM_CLIENT_SECRET }}
+          ARM_SUBSCRIPTION_ID: ${{ secrets.AZ_ARM_SUBSCRIPTION_ID }}
+          ARM_TENANT_ID: ${{ secrets.AZ_ARM_TENANT_ID }}
+          TF_VAR_azuredevops_org: ${{ secrets.TF_VAR_azuredevops_org }}
+          TF_VAR_azuredevops_pat: ${{ secrets.TF_VAR_azuredevops_pat }}
+          TF_VAR_location: ${{ vars.TF_VAR_azure_location }}
+          GITREPO_SSH_CONTENTS: ${{ secrets.GITREPO_SSH_CONTENTS }}
+          GITREPO_SSH_PUB_CONTENTS: ${{ secrets.GITREPO_SSH_PUB_CONTENTS }}
        run: |
          source .env
          mkdir -p ./build/ssh
          touch ./build/ssh/key
-          echo $AZUREDEVOPS_SSH_CONTENTS | base64 -d > build/ssh/key
-          export AZUREDEVOPS_SSH=build/ssh/key
+          echo $GITREPO_SSH_CONTENTS | base64 -d > build/ssh/key
+          export GITREPO_SSH_PATH=build/ssh/key
          touch ./build/ssh/key.pub
-          echo $AZUREDEVOPS_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
-          export AZUREDEVOPS_SSH_PUB=build/ssh/key.pub
+          echo $GITREPO_SSH_PUB_CONTENTS | base64 -d > ./build/ssh/key.pub
+          export GITREPO_SSH_PUB_PATH=build/ssh/key.pub
          make test-azure
--- a/tests/integration/README.md
+++ b/tests/integration/README.md
@ -55,6 +55,44 @@ the tests:
 - `Microsoft.KeyVault/*`
 - `Microsoft.EventHub/*`

+To set up CI secrets and variables using
+[azure-gh-actions](https://github.com/fluxcd/test-infra/tree/main/tf-modules/azure/github-actions)
+use:
+
+```hcl
+module "azure_gh_actions" {
+  source = "git::https://github.com/fluxcd/test-infra.git//tf-modules/azure/github-actions"
+
+  azure_owners = ["owner-id-1", "owner-id-2"]
+  azure_app_name = "flux2-e2e"
+  azure_app_description = "flux2 e2e"
+  azure_permissions = [
+      "Microsoft.Kubernetes/*",
+      "Microsoft.Resources/*",
+      "Microsoft.Authorization/roleAssignments/{Read,Write,Delete}",
+      "Microsoft.ContainerRegistry/*",
+      "Microsoft.ContainerService/*",
+      "Microsoft.KeyVault/*",
+      "Microsoft.EventHub/*"
+  ]
+  azure_location = "eastus"
+
+  github_project = "flux2"
+
+  github_secret_client_id_name = "AZ_ARM_CLIENT_ID"
+  github_secret_client_secret_name = "AZ_ARM_CLIENT_SECRET"
+  github_secret_subscription_id_name = "AZ_ARM_SUBSCRIPTION_ID"
+  github_secret_tenant_id_name = "AZ_ARM_TENANT_ID"
+
+  github_secret_custom = {
+    "TF_VAR_azuredevops_org" = "<org-name>",
+    "TF_VAR_azuredevops_pat" = "<pat>",
+    "GITREPO_SSH_CONTENTS" = "<add-private-key-content>",
+    "GITREPO_SSH_PUB_CONTENTS" = "<add-public-key-content>"
+  }
+}
+```
+
 ## GCP

 ### Architecture
@ -112,15 +150,53 @@ for the terraform variables

 Following roles are needed for provisioning the infrastructure and running the tests:

- Compute Instance Admin (v1)
- Kubernetes Engine Admin
- Service Account User
- Artifact Registry Administrator
- Artifact Registry Repository Administrator
- Cloud KMS Admin
- Cloud KMS CryptoKey Encrypter
- Source Repository Administrator
- Pub/Sub Admin
+- Compute Instance Admin (v1) - `roles/compute.instanceAdmin.v1`
+- Kubernetes Engine Admin - `roles/container.admin`
+- Service Account User - `roles/iam.serviceAccountUser`
+- Artifact Registry Administrator - `roles/artifactregistry.admin`
+- Artifact Registry Repository Administrator - `roles/artifactregistry.repoAdmin`
+- Cloud KMS Admin - `roles/cloudkms.admin`
+- Cloud KMS CryptoKey Encrypter - `roles/cloudkms.cryptoKeyEncrypt`
+- Source Repository Administrator - `roles/source.admin`
+- Pub/Sub Admin - `roles/pubsub.admin`
+
+To set up CI secrets and variables using
+[gcp-gh-actions](https://github.com/fluxcd/test-infra/tree/main/tf-modules/gcp/github-actions)
+use:
+
+```hcl
+provider "google" {}
+
+module "gcp_gh_actions" {
+  source = "git::https://github.com/fluxcd/test-infra.git//tf-modules/gcp/github-actions"
+
+  gcp_service_account_id = "flux2-e2e-test"
+  gcp_service_account_name = "flux2-e2e-test"
+  gcp_roles = [
+      "roles/compute.instanceAdmin.v1",
+      "roles/container.admin",
+      "roles/iam.serviceAccountUser",
+      "roles/artifactregistry.admin",
+      "roles/artifactregistry.repoAdmin",
+      "roles/cloudkms.admin",
+      "roles/cloudkms.cryptoKeyEncrypter",
+      "roles/source.admin",
+      "roles/pubsub.admin"
+  ]
+
+  github_project = "flux2"
+
+  github_secret_credentials_name = "FLUX2_E2E_GOOGLE_CREDENTIALS"
+
+  github_secret_custom = {
+    "TF_VAR_gcp_keyring" = "<keyring-name>",
+    "TF_VAR_gcp_crypto_key" = "<key-name>",
+    "TF_VAR_gcp_email" = "<email>",
+    "GITREPO_SSH_CONTENTS" = "<add-private-key-content>",
+    "GITREPO_SSH_PUB_CONTENTS" = "<add-public-key-content>"
+  }
+}
+```

 ## Tests