fix: rename secrets #29
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: reusable_teleport_operational_procedure | |
| on: | |
| push: | |
| branches: | |
| - reusable-gh-workflow | |
| permissions: | |
| contents: read | |
| id-token: write | |
| env: | |
| AWS_PROFILE: infex | |
| TESTS_TF_BINARY_NAME: terraform | |
| NAMESPACE_PREFIX: infraex- | |
| CLUSTER_NAME: camunda-ci-eks | |
| LABELS: janitor/ttl=1h camunda.cloud/ephemeral=true | |
| CLUSTER_1_NAMESPACE_ARR: c8-snap-cluster-1 | |
| CLUSTER_1_NAMESPACE_FAILOVER_ARR: c8-snap-cluster-1-failover | |
| CLUSTER_0_NAMESPACE_ARR: c8-snap-cluster-0 | |
| CLUSTER_0_NAMESPACE_FAILOVER_ARR: c8-snap-cluster-0-failover | |
| CLUSTER_1_NAMESPACE: c8-snap-cluster-1 | |
| CLUSTER_1_NAMESPACE_FAILOVER: c8-snap-cluster-1-failover | |
| CLUSTER_0_NAMESPACE: c8-snap-cluster-0 | |
| CLUSTER_0_NAMESPACE_FAILOVER: c8-snap-cluster-0-failover | |
| CLUSTER_0: camunda.teleport.sh-camunda-ci-eks | |
| CLUSTER_1: camunda.teleport.sh-camunda-ci-eks | |
| KUBECONFIG: ./kubeconfig | |
| HELM_RELEASE_NAME: camunda | |
| ZEEBE_CLUSTER_SIZE: 8 | |
| jobs: | |
| teleport-setup: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Setup AWS and Tools | |
| uses: ./.github/actions/setup-aws | |
| with: | |
| secrets: ${{ toJSON(secrets) }} | |
| - name: Set up Teleport | |
| uses: teleport-actions/setup@v1 | |
| with: | |
| version: 16.4.11 | |
| - name: Authenticate with Teleport | |
| uses: teleport-actions/auth-k8s@v2 | |
| with: | |
| proxy: camunda.teleport.sh:443 | |
| token: infra-ci-prod-github-action-infraex | |
| kubernetes-cluster: camunda-ci-eks | |
| - name: Write kubeconfig file | |
| id: write-kubeconfig | |
| run: | | |
| kubectl config view --raw > ./test/kubeconfig | |
| - name: Update namespace arrays with prefix and random suffix | |
| id: update-namespace-arrays | |
| run: | | |
| RANDOM_ID=$(openssl rand -hex 3) | |
| update_namespace_array() { | |
| local arr="$1" | |
| local new_arr="" | |
| IFS=',' read -ra ADDR <<< "$arr" | |
| for i in "${ADDR[@]}"; do | |
| new_arr+="${{ env.NAMESPACE_PREFIX }}$i-${RANDOM_ID}," | |
| done | |
| echo "${new_arr%,}" | |
| } | |
| CLUSTER_1_NAMESPACE_ARR=$(update_namespace_array "${{ env.CLUSTER_1_NAMESPACE_ARR }}") | |
| CLUSTER_1_NAMESPACE_FAILOVER_ARR=$(update_namespace_array "${{ env.CLUSTER_1_NAMESPACE_FAILOVER_ARR }}") | |
| CLUSTER_0_NAMESPACE_ARR=$(update_namespace_array "${{ env.CLUSTER_0_NAMESPACE_ARR }}") | |
| CLUSTER_0_NAMESPACE_FAILOVER_ARR=$(update_namespace_array "${{ env.CLUSTER_0_NAMESPACE_FAILOVER_ARR }}") | |
| { | |
| echo "CLUSTER_1_NAMESPACE_ARR=$CLUSTER_1_NAMESPACE_ARR" | |
| echo "CLUSTER_1_NAMESPACE_FAILOVER_ARR=$CLUSTER_1_NAMESPACE_FAILOVER_ARR" | |
| echo "CLUSTER_0_NAMESPACE_ARR=$CLUSTER_0_NAMESPACE_ARR" | |
| echo "CLUSTER_0_NAMESPACE_FAILOVER_ARR=$CLUSTER_0_NAMESPACE_FAILOVER_ARR" | |
| } >> "$GITHUB_ENV" | |
| get_first_item() { | |
| local arr="$1" | |
| IFS=',' read -ra ADDR <<< "$arr" | |
| echo "${ADDR[0]}" | |
| } | |
| { | |
| echo "CLUSTER_1_NAMESPACE=$(get_first_item "$CLUSTER_1_NAMESPACE_ARR")" | |
| echo "CLUSTER_1_NAMESPACE_FAILOVER=$(get_first_item "$CLUSTER_1_NAMESPACE_FAILOVER_ARR")" | |
| echo "CLUSTER_0_NAMESPACE=$(get_first_item "$CLUSTER_0_NAMESPACE_ARR")" | |
| echo "CLUSTER_0_NAMESPACE_FAILOVER=$(get_first_item "$CLUSTER_0_NAMESPACE_FAILOVER_ARR")" | |
| echo "CAMUNDA_NAMESPACE_0=${CLUSTER_0_NAMESPACE}" | |
| echo "CAMUNDA_NAMESPACE_1=${CLUSTER_1_NAMESPACE}" | |
| } >> "$GITHUB_ENV" | |
| - name: Import Secrets | |
| id: secrets | |
| uses: hashicorp/vault-action@v3 | |
| with: | |
| url: ${{ secrets.VAULT_ADDR }} | |
| method: approle | |
| roleId: ${{ secrets.VAULT_ROLE_ID }} | |
| secretId: ${{ secrets.VAULT_SECRET_ID }} | |
| exportEnv: true | |
| secrets: | | |
| secret/data/products/infrastructure-experience/ci/common AWS_ACCESS_KEY | S3_BACKUP_ACCESS_KEY; | |
| secret/data/products/infrastructure-experience/ci/common AWS_SECRET_KEY | S3_BACKUP_SECRET_KEY; | |
| - name: Create namespaces and secrets | |
| id: create-namespaces | |
| env: | |
| AWS_SECRET_ACCESS_KEY_ES: ${{ steps.secrets.outputs.S3_BACKUP_SECRET_KEY }} | |
| AWS_ACCESS_KEY_ES: ${{ steps.secrets.outputs.S3_BACKUP_ACCESS_KEY }} | |
| working-directory: ./test | |
| run: | | |
| go test --count=1 -v -timeout 9m -run TestClusterPrerequisitesTeleport | |
| - name: Label namespaces and secrets | |
| run: | | |
| label_resources() { | |
| local namespace=$1 | |
| kubectl label namespace "$namespace" ${{ env.LABELS }} | |
| secrets=$(kubectl get secrets -n "$namespace" -o jsonpath='{.items[*].metadata.name}') | |
| for secret in $secrets; do | |
| kubectl label secret "$secret" -n "$namespace" ${{ env.LABELS }} | |
| done | |
| } | |
| IFS=',' read -ra NAMESPACES <<< "${{ env.CLUSTER_0_NAMESPACE_ARR }},${{ env.CLUSTER_1_NAMESPACE_ARR }}" | |
| for namespace in "${NAMESPACES[@]}"; do | |
| label_resources "$namespace" | |
| done | |
| - name: Deploy dual region camunda through teleport access | |
| id: deploy-camunda | |
| working-directory: ./test | |
| run: | | |
| go test --count=1 -v -timeout 9m -run TestAWSDeployDualRegCamundaTeleport | |
| - name: Delete namespaces | |
| run: | | |
| delete_namespaces() { | |
| local namespace_arr="$1" | |
| IFS=',' read -ra NAMESPACES <<< "$namespace_arr" | |
| for namespace in "${NAMESPACES[@]}"; do | |
| kubectl delete namespace "$namespace" | |
| done | |
| } | |
| delete_namespaces "${{ env.CLUSTER_0_NAMESPACE_ARR }}" | |
| delete_namespaces "${{ env.CLUSTER_1_NAMESPACE_ARR }}" | |
| delete_namespaces "${{ env.CLUSTER_0_NAMESPACE_FAILOVER_ARR }}" | |
| delete_namespaces "${{ env.CLUSTER_1_NAMESPACE_FAILOVER_ARR }}" |