Enable Github actions (#78)

Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
Marcos Yacob 2022-05-01 13:49:50 -03:00 committed by GitHub
parent d2b4baa287
commit 5cb41636f5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 59 additions and 21 deletions

29
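--- a/.github/workflows/pr_build.yml
+++ b/.github/workflows/pr_build.yml
@@ -0,0 +1,29 @@
+name: PR Build
+on:
+push:
+branches:
+- master
+pull_request: {}
+workflow_dispatch: {}
+env:
+GO_VERSION: 1.16.5
+CHANGE_MINIKUBE_NONE_USER: true
+TERM: xterm
+jobs:
+test-all:
+runs-on: ubuntu-18.04
+timeout-minutes: 30
+steps:
+- name: Checkout
+uses: actions/checkout@v2
+- name: Setup go
+uses: actions/setup-go@v2
+with:
+go-version: ${{ env.GO_VERSION }}
+- name: install minikube
+id: minikube
+uses: medyagh/setup-minikube@master
+- name: Envoy
+run: docker-compose/test-all.sh
+- name: K8s
+run: k8s/test-all.sh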
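Review bot: `uses: medyagh/setup-minikube@master` tracks a mutable branch of a third-party action, so whatever lands on that branch runs in this job with access to the checkout and the job token; pin it to a full commit SHA, e.g. `uses: medyagh/setup-minikube@<full-commit-sha>  # <release tag>`. The `@v2` tags on `actions/checkout` and `actions/setup-go` are movable as well and can be pinned the same way. The workflow also declares no `permissions:` block, so the token keeps the repository default; since the job only builds and runs tests, a top-level `permissions:` with `contents: read` looks sufficient.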


@ -1,6 +1,7 @@
server { server {
bind_address = "0.0.0.0" bind_address = "0.0.0.0"
bind_port = "8081" bind_port = "8081"
socket_path = "/tmp/spire-server/private/api.sock"
trust_domain = "example.org" trust_domain = "example.org"
data_dir = "/opt/spire/data/server" data_dir = "/opt/spire/data/server"
log_level = "DEBUG" log_level = "DEBUG"
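Review bot: The added `socket_path = "/tmp/spire-server/private/api.sock"` puts the server API socket under `/tmp` and carries no comment saying who is expected to connect to it. Local callers that can open this socket presumably reach the server's administrative API, so it is worth confirming that the `private` directory is not bind-mounted or shared more widely than the test scripts need. A short comment above the line, such as `# server API socket; keep this directory private to the server container` (adjusted to whatever actually uses it), would record that intent. The `server` block continues past the end of this hunk.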


@ -1,4 +1,3 @@
#!/bin/bash #!/bin/bash
norm=$(tput sgr0) || true norm=$(tput sgr0) || true
@ -15,7 +14,7 @@ log() {
clean-env() { clean-env() {
log "Cleaning up..." log "Cleaning up..."
bash "${DIR}"/scripts/clean-env.sh > /dev/null bash "${DIR}"/scripts/clean-env.sh
} }
trap clean-env EXIT trap clean-env EXIT
@ -23,16 +22,16 @@ trap clean-env EXIT
log "Preparing environment..." log "Preparing environment..."
clean-env clean-env
bash "${DIR}"/scripts/set-env.sh > /dev/null bash "${DIR}"/scripts/set-env.sh
bash "${DIR}"/scripts/create-workload-registration-entry.sh > /dev/null bash "${DIR}"/scripts/create-workload-registration-entry.sh
log "Checking Statsd received metrics pushed by SPIRE..." log "Checking Statsd received metrics pushed by SPIRE..."
STATSD_LOG_LINE="MetricLineReceiver connection with .* established" STATSD_LOG_LINE="MetricLineReceiver connection with .* established"
for ((i=0;i<60;i++)); do for ((i=0;i<60;i++)); do
if ! docker-compose -f "${DIR}"/docker-compose.yaml logs --tail=10 -t graphite-statsd | grep -qe "${STATSD_LOG_LINE}" ; then if ! docker-compose -f "${DIR}"/docker-compose.yaml logs --tail=10 -t graphite-statsd | grep -qe "${STATSD_LOG_LINE}" ; then
sleep 1 sleep 1
continue continue
fi fi
METRIC_RECEIVED=1 METRIC_RECEIVED=1
break break
@ -44,9 +43,9 @@ fi
log "Checking that Prometheus can reach the endpoint exposed by SPIRE..." log "Checking that Prometheus can reach the endpoint exposed by SPIRE..."
for ((i=0;i<60;i++)); do for ((i=0;i<60;i++)); do
if ! docker-compose -f "${DIR}"/docker-compose.yaml exec prometheus wget -S spire-server:8088/ | grep -qe "200 OK" ; then if ! docker-compose -f "${DIR}"/docker-compose.yaml exec -T prometheus wget -S spire-server:8088/ 2>&1 | grep -qe "200 OK" ; then
sleep 1 sleep 1
continue continue
fi fi
CONNECTION_OK=1 CONNECTION_OK=1
break break
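Review bot: Dropping `> /dev/null` from the `set-env.sh` and `create-workload-registration-entry.sh` calls sends everything those scripts print into the Actions job log, which is readable by anyone who can view the run. The scripts are not shown in this hunk, so check whether they echo join tokens, generated keys or SVIDs; if they do, keep the output for debugging but filter those values, or redirect to a file that is only dumped when a step fails. The same change is made in the nested test script, for `set-env.sh` and `create-workload-registration-entries.sh`.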


@ -3,7 +3,7 @@ agent {
log_level = "DEBUG" log_level = "DEBUG"
server_address = "root-server" server_address = "root-server"
server_port = "8081" server_port = "8081"
socket_path ="/opt/spire/sockets/workload_api.sock" socket_path = "/opt/spire/sockets/workload_api.sock"
trust_bundle_path = "/opt/spire/conf/agent/bootstrap.crt" trust_bundle_path = "/opt/spire/conf/agent/bootstrap.crt"
trust_domain = "example.org" trust_domain = "example.org"
} }
@ -22,6 +22,8 @@ plugins {
} }
WorkloadAttestor "docker" { WorkloadAttestor "docker" {
plugin_data { plugin_data {
# GitHub worklow activate groups for testing
#container_id_cgroup_matchers = [CGROUP_MATCHERS]
} }
} }
} }
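Review bot: The added comment `# GitHub worklow activate groups for testing` has a typo and does not say that the next line is a template whose `CGROUP_MATCHERS` token is rewritten by a setup script with `sed`. Something like `# Uncommented and filled in by the setup script when running under GitHub Actions` would tell a reader why a commented-out setting with an unquoted placeholder is checked in. The `plugins` block starts before this hunk.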


@ -48,6 +48,15 @@ check-entry-is-propagated() {
} }
# Configure the environment-dependent CGROUP matchers for the docker workload
# attestors.
CGROUP_MATCHERS="TEreso"
if [ -n "${GITHUB_WORKFLOW}" ]; then
CGROUP_MATCHERS='"/actions_job/<id>"'
fi
sed -i.bak "s#\#container_id_cgroup_matchers#container_id_cgroup_matchers#" "${PARENT_DIR}"/root/agent/agent.conf
sed -i.bak "s#CGROUP_MATCHERS#$CGROUP_MATCHERS#" "${PARENT_DIR}"/root/agent/agent.conf
# create a shared folder for root agent socket to be accessed by nestedA and nestedB servers # create a shared folder for root agent socket to be accessed by nestedA and nestedB servers
mkdir -p "${PARENT_DIR}"/sharedRootSocket mkdir -p "${PARENT_DIR}"/sharedRootSocket
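Review bot: The two `sed -i.bak` lines run unconditionally, so outside GitHub Actions the agent config ends up with `container_id_cgroup_matchers = [TEreso]`, an unquoted token that looks like leftover text and not a matcher. Because this setting controls how the docker workload attestor derives the container ID, a wrong value here presumably breaks or misdirects attestation. Move both `sed` calls inside the `if [ -n "${GITHUB_WORKFLOW}" ]` block and drop the `CGROUP_MATCHERS="TEreso"` default, so the line stays commented out for local runs. The edit is also made in place on a tracked file, and the second `-i.bak` overwrites the backup written by the first, so `.bak` no longer holds the original `agent.conf` after the script runs.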


@ -30,10 +30,10 @@ trap clean-env EXIT
log "Preparing Nested SPIRE environment..." log "Preparing Nested SPIRE environment..."
clean-env clean-env
bash "${DIR}"/scripts/set-env.sh > /dev/null bash "${DIR}"/scripts/set-env.sh
log "Creating workload registration entries..." log "Creating workload registration entries..."
bash "${DIR}"/scripts/create-workload-registration-entries.sh > /dev/null bash "${DIR}"/scripts/create-workload-registration-entries.sh
log "checking nested JWT-SVID..." log "checking nested JWT-SVID..."
# Fetch JWT-SVID and extract token # Fetch JWT-SVID and extract token


@ -13,18 +13,15 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
MINIKUBEPROFILE="SPIRE-SYSTEMS-TEST" MINIKUBEPROFILE="SPIRE-SYSTEMS-TEST"
MINIKUBECMD="minikube -p ${MINIKUBEPROFILE}" MINIKUBECMD="minikube -p ${MINIKUBEPROFILE}"
CHECKINTERVAL=1 CHECKINTERVAL=1
if [ -n "${TRAVIS}" ]; then if [ -n "${GITHUB_WORKFLOW}" ]; then
# Use the default profile inside of Travis
MINIKUBECMD="/usr/local/bin/minikube"
# Travis is slow. Give our containers more time.
CHECKINTERVAL=5 CHECKINTERVAL=5
fi fi
TMPDIR=$(mktemp -d) TMPDIR=$(mktemp -d)
SERVERLOGS=${TMPDIR}/spire-server-logs.log SERVERLOGS=${TMPDIR}/spire-server-logs.log
start_minikube() { start_minikube() {
# Travis will start up minikube (via .travis.yml) # GH actions will start up minikube
if [ -z "${TRAVIS}" ]; then if [ -z "${GITHUB_WORKFLOW}" ]; then
echo "${bold}Starting minikube... ${norm}" echo "${bold}Starting minikube... ${norm}"
${MINIKUBECMD} start ${MINIKUBECMD} start
eval $(${MINIKUBECMD} docker-env) eval $(${MINIKUBECMD} docker-env)
@ -36,8 +33,8 @@ tear_down_config() {
} }
stop_minikube() { stop_minikube() {
# Don't stop the minikube inside of travis # Don't stop the minikube inside of GH actions
if [ -z "${TRAVIS}" ]; then if [ -z "${GITHUB_WORKFLOW}" ]; then
${MINIKUBECMD} stop > /dev/null || true ${MINIKUBECMD} stop > /dev/null || true
fi fi
} }
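Review bot: With the Travis override `MINIKUBECMD="/usr/local/bin/minikube"` removed, `MINIKUBECMD` stays `minikube -p ${MINIKUBEPROFILE}` under Actions, while the cluster there is started by the workflow's setup step and not by `start_minikube`. Any call to `${MINIKUBECMD}` outside the two guarded functions (the rest of the script is not visible in these hunks) would then address the `SPIRE-SYSTEMS-TEST` profile, which the setup step probably did not create. Either keep a CI branch that sets `MINIKUBECMD="minikube"`, or confirm nothing else uses the variable. For the detection itself, `GITHUB_ACTIONS` is the variable meant for this check; `GITHUB_WORKFLOW` holds the workflow name.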


@ -38,4 +38,5 @@ done
if [ -n "${FAILED}" ]; then if [ -n "${FAILED}" ]; then
fail "There were test failures" fail "There were test failures"
fi fi
echo "${green}Done. All test passed!${norm}" echo "${green}Done. All test passed!${norm}"