ci: Use OIDC to log into Azure

This completely eliminates the Azure secret from the repo, following the
guidance below:

https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure

The federated identity is scoped to the `ci` environment, meaning:

 * I had to specify this environment in some workflow YAMLs (see the sketch
   after this list). I don't believe there's any downside to this.
 * As before, the CI works seamlessly both from PRs and from the manual
   workflow.
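
For reference, here is a minimal sketch of what that scoping looks like in a
workflow job (the job name and the `AZURE_*` variable names are illustrative
assumptions, not necessarily what this repo uses):

    permissions:
      contents: read
      id-token: write    # lets the job request an OIDC token from GitHub

    jobs:
      run-aks-tests:
        runs-on: ubuntu-22.04
        environment: ci    # must match the environment the federated credential is scoped to
        steps:
          - name: Log into Azure (OIDC, no client secret)
            uses: azure/login@v2
            with:
              client-id: ${{ vars.AZURE_CLIENT_ID }}
              tenant-id: ${{ vars.AZURE_TENANT_ID }}
              subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}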

I also deleted the tools/packaging/kata-deploy/action folder as it doesn't seem
to be used anymore, and it contains a reference to the secret.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
Aurélien Bombo
2025-06-05 19:43:56 -05:00
parent 31a8944da1
commit 9dd3807467
21 changed files with 37 additions and 392 deletions

@@ -1,31 +0,0 @@
# Copyright (c) 2019 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
FROM mcr.microsoft.com/azure-cli:2.9.1
LABEL com.github.actions.name="Test kata-deploy in an AKS cluster"
LABEL com.github.actions.description="Test kata-deploy in an AKS cluster"
# Default to latest validated AKS-engine version
ARG AKS_ENGINE_VER="v0.62.0"
ARG ARCH=amd64
ENV GITHUB_ACTION_NAME="Test kata-deploy in an AKS cluster"
# When run, we expect the caller (GitHub Action workflow) to provide the
# PKG_SHA environment variable
ENV PKG_SHA=HEAD
RUN curl -LO "https://dl.k8s.io/release/$(curl -s https://dl.k8s.io/release/stable.txt)/bin/linux/${ARCH}/kubectl" \
&& chmod +x ./kubectl \
&& mv ./kubectl /usr/local/bin/kubectl
RUN curl -LO "https://github.com/Azure/aks-engine/releases/download/${AKS_ENGINE_VER}/aks-engine-${AKS_ENGINE_VER}-linux-${ARCH}.tar.gz" \
&& tar xvf "aks-engine-${AKS_ENGINE_VER}-linux-${ARCH}.tar.gz" \
&& mv "aks-engine-${AKS_ENGINE_VER}-linux-${ARCH}/aks-engine" /usr/local/bin/aks-engine \
&& rm "aks-engine-${AKS_ENGINE_VER}-linux-${ARCH}.tar.gz"
COPY kubernetes-containerd.json /
COPY setup-aks.sh test-kata.sh entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]

@@ -1,13 +0,0 @@
# action.yml
name: 'kata-deploy-aks'
description: 'test Kata container image in AKS'
inputs:
  packaging-sha:
    description: 'SHA we are using for pulling packaging manifests'
    required: true
    default: ''
runs:
  using: 'docker'
  image: 'Dockerfile'
  args:
    - ${{ inputs.packaging-sha }}

@@ -1,24 +0,0 @@
#!/usr/bin/env bash
#
# Copyright (c) 2018 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
set -o errexit
set -o pipefail
set -o nounset
# This entrypoint expects an environment variable, PKG_SHA, to be set in the
# container's environment. A default is provided in the Dockerfile, but we
# expect the caller to pass this into the container run (i.e. docker run -e PKG_SHA=foo ...)
echo "provided package reference: ${PKG_SHA}"
# Since this is the entrypoint for the container image, we know that the AKS and Kata setup/testing
# scripts are located at root.
source /setup-aks.sh
source /test-kata.sh
trap destroy_aks EXIT
setup_aks
test_kata

@@ -1,43 +0,0 @@
{
  "apiVersion": "vlabs",
  "properties": {
    "orchestratorProfile": {
      "orchestratorType": "Kubernetes",
      "orchestratorVersion": "1.20.5",
      "kubernetesConfig": {
        "containerRuntime": "containerd",
        "useManagedIdentity": false
      }
    },
    "masterProfile": {
      "count": 1,
      "dnsPrefix": "",
      "vmSize": "Standard_D2_v2"
    },
    "agentPoolProfiles": [
      {
        "name": "agentpool",
        "count": 1,
        "vmSize": "Standard_D4s_v3",
        "availabilityProfile": "AvailabilitySet"
      }
    ],
    "linuxProfile": {
      "adminUsername": "azureuser",
      "runUnattendedUpgradesOnBootstrap": false,
      "ssh": {
        "publicKeys": [
          {
            "keyData": ""
          }
        ]
      }
    },
    "servicePrincipalProfile": {
      "clientId": "",
      "secret": ""
    }
  }
}

@@ -1,51 +0,0 @@
#!/usr/bin/env bash
#
# Copyright (c) 2019 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
set -o errexit
set -o pipefail
set -o nounset
export AZURE_HTTP_USER_AGENT="GITHUBACTIONS_${GITHUB_ACTION_NAME}_${GITHUB_REPOSITORY}"
LOCATION=${LOCATION:-westus2}
DNS_PREFIX=${DNS_PREFIX:-kata-deploy-${GITHUB_SHA:0:10}}
CLUSTER_CONFIG=${CLUSTER_CONFIG:-/kubernetes-containerd.json}
function die() {
    msg="$*"
    echo "ERROR: $msg" >&2
    exit 1
}

function destroy_aks() {
    set +x

    export KUBECONFIG="${PWD}/_output/${DNS_PREFIX}/kubeconfig/kubeconfig.${LOCATION}.json"

    az login --service-principal -u "$AZ_APPID" -p "$AZ_PASSWORD" --tenant "$AZ_TENANT_ID"
    az group delete --name "$DNS_PREFIX" --yes --no-wait
    az logout
}

function setup_aks() {
    # use ${VAR:-} so the friendly error is printed even under 'set -o nounset'
    [[ -z "${AZ_APPID:-}" ]] && die "no Azure service principal ID provided"
    [[ -z "${AZ_PASSWORD:-}" ]] && die "no Azure service principal secret provided"
    [[ -z "${AZ_SUBSCRIPTION_ID:-}" ]] && die "no Azure subscription ID provided"
    [[ -z "${AZ_TENANT_ID:-}" ]] && die "no Azure tenant ID provided"

    aks-engine deploy --subscription-id "$AZ_SUBSCRIPTION_ID" \
        --client-id "$AZ_APPID" --client-secret "$AZ_PASSWORD" \
        --location "$LOCATION" --dns-prefix "$DNS_PREFIX" \
        --api-model "$CLUSTER_CONFIG" --force-overwrite

    export KUBECONFIG="${PWD}/_output/${DNS_PREFIX}/kubeconfig/kubeconfig.${LOCATION}.json"

    # wait for the cluster to be settled:
    kubectl wait --timeout=10m --for=condition=Ready --all nodes

    # make sure coredns is up before moving forward:
    kubectl wait --timeout=10m -n kube-system --for=condition=Available deployment/coredns
}

@@ -1,162 +0,0 @@
#!/usr/bin/env bash
#
# Copyright (c) 2019 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
set -o errexit
set -o pipefail
set -o nounset
function die() {
    msg="$*"
    echo "ERROR: $msg" >&2
    exit 1
}

function waitForProcess() {
    wait_time="$1"
    cmd="$2"
    sleep_time=5

    echo "waiting for process $cmd"
    while [ "$wait_time" -gt 0 ]; do
        if eval "$cmd"; then
            return 0
        else
            sleep "$sleep_time"
            wait_time=$((wait_time-sleep_time))
        fi
    done

    return 1
}
# waitForLabelRemoval waits for the kata-runtime labels to be removed, until a given
# timeout expires
function waitForLabelRemoval() {
    wait_time="$1"
    sleep_time=5

    echo "waiting for kata-runtime label to be removed"
    while [[ "$wait_time" -gt 0 ]]; do
        # if a node is found which matches the node selector, the output will include a
        # column for the node name, NAME. Let's look for that
        if [[ -z $(kubectl get nodes --selector katacontainers.io/kata-runtime 2>&1 | grep NAME) ]]; then
            return 0
        else
            sleep "$sleep_time"
            wait_time=$((wait_time-sleep_time))
        fi
    done

    kubectl get pods,nodes --all-namespaces --show-labels
    echo "failed to cleanup"
    return 1
}
function run_test() {
    YAMLPATH="./tools/packaging/kata-deploy/"

    echo "verify connectivity with a pod using Kata"

    deployment=""
    busybox_pod="test-nginx"
    busybox_image="busybox"
    cmd="kubectl get pods | grep $busybox_pod | grep Completed"
    wait_time=120

    configurations=("nginx-deployment-qemu" "nginx-deployment-clh" "nginx-deployment-dragonball")
    for deployment in "${configurations[@]}"; do
        # start the kata pod:
        kubectl apply -f "$YAMLPATH/examples/${deployment}.yaml"

        # in case the control plane is slow, give it a few seconds to accept the yaml, otherwise
        # our 'wait' for deployment status will fail to find the deployment at all
        sleep 3

        kubectl wait --timeout=5m --for=condition=Available deployment/${deployment} || kubectl describe pods
        kubectl expose deployment/${deployment}

        # test pod connectivity:
        kubectl run $busybox_pod --restart=Never --image="$busybox_image" -- wget --timeout=5 "$deployment"
        waitForProcess "$wait_time" "$cmd"
        kubectl logs "$busybox_pod" | grep "index.html"
        kubectl describe pod "$busybox_pod"

        # cleanup:
        kubectl delete deployment "$deployment"
        kubectl delete service "$deployment"
        kubectl delete pod "$busybox_pod"
    done
}
function test_kata() {
    set -x

    [[ -z "$PKG_SHA" ]] && die "no PKG_SHA provided"

    YAMLPATH="./tools/packaging/kata-deploy/"

    # This action could be called in two contexts:
    #  1. Packaging workflows: testing in the packaging repository, where we assume the
    #     yaml/packaging bits under test are already part of the action workspace.
    #  2. From kata-containers: when creating a release, the appropriate packaging repository
    #     is not yet part of the workspace, and we will need to clone it
    if [[ ! -d $YAMLPATH ]]; then
        git clone https://github.com/kata-containers/kata-containers
        cd kata-containers
        git fetch
        git checkout $PKG_SHA
    fi

    kubectl apply -f "$YAMLPATH/kata-rbac/base/kata-rbac.yaml"

    # apply runtime classes:
    kubectl apply -f "$YAMLPATH/runtimeclasses/kata-runtimeClasses.yaml"

    kubectl get runtimeclasses

    # update the deployment daemonset to utilize the container under test:
    sed -i "s#quay.io/kata-containers/kata-deploy:latest#quay.io/kata-containers/kata-deploy-ci:${PKG_SHA}#g" $YAMLPATH/kata-deploy/base/kata-deploy.yaml
    sed -i "s#quay.io/kata-containers/kata-deploy:latest#quay.io/kata-containers/kata-deploy-ci:${PKG_SHA}#g" $YAMLPATH/kata-cleanup/base/kata-cleanup.yaml

    cat $YAMLPATH/kata-deploy/base/kata-deploy.yaml

    # deploy kata:
    kubectl apply -f $YAMLPATH/kata-deploy/base/kata-deploy.yaml

    # in case the control plane is slow, give it a few seconds to accept the yaml, otherwise
    # our 'wait' for deployment status will fail to find the deployment at all. If it can't persist
    # the daemonset to etcd in 30 seconds... then we'll fail.
    sleep 30

    # wait for kata-deploy to be up
    kubectl -n kube-system wait --timeout=10m --for=condition=Ready -l name=kata-deploy pod

    # show running pods, and labels of nodes
    kubectl get pods,nodes --all-namespaces --show-labels

    run_test

    kubectl get pods,nodes --show-labels

    # Remove Kata
    kubectl delete -f $YAMLPATH/kata-deploy/base/kata-deploy.yaml
    kubectl -n kube-system wait --timeout=10m --for=delete -l name=kata-deploy pod

    kubectl get pods,nodes --show-labels

    kubectl apply -f $YAMLPATH/kata-cleanup/base/kata-cleanup.yaml

    # The cleanup daemonset will run a single time, since it will clear the node label. Thus, it's
    # difficult to check the daemonset's status for completion. Instead, let's wait until the
    # kata-runtime labels are removed from all of the worker nodes. If this doesn't happen after
    # 2 minutes, let's fail.
    timeout=120
    waitForLabelRemoval $timeout

    kubectl delete -f $YAMLPATH/kata-cleanup/base/kata-cleanup.yaml

    set +x
}