Merge pull request #18 from apigee/feat/test-ansible

feat: added ansible test

.github/workflows/testing.yml

@@ -57,9 +57,6 @@ jobs:
         name: Checkout
         uses: actions/checkout@v2
 
-      - id: commit
-        uses: prompt/actions-commit-hash@v3
-
       - id: auth
         name: Authenticate with Google Cloud
         uses: google-github-actions/auth@v0
@@ -87,7 +84,7 @@ jobs:
           GCP_REGION: ${{ secrets.GCP_REGION }}
 
   deploy-runtime-plane-gke:
-    name: Deploy Apigee Hybrid Runtime GKE Platform
+    name: Deploy GKE Cluster
     runs-on: ubuntu-latest
     if: github.event_name == 'push'
     permissions:
@@ -99,9 +96,6 @@ jobs:
         name: Checkout
         uses: actions/checkout@v2
 
-      - id: commit
-        uses: prompt/actions-commit-hash@v3
-
       - id: auth
         name: Authenticate with Google Cloud
         uses: google-github-actions/auth@v0
@@ -127,3 +121,55 @@ jobs:
           TF_BACKEND_BUCKET: ${{ secrets.TF_BACKEND_BUCKET }}
           GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
           GCP_REGION: ${{ secrets.GCP_REGION }}
+
+  deploy-runtime-plane:
+    name: Deploy Apigee Hybrid Single DC
+    runs-on: self-hosted
+    if: github.event_name == 'push'
+    needs:
+      - docker-build
+      - deploy-runtime-plane-gke
+      - deploy-control-plane
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    steps:
+      - id: checkout
+        name: Checkout
+        uses: actions/checkout@v2
+
+      - id: commit
+        uses: prompt/actions-commit-hash@v3
+
+      - id: auth
+        name: Authenticate with Google Cloud
+        uses: google-github-actions/auth@v0
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_POOL_PROVIDER_NAME }}
+          service_account: ${{ secrets.SVC_ACCOUNT_EMAIL }}
+          access_token_lifetime: 300s
+          create_credentials_file: true
+
+      - name: Login to Artifact Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ${{ secrets.GCP_REGION }}-docker.pkg.dev
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+
+      - name: Run Ansible Playbook
+        id: init
+        run: |
+          bash run_playbook.sh \
+            ${{ github.workspace }} \
+            ${{ steps.commit.outputs.short }}
+        shell: bash
+        working-directory: ./test/scripts
+        env:
+          TF_BACKEND_BUCKET: ${{ secrets.TF_BACKEND_BUCKET }}
+          GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
+          GCP_REGION: ${{ secrets.GCP_REGION }}
+          GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.auth.outputs.credentials_file_path }}
+          GCP_GAR_REPO: ${{ secrets.GCP_GAR_REPO }}
+          GCP_ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }}

roles/apigee-hybrid-overrides/templates/overrides.yaml.j2

@@ -80,8 +80,6 @@ envs:
     runtime:
       replicaCountMax: {{ each_env.get('runtime',{}).get('replicaCountMax',{}) if each_env.get('runtime',{}).get('replicaCountMax',{}) else '' }}
       replicaCountMin: {{ each_env.get('runtime',{}).get('replicaCountMin',{}) if each_env.get('runtime',{}).get('replicaCountMin',{}) else '' }}
-  serviceAccountPaths:
-    synchronizer:
   serviceAccountSecretRefs:
     synchronizer: {{ svc_account(create_service_account, deployment_environment,'synchronizer', overrides.synchronizer.serviceAccountRef) | indent( width=4)}}
     udca: {{ svc_account(create_service_account, deployment_environment,'udca', overrides.udca.serviceAccountRef) | indent( width=4)}}

roles/apigee-hybrid-overrides/templates/service_account.j2

@@ -7,8 +7,7 @@
 {% else %}
 {{ 'apigee-non-prod-svc-account-secret' % project_id }}
 {%- endif %}
-{%- endif %}
-{% if name  -%}
+{% else %}
 {{ name }}
 {%- endif %}
 {% endmacro %}

roles/prepare-service-accounts/tasks/main.yml

@@ -76,14 +76,13 @@
         - name: Create Service Account
           shell: |
             download_keys(){
-            local sa_name=$1
-            local sa_email=$2
-            local output_dir=$3
-            local project_id=$4
-            gcloud iam service-accounts keys create "${output_dir}/${project_id}-${sa_name}.json" \
-                --iam-account="${sa_email}" || \
-                    log_error "Failed to download keys for service account ${sa_name}"
-            echo "JSON Key ${sa_name} was successfully download to directory ${output_dir}."
+                local sa_name=$1
+                local sa_email=$2
+                local output_dir=$3
+                local project_id=$4
+                gcloud iam service-accounts keys create "${output_dir}/${project_id}-${sa_name}.json" \
+                    --iam-account="${sa_email}" || exit 1
+                echo "JSON Key ${sa_name} was successfully download to directory ${output_dir}."
             }
             download_keys {{ item }} {{ item }}@{{ overrides.gcp.projectID }}.iam.gserviceaccount.com {{ setup_path }}/service-accounts {{ overrides.gcp.projectID }}
           with_items: "{{ missing_svc_account_files }}"

roles/validate-input-apigee-control-plane/files/validate_apigee_objects.py

@@ -42,18 +42,11 @@ def __init__(
             else "Basic {}".format(access_token)  # noqa
         }
 
-    def get_token_user(self, token):
-        url = f"https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={token}"  # noqa
-        response = requests.get(url)
-        if response.status_code == 200:
-            return response.json()['email']
-        return ''
-
     def is_token_valid(self, token):
         url = f"https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={token}"  # noqa
         response = requests.get(url)
         if response.status_code == 200:
-            print(f"Token Validated for user {response.json()['email']}")
+            print("Token Validated")
             return True
         return False
 
@@ -139,18 +132,17 @@ def main():
         args.access_token,
     )
     validations = []
-    authenticated_user = TargetApigee.get_token_user(args.access_token)
     if not TargetApigee.get_org():
-        validations.append(f"Apigee Organization : {apigee_org} doesnt exist OR user {authenticated_user} doesnt have permissions ")  # noqa pylint: disable=line-too-long
+        validations.append(f"Apigee Organization : {apigee_org} doesnt exist OR user doesnt have permissions ")  # noqa pylint: disable=line-too-long
 
     for apigee_env in apigee_envs:
         if not TargetApigee.get_environment(apigee_env['name']):
-            validations.append(f"Apigee Environment : {apigee_env['name']} doesnt exist OR user {authenticated_user} doesnt have permissions ")  # noqa pylint: disable=line-too-long
+            validations.append(f"Apigee Environment : {apigee_env['name']} doesnt exist OR user doesnt have permissions ")  # noqa pylint: disable=line-too-long
 
     for apigee_vhost in apigee_vhosts:
         apigee_vhost_status, apigee_vhost_info = TargetApigee.get_env_group(apigee_vhost['name'])  # noqa pylint: disable=line-too-long
         if not apigee_vhost_status:
-            validations.append(f"Apigee Environment Group : {apigee_vhost['name']} doesnt exist OR user {authenticated_user} doesnt have permissions ")  # noqa pylint: disable=line-too-long
+            validations.append(f"Apigee Environment Group : {apigee_vhost['name']} doesnt exist OR user doesnt have permissions ")  # noqa pylint: disable=line-too-long
 
         if apigee_vhost_status:
             apigee_vhost_hostname = apigee_vhost.get('hostnames', [])

test/scripts/run_playbook.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -x
+ANSIBLE_DIR="${1}"
+GIT_COMMIT_SHORT_ID="$2"
+cd "$ANSIBLE_DIR" || exit
+
+# Function to replace a string from a file
+function replace_string() {
+  # Get the search and replacement strings from the user
+  input_file="$1"
+  search_string="$2"
+  replacement_string="$3"
+  # Replace the string in the file
+  sed -i "s/$search_string/$replacement_string/g" "$input_file"
+}
+
+replace_string "$ANSIBLE_DIR/vars/test.yaml" "_GCP_PROJECT_ID_" "${GCP_PROJECT_ID}"
+replace_string "$ANSIBLE_DIR/vars/test.yaml" "_GCP_REGION_" "${GCP_REGION}"
+
+DATE_EPOCH=$(date +%s)
+CONTAINER_NAME="ansible-run-${DATE_EPOCH}"
+
+docker run --name "${CONTAINER_NAME}"\
+    -v "$ANSIBLE_DIR:/app" \
+    -v "$GOOGLE_APPLICATION_CREDENTIALS:/svc_account/account.json" \
+    -e GOOGLE_APPLICATION_CREDENTIALS=/svc_account/account.json \
+    "$GCP_REGION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_GAR_REPO/ansible-helm-apigee-hybrid-deployer:latest" \
+    /bin/bash -c "cd /app; \
+      PIPELINE_STATUS=\"success\"; \
+      mkdir -p /tmp/setup; echo \"started\" > /tmp/setup/start.log; \
+      gcloud auth login --cred-file=/svc_account/account.json; \
+      gcloud container clusters get-credentials apigee-hybrid-cicd-test --region $GCP_REGION --project $GCP_PROJECT_ID; \
+      ansible-playbook playbook.yaml --tags 'dc1' -e @vars/test.yaml"
+
+CONTAINER_EXIT_CODE=$(docker inspect "$CONTAINER_NAME" --format='{{.State.ExitCode}}')
+if [ "$CONTAINER_EXIT_CODE" -ne 0 ]; then
+  LOG_DUMP=$(mktemp -d)
+  docker cp "$CONTAINER_NAME:/tmp/setup" "$LOG_DUMP"
+  gsutil -m cp -r "$LOG_DUMP" "gs://$TF_BACKEND_BUCKET/ansible_run_log/$GIT_COMMIT_SHORT_ID"
+  exit 1
+fi