From 8d0e78a9e1b3ba3aa95fb851d26737a8e13b37a8 Mon Sep 17 00:00:00 2001 From: anaik91 Date: Sat, 28 Oct 2023 17:05:51 +0530 Subject: [PATCH 1/9] feat: added ansible test --- .github/workflows/testing.yml | 54 +++++++++++++++++++++++++++++++---- 1 file changed, 48 insertions(+), 6 deletions(-) diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index 1314fb3..521b046 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -57,9 +57,6 @@ jobs: name: Checkout uses: actions/checkout@v2 - - id: commit - uses: prompt/actions-commit-hash@v3 - - id: auth name: Authenticate with Google Cloud uses: google-github-actions/auth@v0 @@ -99,9 +96,6 @@ jobs: name: Checkout uses: actions/checkout@v2 - - id: commit - uses: prompt/actions-commit-hash@v3 - - id: auth name: Authenticate with Google Cloud uses: google-github-actions/auth@v0 
@@ -127,3 +121,51 @@ jobs: TF_BACKEND_BUCKET: ${{ secrets.TF_BACKEND_BUCKET }} GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }} GCP_REGION: ${{ secrets.GCP_REGION }} + + deploy-runtime-plane: + name: Deploy Apigee Hybrid Runtime GKE Platform + runs-on: ubuntu-latest + if: github.event_name == 'push' + needs: + - docker-build + - deploy-runtime-plane-gke + - deploy-control-plane + permissions: + contents: 'read' + id-token: 'write' + steps: + - id: checkout + name: Checkout + uses: actions/checkout@v2 + + - id: commit + uses: prompt/actions-commit-hash@v3 + + - id: auth + name: Authenticate with Google Cloud + uses: google-github-actions/auth@v0 + with: + token_format: access_token + workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_POOL_PROVIDER_NAME }} + service_account: ${{ secrets.SVC_ACCOUNT_EMAIL }} + access_token_lifetime: 300s + + - name: Login to Artifact Registry + uses: docker/login-action@v1 + with: + registry: ${{ secrets.GCP_REGION }}-docker.pkg.dev + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} + + - name: Run Terraform + id: init + run: | + docker run -v ${{ github.workspace }}:/app \ + ${{ secrets.GCP_REGION }}-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/${{ secrets.GCP_GAR_REPO }}/ansible-helm-apigee-hybrid-deployer:${{ steps.commit.outputs.short }} \ + cd /app && ansible-playbook playbook.yaml --list-tags + shell: bash + # working-directory: ./test/scripts + env: + TF_BACKEND_BUCKET: ${{ secrets.TF_BACKEND_BUCKET }} + GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }} + GCP_REGION: ${{ secrets.GCP_REGION }} From 5094d0f74afa17245e97c51d73ef8a3577ea92b1 Mon Sep 17 00:00:00 2001 
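Review bot: Every action in the new `deploy-runtime-plane` job is referenced by a floating tag (`actions/checkout@v2`, `prompt/actions-commit-hash@v3`, `google-github-actions/auth@v0`, `docker/login-action@v1`), so a retagged upstream release silently changes what executes with `id-token: write` and a live registry token; pin each `uses:` to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: google-github-actions/auth@<commit-sha>  # v0`. The "Run Terraform" step passes `cd /app && ansible-playbook playbook.yaml --list-tags` after the image name with no shell wrapper, so the runner's own shell splits on `&&` and would execute `ansible-playbook` on the host rather than in the container; wrap the command as `/bin/bash -c "cd /app && ansible-playbook playbook.yaml --list-tags"`. The step is also still named "Run Terraform" and has `id: init` although it runs Ansible, which will mislead anyone reading job logs.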
From: anaik91 Date: Sat, 28 Oct 2023 17:32:57 +0530 Subject: [PATCH 2/9] feat: added scripts to run playbook --- .github/workflows/testing.yml | 23 +- test/scripts/run_playbook.sh | 39 +++ vars/test.yaml | 451 ++++++++++++++++++++++++++++++++++ vars/vars.yaml | 2 +- 4 files changed, 504 insertions(+), 11 deletions(-) create mode 100755 test/scripts/run_playbook.sh create mode 100644 vars/test.yaml diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index 521b046..9c6c74b 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -124,12 +124,12 @@ jobs: deploy-runtime-plane: name: Deploy Apigee Hybrid Runtime GKE Platform - runs-on: ubuntu-latest + runs-on: self-hosted if: github.event_name == 'push' - needs: - - docker-build - - deploy-runtime-plane-gke - - deploy-control-plane + # needs: + # - docker-build + # - deploy-runtime-plane-gke + # - deploy-control-plane permissions: contents: 'read' id-token: 'write' @@ -149,6 +149,7 @@ jobs: workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_POOL_PROVIDER_NAME }} service_account: ${{ secrets.SVC_ACCOUNT_EMAIL }} access_token_lifetime: 300s + create_credentials_file: true - name: Login to Artifact Registry uses: docker/login-action@v1 
@@ -157,15 +158,17 @@ jobs: username: oauth2accesstoken password: ${{ steps.auth.outputs.access_token }} - - name: Run Terraform + - name: Run Ansible Playbook id: init run: | - docker run -v ${{ github.workspace }}:/app \ - ${{ secrets.GCP_REGION }}-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/${{ secrets.GCP_GAR_REPO }}/ansible-helm-apigee-hybrid-deployer:${{ steps.commit.outputs.short }} \ - cd /app && ansible-playbook playbook.yaml --list-tags + bash run_playbook.sh \ + ${{ github.workspace }} latest shell: bash - # working-directory: ./test/scripts + working-directory: ./test/scripts env: TF_BACKEND_BUCKET: ${{ secrets.TF_BACKEND_BUCKET }} GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }} GCP_REGION: ${{ secrets.GCP_REGION }} + GOOGLE_APPLICATION_CREDENTIALS: ${{ steps.auth.outputs.credentials_file_path }} + GCP_GAR_REPO: ${{ secrets.GCP_GAR_REPO }} + GCP_ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }} diff --git a/test/scripts/run_playbook.sh b/test/scripts/run_playbook.sh new file mode 100755 index 0000000..e9733aa --- /dev/null +++ b/test/scripts/run_playbook.sh 
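Review bot: `GCP_ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }}` is exported into the step environment, but `test/scripts/run_playbook.sh` added in this same commit never reads it, and that script runs under `set -x`, so any later use of the variable in a traced command would print the bearer token into the job log; drop the variable until something needs it (the Artifact Registry login step already consumed the token). Note that `GOOGLE_APPLICATION_CREDENTIALS` here is the workload-identity credential configuration produced by `create_credentials_file: true`, not a kubeconfig, which matters because the script bind-mounts it at `/app/kubeconfig`. The step still carries `id: init`, a leftover from the Terraform version; rename it to something like `id: playbook` so later steps can reference it sensibly.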
@@ -0,0 +1,39 @@ +#!/bin/bash + +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -x +ANSIBLE_DIR="${1}" +GIT_COMMIT_SHORT_ID="$2" +cd "$ANSIBLE_DIR" || exit + +# Function to replace a string from a file +function replace_string() { + # Get the search and replacement strings from the user + input_file="$1" + search_string="$2" + replacement_string="$3" + # Replace the string in the file + sed -i "s/$search_string/$replacement_string/g" "$input_file" +} + +replace_string "$ANSIBLE_DIR/vars/test.yaml" "_GCP_PROJECT_ID_" "${GCP_PROJECT_ID}" +replace_string "$ANSIBLE_DIR/vars/test.yaml" "_GCP_REGION_" "${GCP_REGION}" + +docker run -v "$ANSIBLE_DIR:/app" \ + -v "$GOOGLE_APPLICATION_CREDENTIALS:/app/kubeconfig" \ + -e GOOGLE_APPLICATION_CREDENTIALS=/app/kubeconfig \ + "$GCP_REGION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_GAR_REPO/ansible-helm-apigee-hybrid-deployer:$GIT_COMMIT_SHORT_ID" \ + /bin/bash -c "cd /app && ansible-playbook playbook.yaml --tags 'dc1' -e @vars/test.yaml" diff --git a/vars/test.yaml b/vars/test.yaml new file mode 100644 index 0000000..025de2d --- /dev/null +++ b/vars/test.yaml 
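Review bot: The script enables `set -x` but never sets `-e`, `-u` or `pipefail`, so an unset `GOOGLE_APPLICATION_CREDENTIALS` silently turns the mount into `-v ":/app/kubeconfig"`, a failed `sed` is ignored, and every expanded command is echoed into the job log; replace the first line with `set -euo pipefail` and add `-x` only while debugging. `replace_string` interpolates `$search_string` and `$replacement_string` directly into `sed "s/.../.../g"`, so a `/` or `&` in the project-id or region value breaks or rewrites the substitution; use a delimiter that cannot occur in those values and escape `&`, e.g. `sed -i "s|$search_string|${replacement_string//&/\\&}|g" "$input_file"`. The file mounted at `/app/kubeconfig` is the workload-identity credential configuration, not a kubeconfig, so anything that reads `kubeconfigs.primary` from it will receive the wrong file type under a misleading name. Running the container without `--rm` also leaves it, and its `/tmp`, behind on the self-hosted runner after each job.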
@@ -0,0 +1,451 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +# Path to download/generate files +setup_path: "/tmp" + +# Set `cert_manager_version: : v1.7.2` refer: https://cloud.google.com/apigee/docs/hybrid/v1.10/install-cert-manager +install_cert_manager: false +cert_manager_version: v1.7.2 + +################################################ TLS certificate details ################################################ + +# Set `generate_certificates: true`` to generate self signed certifcates +# This will also create the K8s secrets to referece in overrides.yaml unless overidden below +generate_certificates: true + +# Set this only when `generate_certificates: true` +# Use `cert_cn` to set certifcate CN +cert_cn: apigee.com + +################################################ TLS certificate details ################################################ + +################################################ Service Account details ################################################ + +# Set to true to download service accounts JSON and create K8s Secrets +create_service_account: true + +# Set this only when `create_service_account: true` +# Set to `prod` OR `non-prod` to generate service accounts based on https://cloud.google.com/apigee/docs/hybrid/v1.10/sa-about#recommended-sas +deployment_environment: prod + +# Set this only when `create_service_account: false` +# Set the Synchronizer service account to run 
https://cloud.google.com/apigee/docs/hybrid/v1.10/install-enable-synchronizer-access +synchronizer_prod_svc_account: apigee-synchronizer + +################################################ Service Account details ################################################ + +################################################ Helm details ################################################ +# refer: https://cloud.google.com/apigee/docs/hybrid/preview/helm-install#pull-apigee-helm-charts + +helm_chart_repo: oci://us-docker.pkg.dev/apigee-release/apigee-hybrid-helm-charts +helm_chart_version: 1.10.3 +helm_charts: + - apigee-operator + - apigee-datastore + - apigee-env + - apigee-ingress-manager + - apigee-org + - apigee-redis + - apigee-telemetry + - apigee-virtualhost + +################################################helm details ################################################ + +################################################Kubeconfigs ################################################ + +kubeconfigs: + # set `primary: ` to deploy Apigee Hybrid Primary DC + primary: /Users/ashwinknaik/codes/git/apigee-hybrid-ansible/ansible/certs/dc1.config + # set `secondary: ` to deploy Apigee Hybrid Secondary DC + # secondary: /tmp/dc2.config + +################################################Kubeconfigs ################################################ + +################################################Post Setup Validation Details ################################################ + +internet_access: true +validate_api_redeploy: false + +################################################Post Setup Validation Details ################################################ + +################################################Apigee Hybrid Helm Values ################################################ + +## To fill this section refer the https://cloud.google.com/apigee/docs/hybrid/v1.10/config-prop-ref + +overrides: + k8sCluster: + name: apigee-hybrid-cicd-test + region: _GCP_REGION_ + # + # The closet GCP 
region of the k8s cluster + # + # NOTE: StackDriver (SD) does not provide logging regionalization yet: go/logging-regionalization + # but the region is still required as it is one of the mandatory labels that the logs are tagged + # with when pushed to SD. + # + # Currently, projectID and projectIDRuntime are being used by the apigee-logger and the apigee-metrics + # to push their data in the below specific GCP project with the cluster name and the GCP region. The + # projectIDRuntime property is optional. If not used, it is assumed that projectID value is + # used for both the Apigee organization's GCP project and the runtime K8S cluster's project. + # + gcp: + region: _GCP_REGION_ + projectID: _GCP_PROJECT_ID_ + revision: "1103" + instanceID: "asdasdmasdmasmd" + # + # For Telemetry support for Multi-Org cluster. The feature is disabled by default. + # Enabling this flag will export the metrics from Multi-Org cluster to the + # "gcp.projectID" overrides.yaml configuration. + # + multiOrgCluster: false + # + # k8s secret name to use for pulling the docker images. + # + imagePullSecrets: + + # httpProxy: + # host: 172.23.3.99 + # port: 8080 + # scheme: HTTP + + + nodeSelector: + requiredForScheduling: true + apigeeRuntime: + key: "apigee-nodepool" + value: "apigee-runtime" + apigeeData: + key: "apigee-nodepool" + value: "apigee-data" + # + # Enables strict validation of service account permissions. This uses Cloud Resource Manager API + # method "testIamPermissions" to verify that the provided service account has the required + # permissions. In the case of service accounts for an Apigee Org, the project ID check is the one + # mapped to the Organization. For Metrics and Logger, the project checked is based on the + # "gcp.projectID" overrides.yaml configuration. + validateServiceAccounts: true + # + # Enables strict validation for the link between the Apigee Org and GCP project, as well + # as if the environment groups already exist. 
+ validateOrg: true + # + # Enables org scoped UDCA deployment rather than the per-environment UDCA deployment model + orgScopedUDCA: true + + virtualhosts: + - name: test1 + sslSecret: apigee1-tls-secret + hostnames: + - test1.api.example.com + + - name: test2 + sslSecret: apigee2-tls-secret + hostnames: + - test2.api.example.com + + envs: + - name: test1 + synchronizer: + replicaCountMin: 1 + replicaCountMax: 4 + runtime: + replicaCountMax: 3 + + - name: test2 + + mart: + serviceAccountRef: apigee-hybrid-secret + replicaCountMin: 1 + replicaCountMax: 2 + image: + url: "gcr.io/apigee-release/hybrid/apigee-mart-server" + tag: "1.10.3" + pullPolicy: IfNotPresent + resources: + requests: + cpu: 500m + memory: 512Mi + + mintTaskScheduler: + image: + url: "gcr.io/apigee-release/hybrid/apigee-mint-task-scheduler" + tag: "1.10.3" + pullPolicy: IfNotPresent + resources: + requests: + cpu: 500m + memory: 512Mi + # + # Apigee Sychronizer. + # + synchronizer: + replicaCountMin: 1 + replicaCountMax: 4 + serviceAccountRef: apigee-hybrid-secret + image: + url: "gcr.io/apigee-release/hybrid/apigee-synchronizer" + tag: "1.10.3" + pullPolicy: IfNotPresent + resources: + requests: + cpu: 100m + memory: 512Mi + # + # Apigee Runtime. + # + runtime: + serviceAccountRef: apigee-hybrid-secret + replicaCountMin: 1 + replicaCountMax: 4 + image: + url: "gcr.io/apigee-release/hybrid/apigee-runtime" + tag: "1.10.3" + pullPolicy: IfNotPresent + resources: + requests: + cpu: 500m + memory: 512Mi + # + # Apigee Cassandra. 
+ # + cassandra: + hostNetwork: false + auth: + secret: "" + image: + url: "gcr.io/apigee-release/hybrid/apigee-hybrid-cassandra-client" + tag: "1.10.3" + pullPolicy: IfNotPresent + replicaCount: 3 + # multiRegionSeedHost: + storage: + storageclass: + capacity: 10Gi + image: + url: "gcr.io/apigee-release/hybrid/apigee-hybrid-cassandra" + tag: "1.10.3" + pullPolicy: IfNotPresent + resources: + requests: + cpu: 500m + memory: 1Gi + maxHeapSize: 512M + heapNewSize: 100M + # datacenter: "dc-1" + backup: + enabled: false + image: + url: "gcr.io/apigee-release/hybrid/apigee-cassandra-backup-utility" + tag: "1.10.3" + pullPolicy: IfNotPresent + serviceAccountRef: apigee-hybrid-secret + schedule: "0 2 * * *" + dbStorageBucket: + restore: + enabled: false + snapshotTimestamp: + image: + url: "gcr.io/apigee-release/hybrid/apigee-cassandra-backup-utility" + tag: "1.10.3" + pullPolicy: IfNotPresent + serviceAccountRef: apigee-hybrid-secret + dbStorageBucket: "" + # + # Apigee UDCA. + # + udca: + serviceAccountRef: apigee-hybrid-secret + replicaCountMin: 1 + replicaCountMax: 4 + image: + url: "gcr.io/apigee-release/hybrid/apigee-udca" + tag: "1.10.3" + pullPolicy: IfNotPresent + resources: + requests: + cpu: 250m + memory: 256Mi + fluentd: + image: + url: "gcr.io/apigee-release/hybrid/apigee-stackdriver-logging-agent" + tag: "1.9.12-2" + pullPolicy: IfNotPresent + resources: + limits: + memory: 500Mi + requests: + cpu: 500m + memory: 250Mi + # + # Hybrid container logger. + # + logger: + enabled: false + terminationGracePeriodSeconds: 30 + image: + url: "gcr.io/apigee-release/hybrid/apigee-fluent-bit" + tag: "2.1.8" + pullPolicy: IfNotPresent + serviceAccountRef: apigee-hybrid-secret + resources: + limits: + cpu: 200m + memory: 500Mi + requests: + cpu: 100m + memory: 250Mi + proxyURL: + # + # Apigee Metrics. 
+ # + metrics: + enabled: true + serviceAccountRef: apigee-hybrid-secret + appStackdriverExporter: + resources: + limits: + cpu: 500m + memory: 1Gi + requests: + cpu: 128m + memory: 512Mi + proxyStackdriverExporter: + resources: + limits: + cpu: 500m + memory: 1Gi + requests: + cpu: 128m + memory: 512Mi + adapter: + image: + url: "gcr.io/apigee-release/hybrid/apigee-prometheus-adapter" + tag: "v0.11.0" + pullPolicy: IfNotPresent + serviceAccountRef: apigee-hybrid-secret + prometheus: + image: + url: "gcr.io/apigee-release/hybrid/apigee-prom-prometheus" + tag: "v2.45.0" + pullPolicy: IfNotPresent + sdSidecar: + image: + url: "gcr.io/apigee-release/hybrid/apigee-stackdriver-prometheus-sidecar" + tag: "0.9.0" + pullPolicy: IfNotPresent + proxyURL: + # Apigee Connect Agent + connectAgent: + serviceAccountRef: apigee-hybrid-secret + image: + url: "gcr.io/apigee-release/hybrid/apigee-connect-agent" + tag: "1.10.3" + pullPolicy: IfNotPresent + replicaCountMin: 1 + replicaCountMax: 1 + resources: + requests: + cpu: 200m + memory: 128Mi + # Apigee Watcher + watcher: + serviceAccountRef: apigee-hybrid-secret + image: + url: "gcr.io/apigee-release/hybrid/apigee-watcher" + tag: "1.10.3" + pullPolicy: IfNotPresent + replicaCountMin: 1 + replicaCountMax: 1 + resources: + requests: + cpu: 200m + memory: 128Mi + # Apigee Redis + redis: + image: + url: "gcr.io/apigee-release/hybrid/apigee-redis" + tag: "1.10.3" + pullPolicy: IfNotPresent + replicaCount: 2 + resources: + requests: + cpu: 500m + envoy: + image: + url: "gcr.io/apigee-release/hybrid/apigee-envoy" + tag: "v1.27.0" + pullPolicy: IfNotPresent + replicaCountMin: 1 + replicaCountMax: 1 + resources: + requests: + cpu: "500m" + # Apigee Operators controller + ao: + image: + url: "gcr.io/apigee-release/hybrid/apigee-operators" + tag: "1.10.3" + pullPolicy: IfNotPresent + resources: + limits: + cpu: 1000m + memory: 1024Mi + requests: + cpu: 200m + memory: 512Mi + installer: + image: + url: 
"gcr.io/apigee-release/hybrid/apigee-installer" + tag: "1.10.3" + pullPolicy: IfNotPresent + # kube rbac proxy + kubeRBACProxy: + image: + url: "gcr.io/apigee-release/hybrid/apigee-kube-rbac-proxy" + tag: "v0.14.2" + pullPolicy: IfNotPresent + + # Apigee istiod. + istiod: + image: + url: "gcr.io/apigee-release/hybrid/apigee-asm-istiod" + tag: "1.17.2-asm.8-distroless" + pullPolicy: IfNotPresent + resources: + limits: + cpu: 1000m + memory: 1024Mi + requests: + cpu: 200m + memory: 512Mi + accessLogFile: '/dev/stdout' + accessLogFormat: '{"start_time":"%START_TIME%","remote_address":"%DOWNSTREAM_DIRECT_REMOTE_ADDRESS%","user_agent":"%REQ(USER-AGENT)%","host":"%REQ(:AUTHORITY)%","request":"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%","request_time":"%DURATION%","status":"%RESPONSE_CODE%","status_details":"%RESPONSE_CODE_DETAILS%","bytes_received":"%BYTES_RECEIVED%","bytes_sent":"%BYTES_SENT%","upstream_address":"%UPSTREAM_HOST%","upstream_response_flags":"%RESPONSE_FLAGS%","upstream_response_time":"%RESPONSE_DURATION%","upstream_service_time":"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","upstream_cluster":"%UPSTREAM_CLUSTER%","x_forwarded_for":"%REQ(X-FORWARDED-FOR)%","request_method":"%REQ(:METHOD)%","request_path":"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","request_protocol":"%PROTOCOL%","tls_protocol":"%DOWNSTREAM_TLS_VERSION%","request_id":"%REQ(X-REQUEST-ID)%","sni_host":"%REQUESTED_SERVER_NAME%","apigee_dynamic_data":"%DYNAMIC_METADATA(envoy.lua)%"}' + # Apigee Ingressgateway. + ingressGateway: + image: + url: "gcr.io/apigee-release/hybrid/apigee-asm-ingress" + tag: "1.17.2-asm.8-distroless" + pullPolicy: IfNotPresent + resources: + limits: + cpu: 2000m + memory: 1Gi + requests: + cpu: 300m + memory: 128Mi + +################################################Apigee Hybrid Helm Values ############ diff --git a/vars/vars.yaml b/vars/vars.yaml index ab3ed50..6f06d32 100644 --- a/vars/vars.yaml +++ b/vars/vars.yaml 
@@ -68,7 +68,7 @@ helm_charts: kubeconfigs: # set `primary: ` to deploy Apigee Hybrid Primary DC - primary: /Users/ashwinknaik/codes/git/apigee-hybrid-ansible/ansible/certs/dc1.config + primary: /app/kubeconfig # set `secondary: ` to deploy Apigee Hybrid Secondary DC # secondary: /tmp/dc2.config From 08fbfc7754bded0d9d126389a354d83c7e863859 Mon Sep 17 00:00:00 2001 From: anaik91 Date: Sat, 28 Oct 2023 19:30:11 +0530 Subject: [PATCH 3/9] fix: fixed access token validation for svc account --- .../files/validate_apigee_objects.py | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/roles/validate-input-apigee-control-plane/files/validate_apigee_objects.py b/roles/validate-input-apigee-control-plane/files/validate_apigee_objects.py index 9bf7f05..0b76fe7 100644 --- a/roles/validate-input-apigee-control-plane/files/validate_apigee_objects.py +++ b/roles/validate-input-apigee-control-plane/files/validate_apigee_objects.py @@ -42,18 +42,11 @@ def __init__( else "Basic {}".format(access_token) # noqa } - def get_token_user(self, token): - url = f"https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={token}" # noqa - response = requests.get(url) - if response.status_code == 200: - return response.json()['email'] - return '' - def is_token_valid(self, token): url = f"https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={token}" # noqa response = requests.get(url) if response.status_code == 200: - print(f"Token Validated for user {response.json()['email']}") + print("Token Validated") return True return False 
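Review bot: `primary: /app/kubeconfig` points the default vars at the file `test/scripts/run_playbook.sh` bind-mounts from `$GOOGLE_APPLICATION_CREDENTIALS`, which is the GCP workload-identity credential configuration rather than a kubeconfig, so a Kubernetes client loading it gets a malformed file while a GCP credential sits under a misleading name. That path is also only meaningful inside that one container, yet `vars/vars.yaml` is the default for every run; keep the committed default generic (for example `/tmp/dc1.config`, matching the commented `secondary` example) and set the CI-specific path in `vars/test.yaml`.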
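Review bot: `is_token_valid` still sends the bearer token as a URL query parameter (`tokeninfo?access_token={token}`), where it is recorded by proxies, server access logs and any HTTP-library debug output, and `requests.get(url)` has no timeout, so a stalled endpoint hangs the validation indefinitely; send the token as form data with a timeout, e.g. `response = requests.post("https://www.googleapis.com/oauth2/v3/tokeninfo", data={"access_token": token}, timeout=10)` (the v3 endpoint documents POST). Dropping the `email` lookup is the right fix for federated access tokens that carry no `email` claim, but the message could still name the principal when the field is present: `print("Token Validated for", response.json().get("email", "unknown principal"))`. The hunk begins inside `__init__`, whose opening lines are outside the visible diff.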
@@ -139,18 +132,17 @@ def main(): args.access_token, ) validations = [] - authenticated_user = TargetApigee.get_token_user(args.access_token) if not TargetApigee.get_org(): - validations.append(f"Apigee Organization : {apigee_org} doesnt exist OR user {authenticated_user} doesnt have permissions ") # noqa pylint: disable=line-too-long + validations.append(f"Apigee Organization : {apigee_org} doesnt exist OR user doesnt have permissions ") # noqa pylint: disable=line-too-long for apigee_env in apigee_envs: if not TargetApigee.get_environment(apigee_env['name']): - validations.append(f"Apigee Environment : {apigee_env['name']} doesnt exist OR user {authenticated_user} doesnt have permissions ") # noqa pylint: disable=line-too-long + validations.append(f"Apigee Environment : {apigee_env['name']} doesnt exist OR user doesnt have permissions ") # noqa pylint: disable=line-too-long for apigee_vhost in apigee_vhosts: apigee_vhost_status, apigee_vhost_info = TargetApigee.get_env_group(apigee_vhost['name']) # noqa pylint: disable=line-too-long if not apigee_vhost_status: - validations.append(f"Apigee Environment Group : {apigee_vhost['name']} doesnt exist OR user {authenticated_user} doesnt have permissions ") # noqa pylint: disable=line-too-long + validations.append(f"Apigee Environment Group : {apigee_vhost['name']} doesnt exist OR user doesnt have permissions ") # noqa pylint: disable=line-too-long if apigee_vhost_status: apigee_vhost_hostname = apigee_vhost.get('hostnames', []) From 4bec32f7ecdaa99503780a374713be9f82c7e73a Mon Sep 17 00:00:00 2001 From: anaik91 Date: Sat, 28 Oct 2023 19:41:06 +0530 Subject: [PATCH 4/9] fix: fixed workflow script --- .github/workflows/testing.yml | 2 +- test/scripts/run_playbook.sh | 12 +++++++++--- vars/test.yaml | 6 +++--- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index 9c6c74b..880eb7d 100644 --- a/.github/workflows/testing.yml 
+++ b/.github/workflows/testing.yml @@ -164,7 +164,7 @@ jobs: bash run_playbook.sh \ ${{ github.workspace }} latest shell: bash - working-directory: ./test/scripts + working-directory: ./test/scripts env: TF_BACKEND_BUCKET: ${{ secrets.TF_BACKEND_BUCKET }} GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }} diff --git a/test/scripts/run_playbook.sh b/test/scripts/run_playbook.sh index e9733aa..29dbddf 100755 --- a/test/scripts/run_playbook.sh +++ b/test/scripts/run_playbook.sh @@ -33,7 +33,13 @@ replace_string "$ANSIBLE_DIR/vars/test.yaml" "_GCP_PROJECT_ID_" "${GCP_PROJECT_I replace_string "$ANSIBLE_DIR/vars/test.yaml" "_GCP_REGION_" "${GCP_REGION}" docker run -v "$ANSIBLE_DIR:/app" \ - -v "$GOOGLE_APPLICATION_CREDENTIALS:/app/kubeconfig" \ - -e GOOGLE_APPLICATION_CREDENTIALS=/app/kubeconfig \ + -v "$GOOGLE_APPLICATION_CREDENTIALS:/svc_account/account.json" \ + -e GOOGLE_APPLICATION_CREDENTIALS=/svc_account/account.json \ "$GCP_REGION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_GAR_REPO/ansible-helm-apigee-hybrid-deployer:$GIT_COMMIT_SHORT_ID" \ - /bin/bash -c "cd /app && ansible-playbook playbook.yaml --tags 'dc1' -e @vars/test.yaml" + /bin/bash -c "cd /app && \ + gcloud auth login --cred-file=/svc_account/account.json && \ + gcloud container clusters get-credentials apigee-hybrid-cicd-test --region $GCP_REGION --project $GCP_PROJECT_ID && \ + ansible-playbook playbook.yaml --tags 'dc1' -e @vars/test.yaml || PLAYBOOK_STATUS=fail && \ + gsutil cp -r /tmp/setup gs://$TF_BACKEND_BUCKET/ansible_run_log/$(date +%s) && \ + if [ \"$PLAYBOOK_STATUS\" == \"fail\" ]; then exit 1; fi + " diff --git a/vars/test.yaml b/vars/test.yaml index 025de2d..b65348a 100644 --- a/vars/test.yaml +++ b/vars/test.yaml 
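Review bot: `gsutil cp -r /tmp/setup gs://$TF_BACKEND_BUCKET/ansible_run_log/...` uploads the entire `setup_path` directory, and that directory is where the playbook downloads service-account JSON keys (`create_service_account: true`, written to `{{ setup_path }}/service-accounts` by the prepare-service-accounts role) and presumably where the generated self-signed TLS private keys land (`generate_certificates: true`); shipping it to the Terraform state bucket as "run logs" persists long-lived credentials in object storage on every run. Upload only the files that are actually logs, or explicitly delete the key and certificate directories before the copy, and review retention and access on `ansible_run_log/`. Separately, `\"$PLAYBOOK_STATUS\"` is inside the host's double-quoted string, so the runner's shell expands it (to empty) before `docker run` starts and `if [ "" == "fail" ]` can never take the `exit 1` branch; write `\$PLAYBOOK_STATUS` or move the sequence into a script that runs inside the container and check `docker run`'s exit status on the host.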
@@ -14,10 +14,10 @@ --- # Path to download/generate files -setup_path: "/tmp" +setup_path: "/tmp/setup" # Set `cert_manager_version: : v1.7.2` refer: https://cloud.google.com/apigee/docs/hybrid/v1.10/install-cert-manager -install_cert_manager: false +install_cert_manager: true cert_manager_version: v1.7.2 ################################################ TLS certificate details ################################################ @@ -68,7 +68,7 @@ helm_charts: kubeconfigs: # set `primary: ` to deploy Apigee Hybrid Primary DC - primary: /Users/ashwinknaik/codes/git/apigee-hybrid-ansible/ansible/certs/dc1.config + primary: /root/.kube/config # set `secondary: ` to deploy Apigee Hybrid Secondary DC # secondary: /tmp/dc2.config From 0a075122a253bbe70691af7d1e9cea316cffdccf Mon Sep 17 00:00:00 2001 From: anaik91 Date: Sun, 29 Oct 2023 17:17:52 +0530 Subject: [PATCH 5/9] fix: fixed overrides generation issues --- .../templates/overrides.yaml.j2 | 2 -- .../templates/service_account.j2 | 3 +-- test/scripts/run_playbook.sh | 13 ++++++------- 3 files changed, 7 insertions(+), 11 deletions(-) diff --git a/roles/apigee-hybrid-overrides/templates/overrides.yaml.j2 b/roles/apigee-hybrid-overrides/templates/overrides.yaml.j2 index 0b1b369..f41562d 100644 --- a/roles/apigee-hybrid-overrides/templates/overrides.yaml.j2 +++ b/roles/apigee-hybrid-overrides/templates/overrides.yaml.j2 
@@ -80,8 +80,6 @@ envs: runtime: replicaCountMax: {{ each_env.get('runtime',{}).get('replicaCountMax',{}) if each_env.get('runtime',{}).get('replicaCountMax',{}) else '' }} replicaCountMin: {{ each_env.get('runtime',{}).get('replicaCountMin',{}) if each_env.get('runtime',{}).get('replicaCountMin',{}) else '' }} - serviceAccountPaths: - synchronizer: serviceAccountSecretRefs: synchronizer: {{ svc_account(create_service_account, deployment_environment,'synchronizer', overrides.synchronizer.serviceAccountRef) | indent( width=4)}} udca: {{ svc_account(create_service_account, deployment_environment,'udca', overrides.udca.serviceAccountRef) | indent( width=4)}} diff --git a/roles/apigee-hybrid-overrides/templates/service_account.j2 b/roles/apigee-hybrid-overrides/templates/service_account.j2 index 409f8e0..fd3875a 100644 --- a/roles/apigee-hybrid-overrides/templates/service_account.j2 +++ b/roles/apigee-hybrid-overrides/templates/service_account.j2 @@ -7,8 +7,7 @@ {% else %} {{ 'apigee-non-prod-svc-account-secret' % project_id }} {%- endif %} -{%- endif %} -{% if name -%} +{% else %} {{ name }} {%- endif %} {% endmacro %} diff --git a/test/scripts/run_playbook.sh b/test/scripts/run_playbook.sh index 29dbddf..b7fa851 100755 --- a/test/scripts/run_playbook.sh +++ b/test/scripts/run_playbook.sh 
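Review bot: The non-prod branch retained as context, `{{ 'apigee-non-prod-svc-account-secret' % project_id }}`, applies Python `%` formatting to a string with no conversion specifier, which appears to raise "not all arguments converted during string formatting" whenever `deployment_environment` is not `prod`; if the project id is meant to be part of the name write `{{ 'apigee-non-prod-svc-account-secret-%s' % project_id }}`, otherwise drop the `% project_id`. The new `{% else %}` presumably makes the macro fall through to `{{ name }}` only when `create_service_account` is false, which matches the contract described in `vars/test.yaml`, so that part reads correctly; the macro's opening `{% if %}` lines and the prod branch are outside the hunk.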
@@ -36,10 +36,9 @@ docker run -v "$ANSIBLE_DIR:/app" \ -v "$GOOGLE_APPLICATION_CREDENTIALS:/svc_account/account.json" \ -e GOOGLE_APPLICATION_CREDENTIALS=/svc_account/account.json \ "$GCP_REGION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_GAR_REPO/ansible-helm-apigee-hybrid-deployer:$GIT_COMMIT_SHORT_ID" \ - /bin/bash -c "cd /app && \ - gcloud auth login --cred-file=/svc_account/account.json && \ - gcloud container clusters get-credentials apigee-hybrid-cicd-test --region $GCP_REGION --project $GCP_PROJECT_ID && \ - ansible-playbook playbook.yaml --tags 'dc1' -e @vars/test.yaml || PLAYBOOK_STATUS=fail && \ - gsutil cp -r /tmp/setup gs://$TF_BACKEND_BUCKET/ansible_run_log/$(date +%s) && \ - if [ \"$PLAYBOOK_STATUS\" == \"fail\" ]; then exit 1; fi - " + /bin/bash -c "cd /app; PLAYBOOK_STATUS=\"success\";\ + gcloud auth login --cred-file=/svc_account/account.json; \ + gcloud container clusters get-credentials apigee-hybrid-cicd-test --region $GCP_REGION --project $GCP_PROJECT_ID; \ + ansible-playbook playbook.yaml --tags 'dc1' -e @vars/test.yaml || PLAYBOOK_STATUS=\"fail\"; \ + gsutil cp -q -r /tmp/setup gs://$TF_BACKEND_BUCKET/ansible_run_log/$(date +%s) && \ + [[ \"$PLAYBOOK_STATUS\" = 'fail' ]] && exit 1" \ No newline at end of file From fb08c32bf8a0faefe18df746869ac28023e033b5 Mon Sep 17 00:00:00 2001 From: anaik91 Date: Sun, 29 Oct 2023 18:43:28 +0530 Subject: [PATCH 6/9] fix: fixed service account key download script --- .github/workflows/testing.yml | 4 ++-- roles/prepare-service-accounts/tasks/main.yml | 15 +++++++-------- test/scripts/run_playbook.sh | 12 +++++++----- 3 files changed, 16 insertions(+), 15 deletions(-) diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index 880eb7d..3e38dda 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml 
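Review bot: `[[ \"$PLAYBOOK_STATUS\" = 'fail' ]] && exit 1` is the last command of the container script, and because `$PLAYBOOK_STATUS` sits inside the host's double-quoted string it is expanded on the runner (to empty) before `docker run` starts; the test is therefore always false, `[[ ]]` returns 1 as the script's final status, and every run is reported as failed regardless of the playbook result. Escape the container-side variables (`\$PLAYBOOK_STATUS`) or, better, move the `gcloud`/`ansible-playbook`/`gsutil` sequence into a script file inside the image and let `docker run`'s exit code decide on the host. The `gsutil cp -q -r /tmp/setup` still uploads the downloaded service-account keys and generated TLS material to the bucket.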
@@ -123,7 +123,7 @@ jobs: GCP_REGION: ${{ secrets.GCP_REGION }} deploy-runtime-plane: - name: Deploy Apigee Hybrid Runtime GKE Platform + name: Deploy Apigee Hybrid Cluster runs-on: self-hosted if: github.event_name == 'push' # needs: @@ -162,7 +162,7 @@ jobs: id: init run: | bash run_playbook.sh \ - ${{ github.workspace }} latest + ${{ github.workspace }} ${{ steps.commit.outputs.short }} shell: bash working-directory: ./test/scripts env: diff --git a/roles/prepare-service-accounts/tasks/main.yml b/roles/prepare-service-accounts/tasks/main.yml index 77c4ada..4033381 100644 --- a/roles/prepare-service-accounts/tasks/main.yml +++ b/roles/prepare-service-accounts/tasks/main.yml @@ -76,14 +76,13 @@ - name: Create Service Account shell: | download_keys(){ - local sa_name=$1 - local sa_email=$2 - local output_dir=$3 - local project_id=$4 - gcloud iam service-accounts keys create "${output_dir}/${project_id}-${sa_name}.json" \ - --iam-account="${sa_email}" || \ - log_error "Failed to download keys for service account ${sa_name}" - echo "JSON Key ${sa_name} was successfully download to directory ${output_dir}." + local sa_name=$1 + local sa_email=$2 + local output_dir=$3 + local project_id=$4 + gcloud iam service-accounts keys create "${output_dir}/${project_id}-${sa_name}.json" \ + --iam-account="${sa_email}" || exit 1 + echo "JSON Key ${sa_name} was successfully download to directory ${output_dir}." } download_keys {{ item }} {{ item }}@{{ overrides.gcp.projectID }}.iam.gserviceaccount.com {{ setup_path }}/service-accounts {{ overrides.gcp.projectID }} with_items: "{{ missing_svc_account_files }}" diff --git a/test/scripts/run_playbook.sh b/test/scripts/run_playbook.sh index b7fa851..aacced5 100755 --- a/test/scripts/run_playbook.sh +++ b/test/scripts/run_playbook.sh 
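Review bot: `gcloud iam service-accounts keys create` mints a new long-lived user-managed key for every account in `missing_svc_account_files`, and nothing in this role deletes it afterwards; since the CI run starts from a fresh container whose `{{ setup_path }}/service-accounts` is empty, each pipeline execution appears to create another key per account, accumulating toward the per-account key limit and leaving unrotated credentials behind (plus a copy in the bucket whenever the run-log upload includes `setup_path`). Prefer Workload Identity for the hybrid components, or if JSON keys are unavoidable record the created key ids and remove them in a cleanup task (`gcloud iam service-accounts keys delete`) at the end of the run. The `|| exit 1` now aborts the `shell` task on the first failure, which is correct, but the success message still reads "successfully download" — `downloaded`. The task's `with_items` loop and the rest of the role file are outside the hunk.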
@@ -35,10 +35,12 @@ replace_string "$ANSIBLE_DIR/vars/test.yaml" "_GCP_REGION_" "${GCP_REGION}" docker run -v "$ANSIBLE_DIR:/app" \ -v "$GOOGLE_APPLICATION_CREDENTIALS:/svc_account/account.json" \ -e GOOGLE_APPLICATION_CREDENTIALS=/svc_account/account.json \ - "$GCP_REGION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_GAR_REPO/ansible-helm-apigee-hybrid-deployer:$GIT_COMMIT_SHORT_ID" \ - /bin/bash -c "cd /app; PLAYBOOK_STATUS=\"success\";\ + "$GCP_REGION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_GAR_REPO/ansible-helm-apigee-hybrid-deployer:latest" \ + /bin/bash -c "cd /app; \ + PIPELINE_STATUS=\"success\"; \ gcloud auth login --cred-file=/svc_account/account.json; \ gcloud container clusters get-credentials apigee-hybrid-cicd-test --region $GCP_REGION --project $GCP_PROJECT_ID; \ - ansible-playbook playbook.yaml --tags 'dc1' -e @vars/test.yaml || PLAYBOOK_STATUS=\"fail\"; \ - gsutil cp -q -r /tmp/setup gs://$TF_BACKEND_BUCKET/ansible_run_log/$(date +%s) && \ - [[ \"$PLAYBOOK_STATUS\" = 'fail' ]] && exit 1" \ No newline at end of file + ansible-playbook playbook.yaml --tags 'dc1' -e @vars/test.yaml || \ + PIPELINE_STATUS=\"fail\"; \ + gsutil -m cp -r /tmp/setup gs://$TF_BACKEND_BUCKET/ansible_run_log/$GIT_COMMIT_SHORT_ID; + if [ \"$PIPELINE_STATUS\" == \"fail\" ]; then exit 1; fi" From f1ebe8527a45c9f00f91b0d25e311b28cbf9a9bd Mon Sep 17 00:00:00 2001 From: anaik91 Date: Mon, 30 Oct 2023 12:01:25 +0530 Subject: [PATCH 7/9] feat: updated job dependency --- .github/workflows/testing.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index 3e38dda..1b414bd 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml 
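Review bot: The image reference was changed from `:$GIT_COMMIT_SHORT_ID` to `:latest` in the same commit that starts passing the real short commit id from the workflow, so the job no longer runs the deployer built for the commit under test but whatever was last pushed under the mutable `latest` tag — non-reproducible, and a supply-chain weak point because anyone able to retag in the repository controls what executes with the GKE credentials. Restore `...:$GIT_COMMIT_SHORT_ID` (or, better, pin the digest resolved by the build job). `$PIPELINE_STATUS` is still expanded by the host shell inside the double-quoted command, so `if [ \"$PIPELINE_STATUS\" == \"fail\" ]` compares an empty string and playbook failures never fail the step; write `\$PIPELINE_STATUS` or check `docker run`'s own exit status on the host.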
@@ -126,10 +126,10 @@ jobs:
 name: Deploy Apigee Hybrid Cluster
 runs-on: self-hosted
 if: github.event_name == 'push'
- # needs:
- # - docker-build
- # - deploy-runtime-plane-gke
- # - deploy-control-plane
+ needs:
+ - docker-build
+ - deploy-runtime-plane-gke
+ - deploy-control-plane
 permissions:
 contents: 'read'
 id-token: 'write'
From ee00b33fa436063d980a71c09a06e3fe19c46c3c Mon Sep 17 00:00:00 2001
From: anaik91
Date: Mon, 30 Oct 2023 12:55:44 +0530
Subject: [PATCH 8/9] feat: failure test check

---
 .github/workflows/testing.yml | 3 ++-
 test/scripts/run_playbook.sh | 21 ++++++++++++++++-----
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index 1b414bd..0c730ed 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -162,7 +162,8 @@ jobs:
 id: init
 run: |
 bash run_playbook.sh \
- ${{ github.workspace }} ${{ steps.commit.outputs.short }}
+ ${{ github.workspace }} \
+ ${{ steps.commit.outputs.short }}
 shell: bash
 working-directory: ./test/scripts
 env:
diff --git a/test/scripts/run_playbook.sh b/test/scripts/run_playbook.sh
index aacced5..4e1c22a 100755
--- a/test/scripts/run_playbook.sh
+++ b/test/scripts/run_playbook.sh
@@ -32,15 +32,26 @@ function replace_string() {
 replace_string "$ANSIBLE_DIR/vars/test.yaml" "_GCP_PROJECT_ID_" "${GCP_PROJECT_ID}"
 replace_string "$ANSIBLE_DIR/vars/test.yaml" "_GCP_REGION_" "${GCP_REGION}"
 
-docker run -v "$ANSIBLE_DIR:/app" \
+DATE_EPOCH=$(date +%s)
+CONTAINER_NAME="ansible-run-${DATE_EPOCH}"
+
+docker run --name "${CONTAINER_NAME}"\
+ -v "$ANSIBLE_DIR:/app" \
 -v "$GOOGLE_APPLICATION_CREDENTIALS:/svc_account/account.json" \
 -e GOOGLE_APPLICATION_CREDENTIALS=/svc_account/account.json \
 "$GCP_REGION-docker.pkg.dev/$GCP_PROJECT_ID/$GCP_GAR_REPO/ansible-helm-apigee-hybrid-deployer:latest" \
 /bin/bash -c "cd /app; \
 PIPELINE_STATUS=\"success\"; \
+ mkdir -p /tmp/setup; echo \"started\" > /tmp/setup/start.log; \
 gcloud auth login --cred-file=/svc_account/account.json; \
 gcloud container clusters get-credentials apigee-hybrid-cicd-test --region $GCP_REGION --project $GCP_PROJECT_ID; \
- ansible-playbook playbook.yaml --tags 'dc1' -e @vars/test.yaml || \
- PIPELINE_STATUS=\"fail\"; \
- gsutil -m cp -r /tmp/setup gs://$TF_BACKEND_BUCKET/ansible_run_log/$GIT_COMMIT_SHORT_ID;
- if [ \"$PIPELINE_STATUS\" == \"fail\" ]; then exit 1; fi"
+ ansible-playbook playbook.yaml --tags 'dc1' -e @vars/test.yaml"
+
+LOG_DUMP=$(mktemp -d)
+docker cp "$CONTAINER_NAME:/tmp/setup" "$LOG_DUMP"
+gsutil -m cp -r "$LOG_DUMP" "gs://$TF_BACKEND_BUCKET/ansible_run_log/$GIT_COMMIT_SHORT_ID"
+
+CONTAINER_EXIT_CODE=$(docker inspect "$CONTAINER_NAME" --format='{{.State.ExitCode}}')
+if [ "$CONTAINER_EXIT_CODE" -ne 0 ]; then
+ exit 1
+fi
From 05b8231670f7b2471f0d21caa865b066d8ddcacf Mon Sep 17 00:00:00 2001
From: anaik91
Date: Mon, 30 Oct 2023 20:38:21 +0530
Subject: [PATCH 9/9] feat: enabled logs only for failed builds

---
 .github/workflows/testing.yml | 4 ++--
 test/scripts/run_playbook.sh | 7 +++----
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index 0c730ed..07a7512 100644
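Review bot: The named container is never removed, so on the `self-hosted` runner this workflow targets every run leaves an `ansible-run-<epoch>` container and its writable layer behind; a `trap 'docker rm -f "${CONTAINER_NAME}" >/dev/null 2>&1' EXIT` right after `CONTAINER_NAME` is set cleans it up once `docker cp` has run. The new flow also relies on `docker run` returning non-zero without aborting the script: if the script enables `set -e` (its header is outside the hunk) the `docker cp` and `gsutil` lines are skipped on failure, so the run should end in `|| true` and the status be read from `docker inspect` as it is now. Everything under `/tmp/setup` is uploaded, and if `setup_path` in the playbook resolves to that directory the dump also carries the service-account key files the `prepare-service-accounts` role downloads into `{{ setup_path }}/service-accounts`, which should be excluded before `gsutil cp`; the failure-only upload in the PATCH 9/9 hunk has the same exposure. `"${CONTAINER_NAME}"\` works only because the next line starts with whitespace; a space before the backslash makes the continuation explicit.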
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -84,7 +84,7 @@ jobs:
 GCP_REGION: ${{ secrets.GCP_REGION }}
 
 deploy-runtime-plane-gke:
- name: Deploy Apigee Hybrid Runtime GKE Platform
+ name: Deploy GKE Cluster
 runs-on: ubuntu-latest
 if: github.event_name == 'push'
 permissions:
@@ -123,7 +123,7 @@ jobs:
 GCP_REGION: ${{ secrets.GCP_REGION }}
 
 deploy-runtime-plane:
- name: Deploy Apigee Hybrid Cluster
+ name: Deploy Apigee Hybrid Single DC
 runs-on: self-hosted
 if: github.event_name == 'push'
 needs:
diff --git a/test/scripts/run_playbook.sh b/test/scripts/run_playbook.sh
index 4e1c22a..87dcede 100755
--- a/test/scripts/run_playbook.sh
+++ b/test/scripts/run_playbook.sh
@@ -47,11 +47,10 @@ docker run --name "${CONTAINER_NAME}"\
 gcloud container clusters get-credentials apigee-hybrid-cicd-test --region $GCP_REGION --project $GCP_PROJECT_ID; \
 ansible-playbook playbook.yaml --tags 'dc1' -e @vars/test.yaml"
 
-LOG_DUMP=$(mktemp -d)
-docker cp "$CONTAINER_NAME:/tmp/setup" "$LOG_DUMP"
-gsutil -m cp -r "$LOG_DUMP" "gs://$TF_BACKEND_BUCKET/ansible_run_log/$GIT_COMMIT_SHORT_ID"
-
 CONTAINER_EXIT_CODE=$(docker inspect "$CONTAINER_NAME" --format='{{.State.ExitCode}}')
 if [ "$CONTAINER_EXIT_CODE" -ne 0 ]; then
+ LOG_DUMP=$(mktemp -d)
+ docker cp "$CONTAINER_NAME:/tmp/setup" "$LOG_DUMP"
+ gsutil -m cp -r "$LOG_DUMP" "gs://$TF_BACKEND_BUCKET/ansible_run_log/$GIT_COMMIT_SHORT_ID"
 exit 1
 fi
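Review bot: The failure dump is keyed only by `ansible_run_log/$GIT_COMMIT_SHORT_ID`, so a re-run of the same commit copies a second `mktemp` directory into the same prefix and each attempt lands under a random `tmp.XXXX` name that says nothing about when it ran; `CONTAINER_NAME` already carries `DATE_EPOCH`, so `"gs://$TF_BACKEND_BUCKET/ansible_run_log/$GIT_COMMIT_SHORT_ID/$DATE_EPOCH"` keeps attempts apart. `LOG_DUMP` is a temporary directory on the self-hosted runner that is never deleted, and it holds a copy of the container's `/tmp/setup`, so an `rm -rf "$LOG_DUMP"` after the `gsutil` upload is needed. The start of this script, including where `GIT_COMMIT_SHORT_ID` is assigned, is outside the hunk.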