Skip to content

Commit

Permalink
ci: switch azure ci test to use rbac for key vault access (ratify-pro…
Browse files Browse the repository at this point in the history
  • Loading branch information
akashsinghal authored May 30, 2024
1 parent ab324ad commit 3f66411
Show file tree
Hide file tree
Showing 4 changed files with 25 additions and 14 deletions.
3 changes: 2 additions & 1 deletion .github/workflows/e2e-aks.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ jobs:
AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
AZURE_SP_OBJECT_ID: fd917b28-cdc0-4828-92c9-1ca8203842a3
runs-on: ubuntu-latest
timeout-minutes: 30
environment: azure-test
Expand Down Expand Up @@ -60,7 +61,7 @@ jobs:
- name: Run e2e on Azure
run: |
make e2e-aks KUBERNETES_VERSION=${{ inputs.k8s_version }} GATEKEEPER_VERSION=${{ inputs.gatekeeper_version }} TENANT_ID=${{ env.AZURE_TENANT_ID }}
make e2e-aks KUBERNETES_VERSION=${{ inputs.k8s_version }} GATEKEEPER_VERSION=${{ inputs.gatekeeper_version }} TENANT_ID=${{ env.AZURE_TENANT_ID }} AZURE_SP_OBJECT_ID=${{ env.AZURE_SP_OBJECT_ID }}
- name: Upload artifacts
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
Expand Down
3 changes: 2 additions & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@ TEST_REGISTRY_PASSWORD = test_pw
# Azure Key Vault Setup
KEYVAULT_NAME ?= ratify-akv
KEYVAULT_KEY_NAME ?= test-key
AZURE_SP_OBJECT_ID ?= 00000000-0000-0000-0000-000000000000

all: build test

Expand Down Expand Up @@ -659,7 +660,7 @@ e2e-helm-deploy-ratify-replica: e2e-helm-deploy-redis e2e-notation-setup e2e-bui
rm mount_config.json

e2e-aks:
./scripts/azure-ci-test.sh ${KUBERNETES_VERSION} ${GATEKEEPER_VERSION} ${TENANT_ID} ${GATEKEEPER_NAMESPACE} ${CERT_DIR}
./scripts/azure-ci-test.sh ${KUBERNETES_VERSION} ${GATEKEEPER_VERSION} ${TENANT_ID} ${GATEKEEPER_NAMESPACE} ${CERT_DIR} ${AZURE_SP_OBJECT_ID}

e2e-cleanup:
./scripts/azure-ci-test-cleanup.sh ${AZURE_SUBSCRIPTION_ID}
Expand Down
1 change: 1 addition & 0 deletions scripts/azure-ci-test.sh
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ GATEKEEPER_VERSION=${2:-3.16.0}
TENANT_ID=$3
export RATIFY_NAMESPACE=${4:-gatekeeper-system}
CERT_DIR=${5:-"~/ratify/certs"}
export AZURE_SP_OBJECT_ID=$6
export NOTATION_PEM_NAME="notation"
export NOTATION_CHAIN_PEM_NAME="notationchain"
export KEYVAULT_KEY_NAME="test-key"
Expand Down
32 changes: 20 additions & 12 deletions scripts/create-azure-resources.sh
Original file line number Diff line number Diff line change
Expand Up @@ -23,12 +23,6 @@ set -o pipefail
: "${AKS_NAME:?AKS_NAME environment variable empty or not defined.}"
: "${ACR_NAME:?ACR_NAME environment variable empty or not defined.}"

register_feature() {
az extension add --name aks-preview
az feature register --namespace "Microsoft.ContainerService" --name "EnableWorkloadIdentityPreview"
az provider register --namespace Microsoft.ContainerService
}

create_user_managed_identity() {
SUBSCRIPTION_ID="$(az account show --query id --output tsv)"

Expand Down Expand Up @@ -95,15 +89,29 @@ create_akv() {

echo "AKV '${KEYVAULT_NAME}' is created"

# Grant permissions to access the certificate.
az keyvault set-policy --name ${KEYVAULT_NAME} --secret-permissions get --key-permissions get --object-id ${USER_ASSIGNED_IDENTITY_OBJECT_ID}
# Grant ratify identity permissions to access the secret
az role assignment create \
--assignee-object-id ${USER_ASSIGNED_IDENTITY_OBJECT_ID} \
--assignee-principal-type "ServicePrincipal" \
--role "Key Vault Secrets User" \
--scope subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${GROUP_NAME}/providers/Microsoft.KeyVault/vaults/${KEYVAULT_NAME}

# Grant ratify identity permissions to access keys
az role assignment create \
--assignee-object-id ${USER_ASSIGNED_IDENTITY_OBJECT_ID} \
--assignee-principal-type "ServicePrincipal" \
--role "Key Vault Crypto User" \
--scope subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${GROUP_NAME}/providers/Microsoft.KeyVault/vaults/${KEYVAULT_NAME}

# Grant runner SP permissions to create keys and import certificates
az role assignment create \
--assignee-object-id ${AZURE_SP_OBJECT_ID} \
--assignee-principal-type "ServicePrincipal" \
--role "Key Vault Administrator" \
--scope subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${GROUP_NAME}/providers/Microsoft.KeyVault/vaults/${KEYVAULT_NAME}
}

main() {
export -f register_feature
# might take around 20 minutes to register
timeout --foreground 1200 bash -c register_feature

az group create --name "${GROUP_NAME}" --tags "ratifye2e" --location "${LOCATION}" >/dev/null

create_user_managed_identity
Expand Down

0 comments on commit 3f66411

Please sign in to comment.