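--- a/.github/workflows/e2e-vault-secrets.yml
+++ b/.github/workflows/e2e-vault-secrets.yml
@@ -0,0 +1,99 @@
+---
+name: OSAC E2E — Vault Secrets
+
+on:
+workflow_call:
+inputs:
+test-suite:
+description: "Test suite to run: vmaas, caas, or empty string for all"
+required: false
+type: string
+default: "vmaas"
+test-filter:
+description: "pytest -k filter expression (optional)"
+required: false
+type: string
+default: ""
+namespace:
+description: "OSAC namespace on the cluster"
+required: false
+type: string
+default: "osac-e2e-ci"
+vm-template:
+description: "VM template for compute instances"
+required: false
+type: string
+default: "osac.templates.ocp_virt_vm"
+test-image:
+description: "Test container image override"
+required: false
+type: string
+default: "ghcr.io/osac-project/osac-test-infra:latest"
+outputs:
+result:
+description: "Test result: PASSED or FAILED"
+value: ${{ jobs.e2e.outputs.result }}
+
+jobs:
+e2e:
+runs-on: osac-ci
+environment: e2e-test
+permissions:
+contents: read
+id-token: write
+outputs:
+result: ${{ steps.test.outcome == 'success' && 'PASSED' || 'FAILED' }}
+
+steps:
+- name: Retrieve secrets from Vault
+id: vault
+uses: hashicorp/vault-action@v4
+with:
+url: http://127.0.0.1:8200
+method: jwt
+role: osac-e2e
+jwtGithubAudience: https://github.com/osac-project
+exportEnv: false
+secrets: |
+secret/data/osac/e2e/pull-secret dockerconfigjson | PULL_SECRET ;
+secret/data/osac/e2e/aap-license license | AAP_LICENSE
+
+- name: Write secrets to files
+run: |
+echo '${{ steps.vault.outputs.PULL_SECRET }}' > "$RUNNER_TEMP/pull-secret.json"
+chmod 600 "$RUNNER_TEMP/pull-secret.json"
+
+echo '${{ steps.vault.outputs.AAP_LICENSE }}' | base64 -d > "$RUNNER_TEMP/aap-license.zip"
+chmod 600 "$RUNNER_TEMP/aap-license.zip"
+
+- name: Run E2E tests
+id: test
+run: |
+TEST_ARGS="tests/"
+if [ -n "${{ inputs.test-suite }}" ]; then
+TEST_ARGS="tests/${{ inputs.test-suite }}/"
+fi
+
+FILTER_ARGS=""
+if [ -n "${{ inputs.test-filter }}" ]; then
+FILTER_ARGS="-k ${{ inputs.test-filter }}"
+fi
+
+podman run --rm \
+--network host \
+-v "${HOME}/.kube/config:/root/.kube/config:ro,Z" \
+-v "${RUNNER_TEMP}/pull-secret.json:/root/pull-secret:ro,Z" \
+-v "${RUNNER_TEMP}/aap-license.zip:/root/aap-license.zip:ro,Z" \
+-e KUBECONFIG=/root/.kube/config \
+-e OSAC_VM_KUBECONFIG=/root/.kube/config \
+-e OSAC_NAMESPACE=${{ inputs.namespace }} \
+-e OSAC_VM_TEMPLATE=${{ inputs.vm-template }} \
+-e OSAC_PULL_SECRET_PATH=/root/pull-secret \
+${{ inputs.test-image }} \
+pytest ${TEST_ARGS} ${FILTER_ARGS} \
+--junitxml=/tmp/junit.xml -v
+
+- name: Clean up secrets
+if: always()
+run: |
+rm -f "$RUNNER_TEMP/pull-secret.json" "$RUNNER_TEMP/aap-license.zip"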
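Review bot: The `run:` scripts in "Write secrets to files" and "Run E2E tests" splice `${{ … }}` expressions straight into the shell text, so the caller-supplied inputs (`test-suite`, `test-filter`, `namespace`, `vm-template`, `test-image`) and the Vault outputs are parsed as shell syntax rather than data, in a job that holds `id-token: write`, the runner's kubeconfig and the retrieved secrets. Passing each value through the step's `env:` and referencing it as a quoted variable removes that, and also stops a quote character inside the pull secret from breaking the `echo '…'` line. Setting `umask 077` before the redirects closes the short window in which the files exist with default permissions before `chmod 600` runs. Separately, `hashicorp/vault-action@v4` and the `:latest` default of `test-image` are mutable references; pinning to a commit SHA and an image digest would fix what executes with these credentials.

```yaml
      - name: Write secrets to files
        env:
          PULL_SECRET: ${{ steps.vault.outputs.PULL_SECRET }}
          AAP_LICENSE: ${{ steps.vault.outputs.AAP_LICENSE }}
        run: |
          umask 077
          printf '%s\n' "$PULL_SECRET" > "$RUNNER_TEMP/pull-secret.json"
          printf '%s\n' "$AAP_LICENSE" | base64 -d > "$RUNNER_TEMP/aap-license.zip"

      - name: Run E2E tests
        id: test
        env:
          TEST_SUITE: ${{ inputs.test-suite }}
          TEST_FILTER: ${{ inputs.test-filter }}
          OSAC_NAMESPACE: ${{ inputs.namespace }}
          OSAC_VM_TEMPLATE: ${{ inputs.vm-template }}
          TEST_IMAGE: ${{ inputs.test-image }}
        run: |
          TEST_ARGS="tests/"
          if [ -n "$TEST_SUITE" ]; then
            TEST_ARGS="tests/${TEST_SUITE}/"
          fi
          # … unchanged: podman run --rm, --network host, -v mounts, KUBECONFIG variables …
            -e OSAC_NAMESPACE="$OSAC_NAMESPACE" \
            -e OSAC_VM_TEMPLATE="$OSAC_VM_TEMPLATE" \
            -e OSAC_PULL_SECRET_PATH=/root/pull-secret \
            "$TEST_IMAGE" \
            pytest "$TEST_ARGS" ${TEST_FILTER:+-k "$TEST_FILTER"} \
            --junitxml=/tmp/junit.xml -v
```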