diff --git a/.github/actions/write-credentials/action.yml b/.github/actions/write-credentials/action.yml
new file mode 100644
index 00000000..021744cc
--- /dev/null
+++ b/.github/actions/write-credentials/action.yml
@@ -0,0 +1,33 @@
+name: 'write-credentials'
+description: |
+  Collect the needed credentials for integration testing and place them in a
+  directory named "rendered". Note that all of these secrets are
+  assumed to be base64-encoded JSON service account keys.
+inputs:
+  buffer-app-sa-b64:
+    description: 'Base64-encoded buffer (RBS) service account'
+    required: true
+  janitor-sa-b64:
+    description: 'Base64-encoded CRL Janitor service account'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Write credentials
+      id: 'setup-user-delegated-creds'
+      run: |
+        mkdir -p rendered
+
+        BUFFER_APP_SA_B64=${{ inputs.buffer-app-sa-b64 }}
+        echo ::add-mask::BUFFER_APP_SA_B64
+        BUFFER_APP_SA=$(echo $BUFFER_APP_SA_B64 | base64 --decode)
+        echo ::add-mask::$BUFFER_APP_SA
+        echo $BUFFER_APP_SA > rendered/sa-account.json
+
+        JANITOR_SA_B64=${{ inputs.janitor-sa-b64 }}
+        echo ::add-mask::$JANITOR_SA_B64
+        JANITOR_SA=$(echo $JANITOR_SA_B64 | base64 --decode)
+        echo ::add-mask::$JANITOR_SA
+        echo $JANITOR_SA > rendered/janitor-client-sa-account.json
+      shell: bash
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index c324d6aa..252c2b1b 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
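Review bot: `echo ::add-mask::BUFFER_APP_SA_B64` in the run block is missing the `$`, so it registers the literal text `BUFFER_APP_SA_B64` as the mask and the encoded buffer key itself is never masked (the janitor branch a few lines down has the `$`). The same step expands `${{ inputs.… }}` directly into the shell script, which lets an input containing shell metacharacters change what the script does; passing both inputs through `env:` and reading them as shell variables avoids that, and piping the decoded bytes straight into the file removes the unquoted `echo $VAR > file` (which word-splits and glob-expands the JSON) along with the need to mask the decoded value at all. Both `::add-mask::` calls assume the encoded input is a single line; if the secrets were stored with base64 line wrapping only the first line would be masked, which is worth confirming against how the secrets were produced. Keeping `shell: bash` means the runner already executes the script with `-eo pipefail`, so a failed decode stops the step.

```yaml
    - name: Write credentials
      # … unchanged: id …
      env:
        BUFFER_APP_SA_B64: ${{ inputs.buffer-app-sa-b64 }}
        JANITOR_SA_B64: ${{ inputs.janitor-sa-b64 }}
      run: |
        mkdir -p rendered
        echo "::add-mask::$BUFFER_APP_SA_B64"
        printf '%s' "$BUFFER_APP_SA_B64" | base64 --decode > rendered/sa-account.json
        echo "::add-mask::$JANITOR_SA_B64"
        printf '%s' "$JANITOR_SA_B64" | base64 --decode > rendered/janitor-client-sa-account.json
      shell: bash
```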
@@ -39,28 +39,13 @@ jobs:
         uses: ./.github/actions/bump-skip
         with:
           event-name: ${{ github.event_name }}
-      - name: Pull Vault image
+      - name: Write credentials for integration tests
         if: steps.skiptest.outputs.is-bump == 'no'
-        run: docker pull vault:1.1.0
-      # Currently, there's no way to add capabilities to Docker actions on Git, and Vault needs IPC_LOCK to run.
-      - name: Get Vault token
-        if: steps.skiptest.outputs.is-bump == 'no'
-        id: vault-token-step
-        run: |
-          VAULT_TOKEN=$(docker run --rm --cap-add IPC_LOCK \
-            -e "VAULT_ADDR=${VAULT_ADDR}" \
-            vault:1.1.0 \
-            vault write -field token \
-            auth/approle/login role_id=${{ secrets.VAULT_APPROLE_ROLE_ID }} \
-            secret_id=${{ secrets.VAULT_APPROLE_SECRET_ID }})
-          echo ::add-mask::$VAULT_TOKEN
-          echo vault-token=$VAULT_TOKEN >> $GITHUB_OUTPUT
-      - name: Grant execute permission for render-config
-        if: steps.skiptest.outputs.is-bump == 'no'
-        run: chmod +x local-dev/render-config.sh
-      - name: Render configuration for tests
-        if: steps.skiptest.outputs.is-bump == 'no'
-        run: local-dev/render-config.sh ${{ steps.vault-token-step.outputs.vault-token }}
+        id: write-credentials
+        uses: ./.github/actions/write-credentials
+        with:
+          janitor-sa-b64: ${{ secrets.JANITOR_SA_DEV }}
+          buffer-app-sa-b64: ${{ secrets.BUFFER_APP_SA_DEV }}
       - name: Initialize Postgres DB
         if: steps.skiptest.outputs.is-bump == 'no'
         env:
diff --git a/gradle/testing.gradle b/gradle/testing.gradle
index 382477ee..f45280e7 100644
--- a/gradle/testing.gradle
+++ b/gradle/testing.gradle
@@ -6,7 +6,7 @@ test {
 import org.gradle.api.tasks.testing.logging.TestExceptionFormat
 // This is the path to the default Google service account for the buffer service to run as.
-def googleCredentialsFile = "${projectDir}/src/test/resources/rendered/sa-account.json"
+def googleCredentialsFile = "${projectDir}/rendered/sa-account.json"
 tasks.withType(Test) {
     environment = [
         'GOOGLE_APPLICATION_CREDENTIALS': "${googleCredentialsFile}"
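Review bot: `id: write-credentials` on the new step is never referenced — the composite action declares no `outputs`, and nothing in this hunk reads `steps.write-credentials` — so it can be dropped (the `id: 'setup-user-delegated-creds'` inside the action is likewise unused). The removed steps were the only visible users of `local-dev/render-config.sh` and the two `VAULT_APPROLE_*` secrets; if nothing outside this diff still depends on them, the script and the repository secrets can be retired in the same change rather than left behind. The enclosing job starts before and continues after the hunk.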
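Review bot: `googleCredentialsFile` now resolves to `${projectDir}/rendered/sa-account.json`, a directory at the repository root that holds a decoded service-account key, and this diff shows no `.gitignore` change for `rendered/`; unless an ignore rule for the new location already exists, a local test run followed by a broad `git add` could commit the key, so the ignore rule is worth confirming (the old `src/test/resources/rendered/` path may have been the one covered). A short provenance comment on the assignment would also help the next reader, e.g. `// Written to ${projectDir}/rendered by .github/actions/write-credentials in CI`. The `tasks.withType(Test)` block continues past the end of the hunk.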
diff --git a/src/test/resources/application-integration.yml b/src/test/resources/application-integration.yml
index 0aac1a62..6eb412f2 100644
--- a/src/test/resources/application-integration.yml
+++ b/src/test/resources/application-integration.yml
@@ -3,7 +3,7 @@ buffer:
   # If CRL is used in testing mode.
   testing-mode: true
   # Use in test to clean up created cloud resource.
-  janitor-client-credential-file-path: src/test/resources/rendered/janitor-client-sa-account.json
+  janitor-client-credential-file-path: rendered/janitor-client-sa-account.json
   janitor-track-resource-project-id: terra-kernel-k8s
   janitor-track-resource-topic-id: crljanitor-tools-pubsub-topic
   pool:
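Review bot: `janitor-client-credential-file-path` is now a relative path that the JVM resolves against its working directory at test time, whereas the matching gradle setting uses the absolute `${projectDir}/rendered/...`; the two agree when the test task runs from the project directory but diverge if tests are launched from elsewhere (an IDE runner or a multi-project build). If the property accepts an absolute value, aligning it with gradle's form would keep them consistent; otherwise extending the comment above it to `# Use in test to clean up created cloud resource. Path is relative to the test working directory (project root).` records the assumption.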