ci(test): replace the service principal with federated managed identity to access AKV (#213)

CI:
- removed service principal.
- added federated credential with user assigned managed identity.
- added `actions/github-script@v6` action to get federated token file
for container test cases as `az` CLI is not available in container.
- the E2E test uses `E2E` Github environment, which needs manually
approval from maintainers. This can improve the security.

---------

Signed-off-by: Junjie Gao <[email protected]>

Author: JeyJeyGao

.github/workflows/test.yml

@@ -12,6 +12,10 @@ on:
       - main
       - release-*
 
+permissions:
+  id-token: write # Require write permission to Fetch an OIDC token.
+  contents: read
+
 jobs:
   lint:
     name: Lint Code Base
@@ -36,6 +40,7 @@ jobs:
           VALIDATE_CHECKOV: false
           VALIDATE_MARKDOWN: false
           VALIDATE_JSCPD: false
+          VALIDATE_SHELL_SHFMT: false
   test:
     name: Unit Testing and Build
     runs-on: ubuntu-latest
@@ -62,7 +67,6 @@ jobs:
           # the binary will be used in E2E test
           python3 ./scripts/build.py v0.0.1 linux-x64 --enable-aot
       - name: Upload Linux artifact
-        if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push'
         uses: actions/upload-artifact@v4
         with:
           name: linux-amd64-binary
@@ -73,7 +77,6 @@ jobs:
           # the binary will be used in E2E test
           python3 ./scripts/build.py v0.0.1 osx-x64
       - name: Upload macOS artifact
-        if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push'
         uses: actions/upload-artifact@v4
         with:
           name: darwin-amd64-binary
@@ -82,8 +85,8 @@ jobs:
   e2e-mariner-container:
     name: E2E testing for Mariner container
     runs-on: ubuntu-latest
+    environment: E2E
     needs: test
-    if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push'
     steps:
       - name: Check out code into the project directory
         uses: actions/checkout@v4
@@ -101,15 +104,33 @@ jobs:
           docker push localhost:5000/hello-world:v1
       - name: Build notation-akv:v1 image
         run: docker build -t notation-akv:v1 -f ./test/e2e/containerized/Dockerfile.mariner .
+      - name: Install OIDC Client from Core Package
+        run: npm install @actions/[email protected] @actions/http-client
+      - name: Write Id Token
+        uses: actions/github-script@v6
+        id: idtoken
+        with:
+          script: |
+            try {
+              const core = require('@actions/core')
+              const fs = require('fs')
+              let id_token = await core.getIDToken('api://AzureADTokenExchange')
+              fs.writeFileSync("./federated_token", id_token);
+              console.log(`Federated Token written to ./federated_token`);
+            } catch (error) {
+              core.setFailed(`Action failed with error: ${error.message}`);
+            }
       - name: Run e2e
         run: bash ./test/e2e/containerized/test.sh
         env:
-          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+          AZURE_FEDERATED_TOKEN_FILE: ./federated_token
   e2e-linux:
     name: E2E testing on Linux
     runs-on: ubuntu-latest
+    environment: E2E
     needs: test
-    if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push'
     steps:
       - name: Check out code into the project directory
         uses: actions/checkout@v4
@@ -137,7 +158,9 @@ jobs:
       - name: Azure login
         uses: azure/login@v2
         with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
       - name: E2E testing
         uses: ./test/e2e
         with:
@@ -146,8 +169,8 @@ jobs:
   e2e-windows:
     name: E2E testing on Windows
     runs-on: windows-latest
+    environment: E2E
     needs: test
-    if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push'
     steps:
       - name: Check out code into the project directory
         uses: actions/checkout@v4
@@ -180,7 +203,9 @@ jobs:
       - name: Azure login
         uses: azure/login@v2
         with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
       - name: E2E testing
         uses: ./test/e2e
         with:
@@ -189,8 +214,8 @@ jobs:
   e2e-macos:
     name: E2E testing on macOS
     runs-on: macos-13
+    environment: E2E
     needs: test
-    if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push'
     steps:
       - name: Check out code into the project directory
         uses: actions/checkout@v4
@@ -223,7 +248,9 @@ jobs:
       - name: Azure login
         uses: azure/login@v2
         with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
       - name: E2E testing
         uses: ./test/e2e
         with:

test/e2e/containerized/test.sh

@@ -1,45 +1,41 @@
 #!/bin/bash
 #
 # containerized e2e test for azure-kv plugin
-# prerequisite: 
+# prerequisite:
 #   - notation-akv:v1 image
-#   - AZURE_CREDENTIALS environment variable
+#   - Environment variables:
+#       - AZURE_CLIENT_ID
+#       - AZURE_TENANT_ID
+#       - AZURE_FEDERATED_TOKEN_FILE
 
 set -e
+echo "which az"
+which az
 
-# setup credentials
-if [ -z "$AZURE_CREDENTIALS" ]; then
-    echo "AZURE_CREDENTIALS is not set"
-    exit 1
-fi
-
-AZURE_TENANT_ID=$(echo "$AZURE_CREDENTIALS" | jq -r .tenantId)
-AZURE_CLIENT_ID=$(echo "$AZURE_CREDENTIALS" | jq -r .clientId)
-AZURE_CLIENT_SECRET=$(echo "$AZURE_CREDENTIALS" | jq -r .clientSecret)
-
-function testSign(){
+function testSign() {
     # print all the arguments
     echo "notation sign --signature-format cose localhost:5000/hello-world:v1 --plugin azure-kv" "$@"
     docker run \
         -v "$(pwd)"/test/:/test \
-        -e AZURE_CLIENT_SECRET="$AZURE_CLIENT_SECRET" \
         -e AZURE_CLIENT_ID="$AZURE_CLIENT_ID" \
         -e AZURE_TENANT_ID="$AZURE_TENANT_ID" \
+        -e AZURE_FEDERATED_TOKEN_FILE=/root/federated-token \
+        --mount type=bind,source="$AZURE_FEDERATED_TOKEN_FILE",target=/root/federated-token,readonly \
         --network host notation-akv:v1 \
         notation sign --signature-format cose localhost:5000/hello-world:v1 --plugin azure-kv "$@"
     local result=$?
     echo ""
     return $result
 }
 
-function assertSucceeded(){
+function assertSucceeded() {
     if [ $? -ne 0 ]; then
         echo "test failed"
         exit 1
     fi
 }
 
-function assertFailed(){
+function assertFailed() {
     if [ $? -eq 0 ]; then
         echo "test failed"
         exit 1
@@ -58,7 +54,7 @@ testSign --id https://acrci-test-kv.vault.azure.net/keys/imported-ca-issued-pem-
 assertSucceeded
 testSign --id https://acrci-test-kv.vault.azure.net/keys/imported-ca-issued-pkcs12/20548a2bcaba42308f609df2d79682b5
 assertSucceeded
-testSign --id https://acrci-test-kv.vault.azure.net/keys/imported-ca-issued-pkcs12-unordered/b4fdf86062e44839b666ce8ff3f3a470 
+testSign --id https://acrci-test-kv.vault.azure.net/keys/imported-ca-issued-pkcs12-unordered/b4fdf86062e44839b666ce8ff3f3a470
 assertSucceeded
 testSign --id https://acrci-test-kv.vault.azure.net/keys/csr-ca-issued-pem-chain/09cd1aeaaa894e60b0ef83f062604863
 assertSucceeded
@@ -76,4 +72,4 @@ assertFailed
 testSign --id https://acrci-test-kv.vault.azure.net/keys/imported-ca-issued-pem/5a768b6209564c3cb30ecc30d800dc43 --plugin-config self_signed=true
 assertFailed
 testSign --id https://acrci-test-kv.vault.azure.net/keys/imported-ca-issued-pem/5a768b6209564c3cb30ecc30d800dc43 --plugin-config self_signed=true --plugin-config ca_certs=./test/e2e/certs/cert-bundle.pem
-assertFailed
+assertFailed