
Commit 4684d34

Add IAMRA Testing
Signed-off-by: Brady Siegel <[email protected]>
1 parent f37f946 commit 4684d34

3 files changed

+86
-0
lines changed


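--- a/.github/workflows/on-safe-to-test-label.yml
+++ b/.github/workflows/on-safe-to-test-label.yml
@@ -178,6 +178,22 @@ jobs:
 if: ${{ always() }}
 run: |
 make kind-cluster-delete
+- name: Run test cases with IAMRA
+if: ${{ always() }}
+run: |
+./e2e/iamra-test/test.sh
+make e2etest
+- name: Copy Kind logs to S3
+if: ${{ always() }}
+run: |
+mkdir logs-iamra-test
+export E2E_ARTIFACTS_DIRECTORY=logs-iamra-test
+make kind-export-logs
+aws s3 cp --recursive logs-iamra-test s3://aws-privateca-issuer-k8s-logs-test-us-east-1/${{ needs.start-runner.outputs.ec2-instance-id }}-logs-iamra-test/
+- name: Terminate Kind cluster
+if: ${{ always() }}
+run: |
+make kind-cluster-delete
 - name: Run helm test
 if: ${{ !contains(github.event.pull_request.labels.*.name, 'chart update') && inputs.architecture != 'arm64' }}
 run: |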
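Review bot: The new `Run test cases with IAMRA` step is gated with `if: ${{ always() }}` (new line 182), so it also runs after the job has been cancelled or after the setup steps above it have failed; `always()` fits the log-upload and cluster-delete steps that follow, but for a test step `if: ${{ !cancelled() }}` is the usual form, and it still runs the IAMRA suite after an earlier test failure if that is the intent. The S3 destination on new line 192 interpolates `${{ needs.start-runner.outputs.ec2-instance-id }}` straight into the shell command; routing it through the step's `env:` and referencing `$INSTANCE_ID` keeps the expression out of the command string, which is the recommended pattern for `run:` steps even when the value is the job's own output. The enclosing job and its steps list start and end outside this hunk.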

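--- /dev/null
+++ b/e2e/iamra-test/iamra-values.yaml
@@ -0,0 +1,36 @@
+serviceAccount:
+create: false
+
+image:
+repository: localhost:5000/aws-privateca-issuer
+tag: latest
+pullPolicy: Always
+
+env:
+AWS_EC2_METADATA_SERVICE_ENDPOINT: "http://127.0.0.1:9911"
+
+extraContainers:
+- name: "rolesanywhere-credential-helper"
+image: "public.ecr.aws/rolesanywhere/credential-helper:latest"
+command: ["aws_signing_helper"]
+args:
+- "serve"
+- "--private-key"
+- "/etc/cert/tls.key"
+- "--certificate"
+- "/etc/cert/tls.crt"
+- "--role-arn"
+- "$ROLE_ARN"
+- "--profile-arn"
+- "$PROFILE_ARN"
+- "--trust-anchor-arn"
+- "$TRUST_ANCHOR_ARN"
+volumeMounts:
+- name: cert
+mountPath: /etc/cert/
+readOnly: true
+
+volumes:
+- name: cert
+secret:
+secretName: cert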
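Review bot: The credential-helper sidecar is pulled as `public.ecr.aws/rolesanywhere/credential-helper:latest` (line 14), so the component that turns the test certificate into AWS credentials is whatever that floating tag resolves to on the day the job runs; pin it to a release tag or a digest, e.g. `image: "public.ecr.aws/rolesanywhere/credential-helper:<PINNED_VERSION_OR_DIGEST>"`, so a test failure or a compromised tag cannot be confused with an issuer regression. The `$ROLE_ARN`, `$PROFILE_ARN` and `$TRUST_ANCHOR_ARN` values on lines 23, 25 and 27 are only meaningful because `e2e/iamra-test/test.sh` pipes this file through `envsubst` before `helm install`; a leading comment `# Template values: $ROLE_ARN, $PROFILE_ARN and $TRUST_ANCHOR_ARN are filled in by e2e/iamra-test/test.sh via envsubst` would stop someone from installing the file directly with the literal strings. The `readOnly: true` on the cert mount is the right call for a volume that carries the private key.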

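--- /dev/null
+++ b/e2e/iamra-test/test.sh
@@ -0,0 +1,34 @@
+set -euo pipefail
+
+CA_ARN=$(aws ssm get-parameter --name /iamra/certificate-authority-arn | jq -r '.Parameter.Value')
+TRUST_ANCHOR_ARN=$(aws ssm get-parameter --name /iamra/trust-anchor-arn | jq -r '.Parameter.Value')
+PROFILE_ARN=$(aws ssm get-parameter --name /iamra/profile-arn | jq -r '.Parameter.Value')
+ROLE_ARN=$(aws ssm get-parameter --name /iamra/role-arn | jq -r '.Parameter.Value')
+
+openssl req -out iamra.csr -new -newkey rsa:2048 -nodes -keyout iamra.key -subj "/CN=iamra-issuer"
+
+CERT_ARN=$(aws acm-pca issue-certificate \
+--certificate-authority-arn $CA_ARN \
+--csr fileb://iamra.csr \
+--signing-algorithm "SHA256WITHRSA" \
+--validity Value=1,Type="DAYS" | jq -r .CertificateArn)
+
+aws acm-pca get-certificate \
+--certificate-authority-arn $CA_ARN \
+--certificate-arn $CERT_ARN | \
+jq -r .Certificate > iamra-cert.pem
+
+PROFILE_ARN=$PROFILE_ARN ROLE_ARN=$ROLE_ARN TRUST_ANCHOR_ARN=$TRUST_ANCHOR_ARN envsubst <e2e/iamra-test/iamra-values.yaml >replaced-values.yaml
+
+make manager
+make create-local-registry
+make kind-cluster
+make deploy-cert-manager
+make docker-build
+make docker-push-local
+
+kubectl create secret tls -n aws-privateca-issuer cert --cert=iamra-cert.pem --key=iamra.key
+
+sleep 15
+
+helm install issuer ./charts/aws-pca-issuer -f replaced-values.yaml -n aws-privateca-issuer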
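Review bot: `aws acm-pca get-certificate` (lines 16-19) is called immediately after `issue-certificate` returns, but issuance is asynchronous and the call can come back with `RequestInProgressException` while the certificate is still being signed, which `set -e` on line 1 turns into a failed run; insert `aws acm-pca wait certificate-issued --certificate-authority-arn "$CA_ARN" --certificate-arn "$CERT_ARN"` between the two commands, and quote the ARN expansions on lines 11, 17 and 18 while there. The script has no shebang although the workflow executes it as `./e2e/iamra-test/test.sh`, so it currently relies on the calling shell's fallback for a non-executable-format file; add `#!/usr/bin/env bash` as line 1 so `pipefail` is guaranteed to be interpreted by bash. The `sleep 15` on line 32 looks like a wait for something deployed by the preceding `make` targets; a `kubectl wait` or `kubectl rollout status` on that resource would be less flaky than a fixed delay, though what it is waiting on is not visible here.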
