UID2-3783 Add steps for eks e2e test

.github/workflows/shared-run-e2e-tests.yaml

@@ -40,15 +40,15 @@ on:
         description: 'Config: Operator branch for config'
         type: string
         default: main
-      core_branch:
+      branch_core:
         description: 'Config: Core branch for config'
         type: string
         default: main
-      optout_branch:
+      branch_optout:
         description: 'Config: Optout branch for config'
         type: string
         default: main
-      admin_branch:
+      branch_admin:
         description: 'Config: Admin branch for config'
         type: string
         default: main
@@ -88,6 +88,10 @@ on:
         description: The AWS PCR0
         type: string
 
+      eks_pcr0:
+        description: The EKS PCR0
+        type: string
+
 env:
   REGISTRY: ghcr.io
 
@@ -120,28 +124,28 @@ jobs:
       - name: Checkout uid2-core repo
         uses: actions/checkout@v4
         with:
-          ref: ${{ inputs.core_branch }}
+          ref: ${{ inputs.branch_core }}
           repository: IABTechLab/uid2-core
           path: uid2-core
 
       - name: Checkout uid2-optout repo
         uses: actions/checkout@v4
         with:
-          ref: ${{ inputs.optout_branch }}
+          ref: ${{ inputs.branch_optout }}
           repository: IABTechLab/uid2-optout
           path: uid2-optout
 
       - name: Checkout uid2-admin repo
         uses: actions/checkout@v4
         with:
-          ref: ${{ inputs.admin_branch }}
+          ref: ${{ inputs.branch_admin }}
           repository: IABTechLab/uid2-admin
           path: uid2-admin
 
       - name: Checkout uid2-shared-actions repo
         uses: actions/checkout@v4
         with:
-          ref: v2
+          ref: v3
           repository: IABTechLab/uid2-shared-actions
           path: uid2-shared-actions
 
@@ -157,7 +161,7 @@ jobs:
 
       - name: Bring up bore
         id: bore
-        if: ${{ inputs.operator_type == 'gcp' || inputs.operator_type == 'azure' || inputs.operator_type == 'aws' }}
+        if: ${{ inputs.operator_type == 'gcp' || inputs.operator_type == 'azure' || inputs.operator_type == 'aws' || inputs.operator_type == 'eks'}}
         run: |
           bash uid2-shared-actions/scripts/setup_bore.sh
 
@@ -188,6 +192,15 @@ jobs:
           admin_root: ${{ inputs.admin_root }}
           aws_pcr0: ${{ inputs.aws_pcr0 }}
 
+      - name: Prepare EKS metadata
+        id: prepare_eks_metadata
+        if: ${{ inputs.operator_type == 'eks' }}
+        uses: IABTechLab/uid2-shared-actions/actions/prepare_eks_metadata@v3
+        with:
+          operator_image_version: ${{ inputs.operator_image_version }}
+          admin_root: ${{ inputs.admin_root }}
+          eks_pcr0: ${{ inputs.eks_pcr0 }}
+
       - name: Bring up Docker Compose
         id: docker-compose
         env:
@@ -213,7 +226,6 @@ jobs:
         with:
           bore_url_core: ${{ steps.bore.outputs.BORE_URL_CORE }}
           bore_url_optout: ${{ steps.bore.outputs.BORE_URL_OPTOUT }}
-          bore_url_localstack: ${{ steps.bore.outputs.BORE_URL_LOCALSTACK }}
           gcp_project: ${{ inputs.gcp_project }}
           gcp_service_account: ${{ inputs.gcp_service_account }}
           image_hash: ${{ steps.prepare_gcp_metadata.outputs.image_hash }}
@@ -244,6 +256,19 @@ jobs:
           identity_scope: ${{ inputs.uid2_e2e_identity_scope }}
           operator_key: ${{ steps.prepare_aws_metadata.outputs.operator_key }}
 
+      - name: Start EKS operator
+        id: start_EKS_operator
+        if: ${{ inputs.operator_type == 'eks' }}
+        uses: IABTechLab/uid2-shared-actions/actions/start_eks_operator@v3
+        with:
+          bore_url_core: ${{ steps.bore.outputs.BORE_URL_CORE }}
+          bore_url_optout: ${{ steps.bore.outputs.BORE_URL_OPTOUT }}
+          bore_url_localstack: ${{ steps.bore.outputs.BORE_URL_LOCALSTACK }}
+          identity_scope: ${{ inputs.uid2_e2e_identity_scope }}
+          operator_image_version: ${{ inputs.operator_image_version }}
+          operator_root: ${{ inputs.operator_root }}
+          operator_key: ${{ steps.prepare_eks_metadata.outputs.operator_key }}
+
       - name: Decide E2E test environment variables
         id: decide_env_var
         shell: bash
@@ -327,3 +352,7 @@ jobs:
           AWS_REGION: ${{ inputs.aws_region }}
         run: |
           bash uid2-shared-actions/scripts/aws/stop_aws_enclave.sh
+
+      - name: Stop EKS operator
+        if: ${{ inputs.operator_type == 'eks' }}
+        uses: IABTechLab/uid2-shared-actions/actions/stop_eks_operator@v3

.gitignore

@@ -1 +1,2 @@
-.idea/
+.idea/
+*.key

actions/prepare_eks_metadata/action.yaml

@@ -0,0 +1,32 @@
+name: Prepare AWS Metadata
+description: Prepares the AWS Nitro enclave metadata
+
+inputs:
+  operator_image_version:
+    description: The uid2-operator image version
+    default: latest
+  admin_root:
+    description: The root path for uid2-admin folder
+    default: uid2-admin
+  eks_pcr0:
+    description: The EKS PCR0
+    required: true
+
+outputs:
+  operator_key:
+    description: The operator key
+    value: ${{ steps.enclave_metadata.outputs.OPERATOR_KEY }}
+
+runs:
+  using: "composite"
+
+  steps:
+    - name: Prepare EKS enclave metadata
+      id: enclave_metadata
+      shell: bash
+      env:
+        ADMIN_ROOT: ${{ inputs.admin_root }}
+        ENCLAVE_ID: ${{ inputs.eks_pcr0 }}
+        ENCLAVE_PROTOCOL: aws-nitro
+      run: |
+        bash uid2-shared-actions/scripts/save_enclave_id_to_admin.sh

actions/start_eks_operator/action.yaml

@@ -0,0 +1,75 @@
+name: Start EKS Private Operator
+description: Spins up an EKS private operator
+
+inputs:
+  bore_url_core:
+    description: The bore URL for core service
+    required: true
+  bore_url_optout:
+    description: The bore URL for optout service
+    required: true
+  bore_url_localstack:
+    description: The bore URL for localstack service
+    required: true
+  identity_scope:
+    description: The identity scope [UID2, EUID]
+    required: true
+  operator_image_version:
+    description: The uid2-operator image version
+    default: latest
+  operator_root:
+    description: The root path for uid2-operator folder
+    default: uid2-operator
+  operator_key:
+    description: The operator key
+    required: true
+
+# outputs:
+#   uid2_e2e_pipeline_operator_url:
+#     description: The EKS operator URL
+#     value: ${{ steps.start_aws.outputs.uid2_e2e_pipeline_operator_url }}
+
+runs:
+  using: "composite"
+
+  steps:
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-region: us-east-2
+        role-to-assume: arn:aws:iam::072245134533:role/github-runner-for-uid2-operator
+
+    - name: Check AWS caller identity
+      shell: bash
+      run: aws sts get-caller-identity
+
+    - name: Set up kubernetes context
+      shell: bash
+      run: |
+        aws eks --region us-east-2 update-kubeconfig --name uid-test-git-us-east-2
+
+    - name: Create secrets in the kubernetes cluster
+      id: create_secrets
+      shell: bash
+      env:
+        OPERATOR_KEY: ${{ inputs.operator_key }}
+        BORE_URL_CORE: ${{ inputs.bore_url_core }}
+        BORE_URL_OPTOUT: ${{ inputs.bore_url_optout }}
+      run: |
+        bash uid2-shared-actions/scripts/eks/create_secret_in_k8.sh
+
+    - name: Prepare EKS enclave deployment files
+      id: enclave_metadata
+      shell: bash
+      env:
+        IMAGE_VERSION: ${{ inputs.operator_image_version }}
+        OPERATOR_ROOT: ${{ inputs.operator_root }}
+      run: |
+        bash uid2-shared-actions/scripts/eks/prepare_eks_deployment_files.sh
+
+    - name: Start EKS operator
+      id: start_eks
+      shell: bash
+      run: |
+        cat ${{ inputs.operator_root }}/scripts/aws/eks/deployment_files/deployment.yaml
+        kubectl apply -f ${{ inputs.operator_root }}/scripts/aws/eks/deployment_files/deployment.yaml

actions/start_gcp_private_operator/action.yaml

@@ -8,9 +8,6 @@ inputs:
   bore_url_optout:
     description: The bore URL for optout service
     required: true
-  bore_url_localstack:
-    description: The bore URL for localstack service
-    required: true
   gcp_project:
     description: The name of the GCP project
     required: true
@@ -44,7 +41,6 @@ runs:
         SERVICE_ACCOUNT: ${{ inputs.gcp_service_account }}
         BORE_URL_CORE: ${{ inputs.bore_url_core }}
         BORE_URL_OPTOUT: ${{ inputs.bore_url_optout }}
-        BORE_URL_LOCALSTACK: ${{ inputs.bore_url_localstack }}
         OPERATOR_KEY: ${{ inputs.operator_key }}
         IMAGE_HASH: ${{ inputs.image_hash }}
       run: |

actions/stop_eks_operator/action.yaml

@@ -0,0 +1,27 @@
+name: Stop EKS Operator
+
+runs:
+  using: "composite"
+
+  steps:
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-region: us-east-2
+        role-to-assume: arn:aws:iam::072245134533:role/github-runner-for-uid2-operator
+
+    - name: Check AWS caller identity
+      shell: bash
+      run: aws sts get-caller-identity
+
+    - name: Set up kubernetes context
+      shell: bash
+      run: |
+        aws eks --region us-east-2 update-kubeconfig --name uid-test-git-us-east-2
+
+    - name: Stop EKS operator
+      id: stop_eks
+      shell: bash
+      run: |
+        kubectl delete deployment uid2-operator
+        kubectl delete secret github-test-secret

scripts/eks/create_secret_in_k8.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -ex
+
+if [ -z "${OPERATOR_KEY}" ]; then
+  echo "OPERATOR_KEY can not be empty"
+  exit 1
+fi
+
+if [ -z "${BORE_URL_CORE}" ]; then
+  echo "BORE_URL_CORE can not be empty"
+  exit 1
+fi
+
+if [ -z "${BORE_URL_OPTOUT}" ]; then
+  echo "BORE_URL_OPTOUT can not be empty"
+  exit 1
+fi
+
+source "uid2-shared-actions/scripts/jq_helper.sh"
+
+SECRET_JSON_FILE="uid2-shared-actions/scripts/eks/secret.json"
+
+jq_string_update ${SECRET_JSON_FILE} core_base_url "http://${BORE_URL_CORE}"
+jq_string_update ${SECRET_JSON_FILE} optout_base_url "http://${BORE_URL_OPTOUT}"
+jq_string_update ${SECRET_JSON_FILE} api_token "${OPERATOR_KEY}"
+
+cat ${SECRET_JSON_FILE}
+
+kubectl create secret generic github-test-secret --from-file=config=uid2-shared-actions/scripts/eks/secret.json

scripts/eks/prepare_eks_deployment_files.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -ex
+
+if [ -z "${OPERATOR_ROOT}" ]; then
+  echo "${OPERATOR_ROOT} can not be empty"
+  exit 1
+fi
+
+if [ -z "${IMAGE_VERSION}" ]; then
+  echo "IMAGE_VERSION can not be empty"
+  exit 1
+fi
+
+ROOT="."
+DEPLOYMENT_FILES_ROOT="${OPERATOR_ROOT}/scripts/aws/eks/deployment_files"
+
+ls -al
+
+IMAGE="ghcr.io/iabtechlab/uid2-operator-eks-uid2:${IMAGE_VERSION}"
+
+sed -i "s#IMAGE_PLACEHOLDER#${IMAGE}#g" "${DEPLOYMENT_FILES_ROOT}/deployment.yaml"
+if [[ $? -ne 0 ]]; then
+  echo "Failed to pre-process deployment file"
+  exit 1
+fi

scripts/eks/secret.json

@@ -0,0 +1,10 @@
+{
+    "api_token": "fake-operator-key",
+    "service_instances": 6,
+    "enclave_cpu_count": 6,
+    "enclave_memory_mb": 24576,
+    "environment": "integ",
+    "customize_enclave": "false",
+    "core_base_url": "https://core-integ.uidapi.com",
+    "optout_base_url": "https://optout-integ.uidapi.com"
+}

scripts/save_enclave_id_to_admin.sh

@@ -26,6 +26,7 @@ OPERATOR_KEY=$(jq -r '.[] | select(.protocol=="'${ENCLAVE_PROTOCOL}'") | .key' $
 
 # Update enclave ID
 cat <<< $(jq '(.[] | select((.protocol=="'${ENCLAVE_PROTOCOL}'") and (.name | test(".*Debug.*") | not)) | .identifier) |="'${ENCLAVE_ID}'"' ${ENCLAVE_FILE}) > ${ENCLAVE_FILE}
+cat ${ENCLAVE_FILE}
 
 # Export to GitHub output
 echo "OPERATOR_KEY=${OPERATOR_KEY}"