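---
name: post_tests

# Manually triggered only. Both inputs are `choice` lists, so the values that
# reach the shell step below are limited to the options enumerated here; no
# free-form text is accepted.
on:
  # checkov:skip=CKV_GHA_7:The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty.
  workflow_dispatch:
    inputs:
      posts:
        type: choice
        description: Select post
        default: 2024-05-03-secure-cheap-amazon-eks-with-pod-identities
        # An option may name several posts separated by spaces. The build
        # loop walks the list back-to-front and the destroy loop walks it
        # front-to-back, so list a post after the posts it builds on top of.
        options:
          - 2022-11-27-cheapest-amazon-eks
          - 2022-12-24-amazon-eks-karpenter-tests 2022-11-27-cheapest-amazon-eks
          - 2023-03-08-trivy-operator-grafana 2022-11-27-cheapest-amazon-eks
          - 2023-03-20-velero-and-cert-manager 2022-11-27-cheapest-amazon-eks
          - 2023-04-01-secrets-store-csi-driver-reloader 2023-03-20-velero-and-cert-manager 2022-11-27-cheapest-amazon-eks
          - 2023-06-06-my-favourite-krew-plugins-kubectl 2022-11-27-cheapest-amazon-eks
          - 2023-08-03-cilium-amazon-eks
          - 2023-09-25-secure-cheap-amazon-eks
          - 2024-04-27-exploit-vulnerability-wordpress-plugin-kali-linux-1
          - 2024-05-03-secure-cheap-amazon-eks-with-pod-identities
          - 2023-03-20-velero-and-cert-manager 2024-05-03-secure-cheap-amazon-eks-with-pod-identities
          - 2024-05-09-exploit-vulnerability-wordpress-plugin-kali-linux-2
          - 2024-07-07-detect-a-hacker-attacks-eks-vm
          - 2024-12-12-terraform-keep-sorted
      action:
        type: choice
        description: Select action
        default: build + destroy
        options:
          - build
          - destroy
          - build + destroy

# Non-secret settings shared by every step. Secrets are scoped to the single
# step that consumes them (see the run step below) rather than exported to
# every action in the job.
env:
  AWS_DEFAULT_REGION: us-east-1
  CLUSTER_FQDN: "k01.k8s.mylabs.dev"
  TAGS: "product_id='12345',used_for=dev,[email protected],cluster=k01.k8s.mylabs.dev"

# Read-only GITHUB_TOKEN by default; the job requests only the extra scope it
# needs.
permissions: read-all

jobs:
  post-pipeline:
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # OIDC token used by the AWS credentials step
      contents: read
    name: "${{ inputs.action }} | ${{ inputs.posts }}"
    # One run at a time for this workflow. Runs are never cancelled (the
    # default, spelled out here) so an in-flight destroy is not interrupted.
    concurrency:
      group: post_tests
      cancel-in-progress: false
    timeout-minutes: 100
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          role-duration-seconds: 7000
          role-session-name: GitHubOidcFederatedRole
          aws-region: ${{ env.AWS_DEFAULT_REGION }}
          mask-aws-account-id: true
      - name: Check out repository code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: "${{ inputs.action }} | ${{ inputs.posts }}"
        env:
          GH_TOKEN: ${{ github.token }}
          # Inputs reach the script through environment variables, never by
          # interpolating an expression into the script text.
          GH_ACTION: ${{ inputs.action }}
          GH_INPUTS: ${{ inputs.posts }}
          # Secrets consumed by the sourced post scripts; visible only to this
          # step, not to the checkout or credentials actions above.
          AWS_ROLE_TO_ASSUME: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          GOOGLE_CLIENT_ID: ${{ secrets.GOOGLE_CLIENT_ID }}
          GOOGLE_CLIENT_SECRET: ${{ secrets.GOOGLE_CLIENT_SECRET }}
        run: |
          set -euxo pipefail
          export TMP_DIR="${PWD}/mytmp"
          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"

          # Resolve every selected post name to its markdown file, one array
          # element per file, and fail early when nothing matched instead of
          # sourcing an empty script later on.
          POST_FILES_ARRAY=()
          # shellcheck disable=SC2043
          for POST_FILE in ${GH_INPUTS}; do
            while IFS= read -r FOUND_FILE; do
              POST_FILES_ARRAY+=("${FOUND_FILE}")
            done < <(find "${PWD}/_posts" -type f -name "*${POST_FILE}*.md")
          done
          if [[ ${#POST_FILES_ARRAY[@]} -eq 0 ]]; then
            echo "*** No post files found for: ${GH_INPUTS}" >&2
            exit 1
          fi

          # Install a CLI only when a selected post invokes it and the runner
          # does not already provide it.
          if grep -Eq '(^| )eksctl ' "${POST_FILES_ARRAY[@]}" && ! command -v eksctl &> /dev/null ; then
            echo "*** Installing eksctl"
            brew install eksctl
            eksctl version
          fi
          if grep -Eq '(^| )copilot ' "${POST_FILES_ARRAY[@]}" && ! command -v copilot &> /dev/null ; then
            echo "*** Installing copilot"
            brew install copilot
          fi
          if grep -Eq '(^| )cilium ' "${POST_FILES_ARRAY[@]}" && ! command -v cilium &> /dev/null ; then
            echo "*** Installing cilium"
            brew install cilium-cli
          fi
          if grep -Eq '(^| )rain ' "${POST_FILES_ARRAY[@]}" && ! command -v rain &> /dev/null ; then
            echo "*** Installing rain"
            brew install rain
          fi
          if grep -Eq '(^| )velero ' "${POST_FILES_ARRAY[@]}" && ! command -v velero &> /dev/null ; then
            echo "*** Installing velero"
            brew install velero
          fi

          if [[ "${GH_ACTION}" =~ 'build' ]]; then
            echo -e "********************\n*** Create\n********************"
            # Build from the last listed post to the first.
            for (( idx=${#POST_FILES_ARRAY[@]}-1 ; idx>=0 ; idx-- )); do
              echo "*** ${POST_FILES_ARRAY[idx]} | build"
              # Execute the post's ```bash fenced blocks in this shell.
              # shellcheck disable=SC1090
              source <(echo "set -euxo pipefail" ; sed -n "/^\s*\`\`\`bash$/,/^\s*\`\`\`$/p" "${POST_FILES_ARRAY[idx]}" | sed 's/^\s*```*//')
              # After the base post of an EKS set, write cluster-access hints to
              # the job summary. The role ARN is emitted as the literal text
              # "${AWS_ROLE_TO_ASSUME}" (escaped below), not its value.
              # NOTE(review): CLUSTER_NAME is expected to be exported by the
              # sourced post script on the build path — confirm.
              if [[ "${POST_FILES_ARRAY[*]}" =~ eks && ${idx} -eq ${#POST_FILES_ARRAY[@]}-1 ]]; then
                (
                  echo "<https://${CLUSTER_FQDN}>"
                  echo '```'
                  # shellcheck disable=SC2028
                  echo "eval \"\$(aws sts assume-role --role-arn \"\${AWS_ROLE_TO_ASSUME}\" --role-session-name \"\$USER@\$(hostname -f)-k8s-\$(date +%s)\" --duration-seconds 36000 | jq -r '.Credentials | \"export AWS_ACCESS_KEY_ID=\(.AccessKeyId)\\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey)\\nexport AWS_SESSION_TOKEN=\(.SessionToken)\\n\"')\""
                  echo "export KUBECONFIG=\"/tmp/kubeconfig-${CLUSTER_NAME}.conf\""
                  echo "aws eks update-kubeconfig --region \"${AWS_DEFAULT_REGION}\" --name \"${CLUSTER_NAME}\" --kubeconfig \"\$KUBECONFIG\""
                  echo '```'
                ) | tee -a "${GITHUB_STEP_SUMMARY}"
              fi
            done
          fi

          if [[ "${GH_ACTION}" =~ 'destroy' ]]; then
            echo -e "********************\n*** Destroy\n********************"
            export AWS_DEFAULT_REGION="${AWS_DEFAULT_REGION:-us-east-1}"
            export CLUSTER_NAME="${CLUSTER_FQDN%%.*}"
            export TMP_DIR="${TMP_DIR:-${PWD}}"
            # Refresh the kubeconfig only if the cluster still exists; a failed
            # refresh must not block the teardown below.
            if eksctl get clusters --name="${CLUSTER_NAME}" &> /dev/null; then
              export KUBECONFIG="${TMP_DIR}/${CLUSTER_FQDN}/kubeconfig-${CLUSTER_NAME}.conf"
              aws eks update-kubeconfig --region "${AWS_DEFAULT_REGION}" --name "${CLUSTER_NAME}" --kubeconfig "${KUBECONFIG}" || true
            fi
            # Destroy from the first listed post to the last. Each post's
            # ```sh blocks are best-effort (|| true) so one failure does not
            # stop the remaining teardown.
            for POST_FILE in "${POST_FILES_ARRAY[@]}"; do
              echo "*** ${POST_FILE} | destroy"
              # shellcheck disable=SC1090
              source <(echo "set -euxo pipefail" ; sed -n "/^\`\`\`sh$/,/^\`\`\`$/p" "${POST_FILE}" | sed "/^\`\`\`*/d") || true
            done
          fi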