Merge pull request #607 from fluxcd/oci-test-ci-setup-docs

oci/tests/int: IAM setup automation docs & exit code propagation
fluxcd · Jul 21, 2023 · 2a323d7 · 2a323d7
2 parents 1df1ec5 + 524494d
commit 2a323d7
Show file tree

Hide file tree

Showing 3 changed files with 94 additions and 14 deletions.
diff --git a/oci/tests/integration/README.md b/oci/tests/integration/README.md
@@ -66,6 +66,48 @@ the tests:
 - `Microsoft.ContainerRegistry/*`
 - `Microsoft.ContainerService/*`
 
+#### IAM and CI setup
+
+To create the necessary IAM role with all the permissions, set up CI secrets and
+variables using
+[azure-gh-actions](https://github.com/fluxcd/test-infra/tree/main/tf-modules/azure/github-actions)
+use the terraform configuration below. Please make sure all the requirements of
+azure-gh-actions are followed before running it.
+
+```hcl
+provider "github" {
+  owner = "fluxcd"
+}
+
+module "azure_gh_actions" {
+  source = "git::https://github.com/fluxcd/test-infra.git//tf-modules/azure/github-actions"
+
+  azure_owners          = ["owner-id-1", "owner-id-2"]
+  azure_app_name        = "pkg-oci-e2e"
+  azure_app_description = "pkg oci e2e"
+  azure_permissions = [
+    "Microsoft.Kubernetes/*",
+    "Microsoft.Resources/*",
+    "Microsoft.Authorization/roleAssignments/Read",
+    "Microsoft.Authorization/roleAssignments/Write",
+    "Microsoft.Authorization/roleAssignments/Delete",
+    "Microsoft.ContainerRegistry/*",
+    "Microsoft.ContainerService/*"
+  ]
+  azure_location = "eastus"
+
+  github_project = "pkg"
+
+  github_secret_client_id_name       = "OCI_E2E_AZ_ARM_CLIENT_ID"
+  github_secret_client_secret_name   = "OCI_E2E_AZ_ARM_CLIENT_SECRET"
+  github_secret_subscription_id_name = "OCI_E2E_AZ_ARM_SUBSCRIPTION_ID"
+  github_secret_tenant_id_name       = "OCI_E2E_AZ_ARM_TENANT_ID"
+}
+```
+
+**NOTE:** The environment variables used above are for the GitHub workflow that
+runs the tests. Change the variable names if needed accordingly.
+
 ### Google Cloud Platform
 
 - GCP account with project and GKE, GCR and Artifact Registry services enabled
@@ -115,14 +157,54 @@ $ gcrgc gcr.io/<project-name>
 
 Following roles are needed for provisioning the infrastructure and running the
 tests:
-- `Artifact Registry Administrator`
-- `Compute Instance Admin (v1)`
-- `Compute Storage Admin`
-- `Kubernetes Engine Admin`
-- `Service Account Admin`
-- `Service Account Token Creator`
-- `Service Account User`
-- `Storage Admin`
+- Artifact Registry Administrator - `roles/artifactregistry.admin`
+- Compute Instance Admin (v1) - `roles/compute.instanceAdmin.v1`
+- Compute Storage Admin - `roles/compute.storageAdmin`
+- Kubernetes Engine Admin - `roles/container.admin`
+- Service Account Admin - `roles/iam.serviceAccountAdmin`
+- Service Account Token Creator - `roles/iam.serviceAccountTokenCreator`
+- Service Account User - `roles/iam.serviceAccountUser`
+- Storage Admin - `roles/storage.admin`
+
+#### IAM and CI setup
+
+To create the necessary IAM role with all the permissions, set up CI secrets and
+variables using
+[gcp-gh-actions](https://github.com/fluxcd/test-infra/tree/main/tf-modules/gcp/github-actions)
+use the terraform configuration below. Please make sure all the requirements of
+gcp-gh-actions are followed before running it.
+
+```hcl
+provider "google" {}
+
+provider "github" {
+  owner = "fluxcd"
+}
+
+module "gcp_gh_actions" {
+  source = "git::https://github.com/fluxcd/test-infra.git//tf-modules/gcp/github-actions"
+
+  gcp_service_account_id   = "pkg-oci-e2e"
+  gcp_service_account_name = "pkg-oci-e2e"
+  gcp_roles = [
+    "roles/artifactregistry.admin",
+    "roles/compute.instanceAdmin.v1",
+    "roles/compute.storageAdmin",
+    "roles/container.admin",
+    "roles/iam.serviceAccountAdmin",
+    "roles/iam.serviceAccountTokenCreator",
+    "roles/iam.serviceAccountUser",
+    "roles/storage.admin"
+  ]
+
+  github_project = "pkg"
+
+  github_secret_credentials_name = "OCI_E2E_GOOGLE_CREDENTIALS"
+}
+```
+
+**NOTE:** The environment variables used above are for the GitHub workflow that
+runs the tests. Change the variable names if needed accordingly.
 
 ## Test setup
 

diff --git a/oci/tests/integration/suite_test.go b/oci/tests/integration/suite_test.go
@@ -190,14 +190,11 @@ func TestMain(m *testing.M) {
 			log.Printf("Failed to stop environment: %v", err)
 		}
 
-		// Calling exit on panic prevents logging of panic error.
-		// Exit only on normal return. Explicitly detect panic and log the error
-		// on panic.
-		if err := recover(); err == nil {
-			os.Exit(exitCode)
-		} else {
+		// Log the panic error before exit to surface the cause of panic.
+		if err := recover(); err != nil {
 			log.Printf("panic: %v", err)
 		}
+		os.Exit(exitCode)
 	}()
 
 	// Get terraform state output.

diff --git a/oci/tests/integration/terraform/azure/main.tf b/oci/tests/integration/terraform/azure/main.tf
@@ -27,6 +27,7 @@ module "acr" {
   location         = var.azure_location
   aks_principal_id = [module.aks.principal_id]
   resource_group   = module.aks.resource_group
+  admin_enabled    = true
   tags             = var.tags
 
   depends_on = [module.aks]