testing oidc setup for private ECR pulls

mozilla-it · Nov 29, 2021 · 8b64e69 · 8b64e69
1 parent 610e3cd
commit 8b64e69
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 14 deletions.
diff --git a/.github/ct.yaml b/.github/ct.yaml
@@ -3,7 +3,7 @@ helm-extra-args: --timeout 600s
 check-version-increment: true
 validate-yaml: true
 validate-chart-schema: true
-validate-maintainers: true
+validate-maintainers: false
 target-branch: main
 
 chart-dirs:

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -6,6 +6,9 @@ jobs:
   lint-test:
     env:
       NAMESPACE: "chart-ci-e2e"
+    permissions:
+      id-token: write
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -46,6 +49,8 @@ jobs:
         run: |
           set -e
 
+          kubectl create ns ${{ env.NAMESPACE }}
+
           helm repo add bitnami https://charts.bitnami.com/bitnami
           helm repo update
 
@@ -88,25 +93,31 @@ jobs:
             --set persistence.enabled=false \
             redis-discourse bitnami/redis
 
+      - name: Configure AWS credentials
+        if: steps.list-changed.outputs.changed == 'true'
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: arn:aws:iam::783633885093:role/ecr-readonly-iam
+          aws-region: us-west-2
+
       - name: Install ECR Secret
         if: steps.list-changed.outputs.changed == 'true'
         run: |
           # Gets a valid token to pull from ECR and creates a secret with it
-          ACCOUNT=$(aws sts get-caller-identity --output text --query Account)
           REGION=us-west-2
           SECRET_NAME=ecr-registry
           EMAIL=itse@mozilla.com
 
           # Fetch token (which will expire in 12 hours)
-          TOKEN=$(aws ecr --region=$REGION get-authorization-token --output text --query authorizationData[].authorizationToken | base64 -d | cut -d: -f2)
+          TOKEN=$(aws ecr --region=${REGION} get-authorization-token --output text --query authorizationData[].authorizationToken | base64 -d | cut -d: -f2)
 
           # Create or replace secret
-          kubectl delete secret -n $NAMESPACE --ignore-not-found "$SECRET_NAME"
-          kubectl create secret -n $NAMESPACE docker-registry "$SECRET_NAME" \
-          --docker-server="https://${ACCOUNT}.dkr.ecr.${REGION}.amazonaws.com" \
+          kubectl delete secret -n ${{ env.NAMESPACE }} --ignore-not-found "$SECRET_NAME"
+          kubectl create secret -n ${{ env.NAMESPACE }} docker-registry "$SECRET_NAME" \
+          --docker-server="https://783633885093.dkr.ecr.${REGION}.amazonaws.com" \
           --docker-username=AWS \
           --docker-password="${TOKEN}" \
           --docker-email="${EMAIL}"
            
       - name: Run chart-testing (install)
-        run: ct install --config .github/ct.yaml
+        run: ct install --config .github/ct.yaml --namespace=${{ env.NAMESPACE }}
diff --git a/README.md b/README.md
@@ -10,18 +10,18 @@ This repository contains a collection of Helm charts curated by Mozilla's Servic
 
 ## Referencing images in ECR
 Charts referencing Docker Images stored in an ECR repo under `itsre-apps` subaccount can't be pulled without credentials.   
-Travis is configured to get Pull credentials for repositories inside that account.  
-In order to instruct the testing suite to
-use those credentials you have to create a folder named `ci` inside your chart, a file `test-values.yaml` inside it with the next content:
+
+GitHub Actions is configured to get Pull credentials for repositories inside that account.  
+
+<!-- In order to instruct the testing suite to use those credentials you have to create a folder named `ci` inside your chart, a file `test-values.yaml` inside it with the next content:
 ```
 imagePullSecrets:
   - name: ecr-registry
 ```
-Check [here](https://github.com/mozilla-it/helm-charts/pull/39/commits/1a0fbfed5810a6d6875ca0172adac5065ee03b74#diff-245000fef8fab28267cb8040d6a3d7f6) for an example.
+Check [here](https://github.com/mozilla-it/helm-charts/pull/39/commits/1a0fbfed5810a6d6875ca0172adac5065ee03b74#diff-245000fef8fab28267cb8040d6a3d7f6) for an example. -->
 
 ## Installing Helm Charts from this repository
-This repository is serving Helm Charts using the webserver provided by Github pages. In order to install Helm charts in your cluster
-add this repository to your helm repository list running `helm repo add mozilla-helm-charts https://mozilla-it.github.io/helm-charts/`
+This repository is serving Helm Charts using the webserver provided by Github pages. In order to install Helm charts in your cluster add this repository to your helm repository list running `helm repo add mozilla-helm-charts https://mozilla-it.github.io/helm-charts/`
 
 ## Debug a Chart deployment
 This section describes how to verify that your chart is installed correctly as well as what to do if it is not.

diff --git a/charts/etherpad/Chart.yaml b/charts/etherpad/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: etherpad
 description: A Helm chart for the Mozilla Etherpad application
 type: application
-version: 1.0.0
+version: 1.0.1
 
 keywords:
   - Mozilla

diff --git a/charts/etherpad/ci/test-values.yaml b/charts/etherpad/ci/test-values.yaml
@@ -11,6 +11,15 @@ configMap:
     ETHERPAD_API_KEY: dumberetherpadapikey
     ETHERPAD_SESSION_KEY: dumbetherpadsecretkey
 
+deployment:
+  resources:
+    requests:
+      cpu: 250m
+      memory: 1Gi
+    limits:
+      cpu: 1
+      memory: 2Gi
+
 image:
   tag: stg-9922b5f