[Java/EKS] Add OTLP/OCB test case

Author: majanjua-amzn

.github/workflows/java-eks-otlp-ocb-canary.yml

@@ -0,0 +1,35 @@
+## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+## SPDX-License-Identifier: Apache-2.0
+
+# TODO: Add comment
+name: Java EKS OTLP/OCB Enablement Canary Test
+on:
+  # schedule:
+  #   - cron: '12,37 * * * *' # run the workflow at 12th and 37th minute of every hour
+  workflow_dispatch: # be able to run the workflow on demand
+  push:
+    branches:
+      - otlp-ocb
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  eks:
+    strategy:
+      fail-fast: false
+      matrix:
+        aws-region: ['us-east-1']
+        # aws-region: ['af-south-1','ap-east-1','ap-northeast-1','ap-northeast-2','ap-northeast-3','ap-south-1','ap-south-2','ap-southeast-1',
+        #              'ap-southeast-2','ap-southeast-3','ap-southeast-4','ca-central-1','eu-central-1','eu-central-2','eu-north-1',
+        #              'eu-south-1','eu-south-2','eu-west-1','eu-west-2','eu-west-3','il-central-1','me-central-1','me-south-1', 'sa-east-1',
+        #              'us-east-1','us-east-2','us-west-1','us-west-2']
+    uses: ./.github/workflows/java-eks-otlp-ocb-retry.yml
+    secrets: inherit
+    with:
+      aws-region: ${{ matrix.aws-region }}
+      test-cluster-name: 'e2e-playground'
+      # test-cluster-name: 'e2e-java-otlp-ocb-canary-test'
+      caller-workflow-name: 'appsignals-java-e2e-eks-otlp-ocb-canary-test'
+      java-version: '11'

.github/workflows/java-eks-otlp-ocb-retry.yml

@@ -0,0 +1,71 @@
+## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+## SPDX-License-Identifier: Apache-2.0
+
+# This is a reusable workflow for running the Enablement test for App Signals.
+# It is meant to be called from another workflow.
+# Read more about reusable workflows: https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
+name: Java EKS OTLP/OCB Retry
+on:
+  workflow_call:
+    inputs:
+      aws-region:
+        required: true
+        type: string
+      test-cluster-name:
+        required: true
+        type: string
+      caller-workflow-name:
+        required: true
+        type: string
+      java-version:
+        required: true
+        type: string
+
+concurrency:
+  group: 'java-eks-otlp-ocb-${{ inputs.aws-region }}-${{ github.ref_name }}'
+  cancel-in-progress: false
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  java-eks-otlp-ocb-attempt-1:
+    uses: ./.github/workflows/java-eks-otlp-ocb-test.yml
+    secrets: inherit
+    with:
+      aws-region: ${{ inputs.aws-region }}
+      test-cluster-name: ${{ inputs.test-cluster-name }}
+      caller-workflow-name: ${{ inputs.caller-workflow-name }}
+      java-version: ${{ inputs.java-version }}
+
+  # java-eks-otlp-ocb-attempt-2:
+  #   needs: [ java-eks-otlp-ocb-attempt-1 ]
+  #   if: ${{ needs.java-eks-otlp-ocb-attempt-1.outputs.job-started != 'true' }}
+  #   uses: ./.github/workflows/java-eks-otlp-ocb-test.yml
+  #   secrets: inherit
+  #   with:
+  #     aws-region: ${{ inputs.aws-region }}
+  #     test-cluster-name: ${{ inputs.test-cluster-name }}
+  #     caller-workflow-name: ${{ inputs.caller-workflow-name }}
+  #     java-version: ${{ inputs.java-version }}
+
+  # publish-metric-attempt-1:
+  #   needs: [ java-eks-otlp-ocb-attempt-1, java-eks-otlp-ocb-attempt-2 ]
+  #   if: always()
+  #   uses: ./.github/workflows/enablement-test-publish-result.yml
+  #   secrets: inherit
+  #   with:
+  #     aws-region: ${{ inputs.aws-region }}
+  #     caller-workflow-name: ${{ inputs.caller-workflow-name }}
+  #     validation-result: ${{ needs.java-eks-otlp-ocb-attempt-1.outputs.validation-result || needs.java-eks-otlp-ocb-attempt-2.outputs.validation-result }}
+
+  # publish-metric-attempt-2:
+  #   needs: [ java-eks-otlp-ocb-attempt-1, java-eks-otlp-ocb-attempt-2, publish-metric-attempt-1 ]
+  #   if: ${{ always() && needs.publish-metric-attempt-1.outputs.job-started != 'true' }}
+  #   uses: ./.github/workflows/enablement-test-publish-result.yml
+  #   secrets: inherit
+  #   with:
+  #     aws-region: ${{ inputs.aws-region }}
+  #     caller-workflow-name: ${{ inputs.caller-workflow-name }}
+  #     validation-result: ${{ needs.java-eks-otlp-ocb-attempt-1.outputs.validation-result || needs.java-eks-otlp-ocb-attempt-2.outputs.validation-result }}

.github/workflows/java-eks-otlp-ocb-test.yml

@@ -0,0 +1,268 @@
+## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+## SPDX-License-Identifier: Apache-2.0
+
+# This is a reusable workflow for running the Enablement test for App Signals.
+# It is meant to be called from another workflow.
+# Read more about reusable workflows: https://docs.github.com/en/actions/using-workflows/reusing-workflows#overview
+name: Java EKS OTLP/OCB Use Case
+on:
+  workflow_call:
+    inputs:
+      aws-region:
+        required: true
+        type: string
+      test-cluster-name:
+        required: true
+        type: string
+      caller-workflow-name:
+        required: true
+        type: string
+      java-version:
+        description: "Currently support version 8, 11, 17, 21, 22"
+        required: false
+        type: string
+        default: '11'
+      adot-image-name:
+        required: false
+        type: string
+      cw-agent-operator-tag:
+        required: false
+        type: string
+    outputs:
+      job-started:
+        value: ${{ jobs.metric-limiter.outputs.job-started }}
+      validation-result:
+        value: ${{ jobs.metric-limiter.outputs.validation-result }}
+
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  # The precense of this env var is required for use by terraform and AWS CLI commands
+  # It is not redundant
+  E2E_TEST_AWS_REGION: ${{ inputs.aws-region }}
+  CLUSTER_NAME: ${{ inputs.test-cluster-name }}
+  CALLER_WORKFLOW_NAME: ${{ inputs.caller-workflow-name }}
+  JAVA_VERSION: ${{ inputs.java-version }}
+  ADOT_IMAGE_NAME: ${{ inputs.adot-image-name }}
+  CW_AGENT_OPERATOR_TAG: ${{ inputs.cw-agent-operator-tag }}
+  E2E_TEST_ACCOUNT_ID: ${{ secrets.APPLICATION_SIGNALS_E2E_TEST_ACCOUNT_ID }}
+  E2E_TEST_ROLE_NAME: ${{ secrets.APPLICATION_SIGNALS_E2E_TEST_ROLE_NAME }}
+  METRIC_NAMESPACE: ApplicationSignals
+  LOG_GROUP_NAME: /aws/application-signals/data
+  TEST_RESOURCES_FOLDER: ${GITHUB_WORKSPACE}
+
+jobs:
+  otlp-ocb:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    outputs:
+      job-started: ${{ steps.job-started.outputs.job-started }}
+      validation-result: ${{ steps.validation-result.outputs.validation-result }}
+    steps:
+      - name: Check if the job started
+        id: job-started
+        run: echo "job-started=true" >> $GITHUB_OUTPUT
+
+      - name: Generate testing id and sample app namespace
+        run: |
+          echo TESTING_ID="${{ github.job }}-${{ github.run_id }}-${{ github.run_number }}-${{ github.run_attempt }}" >> $GITHUB_ENV
+          echo SAMPLE_APP_NAMESPACE="ns-${{ github.run_id }}-${{ github.run_number }}" >> $GITHUB_ENV
+
+      - uses: actions/checkout@v4
+        with:
+          repository: 'aws-observability/aws-application-signals-test-framework'
+          ref: ${{ env.CALLER_WORKFLOW_NAME == 'main-build' && 'main' || github.ref }}
+          fetch-depth: 0
+
+        # We initialize Gradlew Daemon early on during the workflow because sometimes initialization
+        # fails due to transient issues. If it fails here, then we will try again later before the validators
+      - name: Initiate Gradlew Daemon
+        id: initiate-gradlew
+        uses: ./.github/workflows/actions/execute_and_retry
+        continue-on-error: true
+        with:
+          command: "./gradlew :validator:build"
+          cleanup: "./gradlew clean"
+          max_retry: 3
+          sleep_time: 60
+
+      - name: Download enablement script
+        uses: ./.github/workflows/actions/execute_and_retry
+        with:
+          pre-command: "mkdir enablement-script && cd enablement-script"
+          command: "wget https://raw.githubusercontent.com/aws-observability/application-signals-demo/refs/heads/ocb/scripts/eks/appsignals/enable-app-signals-ocb.sh"
+          cleanup: "rm -f enable-app-signals.sh && rm -f clean-app-signals.sh"
+          post-command: "chmod +x enable-app-signals.sh && chmod +x clean-app-signals.sh"
+
+      - name: Remove log group deletion command
+        if: always()
+        working-directory: enablement-script
+        run: |
+          delete_log_group="aws logs delete-log-group --log-group-name '${{ env.LOG_GROUP_NAME }}' --region \$REGION"
+          sed -i "s#$delete_log_group##g" clean-app-signals.sh
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ env.E2E_TEST_ACCOUNT_ID }}:role/${{ env.E2E_TEST_ROLE_NAME }}
+          aws-region: us-east-1
+
+      - name: Retrieve account
+        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+        with:
+          secret-ids: |
+            ACCOUNT_ID, region-account/${{ env.E2E_TEST_AWS_REGION }}
+            JAVA_MAIN_SAMPLE_APP_IMAGE, e2e-test/java-main-sample-app-image
+            JAVA_REMOTE_SAMPLE_APP_IMAGE, e2e-test/java-remote-sample-app-image
+
+      # If the workflow is running as a canary, then we want to log in to the aws account in the appropriate region
+      - name: Configure AWS Credentials
+        if: ${{ github.event.repository.name == 'aws-application-signals-test-framework' }}
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ env.ACCOUNT_ID }}:role/${{ env.E2E_TEST_ROLE_NAME }}
+          aws-region: ${{ env.E2E_TEST_AWS_REGION }}
+
+      # local directory to store the kubernetes config
+      - name: Create kubeconfig directory
+        run: mkdir -p ${{ github.workspace }}/.kube
+
+      - name: Set KUBECONFIG environment variable
+        run: echo KUBECONFIG="${{ github.workspace }}/.kube/config" >> $GITHUB_ENV
+
+      - name: Set up kubeconfig
+        run: aws eks update-kubeconfig --name ${{ env.CLUSTER_NAME }} --region ${{ env.E2E_TEST_AWS_REGION }}
+
+      - name: Download and install eksctl
+        uses: ./.github/workflows/actions/execute_and_retry
+        with:
+          pre-command: 'mkdir ${{ github.workspace }}/eksctl'
+          command: 'curl -sLO "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_Linux_amd64.tar.gz" 
+            && tar -xzf eksctl_Linux_amd64.tar.gz -C ${{ github.workspace }}/eksctl && rm eksctl_Linux_amd64.tar.gz'
+          cleanup: 'rm -f eksctl_Linux_amd64.tar.gz'
+
+      - name: Add eksctl to Github Path
+        run: |
+          echo "${{ github.workspace }}/eksctl" >> $GITHUB_PATH
+
+      # This step deletes lingering resources from previous test runs
+      - name: Delete all sample app namespaces
+        continue-on-error: true
+        timeout-minutes: 5
+        run: kubectl get namespace | awk '/^ns-[0-9]+-[0-9]+/{print $1}' | xargs kubectl delete namespace
+
+      # Set up App Signals permissions and resources
+      - name: Create role for AWS access from the sample app
+        id: create_service_account
+        uses: ./.github/workflows/actions/execute_and_retry
+        with:
+          command: "eksctl create iamserviceaccount \
+            --name service-account-${{ env.TESTING_ID }} \
+            --namespace ${{ env.SAMPLE_APP_NAMESPACE }} \
+            --cluster ${{ env.CLUSTER_NAME }} \
+            --role-name eks-s3-access-${{ env.TESTING_ID }} \
+            --attach-policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess \
+            --region ${{ env.E2E_TEST_AWS_REGION }} \
+            --approve"
+          cleanup: "eksctl delete iamserviceaccount \
+            --name service-account-${{ env.TESTING_ID }} \
+            --namespace ${{ env.SAMPLE_APP_NAMESPACE }} \
+            --cluster ${{ env.CLUSTER_NAME }} \
+            --region ${{ env.E2E_TEST_AWS_REGION }}"
+          sleep_time: 60
+
+      - name: Set up terraform
+        uses: ./.github/workflows/actions/execute_and_retry
+        with:
+          command: "wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg"
+          post-command: 'echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
+              && sudo apt update && sudo apt install terraform'
+          sleep_time: 60
+
+      - name: Initiate Terraform
+        uses: ./.github/workflows/actions/execute_and_retry
+        with:
+          command: "cd ${{ env.TEST_RESOURCES_FOLDER }}/terraform/java/eks-otlp-ocb && terraform init && terraform validate"
+          cleanup: "rm -rf .terraform && rm -rf .terraform.lock.hcl"
+          max_retry: 6
+          sleep_time: 60
+
+      - name: Set Sample App Image
+        run: |
+          echo MAIN_SAMPLE_APP_IMAGE_ARN="${{ env.ACCOUNT_ID }}.dkr.ecr.${{ env.E2E_TEST_AWS_REGION }}.amazonaws.com/${{ env.JAVA_MAIN_SAMPLE_APP_IMAGE }}:v${{ env.JAVA_VERSION }}" >> $GITHUB_ENV
+          echo REMOTE_SAMPLE_APP_IMAGE_ARN="${{ env.ACCOUNT_ID }}.dkr.ecr.${{ env.E2E_TEST_AWS_REGION }}.amazonaws.com/${{ env.JAVA_REMOTE_SAMPLE_APP_IMAGE }}:v${{ env.JAVA_VERSION }}" >> $GITHUB_ENV
+
+      # TODO: Fix retry, clean-app-signals doesn't work for enable-app-signals-ocb.sh
+      - name: Install OTel Operator using enablement script
+        uses: ./.github/workflows/actions/execute_and_retry
+        with:
+          command: "${{ env.TEST_RESOURCES_FOLDER }}/enablement-script/enable-app-signals-ocb.sh \
+            ${{ env.CLUSTER_NAME }} \
+            ${{ env.E2E_TEST_AWS_REGION }} \
+            ${{ env.SAMPLE_APP_NAMESPACE }}"
+          max_retry: 1
+          sleep_time: 60
+          # TODO: cleanup and increase retries
+          # cleanup: "TODO"
+
+      - name: Install OTel Collector
+        uses: ./.github/workflows/actions/execute_and_retry
+        with:
+          command: "cd ${{ env.TEST_RESOURCES_FOLDER }}/terraform/java/eks-otlp-ocb/util && kubectl apply -f ./appsignals-collector.yaml -n ${{ env.SAMPLE_APP_NAMESPACE }}"
+          cleanup: "kubectl delete -f ./appsignals-collector.yaml -n ${{ env.SAMPLE_APP_NAMESPACE }} && \
+            aws eks update-kubeconfig --name ${{ env.CLUSTER_NAME }} --region ${{ env.E2E_TEST_AWS_REGION }}"
+
+      - name: Deploy sample app via terraform and wait for the endpoint to come online
+        id: deploy-sample-app
+        uses: ./.github/workflows/actions/execute_and_retry
+        with:
+          command: "cd ${{ env.TEST_RESOURCES_FOLDER }}/terraform/java/eks-otlp-ocb && \
+            terraform apply -auto-approve \
+              -var=\"test_id=${{ env.TESTING_ID }}\" \
+              -var=\"aws_region=${{ env.E2E_TEST_AWS_REGION }}\" \
+              -var=\"kube_directory_path=${{ github.workspace }}/.kube\" \
+              -var=\"eks_cluster_name=${{ env.CLUSTER_NAME }}\" \
+              -var=\"eks_cluster_context_name=$(kubectl config current-context)\" \
+              -var=\"test_namespace=${{ env.SAMPLE_APP_NAMESPACE }}\" \
+              -var=\"service_account_aws_access=service-account-${{ env.TESTING_ID }}\" \
+              -var=\"sample_app_image=${{ env.MAIN_SAMPLE_APP_IMAGE_ARN }}\" \
+              -var=\"sample_remote_app_image=${{ env.REMOTE_SAMPLE_APP_IMAGE_ARN }}\" \
+              -var='account_id=${{ env.ACCOUNT_ID }}'"
+          cleanup: "terraform destroy -auto-approve \
+            -var=\"test_id=${{ env.TESTING_ID }}\" \
+            -var=\"aws_region=${{ env.E2E_TEST_AWS_REGION }}\" \
+            -var=\"kube_directory_path=${{ github.workspace }}/.kube\" \
+            -var=\"eks_cluster_name=${{ env.CLUSTER_NAME }}\" \
+            -var=\"test_namespace=${{ env.SAMPLE_APP_NAMESPACE }}\" \
+            -var=\"service_account_aws_access=service-account-${{ env.TESTING_ID }}\" \
+            -var=\"sample_app_image=${{ env.MAIN_SAMPLE_APP_IMAGE_ARN }}\" \
+            -var=\"sample_remote_app_image=${{ env.REMOTE_SAMPLE_APP_IMAGE_ARN }}\""
+          max_retry: 2
+          sleep_time: 60
+
+      - name: Validate traces
+        id: trace-validation
+        run: echo "TEST"
+
+      - name: Refresh AWS Credentials
+        if: ${{ github.event.repository.name == 'aws-application-signals-test-framework' }}
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::${{ env.ACCOUNT_ID }}:role/${{ env.E2E_TEST_ROLE_NAME }}
+          aws-region: ${{ env.E2E_TEST_AWS_REGION }}
+
+      - name: Save test results
+        if: always()
+        id: validation-result
+        run: |
+          if [ "${{ steps.trace-validation.outcome }}" = "success" ]; then
+            echo "validation-result=success" >> $GITHUB_OUTPUT
+          else
+            echo "validation-result=failure" >> $GITHUB_OUTPUT
+          fi
+
+      # TODO: Cleanup
+      - name: Clean up
+        run: echo "TODO"

terraform/java/eks-otlp-ocb/kubeconfig.tpl

@@ -0,0 +1,18 @@
+apiVersion: v1
+clusters:
+- cluster:
+    certificate-authority-data: ${CA_DATA}
+    server: ${SERVER_ENDPOINT}
+  name: ${CLUSTER_NAME}
+contexts:
+- context:
+    cluster: ${CLUSTER_NAME}
+    user: terraform_user
+  name: ${CLUSTER_NAME}
+current-context: ${CLUSTER_NAME}
+kind: Config
+preferences: {}
+users:
+- name: terraform_user
+  user:
+    token: ${TOKEN}