|
15 | 15 | - Azure account with an active subscription to be able to create AKS and ACR, |
16 | 16 | and permission to assign roles. Role assignment is required for allowing AKS |
17 | 17 | workloads to access ACR. |
18 | | -- Azure CLI, need to be logged in using `az login`. |
| 18 | +- Azure CLI, need to be logged in using `az login` as a User (not a Service |
| 19 | + Principal). |
| 20 | + |
| 21 | + **NOTE:** To use Service Principal (for example in CI environment), set the |
| 22 | + `ARM-*` variables in `.env`, source it and authenticate Azure CLI with: |
| 23 | + ```console |
| 24 | + $ az login --service-principal -u $ARM_CLIENT_ID -p $ARM_CLIENT_SECRET --tenant $ARM_TENANT_ID |
| 25 | + ``` |
| 26 | + In this case, the AzureRM client in terraform uses the Service Principal to |
| 27 | + authenticate and the Azure CLI is used only for authenticating with ACR for |
| 28 | + logging in and pushing container images. Attempting to authenticate terraform |
| 29 | + using Azure CLI with Service Principal results in the following error: |
| 30 | + > Authenticating using the Azure CLI is only supported as a User (not a Service Principal). |
19 | 31 | - Docker CLI for registry login. |
20 | 32 | - kubectl for applying certain install manifests. |
21 | 33 |
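Review bot: `ARM-*` in the NOTE (new line 22) should read `ARM_*`, since the variables the login command actually consumes are `ARM_CLIENT_ID`, `ARM_CLIENT_SECRET` and `ARM_TENANT_ID`; naming the expected variables explicitly instead of a glob would also make the `.env` contract clear. Separately, passing the secret as `-p $ARM_CLIENT_SECRET` places it in shell history and in the process list for the lifetime of the command; that is acceptable on a throwaway CI runner, but a one-line caveat for anyone running this locally would be worth adding next to the command.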
|
| 34 | +#### Permissions |
| 35 | + |
| 36 | +Following permissions are needed for provisioning the infrastructure and running |
| 37 | +the tests: |
| 38 | +- `Microsoft.Kubernetes/*` |
| 39 | +- `Microsoft.Resources/*` |
| 40 | +- `Microsoft.Authorization/roleAssignments/{Read,Write,Delete}` |
| 41 | +- `Microsoft.ContainerRegistry/*` |
| 42 | +- `Microsoft.ContainerService/*` |
| 43 | + |
22 | 44 | ### Google Cloud Platform |
23 | 45 |
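Review bot: the permissions list (new lines 38-42) mixes a brace-expansion shorthand with real action names: `Microsoft.Authorization/roleAssignments/{Read,Write,Delete}` is not a valid action string, and the actual operations are lowercase, so list `Microsoft.Authorization/roleAssignments/read`, `Microsoft.Authorization/roleAssignments/write` and `Microsoft.Authorization/roleAssignments/delete` as three entries that can be pasted into a custom role definition. Also, AKS is provisioned through `Microsoft.ContainerService/*`, which is already listed; if `Microsoft.Kubernetes/*` is genuinely needed by this test suite, say which resource requires it, otherwise drop it so the documented role stays minimal.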
|
24 | 46 | - GCP account with project and GKE, GCR and Artifact Registry services enabled |
25 | 47 | in the project. |
26 | | -- gcloud CLI, need to be logged in using `gcloud auth login`. |
| 48 | +- gcloud CLI, need to be logged in using `gcloud auth login` as a User (not a |
| 49 | + Service Account), configure application default credentials with `gcloud auth |
| 50 | + application-default login` and docker credential helper with `gcloud auth configure-docker`. |
| 51 | + |
| 52 | + **NOTE:** To use Service Account (for example in CI environment), set |
| 53 | + `GOOGLE_APPLICATION_CREDENTIALS` variable in `.env` with the path to the JSON |
| 54 | + key file, source it and authenticate gcloud CLI with: |
| 55 | + ```console |
| 56 | + $ gcloud auth activate-service-account --key-file=$GOOGLE_APPLICATION_CREDENTIALS |
| 57 | + ``` |
| 58 | + Depending on the Container/Artifact Registry host used in the test, authenticate |
| 59 | + docker accordingly |
| 60 | + ```console |
| 61 | + $ gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://us-central1-docker.pkg.dev |
| 62 | + $ gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://gcr.io |
| 63 | + ``` |
| 64 | + In this case, the GCP client in terraform uses the Service Account to |
| 65 | + authenticate and the gcloud CLI is used only to authenticate with Google |
| 66 | + Container Registry and Google Artifact Registry. |
| 67 | + |
| 68 | + **NOTE FOR CI USAGE:** When saving the JSON key file as a CI secret, compress |
| 69 | + the file content with |
| 70 | + ```console |
| 71 | + $ cat key.json | jq -r tostring |
| 72 | + ``` |
| 73 | + to prevent aggressive masking in the logs. Refer |
| 74 | + [aggressive replacement in logs](https://github.com/google-github-actions/auth/blob/v1.1.0/docs/TROUBLESHOOTING.md#aggressive--replacement-in-logs) |
| 75 | + for more details. |
27 | 76 | - Docker CLI for registry login. |
28 | 77 | - kubectl for applying certain install manifests. |
29 | 78 |
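Review bot: "authenticate docker accordingly" (new line 59) runs straight into the code block without punctuation; end it with a colon. In the CI note (new line 71), `cat key.json | jq -r tostring` can simply be `jq -r tostring key.json`, and since that command prints the full service account private key to the terminal, the paragraph should say that the output is a long-lived credential that belongs only in the CI secret store and should not be left in shell history or scrollback. The two `docker login` lines fed from `gcloud auth print-access-token` with `--password-stdin` are the right pattern here (short-lived token, never on the command line) and need no change.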
|
30 | 79 | **NOTE:** Unlike ECR, ACR and Google Artifact Registry, Google Container |
31 | 80 | Registry tests don't create a new registry. It pushes to an existing registry |
32 | 81 | host in a project, for example `gcr.io`. Due to this, the test images pushed to |
33 | 82 | GCR aren't cleaned up automatically at the end of the test and have to be |
34 | | -deleted manually. |
| 83 | +deleted manually. [`gcrgc`](https://github.com/graillus/gcrgc) can be used to |
| 84 | +automatically delete all the GCR images. |
| 85 | +```console |
| 86 | +$ gcrgc gcr.io/<project-name> |
| 87 | +``` |
| 88 | + |
| 89 | +#### Permissions |
| 90 | + |
| 91 | +Following roles are needed for provisioning the infrastructure and running the |
| 92 | +tests: |
| 93 | +- `Artifact Registry Administrator` |
| 94 | +- `Compute Instance Admin (v1)` |
| 95 | +- `Compute Storage Admin` |
| 96 | +- `Kubernetes Engine Admin` |
| 97 | +- `Service Account Admin` |
| 98 | +- `Service Account Token Creator` |
| 99 | +- `Service Account User` |
| 100 | +- `Storage Admin` |
35 | 101 |
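Review bot: `gcrgc gcr.io/<project-name>` (new line 86) deletes every image under that registry host for the project, not just the images the tests pushed, so "automatically delete all the GCR images" should state that plainly and recommend running it only in a project dedicated to these tests. In the Permissions list (new lines 91-100), "Following roles" should read "The following roles", and it would help to note which step needs the broad `Service Account Token Creator` and `Storage Admin` roles, so a reader provisioning a least-privilege CI identity knows when they can be left out.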
|
36 | 102 | ## Test setup |
37 | 103 |