
Commit 6814c01

authored
Merge pull request #1630 from splunk/CSPL-4201-use-OIDC-in-github-pipelines
CSPL-4201 use OIDC in GitHub pipelines
2 parents 6b371c4 + 85bb593 commit 6814c01

32 files changed

+328
-150
lines changed

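--- a/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml
+++ b/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml
@@ -89,11 +89,12 @@ jobs:
 sudo chmod +x operator-sdk_${OS}_${ARCH}
 sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
 - name: Configure AWS credentials
-uses: aws-actions/configure-aws-credentials@v1
+uses: aws-actions/configure-aws-credentials@v5
 with:
-aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+role-session-name: github-${{ github.run_id }}
+aws-region: ${{ vars.AWS_REGION }}
+role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -211,11 +212,12 @@ jobs:
 run: |
 echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV
 - name: Configure AWS credentials
-uses: aws-actions/configure-aws-credentials@v1
+uses: aws-actions/configure-aws-credentials@v5
 with:
-aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+role-session-name: github-${{ github.run_id }}
+aws-region: ${{ vars.AWS_REGION }}
+role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -240,6 +242,10 @@ jobs:
 cp /snap/bin/kustomize ./bin/kustomize
 - name: Run smoke test
 id: smoketest
+timeout-minutes: 240
+env:
+TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }}
+TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }}
 run: |
 make int-test
 - name: Collect Test Logs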
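Review bot: Neither `Configure AWS credentials` step in this file can request an OIDC token unless its job is granted `id-token: write`, and the 14 additions counted for this file are fully accounted for by the three hunks shown, so no `permissions:` block is added here the way automated-release-workflow.yml gets one. If the file does not already declare it outside these hunks, add `permissions:` with `id-token: write` and `contents: read` at workflow or job level; with the static keys removed the action would otherwise have no credential source and the step should fail. The same applies to the other five arm-* workflows in this commit, whose visible hunks also add no permissions block.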

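--- a/.github/workflows/arm-AL2023-int-test-workflow.yml
+++ b/.github/workflows/arm-AL2023-int-test-workflow.yml
@@ -13,7 +13,6 @@ on:
 jobs:
 build-operator-image-arm-al2023:
 runs-on: ubuntu-latest
-timeout-minutes: 360
 env:
 SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.ECR_PREFIX }}/${{ github.event.inputs.splunk_image_repository_tag }}
 SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator
@@ -39,11 +38,12 @@ jobs:
 sudo chmod +x operator-sdk_${OS}_${ARCH}
 sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
 - name: Configure AWS credentials
-uses: aws-actions/configure-aws-credentials@v1
+uses: aws-actions/configure-aws-credentials@v5
 with:
-aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+role-session-name: github-${{ github.run_id }}
+aws-region: ${{ vars.AWS_REGION }}
+role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -161,11 +161,12 @@ jobs:
 run: |
 echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV
 - name: Configure AWS credentials
-uses: aws-actions/configure-aws-credentials@v1
+uses: aws-actions/configure-aws-credentials@v5
 with:
-aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+role-session-name: github-${{ github.run_id }}
+aws-region: ${{ vars.AWS_REGION }}
+role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -189,6 +190,10 @@ jobs:
 mkdir -p ./bin
 cp /snap/bin/kustomize ./bin/kustomize
 - name: Run Integration test
+timeout-minutes: 240
+env:
+TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }}
+TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }}
 run: |
 make int-test
 - name: Collect Test Logs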
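Review bot: The new `env:` block on `Run Integration test` brings a static S3 key pair (`TEST_S3_ACCESS_KEY_ID` / `TEST_S3_SECRET_ACCESS_KEY`) into a pipeline that this commit otherwise moves to short-lived OIDC credentials. The access key ID is read from `vars`, so it is not masked in logs and is visible to anyone who can read repository variables; storing it next to the secret key avoids that, e.g. `TEST_S3_ACCESS_KEY_ID: ${{ secrets.TEST_S3_ACCESS_KEY_ID }}`. What `make int-test` does with the pair is outside the hunk; if the key has to stay, it should belong to an IAM user scoped to the test bucket and be rotated on a schedule. The same block is added to the test step of the other arm-* workflows in this commit.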

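--- a/.github/workflows/arm-RHEL-build-test-push-workflow.yml
+++ b/.github/workflows/arm-RHEL-build-test-push-workflow.yml
@@ -13,7 +13,6 @@ on:
 jobs:
 build-operator-image-arm-rhel:
 runs-on: ubuntu-latest
-timeout-minutes: 360
 env:
 SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.ECR_PREFIX }}/${{ github.event.inputs.splunk_image_repository_tag }}
 SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator
@@ -39,11 +38,12 @@ jobs:
 sudo chmod +x operator-sdk_${OS}_${ARCH}
 sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
 - name: Configure AWS credentials
-uses: aws-actions/configure-aws-credentials@v1
+uses: aws-actions/configure-aws-credentials@v5
 with:
-aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+role-session-name: github-${{ github.run_id }}
+aws-region: ${{ vars.AWS_REGION }}
+role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -55,6 +55,7 @@ jobs:
 export IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA
 make docker-buildx PLATFORMS=$PLATFORMS BASE_IMAGE=$BASE_IMAGE BASE_IMAGE_VERSION=$BASE_IMAGE_VERSION IMG=$IMG
 smoke-tests-arm-rhel:
+timeout-minutes: 240
 strategy:
 fail-fast: false
 matrix:
@@ -161,11 +162,12 @@ jobs:
 run: |
 echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV
 - name: Configure AWS credentials
-uses: aws-actions/configure-aws-credentials@v1
+uses: aws-actions/configure-aws-credentials@v5
 with:
-aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+role-session-name: github-${{ github.run_id }}
+aws-region: ${{ vars.AWS_REGION }}
+role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -189,6 +191,10 @@ jobs:
 mkdir -p ./bin
 cp /snap/bin/kustomize ./bin/kustomize
 - name: Run smoke test
+timeout-minutes: 240
+env:
+TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }}
+TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }}
 run: |
 make int-test
 - name: Collect Test Logs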
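Review bot: `role-duration-seconds` is taken from `vars.AWS_ROLE_DURATION_SECONDS` with no fallback, while the `smoke-tests-arm-rhel` job and its `Run smoke test` step are both capped at `timeout-minutes: 240`. If the variable is unset the expression renders empty and, as far as I know, the action falls back to its one-hour default, so the session could expire partway through a long `make int-test` if the tests rely on the assumed role (not visible in these hunks). A literal fallback keeps the two aligned, `role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS || 14400 }}`, and the role's maximum session duration in IAM has to allow that value. The other workflows in this commit use the same expression.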

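--- a/.github/workflows/arm-RHEL-int-test-workflow.yml
+++ b/.github/workflows/arm-RHEL-int-test-workflow.yml
@@ -13,7 +13,6 @@ on:
 jobs:
 build-operator-image-arm-rhel:
 runs-on: ubuntu-latest
-timeout-minutes: 360
 env:
 SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.ECR_PREFIX }}/${{ github.event.inputs.splunk_image_repository_tag }}
 SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator
@@ -39,11 +38,12 @@ jobs:
 sudo chmod +x operator-sdk_${OS}_${ARCH}
 sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
 - name: Configure AWS credentials
-uses: aws-actions/configure-aws-credentials@v1
+uses: aws-actions/configure-aws-credentials@v5
 with:
-aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+role-session-name: github-${{ github.run_id }}
+aws-region: ${{ vars.AWS_REGION }}
+role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -161,11 +161,12 @@ jobs:
 run: |
 echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV
 - name: Configure AWS credentials
-uses: aws-actions/configure-aws-credentials@v1
+uses: aws-actions/configure-aws-credentials@v5
 with:
-aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+role-session-name: github-${{ github.run_id }}
+aws-region: ${{ vars.AWS_REGION }}
+role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -189,6 +190,10 @@ jobs:
 mkdir -p ./bin
 cp /snap/bin/kustomize ./bin/kustomize
 - name: Run Integration test
+timeout-minutes: 240
+env:
+TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }}
+TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }}
 run: |
 make int-test
 - name: Collect Test Logs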
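Review bot: `aws-actions/configure-aws-credentials@v5` is referenced by a movable tag, and this is the step that exchanges the job's OIDC token for AWS role credentials. automated-release-workflow.yml in the same commit already pins `falti/dotenv-action` to a full commit SHA; doing the same here, `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v5`, means a retagged release cannot change what runs with that role. `aws-actions/amazon-ecr-login@v1` on the following context lines has the same exposure, as do the other workflows touched by this commit.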

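--- a/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml
+++ b/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml
@@ -89,21 +89,22 @@ jobs:
 sudo chmod +x operator-sdk_${OS}_${ARCH}
 sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
 - name: Configure AWS credentials
-uses: aws-actions/configure-aws-credentials@v1
+uses: aws-actions/configure-aws-credentials@v5
 with:
-aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+role-session-name: github-${{ github.run_id }}
+aws-region: ${{ vars.AWS_REGION }}
+role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
 - name: Build and push Splunk Operator Image
 run: |
 export PLATFORMS=linux/arm64,linux/amd64
 export BASE_IMAGE=ubuntu
-export BASE_IMAGE_VERSION=24.10
+export BASE_IMAGE_VERSION=24.04
 export IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA
-make docker-buildx PLATFORMS=$PLATFORMS BASE_IMAGE=$BASE_IMAGE BASE_IMAGE_VERSION=$BASE_IMAGE_VERSION IMG=$IMG
+make docker-buildx PLATFORMS=$PLATFORMS BASE_IMAGE=$BASE_IMAGE BASE_IMAGE_VERSION=$BASE_IMAGE_VERSION IMG=$IMG
 - name: Sign Splunk Operator image with a key
 run: |
 cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:${{ github.sha }}
@@ -211,11 +212,12 @@ jobs:
 run: |
 echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV
 - name: Configure AWS credentials
-uses: aws-actions/configure-aws-credentials@v1
+uses: aws-actions/configure-aws-credentials@v5
 with:
-aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+role-session-name: github-${{ github.run_id }}
+aws-region: ${{ vars.AWS_REGION }}
+role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -240,6 +242,10 @@ jobs:
 cp /snap/bin/kustomize ./bin/kustomize
 - name: Run smoke test
 id: smoketest
+timeout-minutes: 240
+env:
+TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }}
+TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }}
 run: |
 make int-test
 - name: Collect Test Logs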
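Review bot: `role-session-name: github-${{ github.run_id }}` gives both `Configure AWS credentials` steps in this file, and every re-run attempt of the same workflow run, an identical session name, so CloudTrail entries cannot be tied to one attempt or one step. Appending the attempt number keeps them apart: `role-session-name: github-${{ github.run_id }}-${{ github.run_attempt }}`. The same value is used in every workflow changed by this commit.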

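--- a/.github/workflows/arm-Ubuntu-int-test-workflow.yml
+++ b/.github/workflows/arm-Ubuntu-int-test-workflow.yml
@@ -13,7 +13,6 @@ on:
 jobs:
 build-operator-image-arm-ubuntu:
 runs-on: ubuntu-latest
-timeout-minutes: 360
 env:
 SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.ECR_PREFIX }}/${{ github.event.inputs.splunk_image_repository_tag }}
 SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator
@@ -39,19 +38,20 @@ jobs:
 sudo chmod +x operator-sdk_${OS}_${ARCH}
 sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
 - name: Configure AWS credentials
-uses: aws-actions/configure-aws-credentials@v1
+uses: aws-actions/configure-aws-credentials@v5
 with:
-aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+role-session-name: github-${{ github.run_id }}
+aws-region: ${{ vars.AWS_REGION }}
+role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
 - name: Build and push Splunk Operator Image
 run: |
 export PLATFORMS=linux/arm64,linux/amd64
 export BASE_IMAGE=ubuntu
-export BASE_IMAGE_VERSION=24.10
+export BASE_IMAGE_VERSION=24.04
 export IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA
 make docker-buildx PLATFORMS=$PLATFORMS BASE_IMAGE=$BASE_IMAGE BASE_IMAGE_VERSION=$BASE_IMAGE_VERSION IMG=$IMG
 int-tests-arm-ubuntu:
@@ -161,11 +161,12 @@ jobs:
 run: |
 echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV
 - name: Configure AWS credentials
-uses: aws-actions/configure-aws-credentials@v1
+uses: aws-actions/configure-aws-credentials@v5
 with:
-aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+role-session-name: github-${{ github.run_id }}
+aws-region: ${{ vars.AWS_REGION }}
+role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -189,6 +190,10 @@ jobs:
 mkdir -p ./bin
 cp /snap/bin/kustomize ./bin/kustomize
 - name: Run Integration test
+timeout-minutes: 240
+env:
+TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }}
+TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }}
 run: |
 make int-test
 - name: Collect Test Logs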
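Review bot: Both `Configure AWS credentials` steps, the one before `Build and push Splunk Operator Image` and the one in `int-tests-arm-ubuntu`, assume the same `vars.AWS_ROLE_ARN`. That one role then needs ECR push rights plus whatever the tests require, so a compromised test step inherits the ability to push images. Unless the variable is already overridden per environment (not visible here), separate roles would limit that, for example `role-to-assume: ${{ vars.AWS_BUILD_ROLE_ARN }}` for the build job and `role-to-assume: ${{ vars.AWS_TEST_ROLE_ARN }}` for the tests; both variable names are illustrative.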

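--- a/.github/workflows/automated-release-workflow.yml
+++ b/.github/workflows/automated-release-workflow.yml
@@ -1,4 +1,9 @@
 name: Automated Release Workflow
+permissions:
+contents: read
+packages: write
+id-token: write
+pull-requests: write
 on:
 workflow_dispatch:
 inputs:
@@ -37,11 +42,12 @@ jobs:
 uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
 
 - name: Configure AWS credentials
-uses: aws-actions/configure-aws-credentials@v4
+uses: aws-actions/configure-aws-credentials@v5
 with:
-aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-aws-region: us-east-1
+role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+role-session-name: github-${{ github.run_id }}
+aws-region: ${{ vars.AWS_REGION }}
+role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 
 - name: Login to Amazon ECR
 id: login-ecr-public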
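Review bot: The new top-level `permissions:` block grants `id-token: write`, `packages: write` and `pull-requests: write` to every job in the release workflow, including any job that never talks to AWS. Moving those grants under the job that runs `Configure AWS credentials` and leaving only `contents: read` at workflow level keeps the OIDC token request available only where it is used. The job list is outside these hunks, so which jobs need `packages` or `pull-requests` write has to be checked against the full file. On the IAM side, the role's trust policy should restrict the `sub` claim to this repository and the refs allowed to release.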

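--- a/.github/workflows/bias-language-workflow.yml
+++ b/.github/workflows/bias-language-workflow.yml
@@ -1,4 +1,8 @@
 name: Bias Language
+permissions:
+contents: read
+packages: write
+pull-requests: write
 on: [push]
 jobs:
 biased_lang: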
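Review bot: `packages: write` and `pull-requests: write` look broader than a language check triggered by `on: [push]` needs. The `biased_lang` job body is outside the hunk, so this is inferred from the workflow name; if the job only reads the checkout, a block with `contents: read` alone is enough, and `pull-requests: write` is worth keeping only if the job posts comments on pull requests.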
