diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 65d2b7b12..367d662a3 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -12,7 +12,7 @@ _How did you test these changes? What automated tests are added?_
 ### Related Issues
-_Jira tickets, GitHub issues, Support tickets..._
+_Jira tickets, GitHub issues, Support tickets etc._
 ### PR Checklist
diff --git a/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml b/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml
index 9ac21142d..6be5e4fba 100644
--- a/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml
+++ b/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml
@@ -89,11 +89,12 @@ jobs:
 sudo chmod +x operator-sdk_${OS}_${ARCH}
 sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
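Review bot: The `role-to-assume` step in `arm-AL2023-build-test-push-workflow-AL2023.yml` needs a GitHub OIDC token, but no hunk for this file adds `id-token: write`, a scope the default `GITHUB_TOKEN` permissions never include. The same holds for the other five `arm-*` workflow diffs in this commit (the AL2023 int-test file, both RHEL files, both Ubuntu files), while the non-ARM AWS workflows each gain a top-level `permissions:` block. Unless these files already declare the scope outside the hunks shown, the credentials step will fail once the static keys are gone; add `permissions:` with `id-token: write` and `contents: read`, preferably on the jobs that assume the role. The job bodies continue outside the hunk, so this is inferred from what the diff touches.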
@@ -203,11 +204,12 @@ jobs:
 run: |
 echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -232,6 +234,10 @@ jobs:
 cp /snap/bin/kustomize ./bin/kustomize
 - name: Run smoke test
 id: smoketest
+ timeout-minutes: 240
+ env:
+ TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }}
+ TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }}
 run: |
 make int-test
 - name: Collect Test Logs
diff --git a/.github/workflows/arm-AL2023-int-test-workflow.yml b/.github/workflows/arm-AL2023-int-test-workflow.yml
index 8a228fb8c..3a760f3b4 100644
--- a/.github/workflows/arm-AL2023-int-test-workflow.yml
+++ b/.github/workflows/arm-AL2023-int-test-workflow.yml
@@ -13,7 +13,6 @@ on:
 jobs:
 build-operator-image-arm-al2023:
 runs-on: ubuntu-latest
- timeout-minutes: 360
 env:
 SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.ECR_PREFIX }}/${{ github.event.inputs.splunk_image_repository_tag }}
 SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator
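Review bot: `aws-actions/configure-aws-credentials@v5` is referenced by a mutable major tag in the step that mints cloud credentials, here and in every other credentials hunk of this commit. The release workflow already pins `falti/dotenv-action` to a full commit SHA, so the same convention fits: `uses: aws-actions/configure-aws-credentials@FULL_COMMIT_SHA # v5`, where FULL_COMMIT_SHA is a placeholder for the upstream commit you have reviewed. A moved tag would otherwise run unreviewed code with the assumed role's permissions. The neighbouring `aws-actions/amazon-ecr-login@v1` context line deserves the same treatment in a follow-up.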
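Review bot: The smoke-test step now receives a long-lived S3 key pair (`TEST_S3_ACCESS_KEY_ID`, `TEST_S3_SECRET_ACCESS_KEY`), which brings static credentials back in the same commit that removes them from the credentials step; the pattern repeats in every `Run smoke test` / `Run Integration test` hunk and in the kuttl step of `helm-test-workflow.yml`. If the tests must hand S3 keys to the deployed pods and cannot use the assumed role, say so in a comment above `env:` and confirm the IAM user behind the key is limited to the test bucket. The key ID is read from `vars`, so it is not masked in logs; `TEST_S3_ACCESS_KEY_ID: ${{ secrets.TEST_S3_ACCESS_KEY_ID }}` would keep both halves out of job output.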
@@ -39,11 +38,12 @@ jobs:
 sudo chmod +x operator-sdk_${OS}_${ARCH}
 sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -153,11 +153,12 @@ jobs:
 run: |
 echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -181,6 +182,10 @@ jobs:
 mkdir -p ./bin
 cp /snap/bin/kustomize ./bin/kustomize
 - name: Run Integration test
+ timeout-minutes: 240
+ env:
+ TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }}
+ TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }}
 run: |
 make int-test
 - name: Collect Test Logs
diff --git a/.github/workflows/arm-RHEL-build-test-push-workflow.yml b/.github/workflows/arm-RHEL-build-test-push-workflow.yml
index dcc08f5ae..ab6c7dab7 100644
--- a/.github/workflows/arm-RHEL-build-test-push-workflow.yml
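Review bot: `role-duration-seconds` in the test job of `arm-AL2023-int-test-workflow.yml` is read from `vars.AWS_ROLE_DURATION_SECONDS` with no fallback, while the test step in the following hunk may run for `timeout-minutes: 240`. If the variable is unset the expression renders empty and the action uses its default session length (one hour, as far as I know), so any AWS call made late in a long test run would fail with an expired token. Give the input a fallback, e.g. `role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS || '14400' }}`, or document the required value; the role's maximum session duration in IAM has to permit it as well. This applies to every job in the commit that assumes the role and then runs `make int-test`.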
+++ b/.github/workflows/arm-RHEL-build-test-push-workflow.yml
@@ -13,7 +13,6 @@ on:
 jobs:
 build-operator-image-arm-rhel:
 runs-on: ubuntu-latest
- timeout-minutes: 360
 env:
 SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.ECR_PREFIX }}/${{ github.event.inputs.splunk_image_repository_tag }}
 SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator
@@ -39,11 +38,12 @@ jobs:
 sudo chmod +x operator-sdk_${OS}_${ARCH}
 sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -153,11 +153,12 @@ jobs:
 run: |
 echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -181,6 +182,10 @@ jobs:
 mkdir -p ./bin
 cp /snap/bin/kustomize ./bin/kustomize
 - name: Run Integration test
+ timeout-minutes: 240
+ env:
+ TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }}
+ TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }}
 run: |
 make int-test
 - name: Collect Test Logs
diff --git a/.github/workflows/arm-RHEL-int-test-workflow.yml b/.github/workflows/arm-RHEL-int-test-workflow.yml
index dcc08f5ae..ab6c7dab7 100644
--- a/.github/workflows/arm-RHEL-int-test-workflow.yml
+++ b/.github/workflows/arm-RHEL-int-test-workflow.yml
@@ -13,7 +13,6 @@ on:
 jobs:
 build-operator-image-arm-rhel:
 runs-on: ubuntu-latest
- timeout-minutes: 360
 env:
 SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.ECR_PREFIX }}/${{ github.event.inputs.splunk_image_repository_tag }}
 SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator
@@ -39,11 +38,12 @@ jobs:
 sudo chmod +x operator-sdk_${OS}_${ARCH}
 sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -153,11 +153,12 @@ jobs:
 run: |
 echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -181,6 +182,10 @@ jobs:
 mkdir -p ./bin
 cp /snap/bin/kustomize ./bin/kustomize
 - name: Run Integration test
+ timeout-minutes: 240
+ env:
+ TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }}
+ TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }}
 run: |
 make int-test
 - name: Collect Test Logs
diff --git a/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml b/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml
index a16f17354..13970b6bf 100644
--- a/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml
+++ b/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml
@@ -89,11 +89,12 @@ jobs:
 sudo chmod +x operator-sdk_${OS}_${ARCH}
 sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -203,11 +204,12 @@ jobs:
 run: |
 echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -232,6 +234,10 @@ jobs:
 cp /snap/bin/kustomize ./bin/kustomize
 - name: Run smoke test
 id: smoketest
+ timeout-minutes: 240
+ env:
+ TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }}
+ TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }}
 run: |
 make int-test
 - name: Collect Test Logs
diff --git a/.github/workflows/arm-Ubuntu-int-test-workflow.yml b/.github/workflows/arm-Ubuntu-int-test-workflow.yml
index 1815f177f..53898225c 100644
--- a/.github/workflows/arm-Ubuntu-int-test-workflow.yml
+++ b/.github/workflows/arm-Ubuntu-int-test-workflow.yml
@@ -13,7 +13,6 @@ on:
 jobs:
 build-operator-image-arm-ubuntu:
 runs-on: ubuntu-latest
- timeout-minutes: 360
 env:
 SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.ECR_PREFIX }}/${{ github.event.inputs.splunk_image_repository_tag }}
 SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator
@@ -39,11 +38,12 @@ jobs:
 sudo chmod +x operator-sdk_${OS}_${ARCH}
 sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -153,11 +153,12 @@ jobs:
 run: |
 echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -181,6 +182,10 @@ jobs:
 mkdir -p ./bin
 cp /snap/bin/kustomize ./bin/kustomize
 - name: Run Integration test
+ timeout-minutes: 240
+ env:
+ TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }}
+ TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }}
 run: |
 make int-test
 - name: Collect Test Logs
diff --git a/.github/workflows/automated-release-workflow.yml b/.github/workflows/automated-release-workflow.yml
index ebb31b2b8..4eca74189 100644
--- a/.github/workflows/automated-release-workflow.yml
+++ b/.github/workflows/automated-release-workflow.yml
@@ -1,4 +1,9 @@
 name: Automated Release Workflow
+permissions:
+ contents: read
+ packages: write
+ id-token: write
+ pull-requests: write
 on:
 workflow_dispatch:
 inputs:
@@ -37,11 +42,12 @@ jobs:
 uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v4
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-east-1
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr-public
diff --git a/.github/workflows/bias-language-workflow.yml b/.github/workflows/bias-language-workflow.yml
index 2597b467a..2ea42b520 100644
--- a/.github/workflows/bias-language-workflow.yml
+++ b/.github/workflows/bias-language-workflow.yml
@@ -1,4 +1,8 @@
 name: Bias Language
+permissions:
+ contents: read
+ packages: write
+ pull-requests: write
 on: [push]
 jobs:
 biased_lang:
diff --git a/.github/workflows/build-test-push-workflow.yml b/.github/workflows/build-test-push-workflow.yml
index 5776eb081..24f2344fd 100644
--- a/.github/workflows/build-test-push-workflow.yml
+++ b/.github/workflows/build-test-push-workflow.yml
@@ -1,10 +1,16 @@
 name: Build and Test
+permissions:
+ contents: read
+ packages: write
+ id-token: write
+ pull-requests: write
 on:
 pull_request: {}
 push:
 branches:
 - main
 - develop
+ - CSPL-4201-pipeline-tests-base
 jobs:
 check-formating:
 runs-on: ubuntu-latest
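Review bot: The new top-level `permissions:` block in `automated-release-workflow.yml` sets `contents: read`, and once any scope is listed every unlisted scope drops to none. The jobs are outside this hunk, so this is a question rather than a finding: if any step creates tags, releases or commits with `GITHUB_TOKEN`, it needs `contents: write` on that job. The same check applies to `merge-develop-to-main-workflow.yml` and `bundle-push-post-release.yml`, which receive a similar block.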
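Review bot: `aws-region` in `automated-release-workflow.yml` changes from the literal `us-east-1` to `${{ vars.AWS_REGION }}` directly ahead of the step with `id: login-ecr-public`. If that step logs in to ECR Public (its inputs are outside the hunk), authentication for the public registry is only served from `us-east-1`, so a repository-wide region variable pointing elsewhere would break the release login. Keeping `aws-region: us-east-1` here, or adding a comment that `AWS_REGION` must be `us-east-1` for release workflows, avoids that; the `merge-develop-to-main-workflow.yml` hunk makes the same change.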
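Review bot: `bias-language-workflow.yml` runs on every push and is granted `packages: write` and `pull-requests: write` at workflow level, which looks broader than a language-lint job needs. The same block is pasted into most workflows in this commit (for example `kubectl-splunk-workflow.yml` and the Azure and GCP integration workflows). Start from `contents: read` at the top and add write scopes only on the jobs whose steps use them; the job bodies are not visible here, so confirm which scopes each one actually exercises.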
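Review bot: `CSPL-4201-pipeline-tests-base` is added to the `push` branch filter of `build-test-push-workflow.yml`, which reads like a working branch used to exercise this pipeline change. If so, drop the entry before merging or add a comment saying why it must stay; otherwise pushes to that branch keep assuming the AWS role and running the full test matrix. The same entry is added in `distroless-int-test-workflow.yml`, `helm-test-workflow.yml`, `int-test-azure-workflow.yml`, `int-test-gcp-workflow.yml` and `int-test-workflow.yml`.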
@@ -85,11 +91,12 @@ jobs:
 sudo chmod +x operator-sdk_${OS}_${ARCH}
 sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -106,6 +113,7 @@ jobs:
 permissions:
 actions: read
 contents: read
+ id-token: write
 security-events: write
 runs-on: ubuntu-latest
 needs: build-operator-image
@@ -125,11 +133,12 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v2.5.0
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 uses: aws-actions/amazon-ecr-login@v1
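Review bot: `build-test-push-workflow.yml` triggers on `pull_request` and its credentials steps now assume `vars.AWS_ROLE_ARN`, the same variable the release and merge workflows use. Unless that variable is overridden per environment, code from any branch or pull request in this repository runs with the role that also publishes release images. Consider a separate, narrower role for CI, e.g. `role-to-assume: ${{ vars.AWS_CI_ROLE_ARN }}` (variable name constructed for illustration), and check that the role's trust policy restricts the OIDC `sub` claim to this repository and the intended refs. The trust policy is not part of this diff, so this cannot be confirmed from the page.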
@@ -249,11 +258,12 @@ jobs:
 - name: Pull Splunk Enterprise Image
 run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }}
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -279,6 +289,10 @@ jobs:
 cp /snap/bin/kustomize ./bin/kustomize
 - name: Run smoke test
 id: smoketest
+ timeout-minutes: 240
+ env:
+ TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }}
+ TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }}
 run: |
 make int-test
 - name: Collect Test Logs
diff --git a/.github/workflows/bundle-push-post-release.yml b/.github/workflows/bundle-push-post-release.yml
index b122242cf..7b10c5061 100644
--- a/.github/workflows/bundle-push-post-release.yml
+++ b/.github/workflows/bundle-push-post-release.yml
@@ -1,4 +1,8 @@
 name: Bundle Push Post Release Workflow
+permissions:
+ contents: read
+ packages: write
+ pull-requests: write
 on:
 workflow_dispatch:
 inputs:
diff --git a/.github/workflows/distroless-build-test-push-workflow.yml b/.github/workflows/distroless-build-test-push-workflow.yml
index 789196b02..c45dea746 100644
--- a/.github/workflows/distroless-build-test-push-workflow.yml
+++ b/.github/workflows/distroless-build-test-push-workflow.yml
@@ -1,4 +1,9 @@
-name: Build and Test Distroless
+name: Build and Test Distroles
+permissions:
+ contents: read
+ packages: write
+ id-token: write
+ pull-requests: write
 on:
 pull_request: {}
 push:
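Review bot: The workflow name in `distroless-build-test-push-workflow.yml` changes from `Build and Test Distroless` to `Build and Test Distroles`, which looks like an accidental edit made while inserting the `permissions:` block below it. Anything keyed on the workflow name, such as status badges or `workflow_run` triggers, would stop matching; restore `name: Build and Test Distroless`. The rest of the file is outside the hunk.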
@@ -84,11 +89,12 @@ jobs:
 sudo chmod +x operator-sdk_${OS}_${ARCH}
 sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -126,11 +132,12 @@ jobs:
 # - name: Set up Docker Buildx
 # uses: docker/setup-buildx-action@v2.5.0
 # - name: Configure AWS credentials
-# uses: aws-actions/configure-aws-credentials@v1
+# uses: aws-actions/configure-aws-credentials@v5
 # with:
-# aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-# aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-# aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+# role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+# role-session-name: github-${{ github.run_id }}
+# aws-region: ${{ vars.AWS_REGION }}
+# role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 #
 # - name: Login to Amazon ECR
 # uses: aws-actions/amazon-ecr-login@v1
@@ -250,11 +257,12 @@ jobs:
 - name: Pull Splunk Enterprise Image
 run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }}
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -280,6 +288,10 @@ jobs:
 cp /snap/bin/kustomize ./bin/kustomize
 - name: Run smoke test
 id: smoketest
+ timeout-minutes: 240
+ env:
+ TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }}
+ TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }}
 run: |
 make int-test
 - name: Collect Test Logs
diff --git a/.github/workflows/distroless-int-test-workflow.yml b/.github/workflows/distroless-int-test-workflow.yml
index e234eb3d7..d2d545f9c 100644
--- a/.github/workflows/distroless-int-test-workflow.yml
+++ b/.github/workflows/distroless-int-test-workflow.yml
@@ -1,13 +1,18 @@
 name: Integration Test Workflow Distroless
+permissions:
+ contents: read
+ packages: write
+ id-token: write
+ pull-requests: write
 on:
 push:
 branches:
 - develop
 - main
+ - CSPL-4201-pipeline-tests-base
 jobs:
 build-operator-image-distroless:
 runs-on: ubuntu-latest
- timeout-minutes: 360
 env:
 SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }}
 SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator
@@ -33,11 +38,12 @@ jobs:
 sudo chmod +x operator-sdk_${OS}_${ARCH}
 sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -145,13 +151,14 @@ jobs:
 password: ${{ secrets.DOCKERHUB_TOKEN}}
 - name: Set Splunk Operator image
 run: |
- echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA-distroless" >> $GITHUB_ENV
+ echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA-distroless" >> $GITHUB_ENV
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -174,6 +181,10 @@ jobs:
 mkdir -p ./bin
 cp /snap/bin/kustomize ./bin/kustomize
 - name: Run Integration test
+ timeout-minutes: 240
+ env:
+ TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }}
+ TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }}
 run: |
 make int-test
 - name: Collect Test Logs
diff --git a/.github/workflows/helm-test-workflow.yml b/.github/workflows/helm-test-workflow.yml
index 16fa24988..3fab4474b 100644
--- a/.github/workflows/helm-test-workflow.yml
+++ b/.github/workflows/helm-test-workflow.yml
@@ -1,10 +1,16 @@
 name: Helm Test WorkFlow
+permissions:
+ contents: read
+ packages: write
+ id-token: write
+ pull-requests: write
 on:
 push:
 branches:
 - develop
 - main
 - feature**
+ - CSPL-4201-pipeline-tests-base
 workflow_dispatch:
 jobs:
 build-operator-image:
@@ -34,11 +40,12 @@ jobs:
 sudo chmod +x operator-sdk_${OS}_${ARCH}
 sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -137,11 +144,12 @@ jobs:
 - name: Pull Splunk Enterprise Image
 run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }}
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -195,6 +203,8 @@ jobs:
 AWS_S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
 TEST_S3_BUCKET: ${{ secrets.TEST_BUCKET }}
 TEST_VPC_ENDPOINT_URL: ${{ secrets.TEST_VPC_ENDPOINT_URL }}
+ TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }}
+ TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }}
 run: |
 kubectl kuttl test --config kuttl/kuttl-test-helm.yaml --report xml
 - name: Publish Results
diff --git a/.github/workflows/int-test-azure-workflow.yml b/.github/workflows/int-test-azure-workflow.yml
index c8fccb5e2..575095660 100644
--- a/.github/workflows/int-test-azure-workflow.yml
+++ b/.github/workflows/int-test-azure-workflow.yml
@@ -1,9 +1,14 @@
 name: Integration Test on Azure WorkFlow
+permissions:
+ contents: read
+ packages: write
+ pull-requests: write
 on:
 push:
 branches:
 - develop
 - main
+ - CSPL-4201-pipeline-tests-base
 jobs:
 build-operator-image:
 runs-on: ubuntu-latest
@@ -218,6 +223,7 @@ jobs:
 mkdir -p ./bin
 cp /snap/bin/kustomize ./bin/kustomize
 - name: Run Integration test
+ timeout-minutes: 240
 run: |
 make int-test
 - name: Collect Test Logs
diff --git a/.github/workflows/int-test-gcp-workflow.yml b/.github/workflows/int-test-gcp-workflow.yml
index 7b7d6afef..324a34725 100644
--- a/.github/workflows/int-test-gcp-workflow.yml
+++ b/.github/workflows/int-test-gcp-workflow.yml
@@ -1,10 +1,15 @@
 name: Integration Test on GCP Workflow
+permissions:
+ contents: read
+ packages: write
+ pull-requests: write
 on:
 push:
 branches:
 - develop
 - main
+ - CSPL-4201-pipeline-tests-base
 jobs:
 build-operator-image:
 runs-on: ubuntu-latest
@@ -249,6 +254,7 @@ jobs:
 kubectl apply -f test/gcp-storageclass.yaml
 - name: Run Integration Tests
+ timeout-minutes: 240
 run: |
 export GCP_SERVICE_ACCOUNT_KEY=${{ secrets.GCP_SERVICE_ACCOUNT_KEY_BASE64 }}
 make int-test
diff --git a/.github/workflows/int-test-workflow.yml b/.github/workflows/int-test-workflow.yml
index 6d2b9f6cc..7dfce69c7 100644
--- a/.github/workflows/int-test-workflow.yml
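Review bot: In the kuttl step of `helm-test-workflow.yml`, `AWS_S3_REGION` still reads `secrets.AWS_DEFAULT_REGION` on the context line above the two added variables, while the credentials steps in this file moved to `vars.AWS_REGION`. If the old secret is retired together with `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, the expression renders empty and the S3 tests get no region; `AWS_S3_REGION: ${{ vars.AWS_REGION }}` keeps the two in step. The `env:` block starts outside the hunk, so other entries may need the same change.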
+++ b/.github/workflows/int-test-workflow.yml
@@ -1,14 +1,19 @@
 name: Integration Test WorkFlow
+permissions:
+ contents: read
+ packages: write
+ id-token: write
+ pull-requests: write
 on:
 push:
 branches:
 - develop
 - main
 - feature**
+ - CSPL-4201-pipeline-tests-base
 jobs:
 build-operator-image:
 runs-on: ubuntu-latest
- timeout-minutes: 360
 env:
 SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }}
 SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator
@@ -34,11 +39,12 @@ jobs:
 sudo chmod +x operator-sdk_${OS}_${ARCH}
 sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -145,11 +151,12 @@ jobs:
 - name: Pull Splunk Enterprise Image
 run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }}
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -174,6 +181,10 @@ jobs:
 mkdir -p ./bin
 cp /snap/bin/kustomize ./bin/kustomize
 - name: Run Integration test
+ timeout-minutes: 240
+ env:
+ TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }}
+ TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }}
 run: |
 make int-test
 - name: Collect Test Logs
diff --git a/.github/workflows/kubectl-splunk-workflow.yml b/.github/workflows/kubectl-splunk-workflow.yml
index 4e88c70d7..70bc6fecf 100644
--- a/.github/workflows/kubectl-splunk-workflow.yml
+++ b/.github/workflows/kubectl-splunk-workflow.yml
@@ -2,6 +2,11 @@ name: Kubectl Splunk CI
+permissions:
+ contents: read
+ packages: write
+ pull-requests: write
+
 on:
 push:
 branches:
diff --git a/.github/workflows/manual-int-test-workflow.yml b/.github/workflows/manual-int-test-workflow.yml
index 91e818d80..efa729cd7 100644
--- a/.github/workflows/manual-int-test-workflow.yml
+++ b/.github/workflows/manual-int-test-workflow.yml
@@ -1,4 +1,9 @@
 name: Manual Integration Test WorkFlow
+permissions:
+ contents: read
+ packages: write
+ id-token: write
+ pull-requests: write
 on:
 workflow_dispatch:
 inputs:
@@ -97,11 +102,12 @@ jobs:
 - name: Pull Splunk Enterprise Image
 run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }}
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v1
@@ -130,6 +136,10 @@ jobs:
 mkdir -p ./bin
 cp /snap/bin/kustomize ./bin/kustomize
 - name: Run Integration test
+ timeout-minutes: 240
+ env:
+ TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }}
+ TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }}
 run: |
 export SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA
 make int-test
@@ -168,11 +178,12 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v2.5.0
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v5
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+ role-session-name: github-${{ github.run_id }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }}
 - name: Login to Amazon ECR
 uses: aws-actions/amazon-ecr-login@v1
 - name: Pull Splunk Operator Image Locally
diff --git a/.github/workflows/merge-develop-to-main-workflow.yml b/.github/workflows/merge-develop-to-main-workflow.yml
index bafdfb6fe..1eb79a0c1 100644
--- a/.github/workflows/merge-develop-to-main-workflow.yml
+++ b/.github/workflows/merge-develop-to-main-workflow.yml
@@ -1,4 +1,9 @@
 name: Merge Develop To Main Workflow
+permissions:
+ contents: read
+ packages: write
+ id-token: write
+ pull-requests: write
 on:
 workflow_dispatch:
 inputs:
@@ -61,12 +66,13 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2.5.0 - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: us-east-1 + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr-public diff --git a/.github/workflows/namespace-scope-int-workflow.yml b/.github/workflows/namespace-scope-int-workflow.yml index 646c662c6..3e5f2e9f4 100644 --- a/.github/workflows/namespace-scope-int-workflow.yml +++ b/.github/workflows/namespace-scope-int-workflow.yml @@ -1,4 +1,9 @@ name: Namespace-scope Operator Integration Test WorkFlow +permissions: + contents: read + packages: write + id-token: write + pull-requests: write on: schedule: - cron: "0 02 * * WED,SUN" @@ -94,11 +99,12 @@ jobs: - name: Pull Splunk Enterprise Edge Image run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }} - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 
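Review bot: Replacing the literal `us-east-1` with `${{ vars.AWS_REGION }}` can break the step that follows, whose id is `login-ecr-public`, because Amazon ECR Public authentication is only served from us-east-1. That step's `with:` block is outside the hunk, so whether it targets the public registry is inferred from its id; if it does, any other value in the shared variable makes the login fail. Keeping `aws-region: us-east-1` here with a comment `# ECR Public auth requires us-east-1` avoids coupling this job to the variable used by the test workflows.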
@@ -127,6 +133,10 @@ jobs: mkdir -p ./bin cp /snap/bin/kustomize ./bin/kustomize - name: Run Integration test + timeout-minutes: 240 + env: + TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} + TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} run: | export SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA make int-test diff --git a/.github/workflows/nightly-int-test-workflow.yml b/.github/workflows/nightly-int-test-workflow.yml index 811e75904..e59fb1291 100644 --- a/.github/workflows/nightly-int-test-workflow.yml +++ b/.github/workflows/nightly-int-test-workflow.yml @@ -1,4 +1,9 @@ name: Nightly Integration Test WorkFlow +permissions: + contents: read + packages: write + id-token: write + pull-requests: write on: schedule: - cron: "0 06 * * 0" @@ -32,11 +37,12 @@ jobs: sudo chmod +x operator-sdk_${OS}_${ARCH} sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 
@@ -130,11 +136,12 @@ jobs: - name: Pull Splunk Enterprise Image run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }} - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 @@ -166,6 +173,10 @@ jobs: mkdir -p ./bin cp /snap/bin/kustomize ./bin/kustomize - name: Run Integration test + timeout-minutes: 240 + env: + TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} + TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} run: | export SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA make int-test @@ -207,11 +218,12 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2.5.0 - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR uses: aws-actions/amazon-ecr-login@v1 - name: Pull Splunk Operator Image Locally diff --git a/.github/workflows/pre-release-workflow.yml b/.github/workflows/pre-release-workflow.yml index d6b7ab806..b5b48bacc 100644 --- a/.github/workflows/pre-release-workflow.yml +++ b/.github/workflows/pre-release-workflow.yml 
@@ -1,4 +1,8 @@ name: Pre Release Workflow +permissions: + contents: read + packages: write + pull-requests: write on: workflow_dispatch: inputs: diff --git a/.github/workflows/prodsec-workflow.yml b/.github/workflows/prodsec-workflow.yml index 07e2bd8d4..791f69646 100644 --- a/.github/workflows/prodsec-workflow.yml +++ b/.github/workflows/prodsec-workflow.yml @@ -1,10 +1,15 @@ +name: Prodsec Workflow +permissions: + contents: read + packages: write + pull-requests: write on: pull_request: {} push: branches: - main - develop -name: Prodsec Workflow + - CSPL-4201-pipeline-tests-base jobs: semgrep: name: Semgrep Scanner diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ffd713373..31e78b221 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,8 @@ name: Release Charts +permissions: + contents: read + packages: write + pull-requests: write on: push: branches: diff --git a/kuttl/tests/helm/c3-with-apps-private-link/02-create-s3-secret.yaml b/kuttl/tests/helm/c3-with-apps-private-link/02-create-s3-secret.yaml index 7046b6f17..ee8436626 100644 --- a/kuttl/tests/helm/c3-with-apps-private-link/02-create-s3-secret.yaml +++ b/kuttl/tests/helm/c3-with-apps-private-link/02-create-s3-secret.yaml @@ -3,7 +3,7 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep commands: - - script: kubectl create secret generic s3-secret --from-literal=s3_access_key=$AWS_ACCESS_KEY_ID --from-literal=s3_secret_key=$AWS_SECRET_ACCESS_KEY --namespace $NAMESPACE + - script: kubectl create secret generic s3-secret --from-literal=s3_access_key=${TEST_S3_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID} --from-literal=s3_secret_key=${TEST_S3_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY} --namespace $NAMESPACE background: false #namespaced: true skipLogOutput: true \ No newline at end of file diff --git a/kuttl/tests/helm/c3-with-apps/02-create-s3-secret.yaml b/kuttl/tests/helm/c3-with-apps/02-create-s3-secret.yaml index 7046b6f17..ee8436626 100644 
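Review bot: The `push` trigger now lists `CSPL-4201-pipeline-tests-base`, which reads like a temporary branch used to exercise this pipeline change rather than a long-lived branch next to `main` and `develop`. If so, it should be dropped before merge, or kept with a comment such as `# temporary: remove once CSPL-4201 lands`, so the scanner's trigger list does not accumulate stale entries.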
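Review bot: Setting `contents: read` at workflow level removes the token's write access to the repository for every job, and a workflow named `Release Charts` may need to push commits, tags or releases. The jobs are outside this hunk, so this is to be confirmed; a job that publishes through the repository would need `permissions:` with `contents: write` declared on that job. The same question applies to pre-release-workflow.yml and merge-develop-to-main-workflow.yml, whose names suggest they write to the repository too.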
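Review bot: The two `${VAR:-fallback}` expansions fall back independently, so with only one of `TEST_S3_ACCESS_KEY_ID` / `TEST_S3_SECRET_ACCESS_KEY` set, `s3-secret` gets an access key and a secret key from different identities. The fallback is also doubtful under the new workflows: after role assumption, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` on the runner are temporary credentials that only work together with `AWS_SESSION_TOKEN`, which the secret does not carry. I would fail the step when the pair is incomplete, e.g. `${TEST_S3_ACCESS_KEY_ID:?TEST_S3_ACCESS_KEY_ID not set}`, or add a comment that the `AWS_*` fallback is for local runs with static keys only. The same line is changed in c3-with-apps and s1-with-smartstore.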
--- a/kuttl/tests/helm/c3-with-apps/02-create-s3-secret.yaml +++ b/kuttl/tests/helm/c3-with-apps/02-create-s3-secret.yaml @@ -3,7 +3,7 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep commands: - - script: kubectl create secret generic s3-secret --from-literal=s3_access_key=$AWS_ACCESS_KEY_ID --from-literal=s3_secret_key=$AWS_SECRET_ACCESS_KEY --namespace $NAMESPACE + - script: kubectl create secret generic s3-secret --from-literal=s3_access_key=${TEST_S3_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID} --from-literal=s3_secret_key=${TEST_S3_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY} --namespace $NAMESPACE background: false #namespaced: true skipLogOutput: true \ No newline at end of file diff --git a/kuttl/tests/helm/s1-with-smartstore/02-create-s3-secret.yaml b/kuttl/tests/helm/s1-with-smartstore/02-create-s3-secret.yaml index 7046b6f17..ee8436626 100644 --- a/kuttl/tests/helm/s1-with-smartstore/02-create-s3-secret.yaml +++ b/kuttl/tests/helm/s1-with-smartstore/02-create-s3-secret.yaml @@ -3,7 +3,7 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep commands: - - script: kubectl create secret generic s3-secret --from-literal=s3_access_key=$AWS_ACCESS_KEY_ID --from-literal=s3_secret_key=$AWS_SECRET_ACCESS_KEY --namespace $NAMESPACE + - script: kubectl create secret generic s3-secret --from-literal=s3_access_key=${TEST_S3_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID} --from-literal=s3_secret_key=${TEST_S3_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY} --namespace $NAMESPACE background: false #namespaced: true skipLogOutput: true \ No newline at end of file diff --git a/test/README.md b/test/README.md index 4bcfbe916..45dbe24d4 100644 --- a/test/README.md +++ b/test/README.md 
@@ -69,8 +69,8 @@ Note: To run a specific test, you can Smoke and integration tests will run on Github actions. This tests can be triggered on schedule or after a certain event occur depending of the content of the workflow files. To run the tests on different clusters platforms, you will need to define the following project environment variables. For AWS: -AWS_ACCESS_KEY_ID -AWS_SECRET_ACCESS_KEY +TEST_S3_ACCESS_KEY_ID (optional, defaults to AWS_ACCESS_KEY_ID if not set) +TEST_S3_SECRET_ACCESS_KEY (optional, defaults to AWS_SECRET_ACCESS_KEY if not set) CLUSTER_PROVIDER=[eks] ECR_REGISTRY diff --git a/test/testenv/testcaseenv.go b/test/testenv/testcaseenv.go index a1081e0a0..3987226ab 100644 --- a/test/testenv/testcaseenv.go +++ b/test/testenv/testcaseenv.go @@ -518,8 +518,18 @@ func (testenv *TestCaseEnv) CreateServiceAccount(name string) error { func (testenv *TestCaseEnv) createIndexSecret() error { secretName := testenv.s3IndexSecret ns := testenv.namespace - data := map[string][]byte{"s3_access_key": []byte(os.Getenv("AWS_ACCESS_KEY_ID")), - "s3_secret_key": []byte(os.Getenv("AWS_SECRET_ACCESS_KEY"))} + + accessKey := os.Getenv("TEST_S3_ACCESS_KEY_ID") + if accessKey == "" { + accessKey = os.Getenv("AWS_ACCESS_KEY_ID") + } + secretKey := os.Getenv("TEST_S3_SECRET_ACCESS_KEY") + if secretKey == "" { + secretKey = os.Getenv("AWS_SECRET_ACCESS_KEY") + } + + data := map[string][]byte{"s3_access_key": []byte(accessKey), + "s3_secret_key": []byte(secretKey)} secret := newSecretSpec(ns, secretName, data) if err := testenv.GetKubeClient().Create(context.TODO(), secret); err != nil { testenv.Log.Error(err, "Unable to create s3 index secret object")
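Review bot: `createIndexSecret` picks each half of the key pair on its own and never checks the result, so a half-set `TEST_S3_*` pair yields a mismatched secret and a fully unset environment yields a secret with two empty values that only fails later inside the tests. Selecting the pair from one source and returning an error when it is incomplete keeps the failure at the point of cause. The sketch below assumes `fmt` is already imported in this file and that no caller relies on an empty secret being created. The function body continues past the end of the hunk.

```go
	// Take both halves from the same source so the pair always belongs to one identity.
	accessKey, secretKey := os.Getenv("TEST_S3_ACCESS_KEY_ID"), os.Getenv("TEST_S3_SECRET_ACCESS_KEY")
	if accessKey == "" || secretKey == "" {
		accessKey, secretKey = os.Getenv("AWS_ACCESS_KEY_ID"), os.Getenv("AWS_SECRET_ACCESS_KEY")
	}
	if accessKey == "" || secretKey == "" {
		return fmt.Errorf("s3 index secret: no complete access key pair in TEST_S3_* or AWS_* environment")
	}

	// … unchanged: data map, newSecretSpec and Create call …
```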