diff --git a/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml b/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml index a826ab910..de972ba59 100644 --- a/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml +++ b/.github/workflows/arm-AL2023-build-test-push-workflow-AL2023.yml @@ -89,11 +89,12 @@ jobs: sudo chmod +x operator-sdk_${OS}_${ARCH} sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 @@ -211,11 +212,12 @@ jobs: run: | echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 
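Review bot: The `Configure AWS credentials` steps in arm-AL2023-build-test-push-workflow-AL2023.yml now rely on `role-to-assume` with no static keys, which needs the job to hold `id-token: write`, but this file's diff adds no `permissions:` block (its first hunk starts at line 89). The same holds for the arm-AL2023-int-test, arm-RHEL-* and arm-Ubuntu-* workflows, whereas build-test-push-workflow.yml and int-test-workflow.yml get one in this commit. If these files do not already declare it outside the visible hunks, the credentials step cannot obtain an OIDC token and will fail. I would add `permissions:` with `id-token: write` and `contents: read` at the top of each; once a `permissions:` block exists, unlisted scopes drop to none, so `contents: read` has to be listed for checkout to keep working.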
@@ -240,6 +242,10 @@ jobs: cp /snap/bin/kustomize ./bin/kustomize - name: Run smoke test id: smoketest + timeout-minutes: 240 + env: + TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} + TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} run: | make int-test - name: Collect Test Logs diff --git a/.github/workflows/arm-AL2023-int-test-workflow.yml b/.github/workflows/arm-AL2023-int-test-workflow.yml index c762222e6..b0bd87391 100644 --- a/.github/workflows/arm-AL2023-int-test-workflow.yml +++ b/.github/workflows/arm-AL2023-int-test-workflow.yml @@ -13,7 +13,6 @@ on: jobs: build-operator-image-arm-al2023: runs-on: ubuntu-latest - timeout-minutes: 360 env: SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.ECR_PREFIX }}/${{ github.event.inputs.splunk_image_repository_tag }} SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator @@ -39,11 +38,12 @@ jobs: sudo chmod +x operator-sdk_${OS}_${ARCH} sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 
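Review bot: The `env:` block added to `Run smoke test` gives the test run a long-lived S3 key pair, in the same commit that removes long-lived AWS keys from the credentials step. The key id is also read from `vars`, which Actions does not mask in logs, so it will appear in plain text wherever the environment is echoed. If the tests can run under the session credentials the assumed role already exports, this block can be dropped. Otherwise I would keep both halves in secrets, `TEST_S3_ACCESS_KEY_ID: ${{ secrets.TEST_S3_ACCESS_KEY_ID }}`, and note in a comment that the key must be scoped to the test bucket only. The same block is repeated in the other smoke and integration test steps and in helm-test-workflow.yml.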
@@ -161,11 +161,12 @@ jobs: run: | echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 @@ -189,6 +190,10 @@ jobs: mkdir -p ./bin cp /snap/bin/kustomize ./bin/kustomize - name: Run Integration test + timeout-minutes: 240 + env: + TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} + TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} run: | make int-test - name: Collect Test Logs diff --git a/.github/workflows/arm-RHEL-build-test-push-workflow.yml b/.github/workflows/arm-RHEL-build-test-push-workflow.yml index 182f94229..48bb7f4b1 100644 --- a/.github/workflows/arm-RHEL-build-test-push-workflow.yml +++ b/.github/workflows/arm-RHEL-build-test-push-workflow.yml @@ -13,7 +13,6 @@ on: jobs: build-operator-image-arm-rhel: runs-on: ubuntu-latest - timeout-minutes: 360 env: SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.ECR_PREFIX }}/${{ github.event.inputs.splunk_image_repository_tag }} SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator 
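Review bot: The `Run Integration test` step in arm-AL2023-int-test-workflow.yml is now allowed 240 minutes, but nothing in the workflow guarantees the assumed-role session lasts that long, because `role-duration-seconds` comes from `vars.AWS_ROLE_DURATION_SECONDS`. If that variable is unset the input is empty and the action falls back to its default, which I believe is one hour, so AWS calls late in a long run would start failing with expired credentials. A fallback makes the intent explicit: `role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS || 14400 }}`. The role's maximum session duration in IAM has to allow the requested value, which is worth a comment next to the step; it also bounds how long a leaked session token stays useful. This applies to every `Configure AWS credentials` step the commit touches.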
@@ -39,11 +38,12 @@ jobs: sudo chmod +x operator-sdk_${OS}_${ARCH} sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 @@ -55,6 +55,7 @@ jobs: export IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA make docker-buildx PLATFORMS=$PLATFORMS BASE_IMAGE=$BASE_IMAGE BASE_IMAGE_VERSION=$BASE_IMAGE_VERSION IMG=$IMG smoke-tests-arm-rhel: + timeout-minutes: 420 strategy: fail-fast: false matrix: @@ -161,11 +162,12 @@ jobs: run: | echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 
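Review bot: `timeout-minutes: 420` on `smoke-tests-arm-rhel` is above the 360-minute ceiling that GitHub-hosted runners put on a single job, so on a hosted runner it has no effect and the job is still cut off at six hours. The runner for this job is outside the hunk, but `int-tests` in helm-test-workflow.yml gets the same value and visibly uses `runs-on: ubuntu-latest`. I would either set `timeout-minutes: 360` or add a comment saying the job runs on a self-hosted or larger runner where 420 is honoured. The new step-level 240-minute limit on the test step is the one that actually bounds a hung run.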
@@ -189,6 +191,10 @@ jobs: mkdir -p ./bin cp /snap/bin/kustomize ./bin/kustomize - name: Run smoke test + timeout-minutes: 240 + env: + TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} + TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} run: | make int-test - name: Collect Test Logs diff --git a/.github/workflows/arm-RHEL-int-test-workflow.yml b/.github/workflows/arm-RHEL-int-test-workflow.yml index 88d02978f..4ba671c50 100644 --- a/.github/workflows/arm-RHEL-int-test-workflow.yml +++ b/.github/workflows/arm-RHEL-int-test-workflow.yml @@ -13,7 +13,6 @@ on: jobs: build-operator-image-arm-rhel: runs-on: ubuntu-latest - timeout-minutes: 360 env: SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.ECR_PREFIX }}/${{ github.event.inputs.splunk_image_repository_tag }} SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator @@ -39,11 +38,12 @@ jobs: sudo chmod +x operator-sdk_${OS}_${ARCH} sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 
@@ -161,11 +161,12 @@ jobs: run: | echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 @@ -189,6 +190,10 @@ jobs: mkdir -p ./bin cp /snap/bin/kustomize ./bin/kustomize - name: Run Integration test + timeout-minutes: 240 + env: + TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} + TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} run: | make int-test - name: Collect Test Logs diff --git a/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml b/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml index 0319eea5b..9b20e9a89 100644 --- a/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml +++ b/.github/workflows/arm-Ubuntu-build-test-push-workflow.yml 
@@ -89,11 +89,12 @@ jobs: sudo chmod +x operator-sdk_${OS}_${ARCH} sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 @@ -101,7 +102,7 @@ jobs: run: | export PLATFORMS=linux/arm64,linux/amd64 export BASE_IMAGE=ubuntu - export BASE_IMAGE_VERSION=24.10 + export BASE_IMAGE_VERSION=24.04 export IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA make docker-buildx PLATFORMS=$PLATFORMS BASE_IMAGE=$BASE_IMAGE BASE_IMAGE_VERSION=$BASE_IMAGE_VERSION IMG=$IMG - name: Sign Splunk Operator image with a key @@ -211,11 +212,12 @@ jobs: run: | echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 
@@ -240,6 +242,10 @@ jobs: cp /snap/bin/kustomize ./bin/kustomize - name: Run smoke test id: smoketest + timeout-minutes: 240 + env: + TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} + TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} run: | make int-test - name: Collect Test Logs diff --git a/.github/workflows/arm-Ubuntu-int-test-workflow.yml b/.github/workflows/arm-Ubuntu-int-test-workflow.yml index 954655422..f4a1ce18c 100644 --- a/.github/workflows/arm-Ubuntu-int-test-workflow.yml +++ b/.github/workflows/arm-Ubuntu-int-test-workflow.yml @@ -13,7 +13,6 @@ on: jobs: build-operator-image-arm-ubuntu: runs-on: ubuntu-latest - timeout-minutes: 360 env: SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.ECR_PREFIX }}/${{ github.event.inputs.splunk_image_repository_tag }} SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator @@ -39,11 +38,12 @@ jobs: sudo chmod +x operator-sdk_${OS}_${ARCH} sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 @@ -51,7 +51,7 @@ jobs: run: | export PLATFORMS=linux/arm64,linux/amd64 export BASE_IMAGE=ubuntu - export BASE_IMAGE_VERSION=24.10 + export BASE_IMAGE_VERSION=24.04 export IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA make docker-buildx PLATFORMS=$PLATFORMS BASE_IMAGE=$BASE_IMAGE BASE_IMAGE_VERSION=$BASE_IMAGE_VERSION IMG=$IMG int-tests-arm-ubuntu: 
@@ -161,11 +161,12 @@ jobs: run: | echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA" >> $GITHUB_ENV - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 @@ -189,6 +190,10 @@ jobs: mkdir -p ./bin cp /snap/bin/kustomize ./bin/kustomize - name: Run Integration test + timeout-minutes: 240 + env: + TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} + TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} run: | make int-test - name: Collect Test Logs diff --git a/.github/workflows/automated-release-workflow.yml b/.github/workflows/automated-release-workflow.yml index bf4bdf013..348dea7ed 100644 --- a/.github/workflows/automated-release-workflow.yml +++ b/.github/workflows/automated-release-workflow.yml @@ -1,4 +1,9 @@ name: Automated Release Workflow +permissions: + contents: read + packages: write + id-token: write + pull-requests: write on: workflow_dispatch: inputs: 
@@ -37,11 +42,12 @@ jobs: uses: falti/dotenv-action@d4d12eaa0e1dd06d5bdc3d7af3bf4c8c93cb5359 - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: us-east-1 + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr-public diff --git a/.github/workflows/bias-language-workflow.yml b/.github/workflows/bias-language-workflow.yml index 2597b467a..2ea42b520 100644 --- a/.github/workflows/bias-language-workflow.yml +++ b/.github/workflows/bias-language-workflow.yml @@ -1,4 +1,8 @@ name: Bias Language +permissions: + contents: read + packages: write + pull-requests: write on: [push] jobs: biased_lang: diff --git a/.github/workflows/build-test-push-workflow.yml b/.github/workflows/build-test-push-workflow.yml index bc876543f..dd547e2b1 100644 --- a/.github/workflows/build-test-push-workflow.yml +++ b/.github/workflows/build-test-push-workflow.yml @@ -1,4 +1,9 @@ name: Build and Test +permissions: + contents: read + packages: write + id-token: write + pull-requests: write on: pull_request: {} push: 
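Review bot: In automated-release-workflow.yml `aws-region` changes from the literal `us-east-1` to `${{ vars.AWS_REGION }}`, but the step that follows has id `login-ecr-public`, and ECR Public authorization tokens are only issued from us-east-1. The other workflows previously read their region from `secrets.AWS_DEFAULT_REGION`, so the shared variable may well hold a different region, in which case the public-registry login in the release job would fail. I would keep `aws-region: us-east-1` in this step with a comment giving the reason. merge-develop-to-main-workflow.yml makes the same replacement ahead of its own `login-ecr-public` step.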
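Review bot: The workflow-level `permissions:` block added to bias-language-workflow.yml grants `packages: write` and `pull-requests: write` to every job on every push, which looks wider than a language lint needs. The jobs are outside the hunk, so this is inferred from the workflow name. I would start from `permissions:` with only `contents: read` and grant a write scope on the single job that uses it, with a comment naming the step that needs it. The same block appears in the bundle-push-post-release, kubectl-splunk, int-test-azure and int-test-gcp workflows, and with `id-token: write` added in the AWS ones.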
@@ -85,11 +90,12 @@ jobs: sudo chmod +x operator-sdk_${OS}_${ARCH} sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 @@ -106,6 +112,7 @@ jobs: permissions: actions: read contents: read + id-token: write security-events: write runs-on: ubuntu-latest needs: build-operator-image @@ -125,11 +132,12 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2.5.0 - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR uses: aws-actions/amazon-ecr-login@v1 
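Review bot: build-test-push-workflow.yml runs on `pull_request` as well as `push`, and every AWS step now assumes `vars.AWS_ROLE_ARN` through OIDC, so access is gated by the role's trust policy rather than by a stored secret. That policy is not part of the diff, so the workflow should say what it expects, for example `# Role trust policy must pin token.actions.githubusercontent.com:sub to this repository and the allowed refs, and aud to sts.amazonaws.com`. Without a `sub` condition, any workflow able to present a GitHub OIDC token with the right audience could assume the role. Pull requests from forks receive no id-token, so these jobs will fail at the credentials step for them; if that is intended, an `if:` guard on the job would make it explicit.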
@@ -256,11 +264,12 @@ jobs: - name: Pull Splunk Enterprise Image run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }} - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 @@ -286,6 +295,10 @@ jobs: cp /snap/bin/kustomize ./bin/kustomize - name: Run smoke test id: smoketest + timeout-minutes: 240 + env: + TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} + TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} run: | make int-test - name: Collect Test Logs diff --git a/.github/workflows/bundle-push-post-release.yml b/.github/workflows/bundle-push-post-release.yml index b122242cf..7b10c5061 100644 --- a/.github/workflows/bundle-push-post-release.yml +++ b/.github/workflows/bundle-push-post-release.yml @@ -1,4 +1,8 @@ name: Bundle Push Post Release Workflow +permissions: + contents: read + packages: write + pull-requests: write on: workflow_dispatch: inputs: diff --git a/.github/workflows/distroless-build-test-push-workflow.yml b/.github/workflows/distroless-build-test-push-workflow.yml index 870ace4c6..ef652f5b9 100644 --- a/.github/workflows/distroless-build-test-push-workflow.yml +++ b/.github/workflows/distroless-build-test-push-workflow.yml @@ -1,4 +1,9 @@ -name: Build and Test Distroless +name: Build and Test Distroles +permissions: + contents: read + packages: write + id-token: write + pull-requests: write on: pull_request: {} push: 
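Review bot: The first line of distroless-build-test-push-workflow.yml is changed from `name: Build and Test Distroless` to `name: Build and Test Distroles`, which reads as an accidental edit made while adding the `permissions:` block. Renaming a workflow also breaks anything that refers to it by name, such as `workflow_run` triggers or status badges, if any exist for this one. I would restore `name: Build and Test Distroless`.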
@@ -84,11 +89,12 @@ jobs: sudo chmod +x operator-sdk_${OS}_${ARCH} sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 @@ -126,11 +132,12 @@ jobs: # - name: Set up Docker Buildx # uses: docker/setup-buildx-action@v2.5.0 # - name: Configure AWS credentials -# uses: aws-actions/configure-aws-credentials@v1 +# uses: aws-actions/configure-aws-credentials@v5 # with: -# aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} -# aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} -# aws-region: ${{ secrets.AWS_DEFAULT_REGION }} +# role-to-assume: ${{ vars.AWS_ROLE_ARN }} +# role-session-name: github-${{ github.run_id }} +# aws-region: ${{ vars.AWS_REGION }} +# role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} # # - name: Login to Amazon ECR # uses: aws-actions/amazon-ecr-login@v1 
@@ -258,11 +265,12 @@ jobs: - name: Pull Splunk Enterprise Image run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }} - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 @@ -288,6 +296,10 @@ jobs: cp /snap/bin/kustomize ./bin/kustomize - name: Run smoke test id: smoketest + timeout-minutes: 240 + env: + TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} + TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} run: | make int-test - name: Collect Test Logs diff --git a/.github/workflows/distroless-int-test-workflow.yml b/.github/workflows/distroless-int-test-workflow.yml index fb6c9f805..88b67f82c 100644 --- a/.github/workflows/distroless-int-test-workflow.yml +++ b/.github/workflows/distroless-int-test-workflow.yml @@ -1,4 +1,9 @@ name: Integration Test Workflow Distroless +permissions: + contents: read + packages: write + id-token: write + pull-requests: write on: push: branches: @@ -7,7 +12,6 @@ on: jobs: build-operator-image-distroless: runs-on: ubuntu-latest - timeout-minutes: 360 env: SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator 
@@ -33,11 +37,12 @@ jobs: sudo chmod +x operator-sdk_${OS}_${ARCH} sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 @@ -153,13 +158,14 @@ jobs: password: ${{ secrets.DOCKERHUB_TOKEN}} - name: Set Splunk Operator image run: | - echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA-distroless" >> $GITHUB_ENV + echo "SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA-distroless" >> $GITHUB_ENV - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 @@ -182,6 +188,10 @@ jobs: mkdir -p ./bin cp /snap/bin/kustomize ./bin/kustomize - name: Run Integration test + timeout-minutes: 240 + env: + TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} + TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} run: | make int-test - name: Collect Test Logs 
diff --git a/.github/workflows/helm-test-workflow.yml b/.github/workflows/helm-test-workflow.yml index b26969a11..48b27c4a0 100644 --- a/.github/workflows/helm-test-workflow.yml +++ b/.github/workflows/helm-test-workflow.yml @@ -1,4 +1,9 @@ name: Helm Test WorkFlow +permissions: + contents: read + packages: write + id-token: write + pull-requests: write on: push: branches: @@ -34,11 +39,12 @@ jobs: sudo chmod +x operator-sdk_${OS}_${ARCH} sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 @@ -46,6 +52,7 @@ jobs: run: | make docker-buildx IMG=${{ secrets.ECR_REPOSITORY }}/${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA int-tests: + timeout-minutes: 420 runs-on: ubuntu-latest needs: build-operator-image env: @@ -143,11 +150,12 @@ jobs: - name: Pull Splunk Enterprise Image run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }} - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 
@@ -201,6 +209,8 @@ jobs: AWS_S3_REGION: ${{ secrets.AWS_DEFAULT_REGION }} TEST_S3_BUCKET: ${{ secrets.TEST_BUCKET }} TEST_VPC_ENDPOINT_URL: ${{ secrets.TEST_VPC_ENDPOINT_URL }} + TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} + TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} run: | kubectl kuttl test --config kuttl/kuttl-test-helm.yaml --report xml - name: Publish Results diff --git a/.github/workflows/int-test-azure-workflow.yml b/.github/workflows/int-test-azure-workflow.yml index da27d8599..b58a04959 100644 --- a/.github/workflows/int-test-azure-workflow.yml +++ b/.github/workflows/int-test-azure-workflow.yml @@ -1,4 +1,8 @@ name: Integration Test on Azure WorkFlow +permissions: + contents: read + packages: write + pull-requests: write on: push: branches: @@ -216,6 +220,7 @@ jobs: mkdir -p ./bin cp /snap/bin/kustomize ./bin/kustomize - name: Run Integration test + timeout-minutes: 240 run: | make int-test - name: Collect Test Logs diff --git a/.github/workflows/int-test-gcp-workflow.yml b/.github/workflows/int-test-gcp-workflow.yml index b6b4687af..bae27e97e 100644 --- a/.github/workflows/int-test-gcp-workflow.yml +++ b/.github/workflows/int-test-gcp-workflow.yml @@ -1,4 +1,8 @@ name: Integration Test on GCP Workflow +permissions: + contents: read + packages: write + pull-requests: write on: push: @@ -250,6 +254,7 @@ jobs: kubectl apply -f test/gcp-storageclass.yaml - name: Run Integration Tests + timeout-minutes: 240 run: | export GCP_SERVICE_ACCOUNT_KEY=${{ secrets.GCP_SERVICE_ACCOUNT_KEY_BASE64 }} make int-test diff --git a/.github/workflows/int-test-workflow.yml b/.github/workflows/int-test-workflow.yml index 52960e7f8..fabc2b4fa 100644 --- a/.github/workflows/int-test-workflow.yml +++ b/.github/workflows/int-test-workflow.yml @@ -1,4 +1,9 @@ name: Integration Test WorkFlow +permissions: + contents: read + packages: write + id-token: write + pull-requests: write on: push: branches: 
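Review bot: The `Run Integration Tests` step in int-test-gcp-workflow.yml still expands `secrets.GCP_SERVICE_ACCOUNT_KEY_BASE64` directly into the shell script text, while the AWS test steps in this commit pass their credentials through a step-level `env:` block. Since the step is being edited anyway, I would do the same here: add `env:` with `GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_BASE64 }}` and drop the `export` line. That keeps the secret out of the generated script and avoids the shell re-parsing its contents. The step may continue past the end of the hunk.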
@@ -8,7 +13,6 @@ on: jobs: build-operator-image: runs-on: ubuntu-latest - timeout-minutes: 360 env: SPLUNK_ENTERPRISE_IMAGE: ${{ secrets.SPLUNK_ENTERPRISE_IMAGE }} SPLUNK_OPERATOR_IMAGE_NAME: splunk/splunk-operator @@ -34,11 +38,12 @@ jobs: sudo chmod +x operator-sdk_${OS}_${ARCH} sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 @@ -152,11 +157,12 @@ jobs: - name: Pull Splunk Enterprise Image run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }} - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 @@ -181,6 +187,10 @@ jobs: mkdir -p ./bin cp /snap/bin/kustomize ./bin/kustomize - name: Run Integration test + timeout-minutes: 240 + env: + TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} + TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} run: | make int-test - name: Collect Test Logs 
diff --git a/.github/workflows/kubectl-splunk-workflow.yml b/.github/workflows/kubectl-splunk-workflow.yml index 4e88c70d7..70bc6fecf 100644 --- a/.github/workflows/kubectl-splunk-workflow.yml +++ b/.github/workflows/kubectl-splunk-workflow.yml @@ -2,6 +2,11 @@ name: Kubectl Splunk CI +permissions: + contents: read + packages: write + pull-requests: write + on: push: branches: diff --git a/.github/workflows/manual-int-test-workflow.yml b/.github/workflows/manual-int-test-workflow.yml index fd66257ac..dc6981e46 100644 --- a/.github/workflows/manual-int-test-workflow.yml +++ b/.github/workflows/manual-int-test-workflow.yml @@ -1,4 +1,9 @@ name: Manual Integration Test WorkFlow +permissions: + contents: read + packages: write + id-token: write + pull-requests: write on: workflow_dispatch: inputs: @@ -105,11 +110,12 @@ jobs: - name: Pull Splunk Enterprise Image run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }} - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 @@ -138,6 +144,10 @@ jobs: mkdir -p ./bin cp /snap/bin/kustomize ./bin/kustomize - name: Run Integration test + timeout-minutes: 240 + env: + TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} + TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} run: | export SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA make int-test 
@@ -176,11 +186,12 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2.5.0 - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR uses: aws-actions/amazon-ecr-login@v1 - name: Pull Splunk Operator Image Locally diff --git a/.github/workflows/merge-develop-to-main-workflow.yml b/.github/workflows/merge-develop-to-main-workflow.yml index e7f7ee79c..db8aa9cef 100644 --- a/.github/workflows/merge-develop-to-main-workflow.yml +++ b/.github/workflows/merge-develop-to-main-workflow.yml @@ -1,4 +1,9 @@ name: Merge Develop To Main Workflow +permissions: + contents: read + packages: write + id-token: write + pull-requests: write on: workflow_dispatch: inputs: @@ -61,12 +66,13 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2.5.0 - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: us-east-1 + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr-public diff --git a/.github/workflows/namespace-scope-int-workflow.yml b/.github/workflows/namespace-scope-int-workflow.yml index 5a8185277..03cbc2b4f 100644 
--- a/.github/workflows/namespace-scope-int-workflow.yml +++ b/.github/workflows/namespace-scope-int-workflow.yml @@ -1,4 +1,9 @@ name: Namespace-scope Operator Integration Test WorkFlow +permissions: + contents: read + packages: write + id-token: write + pull-requests: write on: schedule: - cron: "0 02 * * WED,SUN" @@ -102,11 +107,12 @@ jobs: - name: Pull Splunk Enterprise Edge Image run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }} - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 @@ -135,6 +141,10 @@ jobs: mkdir -p ./bin cp /snap/bin/kustomize ./bin/kustomize - name: Run Integration test + timeout-minutes: 240 + env: + TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} + TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} run: | export SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA make int-test diff --git a/.github/workflows/nightly-int-test-workflow.yml b/.github/workflows/nightly-int-test-workflow.yml index 4b67bd375..769bac74a 100644 --- a/.github/workflows/nightly-int-test-workflow.yml +++ b/.github/workflows/nightly-int-test-workflow.yml @@ -1,4 +1,9 @@ name: Nightly Integration Test WorkFlow +permissions: + contents: read + packages: write + id-token: write + pull-requests: write on: schedule: - cron: "0 06 * * 0" 
@@ -32,11 +37,12 @@ jobs: sudo chmod +x operator-sdk_${OS}_${ARCH} sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 @@ -138,11 +144,12 @@ jobs: - name: Pull Splunk Enterprise Image run: docker pull ${{ env.SPLUNK_ENTERPRISE_IMAGE }} - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v1 @@ -174,6 +181,10 @@ jobs: mkdir -p ./bin cp /snap/bin/kustomize ./bin/kustomize - name: Run Integration test + timeout-minutes: 240 + env: + TEST_S3_ACCESS_KEY_ID: ${{ vars.TEST_S3_ACCESS_KEY_ID }} + TEST_S3_SECRET_ACCESS_KEY: ${{ secrets.TEST_S3_SECRET_ACCESS_KEY }} run: | export SPLUNK_OPERATOR_IMAGE=${{ env.SPLUNK_OPERATOR_IMAGE_NAME }}:$GITHUB_SHA make int-test 
@@ -215,11 +226,12 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2.5.0 - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v5 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_DEFAULT_REGION }} + role-to-assume: ${{ vars.AWS_ROLE_ARN }} + role-session-name: github-${{ github.run_id }} + aws-region: ${{ vars.AWS_REGION }} + role-duration-seconds: ${{ vars.AWS_ROLE_DURATION_SECONDS }} - name: Login to Amazon ECR uses: aws-actions/amazon-ecr-login@v1 - name: Pull Splunk Operator Image Locally diff --git a/.github/workflows/pre-release-workflow.yml b/.github/workflows/pre-release-workflow.yml index d6b7ab806..b5b48bacc 100644 --- a/.github/workflows/pre-release-workflow.yml +++ b/.github/workflows/pre-release-workflow.yml @@ -1,4 +1,8 @@ name: Pre Release Workflow +permissions: + contents: read + packages: write + pull-requests: write on: workflow_dispatch: inputs: diff --git a/.github/workflows/prodsec-workflow.yml b/.github/workflows/prodsec-workflow.yml index 07e2bd8d4..54942b0b2 100644 --- a/.github/workflows/prodsec-workflow.yml +++ b/.github/workflows/prodsec-workflow.yml @@ -1,10 +1,14 @@ +name: Prodsec Workflow +permissions: + contents: read + packages: write + pull-requests: write on: pull_request: {} push: branches: - main - develop -name: Prodsec Workflow jobs: semgrep: name: Semgrep Scanner diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ffd713373..31e78b221 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,8 @@ name: Release Charts +permissions: + contents: read + packages: write + pull-requests: write on: push: branches: 
diff --git a/kuttl/tests/helm/c3-with-apps-private-link/00-create-bucket.yaml b/kuttl/tests/helm/c3-with-apps-private-link/00-create-bucket.yaml index e87c9ed8c..baecc1491 100644 --- a/kuttl/tests/helm/c3-with-apps-private-link/00-create-bucket.yaml +++ b/kuttl/tests/helm/c3-with-apps-private-link/00-create-bucket.yaml @@ -7,7 +7,7 @@ commands: skipLogOutput: true - script: aws s3 cp --recursive s3://$TEST_S3_BUCKET/appframework/v2apps s3://helm-test-c3-with-apps-$NAMESPACE/appframework --region $AWS_DEFAULT_REGION background: false - skipLogOutput: true + skipLogOutput: false - script: aws s3 mb s3://helm-test-c3-with-apps-smartstore-$NAMESPACE --region $AWS_DEFAULT_REGION background: false skipLogOutput: true \ No newline at end of file diff --git a/kuttl/tests/helm/c3-with-apps-private-link/02-create-s3-secret.yaml b/kuttl/tests/helm/c3-with-apps-private-link/02-create-s3-secret.yaml index 7046b6f17..ee8436626 100644 --- a/kuttl/tests/helm/c3-with-apps-private-link/02-create-s3-secret.yaml +++ b/kuttl/tests/helm/c3-with-apps-private-link/02-create-s3-secret.yaml @@ -3,7 +3,7 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep commands: - - script: kubectl create secret generic s3-secret --from-literal=s3_access_key=$AWS_ACCESS_KEY_ID --from-literal=s3_secret_key=$AWS_SECRET_ACCESS_KEY --namespace $NAMESPACE + - script: kubectl create secret generic s3-secret --from-literal=s3_access_key=${TEST_S3_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID} --from-literal=s3_secret_key=${TEST_S3_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY} --namespace $NAMESPACE background: false #namespaced: true skipLogOutput: true \ No newline at end of file diff --git a/kuttl/tests/helm/c3-with-apps/00-create-bucket.yaml b/kuttl/tests/helm/c3-with-apps/00-create-bucket.yaml index e87c9ed8c..baecc1491 100644 --- a/kuttl/tests/helm/c3-with-apps/00-create-bucket.yaml +++ b/kuttl/tests/helm/c3-with-apps/00-create-bucket.yaml 
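Review bot: `skipLogOutput: false` is flipped only on the `aws s3 cp --recursive` command in `c3-with-apps-private-link/00-create-bucket.yaml`, so every copied object path and both bucket names now go to the CI log while the neighbouring commands stay silent; this looks like a debugging aid left in. If the aim is to see why the copy fails, adding `--only-show-errors` to that `aws s3 cp` call keeps failures visible without listing the bucket contents. The same change is made in `c3-with-apps/00-create-bucket.yaml` and `s1-with-smartstore/00-create-bucket.yaml`.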
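Review bot: The `${TEST_S3_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}` fallback in `02-create-s3-secret.yaml` changes meaning once the job authenticates through `role-to-assume`: the `AWS_*` variables then hold temporary credentials that are valid only together with `AWS_SESSION_TOKEN`, which this secret does not carry. If `TEST_S3_*` is missing in such a run, the step still succeeds, the CI role's key pair is copied into the cluster, and the failure surfaces later as an S3 authentication error. The script should refuse the fallback when a session token is present, and the expansions should be quoted: `--from-literal=s3_access_key="${TEST_S3_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}"`. The same line is changed in `c3-with-apps/02-create-s3-secret.yaml` and `s1-with-smartstore/02-create-s3-secret.yaml`, and `createIndexSecret` in `test/testenv/testcaseenv.go` uses the same fallback.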
@@ -7,7 +7,7 @@ commands: skipLogOutput: true - script: aws s3 cp --recursive s3://$TEST_S3_BUCKET/appframework/v2apps s3://helm-test-c3-with-apps-$NAMESPACE/appframework --region $AWS_DEFAULT_REGION background: false - skipLogOutput: true + skipLogOutput: false - script: aws s3 mb s3://helm-test-c3-with-apps-smartstore-$NAMESPACE --region $AWS_DEFAULT_REGION background: false skipLogOutput: true \ No newline at end of file diff --git a/kuttl/tests/helm/c3-with-apps/02-create-s3-secret.yaml b/kuttl/tests/helm/c3-with-apps/02-create-s3-secret.yaml index 7046b6f17..ee8436626 100644 --- a/kuttl/tests/helm/c3-with-apps/02-create-s3-secret.yaml +++ b/kuttl/tests/helm/c3-with-apps/02-create-s3-secret.yaml @@ -3,7 +3,7 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep commands: - - script: kubectl create secret generic s3-secret --from-literal=s3_access_key=$AWS_ACCESS_KEY_ID --from-literal=s3_secret_key=$AWS_SECRET_ACCESS_KEY --namespace $NAMESPACE + - script: kubectl create secret generic s3-secret --from-literal=s3_access_key=${TEST_S3_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID} --from-literal=s3_secret_key=${TEST_S3_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY} --namespace $NAMESPACE background: false #namespaced: true skipLogOutput: true \ No newline at end of file diff --git a/kuttl/tests/helm/s1-with-smartstore/00-create-bucket.yaml b/kuttl/tests/helm/s1-with-smartstore/00-create-bucket.yaml index b4e4dfde7..8e89da9bb 100644 --- a/kuttl/tests/helm/s1-with-smartstore/00-create-bucket.yaml +++ b/kuttl/tests/helm/s1-with-smartstore/00-create-bucket.yaml @@ -7,7 +7,7 @@ commands: skipLogOutput: true - script: aws s3 cp --recursive s3://$TEST_S3_BUCKET/appframework/v2apps s3://helm-test-s1-with-apps-$NAMESPACE/appframework --region $AWS_DEFAULT_REGION background: false - skipLogOutput: true + skipLogOutput: false - script: aws s3 mb s3://helm-test-s1-with-apps-smartstore-$NAMESPACE --region $AWS_DEFAULT_REGION background: false skipLogOutput: true \ No newline at end of file 
diff --git a/kuttl/tests/helm/s1-with-smartstore/02-create-s3-secret.yaml b/kuttl/tests/helm/s1-with-smartstore/02-create-s3-secret.yaml index 7046b6f17..ee8436626 100644 --- a/kuttl/tests/helm/s1-with-smartstore/02-create-s3-secret.yaml +++ b/kuttl/tests/helm/s1-with-smartstore/02-create-s3-secret.yaml @@ -3,7 +3,7 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep commands: - - script: kubectl create secret generic s3-secret --from-literal=s3_access_key=$AWS_ACCESS_KEY_ID --from-literal=s3_secret_key=$AWS_SECRET_ACCESS_KEY --namespace $NAMESPACE + - script: kubectl create secret generic s3-secret --from-literal=s3_access_key=${TEST_S3_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID} --from-literal=s3_secret_key=${TEST_S3_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY} --namespace $NAMESPACE background: false #namespaced: true skipLogOutput: true \ No newline at end of file diff --git a/test/README.md b/test/README.md index 4bcfbe916..45dbe24d4 100644 --- a/test/README.md +++ b/test/README.md @@ -69,8 +69,8 @@ Note: To run a specific test, you can Smoke and integration tests will run on Github actions. This tests can be triggered on schedule or after a certain event occur depending of the content of the workflow files. To run the tests on different clusters platforms, you will need to define the following project environment variables. For AWS: -AWS_ACCESS_KEY_ID -AWS_SECRET_ACCESS_KEY +TEST_S3_ACCESS_KEY_ID (optional, defaults to AWS_ACCESS_KEY_ID if not set) +TEST_S3_SECRET_ACCESS_KEY (optional, defaults to AWS_SECRET_ACCESS_KEY if not set) CLUSTER_PROVIDER=[eks] ECR_REGISTRY diff --git a/test/testenv/testcaseenv.go b/test/testenv/testcaseenv.go index a1081e0a0..3987226ab 100644 --- a/test/testenv/testcaseenv.go +++ b/test/testenv/testcaseenv.go 
@@ -518,8 +518,18 @@ func (testenv *TestCaseEnv) CreateServiceAccount(name string) error {
 func (testenv *TestCaseEnv) createIndexSecret() error {
 secretName := testenv.s3IndexSecret
 ns := testenv.namespace
- data := map[string][]byte{"s3_access_key": []byte(os.Getenv("AWS_ACCESS_KEY_ID")),
- "s3_secret_key": []byte(os.Getenv("AWS_SECRET_ACCESS_KEY"))}
+
+ accessKey := os.Getenv("TEST_S3_ACCESS_KEY_ID")
+ if accessKey == "" {
+ accessKey = os.Getenv("AWS_ACCESS_KEY_ID")
+ }
+ secretKey := os.Getenv("TEST_S3_SECRET_ACCESS_KEY")
+ if secretKey == "" {
+ secretKey = os.Getenv("AWS_SECRET_ACCESS_KEY")
+ }
+
+ data := map[string][]byte{"s3_access_key": []byte(accessKey),
+ "s3_secret_key": []byte(secretKey)}
 secret := newSecretSpec(ns, secretName, data)
 if err := testenv.GetKubeClient().Create(context.TODO(), secret); err != nil {
 testenv.Log.Error(err, "Unable to create s3 index secret object")
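Review bot: `createIndexSecret` still builds the secret when both the `TEST_S3_*` and the `AWS_*` variables are empty, so a misconfigured run stores empty `s3_access_key`/`s3_secret_key` values and fails only later, far from the cause. A line before `data := ...` would make that visible without changing behaviour for providers that do not use S3: `if accessKey == "" || secretKey == "" { testenv.Log.Info("S3 credentials not set; index secret will hold empty values") }` (this assumes `testenv.Log` is a logr-style logger, which the `Error(err, msg)` call suggests but the hunk does not show). The function also lacks a doc comment stating the precedence, for example `// createIndexSecret stores the S3 key pair from TEST_S3_* and falls back to AWS_* when those are unset.` The function body continues past the end of the hunk.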