microsoft
diff --git a/‎.github/workflows/_cleanup.yml
Lines changed: 54 additions & 0 deletions b/‎.github/workflows/_cleanup.yml
Lines changed: 54 additions & 0 deletions
diff --git a/‎.github/workflows/_create_aks_cluster.yml
Lines changed: 64 additions & 0 deletions b/‎.github/workflows/_create_aks_cluster.yml
Lines changed: 64 additions & 0 deletions
diff --git a/‎.github/workflows/_deploy_kafka_test.yml
Lines changed: 77 additions & 0 deletions b/‎.github/workflows/_deploy_kafka_test.yml
Lines changed: 77 additions & 0 deletions
diff --git a/‎.github/workflows/_setup_aks_cluster.yml
Lines changed: 110 additions & 0 deletions b/‎.github/workflows/_setup_aks_cluster.yml
Lines changed: 110 additions & 0 deletions
diff --git a/‎.github/workflows/_test_workload.yml
Lines changed: 68 additions & 0 deletions b/‎.github/workflows/_test_workload.yml
Lines changed: 68 additions & 0 deletions
@@ -0,0 +1,54 @@
+name: Cleanup
+
+on:
+  workflow_call:
+  schedule:
+    - cron: "0 0 * * *"
+
+jobs:
+  remove-workload-and-cluster:
+    name: Clean Up
+    runs-on: ubuntu-latest
+    steps:
+      - name: Log into Azure
+        run: |
+          az login --service-principal \
+            --username ${{ secrets.AZURE_SERVICE_PRINCIPAL_APP_ID }} \
+            --password ${{ secrets.AZURE_SERVICE_PRINCIPAL_PASSWORD }} \
+            --tenant ${{ secrets.AZURE_SERVICE_PRINCIPAL_TENANT }}
+
+      - name: Clean Up
+        id: cleanup
+        env: 
+          RESOURCE_GROUP: ${{ vars.RESOURCE_GROUP }}
+        run: | 
+          result=$(az aks list -g $RESOURCE_GROUP --query "[].name" -otsv)
+
+          for name in $result 
+          do
+              max_retries=5
+              retries=0
+              while [ $retries -lt $max_retries ]; do
+                  echo "Querying for cluster state"
+                  clusterstate=$(az aks show -g $RESOURCE_GROUP -n $name --query 'provisioningState' -otsv) 
+                  if [[ $clusterstate == *"Succeeded"* ]]; then
+                      echo "Returned result is $clusterstate"
+                      echo "Cluster is ready to be deleted."
+                      az aks stop --resource-group $RESOURCE_GROUP --name $name 2>&1
+                      az aks delete --resource-group $RESOURCE_GROUP --name $name --no-wait --yes
+                      break  # Exit the loop on successful attempt
+                  elif [[ $clusterstate == *"Stopped"* ]] || [[ $clusterstate == *"Failed"* ]]; then
+                      az aks delete --resource-group $RESOURCE_GROUP --name $name --no-wait --yes
+                      break  # Exit the loop on successful attempt
+                  else
+                      echo "Returned cluster provisioning state is $clusterstate"
+                      echo "Retrying in 3 minutes..."
+                      retries=$((retries+1))
+                      sleep 180
+                  fi
+              done
+              if [ $retries -eq $max_retries ]; then
+                  echo "The operation has been tried 5 times without success."
+                  exit 1
+              fi
+          done
@@ -0,0 +1,64 @@
+name: Create AKS Cluster
+
+on:
+  workflow_call:
+    outputs:
+      cluster-name:
+        description: AKS Cluster Name
+        value: ${{ jobs.create-aks-cluster.outputs.cluster-name }}
+  workflow_dispatch:
+    
+jobs:
+  create-aks-cluster:
+    name: Create AKS Cluster
+    runs-on: ubuntu-latest
+    env: 
+      RESOURCE_GROUP: ${{ vars.RESOURCE_GROUP }} 
+      KUBERNETES_VERSION: ${{ vars.KUBERNETES_VERSION }}
+    outputs:
+      cluster-name: ${{ steps.create-aks-cluster.outputs.cluster-name }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Get Workflow ID
+        id: generate-id
+        run: echo "id=$(openssl rand -hex 8 | tr -d '\n')" >> $GITHUB_OUTPUT
+      
+      - name: Log into Azure
+        run: |
+          az login --service-principal \
+          --username ${{ secrets.AZURE_SERVICE_PRINCIPAL_APP_ID }} \
+          --password ${{ secrets.AZURE_SERVICE_PRINCIPAL_PASSWORD }} \
+          --tenant ${{ secrets.AZURE_SERVICE_PRINCIPAL_TENANT }}
+
+      - name: Install Dependencies 
+        id: install-dependencies 
+        run: |
+          result=$(az extension list -o table  2>&1 || true)
+          if [[ $result == *"aks-preview"* ]]; then
+            echo "aks-preview already installed, upgrading aks-preview version."
+            az extension update --name aks-preview
+          else
+            echo "aks-preview extension not found. Installing aks-preview..."
+            az extension add --name aks-preview
+          fi
+
+      - name: Create AKS Cluster
+        id: create-aks-cluster
+        if: steps.install-dependencies.outcome == 'success'
+        env: 
+          RUN_ID: ${{ steps.generate-id.outputs.id}}
+        run: |
+          az aks create --resource-group $RESOURCE_GROUP \
+          --name skr-kafka-demo-${RUN_ID} \
+          --kubernetes-version $KUBERNETES_VERSION \
+          --os-sku AzureLinux \
+          --node-vm-size Standard_DC4as_cc_v5 \
+          --tags "Owner=accct" \
+          --enable-oidc-issuer \
+          --enable-workload-identity \
+          --workload-runtime KataCcIsolation \
+          --node-count 1 \
+          --generate-ssh-keys
+          echo "cluster-name=skr-kafka-demo-${RUN_ID}" >> $GITHUB_OUTPUT
@@ -0,0 +1,77 @@
+name: Deploy Kafka Test
+
+on:
+  workflow_call:
+    inputs:
+      cluster-name:
+        required: true
+        description: AKS Cluster Name
+        type: string
+      key-release-image: 
+        required: true 
+        description: "The image of the SKR sidecar to use"
+        type: string
+      consumer-image: 
+        description: "Consumer Image"
+        required: true
+        type: string
+      producer-image: 
+        description: "Producer Image"
+        required: true
+        type: string
+jobs:
+  deploy-kafka:
+    name: Deploy Kafka Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          path: main
+
+      - name: Log into Azure
+        run: |
+          az login --service-principal \
+            --username ${{ secrets.AZURE_SERVICE_PRINCIPAL_APP_ID }} \
+            --password ${{ secrets.AZURE_SERVICE_PRINCIPAL_PASSWORD }} \
+            --tenant ${{ secrets.AZURE_SERVICE_PRINCIPAL_TENANT }}
+            
+      - name: Install Dependencies 
+        id: install-dependencies 
+        run: |
+            curl -L https://github.com/a8m/envsubst/releases/download/v1.2.0/envsubst-`uname -s`-`uname -m` -o envsubst --fail-with-body 
+            chmod +x envsubst
+            sudo mv envsubst /usr/local/bin
+
+            result=$(az extension list -o table  2>&1 || true)
+            if [[ $result == *"confcom"* ]]; then
+              echo "confcom already installed, upgrading confcom version."
+              az extension update --name confcom
+            else
+              echo "confcom extension not found. Installing confcom..."
+              az extension add --name confcom
+            fi
+
+            curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" --fail-with-body 
+            chmod +x kubectl
+            sudo mv kubectl /usr/local/bin
+            kubectl version 2>&1 || true
+
+      - name: Run Workload
+        env:
+          AZURE_AKV_RESOURCE_ENDPOINT: ${{ secrets.SKR_CLIENT_AKV_ENDPOINT }}
+          MAA_ENDPOINT: ${{ secrets.SKR_CLIENT_MAA_ENDPOINT }}
+          CLUSTER_NAME: ${{ inputs.cluster-name }}
+          RESOURCE_GROUP: ${{ vars.RESOURCE_GROUP }} 
+          SIDECAR_IMAGE: ${{ inputs.key-release-image }}
+          CONSUMER_IMAGE: ${{ inputs.consumer-image }}
+          PRODUCER_IMAGE: ${{ inputs.producer-image }}
+        id: run-workload
+        run: | 
+          az aks get-credentials --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP  --overwrite-existing
+          cd main/kafka
+          chmod +x test-setup.sh
+          bash test-setup.sh kafka-demo-pipeline $AZURE_AKV_RESOURCE_ENDPOINT
+
+          
+      
@@ -0,0 +1,110 @@
+name: Create and Prepare AKS Cluster
+
+on:
+  workflow_call:
+    inputs:
+      cluster-name:
+        required: true
+        description: AKS Cluster Name
+        type: string
+  workflow_dispatch:
+    
+jobs:
+  setup-aks-cluster:
+    name: Setup AKS Cluster
+    runs-on: ubuntu-latest
+    env: 
+      RESOURCE_GROUP: ${{ vars.RESOURCE_GROUP }} 
+      USER_ASSIGNED_IDENTITY_NAME: ${{ vars.USER_ASSIGNED_IDENTITY_NAME }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Log into Azure
+        run: |
+          az login --service-principal \
+          --username ${{ secrets.AZURE_SERVICE_PRINCIPAL_APP_ID }} \
+          --password ${{ secrets.AZURE_SERVICE_PRINCIPAL_PASSWORD }} \
+          --tenant ${{ secrets.AZURE_SERVICE_PRINCIPAL_TENANT }}
+
+      - name: Install Dependencies 
+        id: install-dependencies 
+        run: |
+          result=$(az extension list -o table  2>&1 || true)
+          if [[ $result == *"aks-preview"* ]]; then
+            echo "aks-preview already installed, upgrading aks-preview version."
+            az extension update --name aks-preview
+          else
+            echo "aks-preview extension not found. Installing aks-preview..."
+            az extension add --name aks-preview
+          fi
+
+          curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"  --fail-with-body
+          chmod +x kubectl
+          sudo mv kubectl /usr/local/bin
+          kubectl version 2>&1 || true
+
+      - name: Prepare Workload Identity Env Var
+        id: prepare-workload-identity-env-vars
+        env:
+          CLUSTER_NAME: ${{ inputs.cluster-name}}
+        run: |
+          az aks get-credentials --name $CLUSTER_NAME --resource-group $RESOURCE_GROUP  --overwrite-existing
+          export AKS_OIDC_ISSUER="$(az aks show -n $CLUSTER_NAME -g $RESOURCE_GROUP --query "oidcIssuerProfile.issuerUrl" -otsv)"
+          echo "Setting AKS_OIDC_ISSUER to $AKS_OIDC_ISSUER"
+
+          export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group $RESOURCE_GROUP --name $USER_ASSIGNED_IDENTITY_NAME --query 'clientId' -otsv)"
+          echo "Setting USER_ASSIGNED_CLIENT_ID to $USER_ASSIGNED_CLIENT_ID"
+
+          echo "AKS_OIDC_ISSUER=$AKS_OIDC_ISSUER" >> $GITHUB_OUTPUT
+          echo "USER_ASSIGNED_CLIENT_ID=$USER_ASSIGNED_CLIENT_ID" >> $GITHUB_OUTPUT
+        
+      - name: Create Kafka Namespace 
+        id: create-kafka-namespace
+        if: steps.prepare-workload-identity-env-vars.outcome == 'success'
+        run: |
+          result=$(kubectl get namespace kafka 2>&1 || true)
+          if [[ $result == *"not found"* ]]; then
+              echo "kafka namespace not found. Create kafka namespace..."
+              kubectl create namespace kafka
+          else
+              echo "kafka namespace already exists."
+          fi
+      
+      - name: Create Service Account
+        id: create-service-account
+        if: steps.create-kafka-namespace.outcome == 'success'
+        run: |
+          kubectl delete sa -n kafka workload-identity-sa 2>&1 || true
+          cat <<EOF | kubectl apply -f - 
+          apiVersion: v1 
+          kind: ServiceAccount 
+          metadata: 
+            annotations: 
+              azure.workload.identity/client-id: ${{ steps.prepare-workload-identity-env-vars.outputs.USER_ASSIGNED_CLIENT_ID }}
+            name: workload-identity-sa 
+            namespace: kafka 
+          EOF
+      
+      - name: Setup Workload Identity
+        id: setup-workload-identity
+        if: steps.create-service-account.outcome == 'success'
+        run: |
+          result=$(az identity federated-credential show --name myFedIdentity --identity-name $USER_ASSIGNED_IDENTITY_NAME --resource-group $RESOURCE_GROUP 2>&1 || true)
+          if [[ $result == *${{ steps.prepare-workload-identity-env-vars.outputs.AKS_OIDC_ISSUER }}* ]]; then
+              echo "Federated identity already exists"
+          else
+              echo "Federated identity not found. Creating... "
+              az identity federated-credential create --name myFedIdentity --identity-name $USER_ASSIGNED_IDENTITY_NAME --resource-group $RESOURCE_GROUP --issuer ${{ steps.prepare-workload-identity-env-vars.outputs.AKS_OIDC_ISSUER }} --subject system:serviceaccount:kafka:workload-identity-sa
+          fi
+          
+      - name: Setup Kafka Cluster 
+        id: apply-kafka-cr-files
+        if: steps.setup-workload-identity.outcome == 'success'
+        run: |
+          kubectl create -f 'https://strimzi.io/install/latest?namespace=kafka' -n kafka 2>&1
+          # Apply the `Kafka` Cluster CR file
+          kubectl apply -f https://strimzi.io/examples/latest/kafka/kafka-persistent-single.yaml -n kafka 2>&1
+  
+          echo "Sleep for 3 minutes and wait for Kafka cluster to be created and fully working..."
+          sleep 180
@@ -0,0 +1,68 @@
+name: Test Workload
+
+on:
+  workflow_call:
+    inputs:
+      cluster-name:
+        required: true
+        description: AKS Cluster Name
+        type: string
+
+jobs:
+  test-workload:
+    name: Test Workload
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          path: main
+
+      - name: Log into Azure
+        run: |
+          az login --service-principal \
+            --username ${{ secrets.AZURE_SERVICE_PRINCIPAL_APP_ID }} \
+            --password ${{ secrets.AZURE_SERVICE_PRINCIPAL_PASSWORD }} \
+            --tenant ${{ secrets.AZURE_SERVICE_PRINCIPAL_TENANT }}
+            
+      - name: Install Dependencies 
+        id: install-dependencies 
+        run: |
+            curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" --fail-with-body 
+            chmod +x kubectl
+            sudo mv kubectl /usr/local/bin
+            kubectl version 2>&1 || true
+
+      - name: Test Workload
+        env:
+          CLUSTER_NAME: ${{ inputs.cluster-name }}
+          RESOURCE_GROUP: ${{ vars.RESOURCE_GROUP }} 
+        id: test-workload
+        run: | 
+          az aks get-credentials --name $CLUSTER_NAME  --resource-group $RESOURCE_GROUP  --overwrite-existing
+
+          echo "Wait for 120 sec before checking expected Kafka message."
+          sleep 120
+
+          max_retries=5
+          retries=0
+          while [ $retries -lt $max_retries ]; do
+              echo "Querying for the decrypted message from $ConsumerIP"
+              result=$(kubectl logs -n kafka kafka-golang-consumer -c kafka-golang-consumer) 
+
+              if [[ $result == *"Azure Confidential Computing"* ]]; then
+                  echo "Returned result is $result"
+                  echo "Found decrypted message, workload is successful."
+                  break  # Exit the loop on successful attempt
+              else
+                  echo "Returned result is $result"
+                  echo "Returned result does not contain text that indicates successful execution, retrying in 5 seconds..."
+                  retries=$((retries+1))
+              fi
+              sleep 5
+          done
+
+          if [ $retries -eq $max_retries ]; then
+            echo "The operation has been tried 3 times without success."
+            exit 1
+          fi