# Copyright 2025-2026 Defense Unicorns
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
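# End-to-end install test of UDS Core on an EKS cluster in AWS GovCloud (us-gov-west-1).
# One matrix leg per package flavor. Each leg builds the package and bundle, provisions a
# cluster with OpenTofu, deploys and tests the bundle, then tears the cluster down again
# (teardown steps run even when an earlier step failed).
name: EKS Test
on:
  schedule:
    - cron: "0 0 * * 0" # Every Sunday Midnight (UTC) / Saturday 5pm MT
  workflow_call: {} # Reusable from other workflows; github.event is then the caller's event.
# Workflow-wide default token scopes. id-token:write is required for the OIDC exchange
# with AWS below; everything else is read-only.
permissions:
  id-token: write
  contents: read
  packages: read
jobs:
  test-eks-install:
    strategy:
      fail-fast: false # one failing flavor must not cancel the other matrix legs
      matrix:
        flavor: [upstream, registry1, unicorn]
    runs-on: ubuntu-latest
    name: test-eks
    # Job-level scopes replace the workflow defaults above. pull-requests:write is only used by
    # the renovate-readiness step, but GitHub cannot scope a permission to a single step, so every
    # run (including scheduled ones, where that step is skipped) carries it.
    permissions:
      id-token: write
      contents: read
      packages: read
      pull-requests: write # Allows writing to pull requests (needed for renovate-readiness)
    env:
      SHA: ${{ github.sha }}
      UDS_REGION: us-gov-west-1
      UDS_PERMISSIONS_BOUNDARY_ARN: ${{ secrets.GOV_PERMISSIONS_BOUNDARY_ARN }}
      UDS_PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }}
      # UDS_STATE_BUCKET_NAME: uds-tf-state-20250305185900362500000001 # commercial
      UDS_STATE_BUCKET_NAME: uds-tf-state-20250305185903808500000001 # govcloud
      UDS_STATE_DYNAMODB_TABLE_NAME: uds-tf-state-lock
    steps:
      # Derive per-run names from the short SHA and the flavor so the three matrix legs (and
      # concurrent runs) do not collide on cluster name or Tofu state key.
      # ${{ matrix.flavor }} is interpolated into the shell, which is acceptable only because it
      # comes from the static list above and not from event input.
      - name: Set ENV
        run: |
          echo "UDS_CLUSTER_NAME=uds-ci-${{ matrix.flavor }}-${SHA:0:7}" >> $GITHUB_ENV
          echo "UDS_STATE_KEY=tfstate/ci/install/${SHA:0:7}-eks-core-${{ matrix.flavor }}-aws.tfstate" >> $GITHUB_ENV
          echo "TF_VAR_region=${UDS_REGION}" >> $GITHUB_ENV
          echo "TF_VAR_name=uds-ci-${{ matrix.flavor }}-${SHA:0:7}" >> $GITHUB_ENV
          echo "TF_VAR_permissions_boundary_name=${UDS_PERMISSIONS_BOUNDARY_NAME}" >> $GITHUB_ENV
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      # Only relevant when a caller invoked this workflow from a pull_request event. On the
      # schedule trigger github.event.pull_request is absent, the condition is false and the
      # step is skipped.
      - name: Check renovate readiness
        if: startsWith(github.event.pull_request.head.ref, 'renovate/') # Only call for Renovate PRs
        uses: ./.github/actions/renovate-readiness
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
      # Short-lived AWS credentials obtained via OIDC; no long-lived access keys are stored.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6
        with:
          role-to-assume: ${{ secrets.AWS_GOVCLOUD_ROLE_TO_ASSUME }}
          # The session name is what CloudTrail records for every API call this job makes.
          # github.job is populated for every job, so the earlier fallback chain
          # (github.job || client_payload sha || github.sha) effectively always produced the
          # constant "test-eks-install" and no run or matrix leg could be told apart in the
          # audit trail. Keeping the job id as the prefix and appending flavor and run id makes
          # each leg attributable while staying within the 64-char / [\w+=,.@-] limit.
          role-session-name: ${{ github.job }}-${{ matrix.flavor }}-${{ github.run_id }}
          aws-region: ${{ env.UDS_REGION }}
          # 2-hour credential lifetime. NOTE(review): the per-step timeouts below already add up
          # to 145 minutes (60+5+40+10+30) before counting the untimed steps, so a slow run can
          # reach the teardown steps with expired credentials and leave the cluster behind.
          # Raising this value also requires the role's MaxSessionDuration to allow it.
          role-duration-seconds: 7200
      # Registry credentials are passed only to the flavor that needs them; the other legs get
      # an empty string so no unnecessary secret reaches the setup action.
      - name: Environment setup
        uses: ./.github/actions/setup
        with:
          ghToken: ${{ secrets.GITHUB_TOKEN }}
          registry1Username: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_USERNAME || '' }}
          registry1Password: ${{ (matrix.flavor == 'registry1') && secrets.IRON_BANK_ROBOT_PASSWORD || '' }}
          chainguardIdentity: ${{ (matrix.flavor == 'unicorn') && secrets.CHAINGUARD_IDENTITY || '' }}
      - name: Setup Tofu
        uses: opentofu/setup-opentofu@fc711fa910b93cba0f3fbecaafc9f42fd0c411cb # v2.0.0
        with:
          # renovate: datasource=github-tags depName=opentofu/opentofu extractVersion=^v?(?<version>.*)$
          tofu_version: 1.11.6
          tofu_wrapper: false
      # SBOM generation is skipped here; this package is only deployed to the throwaway test
      # cluster created below and is not what ships to users.
      - name: Create UDS Core Package
        run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package --no-progress --with create_options="--skip-sbom" --set FLAVOR=${{ matrix.flavor }}
      - name: Create Core Bundle
        run: uds create .github/bundles/eks --confirm -a amd64
      - name: Create Cluster
        run: uds run -f tasks/iac.yaml create-iac --no-progress --set K8S_DISTRO=eks --set CLOUD=aws
        timeout-minutes: 60
      - name: Get Kubeconfig
        run: uds run -f tasks/iac.yaml eks-get-kubeconfig --no-progress
        timeout-minutes: 5
      - name: Setup GP3 Storage Class
        run: uds run -f tasks/utils.yaml eks-storageclass-setup --no-progress
      - name: Wait for cluster ready
        run: uds run -f tasks/iac.yaml cluster-ready --no-progress
      - name: Deploy Core Bundle
        env:
          UDS_CONFIG: .github/bundles/eks/uds-config.yaml
        run: uds deploy .github/bundles/eks/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm
        timeout-minutes: 40
      - name: Test UDS Core
        run: uds run -f tasks/test.yaml uds-core-non-k3d
      # Diagnostics and cleanup below run regardless of earlier outcome.
      - name: Debug Output
        if: always()
        uses: ./.github/actions/debug-output
      - name: Save logs
        if: always()
        uses: ./.github/actions/save-logs
        with:
          suffix: -eks-${{ matrix.flavor }}
          distro: "eks"
      # Both cleanup steps are continue-on-error so that a failed removal cannot hide the real
      # test result. The flip side is that a failed teardown does not fail the job: an orphaned
      # cluster is then visible only in this step's log, so watch these steps on green runs too.
      - name: Remove UDS Core
        if: always()
        run: uds remove .github/bundles/eks/uds-bundle-uds-core-eks-*.tar.zst --confirm
        timeout-minutes: 10
        continue-on-error: true
      - name: Teardown EKS cluster
        if: always()
        run: uds run -f tasks/iac.yaml destroy-iac --no-progress --set K8S_DISTRO=eks --set CLOUD=aws
        timeout-minutes: 30
        continue-on-error: true
      # Alert only for the scheduled run; callers of workflow_call handle their own reporting.
      - name: Send Slack notification
        if: failure() && github.event_name == 'schedule'
        uses: ./.github/actions/slack-alert
        with:
          webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
          channel: ${{ vars.SLACK_ALERT_CHANNEL }}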