Modifies integration tests to be runnable outside of AWS (#667)

This patch reworks the test and CI system for integration tests to make the
execution of the tests more platform agnostic. A system to manage and inject
credentials is added that makes the tests runnable outside of an AWS context,
and substantial adaptations are made to the test setup and runtime to
make them run on a pure github action or linux environment.

Co-authored-by: Bennett Sala <[email protected]>

Author: BennettJames

.github/actions/integration-test/action.yaml

@@ -0,0 +1,78 @@
+name: "Run Integration Test"
+description: "Runs integration tests in a kinD cluster on a github action"
+
+inputs:
+  aws_role:
+    description: "role to acquire from aws"
+    required: true
+  vpc_id:
+    description: "aws vpc id to use for the test"
+    required: true
+  account_id:
+    description: "aws account id to use"
+    required: true
+  cluster_name:
+    description: "name of the test cluster"
+    required: false
+    default: "test-cluster"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install Go 1.17
+      uses: actions/setup-go@v3
+      with:
+        go-version: '1.17.*'
+      id: go
+
+    - name: Setup Test Tools
+      shell: bash
+      run: |
+        export GOBIN=/usr/local/bin/
+
+        mkdir -vp ~/.docker/cli-plugins/
+        curl -sL -o ~/.docker/cli-plugins/docker-buildx "https://github.com/docker/buildx/releases/download/v0.3.0/buildx-v0.3.0.linux-amd64"
+        chmod a+x ~/.docker/cli-plugins/docker-buildx
+
+        curl -L -o kubebuilder.tar.gz "https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.1/kubebuilder_2.3.1_linux_amd64.tar.gz"
+        tar xzf kubebuilder.tar.gz
+        sudo mv "kubebuilder_2.3.1_linux_amd64" /usr/local/kubebuilder
+        export PATH=$PATH:/usr/local/kubebuilder/bin
+
+        curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
+        chmod 700 get_helm.sh
+        ./get_helm.sh
+
+        ./scripts/install-controller-gen.sh
+        ./scripts/install-kubectl.sh
+        go install sigs.k8s.io/kustomize/kustomize/v4@latest
+
+        go mod download
+        go install github.com/onsi/ginkgo/[email protected]
+
+    - name: Run Unit Tests
+      shell: bash
+      run: |
+        make test
+
+    - name: Configure AWS Credentials (build)
+      uses: aws-actions/configure-aws-credentials@v1-node16
+      with:
+        aws-region: us-west-2
+        role-to-assume: ${{ inputs.aws_role }}
+        role-session-name: IntegrationTest
+
+    - name: Setup Kind
+      uses: engineerd/[email protected]
+      with:
+        version: "v0.17.0"
+        name: "${{ inputs.cluster_name }}"
+
+    - name: Run Integration Tests
+      shell: bash
+      env:
+        VPC_ID: "${{ inputs.vpc_id }}"
+        AWS_ACCOUNT_ID: "${{ inputs.account_id }}"
+        CLUSTER_NAME: "${{ inputs.cluster_name }}"
+      run: |
+        KUBECONFIG="${HOME}/.kube/config" ./scripts/test-with-kind.sh

.github/workflows/beta-release.yaml

@@ -7,85 +7,57 @@ on:
         required: true
 
 permissions:
+  id-token: write
   contents: read
 
+env:
+  IMAGE_HOST: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com"
+  IMAGE: "${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com/amazon/appmesh-controller"
+  IMAGE_TAG: "${{ github.event.inputs.tag }}"
+  IMAGE_TAG_AMD: "${{ github.event.inputs.tag }}-linux_amd64"
+  IMAGE_TAG_ARM: "${{ github.event.inputs.tag }}-linux_arm64"
+
 jobs:
-  build:
-    name: integration-test
-    runs-on: [ self-hosted, aws-app-mesh-controller-for-k8s, X64 ]
+  integration-test:
+    name: Integration Test
+    runs-on: ubuntu-22.04
     steps:
-      - name: clean work dir from previous runs
-        run: |
-          rm -rf *
-      - name: setup go 1.17
-        uses: actions/setup-go@v3
-        with:
-          go-version: '1.17.*'
-        id: go
-      - name: setup environment
-        run: |
-          source ~/.bashrc
-      - name: checkout code
-        uses: actions/checkout@v2
+      - name: Checkout Code
+        uses: actions/checkout@v3
         with:
           ref: refs/tags/${{ github.event.inputs.tag }}
-      - name: setup kind and run integration tests
-        run: VERSION=${{ github.event.inputs.tag }} make integration-test
-      - name: cleanup all the kind clusters
-        run: VERSION=${{ github.event.inputs.tag }} make delete-all-kind-clusters
-  build-arm64:
-    name: build-arm64
-    runs-on: [ self-hosted, aws-app-mesh-controller-for-k8s, ARM64 ]
+      - name: Run integration test action
+        uses: ./.github/actions/integration-test
+        with:
+          aws_role: "${{ secrets.BETA_TEST_AWS_ROLE }}"
+          vpc_id: "${{ secrets.INTEG_TEST_VPC }}"
+          account_id: "${{ secrets.BETA_AWS_ACCOUNT }}"
+
+  push-images:
+    name: Build And Push Images
+    runs-on: ubuntu-22.04
+    needs: [ integration-test ]
     steps:
-      - name: clean work dir from previous runs
+      - name: Clean
         run: |
           rm -rf *
-      - name: setup go 1.17
-        uses: actions/setup-go@v3
-        with:
-          go-version: '1.17.*'
-        id: go
-      - name: setup environment
-        run: |
-          source ~/.bashrc
-      - name: checkout code
-        uses: actions/checkout@v2
+      - name: Checkout Code
+        uses: actions/checkout@v3
         with:
           ref: refs/tags/${{ github.event.inputs.tag }}
-      - name: build for arm64
-        run: |
-          docker buildx build --platform linux/arm64 -t ${{ secrets.CI_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com/amazon/appmesh-controller:${{ github.event.inputs.tag }}-linux_arm64 . --load
-          aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin ${{ secrets.CI_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com
-          docker push ${{ secrets.CI_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com/amazon/appmesh-controller:${{ github.event.inputs.tag }}-linux_arm64
-  beta-release:
-    name: beta-release
-    runs-on: ubuntu-18.04
-    needs: [ build, build-arm64 ]
-    permissions:
-      id-token: write
-      contents: read
-    steps:
-      - name: Configure AWS Credentials (build)
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-region: us-west-2
-          role-to-assume: ${{ secrets.CI_AWS_ROLE }}
-          role-session-name: ControllerBetaRelease
-      - name: Pull docker image
-        run: |
-          aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin ${{ secrets.CI_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com
-          docker pull ${{ secrets.CI_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com/amazon/appmesh-controller:${{ github.event.inputs.tag }}
-          docker pull ${{ secrets.CI_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com/amazon/appmesh-controller:${{ github.event.inputs.tag }}-linux_arm64
-      - name: Configure AWS Credentials (beta)
-        uses: aws-actions/configure-aws-credentials@v1
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1-node16
         with:
           aws-region: us-west-2
           role-to-assume: ${{ secrets.BETA_AWS_ROLE }}
-          role-session-name: ControllerBetaRelease
-      - name: Push docker image
+          role-session-name: ImagePusher
+
+      - name: Build Images
         run: |
-          aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin ${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com
-          docker tag ${{ secrets.CI_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com/amazon/appmesh-controller:${{ github.event.inputs.tag }} ${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com/amazon/appmesh-controller:${{ github.event.inputs.tag }}
-          docker tag ${{ secrets.CI_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com/amazon/appmesh-controller:${{ github.event.inputs.tag }}-linux_arm64 ${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com/amazon/appmesh-controller:${{ github.event.inputs.tag }}-linux_arm64
-          docker push ${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com/amazon/appmesh-controller:${{ github.event.inputs.tag }}
-          docker push ${{ secrets.BETA_AWS_ACCOUNT }}.dkr.ecr.us-west-2.amazonaws.com/amazon/appmesh-controller:${{ github.event.inputs.tag }}-linux_arm64
+          aws ecr get-login-password --region us-west-2 | \
+            docker login --username AWS --password-stdin $IMAGE_HOST
+          # Note: right now, this pushes the amd image under the default. This
+          # behavior should be changed to supporting multiarch shortly.
+          docker buildx build --platform linux/amd64 -t "${IMAGE}:${IMAGE_TAG}" . --push
+          docker buildx build --platform linux/arm64 -t "${IMAGE}:${IMAGE_TAG_ARM}" . --push

.github/workflows/integration-test.yaml

@@ -5,32 +5,19 @@ on:
       - master
 
 permissions:
+  id-token: write
   contents: read
 
 jobs:
-  build:
-    name: integration-test
-    runs-on: [self-hosted, aws-app-mesh-controller-for-k8s, X64 ]
+  integration-test:
+    name: Integration Test
+    runs-on: ubuntu-22.04
     steps:
-      - name: clean work dir from previous runs
-        run: |
-          rm -rf *
-      - name: setup go 1.17
-        uses: actions/setup-go@v3
+      - name: Checkout Code
+        uses: actions/checkout@v3
+      - name: Run integration test action
+        uses: ./.github/actions/integration-test
         with:
-          go-version: '1.17.*'
-        id: go
-      - name: setup environment
-        run: |
-          source ~/.bashrc
-      - name: checkout code
-        uses: actions/checkout@v2
-      - name: setup kind and run integration tests
-        run: make integration-test
-  cleanup:
-    runs-on: [self-hosted, aws-app-mesh-controller-for-k8s, X64]
-    if: ${{ always() }}
-    needs: [build]
-    steps:
-      - name: delete kind clusters
-        run: make delete-all-kind-clusters
+          aws_role: "${{ secrets.BETA_TEST_AWS_ROLE }}"
+          vpc_id: "${{ secrets.INTEG_TEST_VPC }}"
+          account_id: "${{ secrets.BETA_AWS_ACCOUNT }}"

Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:experimental
 
 # Build the controller binary
-FROM --platform=${TARGETPLATFORM} golang:1.17 as builder
+FROM --platform=${BUILDPLATFORM} golang:1.17 as builder
 
 WORKDIR /workspace
 
@@ -15,7 +15,13 @@ ENV GOPROXY=${GOPROXY}
 
 RUN go mod download
 
-COPY . ./
+COPY ./main.go ./ATTRIBUTION.txt ./
+COPY .git/ ./.git/
+COPY pkg/ ./pkg/
+COPY apis/ ./apis/
+COPY controllers/ ./controllers/
+COPY mocks/ ./mocks/
+COPY webhooks/ ./webhooks/
 
 ARG TARGETOS
 ARG TARGETARCH

config/helm/appmesh-controller/templates/deployment.yaml

@@ -74,6 +74,9 @@ spec:
         - --envoy-admin-access-enable-ipv6={{ .Values.sidecar.envoyAdminAccessEnableIPv6 }}
         - --dual-stack-endpoint={{ .Values.sidecar.useDualStackEndpoint }}
         - --fips-endpoint={{ .Values.sidecar.useFipsEndpoint }}
+        - --envoy-aws-access-key-id={{ .Values.sidecar.envoyAwsAccessKeyId }}
+        - --envoy-aws-secret-access-key={{ .Values.sidecar.envoyAwsSecretAccessKey }}
+        - --envoy-aws-session-token={{ .Values.sidecar.envoyAwsSessionToken }}
         - --preview={{ .Values.preview }}
         - --enable-sds={{ .Values.sds.enabled }}
         - --sds-uds-path={{ .Values.sds.udsPath }}

pkg/inject/config.go

@@ -33,6 +33,10 @@ const (
 	flagWaitUntilProxyReady        = "wait-until-proxy-ready"
 	flagFipsEndpoint               = "fips-endpoint"
 
+	flagEnvoyAwsAccessKeyId     = "envoy-aws-access-key-id"
+	flagEnvoyAwsSecretAccessKey = "envoy-aws-secret-access-key"
+	flagEnvoyAwsSessionToken    = "envoy-aws-session-token"
+
 	flagInitImage  = "init-image"
 	flagIgnoredIPs = "ignored-ips"
 
@@ -91,6 +95,10 @@ type Config struct {
 	WaitUntilProxyReady        bool
 	FipsEndpoint               bool
 
+	EnvoyAwsAccessKeyId     string
+	EnvoyAwsSecretAccessKey string
+	EnvoyAwsSessionToken    string
+
 	// Init container settings
 	InitImage  string
 	IgnoredIPs string
@@ -210,6 +218,12 @@ func (cfg *Config) BindFlags(fs *pflag.FlagSet) {
 	fs.BoolVar(&cfg.WaitUntilProxyReady, flagWaitUntilProxyReady, false,
 		"Enable pod postStart hook to delay application startup until proxy is ready to accept traffic")
 	fs.BoolVar(&cfg.FipsEndpoint, flagFipsEndpoint, false, "Use Fips Endpoint")
+	fs.StringVar(&cfg.EnvoyAwsAccessKeyId, flagEnvoyAwsAccessKeyId, "",
+		"Access key for envoy container (for integration testing)")
+	fs.StringVar(&cfg.EnvoyAwsSecretAccessKey, flagEnvoyAwsSecretAccessKey, "",
+		"Secret access key for envoy container (for integration testing)")
+	fs.StringVar(&cfg.EnvoyAwsSessionToken, flagEnvoyAwsSessionToken, "",
+		"Session token for envoy container (for integration testing)")
 }
 
 func (cfg *Config) BindEnv() error {

pkg/inject/envoy.go

@@ -53,6 +53,9 @@ type envoyMutatorConfig struct {
 	useDualStackEndpoint       bool
 	enableAdminAccessIPv6      bool
 	useFipsEndpoint            bool
+	awsAccessKeyId             string
+	awsSecretAccessKey         string
+	awsSessionToken            string
 }
 
 func newEnvoyMutator(mutatorConfig envoyMutatorConfig, ms *appmesh.Mesh, vn *appmesh.VirtualNode) *envoyMutator {
@@ -169,6 +172,9 @@ func (m *envoyMutator) buildTemplateVariables(pod *corev1.Pod) EnvoyTemplateVari
 		EnableAdminAccessForIpv6: m.mutatorConfig.enableAdminAccessIPv6,
 		WaitUntilProxyReady:      m.mutatorConfig.waitUntilProxyReady,
 		UseFipsEndpoint:          useFipsEndpoint,
+		AwsAccessKeyId:           m.mutatorConfig.awsAccessKeyId,
+		AwsSecretAccessKey:       m.mutatorConfig.awsSecretAccessKey,
+		AwsSessionToken:          m.mutatorConfig.awsSessionToken,
 	}
 }
 

pkg/inject/inject.go

@@ -153,6 +153,9 @@ func (m *SidecarInjector) injectAppMeshPatches(ms *appmesh.Mesh, vn *appmesh.Vir
 				postStartTimeout:           m.config.PostStartTimeout,
 				postStartInterval:          m.config.PostStartInterval,
 				useFipsEndpoint:            m.config.FipsEndpoint,
+				awsAccessKeyId:             m.config.EnvoyAwsAccessKeyId,
+				awsSecretAccessKey:         m.config.EnvoyAwsSecretAccessKey,
+				awsSessionToken:            m.config.EnvoyAwsSessionToken,
 			}, ms, vn),
 			newXrayMutator(xrayMutatorConfig{
 				awsRegion:             m.awsRegion,
@@ -206,6 +209,9 @@ func (m *SidecarInjector) injectAppMeshPatches(ms *appmesh.Mesh, vn *appmesh.Vir
 			useDualStackEndpoint:       m.config.DualStackEndpoint,
 			enableAdminAccessIPv6:      m.config.EnvoyAdminAccessEnableIPv6,
 			useFipsEndpoint:            m.config.FipsEndpoint,
+			awsAccessKeyId:             m.config.EnvoyAwsAccessKeyId,
+			awsSecretAccessKey:         m.config.EnvoyAwsSecretAccessKey,
+			awsSessionToken:            m.config.EnvoyAwsSessionToken,
 		}, ms, vg),
 			newXrayMutator(xrayMutatorConfig{
 				awsRegion:             m.awsRegion,

pkg/inject/sidecar_builder.go

@@ -51,6 +51,9 @@ type EnvoyTemplateVariables struct {
 	UseDualStackEndpoint     string
 	WaitUntilProxyReady      bool
 	UseFipsEndpoint          string
+	AwsAccessKeyId           string
+	AwsSecretAccessKey       string
+	AwsSessionToken          string
 }
 
 func updateEnvMapForEnvoy(vars EnvoyTemplateVariables, env map[string]string, vname string) error {
@@ -60,6 +63,18 @@ func updateEnvMapForEnvoy(vars EnvoyTemplateVariables, env map[string]string, vn
 	env["APPMESH_VIRTUAL_NODE_NAME"] = vname
 	env["AWS_REGION"] = vars.AWSRegion
 
+	// For usage outside traditional EC2 / Fargate IAM based profiles, this is needed to
+	// propagate permissions to envoy. This is a rare use-case that's mostly just for testing.
+	if len(vars.AwsAccessKeyId) > 0 {
+		env["AWS_ACCESS_KEY_ID"] = vars.AwsAccessKeyId
+	}
+	if len(vars.AwsSecretAccessKey) > 0 {
+		env["AWS_SECRET_ACCESS_KEY"] = vars.AwsSecretAccessKey
+	}
+	if len(vars.AwsSessionToken) > 0 {
+		env["AWS_SESSION_TOKEN"] = vars.AwsSessionToken
+	}
+
 	env["ENVOY_ADMIN_ACCESS_ENABLE_IPV6"] = strconv.FormatBool(vars.EnableAdminAccessForIpv6)
 
 	env["APPMESH_DUALSTACK_ENDPOINT"] = vars.UseDualStackEndpoint