adding openid connect provider to enable irsa feature #2226
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This is only workflow that requires cloud credentials and therefore will not run on PRs coming from forks. | |
| name: "Test Nebari Provider" | |
| on: | |
| schedule: | |
| - cron: "0 3 * * *" | |
| pull_request: | |
| paths: | |
| - ".github/workflows/test-provider.yaml" | |
| - ".github/failed-workflow-issue-templates/test-provider.md" | |
| - ".github/actions/publish-from-template" | |
| - "tests/**" | |
| - "scripts/**" | |
| - "src/**" | |
| - "pyproject.toml" | |
| push: | |
| branches: | |
| - main | |
| - develop | |
| - release/\d{4}.\d{1,2}.\d{1,2} | |
| paths: | |
| - ".github/workflows/test-provider.yaml" | |
| - "tests/**" | |
| - "scripts/**" | |
| - "src/**" | |
| - "pyproject.toml" | |
| workflow_call: | |
| inputs: | |
| pr_number: | |
| required: true | |
| type: string | |
| jobs: | |
| test-render-providers: | |
| # avoid running on PRs coming from a fork | |
| if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request' | |
| name: "Test Nebari Provider" | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: read | |
| pull-requests: write | |
| strategy: | |
| matrix: | |
| provider: | |
| - aws | |
| - azure | |
| - do | |
| - gcp | |
| - local | |
| - existing | |
| cicd: | |
| - none | |
| - github-actions | |
| - gitlab-ci | |
| fail-fast: false | |
| steps: | |
| - name: "Checkout Infrastructure" | |
| uses: actions/checkout@v3 | |
| - name: Checkout the branch from the PR that triggered the job | |
| if: ${{ github.event_name == 'issue_comment' }} | |
| run: hub pr checkout ${{ inputs.pr_number }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: 3.8 | |
| - name: Retrieve secret from Vault | |
| uses: hashicorp/vault-action@v2.5.0 | |
| with: | |
| method: jwt | |
| url: "https://quansight-vault-public-vault-b2379fa7.d415e30e.z1.hashicorp.cloud:8200" | |
| namespace: "admin/quansight" | |
| role: "repository-nebari-dev-nebari-role" | |
| secrets: | | |
| kv/data/repository/nebari-dev/nebari/amazon_web_services/nebari-dev-ci role_name | AWS_ROLE_ARN; | |
| kv/data/repository/nebari-dev/nebari/google_cloud_platform/nebari-dev-ci/github-nebari-dev-repo-ci project_id | PROJECT_ID; | |
| kv/data/repository/nebari-dev/nebari/google_cloud_platform/nebari-dev-ci/github-nebari-dev-repo-ci workload_identity_provider | GCP_WORKFLOW_PROVIDER; | |
| kv/data/repository/nebari-dev/nebari/google_cloud_platform/nebari-dev-ci/github-nebari-dev-repo-ci service_account_name | GCP_SERVICE_ACCOUNT; | |
| kv/data/repository/nebari-dev/nebari/azure/nebari-dev-ci/github-nebari-dev-repo-ci client_id | ARM_CLIENT_ID; | |
| kv/data/repository/nebari-dev/nebari/azure/nebari-dev-ci/github-nebari-dev-repo-ci tenant_id | ARM_TENANT_ID; | |
| kv/data/repository/nebari-dev/nebari/azure/nebari-dev-ci/github-nebari-dev-repo-ci subscription_id | ARM_SUBSCRIPTION_ID; | |
| kv/data/repository/nebari-dev/nebari/shared_secrets DIGITALOCEAN_TOKEN | DIGITALOCEAN_TOKEN; | |
| kv/data/repository/nebari-dev/nebari/shared_secrets SPACES_ACCESS_KEY_ID | SPACES_ACCESS_KEY_ID; | |
| kv/data/repository/nebari-dev/nebari/shared_secrets SPACES_SECRET_ACCESS_KEY | SPACES_SECRET_ACCESS_KEY; | |
| - name: 'Authenticate to GCP' | |
| if: ${{ matrix.provider == 'gcp' }} | |
| uses: 'google-github-actions/auth@v1' | |
| with: | |
| token_format: access_token | |
| create_credentials_file: 'true' | |
| workload_identity_provider: ${{ env.GCP_WORKFLOW_PROVIDER }} | |
| service_account: ${{ env.GCP_SERVICE_ACCOUNT }} | |
| - name: Set required environment variables | |
| if: ${{ matrix.provider == 'gcp' }} | |
| run: | | |
| echo "GOOGLE_CREDENTIALS=${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" >> $GITHUB_ENV | |
| - name: 'Authenticate to AWS' | |
| if: ${{ matrix.provider == 'aws' }} | |
| uses: aws-actions/configure-aws-credentials@v1 | |
| with: | |
| role-to-assume: ${{ env.AWS_ROLE_ARN }} | |
| role-session-name: github-action | |
| aws-region: us-east-1 | |
| - name: 'Azure login' | |
| if: ${{ matrix.provider == 'azure' }} | |
| uses: azure/login@v1 | |
| with: | |
| client-id: ${{ env.ARM_CLIENT_ID }} | |
| tenant-id: ${{ env.ARM_TENANT_ID }} | |
| subscription-id: ${{ env.ARM_SUBSCRIPTION_ID }} | |
| - name: Install Nebari | |
| run: | | |
| pip install --upgrade pip | |
| pip install .[dev] | |
| - name: Nebari Initialize | |
| run: | | |
| nebari init "${{ matrix.provider }}" --project "TestProvider" --domain "${{ matrix.provider }}.nebari.dev" --auth-provider password --disable-prompt --ci-provider ${{ matrix.cicd }} | |
| cat "nebari-config.yaml" | |
| - name: Nebari Render | |
| run: | | |
| nebari render -c "nebari-config.yaml" -o "nebari-${{ matrix.provider }}-${{ matrix.cicd }}-deployment" | |
| cp "nebari-config.yaml" "nebari-${{ matrix.provider }}-${{ matrix.cicd }}-deployment/nebari-config.yaml" | |
| - name: Nebari Render Artifact | |
| uses: actions/upload-artifact@master | |
| with: | |
| name: "nebari-${{ matrix.provider }}-${{ matrix.cicd }}-artifact" | |
| path: "nebari-${{ matrix.provider }}-${{ matrix.cicd }}-deployment" | |
| - if: failure() || github.event_name == 'pull_request' | |
| name: Publish information from template | |
| uses: ./.github/actions/publish-from-template | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PROVIDER: ${{ matrix.provider }} | |
| CICD: ${{ matrix.cicd }} | |
| with: | |
| filename: .github/failed-workflow-issue-templates/test-provider.md |