
Commit 2ee3e08

miledxzsjberman
andcommitted
NFR: Add convenience script and update workflow token (nginx#1639)
* Add convenience script and update workflow token --------- Co-authored-by: Saylor Berman <s.berman@f5.com>
1 parent 8860174 commit 2ee3e08


5 files changed

+34
-2
lines changed


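--- a/.github/workflows/nfr.yml
+++ b/.github/workflows/nfr.yml
@@ -41,6 +41,7 @@ jobs:
 permissions:
 contents: write # needed for opening PR with the results files
 pull-requests: write # needed for opening PR with the results files
+id-token: write # needed for authenticating to GCP
 
 steps:
 - name: Checkout Repository
@@ -132,7 +133,7 @@ jobs:
 - name: Create GKE cluster
 working-directory: ./tests
 run:
-make create-gke-cluster
+make create-gke-cluster CI=true
 
 - name: Create and setup VM
 working-directory: ./tests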
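Review bot: The added `id-token: write` sits in the same job-level `permissions` block as `contents: write` and `pull-requests: write`, so every step in this job can request an OIDC token for GCP while also holding repository write access. The job definition and the authentication step are outside this hunk, so the following is inferred rather than observed: it is worth confirming that the GCP workload identity provider only accepts tokens from this repository and the intended refs, and that actions used in the job are pinned. The comment could also name the consumer, e.g. `id-token: write # needed for OIDC authentication to GCP (<auth step name>)`.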

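--- a/tests/Makefile
+++ b/tests/Makefile
@@ -12,6 +12,7 @@ GW_SVC_GKE_INTERNAL=false
 GINKGO_LABEL=
 GINKGO_FLAGS=
 NGF_VERSION=
+CI=false
 
 ifneq ($(GINKGO_LABEL),)
 override GINKGO_FLAGS += -ginkgo.label-filter "$(GINKGO_LABEL)"
@@ -86,8 +87,12 @@ cleanup-gcp: cleanup-router cleanup-vm delete-gke-cluster ## Cleanup all GCP res
 
 .PHONY: create-gke-cluster
 create-gke-cluster: ## Create a GKE cluster
-bash scripts/create-gke-cluster.sh
+bash scripts/create-gke-cluster.sh $(CI)
 
 .PHONY: delete-gke-cluster
 delete-gke-cluster: ## Delete the GKE cluster
 bash scripts/delete-gke-cluster.sh
+
+.PHONY: add-local-ip-to-cluster
+add-local-ip-to-cluster: ## Add local IP to the GKE cluster master-authorized-networks
+bash scripts/add-local-ip-to-cluster.sh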
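Review bot: The new `add-local-ip-to-cluster` recipe runs `scripts/add-local-ip-to-cluster.sh`, but the second hunk of tests/scripts/create-gke-cluster.sh invokes `${SCRIPT_DIR}/add-local-ip-auth-networks.sh`. The commit appears to add only one new script, so one of these two paths likely points at a file that does not exist. Both call sites should use the real file name, for example `bash scripts/add-local-ip-auth-networks.sh` here if that is the script being added. Separately, `$(CI)` is passed to the shell unquoted; `bash scripts/create-gke-cluster.sh "$(CI)"` keeps an unexpected command-line value from being word-split into extra arguments.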

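--- a/tests/README.md
+++ b/tests/README.md
@@ -37,6 +37,7 @@ make
 ```
 
 ```text
+add-local-ip-to-cluster Add local IP to the GKE cluster master-authorized-networks
 build-images-with-plus Build NGF and NGINX Plus images
 build-images Build NGF and NGINX images
 cleanup-gcp Cleanup all GCP resources
@@ -101,6 +102,15 @@ and `GKE_NODES_SERVICE_ACCOUNT` needs to be the name of a service account that h
 make create-gke-cluster
 ```
 
+> Note: The GKE cluster is created with `master-authorized-networks`, meaning only IPs from explicitly allowed CIDR ranges
+> will be able to access the cluster. The script will automatically add your current IP to the authorized list, but if
+> your IP changes, you can add your new local IP to the `master-authorized-networks` of the cluster by running the
+> following:
+
+```makefile
+make add-local-ip-to-cluster
+```
+
 ## Step 2 - Build and Load Images
 
 Loading the images only applies to a `kind` cluster. If using a cloud provider, you will need to tag and push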
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
#!/bin/bash
2+
3+
source scripts/vars.env
4+
5+
CURRENT_AUTH_NETWORK=$(gcloud container clusters describe ${GKE_CLUSTER_NAME} --zone=${GKE_CLUSTER_ZONE} \
6+
--format="value(masterAuthorizedNetworksConfig.cidrBlocks[0])" | sed 's/cidrBlock=//')
7+
8+
gcloud container clusters update ${GKE_CLUSTER_NAME} --zone=${GKE_CLUSTER_ZONE} --enable-master-authorized-networks --master-authorized-networks=${SOURCE_IP_RANGE},${CURRENT_AUTH_NETWORK}
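Review bot: Only `cidrBlocks[0]` is read back before the update, and the list passed to `--master-authorized-networks` is built from that single entry plus `${SOURCE_IP_RANGE}`. Any other CIDR ranges already authorized on the control plane therefore appear to be dropped on each run, and which entry survives depends on the order `describe` returns. There is also no failure handling: if the `describe` call fails or prints nothing, the update still runs with an empty list element, and an unset `SOURCE_IP_RANGE` goes unnoticed. Consider `set -euo pipefail` after the shebang, reading all existing blocks rather than the first, and quoting the expansions, e.g. `--master-authorized-networks="${SOURCE_IP_RANGE},${CURRENT_AUTH_NETWORK}"`. A short comment stating that `SOURCE_IP_RANGE` comes from `scripts/vars.env` and is expected to be a narrow range would help readers judge what is being allowed.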

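--- a/tests/scripts/create-gke-cluster.sh
+++ b/tests/scripts/create-gke-cluster.sh
@@ -4,6 +4,8 @@ source scripts/vars.env
 
 ip_random_digit=$((1 + $RANDOM % 250))
 
+IS_CI=${1:-false}
+
 gcloud container clusters create ${GKE_CLUSTER_NAME} \
 --project ${GKE_PROJECT} \
 --zone ${GKE_CLUSTER_ZONE} \
@@ -13,3 +15,9 @@ gcloud container clusters create ${GKE_CLUSTER_NAME} \
 --enable-private-nodes \
 --master-ipv4-cidr 172.16.${ip_random_digit}.32/28 \
 --metadata=block-project-ssh-keys=TRUE
+
+# Add current IP to GKE master control node access, if this script is not invoked during a CI run.
+if [ "${IS_CI}" = "false" ]; then
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+bash ${SCRIPT_DIR}/add-local-ip-auth-networks.sh
+fi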
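Review bot: The added block changes the cluster's authorized networks without checking that the preceding `gcloud container clusters create` succeeded. No `set -e` is visible here (the top of the script is outside the hunk), so a failed create would fall through to an update against a missing or already existing cluster of the same name. Consider `set -euo pipefail` near the top, or guard the block on the create command's exit status. `${SCRIPT_DIR}` is also expanded unquoted; `bash "${SCRIPT_DIR}/add-local-ip-auth-networks.sh"` is safe for checkout paths containing spaces. The called script still does `source scripts/vars.env` relative to the working directory, so resolving `SCRIPT_DIR` does not by itself make the call independent of where it is run from.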
