Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update credential precedence in bicepconfig.json #7803

Merged
merged 8 commits into from
Aug 13, 2024
Merged

Update credential precedence in bicepconfig.json #7803

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
a77b24a
update credential precedence
sk593 Aug 12, 2024
3a8df14
testing publish to acr
sk593 Aug 12, 2024
f62e9cb
add temp bicepconfig to validate bicep
sk593 Aug 12, 2024
ad17b1d
nit
sk593 Aug 12, 2024
850243a
update cloud workflow
sk593 Aug 12, 2024
45a446e
nit
sk593 Aug 12, 2024
b2581bb
nit
sk593 Aug 12, 2024
0f85d87
nit
sk593 Aug 12, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
101 changes: 59 additions & 42 deletions .github/workflows/functional-test-cloud.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -314,6 +314,64 @@ jobs:
append: true
message: |
:hourglass: Publishing Bicep Recipes for functional tests...
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moving this into the build job so we make sure to upload any bicep changes before pushing recipes

- name: Setup Node.js
uses: actions/setup-node@v2
with:
node-version: '18'

- name: Generate Bicep extensibility types from OpenAPI specs
run: |
make generate-bicep-types VERSION=${{ env.REL_VERSION == 'edge' && 'latest' || env.REL_VERSION }}
- name: Upload Radius Bicep types artifacts
uses: actions/upload-artifact@v4
with:
name: radius_bicep_types_cloud
path: ./hack/bicep-types-radius/generated
if-no-files-found: error

- name: 'Login via Azure CLI'
uses: azure/login@v2
with:
client-id: ${{ secrets.BICEPTYPES_CLIENT_ID }}
tenant-id: ${{ secrets.BICEPTYPES_TENANT_ID }}
subscription-id: ${{ secrets.BICEPTYPES_SUBSCRIPTION_ID }}

- name: Setup and verify bicep CLI
run: |
curl -Lo bicep https://github.com/Azure/bicep/releases/latest/download/bicep-linux-x64
chmod +x ./bicep
sudo mv ./bicep /usr/local/bin/bicep
bicep --version
- name: Publish bicep types
run: |
bicep publish-extension ./hack/bicep-types-radius/generated/index.json --target br:${{ env.BICEP_TYPES_REGISTRY }}/test/radius:${{ env.REL_VERSION == 'edge' && 'latest' || env.REL_VERSION }} --force
- name: Generate test bicepconfig.json
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have of two of these in this workflow. Is this expected?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, the files dont persist between jobs so we need it in both places. the first one is part of the workaround because we need to disable azure auth before we publish the bicep test recipes (this will eventually be removed once the auth bug is fixed) and the second is so we can test against the PR versions of the types (in the event that there are bicep changes in a PR)

run: |
if [[ "${{ env.REL_VERSION }}" == "edge" ]]; then
RADIUS_VERSION="latest"
else
RADIUS_VERSION="${{ env.REL_VERSION }}"
fi
cat <<EOF > ./test/bicepconfig.json
{
"experimentalFeaturesEnabled": {
"extensibility": true,
"extensionRegistry": true,
"dynamicTypeLoading": true
},
"extensions": {
"radius": "br:${{ env.BICEP_TYPES_REGISTRY }}/test/radius:$RADIUS_VERSION",
"aws": "br:${{ env.BICEP_TYPES_REGISTRY }}/aws:latest"
},
"cloud": {
"credentialPrecedence": ["Environment"]
}
}
EOF
- name: Publish Bicep Test Recipes
run: |
Expand Down Expand Up @@ -351,50 +409,9 @@ jobs:
message: |
:x: Test recipe publishing failed
publish-test-bicep-types:
name: Publish Radius bicep types to ACR
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Parse release version and set environment variables
run: python ./.github/scripts/get_release_version.py
- name: Set up Go ${{ env.GOVER }}
uses: actions/setup-go@v5
with:
go-version: ${{ env.GOVER }}
- name: Setup Node.js
uses: actions/setup-node@v2
with:
node-version: '18'
- name: Generate Bicep extensibility types from OpenAPI specs
run: |
make generate-bicep-types VERSION=${{ env.REL_VERSION == 'edge' && 'latest' || env.REL_VERSION }}
- name: Upload Radius Bicep types artifacts
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.name }}_radius_bicep_types
path: ./hack/bicep-types-radius/generated
if-no-files-found: error
- name: 'Login via Azure CLI'
uses: azure/login@v2
with:
client-id: ${{ secrets.BICEPTYPES_CLIENT_ID }}
tenant-id: ${{ secrets.BICEPTYPES_TENANT_ID }}
subscription-id: ${{ secrets.BICEPTYPES_SUBSCRIPTION_ID }}
- name: Setup and verify bicep CLI
run: |
curl -Lo bicep https://github.com/Azure/bicep/releases/latest/download/bicep-linux-x64
chmod +x ./bicep
sudo mv ./bicep /usr/local/bin/bicep
bicep --version
- name: Publish bicep types
run: |
bicep publish-extension ./hack/bicep-types-radius/generated/index.json --target br:${{ env.BICEP_TYPES_REGISTRY }}/test/radius:${{ env.REL_VERSION == 'edge' && 'latest' || env.REL_VERSION }} --force
tests:
name: Run ${{ matrix.name }} functional tests
needs: [build, publish-test-bicep-types]
needs: [build]
if: github.event_name == 'repository_dispatch' || (github.event_name == 'schedule' && github.repository == 'radius-project/radius') || github.event_name == 'workflow_run'
strategy:
fail-fast: true
Expand Down
8 changes: 8 additions & 0 deletions .github/workflows/validate-bicep.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,14 @@ jobs:
bicep --version
- name: Check out repo
uses: actions/checkout@v4
- name: Install jq
run: sudo apt-get install -y jq
- name: Modify bicepconfig.json
run: |
# Add credential preference to the bicepconfig.json file
jq '. + {"cloud": {"credentialPrecedence": ["Environment"]}}' bicepconfig.json > tmp.json && mv tmp.json bicepconfig.json
- name: Print updated bicepconfig.json
run: cat bicepconfig.json
Comment on lines +53 to +54
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need this in production?

Copy link
Contributor Author

@sk593 sk593 Aug 12, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, this is in place of the initial workaround since there were authentication issues with the ACR even though we have anonymous pulls. The issue is that when we publish to ACR, we have to authenticate so only having "Environment" authentication removed any Azure CLI auth. Instead, we'll add the "Environment" workaround when we want to disable azure auth. Ideally, we can remove this everywhere in the repo once the bug is fixed: #7804

- name: Verify Bicep files
run: ./build/validate-bicep.sh
env:
Expand Down
3 changes: 0 additions & 3 deletions bicepconfig.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,5 @@
"extensions": {
"radius": "br:biceptypes.azurecr.io/radius:latest",
"aws": "br:biceptypes.azurecr.io/aws:latest"
},
"cloud": {
"credentialPrecedence": ["Environment"]
}
}
Loading