diff --git a/README.md b/README.md index eea4c0243..64fe77e01 100644 --- a/README.md +++ b/README.md @@ -163,6 +163,26 @@ This requires the following: The CI jobs will create and delete AKS clusters in a Resource Group called `pinniped-ci` within the provided Subscription. +## Configure AWS for CI to test on EKS + +There are several CI jobs which test that Pinniped works when installed on Amazon's EKS. +For these jobs to run, they need to be able to create and delete ephemeral EKS clusters. +There are also some jobs to cleanup any orphaned resources (e.g. IP addresses) in the AWS account. +These jobs requires the following: + +1. An active AWS account, which will only be used for this purpose. +2. Two IAM users in that account, each with a role that can be assumed. + These IAM users which should only be used for Pinniped CI and no other purpose. + They should only have permissions to perform AWS actions in the relevant AWS account, and no other account. +3. The first user and role should have permission to create and delete EKS clusters using `eksctl`. + The permissions required can be found in the [eksctl docs](https://eksctl.io/usage/minimum-iam-policies). + The user also needs permission to run `aws logs put-retention-policy`, `aws ec2 describe-nat-gateways`, + and `aws ec2 delete-nat-gateway`. +4. The second user and role should have broad permissions to get and delete everything in the account. + It will be used to run `aws-nuke` to list and/or clean resources from the AWS account. + To use `aws-nuke`, the user also needs to have an AWS account alias + (see the [cleanup-aws task](pipelines/shared-tasks/cleanup-aws/task.sh) for details). + ## Setting Up Active Directory Test Environment To test the `ActiveDirectoryIdentityProvider` functionality, we have a long-running Active Directory Domain Controller diff --git a/pipelines/shared-tasks/cleanup-aws/task.sh b/pipelines/shared-tasks/cleanup-aws/task.sh index 3cfe01838..9005dfbba 100755 
--- a/pipelines/shared-tasks/cleanup-aws/task.sh +++ b/pipelines/shared-tasks/cleanup-aws/task.sh @@ -92,4 +92,7 @@ set +o pipefail # continually send "tua-test1" to stdin to serve as a confirmation for aws-nuke. # this is done in a loop since aws-nuke uses a new buffered reader to consume # stdin each time it wants to accept input from the user. +# Note that the AWS account being used to run this tool must have an AWS account +# alias with this "tua-test1" name. See https://stackoverflow.com/a/54322848. +# If you assign the account a different alias, then you need to change it here too. (while true; do echo tua-test1; sleep 1; done) | ${cmd} diff --git a/pipelines/shared-tasks/deploy-eks-cluster/task.sh b/pipelines/shared-tasks/deploy-eks-cluster/task.sh index 6eb037dd6..f0675a5ae 100755 --- a/pipelines/shared-tasks/deploy-eks-cluster/task.sh +++ b/pipelines/shared-tasks/deploy-eks-cluster/task.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +# Copyright 2020-2025 the Pinniped contributors. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 set -euo pipefail @@ -32,6 +32,8 @@ echo "$CLUSTER_NAME" > name # The kubeconfig file becomes the value of the lock in the pool. echo "Creating $CLUSTER_NAME in $AWS_DEFAULT_REGION..." +# Note that the AWS account being used to run this command needs to have certain permissions. +# See https://eksctl.io/usage/minimum-iam-policies/ for permissions. # See https://eksctl.io/usage/schema/ for documentation of this yaml. cat <
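Review bot: In the README hunk, item 4 grants the second IAM user "broad permissions to get and delete everything in the account", so the sentence in item 1 that the account "will only be used for this purpose" is the load-bearing safety property and deserves to be stated more forcefully next to item 4, e.g. "Because `aws-nuke` deletes every resource it can see, this account must be dedicated to CI and must contain nothing else." Two grammar fixes in the same hunk: "These jobs requires the following" should read "These jobs require the following", and "These IAM users which should only be used for Pinniped CI" has a dangling "which" (drop it or rewrite as "These IAM users should only be used for Pinniped CI and no other purpose").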
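Review bot: In the cleanup-aws hunk, the new comment explains that the account alias must be "tua-test1", but it should also say why the alias matters: piping `echo tua-test1` in a loop into `${cmd}` auto-answers the confirmation that `aws-nuke` uses as its last guard against running in the wrong account, so the alias is the only remaining check that the tool is pointed at the dedicated CI account. Consider reading the expected alias from a task parameter or environment variable and failing fast if it is unset, rather than hard-coding the string in both the comment and the loop; that keeps the README's instruction ("the user also needs to have an AWS account alias") and the script's expectation from drifting apart, and the comment's last sentence ("you need to change it here too") would no longer be necessary.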
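Review bot: In the deploy-eks-cluster hunk, the added comment points only to the eksctl minimum IAM policies, but the README hunk in this same change states that the deploy user additionally needs `aws logs put-retention-policy`, `aws ec2 describe-nat-gateways` and `aws ec2 delete-nat-gateway`. Either list those extra permissions in the comment as well or reference the README section ("Configure AWS for CI to test on EKS") so there is a single authoritative list; otherwise someone provisioning the IAM role from the script's comment alone will end up with a role that is missing permissions the task needs. Minor: the README uses the URL without a trailing slash and this comment uses one; pick one form for both.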