Add IAMRA Testing

Signed-off-by: Brady Siegel <[email protected]>

Author: bmsiegel

.github/workflows/on-safe-to-test-label.yml

@@ -178,6 +178,22 @@ jobs:
         if: ${{ always() }}
         run: |
           make kind-cluster-delete
+      - name: Run test cases with IAMRA
+        if: ${{ always() }}
+        run: |
+          ./e2e/iamra-test/test.sh
+          make e2etest
+      - name: Copy Kind logs to S3
+        if: ${{ always() }}
+        run: |
+          mkdir logs-iamra-test
+          export E2E_ARTIFACTS_DIRECTORY=logs-iamra-test
+          make kind-export-logs
+          aws s3 cp --recursive logs-iamra-test s3://aws-privateca-issuer-k8s-logs-brsiegel-us-east-1/${{ needs.start-runner.outputs.ec2-instance-id }}-logs-iamra-test/
+      - name: Terminate Kind cluster
+        if: ${{ always() }}
+        run: |
+          make kind-cluster-delete
       - name: Run helm test
         if: ${{ !contains(github.event.pull_request.labels.*.name, 'chart update') && inputs.architecture != 'arm64' }}
         run: |

e2e/iamra-test/iamra-values.yaml

@@ -0,0 +1,36 @@
+serviceAccount:
+  create: false
+
+image:
+  repository: localhost:5000/aws-privateca-issuer
+  tag: latest
+  pullPolicy: Always
+
+env:
+  AWS_EC2_METADATA_SERVICE_ENDPOINT: "http://127.0.0.1:9911"
+
+extraContainers:
+  - name: "rolesanywhere-credential-helper"
+    image: "public.ecr.aws/rolesanywhere/credential-helper:latest"
+    command: ["aws_signing_helper"]
+    args:
+      - "serve"
+      - "--private-key"
+      - "/etc/cert/tls.key"
+      - "--certificate"
+      - "/etc/cert/tls.crt"
+      - "--role-arn"
+      - "$ROLE_ARN"
+      - "--profile-arn"
+      - "$PROFILE_ARN"
+      - "--trust-anchor-arn"
+      - "$TRUST_ANCHOR_ARN"
+    volumeMounts:
+      - name: cert
+        mountPath: /etc/cert/
+        readOnly: true
+
+volumes:
+  - name: cert
+    secret:
+      secretName: cert

e2e/iamra-test/test.sh

@@ -0,0 +1,43 @@
+set -euo pipefail
+
+CA_ARN=$(aws ssm  get-parameter --name /iamra/certificate-authority-arn | jq -r '.Parameter.Value')
+TRUST_ANCHOR_ARN=$(aws ssm  get-parameter --name /iamra/trust-anchor-arn | jq -r '.Parameter.Value')
+PROFILE_ARN=$(aws ssm  get-parameter --name /iamra/profile-arn | jq -r '.Parameter.Value')
+ROLE_ARN=$(aws ssm  get-parameter --name /iamra/role-arn | jq -r '.Parameter.Value')
+
+echo $CA_ARN
+echo $TRUST_ANCHOR_ARN
+echo $PROFILE_ARN
+echo $ROLE_ARN
+
+openssl req -out iamra.csr -new -newkey rsa:2048 -nodes -keyout iamra.key -subj "/CN=iamra-issuer"
+
+CERT_ARN=$(aws acm-pca issue-certificate \
+      --certificate-authority-arn $CA_ARN \
+      --csr fileb://iamra.csr \
+      --signing-algorithm "SHA256WITHRSA" \
+      --validity Value=1,Type="DAYS" | jq -r .CertificateArn)
+
+aws acm-pca get-certificate \
+      --certificate-authority-arn $CA_ARN \
+      --certificate-arn $CERT_ARN | \
+      jq -r .Certificate > iamra-cert.pem
+
+cat iamra-cert.pem
+
+PROFILE_ARN=$PROFILE_ARN ROLE_ARN=$ROLE_ARN TRUST_ANCHOR_ARN=$TRUST_ANCHOR_ARN envsubst <e2e/iamra-test/iamra-values.yaml >replaced-values.yaml
+
+cat replaced-values.yaml
+
+make manager
+make create-local-registry
+make kind-cluster
+make deploy-cert-manager
+make docker-build
+make docker-push-local
+
+kubectl create secret tls -n aws-privateca-issuer cert --cert=iamra-cert.pem --key=iamra.key
+
+sleep 15
+
+helm install issuer ./charts/aws-pca-issuer -f replaced-values.yaml -n aws-privateca-issuer