Merge branch 'main' into crib-524/crib-deploy-for-gapv2

actions/crib-purge-environment/CHANGELOG.md

@@ -1,5 +1,14 @@
 # crib-purge-environment
 
+## 0.3.0
+
+### Minor Changes
+
+- [#692](https://github.com/smartcontractkit/.github/pull/692)
+  [`3bb9ad4`](https://github.com/smartcontractkit/.github/commit/3bb9ad43053a6319386d171d63c8680ee8ef6148)
+  Thanks [@njegosrailic](https://github.com/njegosrailic)! - Adding support for
+  gracefully terminating Kubernetes namespace
+
 ## 0.2.1
 
 ### Patch Changes

actions/crib-purge-environment/action.yml

@@ -1,13 +1,25 @@
 name: crib-purge-environment
 description: |
-  Action to destroy CRIB epehemeral environment.
-  It requires to run crib-deployment-environment beforehand
+  Action to destroy the CRIB ephemeral environment.
+  It requires running `crib-deployment-environment` beforehand
   and depends on the environment setup from a dependent composite action.
 
 inputs:
   namespace:
     description: "The CRIB namespace that should be destroyed."
     required: true
+  gracefully-terminate:
+    description:
+      "Whether to gracefully terminate the namespace. Defaults to false. If set
+      to true, please also provide the termination period."
+    required: false
+    default: "false"
+  gracefully-terminate-period:
+    description: |
+      "The grace period (in seconds) for gracefully terminating the namespace.
+      Default is 0 seconds."
+    required: false
+    default: "0"
 
 runs:
   using: composite
@@ -19,11 +31,13 @@ runs:
         KUBECACHEDIR: /dev/null
       run: |
         NAMESPACE="${{ inputs.namespace }}"
+        GRACEFULLY_TERMINATE="${{ inputs.gracefully-terminate }}"
+        GRACEFULLY_TERMINATE_PERIOD="${{ inputs.gracefully-terminate-period }}"
 
         # Check if the namespace exists
         if kubectl get ns "$NAMESPACE" > /dev/null 2>&1; then
           echo "Namespace $NAMESPACE exists. Proceeding with deletion.."
-          kubectl delete ns "$NAMESPACE" --grace-period=0 --wait=false
+          kubectl delete ns "$NAMESPACE" --grace-period="$GRACEFULLY_TERMINATE_PERIOD" --wait="$GRACEFULLY_TERMINATE"
         else
           echo "Namespace $NAMESPACE does not exist. Skipping deletion."
         fi

actions/crib-purge-environment/package.json

@@ -1,6 +1,6 @@
 {
   "name": "crib-purge-environment",
-  "version": "0.2.1",
+  "version": "0.3.0",
   "description": "",
   "private": true,
   "scripts": {},

actions/setup-gap/CHANGELOG.md

@@ -1,5 +1,14 @@
 # setup-gap
 
+## 1.0.0
+
+### Major Changes
+
+- [#693](https://github.com/smartcontractkit/.github/pull/693)
+  [`cd10ac2`](https://github.com/smartcontractkit/.github/commit/cd10ac239d5332f3a5333940dfa449b953157cb4)
+  Thanks [@chainchad](https://github.com/chainchad)! - Switch over to GAP v2
+  compatibility
+
 ## 0.6.1
 
 ### Patch Changes

actions/setup-gap/README.md

@@ -1,3 +1,8 @@
 # setup-gap
 
 > setup github actions proxy
+
+## Certificate Authorities
+
+The contents of ./aws-ca.crt are pulled from the PEM files on the
+[AWS Certificate Authority](https://www.amazontrust.com/repository/) page.

actions/setup-gap/action.yml

@@ -3,10 +3,6 @@ description: "setup github actions proxy"
 
 inputs:
   # general inputs
-  api-gateway-stage-name:
-    description: "The stage name for the target service on the AWS API GW."
-    required: false
-    default: "primary"
   gap-name:
     description:
       "The name of the GAP. Used in the dir name for self-signed certs and the
@@ -16,55 +12,14 @@ inputs:
     default: execute-api
   use-tls:
     description:
-      "Enable TLS for the local sigv4 proxy container. Ignored if `use-k8s:
+      "Enable TLS for the local envoy proxy container. Ignored if `use-k8s:
       true` as that input will automatically use TLS."
     required: false
     default: "false"
-  # aws sig4 proxy inputs
-  api-gateway-host:
-    description: |
-      The AWS API Gateway host for the target service.
-      Usually of the form <gateway id>.execute-api.<region>.amazonaws.com.
-    required: true
-  proxy-version:
-    description:
-      "The aws-sigv4-proxy image version / tag, if using the public ecr."
-    required: false
-    default: "1.8"
   proxy-port:
     description: "The port the proxy will listen on. Defaults to 8080."
     required: false
     default: "8080"
-  duplicate-authorization-header:
-    description:
-      "Whether to duplicate the Authorization header to
-      X-Original-Authorization. Note this is only used by the public image, it
-      is on by default for the private image. Defaults to false."
-    required: false
-    default: "false"
-  # ecr inputs
-  use-private-ecr-registry:
-    description:
-      "Whether to use a private ECR registry to pull the aws-sigv4-proxy image.
-      Defaults to false."
-    required: false
-    default: "false"
-  ecr-private-registry:
-    description:
-      "The ECR registry (account id) for the aws-sigv4-proxy. Required if
-      use-private-ecr-registry is true."
-    required: false
-  ecr-private-image-tag:
-    description:
-      "The aws-sigv4-proxy image tag for the private ECR registry. Defaults to a
-      known tag."
-    required: false
-    default: "6cc1e6d2bce23c04aace47d26511ad65205975b8"
-  ecr-private-aws-region:
-    description:
-      "The region for the private ECR registry, if different from aws-region
-      input."
-    required: false
   # aws role inputs
   aws-role-duration-seconds:
     description:
@@ -82,25 +37,6 @@ inputs:
       "The AWS role with API Gateway invoke permissions, ECR pull permissions
       for aws-sigv4-proxy, and if for k8s then EKS describe permissions"
     required: false
-  # argocd inputs
-  use-argocd:
-    description:
-      "Whether to setup GAP for communicating with argocd. Cannot be used with
-      use-k8s. Defaults to false."
-    required: false
-    default: "false"
-  argocd-version:
-    description: "The version of argocd to install. Defaults to 2.8.2."
-    required: false
-    default: "2.8.2"
-  argocd-user:
-    description:
-      "The username for argocd login. Required if use-argocd is true."
-    required: false
-  argocd-pass:
-    description:
-      "The password for argocd login. Required if use-argocd is true."
-    required: false
   # k8s inputs
   use-k8s:
     description:
@@ -115,6 +51,17 @@ inputs:
     description:
       "The region for the EKS cluster, if different from aws-region input."
     required: false
+  envoy-proxy-image:
+    description: "Envoy Proxy image used to run Envoy proxy for GAP"
+    required: false
+    default: "envoyproxy/envoy:v1.31.0"
+  k8s-api-endpoint:
+    required: true
+    description: "Endpoint"
+outputs:
+  gh-jwt-token:
+    description: "GitHub JWT token to be used for GAP requests"
+    value: ${{ steps.get-jwt-token.outputs.token }}
 
 runs:
   using: composite
@@ -132,7 +79,7 @@ runs:
       # ---
       # Kubectl requires a TLS connection to it's configured endpoint, and performs certificate
       # validation through the CA configured in the kubeconfig.
-      # The local aws-sigv4-proxy container will act as the k8s endpoint for kubectl, and therefore requires a
+      # The local envoy container will act as the k8s endpoint for kubectl, and therefore requires a
       # certificate signed by a trusted CA. Because this is for local TLS we can generate a CA, generate a server
       # certificate, sign the server certificate with the CA, and update the CA in the kubeconfig to trust it.
       # Also useful for other use-cases where a local TLS connection is required.
@@ -195,100 +142,45 @@ runs:
 
         echo "::debug::Setting up kubeconfig for localhost proxy"
 
-        # Update the server to use the localhost proxy
-        kubectl config set clusters.$CLUSTER_ARN.server https://localhost:${{ inputs.proxy-port }}/${{ inputs.api-gateway-stage-name }}
+        kubectl config set clusters."$CLUSTER_ARN".server "https://localhost:${{ inputs.proxy-port }}"
 
         # Set the certificate-authority to the ephemeral certificate authority configured above
         kubectl config set clusters.$CLUSTER_ARN.certificate-authority "${PATH_CERTS_DIR}/ca.crt"
 
         # Remove certificate-authority-data populated from `aws eks update-kubeconfig` which is for the endpoint which is not publicly accessible
         kubectl config unset clusters.$CLUSTER_ARN.certificate-authority-data
 
-    - name: Login to AWS ECR (public ecr only)
-      if: inputs.use-private-ecr-registry != 'true'
-      uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
-      env:
-        AWS_REGION: us-east-1
+    - name: Get GH JWT Token
+      if: inputs.use-k8s == 'true'
+      id: get-jwt-token
+      uses: actions/github-script@v7
       with:
-        registry-type: public
+        script: |
+          const audience = 'gap';
+          const id_token = await core.getIDToken(audience);
+          core.setOutput('token', id_token);
 
-    - name: Run aws sig4 proxy container (public ecr only)
-      if: inputs.use-private-ecr-registry != 'true'
-      shell: bash
+    - name: Run Envoy proxy
+      if: inputs.use-k8s == 'true'
+      shell: sh
       env:
-        AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
-        AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
-        AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }}
-        GAP_NAME: ${{ inputs.gap-name }}
+        PROXY_PORT: ${{ inputs.proxy-port }}
+        JWT_TOKEN: ${{ steps.get-jwt-token.outputs.token }}
+        K8S_API_ENDPOINT: ${{ inputs.k8s-api-endpoint}}
+        ENVOY_PROXY_IMAGE: ${{ inputs.envoy-proxy-image }}
       run: |
-        DUPLICATE_AUTH_HEADER_FLAG=""
-        if [ "${{ inputs.duplicate-authorization-header }}" == "true" ]; then
-          DUPLICATE_AUTH_HEADER_FLAG="--duplicate-headers Authorization"
-        fi
-
-        docker run --rm -d \
-          -e AWS_ACCESS_KEY_ID \
-          -e AWS_SECRET_ACCESS_KEY \
-          -e AWS_SESSION_TOKEN \
-          -p "${{ inputs.proxy-port }}":"${{ inputs.proxy-port }}" \
-          public.ecr.aws/aws-observability/aws-sigv4-proxy:${{ inputs.proxy-version }} \
-          --name "${GAP_NAME}" --region ${{ inputs.aws-region }} \
-          --host "${{ inputs.api-gateway-host }}" \
-          --log-failed-requests $DUPLICATE_AUTH_HEADER_FLAG
-
-    - name: Login to AWS ECR (private ecr only)
-      if: inputs.use-private-ecr-registry == 'true'
-      uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
-      env:
-        AWS_REGION: ${{ inputs.ecr-private-aws-region || inputs.aws-region }}
-      with:
-        registries: ${{ inputs.ecr-private-registry }}
+        # Generate Envoy config from template
+        ls -l
+        envsubst < "${GITHUB_ACTION_PATH}/envoy.yaml.template" > "${GITHUB_ACTION_PATH}/envoy.yaml"
 
-    - name: Pull from custom proxy image (private ecr only)
-      if: inputs.use-private-ecr-registry == 'true'
-      shell: bash
-      run: |
-        docker pull ${{ inputs.ecr-private-registry }}.dkr.ecr.${{ inputs.ecr-private-aws-region || inputs.aws-region }}.amazonaws.com/aws-sigv4-proxy:${{ inputs.ecr-private-image-tag }}
+        # Copy AWS CA certs
+        cp ${{ github.action_path }}/aws-ca.crt "${PATH_CERTS_DIR}"
+        chmod 644 "${PATH_CERTS_DIR}/server.key"
 
-    - name: Run aws sig4 proxy container (private ecr only)
-      if: inputs.use-private-ecr-registry == 'true'
-      shell: bash
-      env:
-        AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
-        AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
-        AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }}
-      run: |
         docker run --rm -d \
-          -e AWS_ACCESS_KEY_ID \
-          -e AWS_SECRET_ACCESS_KEY \
-          -e AWS_SESSION_TOKEN \
-          -p ${{ inputs.proxy-port }}:${{ inputs.proxy-port }} \
+          --name "gap-v2" \
+          -p "${PROXY_PORT}:${PROXY_PORT}" \
           -v "${PATH_CERTS_DIR}":/tls \
-          ${{ inputs.ecr-private-registry }}.dkr.ecr.${{ inputs.ecr-private-aws-region || inputs.aws-region }}.amazonaws.com/aws-sigv4-proxy:${{ inputs.ecr-private-image-tag }} \
-            --name execute-api \
-            --region ${{ inputs.aws-region }} \
-            --host "${{ inputs.api-gateway-host }}" \
-            --log-failed-requests \
-            --port :${{ inputs.proxy-port }} \
-            --enable-tls --tls-key-file /tls/server.key --tls-cert-file /tls/server.crt \
-            --duplicate-headers Authorization
-
-    - name: Setup argocd
-      if: inputs.use-argocd == 'true'
-      uses: clowdhaus/argo-cd-action@c38276b240079e18653fef3ea63e0a1ef3b00a1d # v2.2.0
-      with:
-        command: version
-        options: --client
-        version: ${{ inputs.argocd-version }}
-
-    - name: Argocd login
-      if: inputs.use-argocd == 'true'
-      shell: bash
-      run: |
-        argocd login \
-          localhost:${{ inputs.proxy-port }}/${{ inputs.api-gateway-stage-name }} \
-          --skip-test-tls \
-          --plaintext \
-          --grpc-web
-          --username ${{ inputs.argocd-user }} \
-          --password ${{ inputs.argocd-pass }}
+          -v "${GITHUB_ACTION_PATH}/envoy.yaml":/etc/envoy/envoy.yaml \
+          "${ENVOY_PROXY_IMAGE}" \
+          /usr/local/bin/envoy -c /etc/envoy/envoy.yaml