NFR: Add convenience script and update workflow token (#1639)

* Add convenience script and update workflow token

---------

Co-authored-by: Saylor Berman <[email protected]>

.github/workflows/nfr.yml

@@ -41,6 +41,7 @@ jobs:
     permissions:
       contents: write # needed for opening PR with the results files
       pull-requests: write # needed for opening PR with the results files
+      id-token: write # needed for authenticating to GCP
 
     steps:
     - name: Checkout Repository
@@ -132,7 +133,7 @@ jobs:
     - name: Create GKE cluster
       working-directory: ./tests
       run:
-        make create-gke-cluster
+        make create-gke-cluster CI=true
 
     - name: Create and setup VM
       working-directory: ./tests

tests/Makefile

@@ -12,6 +12,7 @@ GW_SVC_GKE_INTERNAL=false
 GINKGO_LABEL=
 GINKGO_FLAGS=
 NGF_VERSION=
+CI=false
 
 ifneq ($(GINKGO_LABEL),)
     override GINKGO_FLAGS += -ginkgo.label-filter "$(GINKGO_LABEL)"
@@ -86,8 +87,12 @@ cleanup-gcp: cleanup-router cleanup-vm delete-gke-cluster ## Cleanup all GCP res
 
 .PHONY: create-gke-cluster
 create-gke-cluster: ## Create a GKE cluster
-	bash scripts/create-gke-cluster.sh
+	bash scripts/create-gke-cluster.sh $(CI)
 
 .PHONY: delete-gke-cluster
 delete-gke-cluster: ## Delete the GKE cluster
 	bash scripts/delete-gke-cluster.sh
+
+.PHONY: add-local-ip-to-cluster
+add-local-ip-to-cluster: ## Add local IP to the GKE cluster master-authorized-networks
+	bash scripts/add-local-ip-to-cluster.sh

tests/README.md

@@ -37,6 +37,7 @@ make
 ```
 
 ```text
+add-local-ip-to-cluster        Add local IP to the GKE cluster master-authorized-networks
 build-images-with-plus         Build NGF and NGINX Plus images
 build-images                   Build NGF and NGINX images
 cleanup-gcp                    Cleanup all GCP resources
@@ -101,6 +102,15 @@ and `GKE_NODES_SERVICE_ACCOUNT` needs to be the name of a service account that h
 make create-gke-cluster
 ```
 
+> Note: The GKE cluster is created with `master-authorized-networks`, meaning only IPs from explicitly allowed CIDR ranges
+> will be able to access the cluster. The script will automatically add your current IP to the authorized list, but if
+> your IP changes, you can add your new local IP to the `master-authorized-networks` of the cluster by running the
+> following:
+
+```makefile
+make add-local-ip-to-cluster
+```
+
 ## Step 2 - Build and Load Images
 
 Loading the images only applies to a `kind` cluster. If using a cloud provider, you will need to tag and push

tests/scripts/add-local-ip-auth-networks.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+source scripts/vars.env
+
+CURRENT_AUTH_NETWORK=$(gcloud container clusters describe ${GKE_CLUSTER_NAME} --zone=${GKE_CLUSTER_ZONE} \
+                        --format="value(masterAuthorizedNetworksConfig.cidrBlocks[0])" | sed 's/cidrBlock=//')
+
+gcloud container clusters update ${GKE_CLUSTER_NAME} --zone=${GKE_CLUSTER_ZONE} --enable-master-authorized-networks --master-authorized-networks=${SOURCE_IP_RANGE},${CURRENT_AUTH_NETWORK}

tests/scripts/create-gke-cluster.sh

@@ -4,6 +4,8 @@ source scripts/vars.env
 
 ip_random_digit=$((1 + $RANDOM % 250))
 
+IS_CI=${1:-false}
+
 gcloud container clusters create ${GKE_CLUSTER_NAME} \
     --project ${GKE_PROJECT} \
     --zone ${GKE_CLUSTER_ZONE} \
@@ -13,3 +15,9 @@ gcloud container clusters create ${GKE_CLUSTER_NAME} \
     --enable-private-nodes \
     --master-ipv4-cidr 172.16.${ip_random_digit}.32/28 \
     --metadata=block-project-ssh-keys=TRUE
+
+# Add current IP to GKE master control node access, if this script is not invoked during a CI run.
+if [ "${IS_CI}" = "false" ]; then
+    SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+    bash ${SCRIPT_DIR}/add-local-ip-auth-networks.sh
+fi