diff --git a/.github/workflows/nfr.yml b/.github/workflows/nfr.yml
index 922b3621a5..0a33888cb9 100644
--- a/.github/workflows/nfr.yml
+++ b/.github/workflows/nfr.yml
@@ -41,6 +41,7 @@ jobs:
     permissions:
       contents: write # needed for opening PR with the results files
       pull-requests: write # needed for opening PR with the results files
+      id-token: write # needed for authenticating to GCP
 
     steps:
       - name: Checkout Repository
@@ -132,7 +133,7 @@ jobs:
       - name: Create GKE cluster
         working-directory: ./tests
         run:
-          make create-gke-cluster
+          make create-gke-cluster CI=true
 
       - name: Create and setup VM
         working-directory: ./tests
diff --git a/tests/Makefile b/tests/Makefile
index 3770196a00..6b32e47d07 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -12,6 +12,7 @@ GW_SVC_GKE_INTERNAL=false
 GINKGO_LABEL=
 GINKGO_FLAGS=
 NGF_VERSION=
+CI=false
 
 ifneq ($(GINKGO_LABEL),)
 override GINKGO_FLAGS += -ginkgo.label-filter "$(GINKGO_LABEL)"
@@ -86,8 +87,12 @@ cleanup-gcp: cleanup-router cleanup-vm delete-gke-cluster ## Cleanup all GCP res
 
 .PHONY: create-gke-cluster
 create-gke-cluster: ## Create a GKE cluster
-	bash scripts/create-gke-cluster.sh
+	bash scripts/create-gke-cluster.sh $(CI)
 
 .PHONY: delete-gke-cluster
 delete-gke-cluster: ## Delete the GKE cluster
 	bash scripts/delete-gke-cluster.sh
+
+.PHONY: add-local-ip-to-cluster
+add-local-ip-to-cluster: ## Add local IP to the GKE cluster master-authorized-networks
+	bash scripts/add-local-ip-to-cluster.sh
diff --git a/tests/README.md b/tests/README.md
index 50dda8b2f7..07a8ea141e 100644
--- a/tests/README.md
+++ b/tests/README.md
@@ -37,6 +37,7 @@ make
 ```
 
 ```text
+add-local-ip-to-cluster Add local IP to the GKE cluster master-authorized-networks
 build-images-with-plus Build NGF and NGINX Plus images
 build-images Build NGF and NGINX images
 cleanup-gcp Cleanup all GCP resources
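Review bot: The recipe of the new `add-local-ip-to-cluster` target runs `bash scripts/add-local-ip-to-cluster.sh`, but the script this commit adds is `tests/scripts/add-local-ip-auth-networks.sh` (the name `create-gke-cluster.sh` also calls), so `make add-local-ip-to-cluster` — the command the README now documents for re-adding a changed IP — fails on a missing file. Change the recipe to `bash scripts/add-local-ip-auth-networks.sh`, or rename the script to match the target; whichever is chosen, the README entry and the call in `create-gke-cluster.sh` should agree with it. The `$(CI)` argument on the `create-gke-cluster` recipe is passed unquoted, which is fine for the `false`/`true` values used here but means `make create-gke-cluster CI=` passes no argument at all and the script silently falls back to its own default.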
@@ -101,6 +102,15 @@ and `GKE_NODES_SERVICE_ACCOUNT` needs to be the name of a service account that h
 make create-gke-cluster
 ```
 
+> Note: The GKE cluster is created with `master-authorized-networks`, meaning only IPs from explicitly allowed CIDR ranges
+> will be able to access the cluster. The script will automatically add your current IP to the authorized list, but if
+> your IP changes, you can add your new local IP to the `master-authorized-networks` of the cluster by running the
+> following:
+
+```makefile
+make add-local-ip-to-cluster
+```
+
 ## Step 2 - Build and Load Images
 
 Loading the images only applies to a `kind` cluster. If using a cloud provider, you will need to tag and push
diff --git a/tests/scripts/add-local-ip-auth-networks.sh b/tests/scripts/add-local-ip-auth-networks.sh
new file mode 100644
index 0000000000..525260fe93
--- /dev/null
+++ b/tests/scripts/add-local-ip-auth-networks.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+source scripts/vars.env
+
+CURRENT_AUTH_NETWORK=$(gcloud container clusters describe ${GKE_CLUSTER_NAME} --zone=${GKE_CLUSTER_ZONE} \
+  --format="value(masterAuthorizedNetworksConfig.cidrBlocks[0])" | sed 's/cidrBlock=//')
+
+gcloud container clusters update ${GKE_CLUSTER_NAME} --zone=${GKE_CLUSTER_ZONE} --enable-master-authorized-networks --master-authorized-networks=${SOURCE_IP_RANGE},${CURRENT_AUTH_NETWORK}
diff --git a/tests/scripts/create-gke-cluster.sh b/tests/scripts/create-gke-cluster.sh
index d048eda368..20e7c08bcf 100644
--- a/tests/scripts/create-gke-cluster.sh
+++ b/tests/scripts/create-gke-cluster.sh
@@ -4,6 +4,8 @@ source scripts/vars.env
 
 ip_random_digit=$((1 + $RANDOM % 250))
 
+IS_CI=${1:-false}
+
 gcloud container clusters create ${GKE_CLUSTER_NAME} \
   --project ${GKE_PROJECT} \
   --zone ${GKE_CLUSTER_ZONE} \
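Review bot: The `gcloud container clusters update` call at the end of `add-local-ip-auth-networks.sh` rewrites the whole master-authorized-networks allowlist from `${SOURCE_IP_RANGE}` and `cidrBlocks[0]` only, so any further entries already on the list are dropped, and with no `set -euo pipefail` a failed `describe` leaves `CURRENT_AUTH_NETWORK` empty and the update is still attempted with a trailing comma in the list. Because this list gates access to the control-plane endpoint, the script should fail closed instead of rewriting it from partial data: add `set -euo pipefail` after the shebang, quote the expansions (`"${GKE_CLUSTER_NAME}"`, `"${GKE_CLUSTER_ZONE}"`, `"${SOURCE_IP_RANGE}"`), and bail out before the update with `[ -n "${CURRENT_AUTH_NETWORK}" ] || { echo "could not read current authorized networks" >&2; exit 1; }`. Whether the intent is to keep every existing entry (projecting the full `cidrBlocks` list rather than index 0) is not clear from the diff and is worth confirming, since the README presents the target as "adding" an IP. A two-line header comment naming the variables the script reads from `scripts/vars.env` and stating that it replaces the allowlist rather than appending to it would save the next reader that surprise.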
@@ -13,3 +15,9 @@ gcloud container clusters create ${GKE_CLUSTER_NAME} \
   --enable-private-nodes \
   --master-ipv4-cidr 172.16.${ip_random_digit}.32/28 \
   --metadata=block-project-ssh-keys=TRUE
+
+# Add current IP to GKE master control node access, if this script is not invoked during a CI run.
+if [ "${IS_CI}" = "false" ]; then
+  SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+  bash ${SCRIPT_DIR}/add-local-ip-auth-networks.sh
+fi
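Review bot: `bash ${SCRIPT_DIR}/add-local-ip-auth-networks.sh` leaves `SCRIPT_DIR` unquoted although the line above computes it with careful quoting; write `bash "${SCRIPT_DIR}/add-local-ip-auth-networks.sh"`. The gate is an exact string compare, so any `CI` value other than the literal `false` (for example `0` or `False`) skips the local-IP step — the safe direction for an allowlist, but it deserves a mention in the comment above the `if`, e.g. `# Only the literal "false" (the Makefile default) adds the caller's IP; any other value is treated as a CI run.` The called script resolves `scripts/vars.env` relative to the working directory, the same assumption this script's own `source` at its top makes, so the `make` target in `tests/` remains the only supported entry point for both.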