From e81e8df5225788c5bfab0a9c43c155c01682e869 Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Wed, 18 Feb 2026 10:02:10 +1100 Subject: [PATCH 01/27] Add AKS related e2e test steps back --- .github/workflows/shared-run-e2e-tests.yaml | 24 +++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/.github/workflows/shared-run-e2e-tests.yaml b/.github/workflows/shared-run-e2e-tests.yaml index 13d70757..02364942 100644 --- a/.github/workflows/shared-run-e2e-tests.yaml +++ b/.github/workflows/shared-run-e2e-tests.yaml @@ -201,6 +201,16 @@ jobs: target_environment: ${{ inputs.target_environment }} aws_pcr0: ${{ inputs.aws_pcr0 }} + - name: Prepare AKS metadata + id: prepare_aks_metadata + if: ${{ inputs.operator_type == 'aks' }} + uses: IABTechLab/uid2-shared-actions/actions/prepare_aks_metadata@v3 + with: + operator_image_version: ${{ inputs.operator_image_version }} + target_environment: ${{ inputs.target_environment }} + bore_url_core: ${{ steps.bore.outputs.bore_url_core }} + bore_url_optout: ${{ steps.bore.outputs.bore_url_optout }} + - name: Bring up Docker Compose id: docker-compose if: ${{ inputs.target_environment == 'mock' }} @@ -255,6 +265,14 @@ jobs: target_environment: ${{ inputs.target_environment }} operator_key: ${{ steps.prepare_aws_metadata.outputs.operator_key }} + - name: Start AKS private operator + id: start_aks_private_operator + if: ${{ inputs.operator_type == 'aks' }} + uses: IABTechLab/uid2-shared-actions/actions/start_aks_private_operator@v3 + with: + template_file: ${{ steps.prepare_aks_metadata.outputs.template_file }} + azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} + - name: Decide E2E test environment variables id: decide_env_var shell: bash 
@@ -358,3 +376,9 @@ jobs: with: aws_stack_name: ${{ needs.e2e-test.outputs.aws_stack_name }} aws_region: ${{ inputs.aws_region }} + + - name: Stop AKS operator + if: ${{ inputs.operator_type == 'aks' }} + uses: IABTechLab/uid2-shared-actions/actions/stop_aks_private_operator@v3 + with: + azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} From 44f4a1cbd2245eee3678c4dcac40753358eb3f40 Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Wed, 18 Feb 2026 11:25:30 +1100 Subject: [PATCH 02/27] Create AKS cluster every time for the e2e test --- .github/workflows/shared-run-e2e-tests.yaml | 24 ++++- actions/prepare_aks_metadata/action.yaml | 4 + actions/start_aks_cluster/action.yaml | 23 +++++ scripts/aks/aks_env.sh | 16 +++ scripts/aks/prepare_aks_artifacts.sh | 45 ++++++--- scripts/aks/start_aks_cluster.sh | 104 ++++++++++++++++++++ scripts/aks/start_aks_enclave.sh | 15 +-- scripts/aks/stop_aks_enclave.sh | 14 +-- scripts/get_operator_key.sh | 4 + 9 files changed, 211 insertions(+), 38 deletions(-) create mode 100644 actions/start_aks_cluster/action.yaml create mode 100644 scripts/aks/aks_env.sh create mode 100644 scripts/aks/start_aks_cluster.sh diff --git a/.github/workflows/shared-run-e2e-tests.yaml b/.github/workflows/shared-run-e2e-tests.yaml index 02364942..d3aec75d 100644 --- a/.github/workflows/shared-run-e2e-tests.yaml +++ b/.github/workflows/shared-run-e2e-tests.yaml @@ -94,6 +94,9 @@ env: E2E_EUID_PROD_AWS_ARGS_JSON: ${{ secrets.E2E_EUID_PROD_AWS_ARGS_JSON }} E2E_EUID_PROD_AWS_OPERATOR_API_KEY: ${{ secrets.E2E_EUID_PROD_AWS_OPERATOR_API_KEY }} + E2E_UID2_INTEG_AKS_OPERATOR_KEY: ${{ secrets.E2E_UID2_INTEG_AKS_OPERATOR_KEY }} + E2E_UID2_PROD_AKS_OPERATOR_KEY: ${{ secrets.E2E_UID2_PROD_AKS_OPERATOR_KEY }} + jobs: e2e-test: name: E2E Test 
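Review bot: The added `Stop AKS operator` step is gated only on `inputs.operator_type == 'aks'`, and a step `if` without a status function carries an implicit `success()`, so it is skipped when an earlier step in the same job fails. Teardown is what releases the Azure resources, so it should run regardless: `if: ${{ always() && inputs.operator_type == 'aks' }}`. The job header and its own `if:` are outside this hunk, so also confirm that the job itself still runs after a failed `e2e-test`.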
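Review bot: Adding `E2E_UID2_INTEG_AKS_OPERATOR_KEY` and `E2E_UID2_PROD_AKS_OPERATOR_KEY` to the workflow-level `env:` puts both operator keys, the prod one included, into the environment of every step of every job, third-party actions among them. Only the `Get AKS operator key` step added later in this patch reads them, so they can be declared in that step's own `env:` instead. The neighbouring AWS entries use the same workflow-wide pattern, so if this is deliberate consistency a short comment saying so would help.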
@@ -201,15 +204,34 @@ jobs: target_environment: ${{ inputs.target_environment }} aws_pcr0: ${{ inputs.aws_pcr0 }} + - name: Start AKS cluster + id: start_aks_cluster + if: ${{ inputs.operator_type == 'aks' }} + uses: IABTechLab/uid2-shared-actions/actions/start_aks_cluster@kcc-UID2-6321-reenable-aks-e2e + with: + azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Get AKS operator key + id: get_aks_operator_key + if: ${{ inputs.operator_type == 'aks' }} + shell: bash + env: + IDENTITY_SCOPE: ${{ inputs.identity_scope }} + TARGET_ENVIRONMENT: ${{ inputs.target_environment }} + ENCLAVE_PROTOCOL: azure-cc + run: | + bash uid2-shared-actions/scripts/get_operator_key.sh + - name: Prepare AKS metadata id: prepare_aks_metadata if: ${{ inputs.operator_type == 'aks' }} - uses: IABTechLab/uid2-shared-actions/actions/prepare_aks_metadata@v3 + uses: IABTechLab/uid2-shared-actions/actions/prepare_aks_metadata@kcc-UID2-6321-reenable-aks-e2e with: operator_image_version: ${{ inputs.operator_image_version }} target_environment: ${{ inputs.target_environment }} bore_url_core: ${{ steps.bore.outputs.bore_url_core }} bore_url_optout: ${{ steps.bore.outputs.bore_url_optout }} + operator_key: ${{ steps.get_aks_operator_key.outputs.OPERATOR_KEY }} - name: Bring up Docker Compose id: docker-compose diff --git a/actions/prepare_aks_metadata/action.yaml b/actions/prepare_aks_metadata/action.yaml index d169eefc..909a82b7 100644 --- a/actions/prepare_aks_metadata/action.yaml +++ b/actions/prepare_aks_metadata/action.yaml @@ -14,6 +14,9 @@ inputs: bore_url_optout: description: The bore URL for optout service required: true + operator_key: + description: The operator key secret for the target environment + required: true outputs: template_file: description: The template file 
@@ -36,6 +39,7 @@ runs: BORE_URL_OPTOUT: ${{ inputs.bore_url_optout }} IMAGE_VERSION: ${{ inputs.operator_image_version }} TARGET_ENVIRONMENT: ${{ inputs.target_environment }} + OPERATOR_KEY: ${{ inputs.operator_key }} run: | bash uid2-shared-actions/scripts/aks/prepare_aks_artifacts.sh diff --git a/actions/start_aks_cluster/action.yaml b/actions/start_aks_cluster/action.yaml new file mode 100644 index 00000000..37213bd5 --- /dev/null +++ b/actions/start_aks_cluster/action.yaml @@ -0,0 +1,23 @@ +name: Start AKS Private Operator +description: Spins up an AKS private operator + +inputs: + azure_credentials: + description: The Azure credentials + required: true + +runs: + using: "composite" + + steps: + - name: Log in to Azure + uses: azure/login@v2 + with: + creds: ${{ inputs.azure_credentials }} + enable-AzPSSession: true + + - name: Start AKS private operator + id: start_aks + shell: bash + run: | + bash uid2-shared-actions/scripts/aks/start_aks_cluster.sh diff --git a/scripts/aks/aks_env.sh b/scripts/aks/aks_env.sh new file mode 100644 index 00000000..6e31a64c --- /dev/null +++ b/scripts/aks/aks_env.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash +# Common AKS environment variables used by multiple scripts + +export RESOURCE_GROUP="opr-e2e-vn-aks" +export LOCATION="eastus" +export VNET_NAME="opr-e2e-vnet" +export PUBLIC_IP_ADDRESS_NAME="opr-e2e-public-ip" +export NAT_GATEWAY_NAME="opr-e2e-nat-gateway" +export AKS_CLUSTER_NAME="opr-e2evncluster" +export KEYVAULT_NAME="opr-e2e-vn-aks-vault" +export KEYVAULT_SECRET_NAME="opr-e2e-vn-aks-opr-key-name" +export MANAGED_IDENTITY="opr-e2e-vn-aks-opr-id" +export AKS_NODE_RESOURCE_GROUP="MC_${RESOURCE_GROUP}_${AKS_CLUSTER_NAME}_${LOCATION}" +export SUBSCRIPTION_ID="$(az account show --query id --output tsv)" +export DEPLOYMENT_ENV="integ" + diff --git a/scripts/aks/prepare_aks_artifacts.sh b/scripts/aks/prepare_aks_artifacts.sh index 592b16d0..5ef2a2d9 100644 --- a/scripts/aks/prepare_aks_artifacts.sh 
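Review bot: The new `actions/start_aks_cluster/action.yaml` keeps the name and description of the operator action it appears to be copied from (`Start AKS Private Operator`, `Spins up an AKS private operator`), and its script step is also named `Start AKS private operator`, although it runs `start_aks_cluster.sh`. Suggest `name: Start AKS Cluster` and `description: Creates the AKS cluster and virtual node used by the E2E test`, with the step renamed to match. `enable-AzPSSession: true` additionally opens an Azure PowerShell session with the same credential; the script this action runs uses only `az`, `kubectl`, `helm` and `git`, so the flag can probably be dropped.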
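Review bot: `export SUBSCRIPTION_ID="$(az account show --query id --output tsv)"` in the new `aks_env.sh` discards the exit status of `az`, because the shell only sees the status of `export`, even under `set -e`. If the CLI is not logged in, `SUBSCRIPTION_ID` is empty and `start_aks_cluster.sh` goes on to build role-assignment scopes such as `/subscriptions//resourceGroups/...`. Assign first and check, e.g. `SUBSCRIPTION_ID="$(az account show --query id --output tsv)" || return 1` followed by `export SUBSCRIPTION_ID`. The header comment could also state that sourcing this file calls `az` and therefore needs a prior Azure login.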
+++ b/scripts/aks/prepare_aks_artifacts.sh 
@@ -21,31 +21,44 @@ if [ -z "${TARGET_ENVIRONMENT}" ]; then exit 1 fi -# Below resources should be prepared ahead of running the E2E test. +if [ -z "${OPERATOR_KEY}" ]; then + echo "OPERATOR_KEY can not be empty" + exit 1 +fi + # See https://github.com/UnifiedID2/aks-demo/tree/master/vn-aks#setup-aks--node-pool -export RESOURCE_GROUP="pipeline-vn-aks" -export LOCATION="eastus" -export VNET_NAME="pipeline-vnet" -export PUBLIC_IP_ADDRESS_NAME="pipeline-public-ip" -export NAT_GATEWAY_NAME="pipeline-nat-gateway" -export AKS_CLUSTER_NAME="pipelinevncluster" -export KEYVAULT_NAME="pipeline-vn-aks-vault" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +source "${SCRIPT_DIR}/aks_env.sh" + if [ ${TARGET_ENVIRONMENT} == "mock" ]; then - export KEYVAULT_SECRET_NAME="pipeline-vn-aks-opr-key-name" + export KEYVAULT_SECRET_NAME="opr-e2e-vn-aks-opr-key-name" elif [ ${TARGET_ENVIRONMENT} == "integ" ]; then - KEYVAULT_SECRET_NAME="pipeline-vn-aks-opr-key-name-integ" + export KEYVAULT_SECRET_NAME="opr-e2e-vn-aks-opr-key-name-integ" elif [ ${TARGET_ENVIRONMENT} == "prod" ]; then - KEYVAULT_SECRET_NAME="pipeline-vn-aks-opr-key-name-prod" + export KEYVAULT_SECRET_NAME="opr-e2e-vn-aks-opr-key-name-prod" else echo "Arguments not supported: TARGET_ENVIRONMENT=${TARGET_ENVIRONMENT}" exit 1 fi -export MANAGED_IDENTITY="pipeline-vn-aks-opr-id" -export AKS_NODE_RESOURCE_GROUP="MC_${RESOURCE_GROUP}_${AKS_CLUSTER_NAME}_${LOCATION}" -export SUBSCRIPTION_ID="$(az account show --query id --output tsv)" -export DEPLOYMENT_ENV="integ" -export MANAGED_IDENTITY_ID="/subscriptions/001a3882-eb1c-42ac-9edc-5e2872a07783/resourcegroups/pipeline-vn-aks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/pipeline-vn-aks-opr-id" +# --- Create Key Vault & Managed Identity --- +# Login to AKS cluster +az aks get-credentials --name ${AKS_CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} +# Create managed identity +az identity create --name "${MANAGED_IDENTITY}" --resource-group 
"${RESOURCE_GROUP}" --location "${LOCATION}" +# Create key vault with purge protection and RBAC authorization +az keyvault create --name "${KEYVAULT_NAME}" --resource-group "${RESOURCE_GROUP}" --location "${LOCATION}" --enable-purge-protection --enable-rbac-authorization +# Get keyvault resource ID +export KEYVAULT_RESOURCE_ID="$(az keyvault show --resource-group "${RESOURCE_GROUP}" --name "${KEYVAULT_NAME}" --query id --output tsv)" +# Set keyvault secret +az keyvault secret set --vault-name "${KEYVAULT_NAME}" --name "${KEYVAULT_SECRET_NAME}" --value "${OPERATOR_KEY}" +# Get identity principal ID +export IDENTITY_PRINCIPAL_ID="$(az identity show --name "${MANAGED_IDENTITY}" --resource-group "${RESOURCE_GROUP}" --query principalId --output tsv)" +# Create role assignment for Key Vault Secrets User +az role assignment create --assignee-object-id "${IDENTITY_PRINCIPAL_ID}" --role "Key Vault Secrets User" --scope "${KEYVAULT_RESOURCE_ID}" --assignee-principal-type ServicePrincipal + +# Get managed identity ID +export MANAGED_IDENTITY_ID="$(az identity show --name "${MANAGED_IDENTITY}" --resource-group "${RESOURCE_GROUP}" --query id --output tsv)" OPERATOR_ROOT="./uid2-operator" SHARED_ACTIONS_ROOT="./uid2-shared-actions" diff --git a/scripts/aks/start_aks_cluster.sh b/scripts/aks/start_aks_cluster.sh new file mode 100644 index 00000000..9ae87c93 --- /dev/null +++ b/scripts/aks/start_aks_cluster.sh 
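Review bot: `az keyvault create ... --enable-purge-protection` conflicts with the teardown this same patch introduces: `stop_aks_enclave.sh` deletes the whole resource group, which leaves the vault soft-deleted, and a purge-protected vault cannot be purged, so its name stays reserved for the retention period and the next run's create of `${KEYVAULT_NAME}` is likely to fail. For a vault that lives for one test run, drop the flag and purge on teardown, or keep the vault outside the per-run resource group. `az keyvault secret set` also prints the stored secret, value included, as JSON on stdout; log masking should catch it, but adding `--output none` avoids relying on that. With `--enable-rbac-authorization` the identity running this script needs a data-plane role on the vault to write the secret, and only `Key Vault Secrets User` for the managed identity is assigned here, so confirm the CI principal already holds one. The start of the script, including whether it runs under `set -x`, is outside this hunk.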
@@ -0,0 +1,104 @@ +#!/usr/bin/env bash +set -ex + +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +source "${SCRIPT_DIR}/aks_env.sh" + +# Setup AKS & Node Pool +az group create --name "${RESOURCE_GROUP}" --location "${LOCATION}" + +az network vnet create \ + --resource-group ${RESOURCE_GROUP} \ + --name ${VNET_NAME} \ + --location ${LOCATION} \ + --address-prefixes 10.0.0.0/8 + +# Default Subnet (10.0.0.0/24) +az network vnet subnet create \ + --resource-group ${RESOURCE_GROUP} \ + --vnet-name ${VNET_NAME} \ + --name default \ + --address-prefixes 10.0.0.0/24 + +# AKS Subnet (CIDR /16) +az network vnet subnet create \ + --resource-group ${RESOURCE_GROUP} \ + --vnet-name ${VNET_NAME} \ + --name aks \ + --address-prefixes 10.1.0.0/16 + +# Container Groups Subnet (CIDR /16) with Delegation +az network vnet subnet create \ + --resource-group ${RESOURCE_GROUP} \ + --vnet-name ${VNET_NAME} \ + --name cg \ + --address-prefixes 10.2.0.0/16 \ + --delegations Microsoft.ContainerInstance/containerGroups + +az network public-ip create --name ${PUBLIC_IP_ADDRESS_NAME} --resource-group ${RESOURCE_GROUP} --sku standard --allocation static + +az network nat gateway create \ + --resource-group ${RESOURCE_GROUP} \ + --name ${NAT_GATEWAY_NAME} \ + --public-ip-addresses ${PUBLIC_IP_ADDRESS_NAME} \ + --idle-timeout 4 + +az network vnet subnet update \ + --resource-group ${RESOURCE_GROUP} \ + --vnet-name ${VNET_NAME} \ + --name cg \ + --nat-gateway ${NAT_GATEWAY_NAME} + +export AKS_SUBNET_ID=$(az network vnet subnet show \ + --resource-group ${RESOURCE_GROUP} \ + --vnet-name ${VNET_NAME} \ + --name aks \ + --query id \ + --output tsv) + +# Create the AKS cluster +az aks create \ + --resource-group ${RESOURCE_GROUP} \ + --name ${AKS_CLUSTER_NAME} \ + --location ${LOCATION} \ + --kubernetes-version 1.29.13 \ + --network-plugin azure \ + --network-policy calico \ + --vnet-subnet-id ${AKS_SUBNET_ID} \ + --service-cidr 10.4.0.0/16 \ + --dns-service-ip 10.4.0.10 \ + --node-vm-size 
Standard_D4d_v5 \ + --node-count 2 \ + --enable-cluster-autoscaler \ + --min-count 2 \ + --max-count 5 \ + --auto-upgrade-channel patch \ + --enable-managed-identity \ + --nodepool-name oprnodepool \ + --os-sku Ubuntu + +export MANAGED_IDENTITY_PRINCIPAL_ID="$(az aks show --resource-group ${RESOURCE_GROUP} --name ${AKS_CLUSTER_NAME} --query "identityProfile.kubeletidentity.clientId" --output tsv)" + +az role assignment create \ + --assignee ${MANAGED_IDENTITY_PRINCIPAL_ID} \ + --scope /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${AKS_NODE_RESOURCE_GROUP} \ + --role Contributor + +az role assignment create \ + --assignee ${MANAGED_IDENTITY_PRINCIPAL_ID} \ + --scope /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP} \ + --role Contributor + +# Setup AKS Cluster +az aks get-credentials --name ${AKS_CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} +az provider register -n Microsoft.ContainerInstance +git clone git@github.com:microsoft/virtualnodesOnAzureContainerInstances.git +helm install virtualnode virtualnodesOnAzureContainerInstances/Helm/virtualnode +# Wait for virtualnode-0 to appear +echo "Waiting for virtualnode-0 to be ready..." +while ! kubectl get nodes | grep -q "virtualnode-0"; do + echo "virtualnode-0 not found yet, waiting 10 seconds..." + sleep 10 +done +echo "virtualnode-0 is ready!" +kubectl get nodes \ No newline at end of file diff --git a/scripts/aks/start_aks_enclave.sh b/scripts/aks/start_aks_enclave.sh index 2834891f..d880eb9b 100644 --- a/scripts/aks/start_aks_enclave.sh +++ b/scripts/aks/start_aks_enclave.sh 
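Review bot: `git clone git@github.com:microsoft/virtualnodesOnAzureContainerInstances.git` followed by `helm install` deploys whatever is at the tip of a third-party repository into the cluster on every run, and the SSH URL needs a key the runner may not have; clone over HTTPS and check out a reviewed commit before installing. The wait loop after it has no upper bound and only greps for the node name, so a virtual node that never registers holds the job and the billed cluster until the runner times out, and "is ready!" is printed for a node that may still be NotReady. Smaller points in the same file: `MANAGED_IDENTITY_PRINCIPAL_ID` actually holds `identityProfile.kubeletidentity.clientId`, and the kubelet identity is granted `Contributor` on the whole of `${RESOURCE_GROUP}`, which deserves a comment on why that scope is required.

```shell
# … unchanged: az aks get-credentials, az provider register …
VIRTUALNODE_REF="<PINNED_COMMIT_SHA>"  # placeholder: the commit reviewed for this pipeline
git clone https://github.com/microsoft/virtualnodesOnAzureContainerInstances.git
git -C virtualnodesOnAzureContainerInstances checkout --detach "${VIRTUALNODE_REF}"
helm install virtualnode virtualnodesOnAzureContainerInstances/Helm/virtualnode

# Bounded wait: give the node ten minutes to register, then require Ready.
for attempt in $(seq 1 60); do
  kubectl get node virtualnode-0 > /dev/null 2>&1 && break
  echo "virtualnode-0 not found yet (attempt ${attempt}), waiting 10 seconds..."
  sleep 10
done
kubectl wait --for=condition=Ready node/virtualnode-0 --timeout=300s
```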
@@ -8,20 +8,7 @@ fi ROOT="./uid2-shared-actions/scripts" -# below resources should be prepared ahead -export RESOURCE_GROUP="pipeline-vn-aks" -export LOCATION="eastus" -export VNET_NAME="pipeline-vnet" -export PUBLIC_IP_ADDRESS_NAME="pipeline-public-ip" -export NAT_GATEWAY_NAME="pipeline-nat-gateway" -export AKS_CLUSTER_NAME="pipelinevncluster" -export KEYVAULT_NAME="pipeline-vn-aks-vault" -export KEYVAULT_SECRET_NAME="pipeline-vn-aks-opr-key-name" -export MANAGED_IDENTITY="pipeline-vn-aks-opr-id" -export AKS_NODE_RESOURCE_GROUP="MC_${RESOURCE_GROUP}_${AKS_CLUSTER_NAME}_${LOCATION}" -export SUBSCRIPTION_ID="$(az account show --query id --output tsv)" -export DEPLOYMENT_ENV="integ" - +source "${ROOT}/aks/aks_env.sh" source "${ROOT}/healthcheck.sh" # --- Deploy operator service and make sure it starts --- diff --git a/scripts/aks/stop_aks_enclave.sh b/scripts/aks/stop_aks_enclave.sh index 87d7c333..7a641036 100644 --- a/scripts/aks/stop_aks_enclave.sh +++ b/scripts/aks/stop_aks_enclave.sh @@ -1,13 +1,13 @@ #!/usr/bin/env bash set -ex -export RESOURCE_GROUP="pipeline-vn-aks" -export AKS_CLUSTER_NAME="pipelinevncluster" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +source "${SCRIPT_DIR}/aks_env.sh" -az aks get-credentials --name ${AKS_CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} -if kubectl get deployment operator-deployment -o name > /dev/null 2>&1; then - kubectl delete deployment operator-deployment - echo "Deployment 'operator-deployment' deleted." +if az group exists --name ${RESOURCE_GROUP} | grep -q true; then + echo "Deleting resource group '${RESOURCE_GROUP}'..." + az group delete --name ${RESOURCE_GROUP} --yes + echo "Resource group '${RESOURCE_GROUP}' successfully deleted." else - echo "Deployment 'operator-deployment' does not exist." + echo "Resource group '${RESOURCE_GROUP}' does not exist." fi \ No newline at end of file diff --git a/scripts/get_operator_key.sh b/scripts/get_operator_key.sh index e27aa2e2..4fc652a3 100644 
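Review bot: `stop_aks_enclave.sh` now runs `az group delete --name ${RESOURCE_GROUP} --yes` against the fixed name `opr-e2e-vn-aks` from `aks_env.sh`, and every run creates and deletes resources under that same name. Two AKS runs that overlap will share one cluster, and whichever finishes first deletes it under the other. Either serialise AKS runs with a workflow `concurrency:` group or derive the names from the run, e.g. `export RESOURCE_GROUP="opr-e2e-vn-aks-${GITHUB_RUN_ID}"` in `aks_env.sh` (the Key Vault name would need the same treatment within its length limit). `${RESOURCE_GROUP}` should also be quoted in both `az group` calls.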
--- a/scripts/get_operator_key.sh +++ b/scripts/get_operator_key.sh @@ -34,6 +34,10 @@ elif [ "${IDENTITY_SCOPE}" == "EUID" ] && [ "${TARGET_ENVIRONMENT}" == "integ" ] OPERATOR_KEY=${E2E_EUID_INTEG_AWS_OPERATOR_API_KEY} elif [ "${IDENTITY_SCOPE}" == "EUID" ] && [ "${TARGET_ENVIRONMENT}" == "prod" ] && [ "${ENCLAVE_PROTOCOL}" == "aws-nitro" ]; then OPERATOR_KEY=${E2E_EUID_PROD_AWS_OPERATOR_API_KEY} +elif [ "${IDENTITY_SCOPE}" == "UID2" ] && [ "${TARGET_ENVIRONMENT}" == "integ" ] && [ "${ENCLAVE_PROTOCOL}" == "azure-cc" ]; then + OPERATOR_KEY=${E2E_UID2_INTEG_AKS_OPERATOR_KEY} +elif [ "${IDENTITY_SCOPE}" == "UID2" ] && [ "${TARGET_ENVIRONMENT}" == "prod" ] && [ "${ENCLAVE_PROTOCOL}" == "azure-cc" ]; then + OPERATOR_KEY=${E2E_UID2_PROD_AKS_OPERATOR_KEY} else echo "Arguments not supported: IDENTITY_SCOPE=${IDENTITY_SCOPE}, TARGET_ENVIRONMENT=${TARGET_ENVIRONMENT}, ENCLAVE_PROTOCOL=${ENCLAVE_PROTOCOL}" exit 1 From ebc68efdf5e65f441ba824562cfbc18102f35759 Mon Sep 17 00:00:00 2001 
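Review bot: The new `azure-cc` branches cover only `UID2` with `integ` or `prod`, but the workflow step added in this patch calls the script with `ENCLAVE_PROTOCOL: azure-cc` for every `operator_type == 'aks'` run, and `prepare_aks_artifacts.sh` still accepts `TARGET_ENVIRONMENT=mock`. Unless a branch above this hunk handles that combination, a mock AKS run (or any `EUID` one) ends in `Arguments not supported` and `exit 1`. Add the missing branch, or a comment stating that AKS E2E supports UID2 integ and prod only. The rest of the `if` chain and the part that publishes `OPERATOR_KEY` as a step output are outside this hunk.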
From: Katherine Chen Date: Wed, 18 Feb 2026 11:34:51 +1100 Subject: [PATCH 03/27] Use relative paths rather than hardcoded uid2-shared-actions/scripts paths --- actions/prepare_aks_metadata/action.yaml | 6 +++--- actions/prepare_aws_metadata/action.yaml | 4 ++-- actions/prepare_azure_metadata/action.yaml | 6 +++--- actions/prepare_gcp_metadata/action.yaml | 6 +++--- actions/start_aks_cluster/action.yaml | 2 +- actions/start_aks_private_operator/action.yaml | 2 +- actions/start_aws_private_operator/action.yaml | 4 ++-- actions/start_azure_private_operator/action.yaml | 2 +- actions/start_gcp_private_operator/action.yaml | 2 +- actions/stop_aks_private_operator/action.yaml | 2 +- actions/stop_aws_private_operator/action.yaml | 2 +- actions/stop_azure_private_operator/action.yaml | 2 +- actions/stop_gcp_private_operator/action.yaml | 2 +- scripts/aks/start_aks_enclave.sh | 6 +++--- scripts/aws/start_aws_enclave.sh | 10 +++++----- scripts/azure/prepare_azure_artifacts.sh | 6 +++--- scripts/azure/start_azure_enclave.sh | 6 +++--- scripts/gcp/start_gcp_enclave.sh | 4 ++-- 18 files changed, 37 insertions(+), 37 deletions(-) diff --git a/actions/prepare_aks_metadata/action.yaml b/actions/prepare_aks_metadata/action.yaml index 909a82b7..ea622e11 100644 --- a/actions/prepare_aks_metadata/action.yaml +++ b/actions/prepare_aks_metadata/action.yaml @@ -41,7 +41,7 @@ runs: TARGET_ENVIRONMENT: ${{ inputs.target_environment }} OPERATOR_KEY: ${{ inputs.operator_key }} run: | - bash uid2-shared-actions/scripts/aks/prepare_aks_artifacts.sh + bash ${{ github.action_path }}/../../scripts/aks/prepare_aks_artifacts.sh - name: Prepare AKS enclave ID id: enclave_id @@ -49,7 +49,7 @@ runs: env: POLICY_DIGEST_FILE: ${{ steps.enclave_artifacts.outputs.policy_digest_file }} run: | - bash uid2-shared-actions/scripts/aks/prepare_aks_enclave_id.sh + bash ${{ github.action_path }}/../../scripts/aks/prepare_aks_enclave_id.sh - name: Prepare AKS enclave metadata id: enclave_metadata 
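Review bot: `bash ${{ github.action_path }}/../../scripts/aks/prepare_aks_artifacts.sh` has the expression substituted into the script text before bash parses it, and unquoted, so a path containing spaces or shell metacharacters is word-split or interpreted. The runner exports the same value as an environment variable, which is the safer form: `bash "${GITHUB_ACTION_PATH}/../../scripts/aks/prepare_aks_artifacts.sh"`. The same applies to every `run:` line this patch rewrites in the other `actions/*/action.yaml` files; the `path:` input in `start_aws_private_operator` is not shell and can stay an expression.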
@@ -58,4 +58,4 @@ runs: ENCLAVE_ID: ${{ steps.enclave_id.outputs.enclave_id }} ENCLAVE_PROTOCOL: azure-cc run: | - bash uid2-shared-actions/scripts/save_enclave_id_to_admin.sh + bash ${{ github.action_path }}/../../scripts/save_enclave_id_to_admin.sh diff --git a/actions/prepare_aws_metadata/action.yaml b/actions/prepare_aws_metadata/action.yaml index 3dd20c5c..4913b81b 100644 --- a/actions/prepare_aws_metadata/action.yaml +++ b/actions/prepare_aws_metadata/action.yaml @@ -29,7 +29,7 @@ runs: ENCLAVE_ID: ${{ inputs.aws_pcr0 }} ENCLAVE_PROTOCOL: aws-nitro run: | - bash uid2-shared-actions/scripts/save_enclave_id_to_admin.sh + bash ${{ github.action_path }}/../../scripts/save_enclave_id_to_admin.sh - name: Get operator key id: operator_key @@ -39,4 +39,4 @@ runs: TARGET_ENVIRONMENT: ${{ inputs.target_environment }} ENCLAVE_PROTOCOL: aws-nitro run: | - bash ./uid2-shared-actions/scripts/get_operator_key.sh + bash ${{ github.action_path }}/../../scripts/get_operator_key.sh diff --git a/actions/prepare_azure_metadata/action.yaml b/actions/prepare_azure_metadata/action.yaml index f1d739d6..3e3ef2a4 100644 --- a/actions/prepare_azure_metadata/action.yaml +++ b/actions/prepare_azure_metadata/action.yaml @@ -31,7 +31,7 @@ runs: env: IMAGE_VERSION: ${{ inputs.operator_image_version }} run: | - bash uid2-shared-actions/scripts/azure/prepare_azure_artifacts.sh + bash ${{ github.action_path }}/../../scripts/azure/prepare_azure_artifacts.sh - name: Prepare Azure enclave ID id: enclave_id @@ -39,7 +39,7 @@ runs: env: POLICY_DIGEST_FILE: ${{ steps.enclave_artifacts.outputs.policy_digest_file }} run: | - bash uid2-shared-actions/scripts/azure/prepare_azure_enclave_id.sh + bash ${{ github.action_path }}/../../scripts/azure/prepare_azure_enclave_id.sh - name: Prepare Azure enclave metadata id: enclave_metadata 
@@ -49,4 +49,4 @@ runs: ENCLAVE_ID: ${{ steps.enclave_id.outputs.enclave_id }} ENCLAVE_PROTOCOL: azure-cc run: | - bash uid2-shared-actions/scripts/save_enclave_id_to_admin.sh + bash ${{ github.action_path }}/../../scripts/save_enclave_id_to_admin.sh diff --git a/actions/prepare_gcp_metadata/action.yaml b/actions/prepare_gcp_metadata/action.yaml index fb950237..517ac678 100644 --- a/actions/prepare_gcp_metadata/action.yaml +++ b/actions/prepare_gcp_metadata/action.yaml @@ -69,7 +69,7 @@ runs: env: IMAGE_HASH: ${{ steps.image_digest.outputs.image_hash }} run: | - bash uid2-shared-actions/scripts/gcp/prepare_gcp_enclave_id.sh + bash ${{ github.action_path }}/../../scripts/gcp/prepare_gcp_enclave_id.sh - name: Prepare GCP enclave metadata id: enclave_metadata @@ -79,7 +79,7 @@ runs: ENCLAVE_ID: ${{ steps.enclave_id.outputs.enclave_id }} ENCLAVE_PROTOCOL: gcp-oidc run: | - bash uid2-shared-actions/scripts/save_enclave_id_to_admin.sh + bash ${{ github.action_path }}/../../scripts/save_enclave_id_to_admin.sh - name: Get operator key id: operator_key @@ -89,4 +89,4 @@ runs: TARGET_ENVIRONMENT: ${{ inputs.target_environment }} ENCLAVE_PROTOCOL: gcp-oidc run: | - bash ./uid2-shared-actions/scripts/get_operator_key.sh + bash ${{ github.action_path }}/../../scripts/get_operator_key.sh diff --git a/actions/start_aks_cluster/action.yaml b/actions/start_aks_cluster/action.yaml index 37213bd5..645a944c 100644 --- a/actions/start_aks_cluster/action.yaml +++ b/actions/start_aks_cluster/action.yaml @@ -20,4 +20,4 @@ runs: id: start_aks shell: bash run: | - bash uid2-shared-actions/scripts/aks/start_aks_cluster.sh + bash ${{ github.action_path }}/../../scripts/aks/start_aks_cluster.sh diff --git a/actions/start_aks_private_operator/action.yaml b/actions/start_aks_private_operator/action.yaml index 10b122ae..a9a86d9e 100644 --- a/actions/start_aks_private_operator/action.yaml +++ b/actions/start_aks_private_operator/action.yaml 
@@ -30,4 +30,4 @@ runs: env: TEMPLATE_FILE: ${{ inputs.template_file }} run: | - bash uid2-shared-actions/scripts/aks/start_aks_enclave.sh + bash ${{ github.action_path }}/../../scripts/aks/start_aks_enclave.sh diff --git a/actions/start_aws_private_operator/action.yaml b/actions/start_aws_private_operator/action.yaml index 0ba3d324..925baada 100644 --- a/actions/start_aws_private_operator/action.yaml +++ b/actions/start_aws_private_operator/action.yaml @@ -47,7 +47,7 @@ runs: - name: Install Python dependencies uses: py-actions/py-dependency-install@v4 with: - path: ./uid2-shared-actions/scripts/aws/requirements.txt + path: ${{ github.action_path }}/../../scripts/aws/requirements.txt - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 @@ -70,4 +70,4 @@ runs: TARGET_ENVIRONMENT: ${{ inputs.target_environment }} OPERATOR_KEY: ${{ inputs.operator_key }} run: | - bash uid2-shared-actions/scripts/aws/start_aws_enclave.sh + bash ${{ github.action_path }}/../../scripts/aws/start_aws_enclave.sh diff --git a/actions/start_azure_private_operator/action.yaml b/actions/start_azure_private_operator/action.yaml index d1fbd6f1..a149b54e 100644 --- a/actions/start_azure_private_operator/action.yaml +++ b/actions/start_azure_private_operator/action.yaml @@ -49,4 +49,4 @@ runs: PARAMETERS_FILE: ${{ inputs.parameters_file }} TARGET_ENVIRONMENT: ${{ inputs.target_environment }} run: | - bash uid2-shared-actions/scripts/azure/start_azure_enclave.sh + bash ${{ github.action_path }}/../../scripts/azure/start_azure_enclave.sh diff --git a/actions/start_gcp_private_operator/action.yaml b/actions/start_gcp_private_operator/action.yaml index 3873a175..e955b978 100644 --- a/actions/start_gcp_private_operator/action.yaml +++ b/actions/start_gcp_private_operator/action.yaml 
@@ -44,4 +44,4 @@ runs: OPERATOR_KEY: ${{ inputs.operator_key }} IMAGE_HASH: ${{ inputs.image_hash }} run: | - bash uid2-shared-actions/scripts/gcp/start_gcp_enclave.sh + bash ${{ github.action_path }}/../../scripts/gcp/start_gcp_enclave.sh diff --git a/actions/stop_aks_private_operator/action.yaml b/actions/stop_aks_private_operator/action.yaml index a41dcaae..e080ea46 100644 --- a/actions/stop_aks_private_operator/action.yaml +++ b/actions/stop_aks_private_operator/action.yaml @@ -19,4 +19,4 @@ runs: - name: Stop AKS private operator shell: bash run: | - bash uid2-shared-actions/scripts/aks/stop_aks_enclave.sh + bash ${{ github.action_path }}/../../scripts/aks/stop_aks_enclave.sh diff --git a/actions/stop_aws_private_operator/action.yaml b/actions/stop_aws_private_operator/action.yaml index e2ebf29d..cee70226 100644 --- a/actions/stop_aws_private_operator/action.yaml +++ b/actions/stop_aws_private_operator/action.yaml @@ -27,4 +27,4 @@ runs: AWS_STACK_NAME: ${{ inputs.aws_stack_name }} AWS_REGION: ${{ inputs.aws_region }} run: | - bash uid2-shared-actions/scripts/aws/stop_aws_enclave.sh + bash ${{ github.action_path }}/../../scripts/aws/stop_aws_enclave.sh diff --git a/actions/stop_azure_private_operator/action.yaml b/actions/stop_azure_private_operator/action.yaml index 14f8c071..9c73aaaf 100644 --- a/actions/stop_azure_private_operator/action.yaml +++ b/actions/stop_azure_private_operator/action.yaml @@ -24,4 +24,4 @@ runs: env: AZURE_CONTAINER_GROUP_NAME: ${{ inputs.azure_container_group_name }} run: | - bash uid2-shared-actions/scripts/azure/stop_azure_enclave.sh + bash ${{ github.action_path }}/../../scripts/azure/stop_azure_enclave.sh diff --git a/actions/stop_gcp_private_operator/action.yaml b/actions/stop_gcp_private_operator/action.yaml index b75bbe17..9a2b8be3 100644 --- a/actions/stop_gcp_private_operator/action.yaml +++ b/actions/stop_gcp_private_operator/action.yaml 
@@ -48,4 +48,4 @@ runs: SERVICE_ACCOUNT: ${{ inputs.gcp_service_account }} GCP_INSTANCE_NAME: ${{ inputs.gcp_instance_name }} run: | - bash uid2-shared-actions/scripts/gcp/stop_gcp_enclave.sh + bash ${{ github.action_path }}/../../scripts/gcp/stop_gcp_enclave.sh diff --git a/scripts/aks/start_aks_enclave.sh b/scripts/aks/start_aks_enclave.sh index d880eb9b..269b8522 100644 --- a/scripts/aks/start_aks_enclave.sh +++ b/scripts/aks/start_aks_enclave.sh @@ -6,10 +6,10 @@ if [[ ! -f ${TEMPLATE_FILE} ]]; then exit 1 fi -ROOT="./uid2-shared-actions/scripts" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -source "${ROOT}/aks/aks_env.sh" -source "${ROOT}/healthcheck.sh" +source "${SCRIPT_DIR}/aks_env.sh" +source "${SCRIPT_DIR}/../healthcheck.sh" # --- Deploy operator service and make sure it starts --- az aks get-credentials --name ${AKS_CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} diff --git a/scripts/aws/start_aws_enclave.sh b/scripts/aws/start_aws_enclave.sh index 9458f071..0ad0fb33 100644 --- a/scripts/aws/start_aws_enclave.sh +++ b/scripts/aws/start_aws_enclave.sh @@ -41,9 +41,9 @@ if [ -z "${OPERATOR_KEY}" ]; then exit 1 fi -ROOT="./uid2-shared-actions/scripts" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -source "${ROOT}/healthcheck.sh" +source "${SCRIPT_DIR}/../healthcheck.sh" DATE=$(date '+%Y%m%d%H%M%S') AWS_STACK_NAME="uid2-operator-e2e-${AWS_AMI}-${DATE}" @@ -66,8 +66,8 @@ case "${IDENTITY_SCOPE}" in exit 1 ;; esac -python ${ROOT}/aws/create_cloudformation_stack.py \ - --stack_fp "${ROOT}/aws/stacks" \ +python ${SCRIPT_DIR}/create_cloudformation_stack.py \ + --stack_fp "${SCRIPT_DIR}/stacks" \ --cftemplate_fp "../uid2-operator/scripts/aws" \ --core_url "${BORE_URL_CORE}" \ --optout_url "${BORE_URL_OPTOUT}" \ 
@@ -84,7 +84,7 @@ aws cloudformation describe-stacks \ --region "${AWS_REGION}" # Get public URL -AWS_INSTANCE_URL=$(python ${ROOT}/aws/get_instance_url.py \ +AWS_INSTANCE_URL=$(python ${SCRIPT_DIR}/get_instance_url.py \ --region "${AWS_REGION}" \ --stack "${AWS_STACK_NAME}") diff --git a/scripts/azure/prepare_azure_artifacts.sh b/scripts/azure/prepare_azure_artifacts.sh index 79e48945..7aa5801f 100644 --- a/scripts/azure/prepare_azure_artifacts.sh +++ b/scripts/azure/prepare_azure_artifacts.sh @@ -1,9 +1,9 @@ #!/usr/bin/env bash set -ex -ROOT="./uid2-shared-actions/scripts/azure" -INPUT_DIR="${ROOT}/artifacts_schema" -OUTPUT_DIR="${ROOT}/azure-artifacts" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +INPUT_DIR="${SCRIPT_DIR}/artifacts_schema" +OUTPUT_DIR="${SCRIPT_DIR}/azure-artifacts" if [ -z "${IMAGE_VERSION}" ]; then echo "IMAGE_VERSION can not be empty" diff --git a/scripts/azure/start_azure_enclave.sh b/scripts/azure/start_azure_enclave.sh index c6064818..7cd65996 100644 --- a/scripts/azure/start_azure_enclave.sh +++ b/scripts/azure/start_azure_enclave.sh @@ -27,10 +27,10 @@ if [ -z "${TARGET_ENVIRONMENT}" ]; then fi # Below resources should be prepared ahead -ROOT="./uid2-shared-actions/scripts" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -source "${ROOT}/jq_helper.sh" -source "${ROOT}/healthcheck.sh" +source "${SCRIPT_DIR}/../jq_helper.sh" +source "${SCRIPT_DIR}/../healthcheck.sh" RESOURCE_GROUP="uid-enclave-ci-cd" IDENTITY="uid-operator" diff --git a/scripts/gcp/start_gcp_enclave.sh b/scripts/gcp/start_gcp_enclave.sh index 7c56db8c..6174d505 100644 --- a/scripts/gcp/start_gcp_enclave.sh +++ b/scripts/gcp/start_gcp_enclave.sh 
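Review bot: `OUTPUT_DIR="${SCRIPT_DIR}/azure-artifacts"` in `prepare_azure_artifacts.sh` now writes the generated artifacts next to the script, which, when the action is consumed through `uses:`, is the runner's downloaded copy of the action rather than the workspace checkout. On a persistent runner that directory can outlive the job, so stale artifacts from an earlier run could be picked up, and it may not be writable at all. Keeping inputs relative to the script but outputs in the job's own space, e.g. `OUTPUT_DIR="${RUNNER_TEMP}/azure-artifacts"`, avoids both. Whether later steps depend on the old location is not visible in this hunk.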
@@ -31,11 +31,11 @@ if [ -z "${IMAGE_HASH}" ]; then exit 1 fi -ROOT="./uid2-shared-actions/scripts" +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" GCP_INSTANCE_NAME="ci-test-${RANDOM}" OPERATOR_KEY_SECRET_NAME=${GCP_INSTANCE_NAME} -source "${ROOT}/healthcheck.sh" +source "${SCRIPT_DIR}/../healthcheck.sh" gcloud config set project ${GCP_PROJECT} From 50250c49361705466c9c707d7f2cdfa3950e2c80 Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Wed, 18 Feb 2026 11:38:30 +1100 Subject: [PATCH 04/27] Set subscription to 63e97a70-d825-4b08-af6d-c0d8ad98bed3 --- scripts/aks/aks_env.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/aks/aks_env.sh b/scripts/aks/aks_env.sh index 6e31a64c..0b7a0542 100644 --- a/scripts/aks/aks_env.sh +++ b/scripts/aks/aks_env.sh @@ -1,6 +1,9 @@ #!/usr/bin/env bash # Common AKS environment variables used by multiple scripts +# Set the correct subscription for AKS E2E tests +az account set --subscription "63e97a70-d825-4b08-af6d-c0d8ad98bed3" + export RESOURCE_GROUP="opr-e2e-vn-aks" export LOCATION="eastus" export VNET_NAME="opr-e2e-vnet" From c515d2b942517ebdd057be03b842f3ae8f3c40c9 Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Wed, 18 Feb 2026 11:58:04 +1100 Subject: [PATCH 05/27] Update k8s version --- scripts/aks/start_aks_cluster.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/aks/start_aks_cluster.sh b/scripts/aks/start_aks_cluster.sh index 9ae87c93..409cfdfb 100644 --- a/scripts/aks/start_aks_cluster.sh +++ b/scripts/aks/start_aks_cluster.sh @@ -61,7 +61,7 @@ az aks create \ --resource-group ${RESOURCE_GROUP} \ --name ${AKS_CLUSTER_NAME} \ --location ${LOCATION} \ - --kubernetes-version 1.29.13 \ + --kubernetes-version 1.33 \ --network-plugin azure \ --network-policy calico \ --vnet-subnet-id ${AKS_SUBNET_ID} \ From 95f645162b935f6ea0c1205247123ea12299f361 Mon Sep 17 00:00:00 2001 
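Review bot: In the `aks_env.sh` hunk, `az account set` now runs as a side effect of sourcing the file and its exit status is not checked in the lines shown. If the call fails in a script that sources this file without `set -e`, the following `az` commands would run against whatever subscription the login defaulted to. Appending `|| return 1` to that line makes the failure stop the sourcing script, and a one-line comment such as `# Sourcing this file switches the active az subscription` would warn the next reader that this is not a pure variable file. Consider also taking the subscription ID from the caller's environment rather than hard-coding it here.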
From: Katherine Chen Date: Wed, 18 Feb 2026 11:59:53 +1100 Subject: [PATCH 06/27] Stop AKS operator --- .github/workflows/shared-run-e2e-tests.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/shared-run-e2e-tests.yaml b/.github/workflows/shared-run-e2e-tests.yaml index d3aec75d..516f5fbe 100644 --- a/.github/workflows/shared-run-e2e-tests.yaml +++ b/.github/workflows/shared-run-e2e-tests.yaml @@ -401,6 +401,6 @@ jobs: - name: Stop AKS operator if: ${{ inputs.operator_type == 'aks' }} - uses: IABTechLab/uid2-shared-actions/actions/stop_aks_private_operator@v3 + uses: IABTechLab/uid2-shared-actions/actions/stop_aks_private_operator@kcc-UID2-6321-reenable-aks-e2e with: azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} From f42d72cc37aec7d450af8252745ea8ddad0c6818 Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Wed, 18 Feb 2026 13:07:00 +1100 Subject: [PATCH 07/27] Update AKS_CLUSTER_NAME name --- scripts/aks/aks_env.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/scripts/aks/aks_env.sh b/scripts/aks/aks_env.sh index 0b7a0542..9192f4fe 100644 --- a/scripts/aks/aks_env.sh +++ b/scripts/aks/aks_env.sh @@ -9,11 +9,10 @@ export LOCATION="eastus" export VNET_NAME="opr-e2e-vnet" export PUBLIC_IP_ADDRESS_NAME="opr-e2e-public-ip" export NAT_GATEWAY_NAME="opr-e2e-nat-gateway" -export AKS_CLUSTER_NAME="opr-e2evncluster" +export AKS_CLUSTER_NAME="opr-e2e-vn-cluster" export KEYVAULT_NAME="opr-e2e-vn-aks-vault" export KEYVAULT_SECRET_NAME="opr-e2e-vn-aks-opr-key-name" export MANAGED_IDENTITY="opr-e2e-vn-aks-opr-id" export AKS_NODE_RESOURCE_GROUP="MC_${RESOURCE_GROUP}_${AKS_CLUSTER_NAME}_${LOCATION}" export SUBSCRIPTION_ID="$(az account show --query id --output tsv)" export DEPLOYMENT_ENV="integ" - From f1147eb81ea99f62c4c4dcf9c883c58c9f445b54 Mon Sep 17 00:00:00 2001 
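Review bot: The `uses:` line for `stop_aks_private_operator` now references the feature branch `kcc-UID2-6321-reenable-aks-e2e`, a mutable ref, in a step that is handed `secrets.AZURE_CREDENTIALS`. Whatever is pushed to that branch later runs with those credentials in every caller of this shared workflow, and the reference stops resolving once the branch is deleted. Before merge, point it back at the release tag or at a full commit SHA, e.g. `uses: IABTechLab/uid2-shared-actions/actions/stop_aks_private_operator@<COMMIT_SHA_PLACEHOLDER>`. The same applies to the `ref: kcc-UID2-6321-reenable-aks-e2e` checkout inputs and the other `@kcc-UID2-6321-reenable-aks-e2e` action references introduced in later patches of this series.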
From: Katherine Chen Date: Wed, 18 Feb 2026 13:11:27 +1100 Subject: [PATCH 08/27] Wait for managed identity to be available --- scripts/aks/start_aks_cluster.sh | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/scripts/aks/start_aks_cluster.sh b/scripts/aks/start_aks_cluster.sh index 409cfdfb..b4423660 100644 --- a/scripts/aks/start_aks_cluster.sh +++ b/scripts/aks/start_aks_cluster.sh @@ -77,15 +77,24 @@ az aks create \ --nodepool-name oprnodepool \ --os-sku Ubuntu -export MANAGED_IDENTITY_PRINCIPAL_ID="$(az aks show --resource-group ${RESOURCE_GROUP} --name ${AKS_CLUSTER_NAME} --query "identityProfile.kubeletidentity.clientId" --output tsv)" +# Get the managed identity object ID for role assignments +export MANAGED_IDENTITY_OBJECT_ID="$(az aks show --resource-group ${RESOURCE_GROUP} --name ${AKS_CLUSTER_NAME} --query "identityProfile.kubeletidentity.objectId" --output tsv)" -az role assignment create \ - --assignee ${MANAGED_IDENTITY_PRINCIPAL_ID} \ +# Wait for managed identity to be available in AAD and create role assignments +echo "Waiting for managed identity to be available in AAD..." +until az role assignment create \ + --assignee-object-id ${MANAGED_IDENTITY_OBJECT_ID} \ + --assignee-principal-type ServicePrincipal \ --scope /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${AKS_NODE_RESOURCE_GROUP} \ - --role Contributor + --role Contributor 2>/dev/null; do + echo "Managed identity not yet available, waiting 10 seconds..." + sleep 10 +done +echo "First role assignment created successfully." az role assignment create \ - --assignee ${MANAGED_IDENTITY_PRINCIPAL_ID} \ + --assignee-object-id ${MANAGED_IDENTITY_OBJECT_ID} \ + --assignee-principal-type ServicePrincipal \ --scope /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP} \ --role Contributor From f9a1b0028d13b4054fea9504021351edbb4c9210 Mon Sep 17 00:00:00 2001 
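Review bot: The new `until az role assignment create … 2>/dev/null` loop has no attempt limit and discards stderr, so a permanent failure (missing permission to assign roles, wrong scope, bad object ID) looks identical to "identity not yet propagated" and spins until the job times out with nothing in the log. Bound the retries and keep stderr, as the public-IP wait added later in this series does, and quote the expansions while the block is being rewritten. The second assignment on `${RESOURCE_GROUP}` is unchanged by this suggestion; it is worth confirming separately that the kubelet identity needs `Contributor` on both resource groups rather than a narrower role.
```shell
# Bounded retry; stderr is kept so a permission or scope error is visible in the log
for attempt in {1..30}; do
  if az role assignment create \
    --assignee-object-id "${MANAGED_IDENTITY_OBJECT_ID}" \
    --assignee-principal-type ServicePrincipal \
    --scope "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${AKS_NODE_RESOURCE_GROUP}" \
    --role Contributor; then
    echo "First role assignment created successfully."
    break
  fi
  if [ "${attempt}" -eq 30 ]; then
    echo "ERROR: role assignment still failing after 30 attempts" >&2
    exit 1
  fi
  echo "Managed identity not yet available, waiting 10 seconds..."
  sleep 10
done
# … unchanged: second role assignment on ${RESOURCE_GROUP} …
```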
From: Katherine Chen Date: Wed, 18 Feb 2026 13:18:24 +1100 Subject: [PATCH 09/27] Use kcc-UID2-6321-reenable-aks-e2e to checkout shared repo --- .github/workflows/shared-run-e2e-tests.yaml | 4 ++-- scripts/aks/aks_env.sh | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/shared-run-e2e-tests.yaml b/.github/workflows/shared-run-e2e-tests.yaml index 516f5fbe..8d384522 100644 --- a/.github/workflows/shared-run-e2e-tests.yaml +++ b/.github/workflows/shared-run-e2e-tests.yaml @@ -372,7 +372,7 @@ jobs: - name: Checkout uid2-shared-actions repo uses: actions/checkout@v4 with: - ref: v3 + ref: kcc-UID2-6321-reenable-aks-e2e repository: IABTechLab/uid2-shared-actions path: uid2-shared-actions @@ -399,7 +399,7 @@ jobs: aws_stack_name: ${{ needs.e2e-test.outputs.aws_stack_name }} aws_region: ${{ inputs.aws_region }} - - name: Stop AKS operator + - name: Stop AKS private operator if: ${{ inputs.operator_type == 'aks' }} uses: IABTechLab/uid2-shared-actions/actions/stop_aks_private_operator@kcc-UID2-6321-reenable-aks-e2e with: diff --git a/scripts/aks/aks_env.sh b/scripts/aks/aks_env.sh index 9192f4fe..dc0407c9 100644 --- a/scripts/aks/aks_env.sh +++ b/scripts/aks/aks_env.sh @@ -16,3 +16,5 @@ export MANAGED_IDENTITY="opr-e2e-vn-aks-opr-id" export AKS_NODE_RESOURCE_GROUP="MC_${RESOURCE_GROUP}_${AKS_CLUSTER_NAME}_${LOCATION}" export SUBSCRIPTION_ID="$(az account show --query id --output tsv)" export DEPLOYMENT_ENV="integ" + +az aks get-credentials --name ${AKS_CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} \ No newline at end of file From a9e56167c46b5850636df2363aa8a8b29756ce58 Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Wed, 18 Feb 2026 13:36:25 +1100 Subject: [PATCH 10/27] Use kcc-UID2-6321-reenable-aks-e2e --- .github/workflows/shared-run-e2e-tests.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/shared-run-e2e-tests.yaml b/.github/workflows/shared-run-e2e-tests.yaml index 8d384522..db188e62 100644 --- a/.github/workflows/shared-run-e2e-tests.yaml +++ b/.github/workflows/shared-run-e2e-tests.yaml @@ -151,7 +151,7 @@ jobs: - name: Checkout uid2-shared-actions repo uses: actions/checkout@v4 with: - ref: v3 + ref: kcc-UID2-6321-reenable-aks-e2e repository: IABTechLab/uid2-shared-actions path: uid2-shared-actions From 79ed9368bb067461bbc6b074629e6af1f8080b6b Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Wed, 18 Feb 2026 13:39:41 +1100 Subject: [PATCH 11/27] Check if AKS cluster already exists and skips creation if it does --- scripts/aks/aks_env.sh | 4 +-- scripts/aks/start_aks_cluster.sh | 45 ++++++++++++++++++-------------- 2 files changed, 26 insertions(+), 23 deletions(-) diff --git a/scripts/aks/aks_env.sh b/scripts/aks/aks_env.sh index dc0407c9..af6d32dc 100644 --- a/scripts/aks/aks_env.sh +++ b/scripts/aks/aks_env.sh @@ -15,6 +15,4 @@ export KEYVAULT_SECRET_NAME="opr-e2e-vn-aks-opr-key-name" export MANAGED_IDENTITY="opr-e2e-vn-aks-opr-id" export AKS_NODE_RESOURCE_GROUP="MC_${RESOURCE_GROUP}_${AKS_CLUSTER_NAME}_${LOCATION}" export SUBSCRIPTION_ID="$(az account show --query id --output tsv)" -export DEPLOYMENT_ENV="integ" - -az aks get-credentials --name ${AKS_CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} \ No newline at end of file +export DEPLOYMENT_ENV="integ" \ No newline at end of file diff --git a/scripts/aks/start_aks_cluster.sh b/scripts/aks/start_aks_cluster.sh index b4423660..d033ecb6 100644 --- a/scripts/aks/start_aks_cluster.sh +++ b/scripts/aks/start_aks_cluster.sh 
@@ -56,26 +56,31 @@ export AKS_SUBNET_ID=$(az network vnet subnet show \ --query id \ --output tsv) -# Create the AKS cluster -az aks create \ - --resource-group ${RESOURCE_GROUP} \ - --name ${AKS_CLUSTER_NAME} \ - --location ${LOCATION} \ - --kubernetes-version 1.33 \ - --network-plugin azure \ - --network-policy calico \ - --vnet-subnet-id ${AKS_SUBNET_ID} \ - --service-cidr 10.4.0.0/16 \ - --dns-service-ip 10.4.0.10 \ - --node-vm-size Standard_D4d_v5 \ - --node-count 2 \ - --enable-cluster-autoscaler \ - --min-count 2 \ - --max-count 5 \ - --auto-upgrade-channel patch \ - --enable-managed-identity \ - --nodepool-name oprnodepool \ - --os-sku Ubuntu +# Create the AKS cluster if it doesn't exist +if az aks show --resource-group ${RESOURCE_GROUP} --name ${AKS_CLUSTER_NAME} &>/dev/null; then + echo "AKS cluster '${AKS_CLUSTER_NAME}' already exists, skipping creation." +else + echo "Creating AKS cluster '${AKS_CLUSTER_NAME}'..." + az aks create \ + --resource-group ${RESOURCE_GROUP} \ + --name ${AKS_CLUSTER_NAME} \ + --location ${LOCATION} \ + --kubernetes-version 1.33 \ + --network-plugin azure \ + --network-policy calico \ + --vnet-subnet-id ${AKS_SUBNET_ID} \ + --service-cidr 10.4.0.0/16 \ + --dns-service-ip 10.4.0.10 \ + --node-vm-size Standard_D4d_v5 \ + --node-count 2 \ + --enable-cluster-autoscaler \ + --min-count 2 \ + --max-count 5 \ + --auto-upgrade-channel patch \ + --enable-managed-identity \ + --nodepool-name oprnodepool \ + --os-sku Ubuntu +fi # Get the managed identity object ID for role assignments export MANAGED_IDENTITY_OBJECT_ID="$(az aks show --resource-group ${RESOURCE_GROUP} --name ${AKS_CLUSTER_NAME} --query "identityProfile.kubeletidentity.objectId" --output tsv)" From 01ad9be6c1e5a2664caf93fa427d5264177e6ea3 Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Wed, 18 Feb 2026 13:55:00 +1100 Subject: [PATCH 12/27] Change from ssh to https --- scripts/aks/start_aks_cluster.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
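Review bot: The existence check `az aks show … &>/dev/null` skips creation for any cluster that answers, including one left in a failed or half-deleted state by an earlier run, and the script then goes on to assign roles and install into it. Skip only when the cluster is usable, for example by reading the state first with `state="$(az aks show --resource-group "${RESOURCE_GROUP}" --name "${AKS_CLUSTER_NAME}" --query provisioningState --output tsv 2>/dev/null)"` and testing `[ "${state}" = "Succeeded" ]`. A reused cluster also keeps whatever configuration it was created with, so the flags in the `else` branch (Kubernetes version, network policy) are not guaranteed for it; a comment saying so would help.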
diff --git a/scripts/aks/start_aks_cluster.sh b/scripts/aks/start_aks_cluster.sh index d033ecb6..d8c39a63 100644 --- a/scripts/aks/start_aks_cluster.sh +++ b/scripts/aks/start_aks_cluster.sh @@ -106,7 +106,7 @@ az role assignment create \ # Setup AKS Cluster az aks get-credentials --name ${AKS_CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} az provider register -n Microsoft.ContainerInstance -git clone git@github.com:microsoft/virtualnodesOnAzureContainerInstances.git +git clone https://github.com/microsoft/virtualnodesOnAzureContainerInstances.git helm install virtualnode virtualnodesOnAzureContainerInstances/Helm/virtualnode # Wait for virtualnode-0 to appear echo "Waiting for virtualnode-0 to be ready..." From 80220f04bf4c85ab7d3dbade787b2c9d620242cc Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Wed, 18 Feb 2026 14:27:25 +1100 Subject: [PATCH 13/27] Create new AKS cluster if duplicated --- scripts/aks/aks_env.sh | 38 ++++++++++++++++++++++++++++---------- 1 file changed, 28 insertions(+), 10 deletions(-) diff --git a/scripts/aks/aks_env.sh b/scripts/aks/aks_env.sh index af6d32dc..2e075298 100644 --- a/scripts/aks/aks_env.sh +++ b/scripts/aks/aks_env.sh 
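Review bot: The `git clone` of `virtualnodesOnAzureContainerInstances` takes whatever the default branch holds at run time, and the next line installs the Helm chart from that checkout into the cluster. Pin the clone to a reviewed tag or commit so a change upstream cannot alter what gets deployed with the cluster credentials, e.g. `git clone --depth 1 --branch <TAG_PLACEHOLDER> https://github.com/microsoft/virtualnodesOnAzureContainerInstances.git`. Now that cluster creation can be skipped on a re-run, the clone and `helm install` lines will also fail if the directory or release already exists; the rest of the script is outside the hunk, so that is worth checking there.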
@@ -4,15 +4,33 @@ # Set the correct subscription for AKS E2E tests az account set --subscription "63e97a70-d825-4b08-af6d-c0d8ad98bed3" -export RESOURCE_GROUP="opr-e2e-vn-aks" export LOCATION="eastus" -export VNET_NAME="opr-e2e-vnet" -export PUBLIC_IP_ADDRESS_NAME="opr-e2e-public-ip" -export NAT_GATEWAY_NAME="opr-e2e-nat-gateway" -export AKS_CLUSTER_NAME="opr-e2e-vn-cluster" -export KEYVAULT_NAME="opr-e2e-vn-aks-vault" -export KEYVAULT_SECRET_NAME="opr-e2e-vn-aks-opr-key-name" -export MANAGED_IDENTITY="opr-e2e-vn-aks-opr-id" -export AKS_NODE_RESOURCE_GROUP="MC_${RESOURCE_GROUP}_${AKS_CLUSTER_NAME}_${LOCATION}" export SUBSCRIPTION_ID="$(az account show --query id --output tsv)" -export DEPLOYMENT_ENV="integ" \ No newline at end of file +export DEPLOYMENT_ENV="integ" + +# Find an available resource group name +BASE_RESOURCE_GROUP="opr-e2e-vn-aks" +SUFFIX="" +COUNTER=0 + +while true; do + CANDIDATE="${BASE_RESOURCE_GROUP}${SUFFIX}" + if ! az group exists --name "${CANDIDATE}" | grep -q true; then + export RESOURCE_GROUP="${CANDIDATE}" + echo "Using resource group: ${RESOURCE_GROUP}" + break + fi + echo "Resource group '${CANDIDATE}' already exists, trying next..." + COUNTER=$((COUNTER + 1)) + SUFFIX="-${COUNTER}" +done + +# Set dependent variables based on resource group +export VNET_NAME="${RESOURCE_GROUP}-vnet" +export PUBLIC_IP_ADDRESS_NAME="${RESOURCE_GROUP}-public-ip" +export NAT_GATEWAY_NAME="${RESOURCE_GROUP}-nat-gateway" +export AKS_CLUSTER_NAME="${RESOURCE_GROUP}-cluster" +export KEYVAULT_NAME="${RESOURCE_GROUP}-vault" +export KEYVAULT_SECRET_NAME="${RESOURCE_GROUP}-opr-key" +export MANAGED_IDENTITY="${RESOURCE_GROUP}-opr-id" +export AKS_NODE_RESOURCE_GROUP="MC_${RESOURCE_GROUP}_${AKS_CLUSTER_NAME}_${LOCATION}" \ No newline at end of file From 7ff6aa7220329c5e61d7e3d2a0cd26a95486299d Mon Sep 17 00:00:00 2001 
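Review bot: The resource-group search in this hunk picks the first name that does not exist yet, but `aks_env.sh` is sourced separately by several scripts (`prepare_aks_artifacts.sh` and `start_aks_enclave.sh` both source it in this series). Once the first script has created its group, the next script to source the file will skip that name and export a different `RESOURCE_GROUP`, so later steps and teardown would operate on a group that was never created while the real one is left behind. The chosen name needs to be computed once and passed on, for example through an environment variable set by the workflow, rather than re-derived on every source.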
From: Katherine Chen Date: Wed, 18 Feb 2026 14:27:40 +1100 Subject: [PATCH 14/27] Fix soft delete vaults --- scripts/aks/prepare_aks_artifacts.sh | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/scripts/aks/prepare_aks_artifacts.sh b/scripts/aks/prepare_aks_artifacts.sh index 5ef2a2d9..49cafc07 100644 --- a/scripts/aks/prepare_aks_artifacts.sh +++ b/scripts/aks/prepare_aks_artifacts.sh @@ -47,7 +47,16 @@ az aks get-credentials --name ${AKS_CLUSTER_NAME} --resource-group ${RESOURCE_GR # Create managed identity az identity create --name "${MANAGED_IDENTITY}" --resource-group "${RESOURCE_GROUP}" --location "${LOCATION}" # Create key vault with purge protection and RBAC authorization -az keyvault create --name "${KEYVAULT_NAME}" --resource-group "${RESOURCE_GROUP}" --location "${LOCATION}" --enable-purge-protection --enable-rbac-authorization +# Check if vault exists in deleted state and recover it, otherwise create new +if az keyvault show-deleted --name "${KEYVAULT_NAME}" &>/dev/null; then + echo "Key vault '${KEYVAULT_NAME}' exists in deleted state, recovering..." + az keyvault recover --name "${KEYVAULT_NAME}" +elif az keyvault show --name "${KEYVAULT_NAME}" &>/dev/null; then + echo "Key vault '${KEYVAULT_NAME}' already exists." +else + echo "Creating key vault '${KEYVAULT_NAME}'..." + az keyvault create --name "${KEYVAULT_NAME}" --resource-group "${RESOURCE_GROUP}" --location "${LOCATION}" --enable-purge-protection --enable-rbac-authorization +fi # Get keyvault resource ID export KEYVAULT_RESOURCE_ID="$(az keyvault show --resource-group "${RESOURCE_GROUP}" --name "${KEYVAULT_NAME}" --query id --output tsv)" # Set keyvault secret From ef65e625fc319a0f01e731d7eca4e83a1cabda09 Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Wed, 18 Feb 2026 14:46:36 +1100 Subject: [PATCH 15/27] Revert suffix change --- scripts/aks/aks_env.sh | 38 ++++++++++---------------------------- 1 file changed, 10 insertions(+), 28 deletions(-) 
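Review bot: Recovering a soft-deleted vault brings back the secrets and role assignments it held when it was deleted, and the `elif` branch accepts any existing vault of that name; neither path checks that the vault belongs to `${RESOURCE_GROUP}`. The context line that follows calls `az keyvault show --resource-group "${RESOURCE_GROUP}"`, which would fail or read the wrong resource if the recovered vault lives elsewhere. After the recover/exists branches, compare `az keyvault show --name "${KEYVAULT_NAME}" --query resourceGroup --output tsv` with `${RESOURCE_GROUP}` and stop on a mismatch, and add a comment stating that a recovered vault is reused with its previous contents.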
diff --git a/scripts/aks/aks_env.sh b/scripts/aks/aks_env.sh index 2e075298..af6d32dc 100644 --- a/scripts/aks/aks_env.sh +++ b/scripts/aks/aks_env.sh @@ -4,33 +4,15 @@ # Set the correct subscription for AKS E2E tests az account set --subscription "63e97a70-d825-4b08-af6d-c0d8ad98bed3" +export RESOURCE_GROUP="opr-e2e-vn-aks" export LOCATION="eastus" +export VNET_NAME="opr-e2e-vnet" +export PUBLIC_IP_ADDRESS_NAME="opr-e2e-public-ip" +export NAT_GATEWAY_NAME="opr-e2e-nat-gateway" +export AKS_CLUSTER_NAME="opr-e2e-vn-cluster" +export KEYVAULT_NAME="opr-e2e-vn-aks-vault" +export KEYVAULT_SECRET_NAME="opr-e2e-vn-aks-opr-key-name" +export MANAGED_IDENTITY="opr-e2e-vn-aks-opr-id" +export AKS_NODE_RESOURCE_GROUP="MC_${RESOURCE_GROUP}_${AKS_CLUSTER_NAME}_${LOCATION}" export SUBSCRIPTION_ID="$(az account show --query id --output tsv)" -export DEPLOYMENT_ENV="integ" - -# Find an available resource group name -BASE_RESOURCE_GROUP="opr-e2e-vn-aks" -SUFFIX="" -COUNTER=0 - -while true; do - CANDIDATE="${BASE_RESOURCE_GROUP}${SUFFIX}" - if ! az group exists --name "${CANDIDATE}" | grep -q true; then - export RESOURCE_GROUP="${CANDIDATE}" - echo "Using resource group: ${RESOURCE_GROUP}" - break - fi - echo "Resource group '${CANDIDATE}' already exists, trying next..." - COUNTER=$((COUNTER + 1)) - SUFFIX="-${COUNTER}" -done - -# Set dependent variables based on resource group -export VNET_NAME="${RESOURCE_GROUP}-vnet" -export PUBLIC_IP_ADDRESS_NAME="${RESOURCE_GROUP}-public-ip" -export NAT_GATEWAY_NAME="${RESOURCE_GROUP}-nat-gateway" -export AKS_CLUSTER_NAME="${RESOURCE_GROUP}-cluster" -export KEYVAULT_NAME="${RESOURCE_GROUP}-vault" -export KEYVAULT_SECRET_NAME="${RESOURCE_GROUP}-opr-key" -export MANAGED_IDENTITY="${RESOURCE_GROUP}-opr-id" -export AKS_NODE_RESOURCE_GROUP="MC_${RESOURCE_GROUP}_${AKS_CLUSTER_NAME}_${LOCATION}" \ No newline at end of file +export DEPLOYMENT_ENV="integ" \ No newline at end of file From d1cdad29c9997be0813a624d3cc7106cbd20dd00 Mon Sep 17 00:00:00 2001 
From: Katherine Chen Date: Thu, 19 Feb 2026 09:43:00 +1100 Subject: [PATCH 16/27] Use westus temporarly --- scripts/aks/aks_env.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/aks/aks_env.sh b/scripts/aks/aks_env.sh index af6d32dc..6ec19d6a 100644 --- a/scripts/aks/aks_env.sh +++ b/scripts/aks/aks_env.sh @@ -5,7 +5,7 @@ az account set --subscription "63e97a70-d825-4b08-af6d-c0d8ad98bed3" export RESOURCE_GROUP="opr-e2e-vn-aks" -export LOCATION="eastus" +export LOCATION="westus" export VNET_NAME="opr-e2e-vnet" export PUBLIC_IP_ADDRESS_NAME="opr-e2e-public-ip" export NAT_GATEWAY_NAME="opr-e2e-nat-gateway" From 952f18019b29b80bae99d779a1de61b49383bbfb Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Thu, 19 Feb 2026 11:16:15 +1100 Subject: [PATCH 17/27] Add runid to deployment to avoid delayed deletion --- .github/workflows/shared-run-e2e-tests.yaml | 1 + actions/prepare_aks_metadata/action.yaml | 4 ++++ scripts/aks/prepare_aks_artifacts.sh | 7 +++++++ 3 files changed, 12 insertions(+) diff --git a/.github/workflows/shared-run-e2e-tests.yaml b/.github/workflows/shared-run-e2e-tests.yaml index db188e62..a2bdcb38 100644 --- a/.github/workflows/shared-run-e2e-tests.yaml +++ b/.github/workflows/shared-run-e2e-tests.yaml @@ -232,6 +232,7 @@ jobs: bore_url_core: ${{ steps.bore.outputs.bore_url_core }} bore_url_optout: ${{ steps.bore.outputs.bore_url_optout }} operator_key: ${{ steps.get_aks_operator_key.outputs.OPERATOR_KEY }} + run_id: ${{ github.run_id }} - name: Bring up Docker Compose id: docker-compose diff --git a/actions/prepare_aks_metadata/action.yaml b/actions/prepare_aks_metadata/action.yaml index ea622e11..9cef60e3 100644 --- a/actions/prepare_aks_metadata/action.yaml +++ b/actions/prepare_aks_metadata/action.yaml 
@@ -17,6 +17,9 @@ inputs: operator_key: description: The operator key secret for the target environment required: true + run_id: + description: Unique run identifier to avoid Azure resource conflicts + required: true outputs: template_file: description: The template file @@ -40,6 +43,7 @@ runs: IMAGE_VERSION: ${{ inputs.operator_image_version }} TARGET_ENVIRONMENT: ${{ inputs.target_environment }} OPERATOR_KEY: ${{ inputs.operator_key }} + RUN_ID: ${{ inputs.run_id }} run: | bash ${{ github.action_path }}/../../scripts/aks/prepare_aks_artifacts.sh diff --git a/scripts/aks/prepare_aks_artifacts.sh b/scripts/aks/prepare_aks_artifacts.sh index 49cafc07..acc30cd0 100644 --- a/scripts/aks/prepare_aks_artifacts.sh +++ b/scripts/aks/prepare_aks_artifacts.sh @@ -26,6 +26,11 @@ if [ -z "${OPERATOR_KEY}" ]; then exit 1 fi +if [ -z "${RUN_ID}" ]; then + echo "RUN_ID can not be empty" + exit 1 +fi + # See https://github.com/UnifiedID2/aks-demo/tree/master/vn-aks#setup-aks--node-pool SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" source "${SCRIPT_DIR}/aks_env.sh" @@ -109,6 +114,8 @@ else sed -i "s#VAULT_NAME_PLACEHOLDER#${KEYVAULT_NAME}#g" "${OUTPUT_TEMPLATE_FILE}" sed -i "s#OPERATOR_KEY_SECRET_NAME_PLACEHOLDER#${KEYVAULT_SECRET_NAME}#g" "${OUTPUT_TEMPLATE_FILE}" sed -i "s#DEPLOYMENT_ENVIRONMENT_PLACEHOLDER#integ#g" "${OUTPUT_TEMPLATE_FILE}" + # Make deployment name unique per run to avoid Azure resource conflicts + sed -i "s#operator-deployment#operator-deployment-${RUN_ID}#g" "${OUTPUT_TEMPLATE_FILE}" cat ${OUTPUT_TEMPLATE_FILE} if [ ${TARGET_ENVIRONMENT} == "mock" ]; then From c137cd16f5609e6890d269a10a2a65401f925b53 Mon Sep 17 00:00:00 2001 
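Review bot: In `prepare_aks_artifacts.sh`, `RUN_ID` is only checked for being non-empty before it is spliced into the `sed` expression that rewrites `operator-deployment`; the value comes from the `run_id` action input, which is whatever the caller passes, and a `#`, `&` or backslash in it changes what `sed` writes into the template. Tighten the guard to the expected shape, e.g. `if [[ ! "${RUN_ID}" =~ ^[0-9]+$ ]]; then echo "RUN_ID must be numeric"; exit 1; fi`. The substitution also rewrites every occurrence of the string `operator-deployment` in the template, not only the deployment name, which deserves a comment or a narrower pattern.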
From: Katherine Chen Date: Thu, 19 Feb 2026 11:41:03 +1100 Subject: [PATCH 18/27] Add run_id as a suffix to the aks clusters --- .github/workflows/shared-run-e2e-tests.yaml | 5 +++- actions/start_aks_cluster/action.yaml | 11 +++++--- .../start_aks_private_operator/action.yaml | 4 +++ actions/stop_aks_private_operator/action.yaml | 5 ++++ scripts/aks/aks_env.sh | 26 +++++++++++++------ 5 files changed, 39 insertions(+), 12 deletions(-) diff --git a/.github/workflows/shared-run-e2e-tests.yaml b/.github/workflows/shared-run-e2e-tests.yaml index a2bdcb38..37c5ed4d 100644 --- a/.github/workflows/shared-run-e2e-tests.yaml +++ b/.github/workflows/shared-run-e2e-tests.yaml @@ -210,6 +210,7 @@ jobs: uses: IABTechLab/uid2-shared-actions/actions/start_aks_cluster@kcc-UID2-6321-reenable-aks-e2e with: azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} + run_id: ${{ github.run_id }} - name: Get AKS operator key id: get_aks_operator_key @@ -291,10 +292,11 @@ jobs: - name: Start AKS private operator id: start_aks_private_operator if: ${{ inputs.operator_type == 'aks' }} - uses: IABTechLab/uid2-shared-actions/actions/start_aks_private_operator@v3 + uses: IABTechLab/uid2-shared-actions/actions/start_aks_private_operator@kcc-UID2-6321-reenable-aks-e2e with: template_file: ${{ steps.prepare_aks_metadata.outputs.template_file }} azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} + run_id: ${{ github.run_id }} - name: Decide E2E test environment variables id: decide_env_var @@ -405,3 +407,4 @@ jobs: uses: IABTechLab/uid2-shared-actions/actions/stop_aks_private_operator@kcc-UID2-6321-reenable-aks-e2e with: azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} + run_id: ${{ github.run_id }} diff --git a/actions/start_aks_cluster/action.yaml b/actions/start_aks_cluster/action.yaml index 645a944c..5c36dcd0 100644 --- a/actions/start_aks_cluster/action.yaml +++ b/actions/start_aks_cluster/action.yaml 
@@ -1,10 +1,13 @@ -name: Start AKS Private Operator -description: Spins up an AKS private operator +name: Start AKS Cluster +description: Creates the AKS cluster and infrastructure inputs: azure_credentials: description: The Azure credentials required: true + run_id: + description: Unique run identifier for resource naming + required: true runs: using: "composite" @@ -16,8 +19,10 @@ runs: creds: ${{ inputs.azure_credentials }} enable-AzPSSession: true - - name: Start AKS private operator + - name: Start AKS cluster id: start_aks shell: bash + env: + RUN_ID: ${{ inputs.run_id }} run: | bash ${{ github.action_path }}/../../scripts/aks/start_aks_cluster.sh diff --git a/actions/start_aks_private_operator/action.yaml b/actions/start_aks_private_operator/action.yaml index a9a86d9e..3b3fbcbb 100644 --- a/actions/start_aks_private_operator/action.yaml +++ b/actions/start_aks_private_operator/action.yaml @@ -8,6 +8,9 @@ inputs: azure_credentials: description: The Azure credentials required: true + run_id: + description: Unique run identifier for resource naming + required: true outputs: uid2_pipeline_e2e_operator_url: @@ -29,5 +32,6 @@ runs: shell: bash env: TEMPLATE_FILE: ${{ inputs.template_file }} + RUN_ID: ${{ inputs.run_id }} run: | bash ${{ github.action_path }}/../../scripts/aks/start_aks_enclave.sh diff --git a/actions/stop_aks_private_operator/action.yaml b/actions/stop_aks_private_operator/action.yaml index e080ea46..8326c838 100644 --- a/actions/stop_aks_private_operator/action.yaml +++ b/actions/stop_aks_private_operator/action.yaml @@ -5,6 +5,9 @@ inputs: azure_credentials: description: The Azure credentials required: true + run_id: + description: Unique run identifier for resource naming + required: true runs: using: "composite" @@ -18,5 +21,7 @@ runs: - name: Stop AKS private operator shell: bash + env: + RUN_ID: ${{ inputs.run_id }} run: | bash ${{ github.action_path }}/../../scripts/aks/stop_aks_enclave.sh 
diff --git a/scripts/aks/aks_env.sh b/scripts/aks/aks_env.sh index 6ec19d6a..eb1f7a5f 100644 --- a/scripts/aks/aks_env.sh +++ b/scripts/aks/aks_env.sh @@ -4,15 +4,25 @@ # Set the correct subscription for AKS E2E tests az account set --subscription "63e97a70-d825-4b08-af6d-c0d8ad98bed3" -export RESOURCE_GROUP="opr-e2e-vn-aks" +# RUN_ID should be set by the caller (e.g., github.run_id) +# Use short suffix to stay within Azure naming limits (e.g., Key Vault max 24 chars) +if [ -z "${RUN_ID}" ]; then + echo "Warning: RUN_ID not set, using default names (may cause conflicts)" + RUN_SUFFIX="" +else + # Use last 8 digits of RUN_ID to keep names short + RUN_SUFFIX="-${RUN_ID: -8}" +fi + +export RESOURCE_GROUP="opr-e2e-aks${RUN_SUFFIX}" export LOCATION="westus" -export VNET_NAME="opr-e2e-vnet" -export PUBLIC_IP_ADDRESS_NAME="opr-e2e-public-ip" -export NAT_GATEWAY_NAME="opr-e2e-nat-gateway" -export AKS_CLUSTER_NAME="opr-e2e-vn-cluster" -export KEYVAULT_NAME="opr-e2e-vn-aks-vault" -export KEYVAULT_SECRET_NAME="opr-e2e-vn-aks-opr-key-name" -export MANAGED_IDENTITY="opr-e2e-vn-aks-opr-id" +export VNET_NAME="opr-e2e-vnet${RUN_SUFFIX}" +export PUBLIC_IP_ADDRESS_NAME="opr-e2e-ip${RUN_SUFFIX}" +export NAT_GATEWAY_NAME="opr-e2e-nat${RUN_SUFFIX}" +export AKS_CLUSTER_NAME="opr-e2e-cluster${RUN_SUFFIX}" +export KEYVAULT_NAME="opre2evault${RUN_SUFFIX}" +export KEYVAULT_SECRET_NAME="opr-key${RUN_SUFFIX}" +export MANAGED_IDENTITY="opr-e2e-id${RUN_SUFFIX}" export AKS_NODE_RESOURCE_GROUP="MC_${RESOURCE_GROUP}_${AKS_CLUSTER_NAME}_${LOCATION}" export SUBSCRIPTION_ID="$(az account show --query id --output tsv)" export DEPLOYMENT_ENV="integ" \ No newline at end of file From 301cf212f02b86287c149f0cf79150fa0dde0f4c Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Thu, 19 Feb 2026 14:10:15 +1100 Subject: [PATCH 19/27] Wait for public IP address to be assigned --- scripts/aks/start_aks_enclave.sh | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) 
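Review bot: When `RUN_ID` is unset the new branch in `aks_env.sh` only prints a warning and falls back to the un-suffixed names, so a script that forgets to pass it will act on shared `opr-e2e-*` resources instead of the ones belonging to its run. Because the same file is sourced by the teardown script (its body is not shown here), that fallback could remove or modify another run's resources. Fail closed instead, e.g. replace the warning branch with `: "${RUN_ID:?RUN_ID must be set}"`, and keep the `RUN_SUFFIX="-${RUN_ID: -8}"` assignment unconditional.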
diff --git a/scripts/aks/start_aks_enclave.sh b/scripts/aks/start_aks_enclave.sh index 269b8522..6d4673f6 100644 --- a/scripts/aks/start_aks_enclave.sh +++ b/scripts/aks/start_aks_enclave.sh @@ -20,8 +20,24 @@ if [ -z "${GITHUB_OUTPUT}" ]; then exit 1 fi -# Get public IP, need to trim quotes -IP=$(az network public-ip list --resource-group ${AKS_NODE_RESOURCE_GROUP} --query "[?starts_with(name, 'kubernetes')].ipAddress" --output tsv) +# Wait for public IP to be assigned (LoadBalancer provisioning can take time) +echo "Waiting for public IP to be assigned..." +for i in {1..30}; do + IP=$(az network public-ip list --resource-group ${AKS_NODE_RESOURCE_GROUP} --query "[?starts_with(name, 'kubernetes')].ipAddress" --output tsv) + if [ -n "${IP}" ]; then + echo "Public IP found: ${IP}" + break + fi + echo "Attempt ${i}/30: Public IP not yet available, waiting 10 seconds..." + sleep 10 +done + +if [ -z "${IP}" ]; then + echo "ERROR: Failed to get public IP after 5 minutes" + echo "Checking available public IPs in resource group:" + az network public-ip list --resource-group ${AKS_NODE_RESOURCE_GROUP} --output table + exit 1 +fi echo "Instance IP: ${IP}" echo "uid2_pipeline_e2e_operator_url=http://${IP}" >> ${GITHUB_OUTPUT} From e1f369637e270c55a5fb03850a00661c9d495c47 Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Thu, 19 Feb 2026 14:38:27 +1100 Subject: [PATCH 20/27] Add missing run_id --- .github/workflows/shared-run-e2e-tests.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/shared-run-e2e-tests.yaml b/.github/workflows/shared-run-e2e-tests.yaml index 37c5ed4d..a56f4146 100644 --- a/.github/workflows/shared-run-e2e-tests.yaml +++ b/.github/workflows/shared-run-e2e-tests.yaml @@ -358,6 +358,8 @@ jobs: - name: Stop AKS operator if: ${{ always() && !inputs.delay_operator_shutdown && inputs.operator_type == 'aks' }} + env: + RUN_ID: ${{ github.run_id }} run: | bash uid2-shared-actions/scripts/aks/stop_aks_enclave.sh 
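Review bot: The JMESPath filter `[?starts_with(name, 'kubernetes')].ipAddress` returns every matching address, so with more than one public IP in the node resource group `IP` becomes a multi-line string and the later `echo "uid2_pipeline_e2e_operator_url=http://${IP}" >> ${GITHUB_OUTPUT}` writes extra, malformed lines into the step output file. Select a single value with `--query "[?starts_with(name, 'kubernetes')].ipAddress | [0]"` and quote `"${GITHUB_OUTPUT}"`. The loop also accepts the first non-empty result without checking it looks like an address; a short comment noting that the value is taken on trust from the `az` output would help.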
From d47142f9223323b82ac12116f2eeb4a9f823a623 Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Tue, 24 Feb 2026 16:19:09 +1100 Subject: [PATCH 21/27] Revert ${{ github.action_path }}/../../ change Co-authored-by: Cursor --- actions/prepare_aks_metadata/action.yaml | 6 +++--- actions/prepare_aws_metadata/action.yaml | 4 ++-- actions/prepare_azure_metadata/action.yaml | 6 +++--- actions/prepare_gcp_metadata/action.yaml | 6 +++--- actions/start_aks_cluster/action.yaml | 2 +- actions/start_aks_private_operator/action.yaml | 2 +- actions/start_aws_private_operator/action.yaml | 4 ++-- actions/start_azure_private_operator/action.yaml | 2 +- actions/start_gcp_private_operator/action.yaml | 2 +- actions/stop_aks_private_operator/action.yaml | 2 +- actions/stop_aws_private_operator/action.yaml | 2 +- actions/stop_azure_private_operator/action.yaml | 2 +- actions/stop_gcp_private_operator/action.yaml | 2 +- 13 files changed, 21 insertions(+), 21 deletions(-) diff --git a/actions/prepare_aks_metadata/action.yaml b/actions/prepare_aks_metadata/action.yaml index 9cef60e3..2be47577 100644 --- a/actions/prepare_aks_metadata/action.yaml +++ b/actions/prepare_aks_metadata/action.yaml @@ -45,7 +45,7 @@ runs: OPERATOR_KEY: ${{ inputs.operator_key }} RUN_ID: ${{ inputs.run_id }} run: | - bash ${{ github.action_path }}/../../scripts/aks/prepare_aks_artifacts.sh + bash uid2-shared-actions/scripts/aks/prepare_aks_artifacts.sh - name: Prepare AKS enclave ID id: enclave_id @@ -53,7 +53,7 @@ runs: env: POLICY_DIGEST_FILE: ${{ steps.enclave_artifacts.outputs.policy_digest_file }} run: | - bash ${{ github.action_path }}/../../scripts/aks/prepare_aks_enclave_id.sh + bash uid2-shared-actions/scripts/aks/prepare_aks_enclave_id.sh - name: Prepare AKS enclave metadata id: enclave_metadata 
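Review bot: With the `run:` lines back to `bash uid2-shared-actions/scripts/...`, each composite action executes whatever is checked out at that path in the job's working directory, not the scripts from the ref named in its own `uses:` line. These steps receive `OPERATOR_KEY` and cloud credentials, so an action pinned to one ref can end up running scripts from a different, unpinned checkout, and the action fails outright if the caller never checked the repository out to that path. If the action-relative form caused a problem, the quoted environment variable is an alternative, e.g. `bash "${GITHUB_ACTION_PATH}/../../scripts/aks/prepare_aks_artifacts.sh"`; otherwise document in each `action.yaml` that the caller must check out `uid2-shared-actions` at the same ref. This applies to every hunk of this patch, including those in the following files.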
@@ -62,4 +62,4 @@ runs: ENCLAVE_ID: ${{ steps.enclave_id.outputs.enclave_id }} ENCLAVE_PROTOCOL: azure-cc run: | - bash ${{ github.action_path }}/../../scripts/save_enclave_id_to_admin.sh + bash uid2-shared-actions/scripts/save_enclave_id_to_admin.sh diff --git a/actions/prepare_aws_metadata/action.yaml b/actions/prepare_aws_metadata/action.yaml index 4913b81b..ad86820c 100644 --- a/actions/prepare_aws_metadata/action.yaml +++ b/actions/prepare_aws_metadata/action.yaml @@ -29,7 +29,7 @@ runs: ENCLAVE_ID: ${{ inputs.aws_pcr0 }} ENCLAVE_PROTOCOL: aws-nitro run: | - bash ${{ github.action_path }}/../../scripts/save_enclave_id_to_admin.sh + bash uid2-shared-actions/scripts/save_enclave_id_to_admin.sh - name: Get operator key id: operator_key @@ -39,4 +39,4 @@ runs: TARGET_ENVIRONMENT: ${{ inputs.target_environment }} ENCLAVE_PROTOCOL: aws-nitro run: | - bash ${{ github.action_path }}/../../scripts/get_operator_key.sh + bash uid2-shared-actions/scripts/get_operator_key.sh diff --git a/actions/prepare_azure_metadata/action.yaml b/actions/prepare_azure_metadata/action.yaml index 3e3ef2a4..f1d739d6 100644 --- a/actions/prepare_azure_metadata/action.yaml +++ b/actions/prepare_azure_metadata/action.yaml @@ -31,7 +31,7 @@ runs: env: IMAGE_VERSION: ${{ inputs.operator_image_version }} run: | - bash ${{ github.action_path }}/../../scripts/azure/prepare_azure_artifacts.sh + bash uid2-shared-actions/scripts/azure/prepare_azure_artifacts.sh - name: Prepare Azure enclave ID id: enclave_id @@ -39,7 +39,7 @@ runs: env: POLICY_DIGEST_FILE: ${{ steps.enclave_artifacts.outputs.policy_digest_file }} run: | - bash ${{ github.action_path }}/../../scripts/azure/prepare_azure_enclave_id.sh + bash uid2-shared-actions/scripts/azure/prepare_azure_enclave_id.sh - name: Prepare Azure enclave metadata id: enclave_metadata 
@@ -49,4 +49,4 @@ runs: ENCLAVE_ID: ${{ steps.enclave_id.outputs.enclave_id }} ENCLAVE_PROTOCOL: azure-cc run: | - bash ${{ github.action_path }}/../../scripts/save_enclave_id_to_admin.sh + bash uid2-shared-actions/scripts/save_enclave_id_to_admin.sh diff --git a/actions/prepare_gcp_metadata/action.yaml b/actions/prepare_gcp_metadata/action.yaml index 517ac678..ee4d762b 100644 --- a/actions/prepare_gcp_metadata/action.yaml +++ b/actions/prepare_gcp_metadata/action.yaml @@ -69,7 +69,7 @@ runs: env: IMAGE_HASH: ${{ steps.image_digest.outputs.image_hash }} run: | - bash ${{ github.action_path }}/../../scripts/gcp/prepare_gcp_enclave_id.sh + bash uid2-shared-actions/scripts/gcp/prepare_gcp_enclave_id.sh - name: Prepare GCP enclave metadata id: enclave_metadata @@ -79,7 +79,7 @@ runs: ENCLAVE_ID: ${{ steps.enclave_id.outputs.enclave_id }} ENCLAVE_PROTOCOL: gcp-oidc run: | - bash ${{ github.action_path }}/../../scripts/save_enclave_id_to_admin.sh + bash uid2-shared-actions/scripts/save_enclave_id_to_admin.sh - name: Get operator key id: operator_key @@ -89,4 +89,4 @@ runs: TARGET_ENVIRONMENT: ${{ inputs.target_environment }} ENCLAVE_PROTOCOL: gcp-oidc run: | - bash ${{ github.action_path }}/../../scripts/get_operator_key.sh + bash uid2-shared-actions/scripts/get_operator_key.sh diff --git a/actions/start_aks_cluster/action.yaml b/actions/start_aks_cluster/action.yaml index 5c36dcd0..2925b170 100644 --- a/actions/start_aks_cluster/action.yaml +++ b/actions/start_aks_cluster/action.yaml @@ -25,4 +25,4 @@ runs: env: RUN_ID: ${{ inputs.run_id }} run: | - bash ${{ github.action_path }}/../../scripts/aks/start_aks_cluster.sh + bash uid2-shared-actions/scripts/aks/start_aks_cluster.sh diff --git a/actions/start_aks_private_operator/action.yaml b/actions/start_aks_private_operator/action.yaml index 3b3fbcbb..313a848b 100644 --- a/actions/start_aks_private_operator/action.yaml +++ b/actions/start_aks_private_operator/action.yaml 
@@ -34,4 +34,4 @@ runs: TEMPLATE_FILE: ${{ inputs.template_file }} RUN_ID: ${{ inputs.run_id }} run: | - bash ${{ github.action_path }}/../../scripts/aks/start_aks_enclave.sh + bash uid2-shared-actions/scripts/aks/start_aks_enclave.sh diff --git a/actions/start_aws_private_operator/action.yaml b/actions/start_aws_private_operator/action.yaml index 925baada..0ba3d324 100644 --- a/actions/start_aws_private_operator/action.yaml +++ b/actions/start_aws_private_operator/action.yaml @@ -47,7 +47,7 @@ runs: - name: Install Python dependencies uses: py-actions/py-dependency-install@v4 with: - path: ${{ github.action_path }}/../../scripts/aws/requirements.txt + path: ./uid2-shared-actions/scripts/aws/requirements.txt - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 @@ -70,4 +70,4 @@ runs: TARGET_ENVIRONMENT: ${{ inputs.target_environment }} OPERATOR_KEY: ${{ inputs.operator_key }} run: | - bash ${{ github.action_path }}/../../scripts/aws/start_aws_enclave.sh + bash uid2-shared-actions/scripts/aws/start_aws_enclave.sh diff --git a/actions/start_azure_private_operator/action.yaml b/actions/start_azure_private_operator/action.yaml index a149b54e..d1fbd6f1 100644 --- a/actions/start_azure_private_operator/action.yaml +++ b/actions/start_azure_private_operator/action.yaml @@ -49,4 +49,4 @@ runs: PARAMETERS_FILE: ${{ inputs.parameters_file }} TARGET_ENVIRONMENT: ${{ inputs.target_environment }} run: | - bash ${{ github.action_path }}/../../scripts/azure/start_azure_enclave.sh + bash uid2-shared-actions/scripts/azure/start_azure_enclave.sh diff --git a/actions/start_gcp_private_operator/action.yaml b/actions/start_gcp_private_operator/action.yaml index e955b978..3873a175 100644 --- a/actions/start_gcp_private_operator/action.yaml +++ b/actions/start_gcp_private_operator/action.yaml 
@@ -44,4 +44,4 @@ runs: OPERATOR_KEY: ${{ inputs.operator_key }} IMAGE_HASH: ${{ inputs.image_hash }} run: | - bash ${{ github.action_path }}/../../scripts/gcp/start_gcp_enclave.sh + bash uid2-shared-actions/scripts/gcp/start_gcp_enclave.sh diff --git a/actions/stop_aks_private_operator/action.yaml b/actions/stop_aks_private_operator/action.yaml index 8326c838..dc4ee399 100644 --- a/actions/stop_aks_private_operator/action.yaml +++ b/actions/stop_aks_private_operator/action.yaml @@ -24,4 +24,4 @@ runs: env: RUN_ID: ${{ inputs.run_id }} run: | - bash ${{ github.action_path }}/../../scripts/aks/stop_aks_enclave.sh + bash uid2-shared-actions/scripts/aks/stop_aks_enclave.sh diff --git a/actions/stop_aws_private_operator/action.yaml b/actions/stop_aws_private_operator/action.yaml index cee70226..e2ebf29d 100644 --- a/actions/stop_aws_private_operator/action.yaml +++ b/actions/stop_aws_private_operator/action.yaml @@ -27,4 +27,4 @@ runs: AWS_STACK_NAME: ${{ inputs.aws_stack_name }} AWS_REGION: ${{ inputs.aws_region }} run: | - bash ${{ github.action_path }}/../../scripts/aws/stop_aws_enclave.sh + bash uid2-shared-actions/scripts/aws/stop_aws_enclave.sh diff --git a/actions/stop_azure_private_operator/action.yaml b/actions/stop_azure_private_operator/action.yaml index 9c73aaaf..14f8c071 100644 --- a/actions/stop_azure_private_operator/action.yaml +++ b/actions/stop_azure_private_operator/action.yaml @@ -24,4 +24,4 @@ runs: env: AZURE_CONTAINER_GROUP_NAME: ${{ inputs.azure_container_group_name }} run: | - bash ${{ github.action_path }}/../../scripts/azure/stop_azure_enclave.sh + bash uid2-shared-actions/scripts/azure/stop_azure_enclave.sh diff --git a/actions/stop_gcp_private_operator/action.yaml b/actions/stop_gcp_private_operator/action.yaml index 9a2b8be3..b75bbe17 100644 --- a/actions/stop_gcp_private_operator/action.yaml +++ b/actions/stop_gcp_private_operator/action.yaml 
@@ -48,4 +48,4 @@ runs: SERVICE_ACCOUNT: ${{ inputs.gcp_service_account }} GCP_INSTANCE_NAME: ${{ inputs.gcp_instance_name }} run: | - bash ${{ github.action_path }}/../../scripts/gcp/stop_gcp_enclave.sh + bash uid2-shared-actions/scripts/gcp/stop_gcp_enclave.sh From 4869c748f11f784f3aee20c45f77075d34c1fe53 Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Tue, 24 Feb 2026 16:22:39 +1100 Subject: [PATCH 22/27] Use actions from the same commit as the workflow file itself --- .github/workflows/shared-run-e2e-tests.yaml | 28 ++++++++++----------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/shared-run-e2e-tests.yaml b/.github/workflows/shared-run-e2e-tests.yaml index a56f4146..5e243d86 100644 --- a/.github/workflows/shared-run-e2e-tests.yaml +++ b/.github/workflows/shared-run-e2e-tests.yaml @@ -180,7 +180,7 @@ jobs: - name: Prepare GCP metadata id: prepare_gcp_metadata if: ${{ inputs.operator_type == 'gcp' }} - uses: IABTechLab/uid2-shared-actions/actions/prepare_gcp_metadata@v3 + uses: ./actions/prepare_gcp_metadata with: operator_image_version: ${{ inputs.operator_image_version }} target_environment: ${{ inputs.target_environment }} @@ -190,7 +190,7 @@ jobs: - name: Prepare Azure metadata id: prepare_azure_metadata if: ${{ inputs.operator_type == 'azure' }} - uses: IABTechLab/uid2-shared-actions/actions/prepare_azure_metadata@v3 + uses: ./actions/prepare_azure_metadata with: operator_image_version: ${{ inputs.operator_image_version }} target_environment: ${{ inputs.target_environment }} @@ -198,7 +198,7 @@ jobs: - name: Prepare AWS metadata id: prepare_aws_metadata if: ${{ inputs.operator_type == 'aws' }} - uses: IABTechLab/uid2-shared-actions/actions/prepare_aws_metadata@v3 + uses: ./actions/prepare_aws_metadata with: identity_scope: ${{ inputs.identity_scope }} target_environment: ${{ inputs.target_environment }} 
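Review bot: `uses: ./actions/prepare_gcp_metadata` and the other `./actions/...` references introduced in this file resolve against the job's workspace, not against the repository and commit that host this workflow file. If the workflow is invoked through `workflow_call` from another repository (the `inputs.*` references suggest it is), the workspace holds the caller's checkout, so each step either fails to find the action or runs whatever `actions/` directory the caller provides, and the AKS and Azure steps hand `secrets.AZURE_CREDENTIALS` to it. Keeping the fully qualified form and pinning it gives the property the commit title asks for: `uses: IABTechLab/uid2-shared-actions/actions/prepare_gcp_metadata@<full-commit-sha>` (placeholder, not a real SHA).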
@@ -207,7 +207,7 @@ jobs: - name: Start AKS cluster id: start_aks_cluster if: ${{ inputs.operator_type == 'aks' }} - uses: IABTechLab/uid2-shared-actions/actions/start_aks_cluster@kcc-UID2-6321-reenable-aks-e2e + uses: ./actions/start_aks_cluster with: azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} run_id: ${{ github.run_id }} @@ -226,7 +226,7 @@ jobs: - name: Prepare AKS metadata id: prepare_aks_metadata if: ${{ inputs.operator_type == 'aks' }} - uses: IABTechLab/uid2-shared-actions/actions/prepare_aks_metadata@kcc-UID2-6321-reenable-aks-e2e + uses: ./actions/prepare_aks_metadata with: operator_image_version: ${{ inputs.operator_image_version }} target_environment: ${{ inputs.target_environment }} @@ -254,7 +254,7 @@ jobs: - name: Start GCP private operator id: start_gcp_private_operator if: ${{ inputs.operator_type == 'gcp' }} - uses: IABTechLab/uid2-shared-actions/actions/start_gcp_private_operator@v3 + uses: ./actions/start_gcp_private_operator with: bore_url_core: ${{ steps.bore.outputs.bore_url_core }} bore_url_optout: ${{ steps.bore.outputs.bore_url_optout }} @@ -266,7 +266,7 @@ jobs: - name: Start Azure private operator id: start_azure_private_operator if: ${{ inputs.operator_type == 'azure' }} - uses: IABTechLab/uid2-shared-actions/actions/start_azure_private_operator@v3 + uses: ./actions/start_azure_private_operator with: bore_url_core: ${{ steps.bore.outputs.bore_url_core }} bore_url_optout: ${{ steps.bore.outputs.bore_url_optout }} @@ -278,7 +278,7 @@ jobs: - name: Start AWS private operator id: start_aws_private_operator if: ${{ inputs.operator_type == 'aws' }} - uses: IABTechLab/uid2-shared-actions/actions/start_aws_private_operator@v3 + uses: ./actions/start_aws_private_operator with: bore_url_core: ${{ steps.bore.outputs.bore_url_core }} bore_url_optout: ${{ steps.bore.outputs.bore_url_optout }} 
@@ -292,7 +292,7 @@ jobs: - name: Start AKS private operator id: start_aks_private_operator if: ${{ inputs.operator_type == 'aks' }} - uses: IABTechLab/uid2-shared-actions/actions/start_aks_private_operator@kcc-UID2-6321-reenable-aks-e2e + uses: ./actions/start_aks_private_operator with: template_file: ${{ steps.prepare_aks_metadata.outputs.template_file }} azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} @@ -316,7 +316,7 @@ jobs: - name: Run E2E tests id: e2e - uses: IABTechLab/uid2-shared-actions/actions/run_e2e_tests@v3 + uses: ./actions/run_e2e_tests with: e2e_network: ${{ steps.decide_env_var.outputs.e2e_network }} e2e_image_version: ${{ inputs.e2e_image_version }} @@ -383,7 +383,7 @@ jobs: - name: Stop GCP private operator if: ${{ inputs.operator_type == 'gcp' }} - uses: IABTechLab/uid2-shared-actions/actions/stop_gcp_private_operator@v3 + uses: ./actions/stop_gcp_private_operator with: gcp_project: ${{ inputs.gcp_project }} gcp_service_account: ${{ inputs.gcp_service_account }} @@ -392,21 +392,21 @@ jobs: - name: Stop Azure private operator if: ${{ inputs.operator_type == 'azure' }} - uses: IABTechLab/uid2-shared-actions/actions/stop_azure_private_operator@v3 + uses: ./actions/stop_azure_private_operator with: azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} azure_container_group_name: ${{ needs.e2e-test.outputs.azure_container_group_name }} - name: Stop AWS private operator if: ${{ inputs.operator_type == 'aws' }} - uses: IABTechLab/uid2-shared-actions/actions/stop_aws_private_operator@v3 + uses: ./actions/stop_aws_private_operator with: aws_stack_name: ${{ needs.e2e-test.outputs.aws_stack_name }} aws_region: ${{ inputs.aws_region }} - name: Stop AKS private operator if: ${{ inputs.operator_type == 'aks' }} - uses: IABTechLab/uid2-shared-actions/actions/stop_aks_private_operator@kcc-UID2-6321-reenable-aks-e2e + uses: ./actions/stop_aks_private_operator with: azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} run_id: ${{ github.run_id }} 
From f92beaf00b0247a139389503b1ae9a2074e1c56a Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Tue, 24 Feb 2026 16:26:12 +1100 Subject: [PATCH 23/27] Use kcc-UID2-6321-reenable-aks-e2e --- .github/workflows/shared-run-e2e-tests.yaml | 28 ++++++++++----------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/shared-run-e2e-tests.yaml b/.github/workflows/shared-run-e2e-tests.yaml index 5e243d86..a56f4146 100644 --- a/.github/workflows/shared-run-e2e-tests.yaml +++ b/.github/workflows/shared-run-e2e-tests.yaml @@ -180,7 +180,7 @@ jobs: - name: Prepare GCP metadata id: prepare_gcp_metadata if: ${{ inputs.operator_type == 'gcp' }} - uses: ./actions/prepare_gcp_metadata + uses: IABTechLab/uid2-shared-actions/actions/prepare_gcp_metadata@v3 with: operator_image_version: ${{ inputs.operator_image_version }} target_environment: ${{ inputs.target_environment }} @@ -190,7 +190,7 @@ jobs: - name: Prepare Azure metadata id: prepare_azure_metadata if: ${{ inputs.operator_type == 'azure' }} - uses: ./actions/prepare_azure_metadata + uses: IABTechLab/uid2-shared-actions/actions/prepare_azure_metadata@v3 with: operator_image_version: ${{ inputs.operator_image_version }} target_environment: ${{ inputs.target_environment }} @@ -198,7 +198,7 @@ jobs: - name: Prepare AWS metadata id: prepare_aws_metadata if: ${{ inputs.operator_type == 'aws' }} - uses: ./actions/prepare_aws_metadata + uses: IABTechLab/uid2-shared-actions/actions/prepare_aws_metadata@v3 with: identity_scope: ${{ inputs.identity_scope }} target_environment: ${{ inputs.target_environment }} @@ -207,7 +207,7 @@ jobs: - name: Start AKS cluster id: start_aks_cluster if: ${{ inputs.operator_type == 'aks' }} - uses: ./actions/start_aks_cluster + uses: IABTechLab/uid2-shared-actions/actions/start_aks_cluster@kcc-UID2-6321-reenable-aks-e2e with: azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} run_id: ${{ github.run_id }} 
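Review bot: `uses: IABTechLab/uid2-shared-actions/actions/start_aks_cluster@kcc-UID2-6321-reenable-aks-e2e` points at a feature branch, and the step passes `secrets.AZURE_CREDENTIALS` to it, so any later push to that branch changes the code that receives the credential. The same reference appears on the Prepare AKS metadata, Start AKS private operator and Stop AKS private operator steps of this commit, and the `@v3` references on the other steps are a movable ref as well. A full commit SHA fixes what runs: `uses: IABTechLab/uid2-shared-actions/actions/start_aks_cluster@<full-commit-sha> # v3` (placeholder, not a real SHA).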
@@ -226,7 +226,7 @@ jobs: - name: Prepare AKS metadata id: prepare_aks_metadata if: ${{ inputs.operator_type == 'aks' }} - uses: ./actions/prepare_aks_metadata + uses: IABTechLab/uid2-shared-actions/actions/prepare_aks_metadata@kcc-UID2-6321-reenable-aks-e2e with: operator_image_version: ${{ inputs.operator_image_version }} target_environment: ${{ inputs.target_environment }} @@ -254,7 +254,7 @@ jobs: - name: Start GCP private operator id: start_gcp_private_operator if: ${{ inputs.operator_type == 'gcp' }} - uses: ./actions/start_gcp_private_operator + uses: IABTechLab/uid2-shared-actions/actions/start_gcp_private_operator@v3 with: bore_url_core: ${{ steps.bore.outputs.bore_url_core }} bore_url_optout: ${{ steps.bore.outputs.bore_url_optout }} @@ -266,7 +266,7 @@ jobs: - name: Start Azure private operator id: start_azure_private_operator if: ${{ inputs.operator_type == 'azure' }} - uses: ./actions/start_azure_private_operator + uses: IABTechLab/uid2-shared-actions/actions/start_azure_private_operator@v3 with: bore_url_core: ${{ steps.bore.outputs.bore_url_core }} bore_url_optout: ${{ steps.bore.outputs.bore_url_optout }} @@ -278,7 +278,7 @@ jobs: - name: Start AWS private operator id: start_aws_private_operator if: ${{ inputs.operator_type == 'aws' }} - uses: ./actions/start_aws_private_operator + uses: IABTechLab/uid2-shared-actions/actions/start_aws_private_operator@v3 with: bore_url_core: ${{ steps.bore.outputs.bore_url_core }} bore_url_optout: ${{ steps.bore.outputs.bore_url_optout }} @@ -292,7 +292,7 @@ jobs: - name: Start AKS private operator id: start_aks_private_operator if: ${{ inputs.operator_type == 'aks' }} - uses: ./actions/start_aks_private_operator + uses: IABTechLab/uid2-shared-actions/actions/start_aks_private_operator@kcc-UID2-6321-reenable-aks-e2e with: template_file: ${{ steps.prepare_aks_metadata.outputs.template_file }} azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} 
@@ -316,7 +316,7 @@ jobs: - name: Run E2E tests id: e2e - uses: ./actions/run_e2e_tests + uses: IABTechLab/uid2-shared-actions/actions/run_e2e_tests@v3 with: e2e_network: ${{ steps.decide_env_var.outputs.e2e_network }} e2e_image_version: ${{ inputs.e2e_image_version }} @@ -383,7 +383,7 @@ jobs: - name: Stop GCP private operator if: ${{ inputs.operator_type == 'gcp' }} - uses: ./actions/stop_gcp_private_operator + uses: IABTechLab/uid2-shared-actions/actions/stop_gcp_private_operator@v3 with: gcp_project: ${{ inputs.gcp_project }} gcp_service_account: ${{ inputs.gcp_service_account }} @@ -392,21 +392,21 @@ jobs: - name: Stop Azure private operator if: ${{ inputs.operator_type == 'azure' }} - uses: ./actions/stop_azure_private_operator + uses: IABTechLab/uid2-shared-actions/actions/stop_azure_private_operator@v3 with: azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} azure_container_group_name: ${{ needs.e2e-test.outputs.azure_container_group_name }} - name: Stop AWS private operator if: ${{ inputs.operator_type == 'aws' }} - uses: ./actions/stop_aws_private_operator + uses: IABTechLab/uid2-shared-actions/actions/stop_aws_private_operator@v3 with: aws_stack_name: ${{ needs.e2e-test.outputs.aws_stack_name }} aws_region: ${{ inputs.aws_region }} - name: Stop AKS private operator if: ${{ inputs.operator_type == 'aks' }} - uses: ./actions/stop_aks_private_operator + uses: IABTechLab/uid2-shared-actions/actions/stop_aks_private_operator@kcc-UID2-6321-reenable-aks-e2e with: azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} run_id: ${{ github.run_id }} From be53d34b237e60cd9ff167a1816e8eb5ddb2f308 Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Thu, 26 Feb 2026 09:49:26 +1100 Subject: [PATCH 24/27] Update location to eastus --- scripts/aks/aks_env.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/aks/aks_env.sh b/scripts/aks/aks_env.sh index eb1f7a5f..acb10b83 100644 --- a/scripts/aks/aks_env.sh +++ b/scripts/aks/aks_env.sh 
@@ -15,7 +15,7 @@ else fi export RESOURCE_GROUP="opr-e2e-aks${RUN_SUFFIX}" -export LOCATION="westus" +export LOCATION="eastus" export VNET_NAME="opr-e2e-vnet${RUN_SUFFIX}" export PUBLIC_IP_ADDRESS_NAME="opr-e2e-ip${RUN_SUFFIX}" export NAT_GATEWAY_NAME="opr-e2e-nat${RUN_SUFFIX}" From 1a6e40d32d05545f4fff4678355533df20d30a2a Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Thu, 26 Feb 2026 09:52:55 +1100 Subject: [PATCH 25/27] Fix core/optout bore url bugs --- scripts/aks/prepare_aks_artifacts.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/scripts/aks/prepare_aks_artifacts.sh b/scripts/aks/prepare_aks_artifacts.sh index acc30cd0..8635c9b3 100644 --- a/scripts/aks/prepare_aks_artifacts.sh +++ b/scripts/aks/prepare_aks_artifacts.sh @@ -118,9 +118,8 @@ else sed -i "s#operator-deployment#operator-deployment-${RUN_ID}#g" "${OUTPUT_TEMPLATE_FILE}" cat ${OUTPUT_TEMPLATE_FILE} - if [ ${TARGET_ENVIRONMENT} == "mock" ]; then - python3 ${SHARED_ACTIONS_ROOT}/scripts/aks/add_env.py ${OUTPUT_TEMPLATE_FILE} uid2-operator CORE_BASE_URL ${BORE_URL_CORE} OPTOUT_BASE_URL ${BORE_URL_OPTOUT} SKIP_VALIDATIONS true - fi + # Add bore URLs for connecting to mock core/optout services (used in all E2E test environments) + python3 ${SHARED_ACTIONS_ROOT}/scripts/aks/add_env.py ${OUTPUT_TEMPLATE_FILE} uid2-operator CORE_BASE_URL ${BORE_URL_CORE} OPTOUT_BASE_URL ${BORE_URL_OPTOUT} SKIP_VALIDATIONS true cat ${OUTPUT_TEMPLATE_FILE} # --- Finished updating yaml file with resources --- From 2a0bac2b47e33bf51b8d79eece00742d28781430 Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Thu, 26 Feb 2026 10:42:19 +1100 Subject: [PATCH 26/27] Change location to westus --- scripts/aks/aks_env.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/aks/aks_env.sh b/scripts/aks/aks_env.sh index acb10b83..eb1f7a5f 100644 --- a/scripts/aks/aks_env.sh +++ b/scripts/aks/aks_env.sh 
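Review bot: The `add_env.py` call in the `prepare_aks_artifacts.sh` hunk now runs for every target environment with `${BORE_URL_CORE}` and `${BORE_URL_OPTOUT}` unquoted, so an empty or unset value drops out of the argument list and the remaining arguments shift; presumably the script reads them as name/value pairs, in which case `CORE_BASE_URL` would be paired with the literal `OPTOUT_BASE_URL`. Guard and quote them: `: "${BORE_URL_CORE:?}" "${BORE_URL_OPTOUT:?}"` before the call, then pass `"${OUTPUT_TEMPLATE_FILE}"`, `"${BORE_URL_CORE}"` and `"${BORE_URL_OPTOUT}"` quoted. Removing the `mock` guard also writes `SKIP_VALIDATIONS true` into the operator template for non-mock environments; what that flag disables is not visible here, so the new comment should say why it is acceptable outside mock. The enclosing `else` branch starts outside the hunk.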
@@ -15,7 +15,7 @@ else fi export RESOURCE_GROUP="opr-e2e-aks${RUN_SUFFIX}" -export LOCATION="eastus" +export LOCATION="westus" export VNET_NAME="opr-e2e-vnet${RUN_SUFFIX}" export PUBLIC_IP_ADDRESS_NAME="opr-e2e-ip${RUN_SUFFIX}" export NAT_GATEWAY_NAME="opr-e2e-nat${RUN_SUFFIX}" From 5515aa22d9e885a3a36577442324a0dc2e1a7ec9 Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Thu, 26 Feb 2026 13:58:35 +1100 Subject: [PATCH 27/27] Revert back to v3 --- .github/workflows/shared-run-e2e-tests.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/shared-run-e2e-tests.yaml b/.github/workflows/shared-run-e2e-tests.yaml index a56f4146..459647dc 100644 --- a/.github/workflows/shared-run-e2e-tests.yaml +++ b/.github/workflows/shared-run-e2e-tests.yaml @@ -151,7 +151,7 @@ jobs: - name: Checkout uid2-shared-actions repo uses: actions/checkout@v4 with: - ref: kcc-UID2-6321-reenable-aks-e2e + ref: v3 repository: IABTechLab/uid2-shared-actions path: uid2-shared-actions @@ -207,7 +207,7 @@ jobs: - name: Start AKS cluster id: start_aks_cluster if: ${{ inputs.operator_type == 'aks' }} - uses: IABTechLab/uid2-shared-actions/actions/start_aks_cluster@kcc-UID2-6321-reenable-aks-e2e + uses: IABTechLab/uid2-shared-actions/actions/start_aks_cluster@v3 with: azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} run_id: ${{ github.run_id }} @@ -226,7 +226,7 @@ jobs: - name: Prepare AKS metadata id: prepare_aks_metadata if: ${{ inputs.operator_type == 'aks' }} - uses: IABTechLab/uid2-shared-actions/actions/prepare_aks_metadata@kcc-UID2-6321-reenable-aks-e2e + uses: IABTechLab/uid2-shared-actions/actions/prepare_aks_metadata@v3 with: operator_image_version: ${{ inputs.operator_image_version }} target_environment: ${{ inputs.target_environment }} 
@@ -292,7 +292,7 @@ jobs: - name: Start AKS private operator id: start_aks_private_operator if: ${{ inputs.operator_type == 'aks' }} - uses: IABTechLab/uid2-shared-actions/actions/start_aks_private_operator@kcc-UID2-6321-reenable-aks-e2e + uses: IABTechLab/uid2-shared-actions/actions/start_aks_private_operator@v3 with: template_file: ${{ steps.prepare_aks_metadata.outputs.template_file }} azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} @@ -377,7 +377,7 @@ jobs: - name: Checkout uid2-shared-actions repo uses: actions/checkout@v4 with: - ref: kcc-UID2-6321-reenable-aks-e2e + ref: v3 repository: IABTechLab/uid2-shared-actions path: uid2-shared-actions @@ -406,7 +406,7 @@ jobs: - name: Stop AKS private operator if: ${{ inputs.operator_type == 'aks' }} - uses: IABTechLab/uid2-shared-actions/actions/stop_aks_private_operator@kcc-UID2-6321-reenable-aks-e2e + uses: IABTechLab/uid2-shared-actions/actions/stop_aks_private_operator@v3 with: azure_credentials: ${{ secrets.AZURE_CREDENTIALS }} run_id: ${{ github.run_id }}