From f2c254a5d5cad4ed1ef9eb0fda6618c0725789e6 Mon Sep 17 00:00:00 2001
From: jyang-broad <85525681+jyang-broad@users.noreply.github.com>
Date: Tue, 9 Jul 2024 14:14:31 -0700
Subject: [PATCH] Ddo 3749 v2 update canary tests (#1635)
* Revert "Revert "[DDO-3749] use gsm instead of vault" (#1633)"
This reverts commit 2648a79818b6629f5fa92e95984fcd37a2be4ed9.
* try copy before mount
* copy r
* copy r complex
---
 automation/canary-prod-test.sh | 18 +++++++++++++++---
 automation/canary_events.json | 1 +
 automation/complex-prod-workflow-test.sh | 18 +++++++++++++++---
 jenkins/jenkins_build.sh | 18 ++++++++++++++----
 4 files changed, 45 insertions(+), 10 deletions(-)
 create mode 100644 automation/canary_events.json
diff --git a/automation/canary-prod-test.sh b/automation/canary-prod-test.sh
index b40c72b34d..51bb55af47 100644
--- a/automation/canary-prod-test.sh
+++ b/automation/canary-prod-test.sh
@@ -5,7 +5,6 @@ set -e
 set -x
 ENV=$1
-VAULT_TOKEN=${2:-$(cat $HOME/.vault-token)}
 WORKING_DIR=${3:-$PWD}
 NEED_TOKEN=false
@@ -17,7 +16,20 @@ else
 echo "Starting canary test in Production"
 fi
-JSON_CREDS=`docker run --rm -e VAULT_TOKEN=$VAULT_TOKEN -e VAULT_ADDR=https://clotho.broadinstitute.org:8200 broadinstitute/dsde-toolbox vault read -format=json secret/dsde/firecloud/prod/common/canary/firecloud-account.json | jq '.data'`
+# the Jenkins config runs gcloud auth outside this script
+# we want to copy the global configs into the workspace so we don't affect other jobs that might be running on the node
+cp -r ${HOME}/.config/gcloud ${WORKSPACE}/gcloud_config
+
+DOCKER_ARGS=(
+ "run"
+ "--rm"
+ "-v ${WORKSPACE}/gcloud_config:/root/.config/gcloud"
+ "google/cloud-sdk"
+)
+
+SECRET_ACCESS_ACCOUNT=jenkins-firecloud@broad-dsp-techops.iam.gserviceaccount.com
+# Expand the array of args and pass them to `docker`
+JSON_CREDS=$(docker ${DOCKER_ARGS[*]} /bin/bash -c "gcloud config set account ${SECRET_ACCESS_ACCOUNT} && gcloud secrets versions access latest --project broad-dsde-dev --secret firecloud-sa")
 users=(
 dumbledore.admin@test.firecloud.org
@@ -58,7 +70,7 @@ if [ $ENV = "prod" ]; then
 do
 echo $i
- sleep 1m
+ sleep 60
 monitorSubmission dumbledore.admin@test.firecloud.org broad-firecloud-dsde CanaryTest $submissionId
 ((i++))
 done
diff --git a/automation/canary_events.json b/automation/canary_events.json
new file mode 100644
index 0000000000..e04292bd6e
--- /dev/null
+++ b/automation/canary_events.json
@@ -0,0 +1 @@
+[{"eventType":"CanaryTestProd","type":"Workflow","status": "Succeeded","timeToComplete (sec)":"253"}]
diff --git a/automation/complex-prod-workflow-test.sh b/automation/complex-prod-workflow-test.sh
index 053a746f79..39b55c336b 100644
--- a/automation/complex-prod-workflow-test.sh
+++ b/automation/complex-prod-workflow-test.sh
@@ -6,7 +6,6 @@ set -e
 set -x
 ENV=$1
-VAULT_TOKEN=${2:-$(cat $HOME/.vault-token)}
 WORKING_DIR=${3:-$PWD}
 NEED_TOKEN=false
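Review bot: The new `JSON_CREDS=$(docker … gcloud secrets versions access latest …)` assignment runs while the `set -x` from the top of the script is still active, and bash xtrace prints an assignment with its expanded value, so the service-account JSON fetched from Secret Manager is written to the Jenkins console log. Bracket the fetch with `set +x` before it and `set -x` after it, or drop tracing for the script. The identical block in automation/complex-prod-workflow-test.sh and the `set -eux` block in jenkins/jenkins_build.sh, where `echo ${JSON_CREDS}` is traced as well, need the same change. The script continues outside this hunk, so any later use of `JSON_CREDS` under xtrace should be checked too.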
@@ -18,7 +17,20 @@ else
 echo "Starting complex workflow test in Production"
 fi
-JSON_CREDS=`docker run --rm -e VAULT_TOKEN=$VAULT_TOKEN -e VAULT_ADDR=https://clotho.broadinstitute.org:8200 broadinstitute/dsde-toolbox vault read -format=json secret/dsde/firecloud/prod/common/canary/firecloud-account.json | jq '.data'`
+# the Jenkins config runs gcloud auth outside this script
+# we want to copy the global configs into the workspace so we don't affect other jobs that might be running on the node
+cp -r ${HOME}/.config/gcloud ${WORKSPACE}/gcloud_config
+
+DOCKER_ARGS=(
+ "run"
+ "--rm"
+ "-v ${WORKSPACE}/gcloud_config:/root/.config/gcloud"
+ "google/cloud-sdk"
+)
+
+SECRET_ACCESS_ACCOUNT=jenkins-firecloud@broad-dsp-techops.iam.gserviceaccount.com
+# Expand the array of args and pass them to `docker`
+JSON_CREDS=$(docker ${DOCKER_ARGS[*]} /bin/bash -c "gcloud config set account ${SECRET_ACCESS_ACCOUNT} && gcloud secrets versions access latest --project broad-dsde-dev --secret firecloud-sa")
 users=(
 dumbledore.admin@test.firecloud.org
@@ -59,7 +71,7 @@ if [ $ENV = "prod" ]; then
 do
 echo $i
- sleep 5m
+ sleep 300
 monitorSubmission dumbledore.admin@test.firecloud.org broad-firecloud-dsde complex-featured-workflow $submissionId
 ((i++))
 done
diff --git a/jenkins/jenkins_build.sh b/jenkins/jenkins_build.sh
index ef7e2a1589..5d6710dcae 100755
--- a/jenkins/jenkins_build.sh
+++ b/jenkins/jenkins_build.sh
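Review bot: `cp -r ${HOME}/.config/gcloud ${WORKSPACE}/gcloud_config` leaves a copy of the node's gcloud credentials in the job workspace and nothing in the hunk removes it; if the workspace is reused, the target already exists on the next run, so `cp -r` nests the new copy as `gcloud_config/gcloud` and the container keeps mounting the stale first copy. Clear it before the copy with `rm -rf -- "${WORKSPACE:?}/gcloud_config"` and, if the script has no other EXIT trap, remove it afterwards with `trap 'rm -rf -- "${WORKSPACE:?}/gcloud_config"' EXIT`. The mount is also passed as a single `"-v …"` array element through unquoted `${DOCKER_ARGS[*]}`, which only works by word splitting and breaks on a workspace path containing a space; separate `-v` from the path and expand with `"${DOCKER_ARGS[@]}"`. Both points apply equally to the same block in automation/canary-prod-test.sh.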
@@ -4,11 +4,21 @@ set -eux
 GCR_SVCACCT_VAULT="secret/dsde/dsp-techops/common/dspci-wb-gcr-service-account.json"
 GCR_REPO_PROJ="broad-dsp-gcr-public"
-VAULT_TOKEN=${VAULT_TOKEN:-$(cat /etc/vault-token-dsde)}
-docker run --rm -e VAULT_TOKEN=$VAULT_TOKEN \
- broadinstitute/dsde-toolbox:latest vault read --format=json ${GCR_SVCACCT_VAULT} \
- | jq .data > dspci-wb-gcr-service-account.json
+gcloud auth activate-service-account --key-file=${DSP_TECHOPS_SVC_ACCT}
+
+DOCKER_ARGS=(
+ "run"
+ "--rm"
+ "-v ${HOME}/.config/gcloud:/root/.config/gcloud"
+ "google/cloud-sdk"
+)
+
+SECRET_ACCESS_ACCOUNT=jenkins-firecloud@broad-dsp-techops.iam.gserviceaccount.com
+# Expand the array of args and pass them to `docker`
+JSON_CREDS=$(docker ${DOCKER_ARGS[*]} /bin/bash -c "gcloud config set account ${SECRET_ACCESS_ACCOUNT} && gcloud secrets versions access latest --project broad-dsp-techops --secret dspci-wb-gcr-service-account")
+
+echo ${JSON_CREDS} | jq . > dspci-wb-gcr-service-account.json
 ./scripts/build.sh compile -d push -g gcr.io/broad-dsp-gcr-public/${PROJECT} -k "dspci-wb-gcr-service-account.json"
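Review bot: Unlike the two canary scripts, this hunk mounts `${HOME}/.config/gcloud` itself into the container, so `gcloud config set account` inside it and `gcloud auth activate-service-account` on the host just above both rewrite the node-wide gcloud configuration that the comment in automation/canary-prod-test.sh says should be left alone for other jobs. Pointing gcloud at a per-job directory, for example `export CLOUDSDK_CONFIG="${WORKSPACE}/gcloud_config"` before the activate call (assuming `WORKSPACE` is set for this job) and mounting that directory instead, keeps the change local to the build. `echo ${JSON_CREDS} | jq .` is unquoted, so the key JSON goes through word splitting and globbing before jq sees it; `printf '%s' "${JSON_CREDS}" | jq . > dspci-wb-gcr-service-account.json` avoids that. `GCR_SVCACCT_VAULT` appears to be unused after this change, and the `google/cloud-sdk` image that receives the credentials is pulled without a tag or digest.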