Skip to content

Rotate IO-Datastores Cluster Credentials #8

Rotate IO-Datastores Cluster Credentials

Rotate IO-Datastores Cluster Credentials #8

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Rotate IO-Datastores Cluster Credentials
on:
schedule:
- cron: '0 2 1 * *'
workflow_dispatch:
#Setting explicit permissions for the action to avoid the default permissions which are `write-all` in case of pull_request_target event
permissions:
actions: write
pull-requests: read
checks: read
contents: read
deployments: read
id-token: none
issues: read
discussions: read
packages: read
pages: read
repository-projects: read
security-events: read
statuses: read
# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: '${{ github.workflow }} @ ${{ github.event.issue.number || github.sha || github.head_ref || github.ref }}-${{ github.event.schedule || github.event.sender.login }}'
cancel-in-progress: true
env:
GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.GE_ACCESS_TOKEN }}
GRADLE_ENTERPRISE_CACHE_USERNAME: ${{ secrets.GE_CACHE_USERNAME }}
GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GE_CACHE_PASSWORD }}
jobs:
beam_IODatastoresCredentialsRotation:
if: |
github.event_name == 'workflow_dispatch' ||
(github.event_name == 'schedule' && github.repository == 'apache/beam')
runs-on: [self-hosted, ubuntu-20.04, main]
timeout-minutes: 100
name: ${{ matrix.job_name }}
strategy:
matrix:
job_name: ["beam_IODatastoresCredentialsRotation"]
job_phrase: ["N/A"]
steps:
- uses: actions/checkout@v4
- name: Setup repository
uses: ./.github/actions/setup-action
with:
comment_phrase: ${{ matrix.job_phrase }}
github_token: ${{ secrets.GITHUB_TOKEN }}
github_job: ${{ matrix.job_name }}
- name: Setup environment
uses: ./.github/actions/setup-environment-action
- name: Starting credential rotation
run: |
gcloud container clusters update io-datastores --start-credential-rotation --zone=us-central1-a --quiet
- name: Rebuilding the nodes
run: |
gcloud container clusters upgrade io-datastores --node-pool=pool-1 --zone=us-central1-a --quiet
- name: Completing the rotation
run: |
gcloud container clusters update io-datastores --complete-credential-rotation --zone=us-central1-a --quiet
- name: Generate Date
if: failure()
run: |
date=$(date -u +"%Y-%m-%d")
echo "date=$date" >> $GITHUB_ENV
- name: Send email
uses: dawidd6/action-send-mail@v3
if: failure()
with:
server_address: smtp.gmail.com
server_port: 465
secure: true
username: ${{ secrets.ISSUE_REPORT_SENDER_EMAIL_ADDRESS }}
password: ${{ secrets.ISSUE_REPORT_SENDER_EMAIL_PASSWORD }}
subject: Credentials Rotation Failure on IO-Datastores cluster (${{ env.date }})
to: [email protected]
from: [email protected]
body: |
Something went wrong during the automatic credentials rotation for IO-Datastores Cluster, performed at ${{ env.date }}. It may be necessary to check the state of the cluster certificates. For further details refer to the following links:\n * Failing job: https://github.com/apache/beam/actions/workflows/beam_IODatastoresCredentialsRotation.yml \n * Job configuration: https://github.com/apache/beam/blob/master/.github/workflows/beam_IODatastoresCredentialsRotation.yml \n * Cluster URL: https://pantheon.corp.google.com/kubernetes/clusters/details/us-central1-a/io-datastores/details?mods=dataflow_dev&project=apache-beam-testing