mirror of
https://github.com/minio/minio.git
synced 2025-01-25 21:53:16 -05:00
5bd27346ac
Tests if imported service accounts have required access to buckets and objects. Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io> Co-authored-by: Harshavardhana <harsha@minio.io>
162 lines
5.3 KiB
YAML
162 lines
5.3 KiB
YAML
name: IAM integration
|
|
|
|
on:
|
|
pull_request:
|
|
branches:
|
|
- master
|
|
|
|
# This ensures that previous jobs for the PR are canceled when the PR is
|
|
# updated.
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.head_ref }}
|
|
cancel-in-progress: true
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
iam-matrix-test:
|
|
name: "[Go=${{ matrix.go-version }}|ldap=${{ matrix.ldap }}|etcd=${{ matrix.etcd }}|openid=${{ matrix.openid }}]"
|
|
runs-on: ubuntu-latest
|
|
|
|
services:
|
|
openldap:
|
|
image: quay.io/minio/openldap
|
|
ports:
|
|
- "389:389"
|
|
- "636:636"
|
|
env:
|
|
LDAP_ORGANIZATION: "MinIO Inc"
|
|
LDAP_DOMAIN: "min.io"
|
|
LDAP_ADMIN_PASSWORD: "admin"
|
|
etcd:
|
|
image: "quay.io/coreos/etcd:v3.5.1"
|
|
env:
|
|
ETCD_LISTEN_CLIENT_URLS: "http://0.0.0.0:2379"
|
|
ETCD_ADVERTISE_CLIENT_URLS: "http://0.0.0.0:2379"
|
|
ports:
|
|
- "2379:2379"
|
|
options: >-
|
|
--health-cmd "etcdctl endpoint health"
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
openid:
|
|
image: quay.io/minio/dex
|
|
ports:
|
|
- "5556:5556"
|
|
env:
|
|
DEX_LDAP_SERVER: "openldap:389"
|
|
openid2:
|
|
image: quay.io/minio/dex
|
|
ports:
|
|
- "5557:5557"
|
|
env:
|
|
DEX_LDAP_SERVER: "openldap:389"
|
|
DEX_ISSUER: "http://127.0.0.1:5557/dex"
|
|
DEX_WEB_HTTP: "0.0.0.0:5557"
|
|
|
|
strategy:
|
|
# When ldap, etcd or openid vars are empty below, those external servers
|
|
# are turned off - i.e. if ldap="", then ldap server is not enabled for
|
|
# the tests.
|
|
matrix:
|
|
go-version: [1.22.x]
|
|
ldap: ["", "localhost:389"]
|
|
etcd: ["", "http://localhost:2379"]
|
|
openid: ["", "http://127.0.0.1:5556/dex"]
|
|
exclude:
|
|
# exclude combos where all are empty.
|
|
- ldap: ""
|
|
etcd: ""
|
|
openid: ""
|
|
# exclude combos where both ldap and openid IDPs are specified.
|
|
- ldap: "localhost:389"
|
|
openid: "http://127.0.0.1:5556/dex"
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-go@v5
|
|
with:
|
|
go-version: ${{ matrix.go-version }}
|
|
check-latest: true
|
|
- name: Test LDAP/OpenID/Etcd combo
|
|
env:
|
|
_MINIO_LDAP_TEST_SERVER: ${{ matrix.ldap }}
|
|
_MINIO_ETCD_TEST_SERVER: ${{ matrix.etcd }}
|
|
_MINIO_OPENID_TEST_SERVER: ${{ matrix.openid }}
|
|
run: |
|
|
sudo sysctl net.ipv6.conf.all.disable_ipv6=0
|
|
sudo sysctl net.ipv6.conf.default.disable_ipv6=0
|
|
make test-iam
|
|
- name: Test with multiple OpenID providers
|
|
if: matrix.openid == 'http://127.0.0.1:5556/dex'
|
|
env:
|
|
_MINIO_LDAP_TEST_SERVER: ${{ matrix.ldap }}
|
|
_MINIO_ETCD_TEST_SERVER: ${{ matrix.etcd }}
|
|
_MINIO_OPENID_TEST_SERVER: ${{ matrix.openid }}
|
|
_MINIO_OPENID_TEST_SERVER_2: "http://127.0.0.1:5557/dex"
|
|
run: |
|
|
sudo sysctl net.ipv6.conf.all.disable_ipv6=0
|
|
sudo sysctl net.ipv6.conf.default.disable_ipv6=0
|
|
make test-iam
|
|
- name: Test with Access Management Plugin enabled
|
|
env:
|
|
_MINIO_LDAP_TEST_SERVER: ${{ matrix.ldap }}
|
|
_MINIO_ETCD_TEST_SERVER: ${{ matrix.etcd }}
|
|
_MINIO_OPENID_TEST_SERVER: ${{ matrix.openid }}
|
|
_MINIO_POLICY_PLUGIN_TEST_ENDPOINT: "http://127.0.0.1:8080"
|
|
run: |
|
|
sudo sysctl net.ipv6.conf.all.disable_ipv6=0
|
|
sudo sysctl net.ipv6.conf.default.disable_ipv6=0
|
|
go run docs/iam/access-manager-plugin.go &
|
|
make test-iam
|
|
- name: Test MinIO Old Version data to IAM import current version
|
|
if: matrix.ldap == 'ldaphost:389'
|
|
env:
|
|
_MINIO_LDAP_TEST_SERVER: ${{ matrix.ldap }}
|
|
run: |
|
|
make test-iam-ldap-upgrade-import
|
|
- name: Test LDAP for automatic site replication
|
|
if: matrix.ldap == 'localhost:389'
|
|
run: |
|
|
make test-site-replication-ldap
|
|
- name: Test OIDC for automatic site replication
|
|
if: matrix.openid == 'http://127.0.0.1:5556/dex'
|
|
run: |
|
|
make test-site-replication-oidc
|
|
iam-import-with-missing-entities:
|
|
name: Test IAM import in new cluster with missing entities
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-go@v5
|
|
with:
|
|
go-version: ${{ matrix.go-version }}
|
|
check-latest: true
|
|
- name: Checkout minio-iam-testing
|
|
uses: actions/checkout@v4
|
|
with:
|
|
repository: minio/minio-iam-testing
|
|
path: minio-iam-testing
|
|
- name: Test import of IAM artifacts when in fresh cluster there are missing groups etc
|
|
run: |
|
|
make test-iam-import-with-missing-entities
|
|
iam-import-with-openid:
|
|
name: Test IAM import in new cluster with opendid configurations
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: actions/setup-go@v5
|
|
with:
|
|
go-version: ${{ matrix.go-version }}
|
|
check-latest: true
|
|
- name: Checkout minio-iam-testing
|
|
uses: actions/checkout@v4
|
|
with:
|
|
repository: minio/minio-iam-testing
|
|
path: minio-iam-testing
|
|
- name: Test import of IAM artifacts when in fresh cluster with openid configurations
|
|
run: |
|
|
make test-iam-import-with-openid
|