Add support for Azure Cleanroom based CCF #215
Conversation
DomAyre
force-pushed
the
az-cleanroom-2
branch
from
734367f to
7c8b6a6
Compare
. TMP: Use permitted sub . . . Avoid races setting up ccf providers . . . Fix permissions on setup.sh Pre-start jwt issuer to prevent races Run tests sequentially Fix JWT test
DomAyre
force-pushed
the
az-cleanroom-2
branch
from
3f302a7 to
04159d1
Compare
This reverts commit 4c78bea.
This reverts commit d15d9f9.
Run `az-cleanroom-aci` tests in parallel
| on: | ||
| workflow_dispatch: | ||
| schedule: | ||
| - cron: "0 0 * * *" |
There was a problem hiding this comment.
Doing this every night is problematic. Could we do the cleanup on Sunday?
Scenario:
We have large builds/tests. Start a full build/test before shutting down the day to inspect the next morning.
Or maybe we can do cleanup for containers older than e.g. 2 days
There was a problem hiding this comment.
Nightly cleanup is how all of our other repos work, including privacy-sandbox-dev which has about an order of magnitude more expensive builds/tests than this repo. What are you envisioning taking overnight and relying on having something deployed in ACI for that whole time?
There was a problem hiding this comment.
This is a plead for not doing nightly cleanups for any of our repos. At least wait one day so if you come back in the morning you can still inspect the failing tests
There was a problem hiding this comment.
The cleanup is before the nightly testing, so you can inspect the resources deployed by a given failing run for a full work day before it's cleaned up. And of course the logs in actions itself should have a reasonable amount of information to be useful too and that lasts much longer
| source ./scripts/jwt_issuer/up.sh | ||
| pytest -sv \ | ||
| test/system-test/test_${{ inputs.endpoint }}.py \ | ||
| -n ${{ matrix.config.threads }} |
There was a problem hiding this comment.
cool. Can we use -n on our other CI's?
There was a problem hiding this comment.
If by other CI's you mean using the sandbox_local environment, no because it's currently got hardcoded endpoint ports so if you tried to run multiple concurrently they would clash.
| @@ -1,5 +1,5 @@ | |||
| # Core Environment Variables | |||
| export SUBSCRIPTION=85c61f94-8912-4e82-900e-6ab44de9bdf8 | |||
| export SUBSCRIPTION=7ca35580-fc67-469c-91a7-68b38569ca6e | |||
There was a problem hiding this comment.
Shouldn't this be a secret?
There was a problem hiding this comment.
Why? It's just an ID you can't do anything with it without sufficient role based access
Motivation
This allows us to test against a production-like mCCF replacement, and will allow us to validate it against a realistic use case for us
Changes
scripts/az-cleanroom-acidir which installs the extension and brings up the networkconftest.pyfor deploying the networkup.sh(maybeaz cleanroom ccf network down?)Current compromises:
az-cleanroom-acitests in parallel #224 will address this but it's currently blocked onaz cleanroomso keeping separate so CI on this PR passesaz cleanroomdoesn't specify a subject alt name so the service cert isn't usable, so I suggest for now we remove SSL cert verification in the endpoint scripts (i.e. add-k). I will raise an issue with them and when it's fixed we can remove-k