Add integration tests workflow (#539)

*Issue #, if available:*

*Description of changes:* Fork run:
https://github.com/simonmarty/secrets-store-csi-driver-provider-aws/actions/runs/18887954508
(will try to keep this link up to date during review)

Add initial integration test workflow. The workflow triggers on
`pull_request_target` similar to
aws/aws-secretsmanager-agent#136


By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.

Author: simonmarty

.github/workflows/integ.yml

@@ -0,0 +1,138 @@
+name: Integration Tests
+
+on:
+  workflow_dispatch:
+  push:
+    branches: ["main"]
+  pull_request_target:
+    types: [labeled]
+
+concurrency:
+  # Only run one workflow at a time to avoid hitting the network interface quota
+  group: integration-tests
+  cancel-in-progress: false
+
+jobs:
+  build-docker:
+    name: Build Docker Image
+    if: |
+      github.event_name != 'pull_request_target' ||
+      contains(github.event.pull_request.labels.*.name, 'safe-to-test')
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        runner: [ubuntu-latest, ubuntu-24.04-arm]
+        include:
+          - os: linux
+          - arch: amd64
+            runner: ubuntu-latest
+          - arch: arm64
+            runner: ubuntu-24.04-arm
+    runs-on: ${{ matrix.runner }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build the Docker image
+        uses: docker/build-push-action@v6
+        with:
+          build-args: LDFLAGS=-X 'github.com/aws/secrets-store-csi-driver-provider-aws/server.Version=fakeversion' -X 'github.com/aws/secrets-store-csi-driver-provider-aws/auth.ProviderVersion=fakeversion' -extldflags '-static'
+          context: .
+          platforms: ${{ matrix.os }}/${{ matrix.arch }}
+          load: true
+          push: true
+          tags: ghcr.io/${{ github.repository_owner }}/test-build:latest-${{ matrix.arch }}-${{ github.run_id }}
+
+      - name: List images
+        run: |
+          docker image ls -a
+  integration-tests:
+    name: Run Integration Tests
+    needs: build-docker
+    if: |
+      github.event_name != 'pull_request_target' ||
+      contains(github.event.pull_request.labels.*.name, 'safe-to-test')
+    permissions:
+      id-token: write
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        runner: [ubuntu-latest, ubuntu-24.04-arm]
+        auth_type: [irsa, pod-identity]
+        include:
+          - os: linux
+          - arch: amd64
+            arch-short: x64
+            runner: ubuntu-latest
+          - arch: arm64
+            arch-short: arm
+            runner: ubuntu-24.04-arm
+    runs-on: ${{ matrix.runner }}
+
+    steps:
+      - name: Setup kubectl
+        uses: azure/setup-kubectl@v4
+
+      - name: Setup Helm
+        uses: azure/setup-helm@v4
+
+      - name: Setup eksctl
+        run: |
+          ARCH=${{ matrix.arch }}
+          PLATFORM=$(uname -s)_$ARCH
+
+          curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz"
+
+          curl -sL "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_checksums.txt" | grep $PLATFORM | sha256sum --check
+
+          tar -xzf eksctl_$PLATFORM.tar.gz -C /tmp && rm eksctl_$PLATFORM.tar.gz
+
+          sudo install -m 0755 /tmp/eksctl /usr/local/bin && rm /tmp/eksctl
+
+      - run: eksctl version
+
+      - name: Setup Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3"
+
+      - name: Install Python dependencies
+        run: pip install boto3
+
+      - name: Setup Bats and bats libs
+        id: setup-bats
+        uses: bats-core/[email protected]
+
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.sha }}
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: ${{ secrets.ROLE_ARN }}
+          role-session-name: csi-driver-ci-${{ github.run_id }}-${{ matrix.arch }}
+          aws-region: us-west-2
+
+      - name: Run integ tests
+        run: cd tests && ./run-tests.sh ${{ matrix.arch-short }}-${{ matrix.auth_type }}
+        env:
+          POD_IDENTITY_ROLE_ARN: ${{ secrets.POD_IDENTITY_ROLE_ARN }}
+          PRIVREPO: ghcr.io/${{ github.repository_owner }}/test-build:latest-${{ matrix.arch }}-${{ github.run_id }}
+
+      - name: Run cleanup
+        if: always()
+        run: cd tests && ./run-tests.sh clean ${{ matrix.arch-short }}-${{ matrix.auth_type }}

.github/workflows/pr_sync.yml

@@ -0,0 +1,31 @@
+name: Remove safe-to-test label when new commits are pushed
+
+on:
+  pull_request_target:
+    types: [synchronize]
+
+jobs:
+  remove-label:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+      contents: read
+    if: |
+      contains(github.event.pull_request.labels.*.name, 'safe-to-test')
+
+    steps:
+      - name: Remove label
+        run: |
+          echo "Removing label '$LABEL_NAME' from PR #$PR_NUMBER on repo $REPO" 
+          gh_status=$(gh api "repos/$REPO/issues/$PR_NUMBER/labels/$LABEL_NAME" -X DELETE | jq 'if type == "object" then .status else empty end' --raw-output)
+          case $gh_status in
+            "") echo "Label removed" ;;
+            404) echo "Label not found — ignoring" ;;
+            *) echo "unexpected HTTP $gh_status" && exit 1 ;;
+          esac
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          LABEL_NAME: safe-to-test
+          REPO: ${{ github.event.pull_request.base.repo.full_name }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}

Makefile

@@ -1,5 +1,5 @@
 $(eval AWS_REGION=$(shell echo $${REGION:-us-east-1}))
-$(eval REGISTRY_NAME=$(shell echo $${PRIVREPO:-public.ecr.aws/aws-secrets-manager/secrets-store-csi-driver-provider-aws}))
+$(eval REGISTRY_NAME=$(shell echo $${PRIVREPO:-public.ecr.aws/aws-secrets-manager/secrets-store-csi-driver-provider-aws:latest}))
 $(eval REPOBASE=$(shell echo $(REGISTRY_NAME) | cut -f1 -d/))
 
 ifeq ($(REPOBASE), public.ecr.aws)

README.md

@@ -286,7 +286,7 @@ cd secrets-store-csi-driver-provider-aws
 Next, set your region and repository name in bash shell variables to be used later:
 ```bash
 export REGION=<REGION>
-export PRIVREPO=<ACCOUNT>.dkr.ecr.$REGION.amazonaws.com/secrets-store-csi-driver-provider-aws
+export PRIVREPO=<ACCOUNT>.dkr.ecr.$REGION.amazonaws.com/secrets-store-csi-driver-provider-aws:latest
 ```
 Where **&lt;REGION&gt;** is the AWS region in which your Kubernetes cluster is running, and **&lt;ACCOUNT&gt;** is your AWS account Id. Next create your ECR repository if you have not already done so:
 ```bash

deployment/private-installer.yaml

@@ -58,7 +58,7 @@ spec:
       hostNetwork: false
       containers:
         - name: provider-aws-installer
-          image: ${PRIVREPO}:latest
+          image: ${PRIVREPO}
           imagePullPolicy: Always
           args:
               - --provider-volume=/var/run/secrets-store-csi-providers

tests/README.md

@@ -8,23 +8,7 @@
 6. Create the following two IAM roles:
 
 ```bash
-export POD_IDENTITY_X64_ROLE_ARN=$(aws --region "$REGION" --query Role.Arn --output text iam create-role --role-name x64-pod-identity-role --assume-role-policy-document '{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Principal": {
-                "Service": "pods.eks.amazonaws.com"
-            },
-            "Action": [
-                "sts:AssumeRole",
-                "sts:TagSession"
-            ]
-        }
-    ]
-}')
-
-export POD_IDENTITY_ARM_ROLE_ARN=$(aws --region "$REGION" --query Role.Arn --output text iam create-role --role-name arm-pod-identity-role --assume-role-policy-document '{
+export POD_IDENTITY_ROLE_ARN=$(aws --region "$REGION" --query Role.Arn --output text iam create-role --role-name pod-identity-role --assume-role-policy-document '{
     "Version": "2012-10-17",
     "Statement": [
         {
@@ -41,14 +25,14 @@ export POD_IDENTITY_ARM_ROLE_ARN=$(aws --region "$REGION" --query Role.Arn --out
 }')
 ```
 
-7. Attach the following policies to each role, replacing `${ARCH}` with `x64` and `arm` respectively:
+7. Attach the following policies to the role:
 
 ```bash
 aws iam attach-role-policy \
-	--role-name ${ARCH}-pod-identity-role \
+	--role-name pod-identity-role \
 	--policy-arn arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess
 aws iam attach-role-policy \
-	--role-name ${ARCH}-pod-identity-role \
+	--role-name pod-identity-role \
 	--policy-arn arn:aws:iam::aws:policy/SecretsManagerReadWrite
 ```