Run Azure functional tests locally against OS-process Radius #11904
sylvainsf wants to merge 2 commits into
Adds a workflow for running the corerp/cloud Azure functional tests
against a local OS-process Radius stack (`make debug-start`) using the
host's `az login` credentials, with no service-principal/workload-identity
registration required.
Highlights
- New `build/scripts/azure-local-testenv.sh` orchestrator with
`setup`, `run`, `teardown`, `all` sub-commands. `run` and `all` accept
passthrough `go test` flags (e.g. `-run`, `-v`).
- Auto-recovery: `run` rebuilds state from the newest
`radlocal-${USER}-*` resource group when the state file is missing
(e.g. after `make debug-stop`), and re-applies the Azure scope on the
default rad environment that `debug-start` wipes.
- Orphan GC: `teardown --all-orphans` deletes every
`radlocal-${USER}-*` RG and stops the `tf-module-server` port-forward.
- `tf-module-server` bootstrap: deploys the in-cluster nginx test module
server and port-forwards it to `localhost:8999` automatically when not
already reachable.
- Terraform Azure provider falls back to `use_cli = true` when no Azure
credential is registered with UCP (404), letting the host RP's
`az login` session authenticate. CI workload-identity path is
unchanged.
- `start-radius.sh` exports `TERRAFORM_TEST_GLOBAL_DIR` so the RP no
longer tries to write to read-only `/terraform`.
- AWS-required tests skip cleanly via `t.Skip` when AWS env vars are
unset; private-git redis test skips when `GH_TOKEN` is unset.
- `recipe_terraform_test.go` now derives the resource ID from the
active workspace scope so it works against any RG (CI's `kind-radius`
and local debug's `default`).
Tested
Full `corerp/cloud/...` suite green locally:
- PASS: `Test_AzureConnections`, `Test_ACI`, `Test_TerraformRecipe_AzureResourceGroup`
- SKIP: AWS-only tests, `Test_TerraformPrivateGitModule_KubernetesRedis`,
`Test_Storage`/`Test_PersistentVolume` (issue #7853, pre-existing)
Documentation in
`docs/contributing/contributing-code/contributing-code-debugging/radius-os-processes-debugging.md`.
Signed-off-by: Sylvain Niles <sylvainniles@microsoft.com>
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned files: None
Pull request overview
Adds a local-dev workflow to run the corerp/cloud Azure functional tests against an OS-process Radius debug stack using ambient az login credentials (no UCP-registered Azure credential required), plus supporting tweaks to tests, tooling, and docs.
Changes:
- Introduces `build/scripts/azure-local-testenv.sh` + new `make test-functional-azure-local*` targets to provision/execute/cleanup an ephemeral Azure test environment.
- Updates Terraform Azure provider config generation to fall back to Azure CLI auth (`use_cli = true`) when no Radius-managed credential exists (incl. 404 lookup).
- Improves local/CI test ergonomics (scope-derived resource IDs, skip behavior when secrets/creds are absent) and documents the workflow.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| test/validation/shared.go | Adds a local-dev escape hatch env var to bypass UCP credential presence checks in tests. |
| test/functional-portable/corerp/cloud/resources/recipe_terraform_test.go | Uses active workspace scope for resource IDs; skips private-git test when GH_TOKEN is unset. |
| test/functional-portable/corerp/cloud/resources/extender_test.go | Switches AWS env-var precheck from failing to skipping. |
| test/createAzureTestResources.bicep | Parameterizes Cosmos account name to avoid global-name collisions in parallel/local runs. |
| pkg/recipes/terraform/config/providers/azure.go | Treats 404/missing creds as “no creds” and explicitly enables Azure CLI auth fallback. |
| docs/contributing/contributing-code/contributing-code-debugging/radius-os-processes-debugging.md | Documents running DE locally and the new local Azure functional test workflow. |
| build/test.mk | Adds test-functional-azure-local* make targets that wrap the new orchestrator script. |
| build/scripts/start-radius.sh | Sets a writable Terraform global cache dir for OS-process runs. |
| build/scripts/ensure-encryption-key.sh | Ensures the encryption key Secret exists for the k3d debug stack (Helm-less path). |
| build/scripts/azure-local-testenv.sh | New orchestrator for setup/run/teardown of local Azure functional test environment + tf-module-server bootstrap. |
| build/debug.mk | Improves k3d cluster handling; supports reusing an external local Deployment Engine on port 5017; ensures encryption key secret exists. |
| # Pick the newest RG (epoch suffix). RG names are radlocal-<user>-<epoch>. | ||
| rg="$(printf '%s\n' ${matches} | sort -t- -k3 -n | tail -1)" |
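Review bot: `sort -t- -k3 -n` assumes the epoch is always the third hyphen-separated field, which only holds when `<user>` contains no hyphen; for a user name such as `first-last`, field 3 is part of the name and `tail -1` no longer selects the newest RG. Sort on the last field instead (for example by keying on `${name##*-}`), and hold the matches in an array or quote them rather than relying on word splitting of `${matches}`.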
| if ! kubectl get ns "${TF_MODULE_SERVER_NS}" >/dev/null 2>&1 \ | ||
| || ! kubectl -n "${TF_MODULE_SERVER_NS}" get deploy tf-module-server >/dev/null 2>&1; then | ||
| log "Deploying tf-module-server into the debug cluster (publish-test-terraform-recipes)..." | ||
| (cd "${REPO_ROOT}" && make publish-test-terraform-recipes >/dev/null) \ | ||
| || { err "make publish-test-terraform-recipes failed"; exit 1; } |
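Review bot: both `kubectl` probes and the `make publish-test-terraform-recipes` call act on whatever kubeconfig context is current; nothing in these lines pins them to the debug cluster that the log message names. If the context is not fixed earlier in the script, pass `--context` explicitly or verify the current context before deploying. Separately, `>/dev/null` on the make call discards its stdout, so a failure leaves only the one-line `err` message to debug with; capturing the output to a log file and printing it on failure would help.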
| cmd_all() { | ||
| cmd_setup | ||
| local rc=0 | ||
| if [[ "${AZURE_LOCAL_KEEP_ON_FAILURE:-0}" == "1" || "${AZURE_LOCAL_KEEP_ON_FAILURE:-}" =~ ^[Tt]rue$ ]]; then | ||
| log "AZURE_LOCAL_KEEP_ON_FAILURE is set; teardown will be SKIPPED if tests fail (post-mortem mode)." |
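Review bot: the `AZURE_LOCAL_KEEP_ON_FAILURE` check accepts only `1`, `true` and `True`; values such as `TRUE` or `yes` fall through silently, so teardown runs and removes the environment the developer meant to keep. Lowercase the value before comparing, or reject unrecognised values with an error. Because post-mortem mode leaves Azure resources running, the log line is also a good place to point at the `teardown` sub-command for cleaning up afterwards.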
| // When no Radius-managed credentials are registered (e.g. a developer | ||
| // running the RP locally without `rad credential register azure ...`), | ||
| // fall back to the Azure CLI credentials available on the host process. | ||
| // `use_cli = true` is the azurerm provider default but we set it | ||
| // explicitly to make the intent clear in the generated terraform config. | ||
| if credentials == nil { | ||
| configMap[azureUseCLIParam] = true | ||
| return configMap |
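Review bot: the `credentials == nil` branch switches Terraform to the host's Azure CLI identity without emitting a log line, so nothing in the RP output records which identity a recipe ran under. Log the fallback here, and consider requiring an explicit opt-in outside local debugging, since the same branch is reachable wherever the RP runs without a registered credential. The comment also says `use_cli = true` is already the provider default, so a unit test asserting the key appears in the generated config would document why it is set.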
| if command -v lsof >/dev/null 2>&1; then \ | ||
| listener_cmd=$$(lsof -nP -iTCP:5017 -sTCP:LISTEN 2>/dev/null | awk 'NR==2 {print $$1}'); \ | ||
| fi; \ | ||
| if [ -n "$$listener_cmd" ] && [ "$$listener_cmd" != "kubectl" ] && curl -s "http://localhost:5017/metrics" > /dev/null 2>&1; then \ |
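Review bot: `curl -s "http://localhost:5017/metrics"` exits 0 on any HTTP response, including 404 or 500, so combined with the `!= "kubectl"` name check any non-kubectl HTTP server listening on port 5017 is accepted as the local Deployment Engine. Add `-f` and a short `--max-time` so only a successful response counts. `listener_cmd` is also assigned only inside the `command -v lsof` branch; initialise it to an empty string first so a value inherited from the environment cannot satisfy the `-n` test when `lsof` is missing.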
| // Skip the test if the required environment variables are not set | ||
| // (in CI these are provided alongside AWS credentials; locally the | ||
| // AWS feature gate via RequiredFeatures will also skip the test when | ||
| // AWS credentials are not registered with UCP). | ||
| if awsAccountID == "" || awsRegion == "" { |
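Review bot: turning this precheck into a skip means a CI run that loses `awsAccountID` or `awsRegion` (the comment says CI is expected to provide them) now reports green with the AWS tests not executed. Keep the skip for local runs but fail when running in CI, and make sure the skip message names the missing variable so it is visible in the test output.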
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #11904 +/- ##
==========================================
- Coverage 51.69% 51.69% -0.01%
==========================================
Files 724 724
Lines 45508 45511 +3
==========================================
Hits 23525 23525
- Misses 19763 19765 +2
- Partials 2220 2221 +1
Radius functional test overview
Test Status: ⌛ Building Radius and pushing container images for functional tests...
Description
Adds a workflow for running the `corerp/cloud` Azure functional tests against a local OS-process Radius stack (`make debug-start`) using the host's `az login` credentials, with no service-principal/workload-identity registration required.

Highlights
- `build/scripts/azure-local-testenv.sh` orchestrator with `setup`, `run`, `teardown`, `all` sub-commands. `run` and `all` accept passthrough `go test` flags (e.g. `-run`, `-v`).
- `run` rebuilds state from the newest `radlocal-${USER}-*` resource group when the state file is missing (e.g. after `make debug-stop`), and re-applies the Azure scope on the `default` rad environment that `debug-start` wipes.
- `teardown --all-orphans` deletes every `radlocal-${USER}-*` RG and stops the `tf-module-server` port-forward.
- `tf-module-server` bootstrap: deploys the in-cluster nginx test module server and port-forwards it to `localhost:8999` automatically when not already reachable.
- `use_cli = true` when no Azure credential is registered with UCP (404), letting the host RP's `az login` session authenticate. CI workload-identity path is unchanged. See `pkg/recipes/terraform/config/providers/azure.go`.
- `build/scripts/start-radius.sh` exports `TERRAFORM_TEST_GLOBAL_DIR` so the RP no longer tries to write to read-only `/terraform`.
- `t.Skip` when AWS env vars are unset; private-git redis test skips when `GH_TOKEN` is unset.
- `recipe_terraform_test.go` now derives the resource ID from the active workspace scope so it works against any RG (CI's `kind-radius` and local debug's `default`).

Type of change
Auto-generated summary

How tested
Full `corerp/cloud/...` suite green locally with the new orchestrator:
- `Test_AzureConnections`
- `Test_ACI`
- `Test_TerraformRecipe_AzureResourceGroup`
- (`Test_AWS_*`, `Test_Extender_RecipeAWS_LogGroup`, `Test_AWSRedeploy*`)
- `Test_TerraformPrivateGitModule_KubernetesRedis` (`GH_TOKEN`)
- `Test_Storage`, `Test_PersistentVolume`

`./build/scripts/azure-local-testenv.sh run -v # EXIT=0`

Unit tests for the changed terraform provider package also pass:
`go test ./pkg/recipes/terraform/config/providers/... -count=1`

Documentation
Updated `docs/contributing/contributing-code/contributing-code-debugging/radius-os-processes-debugging.md` with new sections on:
- `azure-local-testenv.sh run -run …`
- `teardown --all-orphans`
- `tf-module-server` bootstrap behavior

Backwards compatibility
- `rad credential register azure …` continue to work exactly as before.
- `use_cli = true` fallback only activates when UCP returns 404 for the credential lookup (i.e. no credential ever registered).
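
The fallback rule described above (use the registered credential when there is one, fall back to `use_cli = true` only when the lookup reports no credential), sketched as an added example that is not code from this PR. `Credential`, `ErrNotFound` and `BuildAzureProviderConfig` are hypothetical names, and failing closed on every other lookup error is a choice made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound stands in for a 404 from the credential lookup (hypothetical name).
var ErrNotFound = errors.New("credential not found")

// Credential is a hypothetical shape for a registered service-principal credential.
type Credential struct{ TenantID, ClientID, ClientSecret string }

// BuildAzureProviderConfig returns azurerm provider arguments.
//   - credential registered  -> explicit identity, CLI auth switched off
//   - 404 / nothing returned -> ambient `az login` session via use_cli = true
//   - any other lookup error -> fail closed, so an outage never changes identity
func BuildAzureProviderConfig(subscriptionID string, lookup func() (*Credential, error)) (map[string]any, error) {
	cfg := map[string]any{"subscription_id": subscriptionID, "features": map[string]any{}}
	cred, err := lookup()
	switch {
	case errors.Is(err, ErrNotFound), err == nil && cred == nil:
		cfg["use_cli"] = true
		return cfg, nil
	case err != nil:
		return nil, fmt.Errorf("azure credential lookup: %w", err)
	}
	cfg["use_cli"] = false
	cfg["tenant_id"] = cred.TenantID
	cfg["client_id"] = cred.ClientID
	cfg["client_secret"] = cred.ClientSecret
	return cfg, nil
}

func main() {
	// Constructed lookups covering the three outcomes.
	lookups := map[string]func() (*Credential, error){
		"registered": func() (*Credential, error) { return &Credential{"t-0000", "c-0000", "s-0000"}, nil },
		"404":        func() (*Credential, error) { return nil, ErrNotFound },
		"outage":     func() (*Credential, error) { return nil, errors.New("503 from UCP") },
	}
	for name, l := range lookups {
		cfg, err := BuildAzureProviderConfig("00000000-0000-0000-0000-000000000000", l)
		fmt.Printf("%-10s use_cli=%v err=%v\n", name, cfg["use_cli"], err)
	}
}
```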