When creating CI test scripts in GitHub, you sometimes need to use sensitive information like passwords and API Keys. To keep this information safe, GitHub provides a feature called Secrets. Secrets are encrypted environment variables you create in a repository and are available in your workflows.
In this article, you will see how to configure a repository to use Tracetest and GitHub Actions with Secrets to run trace-based tests, keeping your sensitive information safe.
Scenario: Payment Ecosystem
We have a mini Payment ecosystem with 4 APIs to emulate a Payment system, and we want to test it with Tracetest. This system is composed by:
- Gateway API: User-facing API that receives payment orders, protected with Basic Auth.
- Payment Executor API: Executes a payment order after analyzing the customer profile.
- Risk Analysis API: Analyzes a user profile to understand its score.
- Wallet API: Retains data about each user's wallet balance.
These APIs are instrumented with OpenTelemetry SDKs and send data to Jaeger via the OpenTelemetry Collector.
Each one of these APIs has their code specified inside our source code on GitHub (here) inside the services
folder. You can run them together using Docker Compose along with a Tracetest Agent, which we will use to test these services with the following command:
git clone git@github.com:kubeshop/tracetest.git
cd ./tracetest/examples/tracetest-with-github-action-and-secrets
TRACETEST_API_KEY=<your-agent-key> docker compose up
However, to run a test, you need to execute an API call against the Gateway API, which is protected with Basic Auth. This could be troublesome with Tracetest and GitHub Actions, since you don't have this Basic Auth password logged into the test definition and also on GitHub Action execution.
To solve that, you will use a Github Secret to store the Basic Auth credentials, which you can use in our Github Action workflow by adding it to a VariableSet as a secret.
Creating a GitHub Actions Workflow
First you will create a repository in your machine and add it to GitHub. After that you will structure a Github Action Workflow file that will start the API and run the trace-based tests for it.
Creating the API Services GitHub Repo
You need to create a new folder on your machine to store the service code and the repository code. Do this by running the following commands:
# sandbox folder to store our files
mkdir github-actions-test
cd ./github-actions-test
mkdir my-repository
cd ./my-repository
Now, copy the code of the Payment Ecosystem to this repository. Do this by running the following commands:
cd ..
git clone git@github.com:kubeshop/tracetest.git
cp -r ./tracetest/examples/tracetest-with-github-action-and-secrets/services ./my-repository
cd ./my-repository
# remove the .git folder to start a new repository
rm -rf .git
git init
git add .
git commit -m "Initial commit"
Then, create a new repository on GitHub and perform the commands below:
git remote add origin https://github.com/<your-github-user>/<your-github-name>.git
git push origin main
After that, you need to configure a new environment on Tracetest with these instructions and generate an environment token for it (here). Remember to store the API Key generated for the Tracetest Agent and the environment token, as they will be used in the next step.
You need to register three secrets in your GitHub repository using these instructions:
-
TRACETEST_API_KEY
: The API key used by your agent to connect to Tracetest. -
TRACETEST_CLI_TOKEN
: An environment token used by the CI to run a test. -
API_SECRET_PASSWORD
: The password used to authenticate on the Gateway API. For demo purposes, its value issupersecret
.
Creating the GitHub Actions Workflow
Now that you have the repository set, let's create a new Github Actions workflow file in your repository. First, create a new file in the .github/workflows
folder with the following content:
name: Run trace-based tests
on:
# runs on every push to main
push:
branches: [main]
# allows run manually via Actions tab on Github
workflow_dispatch:
env:
TRACETEST_API_KEY: ${{secrets.TRACETEST_API_KEY}}
jobs:
run-trace-based-tests:
name: Run trace based tests for Payment Ecosystem
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
# more steps to add
This file defines a workflow that runs on every push to the main
branch and can be manually triggered via the Actions tab on GitHub. It also establishes an environment variable TRACETEST_API_KEY
that is set to the value of the secret TRACETEST_API_KEY
. The Tracetest Agent defined inside our docker-compose.yml
file will use this value. The file also adds the first step that checks out the repository code into the CI container.
The next step is to install the Tracetest CLI in the CI container with the Tracetest Github Action and configure the CLI. You can do this by adding the following step:
# ...
steps:
# previous steps ...
- name: Configure Tracetest CLI
uses: kubeshop/tracetest-github-action@v1
with:
token: ${{secrets.TRACETEST_CLI_TOKEN}}
# more steps to add
Then, the two following steps will start the APIs locally using Docker Compose and configure the Tracetest Agent to read traces from the Jaeger instance running inside of the Docker Compose network:
# ...
steps:
# previous steps ...
- name: Run APIs locally with docker compose
run: |
docker-compose up -d
docker compose logs -f > /tmp/docker-log &
- name: Configure Tracing Backend
run: |
tracetest datastore apply --file ./tracing-backend.yaml
# more steps to add
Now, you will set up a VariableSet with the id tracetesting-vars
with all variables used in your test context, including the API_SECRET_PASSWORD
secret. This will help Tracetest understand that this variable is a secret and should not be presented in the UI and CLI outputs. You can do this by adding the following step to the workflow file:
# ...
steps:
# previous steps ...
- name: Inject secrets as a variable set in Tracetest
run: |
cat << EOF > vars.yaml
type: VariableSet
spec:
id: tracetesting-vars
name: AuthKeys for test
description: Variables used in basic auth for my API
values:
- key: USER
value: admin
- key: PASSWORD
value: ${{secrets.API_SECRET_PASSWORD}}
type: secret
EOF
tracetest apply variableset --file ./vars.yaml
# more steps to add
Finally, you will run the test using the Tracetest CLI, passing the tracetesting-vars
Variable Set with the --vars
argument and the test file trace-based-test.yaml
that contains the test definition. You can do this by adding the following step to the workflow file:
# ...
steps:
# previous steps ...
- name: Run trace-based tests
run: |
tracetest run test --vars tracetesting-vars --file ./trace-based-test.yaml
# more steps to add
You can run the test by pushing a new commit to the main
branch with:
# assuming that you are on "my-repository" folder
git add .
git commit -m "Add Tracetest Github Action workflow"
git push origin main
After a while, you can go to the "Actions" on GitHub and see the workflow running, as shown below.
Drill down to see the jobs contained in this workflow.
You can also see the execution of this workflow.
Once it's finished, you can see the test results in the Tracetest Web UI by going to your environment on app.tracetest.io and clicking on "Runs.”
Final Remarks
In conclusion, running trace-based tests with GitHub Actions and Secrets offers a secure and efficient way to manage sensitive information while ensuring the reliability of your systems. By following the steps outlined in this article, you can configure your GitHub repository to securely store and use secrets, set up your APIs, and run comprehensive tests with Tracetest.
Would you like to learn more about Tracetest and what it brings to the table? Visit the Tracetest docs and try it out by signing up today!
Also, please feel free to join our Slack Community, give Tracetest a star on GitHub, or schedule a time to chat 1:1.
Top comments (0)