Skip to content

use distroless base image #16

use distroless base image

use distroless base image #16

Workflow file for this run

name: Test Suite
on:
push:
branches: [ "*" ]
paths-ignore:
- 'docs/**'
- 'README.md'
pull_request:
branches: [ "*" ]
paths-ignore:
- 'docs/**'
- 'README.md'
jobs:
build-host-scanner-image:
strategy:
fail-fast: false
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Set image version
id: image-version
run: echo '::set-output name=IMAGE_VERSION::test'
- name: Set image name
id: image-name
run: echo '::set-output name=IMAGE_NAME::quay.io/${{ github.repository_owner }}/host-scanner'
- name: Login to Quay.io
env:
QUAY_PASSWORD: ${{ secrets.QUAYIO_REGISTRY_PASSWORD }}
QUAY_USERNAME: ${{ secrets.QUAYIO_REGISTRY_USERNAME }}
run: docker login -u="${QUAY_USERNAME}" -p="${QUAY_PASSWORD}" quay.io
- name: Build the Docker image
run: |
docker buildx \
build . \
--file build/Dockerfile \
--tag ${{ steps.image-name.outputs.IMAGE_NAME }}:${{ steps.image-version.outputs.IMAGE_VERSION }} \
--tag ${{ steps.image-name.outputs.IMAGE_NAME }}:test \
--build-arg BUILD_VERSION=${{ steps.image-version.outputs.IMAGE_VERSION }} \
--push
env:
CGO_ENABLED: 0
integration-test:
needs: [build-host-scanner-image]
runs-on: ubuntu-latest
steps:
- name: Checkout host-scanner repo
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
- name: Checkout systests repo
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # ratchet:actions/checkout@v3
with:
repository: armosec/system-tests
path: system-tests
- uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # ratchet:actions/setup-python@v4
with:
python-version: '3.8.13'
cache: 'pip'
- name: create env
run: ./create_env.sh
working-directory: system-tests/
- name: Create k8s Kind Cluster
id: kind-cluster-install
uses: helm/kind-action@d08cf6ff1575077dee99962540d77ce91c62387d # ratchet:helm/kind-action@v1.3.0
with:
cluster_name: integration
- name: run integration test
env:
CUSTOMER: ${{ secrets.CUSTOMER }}
USERNAME: ${{ secrets.USERNAME }}
PASSWORD: ${{ secrets.PASSWORD }}
CLIENT_ID: ${{ secrets.CLIENT_ID_PROD }}
SECRET_KEY: ${{ secrets.SECRET_KEY_PROD }}
REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
run: |
source systests_python_env/bin/activate
python3 systest-cli.py \
-t host_scanner_with_hostsensorrule \
-b production \
-c CyberArmorTests \
--duration 3 \
--logger DEBUG \
--kwargs ks_branch=release \
host_scan_yaml=../deployment/host-scanner.yaml
deactivate
working-directory: system-tests/
e2e-test-multi-version-support:
strategy:
fail-fast: false
matrix:
k8s: [
{
name: 'kind',
version: 'v1.25.0',
port: '7825'
},
{
name: 'kind',
version: 'v1.26.0',
port: '7826'
},
{
name: 'kind',
version: 'v1.27.0',
port: '7827'
}
]
needs: [build-host-scanner-image]
runs-on: ubuntu-latest
steps:
- name: Clone host-scanner repository
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Install Kubectl
uses: azure/setup-kubectl@v3
id: install
- name: Install Kind
uses: engineerd/setup-kind@v0.5.0
with:
skipClusterCreation: true
version: v0.18.0
- name: Setup test clusters
run: |
kind create cluster \
--kubeconfig test-${{ matrix.k8s.version }} \
--name test-${{ matrix.k8s.version }} \
--image kindest/node:${{ matrix.k8s.version }}
- name: Install host-scanner
run: |
kubectl apply \
--kubeconfig test-${{ matrix.k8s.version }} \
-f deployment/host-scanner.yaml
- name: Get Namespace
id: namespace
run: |
namespace=$(cat deployment/host-scanner.yaml | grep -oP "(?<=namespace: )(.*)")
echo "NAMESPACE=$namespace" >> $GITHUB_OUTPUT
- name: Wait for host-scanner ready
run: |
sleep 15
kubectl wait \
--for=condition=ready \
pod \
-l name=host-scanner \
--namespace ${{ steps.namespace.outputs.NAMESPACE }} \
--timeout=300s \
--kubeconfig test-${{ matrix.k8s.version }}
- name: Setup Kubernetes port-forward daemon
run: |
kubectl port-forward \
'daemonset/host-scanner' \
${{ matrix.k8s.port }}:7888 \
--namespace=${{ steps.namespace.outputs.NAMESPACE }} \
--kubeconfig=test-${{ matrix.k8s.version }} &
- name: Setup Go
uses: actions/setup-go@v2
with:
go-version: '1.19'
- name: Run e2e tests
working-directory: ./e2e
run: |
go test \
-tags ${{ matrix.k8s.name }} \
-v -ginkgo.v \
-args -port ${{ matrix.k8s.port }}
env:
KUBECONFIG: ../test-${{ matrix.k8s.version }}
# setup AKS cluster to run host-scanner on it
e2e-test-setup-aks:
strategy:
fail-fast: false
env:
ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }}
needs: [build-host-scanner-image]
runs-on: ubuntu-latest
steps:
- name: Download terraform scripts
uses: actions/checkout@v3
with:
ref: 'fix/add-conditional-output-to-aks'
repository: armosec/terraform-test-clusters
token: ${{ secrets.GH_TOKEN_TERRAFORM_TEST_CLUSTER }}
- uses: azure/login@v1
with:
creds: '{"clientId":"${{ secrets.AZURE_AD_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_AD_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_AD_TENANT_ID }}"}'
- name: Setup terraform
uses: hashicorp/setup-terraform@v2
- name: terraform Init
run: |
terraform init
working-directory: ./AKS/module_based/
- name: terraform apply
run: |
terraform apply \
-auto-approve \
-var cluster_owner=hs-e2e \
-var resource_group_name=automation-sonar-rg \
-var create_resource_group=0
working-directory: ./AKS/module_based/
- name: Get cluster name
id: cluster_name
run: |
cluster_name=$(terraform-bin output -raw kubernetes_cluster_name)
echo "CLUSTER_NAME=$cluster_name" >> $GITHUB_OUTPUT
working-directory: ./AKS/module_based/
- name: Retrieve aks kubconfig
uses: azure/CLI@v1
with:
inlineScript: |
az aks get-credentials \
--resource-group automation-sonar-rg \
--name ${{ steps.cluster_name.outputs.CLUSTER_NAME }} \
--admin \
--file ./AKS/module_based/test-aks
- name: Set right ownerships
run: |
sudo chown runner:docker test-aks
sudo chown runner:docker terraform.tfstate
working-directory: ./AKS/module_based/
- name: Encrypt kubeconfig files
run: |
gpg \
--batch \
-c \
--symmetric \
--cipher-algo AES256 \
--passphrase "${{ secrets.GPG_PASSPHRASE }}" \
./test-aks
working-directory: ./AKS/module_based/
- uses: actions/upload-artifact@v3
with:
name: kubeconfig-aks
path: |
./AKS/module_based/test-aks.gpg
retention-days: 1
- name: Encrypt tfstate file
run: |
gpg \
--batch \
-c \
--symmetric \
--cipher-algo AES256 \
--passphrase "${{ secrets.GPG_PASSPHRASE }}" \
./terraform.tfstate
working-directory: ./AKS/module_based/
- uses: actions/upload-artifact@v3
with:
name: tfstate-aks
path: |
./AKS/module_based/terraform.tfstate.gpg
retention-days: 1
# setup-eks:
# strategy:
# fail-fast: false
# runs-on: ubuntu-latest
# needs: [build-host-scanner-image]
# setup-gke:
# strategy:
# fail-fast: false
# runs-on: ubuntu-latest
# needs: [build-host-scanner-image]
e2e-test-install-host-scanner:
env:
ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }}
strategy:
fail-fast: false
matrix:
k8s: [
{
name: 'aks',
version: 'aks',
port: '7801'
}
]
runs-on: ubuntu-latest
needs: [e2e-test-setup-aks]
steps:
- name: Clone host-scanner repository
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Install Kubectl
uses: azure/setup-kubectl@v3
id: install
- name: Download artifacts
uses: actions/download-artifact@v3
with:
name: kubeconfig-${{ matrix.k8s.version }}
path: ./test-${{ matrix.k8s.version }}
- name: Decrypt files
run: |
gpg \
--quiet \
--batch \
--yes \
--decrypt \
--passphrase "${{ secrets.GPG_PASSPHRASE }}" \
--output test-${{ matrix.k8s.version }}/test-${{ matrix.k8s.version }} \
test-${{ matrix.k8s.version }}/test-${{ matrix.k8s.version }}.gpg
- uses: azure/use-kubelogin@v1
with:
kubelogin-version: 'v0.0.29'
- uses: azure/login@v1
with:
creds: '{"clientId":"${{ secrets.AZURE_AD_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_AD_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_AD_TENANT_ID }}"}'
- name: Convert kubeconfig
run: |
kubelogin convert-kubeconfig -l azurecli
- name: Install host-scanner
run: |
kubectl apply \
--kubeconfig test-${{ matrix.k8s.version }}/test-${{ matrix.k8s.version }} \
-f deployment/host-scanner.yaml
- name: Get Namespace
id: namespace
run: |
namespace=$(cat deployment/host-scanner.yaml | grep -oP "(?<=namespace: )(.*)")
echo "NAMESPACE=$namespace" >> $GITHUB_OUTPUT
- name: Wait for host-scanner ready
run: |
sleep 15
kubectl wait \
--for=condition=ready \
pod \
-l name=host-scanner \
--namespace ${{ steps.namespace.outputs.NAMESPACE }} \
--timeout=300s \
--kubeconfig test-${{ matrix.k8s.version }}/test-${{ matrix.k8s.version }}
e2e-test-run-test-suite:
if: always()
strategy:
max-parallel: 8
fail-fast: false
matrix:
k8s: [
{
name: 'aks',
version: 'aks',
port: '7801'
}
]
runs-on: ubuntu-latest
needs: [e2e-test-install-host-scanner]
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Setup Go
uses: actions/setup-go@v2
with:
go-version: '1.19'
- name: Download artifacts
uses: actions/download-artifact@v3
with:
name: kubeconfig-${{ matrix.k8s.version }}
path: ./test-${{ matrix.k8s.version }}
- name: Decrypt kubeconfig files
run: |
gpg \
--quiet \
--batch \
--yes \
--decrypt \
--passphrase "${{ secrets.GPG_PASSPHRASE }}" \
--output test-${{ matrix.k8s.version }}/test-${{ matrix.k8s.version }} \
test-${{ matrix.k8s.version }}/test-${{ matrix.k8s.version }}.gpg
- name: Get Namespace
id: namespace
run: |
namespace=$(cat deployment/host-scanner.yaml | grep -oP "(?<=namespace: )(.*)")
echo "NAMESPACE=$namespace" >> $GITHUB_OUTPUT
- name: Setup Kubernetes port-forward daemon
run: |
kubectl port-forward \
'daemonset/host-scanner' \
${{ matrix.k8s.port }}:7888 \
--namespace=${{ steps.namespace.outputs.NAMESPACE }} \
--kubeconfig=test-${{ matrix.k8s.version }}/test-${{ matrix.k8s.version }} &
- name: Run e2e tests
working-directory: ./e2e
run: |
go test \
-tags ${{ matrix.k8s.name }} \
-v -ginkgo.v \
-args -port ${{ matrix.k8s.port }}
env:
KUBECONFIG: ../test-${{ matrix.k8s.version }}/test-${{ matrix.k8s.version }}
e2e-test-destroy-aks:
if: always()
strategy:
fail-fast: false
env:
ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }}
needs: [e2e-test-run-test-suite]
runs-on: ubuntu-latest
steps:
- name: Download terraform scripts
uses: actions/checkout@v3
with:
ref: 'fix/add-conditional-output-to-aks'
repository: armosec/terraform-test-clusters
token: ${{ secrets.GH_TOKEN_TERRAFORM_TEST_CLUSTER }}
- uses: azure/login@v1
with:
creds: '{"clientId":"${{ secrets.AZURE_AD_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_AD_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_AD_TENANT_ID }}"}'
- name: Setup terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_wrapper: false
- name: Download tfstate artifact
uses: actions/download-artifact@v3
with:
name: tfstate-aks
path: ./AKS/module_based/
- name: Decrypt files
run: |
gpg \
--quiet \
--batch \
--yes \
--decrypt \
--passphrase "${{ secrets.GPG_PASSPHRASE }}" \
--output terraform.tfstate \
terraform.tfstate.gpg
working-directory: ./AKS/module_based/
- name: terraform Init
run: |
terraform init
working-directory: ./AKS/module_based/
- name: terraform destroy
run: |
terraform destroy \
-auto-approve \
-var cluster_owner=hs-e2e \
-var resource_group_name=automation-sonar-rg \
-var create_resource_group=0
working-directory: ./AKS/module_based/