Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CI improvements #927

Merged
merged 6 commits into from
Jan 8, 2025
Merged
Show file tree
Hide file tree
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 29 additions & 3 deletions k8s/scripts/inspect.sh
Original file line number Diff line number Diff line change
Expand Up @@ -7,18 +7,22 @@
# elevated permissions (sudo).
#
# Usage:
# ./inspect.sh [output_file]
# ./inspect.sh [output_file] [--detailed]
#
# Arguments:
# output_file (Optional) The full path and filename for the generated tarball.
# If not provided, a default filename based on the current date
# and time will be used.
# --detailed (Optional) Acquire detailed debugging information, including logs
petrutlucian94 marked this conversation as resolved.
Show resolved Hide resolved
# from all Kubernetes namespaces.
#
# Example:
# ./inspect.sh /path/to/output.tar.gz
# ./inspect.sh # This will generate a tarball with a default name.
# ./inspect.sh --detailed # Obtain logs from all k8s namespaces.

INSPECT_DUMP=$(pwd)/inspection-report
DETAILED=0

function log_success {
printf -- '\033[32m SUCCESS: \033[0m %s\n' "$1"
Expand Down Expand Up @@ -54,8 +58,11 @@ function collect_args {

function collect_cluster_info {
log_info "Copy k8s cluster-info dump to the final report tarball"
# TODO: add a verbose mode that collects logs from all namespaces (--all-namespaces).
k8s kubectl cluster-info dump --output-directory "$INSPECT_DUMP/cluster-info" &>/dev/null
local FLAGS=""
if [[ "$DETAILED" == "1" ]]; then
FLAGS="--all-namespaces"
fi
k8s kubectl cluster-info dump $FLAGS --output-directory "$INSPECT_DUMP/cluster-info" &>/dev/null
}

function collect_sbom {
Expand Down Expand Up @@ -173,6 +180,25 @@ if [ "$EUID" -ne 0 ]; then
exit 1
fi

POSITIONAL_ARGS=()
while [[ $# -gt 0 ]]; do
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bash is such a beautiful and simple language.

case $1 in
--detailed)
DETAILED=1
shift
;;
-*|--*)
echo "Unknown argument: $1"
exit 1
;;
*)
POSITIONAL_ARGS+=("$1")
shift
;;
esac
done
set -- "${POSITIONAL_ARGS[@]}"

rm -rf "$INSPECT_DUMP"
mkdir -p "$INSPECT_DUMP"

Expand Down
6 changes: 5 additions & 1 deletion tests/integration/tests/conftest.py
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,11 @@ def _generate_inspection_report(h: harness.Harness, instance_id: str):
inspection_path = Path(config.INSPECTION_REPORTS_DIR)
result = h.exec(
instance_id,
["/snap/k8s/current/k8s/scripts/inspect.sh", "/inspection-report.tar.gz"],
[
"/snap/k8s/current/k8s/scripts/inspect.sh",
"--detailed",
"/inspection-report.tar.gz",
],
capture_output=True,
text=True,
check=False,
Expand Down
34 changes: 34 additions & 0 deletions tests/tics-scan.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
#!/usr/bin/env bash

SCRIPT_DIR=$(dirname "$BASH_SOURCE")
petrutlucian94 marked this conversation as resolved.
Show resolved Hide resolved

set -ex
cd "${SCRIPT_DIR}/.."

# Install python dependencies
pip install -r tests/integration/requirements-test.txt
pip install -r tests/integration/requirements-dev.txt
petrutlucian94 marked this conversation as resolved.
Show resolved Hide resolved

cd src/k8s

# TICS requires us to have the test results in cobertura xml format under the
# directory use below
sudo make go.unit
go install github.com/boumenot/gocover-cobertura@latest
gocover-cobertura < coverage.txt > coverage.xml
mkdir -p .coverage
mv ./coverage.xml ./.coverage/

# Install the TICS and staticcheck
go install honnef.co/go/tools/cmd/[email protected]
. <(curl --silent --show-error 'https://canonical.tiobe.com/tiobeweb/TICS/api/public/v1/fapi/installtics/Script?cfg=default&platform=linux&url=https://canonical.tiobe.com/tiobeweb/TICS/')

# We need to have our project built
# We load the dqlite libs here instead of doing through make because TICS
# will try to build parts of the project itself
sudo add-apt-repository -y ppa:dqlite/dev
sudo apt install dqlite-tools-v2 libdqlite1.17-dev
petrutlucian94 marked this conversation as resolved.
Show resolved Hide resolved
sudo make clean
go build -a ./...

TICSQServer -project k8s-snap -tmpdir /tmp/tics -branchdir $HOME/work/k8s-snap/k8s-snap/
petrutlucian94 marked this conversation as resolved.
Show resolved Hide resolved
39 changes: 39 additions & 0 deletions tests/trivy-scan.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
#!/usr/bin/env bash

SCRIPT_DIR=$(dirname "$BASH_SOURCE")

set -ex
cd "${SCRIPT_DIR}/.."

SNAP_PATH="$1"
if [[ ! -f $SNAP_PATH ]]; then
echo "Usage: $0 <snap_path>"
exit 1
fi

# Setup Trivy vulnerability scanner
mkdir -p manual-trivy/sarifs
pushd manual-trivy
VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}');
wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz
tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz
popd

# Run Trivy vulnerability scanner in repo mode
./manual-trivy/trivy fs . \
--format sarif \
--db-repository public.ecr.aws/aquasecurity/trivy-db \
--severity "MEDIUM,HIGH,CRITICAL" \
--ignore-unfixed \
> ./manual-trivy/sarifs/trivy-k8s-repo-scan--results.sarif

for var in $(env | grep -o '^TRIVY_[^=]*'); do
unset "$var"
done
cp "${SNAP_PATH}" ./k8s-test.snap
rm -rf ./squashfs-root
unsquashfs k8s-test.snap
./manual-trivy/trivy rootfs ./squashfs-root/ \
--format sarif \
--db-repository public.ecr.aws/aquasecurity/trivy-db \
> ./manual-trivy/sarifs/snap.sarif
Loading