Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[8.12](backport #2356) Upgrade helm to v3.14.2 #2447

Closed
wants to merge 3 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
300 changes: 300 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,300 @@
name: Tests

on:
pull_request_target:
branches:
- main
- "[0-9]+.[0-9]+"
types: [opened, synchronize, reopened]
push:
branches:
- main
- "[0-9]+.[0-9]+"
workflow_dispatch:

concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true

jobs:
init-hermit:
name: Init Hermit Tools
runs-on: ubuntu-22.04
timeout-minutes: 60
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: Hermit Environment
uses: ./.github/actions/hermit
with:
init-tools: 'true'

ci-azure:
needs: [ init-hermit ]
name: CIS Azure CI
runs-on: ubuntu-22.04
timeout-minutes: 60
permissions:
contents: "read"
id-token: "write"
steps:
- name: Check out the repo
uses: actions/checkout@v4

- name: Hermit Environment
uses: ./.github/actions/hermit

- name: Run Azure integration tests
uses: ./.github/actions/azure-ci
with:
elk-version: ${{ env.ELK_VERSION }}
azure-client-id: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientId }}
azure-tenant-id: ${{ fromJSON(secrets.AZURE_CREDENTIALS).tenantId }}
azure-client-secret: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientSecret }}

ci-aws:
needs: [ init-hermit ]
name: CIS AWS CI
runs-on: ubuntu-22.04
timeout-minutes: 60
permissions:
contents: "read"
id-token: "write"
steps:
- name: Check out the repo
uses: actions/checkout@v4

- name: Hermit Environment
uses: ./.github/actions/hermit

- name: Run AWS integration tests
uses: ./.github/actions/aws-ci
with:
elk-version: ${{ env.ELK_VERSION }}
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ACC }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ACC }}
aws-account-type: single-account

ci-gcp:
needs: [ init-hermit ]
name: CIS GCP CI
runs-on: ubuntu-22.04
timeout-minutes: 60
permissions:
contents: 'read'
id-token: 'write'
steps:
- name: Check out the repo
uses: actions/checkout@v4

- name: Hermit Environment
uses: ./.github/actions/hermit

- name: Run GCP integration tests
uses: ./.github/actions/gcp-ci
with:
elk-version: ${{ env.ELK_VERSION }}
workload-identity-provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
service-account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
gcp-project-id: 'elastic-security-test'
gcp-account-type: 'single-account'

ci-cnvm:
needs: [ init-hermit ]
name: CNVM CI
runs-on: ubuntu-22.04
timeout-minutes: 30
steps:
- name: Check out the repo
uses: actions/checkout@v4

- name: Hermit Environment
uses: ./.github/actions/hermit

- name: Run CNVM integration tests
uses: ./.github/actions/cnvm-ci
with:
elk-version: ${{ env.ELK_VERSION }}
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: 'us-east-2'

docker-images:
needs: [ init-hermit ]
name: Build docker images
# Since we build the cloudbeat in the worker's OS and as non static,
# we need to keep the OS version same as elastic-agent docker image base.
# docker run --interactive --tty --rm --entrypoint bash docker.elastic.co/elastic-agent/elastic-agent-complete:8.14.0-SNAPSHOT -c 'cat /etc/os-release'
runs-on: ubuntu-20.04
timeout-minutes: 40
steps:
- name: Free Disk Space (Ubuntu)
uses: jlumbroso/free-disk-space@main
with:
tool-cache: false
android: true
dotnet: true
haskell: true
large-packages: false
docker-images: true
swap-storage: true

- name: Check out the repo
uses: actions/checkout@v4

- name: Hermit Environment
uses: ./.github/actions/hermit

- name: Build docker images
uses: ./.github/actions/docker-images
with:
build-docker-images: 'true'

ci-k8s:
needs: [ init-hermit, docker-images ]
name: ${{ matrix.test-target }}-${{ matrix.kind-config }}
runs-on: ubuntu-22.04
timeout-minutes: 120
strategy:
fail-fast: false
matrix:
include:
- test-target: pre_merge
kind-config: kind-multi
values-file: tests/test_environments/values/ci.yml
- test-target: pre_merge_agent
kind-config: kind-multi
values-file: tests/test_environments/values/ci-sa-agent.yml
- test-target: k8s_file_system_rules
kind-config: kind-test-files
values-file: tests/test_environments/values/ci-test-k8s-files.yml
# - test-target: k8s_object_psp_rules
# kind-config: kind-multi
# values-file: tests/test_environments/values/ci-test-k8s-objects.yml
- test-target: k8s_process_rules
kind-config: kind-test-proc-conf1
values-file: tests/test_environments/values/ci-test-k8s-proc-conf1.yml
- test-target: k8s_process_rules
kind-config: kind-test-proc-conf2
values-file: tests/test_environments/values/ci-test-k8s-proc-conf2.yml
steps:
- name: Free Disk Space (Ubuntu)
uses: jlumbroso/free-disk-space@main
with:
tool-cache: false
android: true
dotnet: true
haskell: true
large-packages: false
docker-images: true
swap-storage: true

- name: Check out the repo
uses: actions/checkout@v4

- name: Hermit Environment
uses: ./.github/actions/hermit

- name: Get docker images
uses: ./.github/actions/docker-images
with:
build-docker-images: 'false'
docker-images-folder: '/tmp/.docker-images'

- name: Run k8s integration tests
uses: ./.github/actions/k8s-ci
with:
kind-config: ${{ matrix.kind-config }}
test-target: ${{ matrix.test-target }}
values-file: ${{ matrix.values-file }}
docker-images-folder: '/tmp/.docker-images'

upload-allure-results:
needs:
- ci-azure
- ci-aws
- ci-gcp
- ci-cnvm
- ci-k8s
name: Upload integration tests results
runs-on: ubuntu-22.04
timeout-minutes: 60
permissions:
pull-requests: write
if: ${{ always() }}
env:
AWS_REGION: "eu-west-1"
ALLURE_S3_BUCKET: "s3://csp-allure-reports/allure_reports/cloudbeat/ci"
S3_BUCKET_ALLURE_REPORT_AP: "http://csp-allure-reports.s3.amazonaws.com/allure_reports/cloudbeat/ci"
steps:
- name: Check out the repo
uses: actions/checkout@v4

- uses: actions/download-artifact@v4
if: ${{ always() }}
with:
pattern: allure-results-ci-*
path: tests/allure/results/
merge-multiple: true

- name: log
if: ${{ always() }}
shell: bash
run: |
ls -lahR tests/allure/results/ || true

- name: Publish allure report
if: ${{ always() }}
uses: andrcuns/[email protected]
env:
GITHUB_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AWS_REGION: ${{ env.AWS_REGION }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
with:
storageType: s3
resultsGlob: "tests/allure/results"
updatePr: actions
collapseSummary: false
summary: suites
summaryTableType: markdown
copyLatest: true
bucket: csp-allure-reports
prefix: allure_reports/cloudbeat/ci/${{ github.event.number }}
ignoreMissingResults: true
debug: false

- name: Allure Summary
if: ${{ success() && github.event_name != 'push' }}
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
curl --fail --show-error --location '${{ env.S3_BUCKET_ALLURE_REPORT_AP }}/${{ github.event.number }}/history/history-trend.json' --output ./history-trend.json
allure_result=./history-trend.json
allure_url=${{ env.S3_BUCKET_ALLURE_REPORT_AP }}/${{ github.event.number }}/index.html

./.ci/scripts/allure-report-summary.sh "$allure_result" "$allure_url"
allure_summary=$(./.ci/scripts/allure-report-summary.sh "$allure_result" "$allure_url")

# saving result into env variable (with multiline handling)
echo "ALLURE_SUMMARY<<EOF" >> $GITHUB_ENV
echo "$allure_summary" >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV

- name: Comment test success result
uses: marocchino/sticky-pull-request-comment@v2
if: ${{ success() && github.event_name != 'push' }}
with:
header: CI Test Results
number: ${{ github.event.number }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
message: |
${{ env.ALLURE_SUMMARY }}

- if: ${{ success() }}
name: Cleanup docker image artifacts
uses: geekyeggo/delete-artifact@v5
with:
name: docker-images
failOnError: false
8 changes: 4 additions & 4 deletions deploy/k8s/fleet-managed-agent.yml
Original file line number Diff line number Diff line change
Expand Up @@ -217,10 +217,10 @@ rules:
- ingresses
- networkpolicies
verbs: ["get", "list", "watch"]
- apiGroups: ["policy"]
resources:
- podsecuritypolicies
verbs: ["get", "list", "watch"]
# - apiGroups: ["policy"]
# resources:
# - podsecuritypolicies
# verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
Expand Down
8 changes: 4 additions & 4 deletions deploy/k8s/standalone-agent.yml
Original file line number Diff line number Diff line change
Expand Up @@ -641,10 +641,10 @@ rules:
- ingresses
- networkpolicies
verbs: ["get", "list", "watch"]
- apiGroups: ["policy"]
resources:
- podsecuritypolicies
verbs: ["get", "list", "watch"]
# - apiGroups: ["policy"]
# resources:
# - podsecuritypolicies
# verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
Expand Down
8 changes: 4 additions & 4 deletions deploy/kustomize/base/role.yml
Original file line number Diff line number Diff line change
Expand Up @@ -58,10 +58,10 @@ rules:
- ingresses
- networkpolicies
verbs: ["get", "list", "watch"]
- apiGroups: ["policy"]
resources:
- podsecuritypolicies
verbs: ["get", "list", "watch"]
# - apiGroups: ["policy"]
# resources:
# - podsecuritypolicies
# verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -248,10 +248,10 @@ rules:
- roles
verbs: ["get", "list", "watch"]
# Needed for cloudbeat
- apiGroups: ["policy"]
resources:
- podsecuritypolicies
verbs: ["get", "list", "watch"]
# - apiGroups: ["policy"]
# resources:
# - podsecuritypolicies
# verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
Expand Down
Loading
Loading