name: ci-test-ubi-ginkgo

on:
  push:
    branches: [main]
    paths:
      - "KubeArmor/**"
      - "tests/**"
      - "protobuf/**"
      - ".github/workflows/ci-test-ginkgo.yml"
      - "pkg/KubeArmorOperator/**"
      - "deployments/helm/**"
  pull_request:
    branches: [main]
    paths:
      - "KubeArmor/**"
      - "tests/**"
      - "protobuf/**"
      - ".github/workflows/ci-test-ginkgo.yml"
      - "pkg/KubeArmorOperator/**"
      - "deployments/helm/**"

# Declare default permissions as read only.
permissions: read-all

jobs:
  build:
    name: Auto-testing Framework / ${{ matrix.os }} / ${{ matrix.runtime }}
    runs-on: ${{ matrix.os }}
    env:
      RUNTIME: ${{ matrix.runtime }}
    strategy:
      fail-fast: false
      matrix:
        os: ["bpflsm"]
        
        runtime: ["crio"]
  

    steps:
      - uses: actions/checkout@v3
        with:
          submodules: true

      - uses: actions/setup-go@v5
        with:
          go-version-file: 'KubeArmor/go.mod'
      
      - name: Check what paths were updated
        uses: dorny/paths-filter@v2
        id: filter
        with:
          filters: |
            controller:
              - 'pkg/KubeArmorController/**'
 
      - name: Install the latest LLVM toolchain
        run: ./.github/workflows/install-llvm.sh

      - name: Compile libbpf
        run: ./.github/workflows/install-libbpf.sh

      - name: Setup a Kubernetes environment
        run: ./.github/workflows/install-k3s.sh

      - name: Generate KubeArmor artifacts
        run: |
          GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/build_kubearmor.sh

      - name: Build Kubearmor-Operator
        working-directory: pkg/KubeArmorOperator
        run: |
          make docker-build
      
      - name: Build KubeArmorController
        if: steps.filter.outputs.controller == 'true'
        run: make -C pkg/KubeArmorController/ docker-build TAG=latest

      - name: Run KubeArmor
        run: |
          docker save kubearmor/kubearmor-init:latest | sudo podman load
          docker save kubearmor/kubearmor-ubi:latest | sudo podman load
          docker save kubearmor/kubearmor-operator:latest | sudo podman load
          docker save kubearmor/kubearmor-snitch:latest | sudo podman load
          
          if [ ${{ steps.filter.outputs.controller }} == 'true' ]; then 
            docker save kubearmor/kubearmor-controller:latest | sudo podman load
          fi          
          
          helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kubearmor --create-namespace --set kubearmorOperator.image.tag=latest
          kubectl get pods -A
          kubectl wait --for=condition=ready --timeout=5m -n kubearmor pod -l kubearmor-app=kubearmor-operator

          if [[ ${{ steps.filter.outputs.controller }} == 'true' ]]; then
            kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-ubi-test.yaml --dry-run=client -o json | \
            jq '.spec.kubearmorControllerImage.imagePullPolicy = "Never"' | \
            kubectl apply -f -
          else 
            kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-ubi-test.yaml
          fi

          kubectl wait -n kubearmor --timeout=5m --for=jsonpath='{.status.phase}'=Running kubearmorconfigs/kubearmorconfig-test
          kubectl wait --timeout=7m --for=condition=ready pod -l kubearmor-app,kubearmor-app!=kubearmor-snitch,kubearmor-app!=kubearmor-controller -n kubearmor
          kubectl wait --timeout=1m --for=condition=ready pod -l kubearmor-app=kubearmor-controller -n kubearmor
          kubectl get pods -A
      
      - name: Operator may take upto 10 sec to enable TLS, Sleep for 15Sec
        run: |
          sleep 15
      
      - name: Test KubeArmor using Ginkgo
        run: |
          go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
          make
        working-directory: ./tests/k8s_env
        timeout-minutes: 30

      - name: Get karmor sysdump
        if: ${{ failure() }}
        run: |
          kubectl describe pod -n kubearmor -l kubearmor-app=kubearmor
          curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin
          mkdir -p /tmp/kubearmor/ && cd /tmp/kubearmor && karmor sysdump

      - name: Archive log artifacts
        if: ${{ failure() }}
        uses: actions/upload-artifact@v3
        with:
          name: kubearmor.logs
          path: |
            /tmp/kubearmor/
            /tmp/kubearmor.*

      - name: Measure code coverage
        if: ${{ always() }}
        run: |
          go install github.com/modocache/gover@latest
          gover
          go tool cover -func=gover.coverprofile
        working-directory: KubeArmor
        env:
          GOPATH: /home/vagrant/go
      - uses: codecov/codecov-action@v3
        if: ${{ always() }}
        with:
          files: ./KubeArmor/gover.coverprofile
      - name: Run cleanup
        if: ${{ always() }}
        run: ./.github/workflows/cleanup.sh