name: ci-test-ubi-ginkgo on: push: branches: [main] paths: - "KubeArmor/**" - "tests/**" - "protobuf/**" - ".github/workflows/ci-test-ginkgo.yml" - "pkg/KubeArmorOperator/**" - "deployments/helm/**" pull_request: branches: [main] paths: - "KubeArmor/**" - "tests/**" - "protobuf/**" - ".github/workflows/ci-test-ginkgo.yml" - "pkg/KubeArmorOperator/**" - "deployments/helm/**" # Declare default permissions as read only. permissions: read-all jobs: build: name: Auto-testing Framework / ${{ matrix.os }} / ${{ matrix.runtime }} runs-on: ${{ matrix.os }} env: RUNTIME: ${{ matrix.runtime }} strategy: fail-fast: false matrix: os: ["bpflsm"] runtime: ["crio"] steps: - uses: actions/checkout@v3 with: submodules: true - uses: actions/setup-go@v5 with: go-version-file: 'KubeArmor/go.mod' - name: Check what paths were updated uses: dorny/paths-filter@v2 id: filter with: filters: | controller: - 'pkg/KubeArmorController/**' - name: Install the latest LLVM toolchain run: ./.github/workflows/install-llvm.sh - name: Compile libbpf run: ./.github/workflows/install-libbpf.sh - name: Setup a Kubernetes environment run: ./.github/workflows/install-k3s.sh - name: Generate KubeArmor artifacts run: | GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/build_kubearmor.sh - name: Build Kubearmor-Operator working-directory: pkg/KubeArmorOperator run: | make docker-build - name: Build KubeArmorController if: steps.filter.outputs.controller == 'true' run: make -C pkg/KubeArmorController/ docker-build TAG=latest - name: Run KubeArmor run: | docker save kubearmor/kubearmor-init:latest | sudo podman load docker save kubearmor/kubearmor-ubi:latest | sudo podman load docker save kubearmor/kubearmor-operator:latest | sudo podman load docker save kubearmor/kubearmor-snitch:latest | sudo podman load if [ ${{ steps.filter.outputs.controller }} == 'true' ]; then docker save kubearmor/kubearmor-controller:latest | sudo podman load fi helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kubearmor --create-namespace --set kubearmorOperator.image.tag=latest kubectl get pods -A kubectl wait --for=condition=ready --timeout=5m -n kubearmor pod -l kubearmor-app=kubearmor-operator if [[ ${{ steps.filter.outputs.controller }} == 'true' ]]; then kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-ubi-test.yaml --dry-run=client -o json | \ jq '.spec.kubearmorControllerImage.imagePullPolicy = "Never"' | \ kubectl apply -f - else kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-ubi-test.yaml fi kubectl wait -n kubearmor --timeout=5m --for=jsonpath='{.status.phase}'=Running kubearmorconfigs/kubearmorconfig-test kubectl wait --timeout=7m --for=condition=ready pod -l kubearmor-app,kubearmor-app!=kubearmor-snitch,kubearmor-app!=kubearmor-controller -n kubearmor kubectl wait --timeout=1m --for=condition=ready pod -l kubearmor-app=kubearmor-controller -n kubearmor kubectl get pods -A - name: Operator may take upto 10 sec to enable TLS, Sleep for 15Sec run: | sleep 15 - name: Test KubeArmor using Ginkgo run: | go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo make working-directory: ./tests/k8s_env timeout-minutes: 30 - name: Get karmor sysdump if: ${{ failure() }} run: | kubectl describe pod -n kubearmor -l kubearmor-app=kubearmor curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin mkdir -p /tmp/kubearmor/ && cd /tmp/kubearmor && karmor sysdump - name: Archive log artifacts if: ${{ failure() }} uses: actions/upload-artifact@v3 with: name: kubearmor.logs path: | /tmp/kubearmor/ /tmp/kubearmor.* - name: Measure code coverage if: ${{ always() }} run: | go install github.com/modocache/gover@latest gover go tool cover -func=gover.coverprofile working-directory: KubeArmor env: GOPATH: /home/vagrant/go - uses: codecov/codecov-action@v3 if: ${{ always() }} with: files: ./KubeArmor/gover.coverprofile - name: Run cleanup if: ${{ always() }} run: ./.github/workflows/cleanup.sh