From f61232f299de970d8ac1880b8d67401a5be26bde Mon Sep 17 00:00:00 2001 From: Shlomo Heigh Date: Tue, 14 May 2024 14:38:57 -0400 Subject: [PATCH] Use Helm chart and add test command --- .github/workflows/self-test.yaml | 12 ++++++++++-- action.yml | 24 ++++++++++++------------ generate.sh | 25 +++++++++++++++++++++++++ install.sh | 7 +++++-- self-test/test.sh | 17 +++++++++++++++++ setup.sh | 15 +++++++++++---- test.sh | 6 ++++++ wait.sh | 4 ---- 8 files changed, 86 insertions(+), 24 deletions(-) create mode 100755 self-test/test.sh create mode 100755 test.sh delete mode 100755 wait.sh diff --git a/.github/workflows/self-test.yaml b/.github/workflows/self-test.yaml index 71dd77b..87a1ec8 100644 --- a/.github/workflows/self-test.yaml +++ b/.github/workflows/self-test.yaml @@ -15,9 +15,17 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + + - name: Checkout nginx helm chart + uses: actions/checkout@v4 + with: + repository: helm/examples + path: charts/examples + ref: main - name: Test VEX Generation uses: ./ with: - deployment-file: "https://k8s.io/examples/application/deployment.yaml" - ready-condition: "kubectl wait --for=condition=ready pod -l app=nginx --timeout=300s" + helm-chart-path: "charts/examples/charts/hello-world" + ready-condition: "kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=hello-world --timeout=300s" + test-command: "self-test/test.sh" diff --git a/action.yml b/action.yml index 8dd86ff..1dcc643 100644 --- a/action.yml +++ b/action.yml 
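Review bot: The new `Checkout nginx helm chart` step checks out the third-party `helm/examples` repository at `ref: main`, so the chart installed into the cluster (and therefore the images the VEX document is generated for) can change underneath this self-test without any change in this repository. Pinning the checkout to a full commit SHA, `ref: <commit-sha>` instead of `ref: main`, keeps the test reproducible and removes the implicit trust in that branch's future contents. The step name still says nginx while the chart path passed to the action is `hello-world`; `name: Checkout hello-world helm chart` would match what is actually installed.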
@@ -1,15 +1,15 @@ name: "Generate VEX with Kubescape" description: "Generate VEX with Kubescape" inputs: - deployment-file: - description: "Path / URL to the deployment file" + helm-chart-path: + description: "Path to Helm chart to test" required: true ready-condition: description: "Condition to wait for before collecting VEX info" - required: true - wait-time: - description: "Time to wait (in seconds) before collecting VEX info, after the ready-condition is met" - default: "300" + required: false + test-command: + description: "Command to run to test the deployment" + required: false runs: using: "composite" @@ -18,17 +18,17 @@ runs: run: $GITHUB_ACTION_PATH/setup.sh shell: bash - - name: "Install deployment" + - name: "Install Helm Chart" env: - DEPLOYMENT_FILE: ${{ inputs.deployment-file }} + HELM_CHART_PATH: ${{ inputs.helm-chart-path }} READY_CONDITION: ${{ inputs.ready-condition }} run: $GITHUB_ACTION_PATH/install.sh shell: bash - - name: "Wait for deployment to be ready" - env: - WAIT_TIME: ${{ inputs.wait-time }} - run: $GITHUB_ACTION_PATH/wait.sh + - name: "Run tests" + env: + TEST_COMMAND: ${{ inputs.test-command }} + run: $GITHUB_ACTION_PATH/test.sh shell: bash - name: "Generate VEX" diff --git a/generate.sh b/generate.sh index 40b6e07..724cbff 100755 --- a/generate.sh +++ b/generate.sh 
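Review bot: The `test-command` and `ready-condition` descriptions do not say how the value is executed, and the scripts expand these variables unquoted (`$TEST_COMMAND`, `$READY_CONDITION`), so the string is word-split and glob-expanded and its first word is run directly rather than parsed by a shell; pipes, redirects and quoted arguments will not behave as a user would expect. I would state that contract in the input, e.g. `description: "Command to run to test the deployment; split on whitespace and executed directly, not via a shell"`, and the same wording for `ready-condition`. Both commands run with the runner's cluster credentials, so the descriptions should also note that only trusted values should be passed.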
@@ -1,6 +1,31 @@
 #!/usr/bin/env bash
 set -x
+timeout=300
+start_time=$SECONDS
+while [[ -z $(kubectl -n kubescape get openvulnerabilityexchangecontainers.spdx.softwarecomposition.kubescape.io) ]]; do
+ echo "Waiting for VEX generation..."
+ sleep 10
+ if [[ $((SECONDS - start_time)) -gt $timeout ]]; then
+ echo "Timeout reached. Exiting..."
+
+ # Loop through all pods in the kubescape namespace and print the logs
+ for pod in $(kubectl -n kubescape get pods -o jsonpath='{.items[*].metadata.name}'); do
+ echo "Logs for $pod:"
+ kubectl -n kubescape logs "$pod"
+ done
+
+ break
+ fi
+done
+
+echo "Saving VEX results..."
 kubectl -n kubescape get openvulnerabilityexchangecontainer \
 "$(kubectl -n kubescape get openvulnerabilityexchangecontainer -o jsonpath='{.items[0].metadata.name}')" \
 -o jsonpath='{.spec}' > vex.json
+
+echo "Affected:"
+jq "." vex.json | grep -c "\"affected\""
+
+echo "Not affected:"
+jq "." vex.json | grep -c "\"not_affected\""
diff --git a/install.sh b/install.sh
index e06585c..75ae09e 100755
--- a/install.sh
+++ b/install.sh
@@ -1,5 +1,8 @@
 #!/usr/bin/env bash
 set -x
-kubectl apply -f "$DEPLOYMENT_FILE"
-$READY_CONDITION
+helm install "$HELM_CHART_PATH" --wait --timeout 300s --generate-name
+
+if [[ -n "$READY_CONDITION" ]]; then
+ $READY_CONDITION
+fi
diff --git a/self-test/test.sh b/self-test/test.sh
new file mode 100755
index 0000000..338d065
--- /dev/null
+++ b/self-test/test.sh
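Review bot: When the timeout branch is taken the loop only `break`s, so the script falls through to `kubectl get openvulnerabilityexchangecontainer "$(...)"` with an empty resource name, writes an empty or missing `vex.json`, and the step's exit status becomes whatever the final `jq | grep -c` returns rather than a failure. Replacing `break` with `exit 1` after the pod logs have been dumped makes the timeout fatal, and adding `set -euo pipefail` under `set -x` makes a failing `kubectl`/`jq` in the remaining lines fatal too. As written the loop's negative result is only visible by reading the log, which is easy to miss when the action reports success.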
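Review bot: A failing `helm install` is not fatal here: the script sets `set -x` but not `set -e`, and when `READY_CONDITION` is empty the trailing `if` returns 0, so a chart that fails to install still lets the action continue into the test and VEX steps. Adding `set -euo pipefail` after `set -x` (or `helm install ... || exit 1`) makes the install failure stop the action. Because `$READY_CONDITION` is expanded unquoted it is word-split and glob-expanded rather than shell-parsed; if the input is meant to accept an arbitrary shell snippet, run it as `bash -c -- "$READY_CONDITION"` and document that in `action.yml`.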
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -x
+
+# Get the pod name and container port of the test application
+POD_NAME=$(kubectl get pods -l "app.kubernetes.io/name=hello-world" -o jsonpath="{.items[0].metadata.name}")
+CONTAINER_PORT=$(kubectl get pod "$POD_NAME" -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+# Expose the test app on localhost
+kubectl port-forward "$POD_NAME" 8080:"$CONTAINER_PORT" &
+sleep 5
+# Test the application by sending a request to it a number of times
+for _ in {1..10}; do
+ # Prints just the status code
+ curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:8080
+ echo
+done
+# Stop the port-forwarding
+kill %1
diff --git a/setup.sh b/setup.sh
index a62e1e9..ee96518 100755
--- a/setup.sh
+++ b/setup.sh
@@ -15,8 +15,15 @@ sudo ./get_helm.sh
 # Install Kubescape
 helm repo add kubescape https://kubescape.github.io/helm-charts/
 helm repo update
-helm upgrade --install kubescape kubescape/kubescape-operator -n kubescape --create-namespace --set clusterName="$(kubectl config current-context)" --set capabilities.vexGeneration=enable
+helm upgrade --install kubescape kubescape/kubescape-operator -n kubescape --create-namespace \
+ --set clusterName="$(kubectl config current-context)" \
+ --set capabilities.vexGeneration=enable \
+ --set nodeAgent.config.learningPeriod=1m \
+ --set nodeAgent.config.updatePeriod=1m \
+ --set logger.level=debug \
+ --wait
 # Wait for the pod to be ready
-sleep 15
-kubectl get pods -n kubescape
-kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=node-agent -n kubescape --timeout=300s
+sleep 5
+kubectl -n kubescape wait --for=condition=ready pod -l app.kubernetes.io/name=node-agent --timeout=300s
+kubectl -n kubescape wait --for=condition=ready pod -l app.kubernetes.io/name=storage --timeout=300s
+echo "Kubescape is ready"
\ No newline at end of file
diff --git a/test.sh b/test.sh
new file mode 100755
index 0000000..49fa45c
--- /dev/null
+++ b/test.sh
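Review bot: This test cannot fail: `curl -s -o /dev/null -w "%{http_code}"` only prints the status code, its exit status is never checked, and there is no `set -e`, so a 5xx response or a connection refused (for instance if `sleep 5` is not long enough for the port-forward to come up) still exits 0 and the `test-command` step passes. Using `curl -fsS -o /dev/null -w "%{http_code}\n" http://127.0.0.1:8080 || exit 1` in the loop (or `set -euo pipefail` at the top) makes a non-2xx response fail the step. The cleanup with `kill %1` relies on the job table; `trap 'kill $!' EXIT` placed right after the `&` is more robust and also stops the port-forward when the script exits early.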
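Review bot: The rewritten `helm upgrade --install kubescape kubescape/kubescape-operator` line still installs whatever chart version the repository currently publishes, so the operator under test, and with it the VEX output, can change between runs without any change here; pinning it with `--version <chart-version>` and bumping deliberately keeps runs comparable. `--set logger.level=debug` helps diagnose the wait in generate.sh but is verbose for every run and ends up in the job log; consider gating it on an input or on `RUNNER_DEBUG`. The `sleep 5` and the two `kubectl wait` calls appear redundant with `--wait`, which already blocks until the release's resources are ready, though keeping the explicit waits is harmless. The script starts before this hunk.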
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -x
+
+if [[ -n "$TEST_COMMAND" ]]; then
+ $TEST_COMMAND
+fi
diff --git a/wait.sh b/wait.sh
deleted file mode 100755
index cbac680..0000000
--- a/wait.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/usr/bin/env bash
-set -x
-
-sleep "$WAIT_TIME"
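Review bot: `$TEST_COMMAND` is expanded unquoted, so the input is word-split and glob-expanded and its first word is executed directly; a value such as `./test.sh --name "hello world"` or anything with a pipe or redirect will not run as written, and shellcheck flags the expansion as SC2086. If the input is meant to be a shell command, run it as `bash -c -- "$TEST_COMMAND"`; if it is meant to be a single executable path, quote it as `"$TEST_COMMAND"` and document that in `action.yml`. The value still arrives through an env var rather than an inline `${{ }}` expansion, so neither form widens the expression-injection surface, but the command runs with the runner's cluster credentials and should only come from trusted workflow sources.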