
ci: generate seccomp profile within pipeline #1325

Merged


@alegrey91 (Contributor) commented Jan 19, 2025

This PR introduces the ability to generate seccomp profiles within the pipeline.
This will be helpful in case a user wants to secure their capsule installation by leveraging the power of seccomp.

To do so, the capsule container image is built replacing the base image with the one provided by harpoon. This will allow the execution of capsule through harpoon.
Then, a Kubernetes cluster is set up using kind with a shared folder that is used to retrieve the metadata generated by harpoon during the e2e test execution.
The capsule image is consequently installed on the cluster with a customized Helm values file, and the e2e tests can start.
Once finished, the results are merged with the tracing of the unit tests (handled by harpoon).
This generates the seccomp profile tailored for capsule, which is going to be uploaded with the other artifacts in the upcoming releases.
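The merge step described above (the e2e trace unioned with the unit-test trace into one profile) is the part a practitioner has to get right: the output must remain a pure allow-list of observed syscalls with a denying default, otherwise a bad trace silently produces a profile that allows everything. The Go program below is an added example and is not code from this PR, from harpoon or from capsule. It assumes the traces are in the OCI runtime-spec seccomp JSON shape (defaultAction, architectures, syscalls[].names and syscalls[].action) and uses two constructed sample traces in place of harpoon's real output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Profile mirrors the fields of the OCI runtime-spec seccomp JSON schema that a
// merge needs. That harpoon emits exactly this shape is an assumption made for
// this example.
type Profile struct {
	DefaultAction string    `json:"defaultAction"`
	Architectures []string  `json:"architectures,omitempty"`
	Syscalls      []Syscall `json:"syscalls"`
}

// Syscall is one rule: a list of syscall names and the action applied to them.
type Syscall struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
}

// Parse decodes one traced profile from JSON.
func Parse(data []byte) (Profile, error) {
	var p Profile
	if err := json.Unmarshal(data, &p); err != nil {
		return Profile{}, err
	}
	return p, nil
}

// Merge unions the allow rules of several traced profiles into one profile whose
// default action denies every syscall not observed in any trace. It refuses input
// that is not a pure allow-list: a traced profile must not carry explicit denies
// or an allow-everything default, since either would widen the merged result.
func Merge(profiles ...Profile) (Profile, error) {
	names := map[string]struct{}{}
	arches := map[string]struct{}{}
	for i, p := range profiles {
		if p.DefaultAction == "SCMP_ACT_ALLOW" {
			return Profile{}, fmt.Errorf("profile %d has defaultAction SCMP_ACT_ALLOW; it would allow everything", i)
		}
		for _, a := range p.Architectures {
			arches[a] = struct{}{}
		}
		for _, s := range p.Syscalls {
			if s.Action != "SCMP_ACT_ALLOW" {
				return Profile{}, fmt.Errorf("profile %d has non-allow rule %q", i, s.Action)
			}
			for _, n := range s.Names {
				names[n] = struct{}{}
			}
		}
	}
	return Profile{
		DefaultAction: "SCMP_ACT_ERRNO",
		Architectures: sortedKeys(arches),
		Syscalls:      []Syscall{{Names: sortedKeys(names), Action: "SCMP_ACT_ALLOW"}},
	}, nil
}

// sortedKeys returns the map keys in sorted order so the output is deterministic
// and diffable between pipeline runs.
func sortedKeys(m map[string]struct{}) []string {
	out := make([]string, 0, len(m))
	for k := range m {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// Constructed sample traces standing in for the e2e and unit-test outputs.
const e2eTrace = `{"defaultAction":"SCMP_ACT_ERRNO","architectures":["SCMP_ARCH_X86_64"],
"syscalls":[{"names":["read","write","openat","epoll_pwait"],"action":"SCMP_ACT_ALLOW"}]}`

const unitTrace = `{"defaultAction":"SCMP_ACT_ERRNO","architectures":["SCMP_ARCH_X86_64"],
"syscalls":[{"names":["read","futex","mmap"],"action":"SCMP_ACT_ALLOW"}]}`

// MergeSamples parses and merges the two constructed traces.
func MergeSamples() (Profile, error) {
	e, err := Parse([]byte(e2eTrace))
	if err != nil {
		return Profile{}, err
	}
	u, err := Parse([]byte(unitTrace))
	if err != nil {
		return Profile{}, err
	}
	return Merge(e, u)
}

func main() {
	p, err := MergeSamples()
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(p, "", "  ")
	fmt.Println(string(out))
}
```

The merged profile only covers syscalls the tests actually exercised; any code path the e2e and unit tests miss will fail at runtime with the errno the runtime returns for SCMP_ACT_ERRNO (EPERM unless the profile sets errnoRet), which is why the profile should be reviewed against test coverage before it is shipped as a release artifact.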

netlify bot commented Jan 19, 2025

Deploy Preview for capsule-documentation canceled.

Latest commit: f24d2f1
Latest deploy log: https://app.netlify.com/sites/capsule-documentation/deploys/67a473946e8924000889ef25

@alegrey91 alegrey91 changed the title Ci/harpoon integration ci: generate seccomp profiles Jan 19, 2025
@alegrey91 alegrey91 force-pushed the ci/harpoon-integration branch from 2816ee9 to 62f2e5f Compare January 28, 2025 17:27
@alegrey91 alegrey91 changed the title ci: generate seccomp profiles ci: generate seccomp profiles within pipeline Jan 28, 2025
@alegrey91 alegrey91 changed the title ci: generate seccomp profiles within pipeline ci: generate seccomp profile within pipeline Jan 28, 2025
@alegrey91 alegrey91 marked this pull request as ready for review January 28, 2025 17:42
@oliverbaehler (Collaborator) left a comment

Hey @alegrey91, great tool, hope we can help you gain some traction as an example. I have requested changes regarding the chart.

Makefile Outdated
Comment on lines 241 to 243
harpoon: ## Download harpoon locally if necessary.
@curl -s https://raw.githubusercontent.com/alegrey91/harpoon/main/install | \
sudo bash -s -- --install-version $(HARPOON_VERSION)
@oliverbaehler (Collaborator):

Not a big fan of this, we should try to install binaries into the project's bin/ folder; I am assuming this is going to install harpoon at system level. Since it's Go, can't we make a target like the other binary dependencies:

HARPOON = $(shell pwd)/bin/harpoon
HARPOON_VERSION = v0.9.4
harpoon:
	$(call go-install-tool,$(HARPOON),github.com/alegrey91/harpoon@$(HARPOON_VERSION))

@alegrey91 (Contributor Author):

Hi @oliverbaehler, unfortunately I don't think we can currently use go install with harpoon.
The project has a complex toolchain that requires a separate compilation of the eBPF object.
About the installation directory, I think this is fine; I can set the location through the install script.

charts/capsule/values-tracing.yaml (outdated, resolved)
charts/capsule/templates/deployment.yaml (resolved)
charts/capsule/templates/deployment.yaml (outdated, resolved)
@alegrey91 (Contributor Author) commented

Hello @oliverbaehler, I'm having a problem with the Test charts pipeline.
It's failing due to my values file ci/tracing-values.yaml because this specific configuration needs kind to be configured with an extraMount (see hack/kind-cluster.yml). Without this cluster config, the chart is unable to mount the volumes specified within the values file.
What can we do to fix it?

@alegrey91 (Contributor Author) commented

> Hello @oliverbaehler, I'm having a problem with the Test charts pipeline. It's failing due to my values file ci/tracing-values.yaml because this specific configuration needs kind to be configured with an extraMount (see hack/kind-cluster.yml). Without this cluster config, the chart is unable to mount the volumes specified within the values file. What can we do to fix it?

I'm thinking about a possible solution for that. Since the ci/tracing-values.yaml is not a "production" values file, we could skip its test with ct and create a dedicated workflow to generate seccomp profiles for each PR. This way we will check its validity every time a new PR is coming. Integrating it with ct is quite hard because there are several pre-requirements:

  • build the custom capsule image with harpoon within the container
  • create a kind cluster with a custom configuration to share folders with the container

@oliverbaehler (Collaborator) commented

@alegrey91 can you grant me access to your fork?

@alegrey91 (Contributor Author) commented

> @alegrey91 can you grant me access to your fork?

You should have access now.

@oliverbaehler (Collaborator) commented

@alegrey91 I can't invest more time into this, sorry. I have reconciled your targets and simplified the approach. It should now work better.

@alegrey91 (Contributor Author) commented

@oliverbaehler any reasons why the other workflows are not starting anymore?

@oliverbaehler (Collaborator) commented

@alegrey91 conflicts?

@alegrey91 alegrey91 force-pushed the ci/harpoon-integration branch 4 times, most recently from 186a22f to a0f3d18 Compare February 5, 2025 22:49
@alegrey91 (Contributor Author) commented Feb 5, 2025

@oliverbaehler ready for review.
thanks for the fixes :)
P.s. the seccomp ci is currently failing due to the docker hub pull rate limit 😅
You could re-run it separately and should work.

@oliverbaehler (Collaborator) left a comment

Final changes, sowy :3

.github/workflows/seccomp.yaml (outdated, resolved)
@alegrey91 alegrey91 force-pushed the ci/harpoon-integration branch from a0f3d18 to f24d2f1 Compare February 6, 2025 08:32
@alegrey91 (Contributor Author) commented

@oliverbaehler can you please re-run the CI?

@oliverbaehler oliverbaehler merged commit b7a2072 into projectcapsule:main Feb 6, 2025
18 of 25 checks passed