-
Notifications
You must be signed in to change notification settings - Fork 12
365 lines (357 loc) · 14.5 KB
/
integration_test.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
# Copyright 2024 Canonical Ltd.
# See LICENSE file for licensing details.
name: Integration tests
on:
workflow_call:
inputs:
builder-runner-label:
description: Label for building the charm
type: string
default: ubuntu-latest
charmcraft-channel:
description: Charmcraft channel to use for the integration test
type: string
default: latest/stable
charmcraft-ref:
description: Used in conjunction with charmcraft-repository to pull and build charmcraft from source instead of using snapstore version.
type: string
default: ""
charmcraft-repository:
description: Pull and build charmcraft from source instead of using snapstore version (this means that the `charmcraft-channel` input will be ignored).
type: string
default: ""
channel:
description: Actions operator provider channel as per https://github.com/charmed-kubernetes/actions-operator#usage
type: string
default: latest/stable
charm-directory:
type: string
description: The directory for the charm under the working-directory
default: "."
extra-arguments:
description: Additional arguments to pass to the integration test execution
type: string
extra-test-matrix:
description: |
Aditional mapping to lists of matrices to be applied on top of series and modules matrix in JSON format, i.e. '{"extras":["foo","bar"]}'.
Each mapping will be injected into the matrix section of the integration-test.
type: string
default: "{}"
juju-channel:
description: Actions operator juju channel as per https://github.com/charmed-kubernetes/actions-operator#usage
type: string
default: 2.9/stable
identifier:
type: string
description: >-
Identifier for the integration test job: This is used to distinguish between multiple integration test jobs
running within the same workflow. It is recommended to set this identifier to the job name.
default: ""
load-test-enabled:
type: boolean
description: Whether load testing is enabled
default: false
load-test-run-args:
type: string
description: Command line arguments for the load test execution
default: ""
modules:
description: List of testing modules to run the tests in JSON format, i.e. '["foo", "bar"]'. Each element will be passed to pytest through tox as -k argument
type: string
default: '[""]'
pre-run-script:
description: Path to the bash script to be run before the integration tests
type: string
provider:
description: Actions operator provider as per https://github.com/charmed-kubernetes/actions-operator#usage
type: string
default: microk8s
rockcraft-channel:
description: Rockcraft channel to use for the integration test
type: string
default: latest/stable
rockcraft-ref:
description: Used in conjunction with rockcraft-repository to pull and build rockcraft from source instead of using snapstore version.
type: string
default: ""
rockcraft-repository:
description: Pull and build rockcraft from source instead of using snapstore version (this means that the rockcraft-channel input will be ignored).
type: string
default: ""
rockcraft-enable-security-nesting:
description: Set security.nesting=true on the rockcraft lxc project to allow for nested containers.
type: boolean
default: false
microk8s-addons:
description: Microk8s provider add-ons override. A minimum set of addons (the defaults) must be enabled.
type: string
default: "dns ingress rbac storage"
self-hosted-runner:
type: boolean
description: Whether to use self-hosted runners to run the jobs.
default: false
self-hosted-runner-arch:
type: string
description: Architecture to use on self-hosted runners to run the jobs.
default: "x64"
self-hosted-runner-label:
type: string
description: Label for selecting the self-hosted runners.
default: "large"
series:
description: List of series to run the tests in JSON format, i.e. '["jammy", "focal"]'. Each element will be passed to pytest through tox as --series argument
type: string
default: '[""]'
setup-devstack-swift:
description: Use setup-devstack-swift action to prepare a swift server for testing.
type: boolean
default: false
test-timeout:
description: Timeout in minutes for the integration test.
type: number
default: 360
test-tox-env:
description: The tox environment name for the integration test.
type: string
default: "integration"
tmate-debug:
description: Use tmate debugging session on integration test failure.
type: boolean
default: false
tmate-timeout:
description: Timeout in minutes to keep tmate debugging session.
type: number
default: 30
trivy-fs-config:
type: string
description: Trivy YAML configuration for fs testing that is checked in as part of the repo
trivy-fs-enabled:
type: boolean
description: Whether Trivy testing of type fs is enabled
default: false
trivy-fs-ref:
type: string
description: Target directory to do the Trivy testing
default: "."
trivy-image-config:
type: string
description: Trivy YAML configuration for image testing that is checked in as part of the repo
trivy-severity-config:
type: string
description: Trivy severity configuration for image testing
default: "CRITICAL,HIGH"
upload-image:
type: string
description: >-
Can be either 'artifact' or 'registry', which determines the method by which images used
in integration tests are uploaded. If set to 'artifact', the images will be uploaded as GitHub
action artifacts. If set to 'registry', the images will be uploaded to ghcr.
If this parameter is not specified, the default behavior is to use 'artifact' for pull requests
originating from forked repositories, and 'registry' for all other cases.
default: ""
working-directory:
type: string
description: The working directory for jobs
default: "./"
zap-auth-header:
description: If this is defined then its value will be added as a header to all of the ZAP requests
type: string
zap-auth-header-value:
description: If this is defined then its value will be used as the header name to all of the ZAP requests
type: string
zap-before-command:
description: Command to run before ZAP testing
type: string
zap-cmd-options:
description: Options to be used by ZAP
type: string
default: "-T 60"
zap-enabled:
type: boolean
description: Whether ZAP testing is enabled
default: false
zap-target:
description: If this is not set, the unit IP address will be used as ZAP target
type: string
zap-target-port:
description: ZAP target port
type: string
default: '80'
zap-target-protocol:
description: ZAP target protocol
type: string
default: "http"
zap-rules-file-name:
description: Rules file to ignore any alerts from the ZAP scan
type: string
env:
REGISTRY: ghcr.io
OWNER: ${{ github.repository_owner }}
jobs:
plan:
name: Plan
runs-on: ${{ inputs.builder-runner-label }}
outputs:
plan: ${{ steps.plan.outputs.plan }}
steps:
- uses: actions/[email protected]
- uses: canonical/operator-workflows/internal/plan@main
id: plan
with:
identifier: ${{ inputs.identifier }}
upload-image: ${{ inputs.upload-image }}
working-directory: ${{ inputs.working-directory }}
build:
name: Build ${{ matrix.build.type }} (${{ matrix.build.name }})
needs: [ plan ]
runs-on: ${{ inputs.builder-runner-label }}
strategy:
matrix:
build: ${{ fromJSON(needs.plan.outputs.plan).build }}
steps:
- uses: canonical/[email protected]
- name: Set LXC security nesting
if: ${{ inputs.rockcraft-enable-security-nesting }}
run: |
lxc profile set default security.nesting true
- uses: actions/checkout@v4
- uses: canonical/operator-workflows/internal/build@main
id: build
with:
build-plan: ${{ toJSON(matrix.build) }}
charmcraft-channel: ${{ inputs.charmcraft-channel }}
charmcraft-ref: ${{ inputs.charmcraft-ref }}
charmcraft-repository: ${{ inputs.charmcraft-repository }}
github-token: ${{ secrets.GITHUB_TOKEN }}
rockcraft-channel: ${{ inputs.rockcraft-channel }}
rockcraft-ref: ${{ inputs.rockcraft-ref }}
rockcraft-repository: ${{ inputs.rockcraft-repository }}
plan-scan:
name: Plan Image Scanning
runs-on: ${{ inputs.builder-runner-label }}
needs: [ plan, build ]
outputs:
scans: ${{ steps.plan-scan.outputs.scans }}
steps:
- uses: canonical/operator-workflows/internal/plan-scan@main
id: plan-scan
with:
plan: ${{ needs.plan.outputs.plan }}
scan:
name: Scan Image (${{ matrix.scan.file }})
runs-on: ${{ inputs.builder-runner-label }}
needs: [ plan-scan ]
if: ${{ needs.plan-scan.outputs.scans != '[]' }}
strategy:
matrix:
scan: ${{ fromJSON(needs.plan-scan.outputs.scans) }}
steps:
- uses: actions/[email protected]
- name: Change directory
run: |
TEMP_DIR=$(mktemp -d)
cp -rp ./${{ inputs.working-directory }}/. $TEMP_DIR
rm -rf .* * || :
cp -rp $TEMP_DIR/. .
rm -rf $TEMP_DIR
ls -lah
- uses: actions/[email protected]
if: matrix.scan.artifact != ''
with:
name: ${{ matrix.scan.artifact }}
- if: endsWith( matrix.scan.file, '.rock')
run: |
skopeo copy oci-archive:${{ matrix.scan.file }} docker-archive:${{ matrix.scan.file }}.tar
mv ${{ matrix.scan.file }}.tar ${{ matrix.scan.file }}
- uses: docker/[email protected]
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- if: matrix.scan.image != ''
run: |
docker image pull ${{ matrix.scan.image }}
docker image save -o ${{ matrix.scan.file }} ${{ matrix.scan.image }}
- name: Run Github Trivy Image Action
uses: aquasecurity/[email protected]
with:
input: ${{ matrix.scan.file }}
trivy-config: ${{ inputs.trivy-image-config }}
exit-code: '1'
severity: ${{ inputs.trivy-severity-config }}
env:
TRIVY_DISABLE_VEX_NOTICE: true
- name: Check trivyignore
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.46.0
if [ -f ".trivyignore" ]
then
output=$(trivy image $ROCK_IMAGE --severity ${{ inputs.trivy-severity-config }} -q -f json --ignorefile "" | jq -r '.Results[].Vulnerabilities[].VulnerabilityID' 2>/dev/null || echo "No vulnerabilities found")
line=0
while read CVE;
do
line=$(( line + 1 ))
if [[ "$output" != *"$CVE"* ]] && [[ ! "$CVE" =~ ^#.* ]]
then
echo "::notice file=.trivyignore,line=${line}::$CVE not present anymore, can be safely removed."
fi
done < .trivyignore
fi
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
ROCK_IMAGE: ${{ env.IMAGE_REF }}
integration-test:
name: Integration tests
uses: ./.github/workflows/integration_test_run.yaml
needs: [ plan, build ]
if: always() && needs.plan.result == 'success' && (needs.build.result == 'success' || toJSON(fromJSON(needs.plan.outputs.plan).build) == '[]')
secrets: inherit
with:
channel: ${{ inputs.channel }}
charmcraft-ref: ${{ inputs.charmcraft-ref }}
charmcraft-repository: ${{ inputs.charmcraft-repository }}
extra-arguments: ${{ inputs.extra-arguments }}
extra-test-matrix: ${{ inputs.extra-test-matrix }}
juju-channel: ${{ inputs.juju-channel }}
load-test-enabled: ${{ inputs.load-test-enabled }}
load-test-run-args: ${{ inputs.load-test-run-args }}
microk8s-addons: ${{ inputs.microk8s-addons }}
modules: ${{ inputs.modules }}
owner: ${{ github.repository_owner }}
plan: ${{ needs.plan.outputs.plan }}
pre-run-script: ${{ inputs.pre-run-script }}
provider: ${{ inputs.provider }}
registry: ghcr.io
self-hosted-runner-arch: ${{ inputs.self-hosted-runner-arch }}
self-hosted-runner-label: ${{ inputs.self-hosted-runner-label }}
self-hosted-runner: ${{ inputs.self-hosted-runner }}
series: ${{ inputs.series }}
setup-devstack-swift: ${{ inputs.setup-devstack-swift }}
test-timeout: ${{ inputs.test-timeout }}
test-tox-env: ${{ inputs.test-tox-env }}
tmate-debug: ${{ inputs.tmate-debug }}
tmate-timeout: ${{ inputs.tmate-timeout }}
trivy-fs-config: ${{ inputs.trivy-fs-config }}
trivy-fs-enabled: ${{ inputs.trivy-fs-enabled }}
trivy-fs-ref: ${{ inputs.trivy-fs-ref }}
working-directory: ${{ inputs.working-directory }}
zap-auth-header-value: ${{ inputs.zap-auth-header-value }}
zap-auth-header: ${{ inputs.zap-auth-header }}
zap-before-command: ${{ inputs.zap-before-command }}
zap-cmd-options: ${{ inputs.zap-cmd-options }}
zap-enabled: ${{ inputs.zap-enabled }}
zap-rules-file-name: ${{ inputs.zap-rules-file-name }}
zap-target-port: ${{ inputs.zap-target-port }}
zap-target-protocol: ${{ inputs.zap-target-protocol }}
zap-target: ${{ inputs.zap-target }}
required_status_checks:
name: Required Integration Test Status Checks
runs-on: ${{ inputs.builder-runner-label }}
needs:
- integration-test
if: always() && !cancelled()
timeout-minutes: 5
steps:
- run: |
[ '${{ needs.integration-test.result }}' = 'success' ] || (echo integration-test failed && false)