-
Notifications
You must be signed in to change notification settings - Fork 42
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Bump helm * Disable PSP feature leave rules * Bumping elastic-agent-autodiscover * Lint fixes * Linter empty space * Commenting out CI tests and removing codeblocks from core code * Comment out EKS PSP * Remove imports from CI tests * Update rules coverage (cherry picked from commit 0029a1a) # Conflicts: # .github/workflows/ci.yml # go.mod # go.sum # resources/fetching/fetchers/k8s/kube_fetcher_test.go # resources/fetching/fetchers/k8s/kube_provider.go # security-policies/RULES.md # tests/product/tests/data/k8s/k8s_object_cases.py # tests/product/tests/data/k8s_object/eks_k8s_object_test_cases.py # tests/test_environments/k8s-objects-all-cases.yml
- Loading branch information
1 parent
76f28c3
commit 7e53359
Showing
18 changed files
with
1,190 additions
and
101 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,300 @@ | ||
| name: Tests | ||
|
|
||
| on: | ||
| pull_request_target: | ||
| branches: | ||
| - main | ||
| - "[0-9]+.[0-9]+" | ||
| types: [opened, synchronize, reopened] | ||
| push: | ||
| branches: | ||
| - main | ||
| - "[0-9]+.[0-9]+" | ||
| workflow_dispatch: | ||
|
|
||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| init-hermit: | ||
| name: Init Hermit Tools | ||
| runs-on: ubuntu-22.04 | ||
| timeout-minutes: 60 | ||
| steps: | ||
| - name: Check out the repo | ||
| uses: actions/checkout@v4 | ||
| - name: Hermit Environment | ||
| uses: ./.github/actions/hermit | ||
| with: | ||
| init-tools: 'true' | ||
|
|
||
| ci-azure: | ||
| needs: [ init-hermit ] | ||
| name: CIS Azure CI | ||
| runs-on: ubuntu-22.04 | ||
| timeout-minutes: 60 | ||
| permissions: | ||
| contents: "read" | ||
| id-token: "write" | ||
| steps: | ||
| - name: Check out the repo | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Hermit Environment | ||
| uses: ./.github/actions/hermit | ||
|
|
||
| - name: Run Azure integration tests | ||
| uses: ./.github/actions/azure-ci | ||
| with: | ||
| elk-version: ${{ env.ELK_VERSION }} | ||
| azure-client-id: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientId }} | ||
| azure-tenant-id: ${{ fromJSON(secrets.AZURE_CREDENTIALS).tenantId }} | ||
| azure-client-secret: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientSecret }} | ||
|
|
||
| ci-aws: | ||
| needs: [ init-hermit ] | ||
| name: CIS AWS CI | ||
| runs-on: ubuntu-22.04 | ||
| timeout-minutes: 60 | ||
| permissions: | ||
| contents: "read" | ||
| id-token: "write" | ||
| steps: | ||
| - name: Check out the repo | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Hermit Environment | ||
| uses: ./.github/actions/hermit | ||
|
|
||
| - name: Run AWS integration tests | ||
| uses: ./.github/actions/aws-ci | ||
| with: | ||
| elk-version: ${{ env.ELK_VERSION }} | ||
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ACC }} | ||
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ACC }} | ||
| aws-account-type: single-account | ||
|
|
||
| ci-gcp: | ||
| needs: [ init-hermit ] | ||
| name: CIS GCP CI | ||
| runs-on: ubuntu-22.04 | ||
| timeout-minutes: 60 | ||
| permissions: | ||
| contents: 'read' | ||
| id-token: 'write' | ||
| steps: | ||
| - name: Check out the repo | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Hermit Environment | ||
| uses: ./.github/actions/hermit | ||
|
|
||
| - name: Run GCP integration tests | ||
| uses: ./.github/actions/gcp-ci | ||
| with: | ||
| elk-version: ${{ env.ELK_VERSION }} | ||
| workload-identity-provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }} | ||
| service-account: ${{ secrets.GCP_SERVICE_ACCOUNT }} | ||
| gcp-project-id: 'elastic-security-test' | ||
| gcp-account-type: 'single-account' | ||
|
|
||
| ci-cnvm: | ||
| needs: [ init-hermit ] | ||
| name: CNVM CI | ||
| runs-on: ubuntu-22.04 | ||
| timeout-minutes: 30 | ||
| steps: | ||
| - name: Check out the repo | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Hermit Environment | ||
| uses: ./.github/actions/hermit | ||
|
|
||
| - name: Run CNVM integration tests | ||
| uses: ./.github/actions/cnvm-ci | ||
| with: | ||
| elk-version: ${{ env.ELK_VERSION }} | ||
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| aws-region: 'us-east-2' | ||
|
|
||
| docker-images: | ||
| needs: [ init-hermit ] | ||
| name: Build docker images | ||
| # Since we build the cloudbeat in the worker's OS and as non static, | ||
| # we need to keep the OS version same as elastic-agent docker image base. | ||
| # docker run --interactive --tty --rm --entrypoint bash docker.elastic.co/elastic-agent/elastic-agent-complete:8.14.0-SNAPSHOT -c 'cat /etc/os-release' | ||
| runs-on: ubuntu-20.04 | ||
| timeout-minutes: 40 | ||
| steps: | ||
| - name: Free Disk Space (Ubuntu) | ||
| uses: jlumbroso/free-disk-space@main | ||
| with: | ||
| tool-cache: false | ||
| android: true | ||
| dotnet: true | ||
| haskell: true | ||
| large-packages: false | ||
| docker-images: true | ||
| swap-storage: true | ||
|
|
||
| - name: Check out the repo | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Hermit Environment | ||
| uses: ./.github/actions/hermit | ||
|
|
||
| - name: Build docker images | ||
| uses: ./.github/actions/docker-images | ||
| with: | ||
| build-docker-images: 'true' | ||
|
|
||
| ci-k8s: | ||
| needs: [ init-hermit, docker-images ] | ||
| name: ${{ matrix.test-target }}-${{ matrix.kind-config }} | ||
| runs-on: ubuntu-22.04 | ||
| timeout-minutes: 120 | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| include: | ||
| - test-target: pre_merge | ||
| kind-config: kind-multi | ||
| values-file: tests/test_environments/values/ci.yml | ||
| - test-target: pre_merge_agent | ||
| kind-config: kind-multi | ||
| values-file: tests/test_environments/values/ci-sa-agent.yml | ||
| - test-target: k8s_file_system_rules | ||
| kind-config: kind-test-files | ||
| values-file: tests/test_environments/values/ci-test-k8s-files.yml | ||
| # - test-target: k8s_object_psp_rules | ||
| # kind-config: kind-multi | ||
| # values-file: tests/test_environments/values/ci-test-k8s-objects.yml | ||
| - test-target: k8s_process_rules | ||
| kind-config: kind-test-proc-conf1 | ||
| values-file: tests/test_environments/values/ci-test-k8s-proc-conf1.yml | ||
| - test-target: k8s_process_rules | ||
| kind-config: kind-test-proc-conf2 | ||
| values-file: tests/test_environments/values/ci-test-k8s-proc-conf2.yml | ||
| steps: | ||
| - name: Free Disk Space (Ubuntu) | ||
| uses: jlumbroso/free-disk-space@main | ||
| with: | ||
| tool-cache: false | ||
| android: true | ||
| dotnet: true | ||
| haskell: true | ||
| large-packages: false | ||
| docker-images: true | ||
| swap-storage: true | ||
|
|
||
| - name: Check out the repo | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Hermit Environment | ||
| uses: ./.github/actions/hermit | ||
|
|
||
| - name: Get docker images | ||
| uses: ./.github/actions/docker-images | ||
| with: | ||
| build-docker-images: 'false' | ||
| docker-images-folder: '/tmp/.docker-images' | ||
|
|
||
| - name: Run k8s integration tests | ||
| uses: ./.github/actions/k8s-ci | ||
| with: | ||
| kind-config: ${{ matrix.kind-config }} | ||
| test-target: ${{ matrix.test-target }} | ||
| values-file: ${{ matrix.values-file }} | ||
| docker-images-folder: '/tmp/.docker-images' | ||
|
|
||
| upload-allure-results: | ||
| needs: | ||
| - ci-azure | ||
| - ci-aws | ||
| - ci-gcp | ||
| - ci-cnvm | ||
| - ci-k8s | ||
| name: Upload integration tests results | ||
| runs-on: ubuntu-22.04 | ||
| timeout-minutes: 60 | ||
| permissions: | ||
| pull-requests: write | ||
| if: ${{ always() }} | ||
| env: | ||
| AWS_REGION: "eu-west-1" | ||
| ALLURE_S3_BUCKET: "s3://csp-allure-reports/allure_reports/cloudbeat/ci" | ||
| S3_BUCKET_ALLURE_REPORT_AP: "http://csp-allure-reports.s3.amazonaws.com/allure_reports/cloudbeat/ci" | ||
| steps: | ||
| - name: Check out the repo | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - uses: actions/download-artifact@v4 | ||
| if: ${{ always() }} | ||
| with: | ||
| pattern: allure-results-ci-* | ||
| path: tests/allure/results/ | ||
| merge-multiple: true | ||
|
|
||
| - name: log | ||
| if: ${{ always() }} | ||
| shell: bash | ||
| run: | | ||
| ls -lahR tests/allure/results/ || true | ||
| - name: Publish allure report | ||
| if: ${{ always() }} | ||
| uses: andrcuns/[email protected] | ||
| env: | ||
| GITHUB_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| AWS_REGION: ${{ env.AWS_REGION }} | ||
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| with: | ||
| storageType: s3 | ||
| resultsGlob: "tests/allure/results" | ||
| updatePr: actions | ||
| collapseSummary: false | ||
| summary: suites | ||
| summaryTableType: markdown | ||
| copyLatest: true | ||
| bucket: csp-allure-reports | ||
| prefix: allure_reports/cloudbeat/ci/${{ github.event.number }} | ||
| ignoreMissingResults: true | ||
| debug: false | ||
|
|
||
| - name: Allure Summary | ||
| if: ${{ success() && github.event_name != 'push' }} | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| curl --fail --show-error --location '${{ env.S3_BUCKET_ALLURE_REPORT_AP }}/${{ github.event.number }}/history/history-trend.json' --output ./history-trend.json | ||
| allure_result=./history-trend.json | ||
| allure_url=${{ env.S3_BUCKET_ALLURE_REPORT_AP }}/${{ github.event.number }}/index.html | ||
| ./.ci/scripts/allure-report-summary.sh "$allure_result" "$allure_url" | ||
| allure_summary=$(./.ci/scripts/allure-report-summary.sh "$allure_result" "$allure_url") | ||
| # saving result into env variable (with multiline handling) | ||
| echo "ALLURE_SUMMARY<<EOF" >> $GITHUB_ENV | ||
| echo "$allure_summary" >> $GITHUB_ENV | ||
| echo "EOF" >> $GITHUB_ENV | ||
| - name: Comment test success result | ||
| uses: marocchino/sticky-pull-request-comment@v2 | ||
| if: ${{ success() && github.event_name != 'push' }} | ||
| with: | ||
| header: CI Test Results | ||
| number: ${{ github.event.number }} | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| message: | | ||
| ${{ env.ALLURE_SUMMARY }} | ||
| - if: ${{ success() }} | ||
| name: Cleanup docker image artifacts | ||
| uses: geekyeggo/delete-artifact@v5 | ||
| with: | ||
| name: docker-images | ||
| failOnError: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.