diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d2cc5325..e1cea561 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -143,38 +143,3 @@ jobs: uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - run: shellcheck $(find scripts/ -name '*.sh') - - airgap-e2e-test: - name: Airgap E2E test - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 - - name: Run registry - run: | - export CONTAINER_ID=$(docker run -d -p 5000:5000 --name registry registry:2) - echo "CONTAINER_ID=${CONTAINER_ID}" >> $GITHUB_ENV - - name: Install kwctl - run: cargo install --locked --path . - - name: Save policies - run: ./scripts/kubewarden-save-policies.sh --policies-list tests/data/airgap/policies.txt --policies policies.tar.gz - - name: Remove policies from store - run: | - kwctl rm registry://ghcr.io/kubewarden/tests/pod-privileged:v0.1.9 - kwctl rm https://github.com/kubewarden/pod-privileged-policy/releases/download/v0.1.6/policy.wasm - - name: Load policies - run: | - ./scripts/kubewarden-load-policies.sh \ - --policies policies.tar.gz \ - --policies-list tests/data/airgap/policies.txt \ - --registry localhost:5000 \ - --sources-path tests/data/airgap/insecure.yml - - name: Verify policies in local registry - run: | - kwctl pull registry://localhost:5000/kubewarden/tests/pod-privileged:v0.1.9 \ - --sources-path tests/data/airgap/insecure.yml - kwctl pull registry://localhost:5000/kubewarden/pod-privileged-policy/releases/download/v0.1.6/policy.wasm \ - --sources-path tests/data/airgap/insecure.yml - - name: Clean up - delete registry - if: always() - run: | - docker rm -f ${{ env.CONTAINER_ID }} diff --git a/scripts/kubewarden-load-policies.sh b/scripts/kubewarden-load-policies.sh index cc269046..de431d59 100755 --- a/scripts/kubewarden-load-policies.sh +++ b/scripts/kubewarden-load-policies.sh 
@@ -1,6 +1,7 @@
-#!/bin/bash
+#!/usr/bin/env bash
set -euo pipefail
+kwctl="${KWCTL_CMD:-kwctl}"
policies="kubewarden-policies.tar.gz"
list="kubewarden-policies.txt"
@@ -16,9 +17,9 @@ usage () {
pushPolicy() {
newPolicyUrl=$1
if [[ -n $sourcesPath ]]; then
- kwctl push "$policy" "$newPolicyUrl" --sources-path "$sourcesPath"
+ $kwctl push "$policy" "$newPolicyUrl" --sources-path "$sourcesPath"
else
- kwctl push "$policy" "$newPolicyUrl"
+ $kwctl push "$policy" "$newPolicyUrl"
fi
}
@@ -60,7 +61,7 @@ if [[ -z ${registry:-} ]]; then
exit 1
fi
-kwctl load --input "${policies}"
+$kwctl load --input "${policies}"
policies=()
while read -r policy; do
@@ -83,4 +84,4 @@ for policy in "${policies[@]}"; do
newPolicyUrl="registry://$registry/${oldPolicyUrl#*/}"
pushPolicy "$newPolicyUrl"
fi
-done
\ No newline at end of file
+done
diff --git a/scripts/kubewarden-save-policies.sh b/scripts/kubewarden-save-policies.sh
index 38505eea..4dc4d9ea 100755
--- a/scripts/kubewarden-save-policies.sh
+++ b/scripts/kubewarden-save-policies.sh
@@ -1,6 +1,7 @@
-#!/bin/bash
+#!/usr/bin/env bash
set -euo pipefail
+kwctl="${KWCTL_CMD:-kwctl}"
policies="kubewarden-policies.tar.gz"
list="kubewarden-policies.txt"
@@ -41,7 +42,7 @@ fi
pulled=()
while IFS= read -r i; do
[ -z "${i}" ] && continue
- if kwctl pull "${i}" > /dev/null 2>&1; then
+ if $kwctl pull "${i}" > /dev/null 2>&1; then
echo "Policy pull success: ${i}"
pulled+=("${i}")
else
@@ -50,5 +51,5 @@ while IFS= read -r i; do
done < "${list}"
echo "Creating ${policies} with ${#pulled[@]} policies"
-kwctl save "${pulled[@]}" --output "${policies}"
+$kwctl save "${pulled[@]}" --output "${policies}"
diff --git a/tests/airgap.rs b/tests/airgap.rs
new file mode 100644
index 00000000..2e1ec410
--- /dev/null
+++ b/tests/airgap.rs
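Review bot: The new `kwctl` variable is expanded unquoted at every call site in this file (`$kwctl push`, `$kwctl load`), so a `KWCTL_CMD` containing a space — tests/airgap.rs sets it to the cargo target path, which inherits whatever directory the repository was checked out in — is word-split into a command plus stray arguments, and the shellcheck step that remains in ci.yml will probably report SC2086 on each of those lines. If the override is meant to be a single binary path, quote it everywhere, e.g. `"$kwctl" push "$policy" "$newPolicyUrl" --sources-path "$sourcesPath"`, and say so above the assignment: `# kwctl binary to invoke; KWCTL_CMD overrides it (the integration tests point it at the freshly built binary).`. If it is meant to allow a command with flags, a bash array is the safe way to express that rather than relying on word splitting.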
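Review bot: Nothing checks that `$kwctl` resolves to an executable, and its first use in this script is `$kwctl pull "${i}" > /dev/null 2>&1`, so a mistyped or not-yet-built `KWCTL_CMD` makes every policy look like a pull failure with the real error discarded, and the run carries on to `$kwctl save` with nothing pulled. Fail fast right after the assignment: `command -v "$kwctl" >/dev/null 2>&1 || { echo "kwctl not found: $kwctl" >&2; exit 1; }`. The same guard belongs in kubewarden-load-policies.sh, where the first use is `kwctl load` against the local store.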
@@ -0,0 +1,111 @@
+use assert_cmd::Command;
+use std::path::{Path, PathBuf};
+use tempfile::tempdir;
+use testcontainers::{clients, core::WaitFor};
+
+mod common;
+
+#[test]
+fn test_airgap() {
+ let tempdir = tempdir().unwrap();
+ let project_root = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
+
+ // Run registry
+ let docker = clients::Cli::default();
+ let registry_image = testcontainers::GenericImage::new("docker.io/library/registry", "2")
+ .with_wait_for(WaitFor::message_on_stderr("listening on "));
+ let testcontainer = docker.run(registry_image);
+ let port = testcontainer.get_host_port_ipv4(5000);
+
+ // Save policies
+ let mut save_policies_script = setup_airgap_script_command(
+ &project_root.join("scripts/kubewarden-save-policies.sh"),
+ tempdir.path(),
+ );
+ save_policies_script
+ .arg("--policies-list")
+ .arg(project_root.join("tests/data/airgap/policies.txt"))
+ .arg("--policies")
+ .arg(tempdir.path().join("policies.tar.gz"))
+ .assert()
+ .success();
+
+ // Remove policies from store
+ let mut kwctl = common::setup_command(tempdir.path());
+ kwctl
+ .arg("rm")
+ .arg("registry://ghcr.io/kubewarden/tests/pod-privileged:v0.1.9")
+ .assert()
+ .success();
+
+ let mut kwctl = common::setup_command(tempdir.path());
+ kwctl
+ .arg("rm")
+ .arg("https://github.com/kubewarden/pod-privileged-policy/releases/download/v0.1.6/policy.wasm")
+ .assert()
+ .success();
+
+ // Create sources.yml
+ let sources_yaml = format!(
+ r#"
+ insecure_sources:
+ - "localhost:{}"
+ "#,
+ port
+ );
+ std::fs::write(tempdir.path().join("sources.yml"), sources_yaml).unwrap();
+
+ // Load policies
+ let mut load_policies_script = setup_airgap_script_command(
+ &project_root.join("scripts/kubewarden-load-policies.sh"),
+ tempdir.path(),
+ );
+ load_policies_script
+ .arg("--policies")
+ .arg(tempdir.path().join("policies.tar.gz"))
+ .arg("--policies-list")
+ .arg(project_root.join("tests/data/airgap/policies.txt"))
+ .arg("--registry")
+ .arg(format!("localhost:{}", port))
+
.arg("--sources-path")
+ .arg(tempdir.path().join("sources.yml"))
+ .assert()
+ .success();
+
+ // Verify policies in local registry
+ let mut kwctl = common::setup_command(tempdir.path());
+ kwctl
+ .arg("pull")
+ .arg(format!(
+ "registry://localhost:{}/kubewarden/tests/pod-privileged:v0.1.9",
+ port
+ ))
+ .arg("--sources-path")
+ .arg(tempdir.path().join("sources.yml"))
+ .assert()
+ .success();
+
+ let mut kwctl = common::setup_command(tempdir.path());
+ kwctl
+ .arg("pull")
+ .arg(format!(
+ "registry://localhost:{}/kubewarden/pod-privileged-policy/releases/download/v0.1.6/policy.wasm ",
+ port
+ ))
+ .arg("--sources-path")
+ .arg(tempdir.path().join("sources.yml"))
+ .assert()
+ .success();
+}
+
+fn setup_airgap_script_command(script: &Path, tempdir: &Path) -> Command {
+ let mut cmd = Command::new(script);
+
+ cmd.current_dir(tempdir)
+ .env("XDG_CONFIG_HOME", tempdir.join(".config"))
+ .env("XDG_CACHE_HOME", tempdir.join(".cache"))
+ .env("XDG_DATA_HOME", tempdir.join(".local/share"))
+ .env("KWCTL_CMD", env!("CARGO_BIN_EXE_kwctl"));
+
+ cmd
+}
diff --git a/tests/common/mod.rs b/tests/common/mod.rs
index 7cf5d848..bfb55b9c 100644
--- a/tests/common/mod.rs
+++ b/tests/common/mod.rs
@@ -2,6 +2,7 @@ use std::path::Path;
use assert_cmd::Command;
+#[allow(dead_code)]
pub fn setup_command(path: &Path) -> Command {
let mut cmd = Command::cargo_bin("kwctl").unwrap();
@@ -13,6 +14,7 @@ pub fn setup_command(path: &Path) -> Command {
cmd
}
+#[allow(dead_code)]
pub fn test_data(path: &str) -> String {
Path::new(env!("CARGO_MANIFEST_DIR"))
.join("tests")
diff --git a/tests/data/airgap/insecure.yml b/tests/data/airgap/insecure.yml
deleted file mode 100644
index 6311068a..00000000
--- a/tests/data/airgap/insecure.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-insecure_sources:
- - localhost:5000
diff --git a/tests/secure_supply_chain_e2e.rs b/tests/secure_supply_chain_e2e.rs
index ac30c16a..60015a44 100644
--- a/tests/secure_supply_chain_e2e.rs
+++ b/tests/secure_supply_chain_e2e.rs
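Review bot: The reference passed to the second verification `pull` ends in a space inside the string literal (`.../v0.1.6/policy.wasm "`), which reads as a typo; if it passes today it is only because kwctl's reference parsing tolerates trailing whitespace, and the test is then not pulling the exact name that `kubewarden-load-policies.sh` pushed. Drop the space: `"registry://localhost:{}/kubewarden/pod-privileged-policy/releases/download/v0.1.6/policy.wasm",`. The verification also asserts only that `pull` succeeds; for an air-gap round trip the property worth pinning is that the local registry serves the same artifact, so comparing the digest of what comes back from `localhost:{port}` with what the save step originally pulled would catch a mis-tagged or altered push that a bare success check does not. Pointing `KWCTL_CMD` at `CARGO_BIN_EXE_kwctl` is the right call, since otherwise the scripts would exercise whatever `kwctl` happens to be on PATH rather than the binary under test.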
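Review bot: The two `#[allow(dead_code)]` attributes are added without a comment saying why a lint is being silenced on public helpers. The reason is presumably that every integration-test binary under tests/ compiles `common` as its own module, so a helper not used by a given binary (airgap.rs uses `setup_command` but not `test_data`) warns as dead there; that is worth stating once above each attribute: `// Each integration-test binary compiles this module separately, so a helper unused by one binary is reported as dead code.`. The bodies of `setup_command` and `test_data` continue outside the hunk.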
@@ -5,7 +5,7 @@ use rstest::rstest;
use std::{fs, path::Path};
use tempfile::tempdir;
-pub mod common;
+mod common;
fn cosign_initialize(path: &Path) {
let mut cmd = Command::new("cosign");