ci: add initial integration tests

.github/workflows/.reusable-integration-test.yml

@@ -29,13 +29,210 @@ env:
   IMAGEPULLSECRET: dockerconfigjson-ghcr
 
 jobs:
-  do-nothing:
+  integration-test:
     name: functional
     runs-on: ubuntu-latest
     if: inputs.skip != 'all'
     #    permissions:  #TODO: reactivate for non-private
     #      packages: read
+    env:
+      IMAGE: ${{ inputs.build_image_repository }}
+      TAG: ${{ inputs.build_tag }}
+    strategy:
+      fail-fast: false
+      matrix:
+        integration-test-arg:
+          [
+            "basic",
+          ]
     steps:
-      - name: Do nothing
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Login with registry
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ inputs.build_registry }}
+          username: ${{ inputs.repo_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install yq
         run: |
-          sleep 1
+          sudo snap install yq
+      - uses: ./.github/actions/k8s-version-config
+        name: Setup k8s cluster
+        with:
+          k8s-version: v1.25
+      - name: Run test
+        run: |
+          bash tests/integration/main.sh "${{ matrix.integration-test-arg }}"
+      - name: Display semgr8s configuration
+        if: always()
+        run: |
+          echo "::group::values.yaml"
+          yq e '... comments=""' charts/semgr8s/values.yaml
+          echo "::endgroup::"
+      - name: Display k8s state if integration test failed
+        if: failure()
+        run: |
+          kubectl describe deployments.apps -n semgr8ns -lapp.kubernetes.io/name=semgr8s
+          kubectl describe pods -n semgr8ns -lapp.kubernetes.io/name=semgr8s
+      - name: Display logs if integration test failed
+        if: failure()
+        run: |
+          kubectl logs -n semgr8ns -lapp.kubernetes.io/name=semgr8s --prefix=true --tail=-1
+
+  optional-integration-test:
+    name: optional
+    runs-on: ubuntu-latest
+    if: |
+      inputs.skip != 'non-required' &&
+      inputs.skip != 'all'
+    #    permissions:  #TODO: reactivate for non-private
+    #      packages: read
+    env:
+      IMAGE: ${{ inputs.build_image_repository }}
+      TAG: ${{ inputs.build_tag }}
+    strategy:
+      fail-fast: false
+      matrix:
+        integration-test-arg:
+          [
+            "basic",
+          ]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Login with registry
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ inputs.build_registry }}
+          username: ${{ inputs.repo_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install yq
+        run: |
+          sudo snap install yq
+      - uses: ./.github/actions/k8s-version-config
+        name: Setup k8s cluster
+        with:
+          k8s-version: v1.25
+      - name: Run test
+        run: |
+          bash tests/integration/integration-test.sh "${{ matrix.integration-test-arg }}"
+      - name: Display semgr8s configuration
+        if: always()
+        run: |
+          echo "::group::values.yaml"
+          yq e '... comments=""' charts/semgr8s/values.yaml
+          echo "::endgroup::"
+      - name: Display k8s state if integration test failed
+        if: failure()
+        run: |
+          kubectl describe deployments.apps -n semgr8ns -lapp.kubernetes.io/name=semgr8s
+          kubectl describe pods -n semgr8ns -lapp.kubernetes.io/name=semgr8s
+      - name: Display logs if integration test failed
+        if: failure()
+        run: |
+          kubectl logs -n semgr8ns -lapp.kubernetes.io/name=semgr8s --prefix=true --tail=-1
+
+  k8s-versions:
+    name: k8s versions
+    runs-on: ubuntu-latest
+    if: inputs.skip != 'all'
+    #    permissions:  #TODO: reactivate for non-private
+    #      packages: read
+    env:
+      IMAGE: ${{ inputs.build_image_repository }}
+      TAG: ${{ inputs.build_tag }}
+    strategy:
+      fail-fast: false
+      matrix:
+        k8s-version: [
+            "v1.25",
+            "v1.26",
+            "v1.27",
+            "v1.28",
+          ]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Login with registry
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ inputs.build_registry }}
+          username: ${{ inputs.repo_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install yq
+        run: |
+          sudo snap install yq
+      - uses: ./.github/actions/k8s-version-config
+        name: Setup k8s cluster
+        with:
+          k8s-version: ${{ matrix.k8s-version }}
+      - name: Run pre-config and workload integration tests
+        run: |
+          bash tests/integration/integration-test.sh "pre-and-workload"
+      - name: Display k8s state and logs if integration test failed
+        if: failure()
+        run: |
+          kubectl describe deployments.apps -n semgr8ns -lapp.kubernetes.io/name=semgr8s
+          kubectl describe pods -n semgr8ns -lapp.kubernetes.io/name=semgr8s
+          kubectl logs -n semgr8ns -lapp.kubernetes.io/name=semgr8s --prefix=true --tail=-1
+      - name: Display semgr8s configuration
+        if: always()
+        run: |
+          echo "::group::values.yaml"
+          yq e '... comments=""' charts/semgr8s/values.yaml
+          echo "::endgroup::"
+
+  optional-k8s-versions:
+    name: optional k8s versions
+    runs-on: ubuntu-latest
+    if: |
+      inputs.skip != 'non-required' &&
+      inputs.skip != 'all'
+    #    permissions:  #TODO: reactivate for non-private
+    #      packages: read
+    env:
+      IMAGE: ${{ inputs.build_image_repository }}
+      TAG: ${{ inputs.build_tag }}
+    strategy:
+      fail-fast: false
+      matrix:
+        k8s-version: [
+            "v1.20",
+            "v1.21",
+            "v1.22",
+            "v1.23",
+            "v1.24",
+          ]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Login with registry
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ inputs.build_registry }}
+          username: ${{ inputs.repo_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install yq
+        run: |
+          sudo snap install yq
+      - uses: ./.github/actions/k8s-version-config
+        name: Setup k8s cluster
+        with:
+          k8s-version: ${{ matrix.k8s-version }}
+      - name: Run pre-config and workload integration tests
+        run: |
+          bash tests/integration/integration-test.sh "pre-and-workload"
+      - name: Display k8s state and logs if integration test failed
+        if: failure()
+        run: |
+          kubectl describe deployments.apps -n semgr8ns -lapp.kubernetes.io/name=semgr8s
+          kubectl describe pods -n semgr8ns -lapp.kubernetes.io/name=semgr8s
+          kubectl logs -n semgr8ns -lapp.kubernetes.io/name=semgr8s --prefix=true --tail=-1
+      - name: Display semgr8s configuration
+        if: always()
+        run: |
+          echo "::group::values.yaml"
+          yq e '... comments=""' charts/semgr8s/values.yaml
+          echo "::endgroup::"
+

.github/workflows/push.yml

@@ -25,5 +25,5 @@ jobs:
       skip_sast: 'non-required'
       skip_sca: 'non-required'
       skip_docs: 'none'
-      skip_integration_tests: 'non-required'
+      skip_integration_tests: 'none'
       output_type: 'sarif'

Makefile

@@ -26,7 +26,7 @@ install:
 	@echo "####################"
 	@echo "## $(@)"
 	@echo "####################"
-	helm install semgr8s charts/semgr8s --create-namespace --namespace $(ns)
+	helm install semgr8s charts/semgr8s --atomic --create-namespace --namespace $(ns)
 
 .PHONY:uninstall
 uninstall:
@@ -48,10 +48,10 @@ test:
 	@echo "####################"
 	@echo "## $(@)"
 	@echo "####################"
-	-kubectl create -f tests/
+	-kubectl create -f tests/demo
 	@echo
 	-kubectl get pods -n test-semgr8s-passing
 	@echo
 	-kubectl get pods -n test-semgr8s-failing
 	@echo
-	-kubectl delete -f tests/
+	-kubectl delete -f tests/demo

charts/semgr8s/templates/webhook.yaml

@@ -38,7 +38,7 @@ webhooks:
           - "*"
         operations:
           - CREATE
-        resources: ["pods"]
+          - UPDATE
     clientConfig:
       service:
         name: {{ include "semgr8s.serviceName" . }}

tests/failing_deployment.yaml → tests/demo/failing_deployment.yaml

@@ -33,7 +33,7 @@ spec:
         drop:
           - ALL
       privileged: true
-      readOnlyRootFilesystem: false
+      readOnlyRootFilesystem: true
       runAsNonRoot: true
 ---
 apiVersion: v1
@@ -52,5 +52,5 @@ spec:
         drop:
           - ALL
       privileged: false
-      readOnlyRootFilesystem: false
+      readOnlyRootFilesystem: true
   hostNetwork: true

tests/integration/data/00_namespaces.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: validatedns
+  labels:
+    semgr8s/validation: enabled
+    use: semgr8s-integration-test
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ignoredns
+  labels:
+    use: semgr8s-integration-test

tests/integration/data/20_compliant_pod.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: compliant-pod
+  namespace: validatedns
+spec:
+  containers:
+  - image: busybox
+    name: compliant-pod
+    command: ["/bin/sh", "-ec", "sleep 1000"]
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+      runAsUser: 10001  # remove when using openshift or OKD 4
+      runAsGroup: 20001  # remove when using openshift or OKD 4
+      seccompProfile:  # remove when using Kubernetes prior v1.19, openshift or OKD 4
+        type: RuntimeDefault  # remove when using Kubernetes prior v1.19, openshift or OKD 4

tests/integration/data/40_nosc_pod.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nosc-pod
+  namespace: validatedns
+  labels:
+    use: semgr8s-integration-test
+spec:
+  containers:
+  - image: busybox
+    name: nosc-pod
+    command: ["/bin/sh", "-ec", "sleep 1000"]

tests/integration/data/41_privileged_pod.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: privileged-pod
+  namespace: validatedns
+  labels:
+    use: semgr8s-integration-test
+spec:
+  containers:
+  - image: busybox
+    name: privileged-pod
+    command: ["/bin/sh", "-ec", "sleep 1000"]
+    securityContext:
+      allowPrivilegeEscalation: true
+      capabilities:
+        drop:
+          - ALL
+      privileged: true
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true

tests/integration/data/42_hostnetwork_pod.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: hostnetwork-pod
+  namespace: validatedns
+  labels:
+    use: semgr8s-integration-test
+spec:
+  containers:
+  - image: busybox
+    name: hostnetwork-pod
+    command: ["/bin/sh", "-ec", "sleep 1000"]
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+      privileged: false
+      readOnlyRootFilesystem: true
+  hostNetwork: true