sse-secure-systems · phbelitz · Nov 25, 2024
diff --git a/.github/actions/alerting-endpoint/action.yml b/.github/actions/alerting-endpoint/action.yml
diff --git a/.github/actions/integration-test/action.yaml b/.github/actions/integration-test/action.yaml
@@ -0,0 +1,121 @@
+name: Integration test
+description: |
+  Run integration tests on a k3s cluster.
+inputs:
+  registry:
+    description: "Docker registry to pull the image from"
+    required: true
+  username:
+    description: "Username for the Docker registry"
+    required: true
+  image:
+    description: "Image to pull from the registry"
+    required: true
+  tag:
+    description: "Tag of the image to pull"
+    required: true
+  k8s-version:
+    description: "Kubernetes version to install"
+    required: true
+  test:
+    description: "Test to run"
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Install required packages
+      run: |
+        sudo snap install yq
+        sudo apt update
+        sudo apt install bash -y
+      shell: bash
+    - name: Setup k3s ${{ inputs.k8s-version }}
+      run: |
+        curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL="${{ inputs.k8s-version }}" sh -s -
+      shell: bash
+    # By providing a kubeconfig owned by the current user with 600 permissions,
+    # kubectl becomes usable without sudo, and helm won't emit warnings about
+    # bloated access to group/world.
+    - name: Prepare a kubeconfig in ~/.kube/config
+      run: |
+        mkdir -p ~/.kube
+        sudo cat /etc/rancher/k3s/k3s.yaml > "$HOME/.kube/config"
+        chmod 600 "$HOME/.kube/config"
+        echo "KUBECONFIG=$HOME/.kube/config" >> $GITHUB_ENV
+      shell: bash
+    - name: Setup Helm
+      run: |
+        curl -sf https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
+      shell: bash
+    - name: Wait for coredns, metrics server, traefik
+      run: |
+        # Wait for a few seconds to allow deployments spin up
+        sleep 10
+        kubectl rollout status --watch --timeout 300s deployment/coredns -n kube-system
+        kubectl rollout status --watch --timeout 300s deployment/metrics-server -n kube-system
+        kubectl wait --for=condition=complete --timeout=300s job/helm-install-traefik-crd -n kube-system || true
+        kubectl wait --for=condition=complete --timeout=300s job/helm-install-traefik -n kube-system || true
+        kubectl rollout status --watch --timeout 300s deployment/traefik -n kube-system
+      shell: bash
+    - name: Get IP
+      id: get_ip
+      run: |
+        if [ "${{ inputs.test }}" == "alerting" ]; then
+          CONTAINER=$(docker container ls --no-trunc --format "{{json . }}" | jq ' . | select(.Image|match("alerting-endpoint"))')
+          CONTAINER_ID=$(echo ${CONTAINER} | jq -r .ID)
+          CONTAINER_NETWORK=$(echo ${CONTAINER} | jq -r .Networks)
+          SEARCH_PATH=.[0].NetworkSettings.Networks."${CONTAINER_NETWORK}".IPAddress
+          IP=$(docker container inspect ${CONTAINER_ID} | jq -r ${SEARCH_PATH})
+        else
+          IP=""
+        fi
+        echo IP=${IP} >> ${GITHUB_OUTPUT}
+      shell: bash
+    - name: Run test
+      run: |
+        bash test/integration/main.sh "${{ inputs.test }}"
+      env:
+        ALERTING_ENDPOINT_IP: ${{ steps.get_ip.outputs.ip }}
+      shell: bash
+    - name: Display Connaisseur configuration
+      if: always()
+      run: |
+        out=$(yq e '... comments=""' charts/connaisseur/values.yaml)
+        echo "::group::values.yaml"
+        echo "${out}" | yq
+        echo "::endgroup::"
+        echo "<details><summary>values.yaml</summary>" >> ${GITHUB_STEP_SUMMARY}
+        echo "<pre lang=\"yaml\"><code>${out}</code></pre>" >> ${GITHUB_STEP_SUMMARY}
+        echo "</details>" >> ${GITHUB_STEP_SUMMARY}
+      shell: bash
+    - name: Display k8s state if integration test failed
+      if: failure()
+      run: |
+        deploy_out=$(kubectl describe deployments.apps -n connaisseur -lapp.kubernetes.io/name=connaisseur)
+        if [ -n "${deploy_out}" ]; then
+          echo "${deploy_out}"
+          echo "<details><summary>connaisseur deployment</summary>" >> ${GITHUB_STEP_SUMMARY}
+          echo "<pre lang=\"yaml\"><code>${deploy_out}</code></pre>" >> ${GITHUB_STEP_SUMMARY}
+          echo "</details>" >> ${GITHUB_STEP_SUMMARY}
+        fi
+
+        pod_out=$(kubectl describe pods -n connaisseur -lapp.kubernetes.io/name=connaisseur)
+        if [ -n "${pod_out}" ]; then
+          echo "${pod_out}"
+          echo "<details><summary>connaisseur pods</summary>" >> ${GITHUB_STEP_SUMMARY}
+          echo "<pre lang=\"yaml\"><code>${pod_out}</code></pre>" >> ${GITHUB_STEP_SUMMARY}
+          echo "</details>" >> ${GITHUB_STEP_SUMMARY}
+        fi
+      shell: bash
+    - name: Display logs if integration test failed
+      if: failure()
+      run: |
+        logs_out=$(kubectl logs -n connaisseur -lapp.kubernetes.io/name=connaisseur --prefix=true --tail=-1)
+        if [ -n "${logs_out}" ]; then
+          echo "${logs_out}"
+          echo "<details><summary>connaisseur logs</summary>" >> ${GITHUB_STEP_SUMMARY}
+          echo "<pre lang=\"bash\"><code>${logs_out}</code></pre>" >> ${GITHUB_STEP_SUMMARY}
+          echo "</details>" >> ${GITHUB_STEP_SUMMARY}
+        fi
+      shell: bash
diff --git a/.github/actions/k3s-cluster/action.yaml b/.github/actions/k3s-cluster/action.yaml
diff --git a/.github/actions/k8s-version-config/action.yaml b/.github/actions/k8s-version-config/action.yaml
diff --git a/.github/actions/notary-server-ip/action.yml b/.github/actions/notary-server-ip/action.yml
diff --git a/.github/actions/notary-service/action.yaml b/.github/actions/notary-service/action.yaml
@@ -0,0 +1,41 @@
+name: notary-service
+description: 'Sets up a notary service (signer or server)'
+inputs:
+  service:
+    description: "Which kind of service is to be started (signer or server)"
+    required: true
+  port_map:
+    description: "The port mapping for the service container"
+    required: true
+  add_host:
+    description: "What additional hosts to add to the service"
+    required: false
+outputs:
+  ip:
+    description: "IP address of the notary service"
+    value: ${{ steps.get_service_ip.outputs.service_ip }}
+runs:
+  using: composite
+  steps:
+    - name: Setup service
+      run: |
+        DOCKER_ARGS='-d -p ${{ inputs.port_map }} -v ./test/integration/self-hosted-notary/notary-service-container/${{ inputs.service }}:/etc/docker/notary-${{ inputs.service }}'
+        SERVICE_ARGS='-config=/etc/docker/notary-${{ inputs.service }}/config.json'
+
+        if [[ "${{ inputs.service }}" == "server" ]]; then
+          DOCKER_ARGS=${DOCKER_ARGS}' --add-host notary.signer:${{ inputs.add_host }}'
+          SERVICE_ARGS=${SERVICE_ARGS}' -logf=json'
+        fi
+
+        docker run ${DOCKER_ARGS} notary:${{ inputs.service }} ${SERVICE_ARGS}
+      shell: bash
+    - name: Get IP
+      id: get_service_ip
+      run: |
+        NOTARY_CONTAINER=$(docker container ls --no-trunc --format "{{json . }}" | jq ' . | select(.Image|match("notary:${{ inputs.service }}"))')
+        NOTARY_CONTAINER_ID=$(echo ${NOTARY_CONTAINER} | jq -r .ID)
+        NOTARY_CONTAINER_NETWORK=$(echo ${NOTARY_CONTAINER} | jq -r .Networks)
+        NOTARY_SEARCH_PATH=.[0].NetworkSettings.Networks."${NOTARY_CONTAINER_NETWORK}".IPAddress
+        NOTARY_IP=$(docker container inspect ${NOTARY_CONTAINER_ID} | jq -r ${NOTARY_SEARCH_PATH})
+        echo service_ip=${NOTARY_IP} >> ${GITHUB_OUTPUT}
+      shell: bash
diff --git a/.github/actions/notary-signer-ip/action.yaml b/.github/actions/notary-signer-ip/action.yaml
diff --git a/.github/actions/setup-notary/action.yaml b/.github/actions/setup-notary/action.yaml