From 4af521d0e13bbe2f375eee0a064ea24f31d8c2e4 Mon Sep 17 00:00:00 2001 From: Ivan Milchev Date: Tue, 27 Dec 2022 13:39:00 +0100 Subject: [PATCH 1/2] enable cnspec by default and cleanup extra test logic Signed-off-by: Ivan Milchev --- .github/workflows/cloud-tests.yaml | 6 +- .github/workflows/integration-tests.yaml | 4 +- config/manager/manager.yaml | 2 + tests/framework/installer/installer.go | 26 -------- tests/framework/installer/settings.go | 10 --- tests/framework/utils/audit_config.go | 20 +++--- tests/integration/audit_config_base_suite.go | 5 -- tests/integration/audit_config_cnspec_test.go | 63 ------------------- .../audit_config_namespace_test.go | 8 +-- tests/integration/audit_config_test.go | 12 ++-- .../integration/audit_config_upgrade_test.go | 2 +- tests/integration/e2e_test.go | 2 +- 12 files changed, 29 insertions(+), 131 deletions(-) delete mode 100644 tests/integration/audit_config_cnspec_test.go diff --git a/.github/workflows/cloud-tests.yaml b/.github/workflows/cloud-tests.yaml index 9cd06567f..8fe82e604 100644 --- a/.github/workflows/cloud-tests.yaml +++ b/.github/workflows/cloud-tests.yaml @@ -5,11 +5,11 @@ on: - cron: '0 23 * * 0' workflow_dispatch: inputs: - mondooClientImageTag: + cnspecImageTag: required: true type: string default: edge-latest-rootless - description: The image tag to use for the mondoo client image + description: The image tag to use for the cnspec image mondooOperatorImageTag: required: true type: string @@ -35,7 +35,7 @@ on: env: MONDOO_OPERATOR_IMAGE_TAG: ${{ github.event.inputs.mondooOperatorImageTag || 'main' }} - MONDOO_CLIENT_IMAGE_TAG: ${{ github.event.inputs.mondooClientImageTag || 'edge-latest-rootless' }} + CNSPEC_IMAGE_TAG: ${{ github.event.inputs.cnspecImageTag || 'edge-latest-rootless' }} jobs: aks-integration-test: diff --git a/.github/workflows/integration-tests.yaml b/.github/workflows/integration-tests.yaml index ef8770500..ef480509f 100644 --- a/.github/workflows/integration-tests.yaml 
+++ b/.github/workflows/integration-tests.yaml @@ -2,7 +2,7 @@ name: Integration tests on: workflow_call: inputs: - mondooClientImageTag: + cnspecImageTag: required: true type: string useEdge: @@ -16,7 +16,7 @@ on: required: true env: - MONDOO_CLIENT_IMAGE_TAG: ${{ github.event.inputs.mondooClientImageTag }} + CNSPEC_IMAGE_TAG: ${{ github.event.inputs.cnspecImageTag }} # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token permissions: diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 5988c098b..125765dd3 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -43,6 +43,8 @@ spec: env: - name: FEATURE_ENABLE_GARBAGE_COLLECTION value: "1" + - name: FEATURE_ENABLE_CNSPEC + value: "1" image: controller:latest imagePullPolicy: IfNotPresent name: manager diff --git a/tests/framework/installer/installer.go b/tests/framework/installer/installer.go index 1ddb1c191..874a7991e 100644 --- a/tests/framework/installer/installer.go +++ b/tests/framework/installer/installer.go @@ -14,10 +14,8 @@ import ( "go.mondoo.com/mondoo-operator/pkg/utils/k8s" "go.mondoo.com/mondoo-operator/tests/framework/utils" "go.uber.org/zap" - appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/types" ) const ( 
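Review bot: In the second hunk of integration-tests.yaml, `${{ github.event.inputs.cnspecImageTag }}` reads the triggering event's dispatch inputs rather than the `workflow_call` input declared a few lines above, so the value a caller passes through `with:` is not what reaches `CNSPEC_IMAGE_TAG`. It resolves only when the calling workflow is itself a `workflow_dispatch` with an input of the same name, which is why the callers had to be renamed in lock-step in patch 2/2. Reading the declared input removes that coupling and makes the `with: cnspecImageTag: ""` callers behave as written: `CNSPEC_IMAGE_TAG: ${{ inputs.cnspecImageTag }}`.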
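Review bot: Adding `FEATURE_ENABLE_CNSPEC` with value "1" to config/manager/manager.yaml changes the default for every deployment built from this manifest, not only the test clusters. The same commit deletes the only suite and installer code that toggled the flag, so nothing visible in the patch still exercises the operator with the variable unset. If the flag-off path remains supported, one integration case that removes the variable would keep it covered. Otherwise a comment above the entry would tell operators what they are changing, for example `# Default since this change; unsetting it is not covered by the integration tests.`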
@@ -93,30 +91,6 @@ func (i *MondooInstaller) InstallOperator() error { return err } - // Set the cnspec feature flag for the operator if cnspec is enabled - if i.Settings.enableCnspec { - zap.S().Info("cnspec enabled for test suite") - ctx := context.Background() - - err := i.K8sHelper.ExecuteWithRetries(func() (bool, error) { - dep := &appsv1.Deployment{} - if err := i.K8sHelper.Clientset.Get(ctx, types.NamespacedName{Namespace: i.Settings.Namespace, Name: "mondoo-operator-controller-manager"}, dep); err != nil { - zap.S().Warnf("failed to get mondoo-operator-controller-manager deployment: %v", err) - return false, nil - } - - dep.Spec.Template.Spec.Containers[0].Env = append(dep.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{Name: "FEATURE_ENABLE_CNSPEC", Value: "1"}) - if err := i.K8sHelper.Clientset.Update(ctx, dep); err != nil { - zap.S().Warnf("failed to update mondoo-operator-controller-manager deployment: %v", err) - return false, nil - } - return true, nil - }) - if err != nil { - return err - } - } - watchLabel := "app.kubernetes.io/name=mondoo-operator" if !i.K8sHelper.IsPodReady(watchLabel, i.Settings.Namespace) { return fmt.Errorf("mondoo operator is not in a ready state") diff --git a/tests/framework/installer/settings.go b/tests/framework/installer/settings.go index e7a81acff..4bb88e11f 100644 --- a/tests/framework/installer/settings.go +++ b/tests/framework/installer/settings.go @@ -12,16 +12,6 @@ type Settings struct { Namespace string token string installRelease bool - enableCnspec bool -} - -func (s Settings) EnableCnspec() Settings { - s.enableCnspec = true - return s -} - -func (s Settings) GetEnableCnspec() bool { - return s.enableCnspec } func (s Settings) SetToken(token string) Settings { diff --git a/tests/framework/utils/audit_config.go b/tests/framework/utils/audit_config.go index db24cca4e..1b749e0fc 100644 --- a/tests/framework/utils/audit_config.go +++ b/tests/framework/utils/audit_config.go 
@@ -12,17 +12,17 @@ import ( ) const ( - MondooClientSecret = "mondoo-client" - MondooTokenSecret = "mondoo-token" - MondooClientImageTagEnvVar = "MONDOO_CLIENT_IMAGE_TAG" + MondooClientSecret = "mondoo-client" + MondooTokenSecret = "mondoo-token" + CnspecImageTagEnvVar = "CNSPEC_IMAGE_TAG" ) -var mondooClientImageTag = "" +var cnspecImageTag = "" func init() { - imageTag, ok := os.LookupEnv(MondooClientImageTagEnvVar) + imageTag, ok := os.LookupEnv(CnspecImageTagEnvVar) if ok { - mondooClientImageTag = imageTag + cnspecImageTag = imageTag } } @@ -30,7 +30,7 @@ func init() { // make sure a test passes (e.g. setting the correct secret name). Values which have defaults are not set. // This means that using this function in unit tests might result in strange behavior. For unit tests use // DefaultAuditConfig instead. -func DefaultAuditConfigMinimal(ns string, workloads, nodes, admission, enableCnspec, consoleIntegration bool) mondoov2.MondooAuditConfig { +func DefaultAuditConfigMinimal(ns string, workloads, nodes, admission, consoleIntegration bool) mondoov2.MondooAuditConfig { auditConfig := mondoov2.MondooAuditConfig{ ObjectMeta: v1.ObjectMeta{ Name: "mondoo-client", @@ -47,9 +47,9 @@ func DefaultAuditConfigMinimal(ns string, workloads, nodes, admission, enableCns } // cnspec doesn't get edge releases at the moment, so we cannot test that - if mondooClientImageTag != "" && !enableCnspec { - auditConfig.Spec.Scanner.Image.Tag = mondooClientImageTag - zap.S().Infof("Using image %s:%s for mondoo-client", mondoo.MondooClientImage, mondooClientImageTag) + if cnspecImageTag != "" { + auditConfig.Spec.Scanner.Image.Tag = cnspecImageTag + zap.S().Infof("Using image %s:%s for mondoo-client", mondoo.MondooClientImage, cnspecImageTag) } return auditConfig diff --git a/tests/integration/audit_config_base_suite.go b/tests/integration/audit_config_base_suite.go index 262757386..28824ab9e 100644 --- a/tests/integration/audit_config_base_suite.go 
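Review bot: `DefaultAuditConfigMinimal` still takes four adjacent positional `bool` parameters, and removing `enableCnspec` from the middle means the compiler catches a wrong argument count but not a wrong order. The call sites updated later in this patch (audit_config_namespace_test.go, audit_config_test.go, audit_config_upgrade_test.go, e2e_test.go) now read as `false, false, true, false`, which cannot be checked by eye. The doc comment in this hunk could at least pin the order, for example `// Arguments after ns, in order: workloads, nodes, admission, consoleIntegration.` The function body continues outside the hunk.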
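Review bot: The comment kept above the condition in the last audit_config.go hunk, `cnspec doesn't get edge releases at the moment, so we cannot test that`, now contradicts the code: with `!enableCnspec` removed, any non-empty `CNSPEC_IMAGE_TAG` is written to `auditConfig.Spec.Scanner.Image.Tag`, and cloud-tests.yaml defaults that variable to `edge-latest-rootless`. Either the comment is stale and should be deleted, or the tag may not exist for the image pulled once cnspec is the default, which would show up as an image-pull failure rather than a test assertion. The log line still prints `mondoo.MondooClientImage` and "mondoo-client"; if the scanner image differs under cnspec, it should name the image actually deployed so a failed run shows what was pulled. The function starts and ends outside this hunk.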
+++ b/tests/integration/audit_config_base_suite.go @@ -49,7 +49,6 @@ type AuditConfigBaseSuite struct { testCluster *TestCluster auditConfig mondoov2.MondooAuditConfig installRelease bool - enableCnspec bool } func (s *AuditConfigBaseSuite) SetupSuite() { @@ -59,10 +58,6 @@ func (s *AuditConfigBaseSuite) SetupSuite() { settings = installer.NewReleaseSettings() } - if s.enableCnspec { - settings = settings.EnableCnspec() - } - s.testCluster = StartTestCluster(s.ctx, settings, s.T) } diff --git a/tests/integration/audit_config_cnspec_test.go b/tests/integration/audit_config_cnspec_test.go deleted file mode 100644 index 108a19513..000000000 --- a/tests/integration/audit_config_cnspec_test.go +++ /dev/null 
@@ -1,63 +0,0 @@ -package integration - -import ( - "testing" - - "github.com/stretchr/testify/suite" - "go.mondoo.com/mondoo-operator/api/v1alpha2" - "go.mondoo.com/mondoo-operator/tests/framework/utils" - "go.uber.org/zap" - "k8s.io/utils/pointer" -) - -type AuditConfigCnspecSuite struct { - AuditConfigBaseSuite -} - -func (s *AuditConfigCnspecSuite) TestReconcile_AllDisabled() { - auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, false, false, s.testCluster.Settings.GetEnableCnspec(), false) - s.testMondooAuditConfigAllDisabled(auditConfig) -} - -func (s *AuditConfigCnspecSuite) TestReconcile_KubernetesResources() { - auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, true, false, false, s.testCluster.Settings.GetEnableCnspec(), false) - auditConfig.Spec.KubernetesResources.ContainerImageScanning = true - s.testMondooAuditConfigKubernetesResources(auditConfig) -} - -func (s *AuditConfigCnspecSuite) TestReconcile_Nodes() { - auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, true, false, s.testCluster.Settings.GetEnableCnspec(), false) - s.testMondooAuditConfigNodes(auditConfig) -} - -func (s *AuditConfigCnspecSuite) TestReconcile_AdmissionPermissive() { - auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, false, true, s.testCluster.Settings.GetEnableCnspec(), false) - s.testMondooAuditConfigAdmission(auditConfig) -} - -func (s *AuditConfigCnspecSuite) TestReconcile_AdmissionEnforcing() { - auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, false, true, s.testCluster.Settings.GetEnableCnspec(), false) - auditConfig.Spec.Admission.Mode = v1alpha2.Enforcing - s.testMondooAuditConfigAdmission(auditConfig) -} - -func (s *AuditConfigCnspecSuite) TestReconcile_AdmissionEnforcingScaleDownScanApi() { - auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, false, 
true, s.testCluster.Settings.GetEnableCnspec(), false) - auditConfig.Spec.Admission.Mode = v1alpha2.Enforcing - auditConfig.Spec.Admission.Replicas = pointer.Int32(1) - auditConfig.Spec.Scanner.Replicas = pointer.Int32(1) - s.testMondooAuditConfigAdmissionScaleDownScanApi(auditConfig) -} - -func TestAuditConfigCnspecSuite(t *testing.T) { - s := new(AuditConfigCnspecSuite) - s.enableCnspec = true - defer func(s *AuditConfigCnspecSuite) { - HandlePanics(recover(), func() { - if err := s.testCluster.UninstallOperator(); err != nil { - zap.S().Errorf("Failed to uninstall Mondoo operator. %v", err) - } - }, s.T) - }(s) - suite.Run(t, s) -} diff --git a/tests/integration/audit_config_namespace_test.go b/tests/integration/audit_config_namespace_test.go index 71f1be163..043015057 100644 --- a/tests/integration/audit_config_namespace_test.go +++ b/tests/integration/audit_config_namespace_test.go 
@@ -76,27 +76,27 @@ func (s *AuditConfigCustomNamespaceSuite) TearDownSuite() { } func (s *AuditConfigCustomNamespaceSuite) TestReconcile_KubernetesResources() { - auditConfig := utils.DefaultAuditConfigMinimal(s.ns.Name, true, false, false, s.testCluster.Settings.GetEnableCnspec(), false) + auditConfig := utils.DefaultAuditConfigMinimal(s.ns.Name, true, false, false, false) auditConfig.Spec.KubernetesResources.ContainerImageScanning = true auditConfig.Spec.Scanner.ServiceAccountName = s.sa.Name s.testMondooAuditConfigKubernetesResources(auditConfig) } func (s *AuditConfigCustomNamespaceSuite) TestReconcile_Nodes() { - auditConfig := utils.DefaultAuditConfigMinimal(s.ns.Name, false, true, false, s.testCluster.Settings.GetEnableCnspec(), false) + auditConfig := utils.DefaultAuditConfigMinimal(s.ns.Name, false, true, false, false) auditConfig.Spec.Scanner.ServiceAccountName = s.sa.Name s.testMondooAuditConfigNodes(auditConfig) } func (s *AuditConfigCustomNamespaceSuite) TestReconcile_Admission() { - auditConfig := utils.DefaultAuditConfigMinimal(s.ns.Name, false, false, true, s.testCluster.Settings.GetEnableCnspec(), false) + auditConfig := utils.DefaultAuditConfigMinimal(s.ns.Name, false, false, true, false) auditConfig.Spec.Scanner.ServiceAccountName = s.sa.Name auditConfig.Spec.Admission.ServiceAccountName = s.webhookServiceAccount.Name s.testMondooAuditConfigAdmission(auditConfig) } func (s *AuditConfigCustomNamespaceSuite) TestReconcile_AdmissionMissingSA() { - auditConfig := utils.DefaultAuditConfigMinimal(s.ns.Name, false, false, true, s.testCluster.Settings.GetEnableCnspec(), false) + auditConfig := utils.DefaultAuditConfigMinimal(s.ns.Name, false, false, true, false) auditConfig.Spec.Scanner.ServiceAccountName = "missing-serviceaccount" auditConfig.Spec.Admission.ServiceAccountName = s.webhookServiceAccount.Name s.testMondooAuditConfigAdmissionMissingSA(auditConfig) 
diff --git a/tests/integration/audit_config_test.go b/tests/integration/audit_config_test.go
index cd4894724..164c221bb 100644
--- a/tests/integration/audit_config_test.go
+++ b/tests/integration/audit_config_test.go
@@ -15,34 +15,34 @@ type AuditConfigSuite struct { } func (s *AuditConfigSuite) TestReconcile_AllDisabled() { - auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, false, false, s.testCluster.Settings.GetEnableCnspec(), false) + auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, false, false, false) s.testMondooAuditConfigAllDisabled(auditConfig) } func (s *AuditConfigSuite) TestReconcile_KubernetesResources() { - auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, true, false, false, s.testCluster.Settings.GetEnableCnspec(), false) + auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, true, false, false, false) auditConfig.Spec.KubernetesResources.ContainerImageScanning = true s.testMondooAuditConfigKubernetesResources(auditConfig) } func (s *AuditConfigSuite) TestReconcile_Nodes() { - auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, true, false, s.testCluster.Settings.GetEnableCnspec(), false) + auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, true, false, false) s.testMondooAuditConfigNodes(auditConfig) } func (s *AuditConfigSuite) TestReconcile_AdmissionPermissive() { - auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, false, true, s.testCluster.Settings.GetEnableCnspec(), false) + auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, false, true, false) s.testMondooAuditConfigAdmission(auditConfig) } func (s *AuditConfigSuite) TestReconcile_AdmissionEnforcing() { - auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, false, true, s.testCluster.Settings.GetEnableCnspec(), false) + auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, false, true, false) auditConfig.Spec.Admission.Mode = v1alpha2.Enforcing 
s.testMondooAuditConfigAdmission(auditConfig) } func (s *AuditConfigSuite) TestReconcile_AdmissionEnforcingScaleDownScanApi() { - auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, false, true, s.testCluster.Settings.GetEnableCnspec(), false) + auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, false, true, false) auditConfig.Spec.Admission.Mode = v1alpha2.Enforcing auditConfig.Spec.Admission.Replicas = pointer.Int32(1) auditConfig.Spec.Scanner.Replicas = pointer.Int32(1) diff --git a/tests/integration/audit_config_upgrade_test.go b/tests/integration/audit_config_upgrade_test.go index 42943717c..6350e8211 100644 --- a/tests/integration/audit_config_upgrade_test.go +++ b/tests/integration/audit_config_upgrade_test.go @@ -24,7 +24,7 @@ func (s *AuditConfigUpgradeSuite) TearDownSuite() { } func (s *AuditConfigUpgradeSuite) TestUpgradePreviousReleaseToLatest() { - auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, true, true, true, s.testCluster.Settings.GetEnableCnspec(), false) + auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, true, true, true, false) s.testUpgradePreviousReleaseToLatest(auditConfig) } diff --git a/tests/integration/e2e_test.go b/tests/integration/e2e_test.go index 8318de16b..dc55f3bbd 100644 --- a/tests/integration/e2e_test.go +++ b/tests/integration/e2e_test.go @@ -109,7 +109,7 @@ func (s *E2eTestSuite) AfterTest(suiteName, testName string) { } func (s *E2eTestSuite) TestE2e_NodeScan() { - auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, true, false, s.testCluster.Settings.GetEnableCnspec(), true) + auditConfig := utils.DefaultAuditConfigMinimal(s.testCluster.Settings.Namespace, false, true, false, true) s.testMondooAuditConfigNodes(auditConfig) From e772eda4bda47dc2d22e1461ef97a6cd22e46f6d Mon Sep 17 00:00:00 2001 
From: Ivan Milchev Date: Tue, 27 Dec 2022 14:06:52 +0100 Subject: [PATCH 2/2] fix workflow references Signed-off-by: Ivan Milchev --- .github/workflows/edge-integration-tests.yaml | 6 +++--- .github/workflows/tests-forks.yaml | 2 +- .github/workflows/tests.yaml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/edge-integration-tests.yaml b/.github/workflows/edge-integration-tests.yaml index c110094c8..4f15c084a 100644 --- a/.github/workflows/edge-integration-tests.yaml +++ b/.github/workflows/edge-integration-tests.yaml @@ -2,8 +2,8 @@ name: Edge integration tests on: workflow_dispatch: inputs: - mondooClientImageTag: - description: "The Mondoo client image tag to be used for the integration tests" + cnspecImageTag: + description: "The cnspec image tag to be used for the integration tests" required: true type: string @@ -11,7 +11,7 @@ jobs: integration-tests: uses: ./.github/workflows/integration-tests.yaml with: - mondooClientImageTag: ${{ github.event.inputs.mondooClientImageTag }} + cnspecImageTag: ${{ github.event.inputs.cnspecImageTag }} useEdge: true secrets: inherit \ No newline at end of file diff --git a/.github/workflows/tests-forks.yaml b/.github/workflows/tests-forks.yaml index 9e6269cb5..b43a68a80 100644 --- a/.github/workflows/tests-forks.yaml +++ b/.github/workflows/tests-forks.yaml @@ -54,5 +54,5 @@ jobs: if: needs.unit-tests.result == 'success' uses: ./.github/workflows/integration-tests.yaml with: - mondooClientImageTag: "" + cnspecImageTag: "" secrets: inherit \ No newline at end of file diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 85e1543ce..8cc193e88 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -30,5 +30,5 @@ jobs: if: needs.unit-tests.result == 'success' uses: ./.github/workflows/integration-tests.yaml with: - mondooClientImageTag: "" + cnspecImageTag: "" secrets: inherit \ No newline at end of file