From 2e2b9b5df95e6cf2d9ce9654a25f34a7ef54f2a0 Mon Sep 17 00:00:00 2001 From: mrjoelkamp Date: Mon, 10 Jun 2024 12:50:26 -0500 Subject: [PATCH] fix: add token to build_test --- .github/workflows/workflow.yaml | 28 ++++++++++++++++++---- test/bats/test.bats | 42 ++++++++++++++++----------------- 2 files changed, 44 insertions(+), 26 deletions(-) diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml index 7b67dc1..76222db 100644 --- a/.github/workflows/workflow.yaml +++ b/.github/workflows/workflow.yaml @@ -28,10 +28,18 @@ jobs: with: egress-policy: audit - - name: Set up Go 1.19 + - name: Generate GitHub App Token + id: app-token + uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1 + with: + app-id: ${{ vars.DOCKER_READ_APP_ID }} + private-key: ${{ secrets.DOCKER_READ_APP_PRIVATE_KEY }} + repositories: "attest,attest-external-data-provider" + + - name: Set up Go 1.22 uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: - go-version: 1.19 + go-version: 1.22 - name: Check out code into the Go module directory uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 @@ -40,7 +48,8 @@ jobs: - name: golangci-lint uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1 with: - version: v1.50.0 + version: v1.59 + github-token: ${{ steps.app-token.outputs.token }} helm_build_test: name: "[Helm] Build and Test" @@ -54,14 +63,22 @@ jobs: with: egress-policy: audit - - name: Set up Go 1.19 + - name: Set up Go 1.22 uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: - go-version: 1.19 + go-version: 1.22 - name: Check out code into the Go module directory uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - name: Generate GitHub App Token + id: app-token + uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1 + with: + app-id: ${{ vars.DOCKER_READ_APP_ID }} + private-key: ${{ secrets.DOCKER_READ_APP_PRIVATE_KEY }} + repositories: "attest,attest-external-data-provider" + - name: Bootstrap e2e env: KIND_VERSION: 0.17.0 @@ -91,6 +108,7 @@ jobs: - name: Build and install attest-external-data-provider run: | ./scripts/generate-tls-cert.sh + export GITHUB_TOKEN=${{ steps.app-token.outputs.token }} make docker-buildx kind-load-image helm install attest-provider charts/external-data-provider \ --set provider.tls.caBundle="$(cat certs/ca.crt | base64 | tr -d '\n\r')" \ diff --git a/test/bats/test.bats b/test/bats/test.bats index a83cf85..d5fb168 100644 --- a/test/bats/test.bats +++ b/test/bats/test.bats @@ -19,33 +19,33 @@ teardown_file() { wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl -n ${GATEKEEPER_NAMESPACE} wait --for=condition=Ready --timeout=60s pod -l control-plane=audit-controller" } -@test "external-data-provider is running" { - wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl -n ${GATEKEEPER_NAMESPACE} wait --for=condition=Ready --timeout=60s pod -l run=external-data-provider" +@test "attest-provider is running" { + wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl -n ${GATEKEEPER_NAMESPACE} wait --for=condition=Ready --timeout=60s pod -l run=attest-provider" } -@test "external data validation" { - run kubectl apply -f validation/external-data-provider-constraint-template.yaml +@test "attest validation" { + run kubectl apply -f validation/attest-constraint-template.yaml assert_success - wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced constrainttemplate k8sexternaldatavalidation" + wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced constrainttemplate k8sattestexternaldata" - run kubectl apply -f validation/external-data-provider-constraint.yaml + run kubectl apply -f validation/attest-constraint.yaml assert_success - wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced k8sexternaldatavalidation deny-images-with-invalid-suffix" + wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced k8sattestexternaldata deny-images-that-fail-policy" - run kubectl run nginx --image=error_nginx --dry-run=server - # should deny pod admission if the image name has an "error_" prefix + run kubectl run nginx --image=nginx --dry-run=server + # should deny pod admission if the image doesn't pass policy assert_failure - assert_match 'error_nginx' "${output}" - assert_match 'error_nginx_invalid' "${output}" + assert_match 'admit: false' "${output}" } -@test "external data mutation" { - run kubectl apply -f mutation/external-data-provider-mutation.yaml - assert_success - wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "mutator_enforced Assign append-valid-suffix-to-image" - - run kubectl run nginx --image=nginx --dry-run=server --output json - assert_success - # should mutate the image field by appending "_valid" suffix - assert_match "nginx_valid" "$(jq -r '.spec.containers[0].image' <<< ${output})" -} +# TODO: write mutating webhook policy +#@test "attest mutation" { +# run kubectl apply -f mutation/external-data-provider-mutation.yaml +# assert_success +# wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "mutator_enforced Assign append-valid-suffix-to-image" +# +# run kubectl run nginx --image=nginx --dry-run=server --output json +# assert_success +# # should mutate the image field by appending "_valid" suffix +# assert_match "nginx_valid" "$(jq -r '.spec.containers[0].image' <<< ${output})" +#}