Add support to bluval.sh for Ubuntu 20.04
1 #!/usr/bin/env bash
2
# Ensure we fail the job if any steps fail (-e, pipefail), abort on unset
# variables (-u) and trace every command to the job log (-x).
# NOTE(review): the old "Disable 'globbing'" remark did not match these flags;
# globbing stays enabled here (that would be 'set -f', which only the script
# sent over ssh in create_sut uses). Because of -x, every expanded argument is
# echoed to the log, so keep secrets out of command lines.
set -eux -o pipefail
6
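#######################################
# Clone the ICN repository into the Jenkins workspace.
# Globals:   WORKSPACE (read) - Jenkins workspace directory
# Outputs:   progress message on stdout, checkout in ${WORKSPACE}/icn
# Returns:   git's exit status (non-zero is fatal under set -e)
#######################################
function clone_icn {
    echo "[ICN] Downloading ICN"
    # Quote the destination so a workspace path containing spaces stays one argument.
    git clone "https://gerrit.akraino.org/r/icn" "${WORKSPACE}/icn"
}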
11
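#######################################
# Bring up the system under test: start the Vagrant VMs and build the jump
# server and VM cluster inside them.
# Globals:   WORKSPACE (read)
# Side effects: installs destroy_sut as the EXIT trap, so the VMs are torn
#   down whenever the job ends, including after a failed step under set -e.
#######################################
function create_sut {
    trap destroy_sut EXIT

    echo "[ICN] Bringing up test cluster"
    pushd "${WORKSPACE}/icn"
    # TODO Improve VM performance by only using cores on the same node
    #sed -i -e '/^\s\+libvirt.cpus/!b' -e "h;s/\S.*/libvirt.cpuset = '0-21,44-65'/;H;g" Vagrantfile
    # Start from a clean slate in case a previous run left VMs behind.
    ./tools/vagrant/destroy.rb
    vagrant up --no-parallel
    # The script run inside the jump VM also fails fast (-e, -u) and disables
    # globbing (-f); the make targets need root inside the VM.
    vagrant ssh jump -c "
set -exuf
cd /icn
sudo su -c 'make jump_server vm_cluster'
"
    popd
}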
28
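#######################################
# Tear down the Vagrant test cluster. Also installed as the EXIT trap by
# create_sut, so it may run after any failed step.
# Globals:   WORKSPACE (read)
#######################################
function destroy_sut {
    pushd "${WORKSPACE}/icn"
    ./tools/vagrant/destroy.rb
    popd
}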
34
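#######################################
# Give the Jenkins identity (CLUSTER_SSH_KEY) SSH access to the cluster master:
# derive its public key and push it with ssh-copy-id, authenticating with the
# site provisioning key shipped in the ICN repository.
# Globals:   WORKSPACE, CLUSTER_SSH_KEY, CLUSTER_SSH_USER, CLUSTER_MASTER_IP (read)
# Outputs:   site-vm-rsa in the current directory,
#            ${CLUSTER_SSH_KEY}.pub next to the private key
#######################################
function install_jenkins_identity_into_sut {
    echo "[ICN] Installing jenkins identity into test cluster"
    # Copy the checked-in provisioning key so it can be given the 0600 mode
    # ssh insists on for private keys.
    cp "${WORKSPACE}/icn/deploy/site/vm/id_rsa" site-vm-rsa
    chmod 0600 site-vm-rsa
    ssh-keygen -f "${CLUSTER_SSH_KEY}" -y > "${CLUSTER_SSH_KEY}.pub"
    # Host key verification is disabled because create_sut recreates the VMs
    # on every run, so the master's host key is not stable; keep this limited
    # to the throwaway test cluster.
    ssh-copy-id -i "${CLUSTER_SSH_KEY}" -f "${CLUSTER_SSH_USER}@${CLUSTER_MASTER_IP}" -o IdentityFile=site-vm-rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
}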
42
#######################################
# Apply the ICN-specific fixes to the checked-out validation repository.
# The embedded diff is applied relative to the current directory (-p1):
#   - bluval/bluval-icn.yaml: removes the conformance (sonobuoy) test from
#     the k8s layer
#   - bluval/volumes.yaml: adds the oval_ubuntu_20 volume and lists it in the
#     same layer as results_dir, so the OVAL database reaches the container
#   - tests/k8s/kube-hunter/job.yaml: adds "--cidr 10.244.0.0/18" to the
#     in-pod kube-hunter scan (presumably the cluster's pod/service CIDR;
#     confirm if the cluster networking changes)
#   - tests/variables.yaml: pins the kube-hunter image to
#     aquasec/kube-hunter:0.6.5
# Globals:   none
# Returns:   patch's exit status (non-zero is fatal under set -e / pipefail)
#######################################
function patch_validation {
    echo "[ICN] Patching validation repository"
    # The conformance (sonobuoy) test is not required by the security
    # scan, the service CIDR needs to be specified for inside-a-pod
    # kube-hunter scanning, and a recent kube-hunter is needed to
    # support K8s 1.21
    cat <<'EOF' | patch -p1
diff --git a/bluval/bluval-icn.yaml b/bluval/bluval-icn.yaml
index 9d190bc..0b0e5fa 100644
--- a/bluval/bluval-icn.yaml
+++ b/bluval/bluval-icn.yaml
@@ -15,10 +15,6 @@ blueprint:
             optional: "False"

     k8s: &k8s
-        -
-            name: conformance
-            what: conformance
-            optional: "False"
         -
             name: kube-hunter
             what: kube-hunter
diff --git a/bluval/volumes.yaml b/bluval/volumes.yaml
index 6c48e65..dc0ea87 100644
--- a/bluval/volumes.yaml
+++ b/bluval/volumes.yaml
@@ -46,6 +46,9 @@ volumes:
     openrc:
         local: ''
         target: '/root/openrc'
+    oval_ubuntu_20:
+        local: ''
+        target: '/opt/akraino/validation/tests/os/vuls/oval_ubuntu_20.sqlite3'

 # parameters that will be passed to the container at each layer
 layers:
@@ -54,6 +57,7 @@ layers:
         - custom_variables_file
         - blueprint_dir
         - results_dir
+        - oval_ubuntu_20
     hardware:
         - ssh_key_dir
     os:
diff --git a/tests/k8s/kube-hunter/job.yaml b/tests/k8s/kube-hunter/job.yaml
index 62079c5..0638a48 100644
--- a/tests/k8s/kube-hunter/job.yaml
+++ b/tests/k8s/kube-hunter/job.yaml
@@ -26,6 +26,6 @@ spec:
       - name: kube-hunter
         image: {{ image }}
         command: ["kube-hunter"]
-        args: ["--pod"]
+        args: ["--cidr", "10.244.0.0/18", "--pod"]
       restartPolicy: Never
   backoffLimit: 4
diff --git a/tests/variables.yaml b/tests/variables.yaml
index fa3fe71..d642c2c 100644
--- a/tests/variables.yaml
+++ b/tests/variables.yaml
@@ -82,3 +82,7 @@ dns_domain: cluster.local                     # cluster's DNS domain
 # NONE, WARN, INFO, DEBUG, and TRACE.
 # Default is INFO
 loglevel: INFO
+
+kube_hunter:
+  path: 'aquasec'
+  name: 'kube-hunter:0.6.5'
EOF
}
113
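#######################################
# Fetch the Ubuntu 20 OVAL vulnerability database used by the vuls OS scan
# into ${WORKSPACE}/vuls, using goval-dictionary from the validation image.
# Globals:   WORKSPACE (read)
# Outputs:   ${WORKSPACE}/vuls/oval_ubuntu_20.sqlite3
#######################################
function download_oval_ubuntu_20 {
    local vuls_dir="${WORKSPACE}/vuls"
    echo "[ICN] Downloading OVAL for Ubuntu 20"
    mkdir -p "${vuls_dir}"
    # NOTE(review): "os-amd64-latest" is a floating tag; pin a version or
    # digest if the scan results need to be reproducible. --net=host is kept
    # from the original; the fetch only appears to need outbound access -- confirm.
    docker run --rm --net=host -v "${vuls_dir}:/opt/akraino/validation/tests/os/vuls" akraino/validation:os-amd64-latest /bin/sh -c '/root/go/bin/goval-dictionary fetch-ubuntu -dbpath /opt/akraino/validation/tests/os/vuls/oval_ubuntu_20.sqlite3 20'
}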
119
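#######################################
# Download the upstream run_bluval.sh, patch it for the ICN job and run it.
# Globals:   none read directly; run_bluval.sh itself reads the job's
#            environment (see upstream ci-management)
# Outputs:   run_bluval.sh in the current directory, then the validation run
#######################################
function run_validation {
    echo "[ICN] Downloading run_bluval.sh from upstream ci-management"
    # NOTE(review): this fetches and executes an unpinned script from the
    # upstream master branch; pinning a commit (or vendoring the script)
    # would make the job reproducible and reviewable.
    # -O keeps the file name fixed: without it a re-run in a dirty workspace
    # writes run_bluval.sh.1 and the patch below hits the stale, already
    # patched copy.
    wget --read-timeout=10 --timeout=10 --waitretry=10 -t 10 -O run_bluval.sh https://raw.githubusercontent.com/akraino-edge-stack/ci-management/master/jjb/shell/run_bluval.sh

    echo "[ICN] Patching run_bluval.sh"
    # -p3 strips "a/jjb/shell/" so the diff applies to ./run_bluval.sh. It
    # mounts the OVAL database into the validation container, selects the
    # amd64-latest image tag, and drops the upstream's final "rm -f ~/.netrc".
    # NOTE(review): dropping that rm leaves ~/.netrc on the agent after the
    # job; presumably the ICN job manages that file elsewhere -- confirm.
    patch -p3 <<'EOF'
diff --git a/jjb/shell/run_bluval.sh b/jjb/shell/run_bluval.sh
index 75d20eb..dbfad03 100755
--- a/jjb/shell/run_bluval.sh
+++ b/jjb/shell/run_bluval.sh
@@ -148,6 +148,7 @@
     -e "/custom_variables_file/{n; s@local: ''@local: '$cwd/tests/variables.yaml'@}" \
     -e "/blueprint_dir/{n; s@local: ''@local: '$cwd/bluval/'@}" \
     -e "/results_dir/{n; s@local: ''@local: '$results_dir'@}" \
+    -e "/oval_ubuntu_20/{n; s@local: ''@local: '$cwd/vuls/oval_ubuntu_20.sqlite3'@}" \
     "$volumes_path"
 
 if [ -n "$ssh_key" ]
@@ -177,6 +178,7 @@
 then
     options+=" -P"
 fi
+options+=" -t amd64-latest"
 
 set +e
 if python3 --version > /dev/null; then
@@ -209,4 +211,3 @@
     rm results.zip
 fi
 
-rm -f ~/.netrc
EOF

    echo "[ICN] Executing run_bluval.sh"
    /bin/bash run_bluval.sh
}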
156
#######################################
# Job entry point: clone ICN, bring up the system under test, install the
# Jenkins SSH identity, fetch the OVAL database, patch the validation repo
# and run the bluval suite. The EXIT trap set by create_sut tears the
# cluster down when this returns or any step fails.
#######################################
function main {
    clone_icn
    create_sut
    install_jenkins_identity_into_sut
    download_oval_ubuntu_20
    patch_validation
    run_validation
}

main "$@"