3 # Ensure we fail the job if any steps fail
8 echo "[ICN] Downloading ICN"
9 git clone "https://gerrit.akraino.org/r/icn" ${WORKSPACE}/icn
15 echo "[ICN] Bringing up test cluster"
16 pushd ${WORKSPACE}/icn
17 # TODO Improve VM performance by only using cores on the same node
18 #sed -i -e '/^\s\+libvirt.cpus/!b' -e "h;s/\S.*/libvirt.cpuset = '0-21,44-65'/;H;g" Vagrantfile
19 ./tools/vagrant/destroy.rb
20 vagrant up --no-parallel
24 sudo su -c 'make jump_server vm_cluster'
29 function destroy_sut {
30 pushd ${WORKSPACE}/icn
31 ./tools/vagrant/destroy.rb
35 function install_jenkins_identity_into_sut {
36 echo "[ICN] Installing jenkins identity into test cluster"
37 cp ${WORKSPACE}/icn/deploy/site/vm/id_rsa site-vm-rsa
38 chmod 0600 site-vm-rsa
39 ssh-keygen -f ${CLUSTER_SSH_KEY} -y > ${CLUSTER_SSH_KEY}.pub
40 ssh-copy-id -i ${CLUSTER_SSH_KEY} -f ${CLUSTER_SSH_USER}@${CLUSTER_MASTER_IP} -o IdentityFile=site-vm-rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
43 function patch_validation {
44 echo "[ICN] Patching validation repository"
45 # The conformance (sonobuoy) test is not required by the security
46 # scan, the service CIDR needs to be specified for inside-a-pod
47 # kube-hunter scanning, and a recent kube-hunter is needed to
49 cat <<'EOF' | patch -p1
50 diff --git a/bluval/bluval-icn.yaml b/bluval/bluval-icn.yaml
51 index 9d190bc..0b0e5fa 100644
52 --- a/bluval/bluval-icn.yaml
53 +++ b/bluval/bluval-icn.yaml
54 @@ -15,10 +15,6 @@ blueprint:
65 diff --git a/bluval/volumes.yaml b/bluval/volumes.yaml
66 index 6c48e65..dc0ea87 100644
67 --- a/bluval/volumes.yaml
68 +++ b/bluval/volumes.yaml
69 @@ -46,6 +46,9 @@ volumes:
72 target: '/root/openrc'
75 + target: '/opt/akraino/validation/tests/os/vuls/oval_ubuntu_20.sqlite3'
77 # parameters that will be passed to the container at each layer
79 @@ -54,6 +57,7 @@ layers:
80 - custom_variables_file
87 diff --git a/tests/k8s/kube-hunter/job.yaml b/tests/k8s/kube-hunter/job.yaml
88 index 62079c5..0638a48 100644
89 --- a/tests/k8s/kube-hunter/job.yaml
90 +++ b/tests/k8s/kube-hunter/job.yaml
91 @@ -26,6 +26,6 @@ spec:
94 command: ["kube-hunter"]
96 + args: ["--cidr", "10.244.0.0/18", "--pod"]
99 diff --git a/tests/variables.yaml b/tests/variables.yaml
100 index fa3fe71..d642c2c 100644
101 --- a/tests/variables.yaml
102 +++ b/tests/variables.yaml
103 @@ -82,3 +82,7 @@ dns_domain: cluster.local # cluster's DNS domain
104 # NONE, WARN, INFO, DEBUG, and TRACE.
110 + name: 'kube-hunter:0.6.5'
114 function download_oval_ubuntu_20 {
115 echo "[ICN] Downloading OVAL for Ubuntu 20"
116 mkdir -p ${WORKSPACE}/vuls
117 docker run --rm --net=host -v ${WORKSPACE}/vuls:/opt/akraino/validation/tests/os/vuls akraino/validation:os-amd64-latest /bin/sh -c '/root/go/bin/goval-dictionary fetch-ubuntu -dbpath /opt/akraino/validation/tests/os/vuls/oval_ubuntu_20.sqlite3 20'
120 function run_validation {
121 echo "[ICN] Downloading run_bluval.sh from upstream ci-management"
122 wget --read-timeout=10 --timeout=10 --waitretry=10 -t 10 https://raw.githubusercontent.com/akraino-edge-stack/ci-management/master/jjb/shell/run_bluval.sh
124 echo "[ICN] Patching run_bluval.sh"
125 cat <<'EOF' | patch -p3
126 diff --git a/jjb/shell/run_bluval.sh b/jjb/shell/run_bluval.sh
127 index 75d20eb..dbfad03 100755
128 --- a/jjb/shell/run_bluval.sh
129 +++ b/jjb/shell/run_bluval.sh
131 -e "/custom_variables_file/{n; s@local: ''@local: '$cwd/tests/variables.yaml'@}" \
132 -e "/blueprint_dir/{n; s@local: ''@local: '$cwd/bluval/'@}" \
133 -e "/results_dir/{n; s@local: ''@local: '$results_dir'@}" \
134 + -e "/oval_ubuntu_20/{n; s@local: ''@local: '$cwd/vuls/oval_ubuntu_20.sqlite3'@}" \
142 +options+=" -t amd64-latest"
145 if python3 --version > /dev/null; then
153 echo "[ICN] Executing run_bluval.sh"
154 /bin/bash run_bluval.sh
159 install_jenkins_identity_into_sut
160 download_oval_ubuntu_20