-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
6b9f14f
commit dcf045a
Showing
40 changed files
with
1,132 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -17,6 +17,9 @@ RUN mkdir -p /tmp/go/bin $GOCACHE \ | |
|
||
# Install dependencies required by test cases and debugging | ||
RUN apt-get update && apt-get install -y jq vim libreadline-dev | ||
RUN apt-get -y install podman | ||
|
||
|
||
|
||
# Install Chainsaw e2e testing tool | ||
RUN go install github.com/kyverno/[email protected] | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
apiVersion: operator.openshift.io/v1 | ||
kind: RunOnceDurationOverride | ||
metadata: | ||
name: cluster | ||
spec: | ||
runOnceDurationOverride: | ||
spec: | ||
activeDeadlineSeconds: 3600 |
10 changes: 10 additions & 0 deletions
10
tests/dast/rapid-lca/oobt_test_data/v5-none-oobt-template.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
config: | ||
configVersion: 5 | ||
|
||
# `application` contains data related to the application, not to the scans. | ||
application: | ||
shortName: "oobttest" | ||
|
||
scanners: | ||
generic_trivy: | ||
inline: "trivy k8s --kubeconfig=/home/rapidast/.kube/config -n openshift-operator-lifecycle-manager pod --severity=HIGH,CRITICAL --scanners=misconfig --report all --format json" | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
import os | ||
import subprocess | ||
import random | ||
|
||
import subprocess | ||
import re | ||
|
||
|
||
RAPIDAST_IMAGE = "quay.io/redhatproductsecurity/rapidast:2.5.0" | ||
def get_vpn_ip_address(): | ||
try: | ||
ip_output = subprocess.check_output(['ip', 'addr']).decode('utf-8') | ||
# Use regular expression to extract IP addresses | ||
ip_addresses = re.findall(r'10.64.\d+\.\d+', ip_output) | ||
|
||
# Currently return the first IP address | ||
# TODO: fix if there are multiple IP addresses and it causes an issue | ||
|
||
return ip_addresses[0] | ||
except subprocess.CalledProcessError as e: | ||
return f"Error: {e}" | ||
|
||
def test_oobt_basic(): | ||
# 1. place kubeconfig in the TEST_DATA_DIR directory | ||
|
||
TEST_DATA_DIR = "oobt_test_data" | ||
RAPIDAST_CFG_FILE = "v5-none-oobt-template.yaml" | ||
|
||
port = random.randint(10000, 30000) | ||
ipaddr = get_vpn_ip_address() | ||
|
||
# create a rapidast config | ||
sed_cmd = f"sed 's/-p <port> -i <ipaddr>/-p {port} -i {ipaddr}/' {TEST_DATA_DIR}/{RAPIDAST_CFG_FILE} > rapidast_runtime_cfg.yaml" | ||
os.system(sed_cmd) | ||
|
||
# prep for testing | ||
os.system(f"chmod 666 {TEST_DATA_DIR}/kubeconfig") | ||
if not os.path.exists("results"): | ||
os.makedirs("results") | ||
os.system("podman unshare chown 1000 results") | ||
|
||
# Run the command and capture stdout | ||
command = f"podman run -it --rm -v ./{TEST_DATA_DIR}/kubeconfig:/home/rapidast/.kube/config:Z -v ./results:/opt/rapidast/results:Z -v $PWD:/test:Z -p {port}:{port} {RAPIDAST_IMAGE} rapidast.py --config /test/rapidast_runtime_cfg.yaml" | ||
print(command) | ||
This comment has been minimized.
Sorry, something went wrong. |
||
|
||
process = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) | ||
stdout, stderr = process.communicate() | ||
# print(stdout) | ||
This comment has been minimized.
Sorry, something went wrong. |
||
print("test completed. See the results directory") | ||
|
||
if __name__ == "__main__": | ||
test_oobt_basic() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
apiVersion: project.openshift.io/v1 | ||
kind: Project | ||
metadata: | ||
labels: | ||
kubernetes.io/metadata.name: rapidast-nrop | ||
pod-security.kubernetes.io/audit: privileged | ||
pod-security.kubernetes.io/enforce: privileged | ||
pod-security.kubernetes.io/warn: privileged | ||
security.openshift.io/scc.podSecurityLabelSync: "false" | ||
name: rapidast-nrop | ||
spec: | ||
finalizers: | ||
- kubernetes | ||
status: | ||
phase: Active |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
apiVersion: v1 | ||
kind: Namespace | ||
metadata: | ||
name: rapidast-nrop | ||
labels: | ||
security.openshift.io/scc.podSecurityLabelSync: "false" | ||
pod-security.kubernetes.io/enforce: "privileged" | ||
pod-security.kubernetes.io/audit: "privileged" | ||
pod-security.kubernetes.io/warn: "privileged" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: privileged-sa | ||
namespace: rapidast-nrop | ||
|
||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: rapidast-nrop-binding | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: system:openshift:scc:privileged | ||
subjects: | ||
- kind: ServiceAccount | ||
name: privileged-sa | ||
namespace: rapidast-nrop | ||
|
||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: rapidast-nrop-cluster-admin | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: cluster-admin | ||
subjects: | ||
- kind: ServiceAccount | ||
name: privileged-sa | ||
namespace: rapidast-nrop |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: privileged-sa | ||
namespace: rapidast-nrop | ||
|
||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: rapidast-nrop-binding | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: system:openshift:scc:privileged | ||
subjects: | ||
- kind: ServiceAccount | ||
name: privileged-sa | ||
namespace: rapidast-nrop | ||
|
||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: rapidast-nrop-cluster-admin | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: cluster-admin | ||
subjects: | ||
- kind: ServiceAccount | ||
name: privileged-sa | ||
namespace: rapidast-nrop |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: rapidast-configmap | ||
namespace: rapidast-nrop |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
apiVersion: kuttl.dev/v1beta1 | ||
kind: TestStep | ||
commands: | ||
- script: ./create_rapidast_configmap.sh |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
apiVersion: batch/v1 | ||
kind: Job | ||
metadata: | ||
name: rapidast-job | ||
namespace: rapidast-nrop | ||
status: | ||
succeeded: 1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
--- | ||
apiVersion: v1 | ||
kind: PersistentVolumeClaim | ||
metadata: | ||
name: rapidast-pvc | ||
namespace: rapidast-nrop | ||
spec: | ||
accessModes: | ||
- ReadWriteOnce | ||
resources: | ||
requests: | ||
storage: 1Gi | ||
volumeMode: Filesystem | ||
|
||
--- | ||
apiVersion: batch/v1 | ||
kind: Job | ||
metadata: | ||
name: rapidast-job | ||
namespace: rapidast-nrop | ||
spec: | ||
backoffLimit: 3 | ||
completionMode: NonIndexed | ||
completions: 1 | ||
parallelism: 1 | ||
suspend: false | ||
template: | ||
metadata: | ||
labels: | ||
job-name: rapidast-job | ||
name: rapidast-job | ||
spec: | ||
serviceAccount: privileged-sa | ||
serviceAccountName: privileged-sa | ||
containers: | ||
- command: | ||
- sh | ||
- -c | ||
- rapidast.py --log-level debug --config | ||
/helm/config/rapidastconfig.yaml && find /opt/rapidast/results/nrop | ||
-name zap-report.json -exec cat {} \; | ||
image: quay.io/redhatproductsecurity/rapidast:latest | ||
imagePullPolicy: Always | ||
name: rapidast-chart | ||
resources: {} | ||
securityContext: | ||
privileged: true | ||
terminationMessagePath: /dev/termination-log | ||
terminationMessagePolicy: File | ||
volumeMounts: | ||
- mountPath: /helm/config | ||
name: config-volume | ||
- mountPath: /opt/rapidast/results/ | ||
name: results-volume | ||
dnsPolicy: ClusterFirst | ||
restartPolicy: Never | ||
schedulerName: default-scheduler | ||
terminationGracePeriodSeconds: 30 | ||
volumes: | ||
- configMap: | ||
defaultMode: 420 | ||
name: rapidast-configmap | ||
name: config-volume | ||
- name: results-volume | ||
persistentVolumeClaim: null | ||
claimName: rapidast-pvc |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
apiVersion: kuttl.dev/v1beta1 | ||
kind: TestAssert | ||
timeout: 180 | ||
commands: | ||
- script: ./tests/e2e-rh-sdl/rapidast-nrop/results.sh |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
apiVersion: chainsaw.kyverno.io/v1alpha1 | ||
kind: Test | ||
metadata: | ||
creationTimestamp: null | ||
name: rapidast-nrop | ||
spec: | ||
steps: | ||
- name: step-00 | ||
try: | ||
- apply: | ||
file: 00-create-project.yaml | ||
- assert: | ||
file: 00-assert.yaml | ||
- name: step-01 | ||
try: | ||
- apply: | ||
file: 01-create-sa.yaml | ||
- assert: | ||
file: 01-assert.yaml | ||
- name: step-02 | ||
try: | ||
- script: | ||
timeout: 30s | ||
content: ./create_rapidast_configmap.sh | ||
- assert: | ||
file: 02-assert.yaml | ||
- name: step-03 | ||
try: | ||
- apply: | ||
file: 03-rapidast-job.yaml | ||
- assert: | ||
file: 03-assert.yaml | ||
- name: step-04 | ||
try: | ||
- script: | ||
timeout: 6m | ||
content: ./results.sh | ||
finally: | ||
- command: | ||
timeout: 1m | ||
entrypoint: oc | ||
args: | ||
- -n | ||
- rapidast-nrop | ||
- delete | ||
- pod | ||
- rapiterm-nrop | ||
- command: | ||
timeout: 1m | ||
entrypoint: oc | ||
args: | ||
- -n | ||
- rapidast-nrop | ||
- delete | ||
- pod | ||
- --selector=batch.kubernetes.io/job-name=rapidast-job |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
#!/bin/bash | ||
|
||
nrop_token=$(oc create token privileged-sa -n rapidast-nrop) | ||
|
||
# Define the content for the ConfigMap | ||
configmap_content=$(cat <<EOF | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: rapidast-configmap | ||
namespace: rapidast-nrop | ||
data: | ||
rapidastconfig.yaml: | | ||
config: | ||
configVersion: 4 | ||
application: | ||
shortName: "nrop" | ||
url: "https://kubernetes.default.svc" | ||
general: | ||
authentication: | ||
type: "http_header" | ||
parameters: | ||
name: "Authorization" | ||
value: "Bearer ${nrop_token}" | ||
container: | ||
type: "none" | ||
scanners: | ||
zap: | ||
apiScan: | ||
apis: | ||
apiUrl: "https://kubernetes.default.svc/openapi/v3/apis/nrop.openshift.io/v1alpha1" | ||
passiveScan: | ||
disabledRules: "2,10015,10027,10096,10024,10054" | ||
activeScan: | ||
policy: "Operator-scan" | ||
miscOptions: | ||
enableUI: False | ||
updateAddons: False | ||
EOF | ||
) | ||
|
||
# Create the ConfigMap | ||
echo "$configmap_content" | oc -n rapidast-nrop create -f - | ||
|
Oops, something went wrong.
I believe this line is meant for debugging? if so, we can either improve it, or remove it.