
chore: adding vap testing #2029




---
# Main CI workflow. Triggers on pushes to master and on pull requests against
# master; changes that only touch the website (or its own workflow file) are
# left to website.yaml and ignored here.
name: CI

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - master
    paths-ignore:
      - ".github/workflows/website.yaml"
      - "website/**"
  pull_request:
    branches:
      - master
    paths-ignore:
      - ".github/workflows/website.yaml"
      - "website/**"

# Workflow-wide GITHUB_TOKEN scope: read-only on repository contents.
# Jobs inherit this unless they declare their own permissions block.
permissions:
  contents: read
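jobs:
  # Runs the repository's script unit tests (`make unit-test`).
  website_script_unit_test:
    runs-on: ubuntu-latest
    name: "Test scripts"
    steps:
      # Every other job in this file hardens the runner first; this job was the
      # only one without it, so it is added here for consistency.
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          # `audit` only records egress; it does not block unexpected destinations.
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Unit test
        run: |
          make unit-test

  # Regenerates templates/docs/artifacts and fails if the committed copies are
  # stale, then runs `make validate`. Several jobs below depend on it.
  generate:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Generate templates and docs
        run: |
          make generate generate-website-docs generate-artifacthub-artifacts
          git diff --exit-code || (echo "Please run 'make generate generate-website-docs generate-artifacthub-artifacts' to generate the templates and docs" && exit 1)
      - name: Validation
        run: |
          make validate

  # Policy unit tests (test.sh) against a matrix of OPA versions and runner OSes.
  build:
    needs: generate
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: ["ubuntu-latest", "macos-latest"]
        opa: ["v0.44.0", "v0.57.1"]
    name: Unit test on ${{ matrix.os }} opa ${{ matrix.opa }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      # matrix.opa is interpolated into the script; its values are literals in this
      # file, not event-controlled input, so the expansion is not an injection path.
      - name: Install OPA and run policy tests
        run: |
          # The amd64 build is chosen for both platforms. NOTE(review): assumes the
          # macOS runner can execute amd64 binaries -- confirm for arm64 macos-latest.
          binary=$([[ "$OSTYPE" == "darwin"* ]] && echo "opa_darwin_amd64" || echo "opa_linux_amd64")
          # -f turns an HTTP error into a failed step. Without it a 404 body would be
          # written to /usr/local/bin/opa and the chmod below would mark it executable.
          # NOTE(review): the binary is run without checksum verification; OPA's
          # release page publishes checksum files -- confirm, and compare against the
          # expected digest (placeholder: <EXPECTED_SHA256>) before test.sh runs it.
          sudo curl -fsSL -o /usr/local/bin/opa "https://github.com/open-policy-agent/opa/releases/download/${{ matrix.opa }}/$binary"
          sudo chmod +x /usr/local/bin/opa
          sh test.sh

  # Integration tests: deploy Gatekeeper at each matrix version with the CEL and
  # Rego engines, run the suite, and always keep the controller/audit logs.
  build_test:
    needs: generate
    runs-on: ubuntu-latest
    strategy:
      matrix:
        gatekeeper: ["3.17.1", "3.18.1"]
        engine: ["cel", "rego"]
    name: "Integration test on Gatekeeper ${{ matrix.gatekeeper }} for ${{ matrix.engine }} policies"
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - name: Check out code into the Go module directory
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Bootstrap integration test
        run: |
          mkdir -p "$GITHUB_WORKSPACE/bin"
          echo "$GITHUB_WORKSPACE/bin" >> "$GITHUB_PATH"
          make integration-bootstrap
          make deploy GATEKEEPER_VERSION=${{ matrix.gatekeeper }} POLICY_ENGINE=${{ matrix.engine }}
      - name: Run integration test
        run: |
          make test-integration POLICY_ENGINE=${{ matrix.engine }}
      # Must run when the test step fails -- that is when the logs matter. Without
      # the condition this step is skipped on failure and the upload below finds
      # no files.
      - name: Save logs
        if: ${{ always() }}
        run: |
          kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-controller.json
          kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json
      - name: Upload artifacts
        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
        if: ${{ always() }}
        with:
          name: logs-int-test-${{ matrix.gatekeeper }}-${{ matrix.engine }}
          path: |
            logs-*.json

  # Same integration flow as build_test, but with ValidatingAdmissionPolicy
  # enabled (ENABLE_VAP=true) instead of selecting a policy engine.
  build_test_VAP:
    needs: generate
    runs-on: ubuntu-latest
    strategy:
      matrix:
        gatekeeper: ["3.17.1", "3.18.1"]
    name: "Integration test on Gatekeeper ${{ matrix.gatekeeper }} with VAP"
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - name: Check out code into the Go module directory
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Bootstrap integration test
        run: |
          mkdir -p "$GITHUB_WORKSPACE/bin"
          echo "$GITHUB_WORKSPACE/bin" >> "$GITHUB_PATH"
          make integration-bootstrap
          make deploy GATEKEEPER_VERSION=${{ matrix.gatekeeper }} ENABLE_VAP=true
      - name: Run integration test
        run: |
          make test-integration ENABLE_VAP=true
      # As in build_test: keep the logs even when the test step fails.
      - name: Save logs
        if: ${{ always() }}
        run: |
          kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-controller.json
          kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json
      - name: Upload artifacts
        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
        if: ${{ always() }}
        with:
          name: logs-int-test-${{ matrix.gatekeeper }}-with-vap
          path: |
            logs-*.json

  # Repository hygiene check: every template.yaml must ship a suite.yaml.
  require_suites:
    runs-on: ubuntu-latest
    name: "Require a suite.yaml file alongside every template.yaml"
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run script
        run: |
          make require-suites

  # Repository hygiene check: templates that read data.inventory must declare
  # sync.yaml and the requires-sync-data annotation.
  require_sync:
    runs-on: ubuntu-latest
    name: "Require a sync.yaml file and metadata.gatekeeper.sh/requires-sync-data annotation for every template.yaml using data.inventory"
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Run script
        run: |
          make require-sync

  # Verifies suite.yaml assertions with gator for each engine/version pair.
  # NOTE(review): the display name omits matrix.gatekeeper, so both gatekeeper
  # entries appear under the same name per engine; the name is left unchanged
  # here because required-check settings may reference it.
  gator-verify:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        engine: ["cel", "rego"]
        gatekeeper: ["3.17.1", "3.18.1"]
    name: "Verify assertions in suite.yaml files for ${{ matrix.engine }} policies"
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - run: |
          make verify-gator-dockerized POLICY_ENGINE=${{ matrix.engine }} GATOR_VERSION=${{ matrix.gatekeeper }}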