test: validate sysdig integration

Author: minsiyang

test/common/config.spec.ts

@@ -48,6 +48,8 @@ describe('extractNamespaceName()', () => {
     ) => {
       if (clusterNameEnvVar) {
         process.env.SNYK_CLUSTER_NAME = clusterNameEnvVar;
+        process.env.SNYK_SYSDIG_ENDPOINT = 'https://api/v1/images/';
+        process.env.SNYK_SYSDIG_TOKEN = '1432gtrhtrw32raf';
       }
 
       const consoleSpy = jest.spyOn(console, 'log').mockReturnValue();
@@ -73,5 +75,15 @@ describe('extractNamespaceName()', () => {
     expect(config.SKIP_K8S_JOBS).toEqual(false);
     expect(config.WORKERS_COUNT).toEqual(10);
     expect(config.SKOPEO_COMPRESSION_LEVEL).toEqual(6);
+    expect(config.SYSDIG_ENDPOINT).toEqual('https://api/v1/images/');
+    expect(config.SYSDIG_TOKEN).toEqual('1432gtrhtrw32raf');
+    delete process.env.SNYK_SYSDIG_ENDPOINT;
+    delete process.env.SNYK_SYSDIG_TOKEN;
+  });
+
+  it('cannot load sysdig API and JWT values if it is not enabled', () => {
+    const { config } = require('../../src/common/config');
+    expect(config.SYSDIG_ENDPOINT).toBeUndefined();
+    expect(config.SYSDIG_TOKEN).toBeUndefined();
   });
 });

test/setup/deployers/helm.ts

@@ -39,7 +39,8 @@ async function deployKubernetesMonitor(
       '--set volumes.projected.serviceAccountToken=true ' +
       '--set securityContext.fsGroup=65534 ' +
       '--set skopeo.compression.level=1 ' +
-      '--set workers.count=5 ',
+      '--set workers.count=5 ' +
+      '--set sysdig.enabled=true ',
   );
   console.log(
     `Deployed ${imageOptions.nameAndTag} with pull policy ${imageOptions.pullPolicy}`,

test/setup/index.ts

@@ -159,7 +159,7 @@ export async function deployMonitor(): Promise<string> {
     const imageNameAndTag = getEnvVariableOrDefault(
       'KUBERNETES_MONITOR_IMAGE_NAME_AND_TAG',
       // the default, determined by ./script/build-image.sh
-      'snyk/kubernetes-monitor:local',
+      'snyk/kubernetes-monitor-private-fork:local',
     );
 
     console.log(

test/setup/platforms/eks.ts

@@ -60,7 +60,7 @@ export async function loadImageInCluster(
     throw new Error('aws ecr get-login-password returned an unexpected output');
   }
 
-  const targetImage = `${ecrURL}/snyk/kubernetes-monitor:local`;
+  const targetImage = `${ecrURL}/snyk/kubernetes-monitor-private-fork:local`;
 
   await exec(`docker tag ${imageNameAndTag} ${targetImage}`);
   await exec(`docker push ${targetImage}`);

test/unit/data-scraper/scrape-data.spec.ts

@@ -0,0 +1,115 @@
+import nock from 'nock';
+
+import { config } from '../../../src/common/config';
+import { scrapeData } from '../../../src/data-scraper';
+import * as transmitterTypes from '../../../src/transmitter/types';
+
+describe('dataScraper()', () => {
+  beforeAll(() => {
+    config.SYSDIG_ENDPOINT = 'https://sysdig';
+    config.SYSDIG_TOKEN = 'token123';
+  });
+
+  afterAll(() => {
+    delete config.SYSDIG_ENDPOINT;
+    delete config.SYSDIG_TOKEN;
+  });
+
+  it('correctly sends data to kubernetes-upstream', async (jestDoneCallback) => {
+    const bodyWithToken = {
+      data: [
+        {
+          imageID: 'something',
+          namespace: 'sysdig',
+          workloadName: 'workload',
+          workloadKind: 'Deployment',
+          container: 'box',
+          packages: [],
+        },
+      ],
+      page: {
+        returned: 10,
+        next: 'xxx',
+      },
+    };
+    const bodyNoToken = {
+      data: [
+        {
+          imageID: 'something',
+          namespace: 'sysdig',
+          workloadName: 'workload',
+          workloadKind: 'Deployment',
+          container: 'box',
+          packages: [],
+        },
+      ],
+      page: {
+        returned: 10,
+        next: '',
+      },
+    };
+    const expectedHeader = 'Bearer token123';
+    nock('https://sysdig', { reqheaders: { authorization: expectedHeader } })
+      .get('/v1/runtimeimages?limit=10&cursor=')
+      .times(1)
+      .reply(200, bodyWithToken);
+
+    nock('https://sysdig', { reqheaders: { authorization: expectedHeader } })
+      .get('/v1/runtimeimages?limit=10&cursor=xxx')
+      .times(1)
+      .reply(200, bodyNoToken);
+
+    nock('https://kubernetes-upstream.snyk.io')
+      .post('/api/v1/runtime-results')
+      .times(1)
+      .reply(200, (uri, requestBody: transmitterTypes.IRuntimeDataPayload) => {
+        try {
+          expect(requestBody).toEqual<transmitterTypes.IRuntimeDataPayload>({
+            identity: {
+              type: 'sysdig',
+            },
+            target: {
+              userLocator: expect.any(String),
+              cluster: 'Default cluster',
+              agentId: expect.any(String),
+            },
+            facts: [
+              {
+                type: 'loadedPackages',
+                data: bodyWithToken.data,
+              },
+            ],
+          });
+        } catch (error) {
+          jestDoneCallback(error);
+        }
+      })
+      .post('/api/v1/runtime-results')
+      .times(1)
+      .reply(200, (uri, requestBody: transmitterTypes.IRuntimeDataPayload) => {
+        try {
+          expect(requestBody).toEqual<transmitterTypes.IRuntimeDataPayload>({
+            identity: {
+              type: 'sysdig',
+            },
+            target: {
+              userLocator: expect.any(String),
+              cluster: 'Default cluster',
+              agentId: expect.any(String),
+            },
+            facts: [
+              {
+                type: 'loadedPackages',
+                data: bodyNoToken.data,
+              },
+            ],
+          });
+          jestDoneCallback();
+        } catch (error) {
+          jestDoneCallback(error);
+        }
+      });
+
+    await scrapeData();
+  });
+});

test/unit/supervisor/pod-watch-handler-caches.spec.ts

@@ -2,7 +2,6 @@ import * as async from 'async';
 import * as fs from 'fs';
 import sleep from 'sleep-promise';
 import * as YAML from 'yaml';
-
 // NOTE: Very important that the mock is set up before application code is imported!
 let pushCallCount = 0;
 const asyncQueueSpy = jest

test/unit/transmitter-payload.spec.ts

@@ -9,6 +9,8 @@ import {
   IDeleteWorkloadPayload,
   IImageLocator,
   ILocalWorkloadLocator,
+  IRuntimeDataPayload,
+  IRuntimeImage,
   IWorkload,
   IWorkloadLocator,
   IWorkloadMetadata,
@@ -208,4 +210,92 @@ describe('transmitter payload tests', () => {
       type: 'wl-type',
     });
   });
+
+  test.concurrent('constructRuntimeData happy flow', async () => {
+    const runtimeDataPayload = payload.constructRuntimeData([
+      {
+        imageID: 'something',
+        namespace: 'sysdig',
+        workloadName: 'workload',
+        workloadKind: 'deployment',
+        container: 'box',
+        packages: [],
+      },
+    ]);
+    expect(runtimeDataPayload).toEqual<IRuntimeDataPayload>({
+      identity: {
+        type: 'sysdig',
+      },
+      target: {
+        userLocator: expect.any(String),
+        cluster: 'Default cluster',
+        agentId: expect.any(String),
+      },
+      facts: [
+        {
+          type: 'loadedPackages',
+          data: [
+            {
+              imageID: 'something',
+              namespace: 'sysdig',
+              workloadName: 'workload',
+              workloadKind: 'Deployment',
+              container: 'box',
+              packages: [],
+            },
+          ],
+        },
+      ],
+    });
+  });
+
+  test.concurrent(
+    'constructRuntimeData with excluded namespace happy flow',
+    async () => {
+      config.EXCLUDED_NAMESPACES = ['test'];
+      const runtimeDataPayload = payload.constructRuntimeData([
+        {
+          imageID: 'something',
+          namespace: 'sysdig',
+          workloadName: 'workload',
+          workloadKind: 'deployment',
+          container: 'box',
+          packages: [],
+        },
+        {
+          imageID: 'something',
+          namespace: 'test',
+          workloadName: 'workload',
+          workloadKind: 'deployment',
+          container: 'box',
+          packages: [],
+        },
+      ]);
+      expect(runtimeDataPayload).toEqual<IRuntimeDataPayload>({
+        identity: {
+          type: 'sysdig',
+        },
+        target: {
+          userLocator: expect.any(String),
+          cluster: 'Default cluster',
+          agentId: expect.any(String),
+        },
+        facts: [
+          {
+            type: 'loadedPackages',
+            data: [
+              {
+                imageID: 'something',
+                namespace: 'sysdig',
+                workloadName: 'workload',
+                workloadKind: 'Deployment',
+                container: 'box',
+                packages: [],
+              },
+            ],
+          },
+        ],
+      });
+    },
+  );
 });