Merge pull request #310 from snyk/feat/include_openshift_support

agranado2k · web-flow · commit 53e3a5526b1f · 2020-01-31T13:43:47.000Z
feat: include integration test support for OpenShift env
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -222,6 +222,32 @@ jobs:
             fi
           when: on_fail
 
+  openshift4_integration_tests:
+    <<: *default_machine_config
+    steps:
+      - checkout
+      - run:
+          name: INTEGRATION TESTS OpenShift 4
+          command: |
+            export NVM_DIR="/opt/circleci/.nvm" &&
+            [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" &&
+            nvm install v10 &&
+            npm install &&
+            docker login --username ${DOCKERHUB_USER} --password ${DOCKERHUB_PASSWORD} &&
+            export IMAGE_TAG=$([[ "$CIRCLE_BRANCH" == "staging" ]] && echo "staging-candidate" || echo "discardable") &&
+            export KUBERNETES_MONITOR_IMAGE_NAME_AND_TAG=snyk/kubernetes-monitor:${IMAGE_TAG}-${CIRCLE_SHA1} &&
+            docker pull ${KUBERNETES_MONITOR_IMAGE_NAME_AND_TAG} &&
+            .circleci/do-exclusively --branch staging npm run test:integration:openshift4
+      - run:
+          name: Notify Slack on failure
+          command: |
+            if [[ "$CIRCLE_BRANCH" == "staging" ]]; then
+              ./scripts/slack-notify-failure.sh "staging-openshift4-integration-tests-${CIRCLE_SHA1}"
+            else
+              echo "Current branch is $CIRCLE_BRANCH so skipping notifying Slack"
+            fi
+          when: on_fail
+
 ######################## MERGE TO STAGING ########################
   tag_and_push:
     <<: *default_container_config
@@ -350,6 +376,10 @@ workflows:
           requires:
             - build_image
           <<: *staging_branch_only_filter
+      - openshift4_integration_tests:
+          requires:
+            - build_image
+          <<: *staging_branch_only_filter
       - package_manager_test_apk:
           requires:
             - build_image
diff --git a/package.json b/package.json
@@ -10,6 +10,7 @@
     "test:integration": "TEST_PLATFORM=kind CREATE_CLUSTER=true tap test/integration/kubernetes.test.ts --timeout=1200",
     "test:integration:kind": "TEST_PLATFORM=kind CREATE_CLUSTER=true tap test/integration/kubernetes.test.ts --timeout=1200",
     "test:integration:eks": "TEST_PLATFORM=eks CREATE_CLUSTER=false tap test/integration/kubernetes.test.ts --timeout=1200",
+    "test:integration:openshift4": "TEST_PLATFORM=openshift4 CREATE_CLUSTER=false tap test/integration/kubernetes.test.ts --timeout=1200",
     "test:coverage": "npm run test:unit -- --coverage",
     "test:watch": "tsc-watch --onSuccess 'npm run test:unit'",
     "test:apk": "TEST_PLATFORM=kind CREATE_CLUSTER=true PACKAGE_MANAGER=apk tap test/integration/package-manager.test.ts --timeout=7200",
diff --git a/snyk-monitor-deployment.yaml b/snyk-monitor-deployment.yaml
@@ -56,6 +56,8 @@ spec:
                 optional: true
           - name: SNYK_MONITOR_VERSION
             value: IMAGE_TAG_OVERRIDE_WHEN_PUBLISHING
+          - name: HOME
+            value: /srv/app
         resources:
           requests:
             cpu: '250m'
diff --git a/src/common/process.ts b/src/common/process.ts
@@ -16,6 +16,7 @@ export function exec(bin: string, ...processArgs: IProcessArgument[]):
   // For example, that process doesn't need to know secrets like our integrationId!
   const env = {
     PATH: process.env.PATH,
+    HOME: process.env.HOME,
   };
 
   const allArguments = processArgs.map((arg) => arg.body);
diff --git a/test/README.md b/test/README.md
@@ -69,6 +69,17 @@ This test runs whenever we commit to our `staging` branch, and at the moment may
 
 Run with `npm run test:integration:eks`.
 
+### OpenShift 4 ###
+
+OpenShift 4 is Red Hat platform and helps us ensure we support not only the generic Kubernetes API, but also specifically OpenShift 4.
+
+This test uses an existing Google Cloud Platform (GCP) account with an existing OpenShift 4 cluster, and as such has a few more prerequisites:
+- OpenShift 4 environment variables: `OPEN_SHIFT_4_USER_PASSWORD` and `OPEN_SHIFT_4_CLUSTER_URL` are used to authenticate against the OpenShift 4 cluster in GCP account.
+
+This test runs whenever we commit to our `staging` branch, and at the moment may only run once concurrently since it uses the same cluster.
+
+Run with `npm run test:integration:openshift4`.
+
 ### Package Managers ###
 
 These tests attempt to provide some more thorough coverage for our scans of specific package manager: APK, APT and RPM.
diff --git a/test/helpers/deployment.ts b/test/helpers/deployment.ts
@@ -1,6 +1,9 @@
 import * as tap from 'tap';
 import { V1Deployment } from '@kubernetes/client-node';
 
+const OPENSHIFT4 = "openshift4";
+const testPlatform = process.env['TEST_PLATFORM'] || 'kind';
+
 export function validateSecureConfiguration(test: tap, deployment: V1Deployment) {
   if (
     !deployment.spec ||
@@ -42,16 +45,19 @@ export function validateSecureConfiguration(test: tap, deployment: V1Deployment)
   tap.ok(securityContext.allowPrivilegeEscalation === false, 'must explicitly set allowPrivilegeEscalation to false');
   tap.ok(securityContext.privileged === false, 'must explicitly set privileged to false');
   tap.ok(securityContext.runAsNonRoot === true, 'must explicitly set runAsNonRoot to true');
-  tap.ok(
-    securityContext.runAsUser !== undefined &&
-      securityContext.runAsUser >= 10001,
-    'must explicitly set runAsUser to be 10001 or greater',
-  );
-  tap.ok(
-    securityContext.runAsGroup !== undefined &&
-      securityContext.runAsGroup >= 10001,
-    'must explicitly set runAsGroup to be 10001 or greater',
-  );
+
+  if (testPlatform !== OPENSHIFT4) {
+    tap.ok(
+      securityContext.runAsUser !== undefined &&
+        securityContext.runAsUser >= 10001,
+      'must explicitly set runAsUser to be 10001 or greater',
+    );
+    tap.ok(
+      securityContext.runAsGroup !== undefined &&
+        securityContext.runAsGroup >= 10001,
+      'must explicitly set runAsGroup to be 10001 or greater',
+    );
+  }
 }
 
 export function validateVolumeMounts(test: tap, deployment: V1Deployment) {
diff --git a/test/setup/index.ts b/test/setup/index.ts
@@ -6,6 +6,7 @@ import platforms from './platforms';
 import * as kubectl from '../helpers/kubectl';
 import * as waiters from './waiters';
 
+const OPENSHIFT4 = "openshift4";
 const testPlatform = process.env['TEST_PLATFORM'] || 'kind';
 const createCluster = process.env['CREATE_CLUSTER'] === 'true';
 
@@ -27,6 +28,7 @@ function createTestYamlDeployment(
   integrationId: string,
   imageNameAndTag: string,
   imagePullPolicy: string,
+  platform: string,
 ): void {
   console.log('Creating test deployment...');
   const originalDeploymentYaml = readFileSync('./snyk-monitor-deployment.yaml', 'utf8');
@@ -53,6 +55,11 @@ function createTestYamlDeployment(
     value: 'https://kubernetes-upstream.dev.snyk.io',
   };
 
+  if (platform === OPENSHIFT4) {
+    delete deployment.spec.template.spec.containers[0].securityContext.runAsUser;
+    delete deployment.spec.template.spec.containers[0].securityContext.runAsGroup;
+  }
+
   writeFileSync(newYamlPath, stringify(deployment));
   console.log('Created test deployment');
 }
@@ -109,6 +116,7 @@ async function createSecretForGcrIoAccess(): Promise<void> {
 async function installKubernetesMonitor(
   imageNameAndTag: string,
   imagePullPolicy: string,
+  platform: string,
   ): Promise<string> {
   const namespace = 'snyk-monitor';
   await kubectl.createNamespace(namespace);
@@ -122,7 +130,7 @@ async function installKubernetesMonitor(
   });
 
   const testYaml = 'snyk-monitor-test-deployment.yaml';
-  createTestYamlDeployment(testYaml, integrationId, imageNameAndTag, imagePullPolicy);
+  createTestYamlDeployment(testYaml, integrationId, imageNameAndTag, imagePullPolicy, platform);
 
   await kubectl.applyK8sYaml('./snyk-monitor-cluster-permissions.yaml');
   await kubectl.applyK8sYaml('./snyk-monitor-test-deployment.yaml');
@@ -154,7 +162,7 @@ export async function deployMonitor(): Promise<string> {
     // TODO: hack, rewrite this
     const imagePullPolicy = testPlatform === 'kind' ? 'Never' : 'Always';
 
-    const integrationId = await installKubernetesMonitor(remoteImageName, imagePullPolicy);
+    const integrationId = await installKubernetesMonitor(remoteImageName, imagePullPolicy, testPlatform);
     await waiters.waitForMonitorToBeReady();
     console.log(`Deployed the snyk-monitor with integration ID ${integrationId}`);
     return integrationId;
diff --git a/test/setup/platforms/index.ts b/test/setup/platforms/index.ts
@@ -1,5 +1,6 @@
 import * as kind from './kind';
 import * as eks from './eks';
+import * as openshift4 from './openshift4';
 
 interface IPlatformSetup {
   // create a Kubernetes cluster
@@ -30,7 +31,16 @@ const eksSetup: IPlatformSetup = {
   clean: eks.clean,
 };
 
+const openshift4Setup: IPlatformSetup = {
+  create: openshift4.createCluster,
+  loadImage: openshift4.loadImageInCluster,
+  delete: openshift4.deleteCluster,
+  config: openshift4.exportKubeConfig,
+  clean: openshift4.clean,
+};
+
 export default {
   kind: kindSetup,
   eks: eksSetup,
+  openshift4: openshift4Setup,
 };
diff --git a/test/setup/platforms/openshift4.ts b/test/setup/platforms/openshift4.ts
@@ -0,0 +1,75 @@
+import { exec } from 'child-process-promise';
+import * as kubectl from '../../helpers/kubectl';
+import { accessSync, chmodSync, constants, writeFileSync } from 'fs';
+import { platform, tmpdir } from 'os';
+import { resolve } from 'path';
+import * as needle from 'needle';
+
+export async function createCluster(): Promise<void> {
+  throw new Error('Not implemented');
+}
+
+export async function deleteCluster(): Promise<void> {
+  throw new Error('Not implemented');
+}
+
+export async function exportKubeConfig(): Promise<void> {
+  await installOpenShiftCli(normalizePlatform(platform()), version());
+  const userPassword = process.env['OPEN_SHIFT_4_USER_PASSWORD'];
+  const clusterURL = process.env['OPEN_SHIFT_4_CLUSTER_URL'];
+  const cmd = `./oc login -u kubeadmin -p ${userPassword} ${clusterURL} --insecure-skip-tls-verify=true --kubeconfig ./kubeconfig`;
+
+  await exec(cmd);
+  process.env.KUBECONFIG = './kubeconfig';
+}
+
+export async function loadImageInCluster(imageNameAndTag: string): Promise<string> {
+  return imageNameAndTag;
+}
+
+export async function clean(): Promise<void> {
+  await exportKubeConfig();
+  await Promise.all([
+    kubectl.deleteNamespace('services'),
+    kubectl.deleteNamespace('snyk-monitor'),
+  ]);
+}
+
+async function installOpenShiftCli(osDistro: string, version: string): Promise<void> {
+  try {
+    accessSync(resolve(process.cwd(), 'oc'), constants.R_OK);
+  } catch (error) {
+    console.log('Downloading OpenShift OC...');
+
+    const ocpURL = constructCliDownloadUrl(osDistro, version);
+    const bodyData = null;
+    // eslint-disable-next-line @typescript-eslint/camelcase
+    const requestOptions = { follow_max: 2 };
+    await needle('get',
+      ocpURL,
+      bodyData,
+      requestOptions,
+    ).then( async (response) => {
+      writeFileSync(`${tmpdir()}/openshift-client`, response.body);
+      await exec(`tar -xzvf ${tmpdir()}/openshift-client -C ${tmpdir()}`);
+      await exec(`cp ${tmpdir()}/oc .`);
+      chmodSync('oc', 0o755); // rwxr-xr-x
+    });
+
+    console.log('OpenShift OC downloaded and installed!');
+  }
+}
+
+function constructCliDownloadUrl(platform: string, version: string): string {
+  return `https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/openshift-client-${platform}-${version}.tar.gz`;
+}
+
+function version(): string {
+  return "4.3.0";
+}
+
+function normalizePlatform(platform: string): string {
+  if (platform === "darwin") platform = "mac";
+
+  return platform;
+}
