|
| 1 | +name: e2e-harbor-integration |
| 2 | + |
| 3 | +on: |
| 4 | + workflow_dispatch: |
| 5 | + pull_request: |
| 6 | + branches: |
| 7 | + - master |
| 8 | + |
| 9 | +jobs: |
| 10 | + e2e-test: |
| 11 | + runs-on: ubuntu-latest |
| 12 | + defaults: |
| 13 | + run: |
| 14 | + shell: nix develop --command bash -v {0} |
| 15 | + timeout-minutes: 60 |
| 16 | + |
| 17 | + steps: |
| 18 | + - name: Checkout |
| 19 | + uses: actions/checkout@v4 |
| 20 | + |
| 21 | + - name: Install nix |
| 22 | + uses: DeterminateSystems/nix-installer-action@main |
| 23 | + |
| 24 | + - name: Start Minikube (Docker driver) |
| 25 | + id: minikube |
| 26 | + run: | |
| 27 | + minikube start --driver=docker --cpus=2 --memory=2G --force |
| 28 | + echo "ip=$(minikube ip)" >> "$GITHUB_OUTPUT" |
| 29 | +
|
| 30 | + - name: Helm repos |
| 31 | + run: | |
| 32 | + helm repo add bitnami https://charts.bitnami.com/bitnami |
| 33 | + helm repo add sysdig https://charts.sysdig.com |
| 34 | + helm repo update |
| 35 | +
|
| 36 | + - name: Install Harbor (NodePort) |
| 37 | + id: harbor |
| 38 | + env: |
| 39 | + MINIKUBE_IP: ${{ steps.minikube.outputs.ip }} |
| 40 | + run: | |
| 41 | + HARBOR_URL="https://${MINIKUBE_IP}:30003" |
| 42 | +
|
| 43 | + helm install harbor bitnami/harbor \ |
| 44 | + --namespace harbor \ |
| 45 | + --create-namespace \ |
| 46 | + --set service.type=NodePort \ |
| 47 | + --set service.nodePorts.http=30002 \ |
| 48 | + --set service.nodePorts.https=30003 \ |
| 49 | + --set externalURL="${HARBOR_URL}" |
| 50 | +
|
| 51 | + HARBOR_USERNAME=admin |
| 52 | + HARBOR_PASSWORD=$(kubectl get secret -n harbor harbor-core-envvars -o jsonpath='{.data.HARBOR_ADMIN_PASSWORD}' | base64 -d) |
| 53 | + echo "::add-mask::${HARBOR_PASSWORD}" |
| 54 | +
|
| 55 | + echo "url=${HARBOR_URL}" >> "$GITHUB_OUTPUT" |
| 56 | + echo "username=${HARBOR_USERNAME}" >> "$GITHUB_OUTPUT" |
| 57 | + echo "password=${HARBOR_PASSWORD}" >> "$GITHUB_OUTPUT" |
| 58 | +
|
| 59 | + - name: Build adapter image with Nix |
| 60 | + run: nix build .#harbor-adapter-docker |
| 61 | + |
| 62 | + - name: Load image into Docker & Minikube |
| 63 | + id: image_in_docker |
| 64 | + run: | |
| 65 | + PULL_STRING=$(docker load -i ./result -q | tail -n1 | cut -d: -f2- | tr -d ' ') |
| 66 | + REPOSITORY=$(echo "${PULL_STRING}" | cut -d: -f1) |
| 67 | + TAG=$(echo "${PULL_STRING}" | cut -d: -f2) |
| 68 | +
|
| 69 | + echo "pull_string=${PULL_STRING}" >> "$GITHUB_OUTPUT" |
| 70 | + echo "repository=${REPOSITORY}" >> "$GITHUB_OUTPUT" |
| 71 | + echo "tag=${TAG}" >> "$GITHUB_OUTPUT" |
| 72 | +
|
| 73 | + - name: Load image into Minikube |
| 74 | + env: |
| 75 | + PULL_STRING: ${{ steps.image_in_docker.outputs.pull_string }} |
| 76 | + run: | |
| 77 | + minikube image load "${PULL_STRING}" |
| 78 | +
|
| 79 | + - name: Deploy Sysdig Harbor scanner (use local image) |
| 80 | + env: |
| 81 | + REPOSITORY: ${{ steps.image_in_docker.outputs.repository }} |
| 82 | + TAG: ${{ steps.image_in_docker.outputs.tag }} |
| 83 | + SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }} |
| 84 | + SECURE_URL: ${{ secrets.SECURE_URL }} |
| 85 | + run: | |
| 86 | + helm install harbor-scanner-sysdig-secure sysdig/harbor-scanner-sysdig-secure \ |
| 87 | + --wait \ |
| 88 | + --timeout 300s \ |
| 89 | + --namespace harbor \ |
| 90 | + --create-namespace \ |
| 91 | + --set image.repository=$REPOSITORY \ |
| 92 | + --set image.tag=$TAG \ |
| 93 | + --set image.pullPolicy=Never \ |
| 94 | + --set sysdig.secure.apiToken="$SECURE_API_TOKEN" \ |
| 95 | + --set sysdig.secure.url="$SECURE_URL" \ |
| 96 | + --set cliScanning.image="quay.io/sysdig/sysdig-cli-scanner:1.22.6" |
| 97 | +
|
| 98 | + - name: Wait for Harbor to be ready |
| 99 | + run: | |
| 100 | + kubectl wait --for=condition=ready pod -l app.kubernetes.io/instance=harbor -n harbor --timeout=600s |
| 101 | + kubectl get pods -n harbor -o wide |
| 102 | +
|
| 103 | + - name: Log in with harbor-cli |
| 104 | + env: |
| 105 | + HARBOR_URL: ${{ steps.harbor.outputs.url }} |
| 106 | + HARBOR_USERNAME: ${{ steps.harbor.outputs.username }} |
| 107 | + HARBOR_PASSWORD: ${{ steps.harbor.outputs.password }} |
| 108 | + run: | |
| 109 | + harbor login "$HARBOR_URL" --username "$HARBOR_USERNAME" --password "$HARBOR_PASSWORD" |
| 110 | +
|
| 111 | + - name: Register scanner via Harbor API and set as default |
| 112 | + run: | |
| 113 | + harbor scanner create \ |
| 114 | + --name "Sysdig-Local" \ |
| 115 | + --description "Sysdig Scanner" \ |
| 116 | + --url "http://harbor-scanner-sysdig-secure.harbor.svc.cluster.local:5000" \ |
| 117 | + --skip-cert-verification \ |
| 118 | + --auth None |
| 119 | +
|
| 120 | + harbor scanner set-default "Sysdig-Local" |
| 121 | +
|
| 122 | + - name: Push sample image |
| 123 | + id: image_in_harbor |
| 124 | + env: |
| 125 | + MINIKUBE_IP: ${{ steps.minikube.outputs.ip }} |
| 126 | + HARBOR_URL: ${{ steps.harbor.outputs.url }} |
| 127 | + HARBOR_USERNAME: ${{ steps.harbor.outputs.username }} |
| 128 | + HARBOR_PASSWORD: ${{ steps.harbor.outputs.password }} |
| 129 | + run: | |
| 130 | + REPO="alpine" |
| 131 | + PROJECT="library" |
| 132 | + NEW_TAG="test" |
| 133 | +
|
| 134 | + skopeo \ |
| 135 | + --policy <(echo '{"default":[{"type":"insecureAcceptAnything"}]}') \ |
| 136 | + copy "docker://${REPO}:latest" \ |
| 137 | + "docker://${MINIKUBE_IP}:30003/${PROJECT}/${REPO}:${NEW_TAG}" \ |
| 138 | + --dest-tls-verify=false \ |
| 139 | + --dest-creds="${HARBOR_USERNAME}:${HARBOR_PASSWORD}" |
| 140 | +
|
| 141 | + DIGEST=$(harbor artifact list "${PROJECT}"/"${REPO}" -o json | jq -r .Payload[].digest) |
| 142 | +
|
| 143 | + echo "repo=${REPO}" >> "$GITHUB_OUTPUT" |
| 144 | + echo "project=${PROJECT}" >> "$GITHUB_OUTPUT" |
| 145 | + echo "tag=${NEW_TAG}" >> "$GITHUB_OUTPUT" |
| 146 | + echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT" |
| 147 | +
|
| 148 | + - name: Trigger scan |
| 149 | + env: |
| 150 | + PROJECT: ${{ steps.image_in_harbor.outputs.project }} |
| 151 | + REPO: ${{ steps.image_in_harbor.outputs.repo }} |
| 152 | + DIGEST: ${{ steps.image_in_harbor.outputs.digest }} |
| 153 | + run: | |
| 154 | + harbor artifact scan start "${PROJECT}/${REPO}@${DIGEST}" -v |
| 155 | +
|
| 156 | + - name: Fetch logs from CLI Scanner |
| 157 | + run: | |
| 158 | + for i in {1..6}; do kubectl get pods -n harbor -l created-by=harbor-scanner-sysdig-secure -o name | grep -q . && break; sleep 5; done |
| 159 | + kubectl wait -n harbor --for=condition=ContainersReady pod -l created-by=harbor-scanner-sysdig-secure --timeout=300s |
| 160 | + kubectl logs -n harbor -l created-by=harbor-scanner-sysdig-secure --follow |
| 161 | +
|
| 162 | + - name: Check if Vulnerability report is generated in Harbor |
| 163 | + env: |
| 164 | + PROJECT: ${{ steps.image_in_harbor.outputs.project }} |
| 165 | + REPO: ${{ steps.image_in_harbor.outputs.repo }} |
| 166 | + DIGEST: ${{ steps.image_in_harbor.outputs.digest }} |
| 167 | + HARBOR_USERNAME: ${{ steps.harbor.outputs.username }} |
| 168 | + HARBOR_PASSWORD: ${{ steps.harbor.outputs.password }} |
| 169 | + HARBOR_URL: ${{ steps.harbor.outputs.url }} |
| 170 | + run: | |
| 171 | + for i in $(seq 1 30); do |
| 172 | + REPORT=$( |
| 173 | + curl -sk -u "$HARBOR_USERNAME:$HARBOR_PASSWORD" \ |
| 174 | + -H 'Accept: application/json' \ |
| 175 | + "${HARBOR_URL}/api/v2.0/projects/${PROJECT}/repositories/${REPO}/artifacts/${DIGEST}/additions/vulnerabilities" |
| 176 | + ) |
| 177 | +
|
| 178 | + GENERATED_AT=$(echo "$REPORT" | jq -r '."application/vnd.security.vulnerability.report; version=1.1".generated_at') |
| 179 | +
|
| 180 | + if [ -n "$GENERATED_AT" ] && [ "$GENERATED_AT" != "null" ]; then |
| 181 | + echo "Scan completed successfully, vulnerability report is available ✅" |
| 182 | + echo "Report details: $REPORT" |
| 183 | + exit 0 |
| 184 | + else |
| 185 | + echo "Polling attempt ${i}/30: Vulnerability report not yet available." |
| 186 | + fi |
| 187 | +
|
| 188 | + sleep 10 |
| 189 | + done |
| 190 | +
|
| 191 | + echo "Scan did not complete in time ❌" |
| 192 | + exit 1 |
| 193 | + - name: Delete cluster |
| 194 | + if: always() |
| 195 | + run: | |
| 196 | + minikube delete || true |
0 commit comments