Update current feature

k8s-school · Apr 24, 2024 · 85ef678 · 85ef678
1 parent e873433
commit 85ef678
Show file tree

Hide file tree

Showing 16 changed files with 229 additions and 101 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,42 @@
+---
+name: "Integration tests"
+on:
+  push:
+  pull_request:
+    branches:
+      - master
+jobs:
+  build_image:
+    name: Build k8s-toolbox desk
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build image
+        run: |
+          ./_desk/build-image.sh
+      - name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+      - name: Push images to container registry
+        run: |
+          ./_desk/push-image.sh
+  utest:
+    name: Run unit tests
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: '^1.20.3'
+      - run: go version
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Run unit tests
+        run: |
+          go test ./...
+      - name: Build and install k8s-toolbox
+        run: |
+          go install .
+
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -6,23 +6,6 @@ on:
     branches:
       - master
 jobs:
-  build_image:
-    name: Build k8s-toolbox desk
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-      - name: Build image
-        run: |
-          ./_desk/build-image.sh
-      - name: Login to DockerHub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.REGISTRY_USERNAME }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
-      - name: Push images to container registry
-        run: |
-          ./_desk/push-image.sh
   check_cni:
     strategy:
       matrix:
@@ -48,12 +31,12 @@ jobs:
           kubectl get nodes
       - name: Start nginx
         run: |
-          ./itest/run-nginx.sh
+          ./e2e/run-nginx.sh
       - name: Test nginx
         run: |
-          ./itest/test-nginx.sh
-  check_argo:
-    name: Install olm and argo on k8s
+          ./e2e/test-nginx.sh
+  check_audit_log:
+    name: Enable audit log on k8s api server
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/setup-go@v3
@@ -85,3 +68,22 @@ jobs:
       - name: Install argo-workflows
         run: |
           ktbx install argowf
+          check_argo:
+            name: Install olm and argo on k8s
+            runs-on: ubuntu-22.04
+            steps:
+              - uses: actions/setup-go@v3
+                with:
+                  go-version: '^1.20.3'
+              - run: go version
+              - name: Checkout code
+                uses: actions/checkout@v2
+              - name: Build and install k8s-toolbox
+                run: |
+                  go install .
+              - name: Install k8s using kind
+                run: |
+                  ktbx install kind
+                  ktbx create --single
+                  kubectl get pods -n kube-system
+                  kubectl get nodes
diff --git a/dot-config.example b/dot-config.example
@@ -7,7 +7,7 @@ kind:
   # Sets "127.0.0.1" as an extra Subject Alternative Names (SANs) for the API Server signing certificate.
   # See https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta3/#kubeadm-k8s-io-v1beta3-APIServer
   # Usefull to access API server through a ssh tunnel
-  localcertsans: false
+  localCertSans: false
 
   # Use calico CNI instead of kindnet
   # cni: calico

diff --git a/e2e/audit-policy.yaml b/e2e/audit-policy.yaml
@@ -0,0 +1,4 @@
+apiVersion: audit.k8s.io/v1
+kind: Policy
+rules:
+- level: Metadata
diff --git a/e2e/dot-config-audit b/e2e/dot-config-audit
@@ -0,0 +1 @@
+../utest/dot-config-audit
diff --git a/itest/launch.sh → e2e/launch.sh b/itest/launch.sh → e2e/launch.sh
diff --git a/itest/run-nginx.sh → e2e/run-nginx.sh b/itest/run-nginx.sh → e2e/run-nginx.sh
diff --git a/itest/test-nginx.sh → e2e/test-nginx.sh b/itest/test-nginx.sh → e2e/test-nginx.sh
diff --git a/go.mod b/go.mod
@@ -9,6 +9,7 @@ require (
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/viper v1.17.0
 	github.com/stretchr/testify v1.8.4
+	golang.org/x/exp v0.0.0-20230905200255-921286631fa9
 	gopkg.in/yaml.v2 v2.4.0
 )
 
@@ -29,7 +30,6 @@ require (
 	github.com/subosito/gotenv v1.6.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
-	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
 	golang.org/x/sys v0.12.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect

diff --git a/go.sum b/go.sum
@@ -128,8 +128,6 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
-github.com/k8s-school/ciux v0.0.0-20231027090133-1e529512f7a0 h1:w+EetWslmntWl6SUrA8kTh9nPxDUb4PnfTt/LA3r9fs=
-github.com/k8s-school/ciux v0.0.0-20231027090133-1e529512f7a0/go.mod h1:vjAa3fPJMK33ipXTTO5xk9p3aOeyPFyrSKUCvbQTARk=
 github.com/k8s-school/ciux v0.0.1-rc8 h1:hjUH5DBto789gctykGdDnHcP56IE2OQWRO5AfNsoNgA=
 github.com/k8s-school/ciux v0.0.1-rc8/go.mod h1:tYTluY140iLb34FHbEuzukJUhCIE9mBpkprNk0cfjG8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=

diff --git a/internal/config.go b/internal/config.go
@@ -22,9 +22,10 @@ const Kind string = "kind"
 const KindConfigFile string = "/tmp/kind-config.yaml"
 
 type KtbxConfig struct {
-	ExtraMountPath  string `mapstructure:"extramountpath" default:""`
-	LocalCertSANs   bool   `mapstructure:"localcertsans" default:"false"`
-	PrivateRegistry string `mapstructure:"privateregistry" default:""`
+	AuditPolicy     string `mapstructure:"auditPolicy" default:""`
+	ExtraMountPath  string `mapstructure:"extraMountPath" default:""`
+	LocalCertSANs   bool   `mapstructure:"localCertSans" default:"false"`
+	PrivateRegistry string `mapstructure:"privateRegistry" default:""`
 	Cni             string `mapstructure:"cni" default:""`
 	Workers         uint   `mapstructure:"workers" default:"3"`
 }

diff --git a/internal/config_test.go b/internal/config_test.go
@@ -7,19 +7,19 @@ import (
 	"testing"
 
 	"github.com/spf13/viper"
-	"github.com/stretchr/testify/assert"
+	require "github.com/stretchr/testify/assert"
 )
 
 func setupSuite(tb testing.TB) func(tb testing.TB) {
 	log.Println("setup suite")
 
-	assert := assert.New(tb)
+	require := require.New(tb)
 	wd, err := os.Getwd()
-	assert.NoError(err)
+	require.NoError(err)
 	parent := filepath.Dir(wd)
-	ktbxConfigFile := filepath.Join(parent, "dot-config.example")
+	ktbxConfigFile := filepath.Join(parent, "utest", "dot-config-audit")
 	err = os.Setenv("KTBXCONFIG", ktbxConfigFile)
-	assert.NoError(err)
+	require.NoError(err)
 
 	// Return a function to teardown the test
 	return func(tb testing.TB) {
@@ -31,11 +31,12 @@ func TestReadConfig(t *testing.T) {
 	teardownSuite := setupSuite(t)
 	defer teardownSuite(t)
 
-	assert := assert.New(t)
+	require := require.New(t)
 	ReadConfig()
-	assert.Equal(
+	require.Equal(
 		map[string]interface{}(
 			map[string]interface{}{
+				"auditpolicy":     "/tmp/audit-policy.yaml",
 				"extramountpath":  "/media",
 				"localcertsans":   false,
 				"privateregistry": "docker-registry.docker-registry:5000",
@@ -47,11 +48,49 @@ func TestGetConfig(t *testing.T) {
 	teardownSuite := setupSuite(t)
 	defer teardownSuite(t)
 
-	assert := assert.New(t)
+	require := require.New(t)
 	ReadConfig()
 	c := GetConfig()
 	t.Logf("Config: %+v", c)
-	assert.Equal(uint(1), c.Workers)
-	assert.Equal("", c.Cni)
+	require.Equal(uint(1), c.Workers)
+	require.Equal("", c.Cni)
 
 }
+func TestGenerateKindConfigFile(t *testing.T) {
+	teardownSuite := setupSuite(t)
+	defer teardownSuite(t)
+
+	require := require.New(t)
+
+	// Create a temporary directory for the test
+	tmpDir, err := os.MkdirTemp("/tmp", "kind-config")
+	require.NoError(err)
+	defer os.RemoveAll(tmpDir)
+
+	// Create a sample KtbxConfig
+	config := KtbxConfig{
+		Workers:         1,
+		Cni:             "calico",
+		AuditPolicy:     "/tmp/audit-policy.yaml",
+		ExtraMountPath:  "/tmp/extra-mount-path",
+		LocalCertSANs:   true,
+		PrivateRegistry: "docker-registry.docker-registry:5000",
+	}
+
+	// Call the GenerateKindConfigFile function
+	GenerateKindConfigFile(config)
+
+	// Read the contents of the generated file
+	fileContents, err := os.ReadFile(KindConfigFile)
+	require.NoError(err)
+
+	// Assert the expected file contents
+	wd, err := os.Getwd()
+	require.NoError(err)
+	parent := filepath.Dir(wd)
+	expectedKindConfigFile := filepath.Join(parent, "utest", "kind-config.yaml")
+
+	expectedContents, err := os.ReadFile(expectedKindConfigFile)
+	require.NoError(err)
+	require.Equal(string(expectedContents), string(fileContents))
+}
diff --git a/release.sh b/release.sh
diff --git a/resources/kind-config.yaml b/resources/kind-config.yaml
@@ -12,26 +12,48 @@ networking:
   disableDefaultCNI: true # disable kindnet
   podSubnet: "192.168.0.0/16"
 {{- end }}
-kubeadmConfigPatches:
-- |
-  apiVersion: kubeadm.k8s.io/v1beta2
-  kind: ClusterConfiguration
-  metadata:
-    name: config
-  apiServer:
-    extraArgs:
-      enable-admission-plugins: NodeRestriction,ResourceQuota
-	{{- if .LocalCertSANs }}
-    certSANs:
-      - "127.0.0.1"
-	{{- end }}
 nodes:
 - role: control-plane
+  kubeadmConfigPatches:
+  - |
+    apiVersion: kubeadm.k8s.io/v1beta3
+    kind: ClusterConfiguration
+    metadata:
+      name: config
+    apiServer:
+      extraArgs:
+        enable-admission-plugins: NodeRestriction,ResourceQuota
+    {{- if .AuditPolicy }}
+        # enable auditing flags on the API server
+        audit-log-path: /var/log/kubernetes/kube-apiserver-audit.log
+        audit-policy-file: /etc/kubernetes/policies/audit-policy.yaml
+      # mount new files / directories on the control plane
+      extraVolumes:
+        - name: audit-policies
+          hostPath: /etc/kubernetes/policies
+          mountPath: /etc/kubernetes/policies
+          readOnly: true
+          pathType: "DirectoryOrCreate"
+        - name: "audit-logs"
+          hostPath: "/var/log/kubernetes"
+          mountPath: "/var/log/kubernetes"
+          readOnly: false
+          pathType: DirectoryOrCreate
+    {{- end }}
+    {{- if .LocalCertSANs }}
+      certSANs:
+        - "127.0.0.1"
+	{{- end }}
   extraMounts:
   {{- if .ExtraMountPath }}
   - hostPath: {{ .ExtraMountPath }}
     containerPath: /mnt/extra
   {{- end }}
+  {{- if .AuditPolicy }}
+  - hostPath: {{ .AuditPolicy }}
+    containerPath: /etc/kubernetes/policies/audit-policy.yaml
+    readOnly: true
+  {{- end }}
 {{- range $val := Iterate .Workers }}
 - role: worker
   extraMounts:

diff --git a/utest/dot-config-audit b/utest/dot-config-audit
@@ -0,0 +1,21 @@
+# Used by unit tests
+kind:
+
+  auditPolicy: /tmp/audit-policy.yaml
+
+  # Use host directory to share data between host and kind node
+  # host directory will be mounted on /mnt/extra on each node
+  extraMountPath: /media
+
+  # Sets "127.0.0.1" as an extra Subject Alternative Names (SANs) for the API Server signing certificate.
+  # See https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta3/#kubeadm-k8s-io-v1beta3-APIServer
+  # Usefull to access API server through a ssh tunnel
+  localCertSans: false
+
+  # Use calico CNI instead of kindnet
+  # cni: calico
+  # Number of worker nodes
+  workers: 1
+
+  # Use an private registry with insecure_skip_verify tls mode
+  privateRegistry: "docker-registry.docker-registry:5000"