(chore) Fix flakey tests:

- move CI installation method to helm
- cleanup deployments after each suite
- increase ginkgo verbosity to find out why each test flakes
- move some syscall test to syscalls suite from ksp

Signed-off-by: Rudraksh Pareek <rudraksh@accuknox.com>

.github/workflows/ci-latest-release.yml

@@ -57,11 +57,11 @@ jobs:
 
       - name: Deploy KubeArmor into Kubernetes
         run: |
-          sed -i 's/kubearmor\/kubearmor:latest/kubearmor\/kubearmor:${{ steps.vars.outputs.tag }}/g' ./KubeArmor/build/kubearmor-test-docker.yaml
-          sed -i 's/kubearmor\/kubearmor-init:latest/kubearmor\/kubearmor-init:${{ steps.vars.outputs.tag }}/g' ./KubeArmor/build/kubearmor-test-docker.yaml
-          kubectl apply -f deployments/CRD
-          kubectl apply -f ./KubeArmor/build/kubearmor-test-docker.yaml
-          kubectl wait --for=condition=ready --timeout=5m -n kube-system pod -l kubearmor-app=kubearmor
+          helm upgrade --install kubearmor ./deployments/helm \
+          --values ./KubeArmor/build/kubearmor-helm-test-values.yaml \
+          -n kube-system;
+
+          kubectl wait --for=condition=ready --timeout=5m -n kube-system pod -l kubearmor-app
 
       - name: Test KubeArmor using Ginkgo
         run: |

.github/workflows/ci-test-controllers.yml

@@ -1,31 +1,61 @@
 name: ci-test-controllers
 
 on:
-  push:
-    branches:
-      - "main"
-    paths:
-      - "pkg/**"
   pull_request:
     branches:
       - "main"
     paths:
       - "pkg/**"
+      - ".github/workflows/ci-test-controllers.yml"
 
 jobs:
-  kubearmor-controller-build:
-    name: Build and Deploy KubeArmorController
-    defaults:
-      run:
-        working-directory: ./pkg/KubeArmorController
+  kubearmor-controller-test:
+    name: Build and Test KubeArmorController Using Ginkgo
     runs-on: ubuntu-20.04
-    timeout-minutes: 20
+    timeout-minutes: 30
     steps:
       - uses: actions/setup-go@v3
         with:
           go-version: "v1.20"
 
       - uses: actions/checkout@v3
 
+      - name: Setup a Kubernetes environment
+        run: ./.github/workflows/install-k3s.sh
+
       - name: Build KubeArmorController
-        run: make docker-build TAG=latest
+        run: make -C pkg/KubeArmorController/ docker-build TAG=latest
+
+      - name: Install KubeArmor Latest and KubeArmorController using Helm
+        run: |
+          # install kubearmor latest and controller built in this PR
+          helm upgrade --install kubearmor ./deployments/helm \
+          --values ./KubeArmor/build/kubearmor-helm-test-values.yaml \
+          --set kubearmorController.imagePullPolicy=Never \
+          --set kubearmor.imagePullPolicy=Always \
+          --set kubearmor.image.tag=latest \
+          -n kube-system;
+          kubectl wait --for=condition=ready --timeout=5m -n kube-system pod -l kubearmor-app
+          kubectl get pods -A
+
+      - name: Test KubeArmor using Ginkgo
+        run: |
+          go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
+          make -C tests/
+        timeout-minutes: 20
+
+      - name: Get karmor sysdump
+        if: ${{ failure() }}
+        run: |
+          kubectl describe pod -n kube-system -l kubearmor-app=kubearmor
+          curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin
+          mkdir -p /tmp/kubearmor/ && cd /tmp/kubearmor && karmor sysdump
+
+      - name: Archive log artifacts
+        if: ${{ failure() }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: kubearmor.logs
+          path: |
+            /tmp/kubearmor/
+            /tmp/kubearmor.*

.github/workflows/ci-test-ginkgo.yml

@@ -45,28 +45,31 @@ jobs:
       - name: Setup a Kubernetes environment
         run: ./.github/workflows/install-k3s.sh
 
-      - name: Install KubeArmor Controller
-        run: ./.github/workflows/install-kubearmor-controller.sh
-
       - name: Generate KubeArmor artifacts
         run: |
           GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/build_kubearmor.sh
 
       - name: Run KubeArmor
         run: |
-          kubectl apply -f deployments/CRD
           if [ ${{ matrix.runtime }} == "containerd" ]; then
             docker save kubearmor/kubearmor-init:latest | sudo k3s ctr images import -
             docker save kubearmor/kubearmor:latest | sudo k3s ctr images import -
-            kubectl apply -f ./KubeArmor/build/kubearmor-test-k3s.yaml
+
+            helm upgrade --install kubearmor ./deployments/helm \
+            --values ./KubeArmor/build/kubearmor-helm-test-values.yaml \
+            --set environment.name=k3s \
+            -n kube-system;
           else
             if [ ${{ matrix.runtime }} == "crio" ]; then
               sudo podman pull docker-daemon:kubearmor/kubearmor-init:latest
               sudo podman pull docker-daemon:kubearmor/kubearmor:latest
             fi
-            kubectl apply -f ./KubeArmor/build/kubearmor-test-${{ matrix.runtime }}.yaml
+            helm upgrade --install kubearmor ./deployments/helm \
+            --values ./KubeArmor/build/kubearmor-helm-test-values.yaml \
+            --set environment.name=${{ matrix.runtime }} \
+            -n kube-system;
           fi
-          kubectl wait --for=condition=ready --timeout=5m -n kube-system pod -l kubearmor-app=kubearmor
+          kubectl wait --for=condition=ready --timeout=5m -n kube-system pod -l kubearmor-app
           kubectl get pods -A
 
       - name: Test KubeArmor using Ginkgo

KubeArmor/build/kubearmor-helm-test-values.yaml

@@ -2,16 +2,27 @@ kubearmorRelay:
   enabled: true
   image:
     tag: latest
+
 kubearmorInit:
   image:
     tag: latest
   imagePullPolicy: Never
+
+# we pull the latest controller image by default
 kubearmorController:
   image:
     tag: latest
-  imagePullPolicy: Never
+  imagePullPolicy: Always
+
 environment:
   name: docker
+
+kubearmorConfigMap:
+  defaultFilePosture: block
+  defaultCapabilitiesPosture: block
+  defaultNetworkPosture: block
+  visibility: process,file,network
+
 kubearmor:
   image:
     tag: latest