diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index f562543..10f21d1 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -10,6 +10,7 @@ on: - 'cmd/**' - 'go.*' - 'Dockerfile' + - 'test/**' - '!helm/Chart.yaml' - '!helm/README.md' - '!helm/test/**' @@ -26,28 +27,27 @@ jobs: fail-fast: false matrix: include: - - PLATFORM: amd64 + - ARCH: amd64 RUNNER: self-hosted-amd64-1cpu - - PLATFORM: aarch64 + - ARCH: arm64 RUNNER: self-hosted-arm64-1cpu outputs: helm_args: ${{ steps.compute_helm_args.outputs.helm_args }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Build run: | IMAGE="wallarm/sidecar-controller" - make build TAG=${GITHUB_SHA} IMAGE=${IMAGE} PLATFORMS=linux/${{ matrix.PLATFORM }} BUILDX_ARGS=--load - mkdir artifacts - docker save -o artifacts/docker-image-${{ matrix.PLATFORM }}.tar ${IMAGE}:${GITHUB_SHA} + make build TAG=1.0.0-dev IMAGE=${IMAGE} PLATFORMS=linux/${{ matrix.ARCH }} BUILDX_ARGS=--load + docker save -o sidecar-${{ matrix.ARCH }}.tar ${IMAGE}:1.0.0-dev - name: Save artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: - name: docker-artifact - path: artifacts/docker-image-${{ matrix.PLATFORM }}.tar + name: sidecar-${{ matrix.ARCH }}.tar + path: sidecar-${{ matrix.ARCH }}.tar retention-days: 1 - name: Compute Helm arguments @@ -56,6 +56,7 @@ jobs: run: | HELM_ARGS="--set controller.image.tag=${GITHUB_SHA}" echo "helm_args=${HELM_ARGS}" >> $GITHUB_OUTPUT + test: name: Test needs: build @@ -71,3 +72,76 @@ jobs: run_ct: true helm_args: ${{ needs.build.outputs.helm_args }} load_artifact: true + + smoke-test: + name: Smoke + runs-on: ${{ matrix.RUNNER }} + needs: build + strategy: + fail-fast: false + matrix: + k8s: [v1.23.13, v1.27.1] + ARCH: [amd64, arm64] + INJECTION_STRATEGY: [single, split] + include: + - ARCH: amd64 + RUNNER: self-hosted-amd64-2cpu + - ARCH: arm64 + RUNNER: self-hosted-arm64-2cpu + env: + KIND_CLUSTER_NAME: kind-${{ matrix.k8s }} + KUBECONFIG: $HOME/.kube/kind-config-${{ matrix.k8s }} + steps: + - name: Import secrets + uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0 + id: secrets + with: + exportEnv: false + url: ${{ secrets.VAULT_URL }} + role: ${{ secrets.VAULT_ROLE }} + method: kubernetes + path: kubernetes-ci + secrets: | + kv-gitlab-ci/data/github/ingress api_token ; + kv-gitlab-ci/data/github/ingress api_host ; + kv-gitlab-ci/data/github/ingress api_preset ; + kv-gitlab-ci/data/github/ingress user_token ; + kv-gitlab-ci/data/github/ingress webhook_uuid ; + kv-gitlab-ci/data/github/ingress webhook_api_key ; + kv-gitlab-ci/data/github/shared/allure allure_token ; + kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_name ; + kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_secret ; + + - name: Checkout + uses: actions/checkout@v4 + + - name: Load cache + uses: actions/download-artifact@v4 + with: + name: sidecar-${{ matrix.ARCH }}.tar + + - name: Load images + run: docker load -i sidecar-${{ matrix.ARCH }}.tar + + - name: Create cluster + run: kind create cluster --image=kindest/node:${{ matrix.k8s }} + + - name: Run smoke tests + env: + SKIP_CLUSTER_CREATION: true + SKIP_IMAGE_CREATION: true + WALLARM_API_TOKEN: ${{ steps.secrets.outputs.api_token }} + WALLARM_API_HOST: ${{ steps.secrets.outputs.api_host }} + WALLARM_API_PRESET: ${{ steps.secrets.outputs.api_preset }} + USER_TOKEN: ${{ steps.secrets.outputs.user_token }} + SMOKE_REGISTRY_TOKEN: ${{ steps.secrets.outputs.token_name }} + SMOKE_REGISTRY_SECRET: ${{ steps.secrets.outputs.token_secret }} + WEBHOOK_API_KEY: ${{ steps.secrets.outputs.webhook_api_key }} + WEBHOOK_UUID: ${{ steps.secrets.outputs.webhook_uuid }} + ALLURE_UPLOAD_REPORT: true + ALLURE_GENERATE_REPORT: true + ALLURE_TOKEN: ${{ steps.secrets.outputs.allure_token }} + ALLURE_ENVIRONMENT_K8S: ${{ matrix.k8s }} + ALLURE_ENVIRONMENT_ARCH: ${{ matrix.ARCH }} + run: | + make kind-smoke-test \ No newline at end of file diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index cb5d23e..d20a9fa 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -135,8 +135,8 @@ jobs: PLATFORM: [ amd64 ] RUNNER: [ self-hosted-amd64-1cpu ] include: - - { kubeVersion: 1.19.16, PLATFORM: aarch64, RUNNER: self-hosted-arm64-1cpu } - - { kubeVersion: 1.25.3, PLATFORM: aarch64, RUNNER: self-hosted-arm64-1cpu } + - { kubeVersion: 1.19.16, PLATFORM: arm64, RUNNER: self-hosted-arm64-1cpu } + - { kubeVersion: 1.25.3, PLATFORM: arm64, RUNNER: self-hosted-arm64-1cpu } steps: - name: Import secrets uses: hashicorp/vault-action@130d1f5f4fe645bb6c83e4225c04d64cfb62de6e # v2.5.0 diff --git a/AIO_BASE b/AIO_BASE new file mode 100644 index 0000000..0e2ec73 --- /dev/null +++ b/AIO_BASE @@ -0,0 +1 @@ +4.10.2-rc1 \ No newline at end of file diff --git a/Makefile b/Makefile index 67d13f6..b9639ba 100644 --- a/Makefile +++ b/Makefile @@ -6,7 +6,7 @@ ifndef CI PLATFORMS?=linux/amd64 BUILDX_ARGS?=--load else - PLATFORMS?=linux/amd64,linux/aarch64 + PLATFORMS?=linux/amd64,linux/arm64 BUILDX_ARGS?=--push endif @@ -18,6 +18,8 @@ IMAGE ?= wallarm/sidecar-controller CONTROLLER_IMAGE = $(IMAGE):$(TAG) COMMIT_SHA ?= git-$(shell git rev-parse --short HEAD) ALPINE_VERSION = 3.18 +INJECTION_STRATEGY ?= single +REGISTRY ?= wallarm ### Contribution routines ### @@ -116,7 +118,7 @@ setup_buildx: --use build: setup_buildx - @docker buildx build \ + docker buildx build \ --file Dockerfile \ --platform=$(PLATFORMS) \ --build-arg ALPINE_VERSION="$(ALPINE_VERSION)" \ @@ -132,6 +134,17 @@ dive: .PHONY: build push rmi dive +### Test +### + +.PHONY: smoke-test +smoke-test: ## Run smoke tests (expects access to a working Kubernetes cluster). + @test/smoke/run-smoke-suite.sh + +.PHONY: kind-smoke-test +kind-smoke-test: ## Run smoke tests using kind. + @test/smoke/run.sh + ### Cluster routines ### TARBALL := .tmp.image.tar diff --git a/test/smoke/run-smoke-suite.sh b/test/smoke/run-smoke-suite.sh new file mode 100755 index 0000000..effaf80 --- /dev/null +++ b/test/smoke/run-smoke-suite.sh @@ -0,0 +1,239 @@ +#!/bin/bash + +if [[ -n "${DEBUG}" ]]; then + set -x +fi + +set -o errexit +set -o nounset +set -o pipefail + +export KIND_CLUSTER_NAME=${KIND_CLUSTER_NAME:-ingress-smoke-test} +export KUBECONFIG="${KUBECONFIG:-$HOME/.kube/kind-config-$KIND_CLUSTER_NAME}" + +# Variables required for pulling Docker image with pytest +SMOKE_REGISTRY_NAME="${SMOKE_REGISTRY_NAME:-dkr.wallarm.com}" +SMOKE_IMAGE_PULL_SECRET_NAME="pytest-registry-creds" + +SMOKE_IMAGE_NAME="${SMOKE_IMAGE_NAME:-dkr.wallarm.com/tests/smoke-tests}" +SMOKE_IMAGE_TAG="${SMOKE_IMAGE_TAG:-latest}" + +# Allure related variables +ALLURE_ENDPOINT="${ALLURE_ENDPOINT:-https://allure.wallarm.com}" +ALLURE_PROJECT_ID=${ALLURE_PROJECT_ID:-10} +ALLURE_RESULTS="${ALLURE_RESULTS:-/tests/_out/allure_report}" +ALLURE_UPLOAD_REPORT="${ALLURE_UPLOAD_REPORT:-false}" +ALLURE_GENERATE_REPORT="${ALLURE_GENERATE_REPORT:-false}" + +# Pytest related variables +CLIENT_ID="${CLIENT_ID:-5}" +WALLARM_API_CA_VERIFY="${WALLARM_API_CA_VERIFY:-true}" +WALLARM_API_HOST="${WALLARM_API_HOST:-api.wallarm.com}" +WALLARM_API_PRESET="${WALLARM_API_PRESET:-eu1}" +NODE_BASE_URL="${NODE_BASE_URL:-http://workload.default.svc.cluster.local}" +PYTEST_ARGS=$(echo "${PYTEST_ARGS:---allure-features=Node}" | xargs) +PYTEST_WORKERS="${PYTEST_WORKERS:-10}" +#TODO We need it here just to don't let test fail. Remove this variable when test will be fixed. +HOSTNAME_OLD_NODE="smoke-tests-old-node" + +NODE_VERSION=$(< "${CURDIR}/AIO_BASE" awk -F'[-.]' '{print $1"."$2"."$3}') +echo "AiO Node version: ${NODE_VERSION}" + +function clean_allure_report() { + [[ "$ALLURE_GENERATE_REPORT" == false && -d "allure_report" ]] && rm -rf allure_report/* 2>/dev/null || true +} + +function get_logs_and_fail() { + get_logs + extra_debug_logs + clean_allure_report + exit 1 +} + +function get_logs() { + echo "#################################" + echo "###### Init container logs ######" + echo "#################################" + kubectl logs -l "app.kubernetes.io/component=controller" -c addnode --tail=-1 + echo -e "#################################\n" + + echo "#######################################" + echo "###### Controller container logs ######" + echo "#######################################" + kubectl logs -l "app.kubernetes.io/component=controller" -c controller --tail=-1 + echo -e "#######################################\n" + + echo "#################################" + echo "###### Cron container logs ######" + echo "#################################" + kubectl logs -l "app.kubernetes.io/component=controller" -c cron --tail=-1 + echo -e "#################################\n" + + echo "###################################" + echo "###### API-WF container logs ######" + echo "###################################" + kubectl logs -l "app.kubernetes.io/component=controller" -c api-firewall --tail=-1 || true + echo -e "####################################\n" + + echo "####################################################" + echo "###### List directory /opt/wallarm/etc/wallarm #####" + echo "####################################################" + kubectl exec "${POD}" -c controller -- sh -c "ls -laht /opt/wallarm/etc/wallarm && cat /opt/wallarm/etc/wallarm/node.yaml" || true + echo -e "#####################################################\n" + + echo "############################################" + echo "###### List directory /var/lib/nginx/wallarm" + echo "############################################" + kubectl exec "${POD}" -c controller -- sh -c "ls -laht /opt/wallarm/var/lib/nginx/wallarm && ls -laht /opt/wallarm/var/lib/nginx/wallarm/shm" || true + echo -e "############################################\n" + + echo "############################################################" + echo "###### List directory /opt/wallarm/var/lib/wallarm-acl #####" + echo "############################################################" + kubectl exec "${POD}" -c controller -- sh -c "ls -laht /opt/wallarm/var/lib/wallarm-acl" || true + echo -e "############################################################\n" + + echo "##################################################" + echo "###### TARANTOOL Pod - Cron container logs ######" + echo "##################################################" + kubectl logs -l "app.kubernetes.io/component=controller-wallarm-tarantool" -c cron --tail=-1 + echo -e "##################################################\n" + + echo "######################################################" + echo "###### TARANTOOL Pod - Tarantool container logs ######" + echo "######################################################" + kubectl logs -l "app.kubernetes.io/component=controller-wallarm-tarantool" -c tarantool --tail=-1 + echo -e "######################################################\n" +} + + +function extra_debug_logs { + echo "############################################" + echo "###### Extra cluster debug info ############" + echo "############################################" + + echo "Grepping cluster OOMKilled events..." + kubectl get events -A | grep -i OOMKill || true + + echo "Displaying pods state in default namespace..." + kubectl get pods + +} + +declare -a mandatory +mandatory=( + CLIENT_ID + USER_TOKEN + # SMOKE_REGISTRY_TOKEN + # SMOKE_REGISTRY_SECRET +) + +missing=false +for var in "${mandatory[@]}"; do + if [[ -z "${!var:-}" ]]; then + echo "Environment variable $var must be set" + missing=true + fi +done + +if [ "$missing" = true ]; then + exit 1 +fi + +if [[ "${CI:-false}" == "false" ]]; then + trap 'kubectl delete pod pytest --now --ignore-not-found' EXIT ERR + # Colorize pytest output if run locally + EXEC_ARGS="--tty --stdin" +else + EXEC_ARGS="--tty" +fi + +if ! kubectl get secret "${SMOKE_IMAGE_PULL_SECRET_NAME}" &> /dev/null; then + echo "Creating secret with pytest registry credentials ..." + kubectl create secret docker-registry ${SMOKE_IMAGE_PULL_SECRET_NAME} \ + --docker-server="${SMOKE_REGISTRY_NAME}" \ + --docker-username="${SMOKE_REGISTRY_TOKEN}" \ + --docker-password="${SMOKE_REGISTRY_SECRET}" \ + --docker-email=docker-pull@unexists.unexists +fi + +echo "Retrieving Wallarm Node UUID ..." +POD=$(kubectl get pod -l app=workload -o=name | cut -d/ -f 2) +NODE_UUID=$(kubectl exec "${POD}" -c sidecar-proxy -- cat /opt/wallarm/etc/wallarm/node.yaml | grep uuid | awk '{print $2}' | xargs) +if [[ -z "${NODE_UUID}" ]]; then + echo "Failed to retrieve Wallarm Node UUID" + get_logs_and_fail +fi +echo "Node UUID: ${NODE_UUID}" + +RAND_NUM="${RANDOM}${RANDOM}${RANDOM}" +RAND_NUM=${RAND_NUM:0:10} + +echo "Deploying pytest pod ..." + +kubectl apply -f - << EOF +apiVersion: v1 +kind: Pod +metadata: + name: pytest +spec: + terminationGracePeriodSeconds: 0 + restartPolicy: Never + imagePullSecrets: + - name: "${SMOKE_IMAGE_PULL_SECRET_NAME}" + containers: + - command: [sleep, infinity] + env: + - {name: NODE_BASE_URL, value: "${NODE_BASE_URL}"} + - {name: NODE_UUID, value: "${NODE_UUID}"} + - {name: WALLARM_API_HOST, value: "${WALLARM_API_HOST}"} + - {name: WALLARM_API_PRESET, value: "${WALLARM_API_PRESET}"} + - {name: API_CA_VERIFY, value: "${WALLARM_API_CA_VERIFY}"} + - {name: CLIENT_ID, value: "${CLIENT_ID}"} + - {name: USER_TOKEN, value: "${USER_TOKEN}"} + - {name: HOSTNAME_OLD_NODE, value: "${HOSTNAME_OLD_NODE}"} + - {name: WEBHOOK_UUID, value: "${WEBHOOK_UUID}"} + - {name: WEBHOOK_API_KEY, value: "${WEBHOOK_API_KEY}"} + - {name: ALLURE_ENVIRONMENT_K8S, value: "${ALLURE_ENVIRONMENT_K8S:-}"} + - {name: ALLURE_ENVIRONMENT_ARCH, value: "${ALLURE_ENVIRONMENT_ARCH:-}"} + - {name: ALLURE_ENDPOINT, value: "${ALLURE_ENDPOINT}"} + - {name: ALLURE_PROJECT_ID, value: "${ALLURE_PROJECT_ID}"} + - {name: ALLURE_TOKEN, value: "${ALLURE_TOKEN:-}"} + - {name: ALLURE_RESULTS, value: "${ALLURE_RESULTS}"} + - {name: NODE_VERSION, value: "${NODE_VERSION:-}"} + - name: ALLURE_LAUNCH_TAGS + value: > + USER:${GITHUB_ACTOR:-local}, + WORKFLOW:${GITHUB_WORKFLOW:-local}, + RUN_ID:${GITHUB_RUN_ID:-local}, + BRANCH:${GITHUB_REF_NAME:-local}, + JOB:${GITHUB_JOB:-local}, + K8S:${ALLURE_ENVIRONMENT_K8S:-}, + ARCH:${ALLURE_ENVIRONMENT_ARCH:-} + - name: ALLURE_LAUNCH_NAME + value: > + ${GITHUB_WORKFLOW:-local}-${GITHUB_RUN_ID:-local}-${GITHUB_JOB:-local}- + ${ALLURE_ENVIRONMENT_K8S:-}-${ALLURE_ENVIRONMENT_ARCH:-} + image: "${SMOKE_IMAGE_NAME}:${SMOKE_IMAGE_TAG}" + imagePullPolicy: IfNotPresent + name: pytest + volumeMounts: + - {mountPath: /tests/_out/allure_report, name: allure-report, readOnly: false} + volumes: + - name: allure-report + hostPath: {path: /allure_report, type: DirectoryOrCreate} +EOF + +echo "Waiting for all pods ready ..." +sleep 10 +kubectl wait --for=condition=Ready pods --all --timeout=300s + +echo "Run smoke tests ..." +GITHUB_VARS=$(env | awk -F '=' '/^GITHUB_/ {vars = vars $1 "=" $2 " ";} END {print vars}') +RUN_TESTS=$([ "$ALLURE_UPLOAD_REPORT" = "true" ] && echo "allurectl watch --job-uid ${RAND_NUM} -- pytest" || echo "pytest") + +EXEC_CMD="env $GITHUB_VARS $RUN_TESTS -n ${PYTEST_WORKERS} ${PYTEST_ARGS}" +# shellcheck disable=SC2086 +kubectl exec pytest ${EXEC_ARGS} -- ${EXEC_CMD} || get_logs_and_fail +extra_debug_logs +clean_allure_report \ No newline at end of file diff --git a/test/smoke/run.sh b/test/smoke/run.sh new file mode 100755 index 0000000..35b5990 --- /dev/null +++ b/test/smoke/run.sh @@ -0,0 +1,155 @@ +#!/bin/bash + +# Copyright 2019 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +KIND_LOG_LEVEL="1" + +if ! [ -z $DEBUG ]; then + set -x + KIND_LOG_LEVEL="6" +fi + +export TAG=1.0.0-dev +export ARCH=${ARCH:-amd64} + +export KIND_CLUSTER_NAME=${KIND_CLUSTER_NAME:-sidecar-smoke-test} +export KUBECONFIG="${KUBECONFIG:-$HOME/.kube/kind-config-$KIND_CLUSTER_NAME}" + +export WALLARM_API_HOST="${WALLARM_API_HOST:-api.wallarm.com}" +export WALLARM_API_CA_VERIFY="${WALLARM_API_CA_VERIFY:-true}" +export SMOKE_IMAGE_NAME="${SMOKE_IMAGE_NAME:-dkr.wallarm.com/tests/smoke-tests}" +export SMOKE_IMAGE_TAG="${SMOKE_IMAGE_TAG:-latest}" +export INJECTION_STRATEGY="${INJECTION_STRATEGY:-single}" + +K8S_VERSION=${K8S_VERSION:-v1.25.8} + +set -o errexit +set -o nounset +set -o pipefail + +cleanup() { + if [[ "${KUBETEST_IN_DOCKER:-}" == "true" ]]; then + kind "export" logs --name ${KIND_CLUSTER_NAME} "${ARTIFACTS}/logs" || true + fi + if [[ "${CI:-}" == "true" ]]; then + kind delete cluster \ + --verbosity=${KIND_LOG_LEVEL} \ + --name ${KIND_CLUSTER_NAME} + fi +} + +trap cleanup EXIT ERR + +[[ "${CI:-}" == "true" ]] && unset KUBERNETES_SERVICE_HOST + +declare -a mandatory +mandatory=( + WALLARM_API_TOKEN +) + +missing=false +for var in "${mandatory[@]}"; do + if [[ -z "${!var:-}" ]]; then + echo "Environment variable $var must be set" + missing=true + fi +done + +if [ "$missing" = true ]; then + exit 1 +fi + +if ! command -v kind --version &> /dev/null; then + echo "kind is not installed. Use the package manager or visit the official site https://kind.sigs.k8s.io/" + exit 1 +fi + +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + +if [ "${SKIP_CLUSTER_CREATION:-false}" = "false" ]; then + if kind get clusters | grep -q "${KIND_CLUSTER_NAME}"; then + echo "[test-env] Kubernetes cluster ${KIND_CLUSTER_NAME} already exists. Using existing cluster ..." + else + echo "[test-env] creating Kubernetes cluster with kind" + kind create cluster \ + --verbosity=${KIND_LOG_LEVEL} \ + --name ${KIND_CLUSTER_NAME} \ + --retain \ + --image "kindest/node:${K8S_VERSION}" \ + --config=<(cat << EOF +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +nodes: + - role: control-plane + extraPortMappings: + - containerPort: 30000 + hostPort: 8080 + protocol: TCP + extraMounts: + - hostPath: "${CURDIR}/allure_report" + containerPath: /allure_report +EOF +) + + echo "Kubernetes cluster:" + kubectl get nodes -o wide + fi +fi + +if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then + echo "[test-env] building sidecar image..." + make -C "${DIR}"/../../ build +fi + +# If this variable is set to 'true' we use public images instead local build. +if [ "${SKIP_IMAGE_LOADING:-false}" = "false" ]; then + echo "[test-env] copying ${REGISTRY}/sidecar-controller:${TAG} image to cluster..." + kind load docker-image --name="${KIND_CLUSTER_NAME}" "${REGISTRY}/sidecar-controller:${TAG}" +else + TAG=$(cat "${CURDIR}/TAG") + export TAG +fi + +echo "[test-env] installing Helm chart using TAG=${TAG} ..." + +cat << EOF | helm upgrade --install sidecar-controller "${DIR}/../../helm" --wait --values - +config: + sidecar: + image: + pullPolicy: "Always" + containers: + proxy: + readinessProbe: + initialDelaySeconds: 30 + nginx: + realIpHeader: "X-Real-IP" + setRealIpFrom: + - 0.0.0.0/0 + wallarm: + fallback: "off" + api: + token: ${WALLARM_API_TOKEN} + host: ${WALLARM_API_HOST} + injectionStrategy: + schema: ${INJECTION_STRATEGY} +EOF + +kubectl wait --for=condition=Ready pods --all --timeout=120s + +echo "[test-env] deploying test workload ..." +kubectl apply -f "${DIR}"/workload.yaml +kubectl wait --for=condition=Ready pods --all --timeout=120s + +echo "[test-env] running smoke tests suite ..." +make -C "${DIR}"/../../ smoke-test \ No newline at end of file diff --git a/test/smoke/workload.yaml b/test/smoke/workload.yaml new file mode 100644 index 0000000..bf8f604 --- /dev/null +++ b/test/smoke/workload.yaml @@ -0,0 +1,149 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: workload +data: + nginx.conf: | + user nginx; + worker_processes 3; + error_log /var/log/nginx/error.log; + events { + worker_connections 10240; + } + http { + log_format main '$remote_addr - $remote_user [$time_local] ' + '"$request" $status $bytes_sent ' + '"$http_referer" "$http_user_agent" "$gzip_ratio"'; + access_log /var/log/nginx/access.log main; + server { + listen 80; + server_name _; + + location / { + return 200; + } + + # Location for API discovery test + location /api-discovery-test { + add_header Api-Discovery-Header "Hello, I am header!"; + return 200 '{"json_response": "Hello, I am json"}'; + default_type application/json; + } + # Location for Blocking Tor Source Type + location /blocking-by-tor-test { + add_header Block-by-Tor "Hello, I am header!"; + return 200 '{"json_response": "Hello, I am json"}'; + default_type application/json; + } + # Some mocks for test_api_abuse_prevention.py + location /.git { + if ($http_custom_id) { + return 400; + } + return 200; + } + location /wallarm-application/admin { + return 401; + } + location /api/v2 { + if ($http_custom_id) { + return 502; + } + return 200; + } + location /smoke-auto-forced-browsing/ { + return 404; + } + } + } +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: sidecar-config +data: + sidecar-include.conf : | + location /wallarm-mode/monitoring { + wallarm_mode monitoring; + proxy_pass http://127.0.0.1:80; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + # Endpoint for `test_api_abuse_prevention.py` (and any other test, that uses non-default APP_ID) + location /wallarm-application/ { + wallarm_application $http_custom_id; + proxy_pass http://127.0.0.1:80; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + } + + location /api-discovery-test { + wallarm_application $http_custom_id; + proxy_pass http://127.0.0.1:80; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + location /blocking-by-tor-test { + wallarm_application $http_custom_id; + proxy_pass http://127.0.0.1:80; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: workload +spec: + selector: + matchLabels: + app: workload + replicas: 1 + template: + metadata: + labels: + app: workload + wallarm-sidecar: enabled + annotations: + sidecar.wallarm.io/wallarm-mode: "block" + sidecar.wallarm.io/proxy-extra-volumes: '[{"name": "nginx-http-extra-config", "configMap": {"name": "sidecar-config"}}]' + sidecar.wallarm.io/proxy-extra-volume-mounts: '[{"name": "nginx-http-extra-config", "mountPath": "/nginx_include/sidecar-config.conf", "subPath": "sidecar-include.conf"}]' + sidecar.wallarm.io/nginx-server-include: "['/nginx_include/sidecar-config.conf']" + spec: + containers: + - name: nginx + image: nginx:stable-alpine + ports: + - containerPort: 80 + volumeMounts: + - name: config + mountPath: /etc/nginx + readOnly: true + volumes: + - name: config + configMap: + name: workload + items: + - key: nginx.conf + path: nginx.conf +--- +apiVersion: v1 +kind: Service +metadata: + name: workload +spec: + type: NodePort + ports: + - port: 80 + targetPort: 80 + nodePort: 30000 + selector: + app: workload \ No newline at end of file