Skip to content

[Backport 1.30-strict] Prioritize SNAP_CURRENT in containerd paths (#4710) #5042

[Backport 1.30-strict] Prioritize SNAP_CURRENT in containerd paths (#4710)

[Backport 1.30-strict] Prioritize SNAP_CURRENT in containerd paths (#4710) #5042

Workflow file for this run

name: Build and test MicroK8s snap
on:
- pull_request
jobs:
build:
name: Create snap package
runs-on: ubuntu-20.04
steps:
- name: Checking out repo
uses: actions/checkout@v4
- name: Install lxd
run: |
sudo lxd init --auto
sudo usermod --append --groups lxd $USER
sg lxd -c 'lxc version'
- name: Install snapcraft
run: |
sudo snap install snapcraft --classic
- name: Install snapd from candidate
run: |
# TODO(neoaggelos): revert this after latest/beta is working again
sudo snap refresh snapd --channel=latest/stable
- name: Build snap
run: |
sg lxd -c 'snapcraft --use-lxd'
sudo mv microk8s*.snap microk8s.snap
- name: Uploading snap
uses: actions/upload-artifact@v3
with:
name: microk8s.snap
path: microk8s.snap
test-upgrade:
name: Upgrade path test
runs-on: ubuntu-20.04
needs: build
steps:
- name: Checking out repo
uses: actions/checkout@v4
- name: Install test dependencies
run: |
set -x
sudo apt-get install python3-setuptools
sudo pip3 install --upgrade pip
sudo pip3 install -U pytest sh
sudo apt-get -y install open-iscsi
sudo systemctl enable iscsid
- name: Fetch snap
uses: actions/[email protected]
with:
name: microk8s.snap
path: build
- name: Running upgrade path test
run: |
sudo -E STRICT="yes" UPGRADE_MICROK8S_FROM=1.30-strict/edge UPGRADE_MICROK8S_TO=$PWD/build/microk8s.snap pytest -s ./tests/test-upgrade-path.py
test-addons-core:
name: Test core addons
runs-on: ubuntu-20.04
needs: build
steps:
- name: Checking out repo
uses: actions/checkout@v4
- name: Install test dependencies
run: |
set -x
sudo apt-get install python3-setuptools
sudo pip3 install --upgrade pip
sudo pip3 install -U pytest sh
sudo apt-get -y install open-iscsi
sudo systemctl enable iscsid
- name: Fetch snap
uses: actions/[email protected]
with:
name: microk8s.snap
path: build
- name: Running addons tests in strict mode
run: |
set -x
sudo snap install build/microk8s.snap --dangerous
sudo /snap/microk8s/current/connect-all-interfaces.sh
sudo microk8s status --wait-ready --timeout 300
./tests/smoke-test.sh
export UNDER_TIME_PRESSURE="True"
export STRICT="yes"
sudo -E bash -c "cd /var/snap/microk8s/common/addons/core/tests; pytest -s -ra test-addons.py"
test-addons-community:
name: Test community addons
runs-on: ubuntu-20.04
needs: build
steps:
- name: Checking out repo
uses: actions/checkout@v4
- name: Install test dependencies
run: |
set -x
sudo apt-get install python3-setuptools
sudo pip3 install --upgrade pip
sudo pip3 install -U pytest sh
sudo apt-get -y install open-iscsi
sudo systemctl enable iscsid
- name: Fetch snap
uses: actions/[email protected]
with:
name: microk8s.snap
path: build
# - name: Setup tmate session
# uses: mxschmitt/action-tmate@v3
- name: Running addons tests
run: |
set -x
sudo snap install build/microk8s.snap --classic --dangerous
sudo /snap/microk8s/current/connect-all-interfaces.sh
sudo microk8s status --wait-ready --timeout 300
sudo microk8s enable community
export UNDER_TIME_PRESSURE="True"
export STRICT="yes"
sudo -E bash -c "cd /var/snap/microk8s/common/addons/community/; pytest -s -ra ./tests/"
test-addons-core-upgrade:
name: Test core addons upgrade
runs-on: ubuntu-20.04
needs: build
steps:
- name: Checking out repo
uses: actions/checkout@v4
# - name: Setup tmate session
# uses: mxschmitt/action-tmate@v3
- name: Install test dependencies
run: |
set -x
sudo apt-get install python3-setuptools
sudo pip3 install --upgrade pip
sudo pip3 install -U pytest sh
sudo apt-get -y install open-iscsi
sudo systemctl enable iscsid
- name: Fetch snap
uses: actions/[email protected]
with:
name: microk8s.snap
path: build
- name: Running upgrade tests
run: |
set -x
export UNDER_TIME_PRESSURE="True"
export STRICT="yes"
sudo -E bash -c "UPGRADE_MICROK8S_FROM=1.30-strict/edge UPGRADE_MICROK8S_TO=$PWD/build/microk8s.snap pytest -s ./tests/test-upgrade.py"
test-cluster-agent:
name: Cluster agent health check
runs-on: ubuntu-20.04
needs: build
steps:
- name: Checking out repo
uses: actions/checkout@v4
- name: Install test dependencies
run: |
set -x
sudo apt-get install python3-setuptools
sudo pip3 install --upgrade pip
sudo pip3 install -U pytest sh requests
- name: Fetch snap
uses: actions/[email protected]
with:
name: microk8s.snap
path: build
- name: Running cluster agent health check
run: |
set -x
sudo snap install build/microk8s.snap --classic --dangerous
sudo /snap/microk8s/current/connect-all-interfaces.sh
sudo -E bash -c "pytest -s ./tests/test-cluster-agent.py"
test-airgap:
name: Test airgap installation
runs-on: ubuntu-20.04
needs: build
steps:
- name: Checking out repo
uses: actions/checkout@v4
- name: Fetch snap
uses: actions/[email protected]
with:
name: microk8s.snap
path: build
- name: Initialize LXD
run: |
sudo lxd init --auto
sudo lxc network set lxdbr0 ipv6.address=none
sudo usermod --append --groups lxd $USER
sg lxd -c 'lxc version'
- name: Run airgap tests
run: |
sudo -E bash -x -c "./tests/libs/airgap.sh --distro ubuntu:20.04 --channel $PWD/build/microk8s.snap"
security-scan:
name: Security scan
runs-on: ubuntu-20.04
needs: build
steps:
- name: Checking out repo
uses: actions/checkout@v4
- name: Fetch snap
uses: actions/[email protected]
with:
name: microk8s.snap
path: build
- name: Setup Trivy vulnerability scanner
run: |
mkdir -p sarifs
VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}');
wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz
tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
ignore-unfixed: true
format: "sarif"
output: "trivy-microk8s-repo-scan--results.sarif"
severity: "CRITICAL"
- name: Gather Trivy repo scan results
run: |
cp trivy-microk8s-repo-scan--results.sarif ./sarifs/
- name: Run Trivy vulnerability scanner on images
run: |
for i in $(cat ./build-scripts/images.txt) ; do
name=$(echo $i | awk -F ':|/' '{print $(NF-1)}')
./trivy image $i --format sarif > sarifs/$name.sarif
done
- name: Run Trivy vulnerability scanner on the snap
run: |
cp build/microk8s.snap .
unsquashfs microk8s.snap
./trivy rootfs ./squashfs-root/ --format sarif > sarifs/snap.sarif
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "sarifs"