From 1ceabad09097fb032615430c5a5d8dee896dce8f Mon Sep 17 00:00:00 2001 From: Markus Walker Date: Thu, 5 Sep 2024 16:02:54 -0700 Subject: [PATCH] Update hardening action to include YAML and bash scripts --- tests/v2/actions/hardening/k3s/audit.yaml | 4 ++ .../v2/actions/hardening/k3s/harden_nodes.go | 16 +++++--- .../actions/hardening/rke1/account-update.sh | 6 +++ .../hardening/rke1/account-update.yaml | 5 +++ .../v2/actions/hardening/rke1/harden_nodes.go | 32 ++++++++++------ .../actions/hardening/rke2/account-update.sh | 6 +++ .../hardening/rke2/account-update.yaml | 5 +++ .../v2/actions/hardening/rke2/harden_nodes.go | 37 +++++++++++++------ 8 files changed, 81 insertions(+), 30 deletions(-) create mode 100644 tests/v2/actions/hardening/k3s/audit.yaml create mode 100755 tests/v2/actions/hardening/rke1/account-update.sh create mode 100644 tests/v2/actions/hardening/rke1/account-update.yaml create mode 100755 tests/v2/actions/hardening/rke2/account-update.sh create mode 100644 tests/v2/actions/hardening/rke2/account-update.yaml diff --git a/tests/v2/actions/hardening/k3s/audit.yaml b/tests/v2/actions/hardening/k3s/audit.yaml new file mode 100644 index 00000000000..9ec0d3c11a0 --- /dev/null +++ b/tests/v2/actions/hardening/k3s/audit.yaml @@ -0,0 +1,4 @@ +apiVersion: audit.k8s.io/v1 +kind: Policy +rules: +- level: Metadata \ No newline at end of file diff --git a/tests/v2/actions/hardening/k3s/harden_nodes.go b/tests/v2/actions/hardening/k3s/harden_nodes.go index ba4d8abd8db..33e293fe894 100644 --- a/tests/v2/actions/hardening/k3s/harden_nodes.go +++ b/tests/v2/actions/hardening/k3s/harden_nodes.go @@ -1,6 +1,8 @@ package k3s import ( + "os/user" + "path/filepath" "strings" "github.com/rancher/shepherd/pkg/nodes" 
@@ -41,12 +43,14 @@ func HardenK3SNodes(nodes []*nodes.Node, nodeRoles []string, kubeVersion string) } if strings.Contains(nodeRoles[key], "--controlplane") { - _, err = node.ExecuteCommand(`sudo bash -c 'cat << EOF > /home/` + node.SSHUser + `/audit.yaml -apiVersion: audit.k8s.io/v1 -kind: Policy -rules: -- level: Metadata -EOF'`) + logrus.Infof("Copying over files to node %s", node.NodeID) + user, err := user.Current() + if err != nil { + return nil + } + + dirPath := filepath.Join(user.HomeDir, "go/src/github.com/rancher/rancher/tests/v2/actions/hardening/k3s") + err = node.SCPFileToNode(dirPath+"/audit.yaml", "/home/"+node.SSHUser+"/audit.yaml") if err != nil { return err } diff --git a/tests/v2/actions/hardening/rke1/account-update.sh b/tests/v2/actions/hardening/rke1/account-update.sh new file mode 100755 index 00000000000..ae4773db438 --- /dev/null +++ b/tests/v2/actions/hardening/rke1/account-update.sh @@ -0,0 +1,6 @@ +#!/bin/bash -e + +for namespace in $(kubectl get namespaces -A -o=jsonpath="{.items[*]['metadata.name']}"); do + echo -n "Patching namespace $namespace - "; + kubectl patch serviceaccount default -n ${namespace} -p "$(cat account_update.yaml)"; +done \ No newline at end of file diff --git a/tests/v2/actions/hardening/rke1/account-update.yaml b/tests/v2/actions/hardening/rke1/account-update.yaml new file mode 100644 index 00000000000..7176ccb9928 --- /dev/null +++ b/tests/v2/actions/hardening/rke1/account-update.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: default +automountServiceAccountToken: false \ No newline at end of file diff --git a/tests/v2/actions/hardening/rke1/harden_nodes.go b/tests/v2/actions/hardening/rke1/harden_nodes.go index 9967b971d0f..e6f059078dc 100644 --- a/tests/v2/actions/hardening/rke1/harden_nodes.go +++ b/tests/v2/actions/hardening/rke1/harden_nodes.go @@ -1,6 +1,8 @@ package rke1 import ( + "os/user" + "path/filepath" "strings" "github.com/rancher/shepherd/pkg/nodes" 
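Review bot: The `if err != nil { return nil }` after `user.Current()` makes the hardening step report success without ever copying audit.yaml to the control-plane node, so a failure to resolve the local home directory silently leaves the node without its audit policy; it should be `return err`. The same swallowed error is repeated in the rke1/harden_nodes.go hunk and in the first rke2/harden_nodes.go hunk. `user, err := user.Current()` also shadows the `os/user` package for the rest of the block, which compiles but reads badly; `usr, err := user.Current()` with `usr.HomeDir` on the dirPath line avoids it. HardenK3SNodes begins and ends outside the hunk.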
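Review bot: `$(cat account_update.yaml)` on the kubectl line names the file with an underscore and a relative path, while the rke1/harden_nodes.go hunk copies `account-update.yaml` (hyphen) to `/home/<SSHUser>/` and starts the script via `sudo bash -c` without changing directory; unless the remote working directory happens to hold a file of that exact name, cat fails, kubectl receives an empty patch and the script aborts under `-e` on the first namespace instead of applying `automountServiceAccountToken: false`. Resolving the yaml next to the script removes the dependency on the working directory: `kubectl patch serviceaccount default -n "${namespace}" -p "$(cat "$(dirname "$0")/account-update.yaml")";`. The rke2 variant of this script already uses an absolute path.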
@@ -69,23 +71,29 @@ func PostRKE1HardeningConfig(nodes []*nodes.Node, nodeRoles []string) error { } if strings.Contains(nodeRoles[key], "--controlplane") { - _, err := node.ExecuteCommand(`sudo bash -c 'cat << EOF > /home/` + node.SSHUser + `/account-update.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: default -automountServiceAccountToken: false -EOF'`) + logrus.Infof("Copying over files to node %s", node.NodeID) + user, err := user.Current() + if err != nil { + return nil + } + + dirPath := filepath.Join(user.HomeDir, "go/src/github.com/rancher/rancher/tests/v2/actions/hardening/rke1") + err = node.SCPFileToNode(dirPath+"/account-update.yaml", "/home/"+node.SSHUser+"/account-update.yaml") + if err != nil { + return err + } + + err = node.SCPFileToNode(dirPath+"/account-update.sh", "/home/"+node.SSHUser+"/account-update.sh") if err != nil { return err } - command := `for namespace in $(kubectl get namespaces -A -o=jsonpath="{.items[*]['metadata.name']}"); do - echo -n "Patching namespace $namespace - "; - kubectl patch serviceaccount default -n ${namespace} -p "$(cat /home/` + node.SSHUser + `/account_update.yaml)"; - done` + _, err = node.ExecuteCommand("sudo bash -c 'chmod +x /home/" + node.SSHUser + "/account-update.sh'") + if err != nil { + return err + } - _, err = node.ExecuteCommand("sudo bash -c '" + command + "'") + _, err = node.ExecuteCommand("sudo bash -c '/home/" + node.SSHUser + "/account-update.sh'") if err != nil { return err } diff --git a/tests/v2/actions/hardening/rke2/account-update.sh b/tests/v2/actions/hardening/rke2/account-update.sh new file mode 100755 index 00000000000..e723d0fe145 --- /dev/null +++ b/tests/v2/actions/hardening/rke2/account-update.sh 
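Review bot: `dirPath+"/account-update.yaml"` and `dirPath+"/account-update.sh"` concatenate a separator onto a path that was just built with `filepath.Join`; `filepath.Join(dirPath, "account-update.yaml")` keeps one convention (the k3s and rke2 hunks have the same mix). The `go/src/github.com/rancher/rancher/tests/v2/actions/hardening/rke1` component also pins the source of the hardening files to a GOPATH-style checkout under the runner's home directory, so the step fails for any other checkout location; deriving the directory from `runtime.Caller(0)` or a config value would make it independent of where the repository lives. PostRKE1HardeningConfig begins and ends outside the hunk.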
@@ -0,0 +1,6 @@ +#!/bin/bash -e + +for namespace in $(kubectl get namespaces -A -o=jsonpath="{.items[*]['metadata.name']}"); do + echo -n "Patching namespace $namespace - " + kubectl patch serviceaccount default -n ${namespace} -p "$(cat /var/lib/rancher/rke2/server/account-update.yaml)" +done \ No newline at end of file diff --git a/tests/v2/actions/hardening/rke2/account-update.yaml b/tests/v2/actions/hardening/rke2/account-update.yaml new file mode 100644 index 00000000000..7176ccb9928 --- /dev/null +++ b/tests/v2/actions/hardening/rke2/account-update.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: default +automountServiceAccountToken: false \ No newline at end of file diff --git a/tests/v2/actions/hardening/rke2/harden_nodes.go b/tests/v2/actions/hardening/rke2/harden_nodes.go index 1ae0abd3f18..2912d246a01 100644 --- a/tests/v2/actions/hardening/rke2/harden_nodes.go +++ b/tests/v2/actions/hardening/rke2/harden_nodes.go @@ -1,6 +1,8 @@ package rke2 import ( + "os/user" + "path/filepath" "strings" "github.com/rancher/shepherd/pkg/nodes" 
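Review bot: The script reads `/var/lib/rancher/rke2/server/account-update.yaml`, but the rke2/harden_nodes.go hunks copy account-update.yaml to `/home/<SSHUser>/` and only move the `.sh` into `/var/lib/rancher/rke2/server/`; if the yaml is not moved there in the lines between those two hunks (not visible here), cat fails, kubectl receives an empty patch and the run aborts under `-e`. A comment at the top of the script stating where the yaml is expected and which Go step places it would make that dependency explicit, e.g. `# expects account-update.yaml in /var/lib/rancher/rke2/server, placed by PostRKE2HardeningConfig`.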
@@ -55,13 +57,19 @@ func HardenRKE2Nodes(nodes []*nodes.Node, nodeRoles []string) error { func PostRKE2HardeningConfig(nodes []*nodes.Node, nodeRoles []string) error { for key, node := range nodes { if strings.Contains(nodeRoles[key], "--controlplane") { - _, err := node.ExecuteCommand(`sudo bash -c 'cat << EOF > /home/` + node.SSHUser + `/account-update.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: default -automountServiceAccountToken: false -EOF'`) + logrus.Infof("Copying over files to node %s", node.NodeID) + user, err := user.Current() + if err != nil { + return nil + } + + dirPath := filepath.Join(user.HomeDir, "go/src/github.com/rancher/rancher/tests/v2/actions/hardening/rke2") + err = node.SCPFileToNode(dirPath+"/account-update.yaml", "/home/"+node.SSHUser+"/account-update.yaml") + if err != nil { + return err + } + + err = node.SCPFileToNode(dirPath+"/account-update.sh", "/home/"+node.SSHUser+"/account-update.sh") if err != nil { return err } @@ -71,12 +79,17 @@ EOF'`) return err } - command := `for namespace in $(kubectl get namespaces -A -o=jsonpath="{.items[*]['metadata.name']}"); do - echo -n "Patching namespace $namespace - "; - kubectl patch serviceaccount default -n ${namespace} -p "$(cat /var/lib/rancher/rke2/server/account-update.yaml)"; - done` + _, err = node.ExecuteCommand("sudo bash -c 'mv /home/" + node.SSHUser + "/account-update.sh /var/lib/rancher/rke2/server/account-update.sh'") + if err != nil { + return err + } + + _, err = node.ExecuteCommand("sudo bash -c 'chmod +x /var/lib/rancher/rke2/server/account-update.sh'") + if err != nil { + return err + } - _, err = node.ExecuteCommand("sudo bash -c '" + command + "'") + _, err = node.ExecuteCommand("sudo bash -c 'export KUBECONFIG=/etc/rancher/rke2/rke2.yaml && /var/lib/rancher/rke2/server/account-update.sh'") if err != nil { return err }
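Review bot: Moving `account-update.sh` into `/var/lib/rancher/rke2/server/` and marking it executable there leaves a root-owned executable test artifact inside the rke2 server state directory after the run; the script is used once, so running it in place from the SSH user's home, as the rke1 hunk does, or removing it afterwards keeps the node's state directory unchanged by the test. The three `sudo bash -c` round trips (mv, chmod, run) would then collapse to one: `_, err = node.ExecuteCommand("sudo bash -c 'export KUBECONFIG=/etc/rancher/rke2/rke2.yaml && bash /home/" + node.SSHUser + "/account-update.sh'")`. PostRKE2HardeningConfig continues outside the hunk.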