Add test matrix to include different buildkit connectors

This is just a way to test all the connection helpers using the existing test harness. Ideally the patch tests are refactored into use go and we can more easily manage mutliple parallel environments from one runner. Signed-off-by: Brian Goff <[email protected]>
project-copacetic · Aug 11, 2023 · c115acf · c115acf
1 parent bf6308d
commit c115acf
Show file tree

Hide file tree

Showing 9 changed files with 195 additions and 47 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -81,16 +81,13 @@ jobs:
       - name: Load test cases for patch testing
         id: load-tests
         shell: bash
-        run: |
-          json="$(cat .github/workflows/test-images.json)"
-          json="${json//[$'\n'$'\r']/''}"
-          echo "include=$json" >> $GITHUB_OUTPUT
+        run: echo "include=$(.github/workflows/generate-matrix.sh)" | tee -a "${GITHUB_OUTPUT}"
     outputs:
       include: ${{ steps.load-tests.outputs.include }}
 
   test-patch:
     needs: build
-    name: Test patch ${{ matrix.image }}:${{ matrix.tag }}
+    name: Test patch ${{matrix.mode }} ${{ matrix.image }}:${{ matrix.tag }}
     runs-on: ubuntu-latest
     timeout-minutes: 10
     permissions: read-all
@@ -99,6 +96,15 @@ jobs:
       matrix:
         include: ${{ fromJson(needs.build.outputs.include) }}
     steps:
+      - name: Download copa from build artifacts
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: copa_edge_linux_amd64.tar.gz
+      - name: Check out code
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - name: Install required tools
+        shell: bash
+        run: ./scripts/ci/download-tooling.sh
       - name: Download copa from build artifacts
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
@@ -108,48 +114,14 @@ jobs:
         run: |
           tar xzf copa_edge_linux_amd64.tar.gz
           ./copa --version
-      - name: Install required tools
-        shell: bash
-        run: |
-          curl -sfL https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.deb -o trivy.deb \
-            && sudo dpkg -i trivy.deb \
-            && rm trivy.deb
-          curl -sfL https://github.com/moby/buildkit/releases/download/v${BUILDKIT_VERSION}/buildkit-v${BUILDKIT_VERSION}.linux-amd64.tar.gz -o buildkit.tar.gz \
-            && sudo tar -zxvf buildkit.tar.gz -C /usr/local/ \
-            && rm buildkit.tar.gz
-      - name: Create Trivy ignore policy
-        shell: bash
-        run: |
-          cat <<EOF >>trivy_ignore.rego
-          package trivy
-
-          import data.lib.trivy
-
-          default ignore = false
-
-          ignore_vulnerability_ids := {
-            # centos 7.6.1810
-            # bind-license package version "9.11.4-26.P2.el7_9.14" does not exist
-            "CVE-2023-2828"
-          }
-
-          ignore {
-            input.VulnerabilityID == ignore_vulnerability_ids[_]
-          }
-          EOF
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
       - name: Run functional test
         shell: bash
         run: |
-          echo "[INFO]: Patching ${{ matrix.distro }} image with: ${{ matrix.description }}"
-
-          echo "[INFO]: Scanning image with trivy ..."
-          trivy image --vuln-type os --ignore-unfixed --scanners vuln -f json -o scan.json "${{ matrix.image }}:${{ matrix.tag }}@${{ matrix.digest }}" --exit-on-eol 1 --ignore-policy trivy_ignore.rego
-
-          echo "[INFO]: Start buildkitd in the background ..."
-          docker run --net=host --detach --rm --privileged -p 127.0.0.1:8888:8888/tcp --name buildkitd --entrypoint buildkitd moby/buildkit:v${{ env.BUILDKIT_VERSION }} --addr tcp://0.0.0.0:8888
-
-          echo "[INFO]: Run copa on target ..."
-          ./copa patch -i "${{ matrix.image }}:${{ matrix.tag }}@${{ matrix.digest }}" -r scan.json -t "${{ matrix.tag }}-patched" -a tcp://127.0.0.1:8888 --timeout 10m
-
-          echo "[INFO]: Rescanning patched image with same vuln DB ..."
-          trivy image --vuln-type os --ignore-unfixed --skip-db-update --scanners vuln "${{ matrix.image }}:${{ matrix.tag }}-patched" --exit-code 1 --exit-on-eol 1 --ignore-policy trivy_ignore.rego
+            echo "[INFO]: Patching ${{ matrix.distro }} image with: ${{ matrix.description}}"
+            COPA="$(pwd)/copa" ./scripts/ci/run-functional-tests.sh
+        env:
+          TEST_BUILDKIT_MODE: ${{ matrix.mode }}
+          IMAGE_REF: ${{ matrix.image }}:${{ matrix.tag }}@${{ matrix.digest }}
+
diff --git a/.github/workflows/generate-matrix.sh b/.github/workflows/generate-matrix.sh
@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail
+
+SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
+
+# Collect all the modes into a bash array
+modes=()
+for i in scripts/ci/setup/*; do
+    base="${i##*/}"
+    for j in "${i}"/*; do
+        modes+=(${base}/${j##*/})
+    done
+done
+
+
+tmp="$(mktemp -d)"
+trap "rm -rf ${tmp}" EXIT
+
+input="${SCRIPT_DIR}/test-images.json"
+
+# The input from `test-images.json` is an array of objects.
+# For every mode we need a copy of every object in the `test-images.json` with a mode field (and mode value) set on it.
+# This effectively turns `[{"foo": "bar"}]` into `[{"foo": "bar", "mode": "mode1"}, {"foo": "bar", "mode": "mode2"}]`
+# Ideally jq would be able to do this all in one shot but I haven't found a way to do that (it probably can, just haven't figured out the incantation).
+# Instead we need to write a tempfile for every mode with the mode injected into every object in the array, then at the end we'll use jq to slurp all that into one array
+#
+# Example of what this for-loop would look like:
+# input json: [{"foo": "bar"}]
+# modes: ["mode1", "mode2"]
+# Results:
+#   $TMPDIR/$TMPFILE1: [{"foo": "bar", "mode": "mode1"}]
+#   $TMPDIR/$TMPFILE2: [{"foo": "bar", "mode": "mode2"}]
+for mode in ${modes[@]}; do
+    jq --arg mode "${mode}" 'map(.+{mode: $mode})' "${input}"  > "$(mktemp --tmpdir="${tmp}")"
+done
+
+jq_args=""
+
+if [ -v CI ] && [ "${CI}" = "true" ]; then
+    # We are running in CI where we need this to be a single line so use `-c` to compact the output json
+    # Otherwise its nice to be able to see the non-compact version when running locally
+    jq_args+=" -c"
+fi
+
+# Taking the example from above, this would exand into:
+#   jq -s '. | flatten' $TMPDIR/$TMPFILE1 $TMPDIR/$TMPFILE2
+# The `-s` option for jq tells jq to read each file and insert the objects in those files into an array.
+# So the input for is an array of an array of objects: [ [{...}], [{...}] ]
+# We need it to be a flat array, so use `add` to concatenate each array
+jq ${jq_args} -s 'add' "${tmp}"/*
diff --git a/scripts/ci/download-tooling.sh b/scripts/ci/download-tooling.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail
+
+curl -sfL https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.deb -o trivy.deb
+sudo dpkg -i trivy.deb
+rm trivy.deb
+
+curl -sfL https://github.com/moby/buildkit/releases/download/v${BUILDKIT_VERSION}/buildkit-v${BUILDKIT_VERSION}.linux-amd64.tar.gz -o buildkit.tar.gz
+sudo tar -zxvf buildkit.tar.gz -C /usr/local/
+rm buildkit.tar.gz
diff --git a/scripts/ci/run-functional-tests.sh b/scripts/ci/run-functional-tests.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail
+
+SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
+
+: "${TEST_BUILDKIT_MODE:="direct/tcp"}"
+: "${COPA:=copa}"
+: "${COPA_FLAGS:=}"
+
+IMAGE_NAMED_TAGGED="${IMAGE_REF%@*}"
+IMAGE_TAG_ONLY="${IMAGE_NAMED_TAGGED#*:}"
+IMAGE_NAME_ONLY="${IMAGE_NAMED_TAGGED%:*}"
+: "${IMAGE_TAG_PATCHED:="${IMAGE_TAG_ONLY}-patched"}"
+
+echo "[INFO]: Buildkit mode: ${TEST_BUILDKIT_MODE}"
+echo "[INFO]: Image to patch: ${IMAGE_REF}"
+echo "[INFO]: Patched image tag: ${IMAGE_TAG_PATCHED}"
+
+echo "[INFO]: Scanning image with trivy ..."
+trivy image --vuln-type os --ignore-unfixed --scanners vuln -f json -o scan.json "${IMAGE_REF}" --exit-on-eol 1 --ignore-policy "${SCRIPT_DIR}/trivy_ignore.rego"
+echo "[INFO]: Setting up buildkit with mode ${TEST_BUILDKIT_MODE} ..."
+
+if [ ! -f "${SCRIPT_DIR}/setup/${TEST_BUILDKIT_MODE}" ]; then
+    echo "[ERROR]: Unknown mode: ${TEST_BUILDKIT_MODE}" >&2
+    exit 1
+fi
+
+. "${SCRIPT_DIR}/setup/${TEST_BUILDKIT_MODE}"
+
+echo "[INFO]: Run copa on target ..."
+if [ -v COPA_BUILDKIT_ADDR ] && [ -n "${COPA_BUILDKIT_ADDR}" ]; then
+    COPA_FLAGS+="-a ${COPA_BUILDKIT_ADDR}"
+fi
+"${COPA}" patch -i "${IMAGE_REF}" -r scan.json -t "${IMAGE_TAG_PATCHED}" --timeout 20m ${COPA_FLAGS}
+
+echo "[INFO]: Rescanning patched image with same vuln DB ..."
+trivy image --vuln-type os --ignore-unfixed --skip-db-update --scanners vuln "${IMAGE_NAME_ONLY}:${IMAGE_TAG_PATCHED}" --exit-code 1 --exit-on-eol 1 --ignore-policy "${SCRIPT_DIR}/trivy_ignore.rego"
diff --git a/scripts/ci/setup/buildx/default b/scripts/ci/setup/buildx/default
@@ -0,0 +1,5 @@
+#!/usr/bin/env sh
+
+docker buildx create --use
+docker buildx inspect --bootstrap
+export COPA_BUILDKIT_ADDR="buildx://"
diff --git a/scripts/ci/setup/buildx/named b/scripts/ci/setup/buildx/named
@@ -0,0 +1,5 @@
+#!/usr/bin/env sh
+
+docker buildx create --name testpatch
+docker buildx inspect --bootstrap testpatch
+export COPA_BUILDKIT_ADDR="buildx://testpatch"
diff --git a/scripts/ci/setup/direct/tcp b/scripts/ci/setup/direct/tcp
@@ -0,0 +1,24 @@
+#!/usr/bin/env sh
+
+
+: "${BUILDKIT_PORT:=30321}"
+: "${BUILDKIT_VERSION=0.12.0}"
+
+_buildkit_direct_tcp_id="$(docker run --detach --rm --privileged -p 127.0.0.1::${BUILDKIT_PORT}/tcp  --entrypoint buildkitd "moby/buildkit:v$BUILDKIT_VERSION" --addr tcp://0.0.0.0:${BUILDKIT_PORT})"
+_buildkitd_tcp_addr="$(docker port ${_buildkit_direct_tcp_id} ${BUILDKIT_PORT})"
+export COPA_BUILDKIT_ADDR="tcp://${_buildkitd_tcp_addr}"
+
+_cleanup() {
+    docker rm -f "${_buildkit_direct_tcp_id}"
+}
+
+trap '_cleanup' EXIT
+
+_check_buildkitd_tcp() {
+    buildctl --addr ${COPA_BUILDKIT_ADDR} debug info
+}
+
+echo "[INFO] Wait for buildkitd to be ready @ ${COPA_BUILDKIT_ADDR}"
+while ! _check_buildkitd_tcp; do
+    sleep 1
+done
diff --git a/scripts/ci/setup/docker/custom-unix b/scripts/ci/setup/docker/custom-unix
@@ -0,0 +1,31 @@
+#!/usr/bin/env sh
+
+# dockerd requires containerd snapshotter support to be enabled otherwise required features for buildkit are disabled.
+docker build -t dind -<<EOF
+FROM docker:24.0-dind
+RUN mkdir -p /etc/docker && echo '{"features": { "containerd-snapshotter": true }}' > /etc/docker/daemon.json
+ENTRYPOINT ["dockerd"]
+EOF
+
+: "${DOCKER_DIND_VOLUME:="copa-docker-dind"}"
+
+sock_dir="$(mktemp -d)"
+
+docker_custom_unix_id="$(docker run -d --privileged --mount=type=bind,source="${sock_dir}",target=/run --mount=type=volume,source="${DOCKER_DIND_VOLUME}",target=/var/lib/docker dind --group "$(id -g)")"
+
+_cleanup() {
+    docker rm -f "$docker_custom_unix_id"
+    sudo rm -rf "${sock_dir}"
+}
+
+trap '_cleanup' EXIT
+
+_check_docker_dind() {
+    docker -H "unix://${sock_dir}/docker.sock" info
+}
+
+while ! _check_docker_dind; do
+    check_docker_dind || sleep 1
+done
+
+export COPA_BUILDKIT_ADDR="docker://unix://${sock_dir}/docker.sock"
diff --git a/scripts/ci/trivy_ignore.rego b/scripts/ci/trivy_ignore.rego
@@ -0,0 +1,11 @@
+package trivy
+
+import data.lib.trivy
+
+default ignore = false
+
+ignore_vulnerability_ids := {
+    # centos 7.6.1810
+    # bind-license package version "9.11.4-26.P2.el7_9.14" does not exist
+    "CVE-2023-2828"
+}