Skip to content

Commit

Permalink
Implement compliance content testing on ROSA
Browse files Browse the repository at this point in the history 
We've made some changes to the Compliance Operator so that it supports
running on managed offerings. This commit wires up testing CIS and
PCI-DSS node profiles on ROSA so that we can assess the compliance
posture of those profiles on the platform.

The following related PRs need to land before this change will wire
things up appropriately:

  ComplianceAsCode/content#12004
  ComplianceAsCode/ocp4e2e#41
  • Loading branch information
@rhmdnd
rhmdnd committed May 23, 2024
1 parent b952596 commit 1f452c3
Show file tree
Hide file tree
Showing 2 changed files with 235 additions and 0 deletions.
69 changes: 69 additions & 0 deletions ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master__4.15.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,12 @@
base_images:
cli-ocm:
name: cli-ocm
namespace: ci
tag: latest
rosa-aws-cli:
name: rosa-aws-cli
namespace: ci
tag: release
build_root:
image_stream_tag:
name: release
Expand Down Expand Up @@ -492,6 +501,66 @@ tests:
requests:
cpu: 100m
workflow: ipi-aws
- always_run: false
as: e2e-rosa-ocp4-cis-node
steps:
cluster_profile: quay-aws
env:
BYO_OIDC: "true"
CHANNEL_GROUP: stable
OCM_LOGIN_ENV: integration
OPENSHIFT_VERSION: 4.15.8
REGION: us-east-2
test:
- as: test
cli: latest
commands: |
export PROFILE=cis-node
export PRODUCT=ocp4
export component=ocp4-content-ds
export ROOT_DIR=$PWD
git clone https://github.com/ComplianceAsCode/ocp4e2e.git ocp4e2e
pushd ocp4e2e
go test -v -timeout 120m github.com/ComplianceAsCode/ocp4e2e -profile="$PROFILE" -product="$PRODUCT" -content-image="$CONTENT_IMAGE" -platform=rosa -bypass-remediations=true
dependencies:
- env: CONTENT_IMAGE
name: ocp4-content-ds
from: src
resources:
requests:
cpu: 100m
- ref: ipi-install-rbac
workflow: rosa-aws-sts-hcp
- always_run: false
as: e2e-rosa-ocp4-pci-dss-node
steps:
cluster_profile: quay-aws
env:
BYO_OIDC: "true"
CHANNEL_GROUP: stable
OCM_LOGIN_ENV: integration
OPENSHIFT_VERSION: 4.15.8
REGION: us-east-2
test:
- as: test
cli: latest
commands: |
export PROFILE=pci-dss-node
export PRODUCT=ocp4
export component=ocp4-content-ds
export ROOT_DIR=$PWD
git clone https://github.com/ComplianceAsCode/ocp4e2e.git ocp4e2e
pushd ocp4e2e
go test -v -timeout 120m github.com/ComplianceAsCode/ocp4e2e -profile="$PROFILE" -product="$PRODUCT" -content-image="$CONTENT_IMAGE" -platform=rosa -bypass-remediations=true
dependencies:
- env: CONTENT_IMAGE
name: ocp4-content-ds
from: src
resources:
requests:
cpu: 100m
- ref: ipi-install-rbac
workflow: rosa-aws-sts-hcp
- as: e2e-aws-rhcos4-e8-weekly
cron: 0 22 * * 3,6
steps:
Expand Down
166 changes: 166 additions & 0 deletions ci-operator/jobs/ComplianceAsCode/content/ComplianceAsCode-content-master-presubmits.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3353,6 +3353,172 @@ presubmits:
secret:
secretName: result-aggregator
trigger: (?m)^/test( | .* )(4.15-e2e-aws-rhcos4-stig|remaining-required),?($|\s.*)
- agent: kubernetes
always_run: false
branches:
- ^master$
- ^master-
cluster: build05
context: ci/prow/4.15-e2e-rosa-ocp4-cis-node
decorate: true
decoration_config:
skip_cloning: true
labels:
ci-operator.openshift.io/cloud: aws
ci-operator.openshift.io/cloud-cluster-profile: quay-aws
ci-operator.openshift.io/variant: "4.15"
ci.openshift.io/generator: prowgen
job-release: "4.15"
pj-rehearse.openshift.io/can-be-rehearsed: "true"
name: pull-ci-ComplianceAsCode-content-master-4.15-e2e-rosa-ocp4-cis-node
rerun_command: /test 4.15-e2e-rosa-ocp4-cis-node
spec:
containers:
- args:
- --gcs-upload-secret=/secrets/gcs/service-account.json
- --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
- --lease-server-credentials-file=/etc/boskos/credentials
- --report-credentials-file=/etc/report/credentials
- --secret-dir=/secrets/ci-pull-credentials
- --secret-dir=/usr/local/e2e-rosa-ocp4-cis-node-cluster-profile
- --target=e2e-rosa-ocp4-cis-node
- --variant=4.15
command:
- ci-operator
image: ci-operator:latest
imagePullPolicy: Always
name: ""
resources:
requests:
cpu: 10m
volumeMounts:
- mountPath: /etc/boskos
name: boskos
readOnly: true
- mountPath: /secrets/ci-pull-credentials
name: ci-pull-credentials
readOnly: true
- mountPath: /usr/local/e2e-rosa-ocp4-cis-node-cluster-profile
name: cluster-profile
- mountPath: /secrets/gcs
name: gcs-credentials
readOnly: true
- mountPath: /secrets/manifest-tool
name: manifest-tool-local-pusher
readOnly: true
- mountPath: /etc/pull-secret
name: pull-secret
readOnly: true
- mountPath: /etc/report
name: result-aggregator
readOnly: true
serviceAccountName: ci-operator
volumes:
- name: boskos
secret:
items:
- key: credentials
path: credentials
secretName: boskos-credentials
- name: ci-pull-credentials
secret:
secretName: ci-pull-credentials
- name: cluster-profile
secret:
secretName: cluster-secrets-quay-aws
- name: manifest-tool-local-pusher
secret:
secretName: manifest-tool-local-pusher
- name: pull-secret
secret:
secretName: registry-pull-credentials
- name: result-aggregator
secret:
secretName: result-aggregator
trigger: (?m)^/test( | .* )(4.15-e2e-rosa-ocp4-cis-node|remaining-required),?($|\s.*)
- agent: kubernetes
always_run: false
branches:
- ^master$
- ^master-
cluster: build05
context: ci/prow/4.15-e2e-rosa-ocp4-pci-dss-node
decorate: true
decoration_config:
skip_cloning: true
labels:
ci-operator.openshift.io/cloud: aws
ci-operator.openshift.io/cloud-cluster-profile: quay-aws
ci-operator.openshift.io/variant: "4.15"
ci.openshift.io/generator: prowgen
job-release: "4.15"
pj-rehearse.openshift.io/can-be-rehearsed: "true"
name: pull-ci-ComplianceAsCode-content-master-4.15-e2e-rosa-ocp4-pci-dss-node
rerun_command: /test 4.15-e2e-rosa-ocp4-pci-dss-node
spec:
containers:
- args:
- --gcs-upload-secret=/secrets/gcs/service-account.json
- --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
- --lease-server-credentials-file=/etc/boskos/credentials
- --report-credentials-file=/etc/report/credentials
- --secret-dir=/secrets/ci-pull-credentials
- --secret-dir=/usr/local/e2e-rosa-ocp4-pci-dss-node-cluster-profile
- --target=e2e-rosa-ocp4-pci-dss-node
- --variant=4.15
command:
- ci-operator
image: ci-operator:latest
imagePullPolicy: Always
name: ""
resources:
requests:
cpu: 10m
volumeMounts:
- mountPath: /etc/boskos
name: boskos
readOnly: true
- mountPath: /secrets/ci-pull-credentials
name: ci-pull-credentials
readOnly: true
- mountPath: /usr/local/e2e-rosa-ocp4-pci-dss-node-cluster-profile
name: cluster-profile
- mountPath: /secrets/gcs
name: gcs-credentials
readOnly: true
- mountPath: /secrets/manifest-tool
name: manifest-tool-local-pusher
readOnly: true
- mountPath: /etc/pull-secret
name: pull-secret
readOnly: true
- mountPath: /etc/report
name: result-aggregator
readOnly: true
serviceAccountName: ci-operator
volumes:
- name: boskos
secret:
items:
- key: credentials
path: credentials
secretName: boskos-credentials
- name: ci-pull-credentials
secret:
secretName: ci-pull-credentials
- name: cluster-profile
secret:
secretName: cluster-secrets-quay-aws
- name: manifest-tool-local-pusher
secret:
secretName: manifest-tool-local-pusher
- name: pull-secret
secret:
secretName: registry-pull-credentials
- name: result-aggregator
secret:
secretName: result-aggregator
trigger: (?m)^/test( | .* )(4.15-e2e-rosa-ocp4-pci-dss-node|remaining-required),?($|\s.*)
- agent: kubernetes
always_run: true
branches:
Expand Down

0 comments on commit 1f452c3

Please sign in to comment.