From 1f452c33d130680f12e371aafbc291d7d6b1f52d Mon Sep 17 00:00:00 2001
From: Lance Bragstad <lbragsta@redhat.com>
Date: Fri, 17 May 2024 08:52:39 -0500
Subject: [PATCH] Implement compliance content testing on ROSA

We've made some changes to the Compliance Operator so that it supports
running on managed offerings. This commit wires up testing CIS and
PCI-DSS node profiles on ROSA so that we can assess the compliance
posture of those profiles on the platform.

The following related PRs need to land before this change will wire
things up appropriately:

  https://github.com/ComplianceAsCode/content/pull/12004
  https://github.com/ComplianceAsCode/ocp4e2e/pull/41
---
 ...ComplianceAsCode-content-master__4.15.yaml |  69 ++++++++
 ...ianceAsCode-content-master-presubmits.yaml | 166 ++++++++++++++++++
 2 files changed, 235 insertions(+)

diff --git a/ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master__4.15.yaml b/ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master__4.15.yaml
index 6a5ea21614422..fe7c76afbb34b 100644
--- a/ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master__4.15.yaml
+++ b/ci-operator/config/ComplianceAsCode/content/ComplianceAsCode-content-master__4.15.yaml
@@ -1,3 +1,12 @@
+base_images:
+  cli-ocm:
+    name: cli-ocm
+    namespace: ci
+    tag: latest
+  rosa-aws-cli:
+    name: rosa-aws-cli
+    namespace: ci
+    tag: release
 build_root:
   image_stream_tag:
     name: release
@@ -492,6 +501,66 @@ tests:
         requests:
           cpu: 100m
     workflow: ipi-aws
+- always_run: false
+  as: e2e-rosa-ocp4-cis-node
+  steps:
+    cluster_profile: quay-aws
+    env:
+      BYO_OIDC: "true"
+      CHANNEL_GROUP: stable
+      OCM_LOGIN_ENV: integration
+      OPENSHIFT_VERSION: 4.15.8
+      REGION: us-east-2
+    test:
+    - as: test
+      cli: latest
+      commands: |
+        export PROFILE=cis-node
+        export PRODUCT=ocp4
+        export component=ocp4-content-ds
+        export ROOT_DIR=$PWD
+        git clone https://github.com/ComplianceAsCode/ocp4e2e.git ocp4e2e
+        pushd ocp4e2e
+        go test -v -timeout 120m github.com/ComplianceAsCode/ocp4e2e -profile="$PROFILE" -product="$PRODUCT" -content-image="$CONTENT_IMAGE" -platform=rosa -bypass-remediations=true
+      dependencies:
+      - env: CONTENT_IMAGE
+        name: ocp4-content-ds
+      from: src
+      resources:
+        requests:
+          cpu: 100m
+    - ref: ipi-install-rbac
+    workflow: rosa-aws-sts-hcp
+- always_run: false
+  as: e2e-rosa-ocp4-pci-dss-node
+  steps:
+    cluster_profile: quay-aws
+    env:
+      BYO_OIDC: "true"
+      CHANNEL_GROUP: stable
+      OCM_LOGIN_ENV: integration
+      OPENSHIFT_VERSION: 4.15.8
+      REGION: us-east-2
+    test:
+    - as: test
+      cli: latest
+      commands: |
+        export PROFILE=pci-dss-node
+        export PRODUCT=ocp4
+        export component=ocp4-content-ds
+        export ROOT_DIR=$PWD
+        git clone https://github.com/ComplianceAsCode/ocp4e2e.git ocp4e2e
+        pushd ocp4e2e
+        go test -v -timeout 120m github.com/ComplianceAsCode/ocp4e2e -profile="$PROFILE" -product="$PRODUCT" -content-image="$CONTENT_IMAGE" -platform=rosa -bypass-remediations=true
+      dependencies:
+      - env: CONTENT_IMAGE
+        name: ocp4-content-ds
+      from: src
+      resources:
+        requests:
+          cpu: 100m
+    - ref: ipi-install-rbac
+    workflow: rosa-aws-sts-hcp
 - as: e2e-aws-rhcos4-e8-weekly
   cron: 0 22 * * 3,6
   steps:
diff --git a/ci-operator/jobs/ComplianceAsCode/content/ComplianceAsCode-content-master-presubmits.yaml b/ci-operator/jobs/ComplianceAsCode/content/ComplianceAsCode-content-master-presubmits.yaml
index 61db10a1f39f2..93bae70f58f96 100644
--- a/ci-operator/jobs/ComplianceAsCode/content/ComplianceAsCode-content-master-presubmits.yaml
+++ b/ci-operator/jobs/ComplianceAsCode/content/ComplianceAsCode-content-master-presubmits.yaml
@@ -3353,6 +3353,172 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )(4.15-e2e-aws-rhcos4-stig|remaining-required),?($|\s.*)
+  - agent: kubernetes
+    always_run: false
+    branches:
+    - ^master$
+    - ^master-
+    cluster: build05
+    context: ci/prow/4.15-e2e-rosa-ocp4-cis-node
+    decorate: true
+    decoration_config:
+      skip_cloning: true
+    labels:
+      ci-operator.openshift.io/cloud: aws
+      ci-operator.openshift.io/cloud-cluster-profile: quay-aws
+      ci-operator.openshift.io/variant: "4.15"
+      ci.openshift.io/generator: prowgen
+      job-release: "4.15"
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-ComplianceAsCode-content-master-4.15-e2e-rosa-ocp4-cis-node
+    rerun_command: /test 4.15-e2e-rosa-ocp4-cis-node
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/ci-pull-credentials
+        - --secret-dir=/usr/local/e2e-rosa-ocp4-cis-node-cluster-profile
+        - --target=e2e-rosa-ocp4-cis-node
+        - --variant=4.15
+        command:
+        - ci-operator
+        image: ci-operator:latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/ci-pull-credentials
+          name: ci-pull-credentials
+          readOnly: true
+        - mountPath: /usr/local/e2e-rosa-ocp4-cis-node-cluster-profile
+          name: cluster-profile
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: ci-pull-credentials
+        secret:
+          secretName: ci-pull-credentials
+      - name: cluster-profile
+        secret:
+          secretName: cluster-secrets-quay-aws
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )(4.15-e2e-rosa-ocp4-cis-node|remaining-required),?($|\s.*)
+  - agent: kubernetes
+    always_run: false
+    branches:
+    - ^master$
+    - ^master-
+    cluster: build05
+    context: ci/prow/4.15-e2e-rosa-ocp4-pci-dss-node
+    decorate: true
+    decoration_config:
+      skip_cloning: true
+    labels:
+      ci-operator.openshift.io/cloud: aws
+      ci-operator.openshift.io/cloud-cluster-profile: quay-aws
+      ci-operator.openshift.io/variant: "4.15"
+      ci.openshift.io/generator: prowgen
+      job-release: "4.15"
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-ComplianceAsCode-content-master-4.15-e2e-rosa-ocp4-pci-dss-node
+    rerun_command: /test 4.15-e2e-rosa-ocp4-pci-dss-node
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/ci-pull-credentials
+        - --secret-dir=/usr/local/e2e-rosa-ocp4-pci-dss-node-cluster-profile
+        - --target=e2e-rosa-ocp4-pci-dss-node
+        - --variant=4.15
+        command:
+        - ci-operator
+        image: ci-operator:latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/ci-pull-credentials
+          name: ci-pull-credentials
+          readOnly: true
+        - mountPath: /usr/local/e2e-rosa-ocp4-pci-dss-node-cluster-profile
+          name: cluster-profile
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: ci-pull-credentials
+        secret:
+          secretName: ci-pull-credentials
+      - name: cluster-profile
+        secret:
+          secretName: cluster-secrets-quay-aws
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )(4.15-e2e-rosa-ocp4-pci-dss-node|remaining-required),?($|\s.*)
   - agent: kubernetes
     always_run: true
     branches: