CI improvements (#927)

* Add "--detailed" inspect.sh flag

The "inspect.sh" script currently retrieves logs from the
kube-system and default namespaces, which sometimes isn't enough
to identify cluster problems.

We're adding a "--detailed" setting that will collect logs from
all namespaces. This won't be the default since the logs may
contain sensitive user information.

* Move Trivy and Tics tests to separate scripts

We're moving the Trivy and Tics test logic to separate scripts,
simplifying the GH workflows and allowing these tests to be invoked
locally.

k8s/scripts/inspect.sh

@@ -7,18 +7,24 @@
 # elevated permissions (sudo).
 #
 # Usage:
-#   ./inspect.sh [output_file]
+#   ./inspect.sh [output_file] [--all-namespaces]
 #
 # Arguments:
-#   output_file  (Optional) The full path and filename for the generated tarball.
-#                If not provided, a default filename based on the current date
-#                and time will be used.
+#   output_file        (Optional) The full path and filename for the generated tarball.
+#                      If not provided, a default filename based on the current date
+#                      and time will be used.
+#   --all-namespaces   (Optional) Acquire detailed debugging information, including logs
+#                      from all Kubernetes namespaces.
 #
 # Example:
 #   ./inspect.sh /path/to/output.tar.gz
 #   ./inspect.sh  # This will generate a tarball with a default name.
+#   ./inspect.sh --all-namespaces  # Obtain logs from all k8s namespaces.
 
 INSPECT_DUMP=$(pwd)/inspection-report
+# We won't fetch all namespaces by default to avoid logging potentially sensitive
+# user data.
+ALL_NAMESPACES=0
 
 function log_success {
   printf -- '\033[32m SUCCESS: \033[0m %s\n' "$1"
@@ -54,8 +60,11 @@ function collect_args {
 
 function collect_cluster_info {
   log_info "Copy k8s cluster-info dump to the final report tarball"
-  # TODO: add a verbose mode that collects logs from all namespaces (--all-namespaces).
-  k8s kubectl cluster-info dump --output-directory "$INSPECT_DUMP/cluster-info" &>/dev/null
+  local FLAGS=""
+  if [[ "$ALL_NAMESPACES" == "1" ]]; then
+    FLAGS="--all-namespaces"
+  fi
+  k8s kubectl cluster-info dump $FLAGS --output-directory "$INSPECT_DUMP/cluster-info" &>/dev/null
 }
 
 function collect_sbom {
@@ -200,6 +209,25 @@ if [ "$EUID" -ne 0 ]; then
   exit 1
 fi
 
+POSITIONAL_ARGS=()
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    --all-namespaces)
+      ALL_NAMESPACES=1
+      shift
+      ;;
+    -*|--*)
+      echo "Unknown argument: $1"
+      exit 1
+      ;;
+    *)
+      POSITIONAL_ARGS+=("$1")
+      shift
+      ;;
+  esac
+done
+set -- "${POSITIONAL_ARGS[@]}"
+
 rm -rf "$INSPECT_DUMP"
 mkdir -p "$INSPECT_DUMP"
 

tests/integration/tests/conftest.py

@@ -54,7 +54,11 @@ def _generate_inspection_report(h: harness.Harness, instance_id: str):
     inspection_path = Path(config.INSPECTION_REPORTS_DIR)
     result = h.exec(
         instance_id,
-        ["/snap/k8s/current/k8s/scripts/inspect.sh", "/inspection-report.tar.gz"],
+        [
+            "/snap/k8s/current/k8s/scripts/inspect.sh",
+            "--all-namespaces",
+            "/inspection-report.tar.gz",
+        ],
         capture_output=True,
         text=True,
         check=False,

tests/tics-scan.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+SCRIPT_DIR=$(realpath $(dirname "$BASH_SOURCE"))
+
+set -ex
+cd "${SCRIPT_DIR}/.."
+
+sudo apt-get update
+sudo apt-get install -y python3-venv
+python3 -m venv .venv/tics
+source .venv/tics/bin/activate
+
+# Install python dependencies
+pip install -r tests/integration/requirements-test.txt
+pip install -r tests/integration/requirements-dev.txt
+
+cd src/k8s
+
+# TICS requires us to have the test results in cobertura xml format under the
+# directory use below
+sudo make go.unit
+go install github.com/boumenot/gocover-cobertura@latest
+gocover-cobertura < coverage.txt > coverage.xml
+mkdir -p .coverage
+mv ./coverage.xml ./.coverage/
+
+# Install the TICS and staticcheck
+go install honnef.co/go/tools/cmd/[email protected]
+. <(curl --silent --show-error 'https://canonical.tiobe.com/tiobeweb/TICS/api/public/v1/fapi/installtics/Script?cfg=default&platform=linux&url=https://canonical.tiobe.com/tiobeweb/TICS/')
+
+# We need to have our project built
+# We load the dqlite libs here instead of doing through make because TICS
+# will try to build parts of the project itself
+sudo add-apt-repository -y ppa:dqlite/dev
+sudo apt-get install -y dqlite-tools-v2 libdqlite1.17-dev
+sudo make clean
+go build -a ./...
+
+TICSQServer -project k8s-snap -tmpdir /tmp/tics -branchdir $SCRIPT_DIR/..

tests/trivy-scan.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+SCRIPT_DIR=$(realpath $(dirname "$BASH_SOURCE"))
+
+set -ex
+cd "${SCRIPT_DIR}/.."
+
+SNAP_PATH="$1"
+if [[ ! -f $SNAP_PATH ]]; then
+  echo "Usage: $0 <snap_path>"
+  exit 1
+fi
+
+# Setup Trivy vulnerability scanner
+mkdir -p manual-trivy/sarifs
+pushd manual-trivy
+VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print  substr($NF, 1, length($NF)-1)}');
+wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz
+tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz
+popd
+
+# Run Trivy vulnerability scanner in repo mode
+./manual-trivy/trivy fs . \
+  --format sarif \
+  --db-repository public.ecr.aws/aquasecurity/trivy-db \
+  --severity "MEDIUM,HIGH,CRITICAL" \
+  --ignore-unfixed \
+  > ./manual-trivy/sarifs/trivy-k8s-repo-scan--results.sarif
+
+for var in $(env | grep -o '^TRIVY_[^=]*'); do
+  unset "$var"
+done
+cp "${SNAP_PATH}" ./k8s-test.snap
+rm -rf ./squashfs-root
+unsquashfs k8s-test.snap
+./manual-trivy/trivy rootfs ./squashfs-root/ \
+  --format sarif \
+  --db-repository public.ecr.aws/aquasecurity/trivy-db \
+  > ./manual-trivy/sarifs/snap.sarif