You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
k3s/tests/e2e/vagrantdefaults.rb

135 lines
5.8 KiB

def defaultOSConfigure(vm)
box = vm.box.to_s
if box.include?("ubuntu")
vm.provision "Set DNS", type: "shell", inline: "netplan set ethernets.eth0.nameservers.addresses=[8.8.8.8,1.1.1.1]; netplan apply", run: 'once'
elsif box.include?("Leap") || box.include?("Tumbleweed")
vm.provision "Install apparmor-parser", type: "shell", inline: "zypper install -y apparmor-parser"
elsif box.include?("rocky") || box.include?("centos")
vm.provision "Disable firewall", type: "shell", inline: "systemctl stop firewalld"
elsif box.include?("alpine")
vm.provision "Install tools", type: "shell", inline: "apk add coreutils"
elsif box.include?("microos")
# Add stuff here, but we always need to reload at the end
vm.provision 'reload', run: 'once'
end
end
# getInstallType is used to control which version of k3s to install
# To install a specific version, set release_version to the version number
# To install a specific commit, set release_version to the commit SHA
# To install the latest commit from a branch, leave release_version empty
# and set release_channel to "commit" and set branch to the branch name
def getInstallType(vm, release_version, branch, release_channel='')
if release_version == "skip"
install_type = "INSTALL_K3S_SKIP_DOWNLOAD=true"
elsif !release_version.empty? && release_version.start_with?("v1")
return "INSTALL_K3S_VERSION=#{release_version}"
elsif !release_version.empty?
return "INSTALL_K3S_COMMIT=#{release_version}"
elsif !release_channel.empty? && release_channel != "commit"
return "INSTALL_K3S_CHANNEL=#{release_channel}"
else
jqInstall(vm)
scripts_location = Dir.exist?("./scripts") ? "./scripts" : "../scripts"
# Grabs the last 5 commit SHA's from the given branch, then purges any commits that do not have a passing CI build
# MicroOS requires it not be in a /tmp/ or other root system folder
vm.provision "Get latest commit", type: "shell", path: scripts_location +"/latest_commit.sh", env: {GH_TOKEN:ENV['GH_TOKEN']}, args: [branch, "/tmp/k3s_commits"]
return "INSTALL_K3S_COMMIT=$(head\ -n\ 1\ /tmp/k3s_commits)"
end
end
def addCoverageDir(vm, role, gocover)
if gocover.empty?
return
end
service = role.include?("agent") ? "k3s-agent" : "k3s"
script = <<~SHELL
mkdir -p /tmp/k3scov
echo -e 'GOCOVERDIR=/tmp/k3scov' >> /etc/default/#{service}
systemctl daemon-reload
SHELL
vm.provision "go coverage", type: "shell", inline: script
end
def getHardenedArg(vm, hardened, scripts_location)
if hardened.empty?
return ""
end
hardened_arg = <<~HARD
protect-kernel-defaults: true
secrets-encryption: true
kube-controller-manager-arg:
- 'terminated-pod-gc-threshold=10'
kubelet-arg:
- 'streaming-connection-idle-timeout=5m'
- 'make-iptables-util-chains=true'
- 'event-qps=0'
- "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
kube-apiserver-arg:
- 'audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log'
- 'audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'
- 'audit-log-maxage=30'
- 'audit-log-maxbackup=10'
- 'audit-log-maxsize=100'
HARD
if hardened == "psa" || hardened == "true"
vm.provision "Set kernel parameters", type: "shell", path: scripts_location + "/harden.sh", args: [ "psa" ]
hardened_arg += " - 'admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml'"
elsif hardened == "psp"
vm.provision "Set kernel parameters", type: "shell", path: scripts_location + "/harden.sh"
hardened_arg += " - 'enable-admission-plugins=NodeRestriction,NamespaceLifecycle,ServiceAccount,PodSecurityPolicy'"
else
puts "Invalid E2E_HARDENED option"
exit 1
end
if vm.box.to_s.include?("ubuntu")
vm.provision "Install kube-bench", type: "shell", inline: <<-SHELL
export KBV=0.8.0
curl -L "https://github.com/aquasecurity/kube-bench/releases/download/v${KBV}/kube-bench_${KBV}_linux_amd64.deb" -o "kube-bench_${KBV}_linux_amd64.deb"
dpkg -i "./kube-bench_${KBV}_linux_amd64.deb"
SHELL
end
return hardened_arg
end
def jqInstall(vm)
box = vm.box.to_s
if box.include?("ubuntu")
vm.provision "Install jq", type: "shell", inline: "apt install -y jq"
elsif box.include?("Leap") || box.include?("Tumbleweed")
vm.provision "Install jq", type: "shell", inline: "zypper install -y jq"
elsif box.include?("rocky")
vm.provision "Install jq", type: "shell", inline: "dnf install -y jq"
elsif box.include?("centos")
vm.provision "Install jq", type: "shell", inline: "yum install -y jq"
elsif box.include?("alpine")
vm.provision "Install jq", type: "shell", inline: "apk add coreutils"
elsif box.include?("microos")
vm.provision "Install jq", type: "shell", inline: "transactional-update pkg install -y jq"
vm.provision 'reload', run: 'once'
end
end
def dockerInstall(vm)
vm.provider "libvirt" do |v|
v.memory = NODE_MEMORY + 1024
end
vm.provider "virtualbox" do |v|
v.memory = NODE_MEMORY + 1024
end
box = vm.box.to_s
if box.include?("ubuntu")
vm.provision "shell", inline: "apt update; apt install -y docker.io"
elsif box.include?("Leap")
vm.provision "shell", inline: "zypper install -y docker apparmor-parser"
elsif box.include?("microos")
vm.provision "shell", inline: "transactional-update pkg install -y docker apparmor-parser"
vm.provision 'docker-reload', type: 'reload', run: 'once'
vm.provision "shell", inline: "systemctl enable --now docker"
elsif box.include?("rocky")
vm.provision "shell", inline: "dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo"
vm.provision "shell", inline: "dnf install -y docker-ce"
end
end