From 3d2a54c9a6d80d9327d061200e55eb1fe69716b9 Mon Sep 17 00:00:00 2001
From: Evgeny Slutsky
Date: Mon, 23 Feb 2026 10:10:21 +0100
Subject: [PATCH] introduce tls-scanner test to optional suite
Signed-off-by: Evgeny Slutsky
---
 .../cluster-reader-clusterrole.yaml | 41 ++++++
 test/suites/optional/tls-scanner.robot | 124 ++++++++++++++++++
 2 files changed, 165 insertions(+)
 create mode 100644 test/assets/tls-scanner/cluster-reader-clusterrole.yaml
 create mode 100644 test/suites/optional/tls-scanner.robot
diff --git a/test/assets/tls-scanner/cluster-reader-clusterrole.yaml b/test/assets/tls-scanner/cluster-reader-clusterrole.yaml
new file mode 100644
index 0000000000..b7804c4cad
--- /dev/null
+++ b/test/assets/tls-scanner/cluster-reader-clusterrole.yaml
@@ -0,0 +1,41 @@
+# ClusterRole equivalent to OpenShift's cluster-reader for MicroShift.
+# MicroShift does not ship this role; tls-scanner deploy.sh expects it.
+# Read-only (get, list, watch) on core and common resources.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cluster-reader
+rules:
+- apiGroups: [""]
+ resources:
+ - configmaps
+ - endpoints
+ - namespaces
+ - nodes
+ - persistentvolumeclaims
+ - pods
+ - podtemplates
+ - replicationcontrollers
+ - resourcequotas
+ - services
+ - persistentvolumes
+ verbs: [get, list, watch]
+- apiGroups: ["apps"]
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ - statefulsets
+ verbs: [get, list, watch]
+- apiGroups: ["batch"]
+ resources:
+ - cronjobs
+ - jobs
+ verbs: [get, list, watch]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - rolebindings
+ - roles
+ verbs: [get, list, watch]
diff --git a/test/suites/optional/tls-scanner.robot b/test/suites/optional/tls-scanner.robot
new file mode 100644
index 0000000000..77677ba9b8
--- /dev/null
+++ b/test/suites/optional/tls-scanner.robot
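Review bot: The header comment on the first line of the manifest calls this ClusterRole "equivalent to OpenShift's cluster-reader", but the rules below cover only the listed resources in the core, apps, batch and rbac groups, so a reader auditing what the scanner ServiceAccount can see would be misled about its breadth. Suggest stating the actual scope, e.g. `# Minimal read-only subset of OpenShift's cluster-reader, limited to what tls-scanner deploy.sh needs on MicroShift.` The test in the same commit applies this manifest by name and later deletes `cluster-reader` outright, so any pre-existing role of that name on the host would be overwritten and then removed; a short comment noting that the test owns this object's lifecycle would make that expectation explicit.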
@@ -0,0 +1,124 @@
+*** Settings ***
+Documentation Test tls-scanner tool with MicroShift host-based scanning.
+... Clones openshift/tls-scanner, deploys the scanner job with
+... scanner-job-microshift.yaml.template and SCAN_MODE=host,
+... waits for completion, and collects results.
+... See: https://github.com/openshift/tls-scanner
+
+Library OperatingSystem
+Library Process
+Library String
+Resource ../../resources/common.resource
+Resource ../../resources/kubeconfig.resource
+Resource ../../resources/oc.resource
+
+Suite Setup Setup Suite With Namespace
+Suite Teardown Teardown Suite With Namespace
+
+Test Tags tls-scanner security optional
+
+
+*** Variables ***
+# Set by Suite Setup (common.resource / kubeconfig.resource):
+${NAMESPACE} default
+${KUBECONFIG} ${EMPTY}
+# External: full tag of the scanner image to use (e.g. quay.io/my-org/tls-scanner:latest)
+${SCANNER_IMAGE} registry.ci.openshift.org/ocp/4.22:tls-scanner-tool
+
+${TLS_SCANNER_REPO} https://github.com/openshift/tls-scanner
+
+${TLS_SCANNER_DIR} ${EMPTY}
+${TLS_SCANNER_JOB_NAME} tls-scanner-job
+${JOB_WAIT_TIMEOUT} 10min
+${CLUSTER_READER_MANIFEST} ./assets/tls-scanner/cluster-reader-clusterrole.yaml
+
+
+*** Test Cases ***
+TLS Scanner Host Scan Completes And Produces Artifacts
+ [Documentation] Clone tls-scanner, verify scanner image is available,
+ ... deploy the scan job in host mode for MicroShift, wait for completion,
+ ... and collect results (results.json, results.csv, scan.log).
+ [Setup] Run Keywords
+ ... Check Required Scanner Variables
+ ... Clone TLS Scanner Repo
+ ... Ensure Cluster Reader Role Exists
+ Deploy TLS Scanner Job
+ Copy Scan Results Artifacts
+
+ [Teardown] Run Keywords
+ ... Cleanup TLS Scanner Job
+ ... Ensure Cluster Reader Role Deleted
+
+
+*** Keywords ***
+Check Required Scanner Variables
+ [Documentation] Fail if SCANNER_IMAGE is not set.
+ Should Not Be Empty ${SCANNER_IMAGE}
+ ... SCANNER_IMAGE must be set (full image tag, e.g. quay.io/my-org/tls-scanner:latest)
+
+Ensure Cluster Reader Role Exists
+ [Documentation] Create cluster-reader ClusterRole for MicroShift (not shipped by default).
+ ... deploy.sh expects this OpenShift role to exist for the scanner ServiceAccount.
+ Oc Apply -f ${CLUSTER_READER_MANIFEST}
+
+Ensure Cluster Reader Role Deleted
+ [Documentation] Delete cluster-reader ClusterRole for MicroShift (not shipped by default).
+ ${result}= Run Keyword And Ignore Error Process.Run Process oc delete clusterrole cluster-reader
+ ... cwd=${TLS_SCANNER_DIR}
+ ... env:KUBECONFIG=${KUBECONFIG}
+
+ Should Be Equal As Integers ${result.rc} 0 msg=Failed to delete cluster-reader ClusterRole
+
+Clone TLS Scanner Repo
+ [Documentation] Clone openshift/tls-scanner into a temporary directory.
+ ${rand}= Generate Random String 8 [LOWER]
+ VAR ${workdir}= /tmp/tls-scanner-${rand}
+ Create Directory ${workdir}
+ VAR ${TLS_SCANNER_DIR}= ${workdir} scope=SUITE
+ ${result}= Process.Run Process git clone --depth 1 ${TLS_SCANNER_REPO} .
+ ... cwd=${TLS_SCANNER_DIR} shell=True timeout=120s
+ Should Be Equal As Integers ${result.rc} 0 msg=Failed to clone tls-scanner repo
+
+Deploy TLS Scanner Job
+ [Documentation] Deploy the scanner job using MicroShift host template and SCAN_MODE=host.
+ ${result}= Process.Run Process bash -c 'bash -x ./deploy.sh deploy 2>&1'
+ ... cwd=${TLS_SCANNER_DIR}
+ ... env:KUBECONFIG=${KUBECONFIG}
+ ... env:SCANNER_IMAGE=${SCANNER_IMAGE}
+ ... env:NAMESPACE=${NAMESPACE}
+ ... env:JOB_TEMPLATE_FILE=scanner-job-microshift.yaml.template
+ ... env:SCAN_MODE=host
+ ... env:OUTPUTDIR=${OUTPUTDIR}
+ ... shell=True timeout=${JOB_WAIT_TIMEOUT} stdout=${OUTPUTDIR}/tls-scanner-std.log
+ Log ${result.stdout}
+ Log ${result.stderr}
+ Should Be Equal As Integers ${result.rc} 0 msg=Failed to deploy tls-scanner job
+ OperatingSystem.File Should Exist ${TLS_SCANNER_DIR}/artifacts/results.json
+ ${size}= OperatingSystem.Get File Size ${TLS_SCANNER_DIR}/artifacts/results.json
+ Should Be True ${size} > 0 msg=results.json is missing or empty
+
+Copy Scan Results Artifacts
+ [Documentation] Copy content of ${TLS_SCANNER_DIR}/artifacts to ${OUTPUTDIR}/tls-scanner-artifacts.
+ VAR ${dest}= ${OUTPUTDIR}/tls-scanner-artifacts
+ Create Directory ${dest}
+ OperatingSystem.Directory Should Exist ${TLS_SCANNER_DIR}/artifacts
+ ${files}= OperatingSystem.List Files In Directory ${TLS_SCANNER_DIR}/artifacts
+ ${count}= Get Length ${files}
+ Should Be True ${count} > 0 msg=No artifacts produced by tls-scanner
+ FOR ${f} IN @{files}
+ Copy File ${TLS_SCANNER_DIR}/artifacts/${f} ${dest}/
+ END
+ Log Copied scan results to ${dest}/
+
+Cleanup TLS Scanner Job
+ [Documentation] Remove the scanner job and RBAC via deploy.sh cleanup.
+ ${result}= Run Keyword And Ignore Error Process.Run Process ./deploy.sh cleanup
+ ... cwd=${TLS_SCANNER_DIR}
+ ... env:KUBECONFIG=${KUBECONFIG}
+ ... env:NAMESPACE=${NAMESPACE}
+ ... shell=True timeout=60s
+ IF "${result[0]}" == "PASS" Log TLS scanner job cleanup completed
+ Remove Directory ${TLS_SCANNER_DIR} recursive=True
+ IF '${TLS_SCANNER_DIR}' != ''
+ Run Keyword And Ignore Error Remove Directory ${TLS_SCANNER_DIR} recursive=True
+ END
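Review bot: `Ensure Cluster Reader Role Deleted` wraps `Process.Run Process` in `Run Keyword And Ignore Error`, which returns a `(status, value)` pair, so the following `Should Be Equal As Integers ${result.rc} 0` dereferences a tuple and the teardown fails on every run; either drop the wrapper (`${result}= Process.Run Process oc delete clusterrole cluster-reader`) and keep the rc assertion, or index the pair as `Cleanup TLS Scanner Job` already does with `${result[0]}`. In `Cleanup TLS Scanner Job` the unconditional `Remove Directory ${TLS_SCANNER_DIR} recursive=True` sits immediately before the `IF '${TLS_SCANNER_DIR}' != ''` guard that was evidently meant to protect it; when setup aborts before `Clone TLS Scanner Repo` sets the suite variable the path is `${EMPTY}`, which OperatingSystem is likely to normalize to the current working directory before the recursive delete, so the unguarded line should be removed and only the guarded one kept. `Clone TLS Scanner Repo` fetches the default-branch head of an external repository and `Deploy TLS Scanner Job` then runs its `deploy.sh` with the cluster's `${KUBECONFIG}`, so each run executes unpinned, unreviewed code against the cluster; pinning a tag or commit through a `${TLS_SCANNER_REF}` variable (e.g. `git fetch --depth 1 origin ${TLS_SCANNER_REF}` followed by `git checkout FETCH_HEAD`) would make runs reproducible and auditable. `Check Required Scanner Variables` cannot fail as written because `${SCANNER_IMAGE}` carries a non-empty default, and the test documentation promises to "verify scanner image is available" although nothing probes the image, so either the default or the wording should change. The `bash -c 'bash -x ./deploy.sh deploy 2>&1'` form in `Deploy TLS Scanner Job` depends on how Process re-quotes that single-quoted argument under `shell=True`, which I am not certain survives intact; `Process.Run Process bash -x ./deploy.sh deploy` with no shell and `stderr=STDOUT` next to the existing `stdout=` option captures the same output without nested quoting.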