kubearmor · navin772 · Aug 29, 2024 · Aug 29, 2024 · Sep 18, 2024 · Oct 18, 2024
diff --git a/.github/workflows/ci-merge-coverage.yaml b/.github/workflows/ci-merge-coverage.yaml
@@ -2,20 +2,27 @@ name: ci-merge-coverage
 
 on:
   workflow_run:
-    workflows: [ci-test-ginkgo]
+    workflows: [ci-test-ginkgo, ci-test-systemd]
     types:
       - completed
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   merge-coverage-files:
     name: Download and merge files
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+
       - name: Check if all required workflows completed successfully
         id: check-workflows
         run: |
-          workflows=("ci-test-ginkgo")
+          workflows=("ci-test-ginkgo" "ci-test-systemd")
           all_completed=true
 
           commit_sha=$(git rev-parse HEAD)
@@ -43,10 +50,6 @@ jobs:
           fi
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - uses: actions/checkout@v3
-        with:
-          submodules: true
 
       - uses: actions/setup-go@v5
         with:
@@ -62,6 +65,16 @@ jobs:
           name_is_regexp: true
           search_artifacts: true
 
+      - name: Download systemd coverage files from ci-test-systemd
+        if: ${{ env.ci-test-systemd_status == 'success' }}
+        uses: dawidd6/action-download-artifact@v6
+        with:
+          workflow: ci-test-systemd.yml
+          name: coverage.*
+          path: KubeArmor/
+          name_is_regexp: true
+          search_artifacts: true
+
       - uses: codecov/codecov-action@v4
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}
+          token: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.github/workflows/ci-test-systemd.yml b/.github/workflows/ci-test-systemd.yml
@@ -22,7 +22,11 @@ permissions: read-all
 jobs:
   build:
     name: Test KubeArmor in Systemd Mode
-    runs-on: ubuntu-20.04
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, bpflsm]
+    timeout-minutes: 60
     steps:
       - uses: actions/checkout@v3
         with:
@@ -44,6 +48,14 @@ jobs:
           install-only: true
           version: v1.25.0
 
+      - name: Install protoc-gen-go
+        if: ${{ matrix.os == 'bpflsm' }}
+        run: |
+          go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
+          go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
+        env:
+          GOPATH: /home/vagrant/go
+
       - name: Build Systemd Release
         run: make local-release
         working-directory: KubeArmor
@@ -52,6 +64,21 @@ jobs:
         run: sudo apt install -y ./dist/kubearmor*amd64.deb
         working-directory: KubeArmor
 
+      - name: Compile test binary
+        run: go test -covermode=atomic -coverpkg=./... -c . -o kubearmor-test
+        working-directory: KubeArmor
+
+      - name: Replace with test binary
+        run: |
+          sudo mkdir -p /coverage
+          sudo rm /opt/kubearmor/kubearmor
+          sudo cp kubearmor-test /opt/kubearmor/
+          ls -l /opt/kubearmor/
+          sudo sed -i 's|ExecStart=/opt/kubearmor/kubearmor|ExecStart=/opt/kubearmor/kubearmor-test -test.coverprofile=/coverage/coverage_systemd.out|' /lib/systemd/system/kubearmor.service
+          sudo systemctl daemon-reload
+          sudo systemctl restart kubearmor.service
+        working-directory: KubeArmor
+
       - name: Check journalctl
         run: sudo journalctl -u kubearmor --no-pager
 
@@ -61,5 +88,40 @@ jobs:
           make
         working-directory: ./tests/nonk8s_env
         timeout-minutes: 30
-
-
+
+      - name: Kill kubearmor process and copy coverage file
+        run: |
+          sudo systemctl stop kubearmor
+          sleep 15
+          for i in {1..24}; do
+            if [ -f /coverage/coverage_systemd.out ]; then
+              sudo cp /coverage/coverage_systemd.out coverage_systemd_${{ matrix.os }}.out
+              break
+            fi
+            sleep 5
+          done
+        working-directory: KubeArmor
+
+      - name: Measure code coverage
+        if: ${{ always() }}
+        run: |
+          ls -l
+          go tool cover -func coverage_systemd_${{ matrix.os }}.out
+        working-directory: KubeArmor
+        env:
+          GOPATH: ${{ matrix.os == 'bpflsm' && '/home/vagrant/go' || '/home/runner/go' }}
+
+      - name: Save coverage file
+        if: ${{ always() }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-systemd-${{ matrix.os }}
+          path: KubeArmor/coverage_systemd_${{ matrix.os }}.out
+
+      - name: Run cleanup
+        if: ${{ always() && matrix.os == 'bpflsm' }}
+        run: |
+          sudo systemctl disable kubearmor.service
+          sudo rm -rf /opt/kubearmor/
+          sudo apt-get --purge remove -y kubearmor
+          sudo systemctl daemon-reload
diff --git a/tests/nonk8s_env/hsp/hsp_suite_test.go b/tests/nonk8s_env/hsp/hsp_suite_test.go
@@ -0,0 +1,16 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024 Authors of KubeArmor
+
+package hsp_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestHsp(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Hsp Suite")
+}