From e206119b198c4eba368319fcda84fad211d9e82a Mon Sep 17 00:00:00 2001
From: weizhoublue <45163302+weizhoublue@users.noreply.github.com>
Date: Mon, 25 Nov 2024 20:20:24 +0800
Subject: [PATCH] Fix TOOMANYREQUESTS failure in Trivy Action

Signed-off-by: tao.yang
---
.github/workflows/auto-upgrade-ci.yaml | 14 +++++++--
.github/workflows/build-image-ci.yaml | 4 +-
.github/workflows/e2e-init.yaml | 35 +++++++++++++++++++++--
.github/workflows/trivy-scan-image.yaml | 38 ++++++++++++-------------
Makefile | 1 -
test/Makefile | 5 ++--
6 files changed, 68 insertions(+), 29 deletions(-)

diff --git a/.github/workflows/auto-upgrade-ci.yaml b/.github/workflows/auto-upgrade-ci.yaml
index a0239d0691..552f997e7f 100644
--- a/.github/workflows/auto-upgrade-ci.yaml
+++ b/.github/workflows/auto-upgrade-ci.yaml
@@ -247,8 +247,13 @@ jobs:
for ITEM in $TAR_FILES ; do
IMAGE_NAME=${ITEM%*.tar}
echo ${IMAGE_NAME}
- cat test/.download/${ITEM} | docker import - ${IMAGE_NAME}:${{ needs.call_build_old_ci_image.outputs.imageTag }}
+ docker load -i test/.download/${ITEM}
+ echo "list docker images" && docker images
+ ITEM_IMAGE_ID=$(docker images | grep ${IMAGE_NAME%*-race}| grep ${{ needs.call_build_old_ci_image.outputs.imageTag }} | awk '{print $3}')
+ docker tag ${ITEM_IMAGE_ID} ${IMAGE_NAME}:${{ needs.call_build_old_ci_image.outputs.imageTag }}
done
+ echo "list all docker images"
+ docker images

- name: Prepare
id: prepare
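Review bot: The image ID lookup `ITEM_IMAGE_ID=$(docker images | grep ${IMAGE_NAME%*-race}| grep ${{ needs.call_build_old_ci_image.outputs.imageTag }} | awk '{print $3}')` greps the human-readable `docker images` table, so any other row whose repository contains the same substring, or an older image still carrying the same tag in the runner's cache, yields several IDs and `docker tag` then errors out or tags the wrong image. `docker load` already prints the reference it restored (one `Loaded image:` line per tag in the archive); capturing that is exact: `LOADED=$(docker load -i test/.download/${ITEM} | sed -n 's/^Loaded image: //p')` followed by `docker tag "${LOADED}" ${IMAGE_NAME}:${{ needs.call_build_old_ci_image.outputs.imageTag }}`. The same lookup is repeated in the @@ -326 hunk of this file and in the @@ -128 hunk of e2e-init.yaml. The `run:` block holding this loop starts above the hunk.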
@@ -326,8 +331,13 @@ jobs:
for ITEM in $TAR_FILES ; do
IMAGE_NAME=${ITEM%*.tar}
echo ${IMAGE_NAME}
- cat test/.download/${ITEM} | docker import - ${IMAGE_NAME}:${{ needs.call_build_new_ci_image.outputs.imageTag }}
+ docker load -i test/.download/${ITEM}
+ echo "list docker images" && docker images
+ ITEM_IMAGE_ID=$(docker images | grep ${IMAGE_NAME%*-race}| grep ${{ needs.call_build_new_ci_image.outputs.imageTag }} | awk '{print $3}')
+ docker tag ${ITEM_IMAGE_ID} ${IMAGE_NAME}:${{ needs.call_build_new_ci_image.outputs.imageTag }}
done
+ echo "list all docker images"
+ docker images

- name: Upgrade to version ${{ needs.get_ref.outputs.new_version }}
id: upgrade
diff --git a/.github/workflows/build-image-ci.yaml b/.github/workflows/build-image-ci.yaml
index 6b0447bf2d..9ce89fde22 100644
--- a/.github/workflows/build-image-ci.yaml
+++ b/.github/workflows/build-image-ci.yaml
@@ -182,7 +182,7 @@ jobs:
# docker cache after the workflow "Image CI Cache Cleaner" was terminated.
push: ${{ env.push }}
platforms: linux/amd64
- outputs: type=tar,dest=/tmp/${{ matrix.name }}-race.tar
+ outputs: type=docker,dest=/tmp/${{ matrix.name }}-race.tar
github-token: ${{ secrets.WELAN_PAT }}
tags: |
${{ env.ONLINE_REGISTER }}/${{ github.repository }}/${{ matrix.name }}-ci:${{ env.tag }}-race
@@ -231,7 +231,7 @@ jobs:
push: ${{ env.push }}
platforms: linux/amd64
github-token: ${{ secrets.WELAN_PAT }}
- outputs: type=tar,dest=/tmp/${{ matrix.name }}-race.tar
+ outputs: type=docker,dest=/tmp/${{ matrix.name }}-race.tar
tags: |
${{ env.ONLINE_REGISTER }}/${{ github.repository }}/${{ matrix.name }}-ci:${{ env.tag }}-race
build-args: |
diff --git a/.github/workflows/e2e-init.yaml b/.github/workflows/e2e-init.yaml
index 607e257766..9ed35ab8a1 100644
--- a/.github/workflows/e2e-init.yaml
+++ b/.github/workflows/e2e-init.yaml
@@ -128,8 +128,13 @@ jobs:
for ITEM in $TAR_FILES ; do
IMAGE_NAME=${ITEM%*.tar}
echo ${IMAGE_NAME}
- cat test/.download/${ITEM} | docker import - ${IMAGE_NAME}:${{ inputs.image_tag }}
+ docker load -i test/.download/${ITEM}
+ echo "list docker images" && docker images
+ ITEM_IMAGE_ID=$(docker images | grep ${IMAGE_NAME%*-race}| grep ${{ inputs.image_tag }} | awk '{print $3}')
+ docker tag ${ITEM_IMAGE_ID} ${IMAGE_NAME}:${{ inputs.image_tag }}
done
+ echo "list all docker images"
+ docker images

# test against commit version
# https://github.com/kubernetes-sigs/kind/issues/2863
@@ -163,7 +168,33 @@ jobs:
-e INSTALL_KDOCTOR=true \
-e INSTALL_OVS=${INSTALL_OVS_VALUE} \
-e INSTALL_RDMA=true \
- -e INSTALL_SRIOV=true
+ -e INSTALL_SRIOV=true || RESULT=1
+ if ((RESULT==0)) ; then
+ echo "RUN_SETUP_KIND_CLUSTER_PASS=true" >> $GITHUB_ENV
+ else
+ echo "RUN_SETUP_KIND_CLUSTER_PASS=false" >> $GITHUB_ENV
+ fi
+ if [ -f "test/e2edebugLog.txt" ] ; then
+ echo "UPLOAD_SETUP_KIND_CLUSTER_LOG=true" >> $GITHUB_ENV
+ else
+ echo "UPLOAD_SETUP_KIND_CLUSTER_LOG=false" >> $GITHUB_ENV
+ fi
+
+ - name: Upload Setup Kind Cluster log
+ if: ${{ env.RUN_SETUP_KIND_CLUSTER_PASS == 'false' && env.UPLOAD_SETUP_KIND_CLUSTER_LOG == 'true' }}
+ uses: actions/upload-artifact@v3.1.3
+ with:
+ name: ${{ inputs.os }}-${{ inputs.ip_family }}-${{ matrix.e2e_test_mode }}-${{ inputs.k8s_version }}-setupkind.txt
+ path: test/e2edebugLog.txt
+ retention-days: 7
+
+ - name: Show Setup Kind Cluster Result
+ run: |
+ if ${{ env.RUN_SETUP_KIND_CLUSTER_PASS == 'true' }} ;then
+ exit 0
+ else
+ exit 1
+ fi

- name: Run e2e Test
id: run_e2e
diff --git a/.github/workflows/trivy-scan-image.yaml b/.github/workflows/trivy-scan-image.yaml
index 19e9bbdd7f..a2f3d9068b 100644
--- a/.github/workflows/trivy-scan-image.yaml
+++ b/.github/workflows/trivy-scan-image.yaml
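Review bot: In the @@ -163 hunk `RESULT` is only ever assigned on the failure path (`|| RESULT=1`), so the success test `if ((RESULT==0))` relies on bash treating an unset name as 0 inside `(( ))`; that breaks under `set -u`, and a pre-existing `RESULT` in the runner environment would be read instead. Initialise it before the make invocation, which begins above this hunk: `RESULT=0`, and test it explicitly with `if [ "${RESULT}" -eq 0 ] ; then`. In the added 'Show Setup Kind Cluster Result' step, `if ${{ env.RUN_SETUP_KIND_CLUSTER_PASS == 'true' }} ;then` splices an expression result into shell source text; `if [ "${RUN_SETUP_KIND_CLUSTER_PASS}" = "true" ] ; then` reads the same value (values appended to `$GITHUB_ENV` are exported to later steps) without text substitution.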
@@ -35,24 +35,22 @@ jobs:
name: image-tar-spiderpool-controller
path: test/.download

- - name: Load And Scan Images
- run: |
- TAR_FILES=` ls test/.download `
- echo $TAR_FILES
- for ITEM in $TAR_FILES ; do
- IMAGE_NAME=${ITEM%*.tar}
- echo ${IMAGE_NAME}
- cat test/.download/${ITEM} | docker import - ${IMAGE_NAME}:${{ inputs.image_tag }}
- echo "---------trivy checkout image ${IMAGE_NAME}:${{ inputs.image_tag }} --------------------"
- make lint_image_trivy -e IMAGE_NAME=${IMAGE_NAME}:${{ inputs.image_tag }} \
- || { echo "RUN_IMAGE_TRIVY_FAIL=true" >> $GITHUB_ENV ; echo "error, image ${IMAGE_NAME}:${{ inputs.image_tag }} is bad" ; }
- done
+ - name: List downloaded files
+ run: ls -al test/.download

- - name: Show Trivy Scan Report
- run: |
- if [ "${{ env.RUN_IMAGE_TRIVY_FAIL }}" == "true" ] ; then
- echo "error, image is not secure, see detail on Step 'Load And Scan Images' "
- exit 1
- else
- exit 0
- fi
+ # https://github.com/aquasecurity/trivy-action/issues/389
+ - name: load and scan spiderpool-agent image
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db
+ with:
+ input: test/.download/spiderpool-agent-race.tar
+ severity: 'CRITICAL,HIGH'
+
+ - name: load and scan spiderpool-controller image
+ uses: aquasecurity/trivy-action@0.28.0
+ env:
+ TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db
+ with:
+ input: test/.download/spiderpool-controller-race.tar
+ severity: 'CRITICAL,HIGH'
diff --git a/Makefile b/Makefile
index 589301a99a..b7dee8351f 100644
--- a/Makefile
+++ b/Makefile
@@ -501,4 +501,3 @@ lint_chart_trivy:
.PHONY: build-chart
build-chart:
@ cd charts ; make
-
diff --git a/test/Makefile b/test/Makefile
index fc83229b2b..ea2c9af57f 100644
--- a/test/Makefile
+++ b/test/Makefile
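Review bot: Neither new trivy-action step sets `exit-code`, and trivy's default exit code on findings is 0, so CRITICAL/HIGH results are now only printed — the removed 'Show Trivy Scan Report' step used to fail the job with `exit 1` whenever `make lint_image_trivy` reported a bad image. Add `exit-code: '1'` under `with:` in both the agent and controller steps so the scan stays a gate rather than advisory output. `aquasecurity/trivy-action@0.28.0` is a mutable tag; pinning the action to its full commit SHA, with the version noted in a comment, is the usual hardening for a third-party action that reads build artifacts. The second step's `env:`/`with:` block is a verbatim copy of the first, so a `matrix` over the two image names would keep the two scans from drifting apart.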
@@ -227,7 +227,8 @@ setup_kurise:
docker pull $${IMAGE} ; \
kind load docker-image $${IMAGE} --name $(E2E_CLUSTER_NAME); \
done; \
- helm install kruise openkruise/kruise --kubeconfig $(E2E_KUBECONFIG) --wait --debug --set manager.image.repository=$(E2E_OPENKRUISE_IMAGE)
+ helm upgrade --install kruise openkruise/kruise --wait --timeout 20m --debug --set manager.image.repository=$(E2E_OPENKRUISE_IMAGE) \
+ --kubeconfig $(E2E_KUBECONFIG) || { KIND_CLUSTER_NAME=$(E2E_CLUSTER_NAME) ./scripts/debugEnv.sh $(E2E_KUBECONFIG) "detail" "$(E2E_LOG_FILE)" ; exit 1 ; } ; \

.PHONY: setup_spiderpool
setup_spiderpool:
@@ -386,7 +387,7 @@ setup_spiderpool:
-n $(RELEASE_NAMESPACE) \
$${HELM_OPTION} \
$(E2E_HELM_ADDITIONAL_OPTIONS) \
- --kubeconfig $(E2E_KUBECONFIG) || { KIND_CLUSTER_NAME=$(E2E_CLUSTER_NAME) ./scripts/debugEnv.sh $(E2E_KUBECONFIG) "detail" ; exit 1 ; } ; \
+ --kubeconfig $(E2E_KUBECONFIG) || { KIND_CLUSTER_NAME=$(E2E_CLUSTER_NAME) ./scripts/debugEnv.sh $(E2E_KUBECONFIG) "detail" "$(E2E_LOG_FILE)" ; exit 1 ; } ; \
if [ "$(INSTALL_SRIOV)" == "true" ] ; then \
echo "label node for sriov operator " ; \
kubectl --kubeconfig $(E2E_KUBECONFIG) get node | sed '1d' | awk '{print $$1}' | xargs -n 1 -i kubectl --kubeconfig $(E2E_KUBECONFIG) label node {} node-role.kubernetes.io/worker="" ; \
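Review bot: The failure handler added to setup_kurise, `|| { KIND_CLUSTER_NAME=$(E2E_CLUSTER_NAME) ./scripts/debugEnv.sh $(E2E_KUBECONFIG) "detail" "$(E2E_LOG_FILE)" ; exit 1 ; }`, is now a character-for-character copy of the one setup_spiderpool gains in the @@ -386 hunk, so the next change to debugEnv.sh's arguments has to be made in two recipes. A single-line `define` holding that block, expanded as `$(e2e_debug_and_fail)` in both places, keeps them in step. `E2E_LOG_FILE` is not defined within either hunk; if it is unset the script receives an empty third argument, which is worth confirming debugEnv.sh tolerates. Both recipes begin and continue outside the hunks shown.
```make
# Shared failure handler: dump cluster diagnostics to E2E_LOG_FILE, then fail the recipe.
define e2e_debug_and_fail
{ KIND_CLUSTER_NAME=$(E2E_CLUSTER_NAME) ./scripts/debugEnv.sh $(E2E_KUBECONFIG) "detail" "$(E2E_LOG_FILE)" ; exit 1 ; }
endef

# … unchanged: setup_kurise recipe up to the helm call …
	helm upgrade --install kruise openkruise/kruise --wait --timeout 20m --debug --set manager.image.repository=$(E2E_OPENKRUISE_IMAGE) \
	--kubeconfig $(E2E_KUBECONFIG) || $(e2e_debug_and_fail) ; \

# … unchanged: setup_spiderpool recipe up to its helm options …
	--kubeconfig $(E2E_KUBECONFIG) || $(e2e_debug_and_fail) ; \
```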