Merge pull request #5204 from inspec/cw/add-tk-testing

Reinstate resource testing on supported platforms using Test-Kitchen
2024-11-10 15:14:23 +00:00 · 2021-05-03 17:01:30 -04:00 · 2021-05-03 17:01:30 -04:00 · fa485a0fdd
commit fa485a0fdd
parent dde2017bec e9c82c62de
12 changed files with 155 additions and 178 deletions
--- a/.expeditor/config.yml
+++ b/.expeditor/config.yml
@ -40,6 +40,7 @@ pipelines:
 - integration/resources:
    description: Test core resources with test-kitchen.
    definition: .expeditor/integration.resources.yml
+    trigger: pull_request
 # This breaks expeditor as it does not yet exist
 # - integration/libraries:
 #    description: Integration with plugins, gems, resource packs.
--- a/.expeditor/integration.resources.yml
+++ b/.expeditor/integration.resources.yml
@ -1 +1,21 @@
-#
+---
+expeditor:
+  defaults:
+    buildkite:
+      timeout_in_minutes: 60
+      retry:
+        automatic:
+          limit: 1
+
+steps:
+  - label: Resource-Platform Tests
+    command:
+      - RAKE_TASK=test:kitchen /workdir/.expeditor/buildkite/verify.sh
+    expeditor:
+      executor:
+        docker:
+          environment:
+            - CONCURRENCY: 3
+            - DOCKER: 1
+            - KITCHEN_YAML: kitchen.dokken.yml
+          image: ruby:2.7
--- a/13
+++ b/13
@ -48,3 +48,16 @@ end
 group :deploy do
  gem "inquirer"
 end
+
+# Only include Test Kitchen support if we are on Ruby 2.7 or higher
+# as chef-zero support requires Ruby 2.6
+# See https://github.com/inspec/inspec/pull/5341
+if Gem.ruby_version >= Gem::Version.new("2.7.0")
+  group :kitchen do
+    gem "berkshelf"
+    gem "test-kitchen", ">= 2.8"
+    gem "kitchen-inspec", ">= 2.0"
+    gem "kitchen-dokken", ">= 2.11"
+    gem "git"
+  end
+end
--- a/4
+++ b/4
@ -255,14 +255,14 @@ namespace :test do
  # Inject a prerequisite task
  task unit: [:accept_license]

-  task :integration, [:os] do |task, args|
+  task :kitchen, [:os] do |task, args|
    concurrency = ENV["CONCURRENCY"] || 1
    os = args[:os] || ENV["OS"] || ""
    ENV["DOCKER"] = "true" if ENV["docker"].nil?
    sh("bundle exec kitchen test -c #{concurrency} #{os}")
  end
  # Inject a prerequisite task
-  task integration: [:accept_license]
+  task kitchen: [:accept_license]

  task :ssh, [:target] do |_t, args|
    tests_path = File.join(File.dirname(__FILE__), "test", "integration", "test", "integration", "default")
--- a/dev-docs/integration-testing.md
+++ b/dev-docs/integration-testing.md
@ -2,7 +2,7 @@

 ## Introduction

-Chef InSpec uses Test Kitchen for its integration testing. Our current testing uses Docker as our backend. You should install and have Docker running befor you run any tests.
+Chef InSpec uses Test Kitchen for its integration testing. Our current testing uses Docker (kitchen-dokken) as our backend. You should install and have Docker running before you run any tests.

 ### How to run specific integrations

@ -23,8 +23,6 @@ bundle exec rake test:integration[default-ubuntu-1604]

 We run the test/integration/default profile at the end of each integration test in the verify stage. This confirms that our current code is compatible with test kitchen.

-### Audit Testing
+### Why no audit cookbook testing?

-For Audit cookbook testing Chef InSpec sets up some special hooks. The integration rake command will bundle up the current checkout into a gem which is passed along to test kitchen in the os_prepare cookbook. When this cookbook is run it will install the local inspec gem. Audit will then use this gem accordingly when running in the post chef-client validators. The .kitchen.yml is setup to export the audit report to a json file which we look for and confirm the structure in the test/integration/default/controls/audit_spec.rb file.
-
-In the validation file we confirm that the file was created from audit and that the structure looks correct. We also validate that the inspec ran with audit is the same that the current branch is using. This validates that audit did not use a older version for some reason.
+Audit cookbook testing is handled in the audit cookbook repo. In addition, the audit cookbook restricts which InSpec gem can be installed, forcing the installation from Rubygems for Chef clients 15+. Since we need to test with the from-source inspec gem, we can't use that approach. Instead, we don't test using audit cookbook here.
--- a/kitchen.dokken.yml
+++ b/kitchen.dokken.yml
@ -0,0 +1,101 @@
+---
+driver:
+  name: dokken
+  chef_version: :latest
+  privileged: true # because Docker and SystemD/Upstart
+
+transport:
+  name: dokken
+
+provisioner:
+  name: dokken
+
+verifier:
+  name: inspec
+  sudo: true
+
+# Test against every supported target platform for which we have a dokken image.
+# If we don't have a dokken image, see kitchen.chef.yml for Vagrant-based testing.
+# Try to keep this list up to date!
+# Visit https://hub.docker.com/search and https://github.com/test-kitchen/dokken-images to search for new images
+platforms:
+
+- name: amazonlinux-2
+  driver:
+    image: dokken/amazonlinux-2
+    pid_one_command: /usr/lib/systemd/systemd
+
+- name: centos-7
+  driver:
+    image: dokken/centos-7
+    pid_one_command: /usr/lib/systemd/systemd
+- name: centos-8
+  driver:
+    image: dokken/centos-8
+    pid_one_command: /usr/lib/systemd/systemd
+
+- name: debian-9
+  driver:
+    image: dokken/debian-9
+    pid_one_command: /bin/systemd
+    intermediate_instructions:
+      - RUN /usr/bin/apt-get update -y
+- name: debian-10
+  driver:
+    image: dokken/debian-10
+    pid_one_command: /bin/systemd
+    intermediate_instructions:
+      - RUN /usr/bin/apt-get update -y
+
+- name: fedora-latest
+  driver:
+    image: dokken/fedora-latest
+    pid_one_command: /usr/lib/systemd/systemd
+
+- name: oraclelinux-7
+  driver:
+    image: dokken/oraclelinux-7
+    pid_one_command: /usr/lib/systemd/systemd
+- name: oraclelinux-8
+  driver:
+    image: dokken/oraclelinux-8
+    pid_one_command: /usr/lib/systemd/systemd
+
+- name: opensuse-leap
+  driver:
+    image: dokken/opensuse-leap-15
+    pid_one_command: /bin/systemd
+
+- name: ubuntu-18.04
+  driver:
+    image: dokken/ubuntu-18.04
+    pid_one_command: /bin/systemd
+    intermediate_instructions:
+      - RUN /usr/bin/apt-get update -y
+- name: ubuntu-20.04
+  driver:
+    image: dokken/ubuntu-20.04
+    pid_one_command: /bin/systemd
+    intermediate_instructions:
+      - RUN /usr/bin/apt-get update -y
+
+suites:
+- name: resources
+  run_list:
+  - recipe[os_prepare]
+  verifier:
+    inspec_tests:
+      # TODO - split these out into core, database, unix, and windows resources
+      - test/kitchen/policies/default
+  attributes:
+    osprepare:
+      docker: true
+      application: false
+
+# These are planned for the future
+# Suites which exercise resources that exercise databases
+# - name: resources-database
+# Unix-only resources
+# - name: resources-unix
+# Windows-only resources
+# - name: resources-windows
--- a/kitchen.yml
+++ b/kitchen.yml
@ -1,122 +0,0 @@
---
-driver:
-  name: dokken
-  chef_version: 14.12.9
-  privileged: true # because Docker and SystemD/Upstart
-
-transport:
-  name: dokken
-
-lifecycle:
-  pre_converge:
-    - local: cd inspec-bin && gem build inspec-core-bin.gemspec --output ../test/kitchen/cookbooks/install_inspec/files/inspec-core-bin.gem
-    - local: gem build inspec-core.gemspec --output test/kitchen/cookbooks/install_inspec/files/inspec-core.gem
-
-provisioner:
-  name: dokken
-  client_rb:
-    data_collector.server_url: <%= ENV['COLLECTOR_URL'] %>
-    data_collector.token: <%= ENV['COLLECTOR_TOKEN'] %>
-    ssl_verify_mode: :verify_none
-    verify_api_cert: false
-
-verifier:
-  name: inspec
-  sudo: true
-
-platforms:
- name: amazonlinux
-  driver:
-    image: dokken/amazonlinux
-    pid_one_command: /sbin/init
-
- name: amazonlinux-2
-  driver:
-    image: dokken/amazonlinux-2
-    pid_one_command: /usr/lib/systemd/systemd
-
- name: centos-6
-  driver:
-    image: dokken/centos-6
-    pid_one_command: /sbin/init
-
- name: centos-7
-  driver:
-    image: dokken/centos-7
-    pid_one_command: /usr/lib/systemd/systemd
-
- name: debian-9
-  driver:
-    image: dokken/debian-9
-    pid_one_command: /bin/systemd
-    intermediate_instructions:
-      - RUN /usr/bin/apt-get update -y
-
- name: debian-10
-  driver:
-    image: dokken/debian-10
-    pid_one_command: /bin/systemd
-    intermediate_instructions:
-      - RUN /usr/bin/apt-get update -y
-
- name: fedora-29
-  driver:
-    image: dokken/fedora-29
-    pid_one_command: /usr/lib/systemd/systemd
-
- name: oraclelinux-6
-  driver:
-    image: dokken/oraclelinux-6
-    pid_one_command: /sbin/init
-
- name: oraclelinux-7
-  driver:
-    image: dokken/oraclelinux-7
-    pid_one_command: /usr/lib/systemd/systemd
-
- name: opensuse-leap
-  driver:
-    image: dokken/opensuse-leap-42
-    pid_one_command: /bin/systemd
-
- name: ubuntu-16.04
-  driver:
-    image: dokken/ubuntu-16.04
-    pid_one_command: /bin/systemd
-    intermediate_instructions:
-      - RUN /usr/bin/apt-get update -y
-
- name: ubuntu-18.04
-  driver:
-    image: dokken/ubuntu-18.04
-    pid_one_command: /bin/systemd
-    intermediate_instructions:
-      - RUN /usr/bin/apt-get update -y
-
-suites:
- name: resources-core
-  run_list:
-  - recipe[os_prepare]
-  - recipe[audit]
-  verifier:
-    inspec_tests:
-      - test/kitchen/policies/resources-core
-  attributes:
-    audit:
-      attributes:
-        audit_attribute: 'Attribute Override!'
-      insecure: true
-      reporter: ['json-file','chef-automate']
-      fetcher: 'chef-automate'
-      json_file:
-        location: /tmp/json_export.json
-      profiles:
-        - name: integration
-          url: https://github.com/inspec/inspec-integration-profile/archive/master.zip
-    osprepare:
-      docker: true
-      application: false
-
- name: resources-database
- name: resources-unix
- name: resources-windows
--- a/test/kitchen/cookbooks/install_inspec/recipes/default.rb
+++ b/test/kitchen/cookbooks/install_inspec/recipes/default.rb
@ -8,10 +8,15 @@ cookbook_file "/root/inspec-core-bin.gem" do
  action :create
 end

+# Must explicitly remove then re-install as it has an executable file
+# conflict with the incoming package
+chef_gem "inspec-core" do
+  action :remove
+end

 chef_gem "inspec-core" do
  source "/root/inspec-core.gem"
-  action :upgrade
+  action :install
 end

 chef_gem "inspec-core-bin" do
--- a/test/kitchen/cookbooks/os_prepare/recipes/default.rb
+++ b/test/kitchen/cookbooks/os_prepare/recipes/default.rb
@ -3,10 +3,6 @@

 apt_update if platform_family?("debian")

-# inject the current inspec gem for use with audit cookbook
-# this is generated via Rake test:integration
-include_recipe("install_inspec")
-
 def uuid_from_string(string)
  require "digest/sha1"
  hash = Digest::SHA1.new
--- a/test/kitchen/cookbooks/os_prepare/recipes/iptables.rb
+++ b/test/kitchen/cookbooks/os_prepare/recipes/iptables.rb
@ -1,8 +1,11 @@
+if platform_family?("rhel", "debian", "amazon", "suse")
+  package "iptables"
+  if platform?("centos", "oracle")
+    package value_for_platform([ "centos", "oracle" ] => {"< 8" => "iptables-ipv6", ">= 8" => "iptables"})
+  end
+end
+
 if platform_family?("rhel", "debian", "fedora", "amazon", "suse")
-  package value_for_platform_family(
-    %w{centos oracle} => %w{iptables iptables-ipv6},
-    "default" => [ "iptables" ]
-  )
  # IPv4
  execute "iptables -A INPUT -i eth0 -p tcp -m tcp "\
          "--dport 80 -m state --state NEW -m comment "\
--- a/test/kitchen/policies/default/controls/_debug_spec.rb
+++ b/test/kitchen/policies/default/controls/_debug_spec.rb
@ -2,6 +2,7 @@ $stderr.puts "-----------------------------------"
 $stderr.puts "        TEST ENVIRONMENT           "
 $stderr.puts "-----------------------------------"
 $stderr.puts "    Docker: #{!ENV['DOCKER'].nil?}"
+$stderr.puts "    InSpec: #{Inspec::VERSION}"
 $stderr.puts "   OS name: #{os[:name] || 'unknown' }"
 $stderr.puts "OS release: #{os[:release] || 'unknown'}"
 $stderr.puts " OS family: #{os[:family] || 'unknown'}"
--- a/test/kitchen/policies/default/controls/audit_spec.rb
+++ b/test/kitchen/policies/default/controls/audit_spec.rb
@ -1,39 +0,0 @@
-# This file tests the audit validation which runs as part of the
-# chef-client process. This is setup to export to a json file in the .kitchen.yml
-#
-# For more info please see docs/dev/integratin_test.md
-
-control 'Test audit cookbook json exist' do
-  describe file('/tmp/json_export.json') do
-    it { should exist }
-    its('size') { should > 0 }
-  end
-end
-
-# Grab bundled inspec version. This should be the same as the one
-# passed for audit cookbook. If its not, you should do a `bundle install`
-inspec_version = Inspec::VERSION
-# or: Gem.loaded_specs['inspec'].version.to_s rescue Inspec::VERSION
-
-control 'Test audit cookbook json output' do
-  describe json('/tmp/json_export.json') do
-    its(['platform', 'name']) { should eq platform.name }
-    its(['statistics', 'duration']) { should  > 0 }
-    its('version') { should cmp inspec_version }
-  end
-end
-
-# make sure all tests passed
-file = file('/tmp/json_export.json')
-if file.exist?
-  json = JSON.parse(file.content)
-  json['profiles'].first['controls'].each do |child_control|
-    child_control['results'].each do |result|
-      control result['code_desc'] do
-        describe json(content: result.to_json) do
-          its('status') { should cmp 'passed' }
-        end
-      end
-    end
-  end
-end