feat: add e2e-minishift Makefile target and workflow job

Signed-off-by: Hristo Hristov <me@hhristov.info>

.github/workflows/coverage.yml

@@ -56,7 +56,7 @@ jobs:
         with:
           args: '-no-fail -fmt sarif -out gosec.sarif ./...'
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@b623f5fd572a69d335c9da3487c1ce53741a09bf
+        uses: github/codeql-action/upload-sarif@0ec47d036c68ae0cf94c629009b1029407111281
         with:
           sarif_file: gosec.sarif
   unit_tests:

.github/workflows/docker-build.yml

@@ -40,6 +40,6 @@ jobs:
           # See: https://github.com/aquasecurity/trivy-action/issues/389#issuecomment-2385416577
           TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@b623f5fd572a69d335c9da3487c1ce53741a09bf
+        uses: github/codeql-action/upload-sarif@0ec47d036c68ae0cf94c629009b1029407111281
         with:
           sarif_file: 'trivy-results.sarif'

.github/workflows/e2e.yml

@@ -65,3 +65,19 @@ jobs:
 
       - name: e2e (Enterprise)
         run: sudo KUBERNETES_SUPPORTED_VERSION=${{ matrix.k8s-version }} make e2e
+  e2e-openshift:
+    name: E2E Testing (MINC)
+    runs-on: ubuntu-latest-8-cores
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version-file: 'go.mod'
+
+      - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
+
+      - name: e2e
+        run: sudo make e2e-openshift

.github/workflows/releaser.yml

@@ -30,7 +30,7 @@ jobs:
         timeout-minutes: 5
         continue-on-error: true
       - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
-      - uses: anchore/sbom-action/download-syft@f0d33c151c04af6fcbf4363834e838fcc7c87783
+      - uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610
       - name: Install Cosign
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
       - name: Run GoReleaser

Makefile

@@ -113,7 +113,7 @@ dev-destroy: kind
 	$(KIND) delete cluster --name capsule
 
 dev-install-deps: dev-setup-fluxcd dev-setup-cert-manager dev-install-gw-api-crds  wait-for-helmreleases
-
+dev-install-deps-openshift: dev-setup-fluxcd-openshift dev-setup-cert-manager dev-install-gw-api-crds  wait-for-helmreleases
 API_GW         := none
 API_GW_VERSION := v1.3.0
 API_GW_LOOKUP  := kubernetes-sigs/gateway-api
@@ -189,6 +189,7 @@ dev-setup:
 		./charts/capsule || true
 
 setup-monitoring: dev-setup-fluxcd
+
 	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/monitoring | envsubst | kubectl apply -f -
 	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/monitoring/dashboards | kubectl apply -f -
 	@$(MAKE) wait-for-helmreleases
@@ -210,7 +211,14 @@ dev-setup-cert-manager:
 	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/cert-manager | envsubst | kubectl apply -f -
 
 dev-setup-fluxcd:
-	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/fluxcd | envsubst | kubectl apply -f -
+	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/fluxcd | envsubst | kubectl apply -f -; \
+
+dev-setup-cert-manager-openshift:
+	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/cert-manager | envsubst | kubectl apply -f -
+
+dev-setup-fluxcd-openshift:
+	@$(KUBECTL) kustomize --load-restrictor='LoadRestrictionsNone' hack/distro/overlays/openshift | envsubst | kubectl apply -f -; \
+
 
 
 # Here to setup the current capsule version
@@ -345,6 +353,18 @@ golint: golangci-lint
 golint-fix: golangci-lint
 	$(GOLANGCI_LINT) run -c .golangci.yaml --verbose --fix
 
+.PHONY: e2e-openshift
+e2e-openshift: ginkgo
+	$(MAKE) e2e-build-openshift && $(MAKE) e2e-exec && $(MAKE) e2e-destroy-openshift
+e2e-build-openshift: minc
+	$(MINC) config set provider docker
+	$(MINC) create --disable-overlay-cache true
+	$(MINC) status
+	$(MAKE) dev-install-deps-openshift
+	$(MAKE) e2e-install-openshift
+
+e2e-destroy-openshift: minc
+	$(MINC) delete
 
 # Running e2e tests in a KinD instance
 .PHONY: e2e
@@ -375,6 +395,28 @@ e2e-install: helm-controller-version ko-build-all
 		capsule \
 		./charts/capsule
 
+.PHONY: e2e-install-openshift
+e2e-install-openshift: helm-controller-version ko-build-all
+	$(MAKE) e2e-load-image-openshift IMAGE=$(CAPSULE_IMG) VERSION=$(VERSION)
+	$(HELM) upgrade \
+	    --dependency-update \
+		--debug \
+		--install \
+		--namespace capsule-system \
+		--create-namespace \
+		--set 'replicaCount=2'\
+		--set 'manager.image.pullPolicy=Never' \
+		--set 'manager.resources=null'\
+		--set "manager.image.tag=$(VERSION)" \
+		--set 'manager.livenessProbe.failureThreshold=10' \
+		--set 'webhooks.hooks.nodes.enabled=true' \
+		--set "webhooks.exclusive=true"\
+		--set "manager.options.logLevel=debug"\
+		--set "jobs.podSecurityContext.enabled=false"\
+		--set "jobs.securityContext.enabled=false"\
+		capsule \
+		./charts/capsule
+
 .PHONY: trace-install
 trace-install:
 	helm upgrade \
@@ -413,6 +455,12 @@ seccomp:
 e2e-load-image: kind
 	$(KIND) load docker-image $(IMAGE):$(VERSION) --name $(CLUSTER_NAME)
 
+.PHONY: e2e-load-image-openshift
+e2e-load-image-openshift: minc
+	docker save $(IMAGE):$(VERSION) > capsule.tar
+	docker cp capsule.tar microshift:/tmp/
+	docker exec microshift sh -c 'podman load -i /tmp/capsule.tar'
+
 .PHONY: e2e-exec
 e2e-exec: ginkgo
 	$(GINKGO) -v -tags e2e ./e2e
@@ -472,6 +520,13 @@ ct:
 	@test -s $(CT) && $(CT) version | grep -q $(CT_VERSION) || \
 	$(call go-install-tool,$(CT),github.com/$(CT_LOOKUP)/v3/ct@$(CT_VERSION))
 
+MINC:= $(LOCALBIN)/minc
+MINC_VERSION := 573415ebe9bb0dcb24f682763f5d8c238e62d694 # https://github.com/minc-org/minc/pull/57
+MINC_LOOKUP  := minc-org/minc
+minc:
+	echo "Installing minc to $(MINC)" && \
+	$(call go-install-tool,$(MINC),github.com/$(MINC_LOOKUP)/cmd/minc@$(MINC_VERSION))
+
 KIND         := $(LOCALBIN)/kind
 KIND_VERSION := v0.31.0
 KIND_LOOKUP  := kubernetes-sigs/kind

hack/distro/overlays/openshift/kustomization.yaml

@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../fluxcd
+  - https://raw.githubusercontent.com/fluxcd/flux2/main/manifests/openshift/scc.yaml
+patches:
+  - target:
+      kind: Deployment
+      labelSelector: app.kubernetes.io/part-of=flux
+    patch: |
+      apiVersion: apps/v1
+      kind: Deployment
+      metadata:
+        name: all
+      spec:
+        template:
+          spec:
+            securityContext:
+              $patch: delete
+            containers:
+              - name: manager
+                securityContext:
+                  seccompProfile:
+                    $patch: delete
+
+  - target:
+      kind: Namespace
+      labelSelector: app.kubernetes.io/part-of=flux
+    patch: |-
+      - op: remove
+        path: /metadata/labels/pod-security.kubernetes.io~1warn
+      - op: remove
+        path: /metadata/labels/pod-security.kubernetes.io~1warn-version