
feat(k8s-test): Try login and obtain API token #11656

Merged
merged 2 commits into DefectDojo:dev from k8s_test_login_and_api
Feb 6, 2025

Conversation

kiblik
Contributor

@kiblik kiblik commented Jan 26, 2025

Reopen #10496

@kiblik kiblik force-pushed the k8s_test_login_and_api branch 2 times, most recently from 2907ab4 to 5e8ef99 Compare January 26, 2025 14:54
@kiblik kiblik force-pushed the k8s_test_login_and_api branch 2 times, most recently from 68fe4d3 to e044215 Compare January 26, 2025 18:43
@kiblik kiblik marked this pull request as ready for review January 26, 2025 18:55
@kiblik kiblik force-pushed the k8s_test_login_and_api branch from e044215 to 64775a9 Compare January 26, 2025 22:24
@github-actions github-actions bot removed the docker label Jan 26, 2025

dryrunsecurity bot commented Jan 26, 2025

DryRun Security Summary

The GitHub Actions workflow file k8s-tests.yml manages the secure deployment of DefectDojo on a Kubernetes cluster using Minikube, including setup of essential components like PostgreSQL and Redis, validation steps, credential management, and error handling mechanisms.


Summary:

The provided code change is for a GitHub Actions workflow file named k8s-tests.yml that is responsible for deploying the DefectDojo application on a Kubernetes cluster using Minikube. From an application security perspective, the key points to highlight are:

  1. The workflow sets up a Minikube cluster, loads the necessary Docker images, and deploys the DefectDojo application using Helm, including the database (PostgreSQL) and message broker (Redis) components, which are important from a security perspective as they handle sensitive application data.

  2. The workflow includes several steps to validate the deployment, including checking the status of the Kubernetes resources, waiting for the pods to be ready, and performing a login check, which helps ensure the application is deployed correctly and is accessible.

  3. The workflow retrieves the admin password for the DefectDojo application from a Kubernetes secret, which is a common practice, but it's important to ensure that these credentials are properly managed and rotated periodically to maintain security.

  4. The workflow performs a simple API check by authenticating with the DefectDojo API using the admin credentials, which is a good practice to ensure the application is functioning correctly, but it's important to consider the security implications of hardcoding these credentials in the workflow.

  5. The workflow includes error handling mechanisms, such as retrying the login check and dumping the logs of any pods in an error state, which helps with troubleshooting and identifying potential security issues that may arise during the deployment process.

Files Changed:

  • .github/workflows/k8s-tests.yml: This file is a GitHub Actions workflow that is responsible for deploying the DefectDojo application on a Kubernetes cluster using Minikube. The changes in this file focus on ensuring a reliable and secure deployment of the application, including setting up the Kubernetes cluster, validating the deployment, and handling errors.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.


Contributor

@mtesauro mtesauro left a comment


Approved

echo "Simple API check"
CR=$(kubectl run curl --quiet=true --image=curlimages/curl:7.73.0 \
--overrides='{ "apiVersion": "v1" }' \
--restart=Never -i --rm -- -s -m 20 --header "Host: $DD_HOSTNAME" http://`kubectl get service defectdojo-django -o json \
Contributor


@kiblik kubectl get svc defectdojo-django -o jsonpath='{.spec.clusterIP}'
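The login and API-token check that the DryRun summary describes, combined with the jsonpath lookup suggested in the review thread above, as an added example script that is not the PR's workflow code. It assumes the Helm release's admin secret is named `defectdojo` with key `DD_ADMIN_PASSWORD`, the service is `defectdojo-django`, the token endpoint is DefectDojo's `/api/v2/api-token-auth/`, and `DD_HOSTNAME` matches the ingress host; `retry_until` and `token_from_json` run offline, while `api_token_check` and `dump_failed_pods` need a cluster.

```shell
#!/bin/sh
# Added example, not the PR's workflow code. Assumed names: secret `defectdojo`
# (key DD_ADMIN_PASSWORD), service `defectdojo-django`, DefectDojo token
# endpoint /api/v2/api-token-auth/; DD_HOSTNAME must match the ingress host.
set -eu
DD_HOSTNAME="${DD_HOSTNAME:-defectdojo.default.minikube.local}"

# retry_until <attempts> <delay_s> <cmd...>: rerun cmd until it succeeds;
# returns the last non-zero status once the attempts are exhausted.
retry_until() {
  attempts="$1"; delay="$2"; n=1; shift 2
  while :; do
    "$@" && return 0
    rc=$?
    [ "$n" -ge "$attempts" ] && return "$rc"
    n=$((n + 1)); sleep "$delay"
  done
}

# token_from_json <json>: pull "token" out of {"token": "..."} without jq;
# prints nothing when the field is absent (e.g. {"detail": "..."} on bad creds).
token_from_json() {
  printf '%s' "$1" | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# api_token_check: resolve the service IP with jsonpath (the reviewer's
# suggestion, instead of parsing -o json), read the admin password from the
# secret, then request a token from inside the cluster via a pinned curl pod.
# Only pass/fail is reported: the password and token never reach the CI log.
# (The JSON body assumes a password without '"' or '\' characters.)
api_token_check() {
  ip=$(kubectl get svc defectdojo-django -o jsonpath='{.spec.clusterIP}')
  pw=$(kubectl get secret defectdojo -o jsonpath='{.data.DD_ADMIN_PASSWORD}' | base64 -d)
  body=$(kubectl run curl --quiet=true --image=curlimages/curl:7.73.0 \
    --restart=Never -i --rm -- -s -m 20 --header "Host: $DD_HOSTNAME" \
    -H 'Content-Type: application/json' \
    -d "{\"username\":\"admin\",\"password\":\"$pw\"}" \
    "http://$ip/api/v2/api-token-auth/")
  [ -n "$(token_from_json "$body")" ]
}

# dump_failed_pods: print logs of every pod whose STATUS is not Running or
# Completed, so a failed check leaves evidence in the CI output.
dump_failed_pods() {
  kubectl get pods --no-headers | awk '$3 != "Running" && $3 != "Completed" {print $1}' |
    while read -r p; do echo "== $p"; kubectl logs "$p" --all-containers || true; done
}

# main: on a real cluster, retry the login/API check and dump logs on failure.
main() {
  retry_until 10 15 api_token_check || { dump_failed_pods; return 1; }
  echo "API token check passed"
}
```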

@kiblik kiblik force-pushed the k8s_test_login_and_api branch 2 times, most recently from 85c456e to dbdd175 Compare February 3, 2025 18:39
cneill
cneill previously approved these changes Feb 4, 2025
@cneill cneill dismissed their stale review February 4, 2025 17:43

unit tests

@cneill
Contributor

cneill commented Feb 4, 2025

Any idea why the k8s unit tests are failing? I tried re-running, but no dice.

[Screenshot: failing k8s unit test checks, 2025-02-04]

@kiblik kiblik force-pushed the k8s_test_login_and_api branch from dbdd175 to e74f1f0 Compare February 4, 2025 21:27
@github-actions github-actions bot added the helm label Feb 4, 2025
@kiblik kiblik force-pushed the k8s_test_login_and_api branch from e74f1f0 to d534dbd Compare February 4, 2025 21:38
@github-actions github-actions bot removed the helm label Feb 4, 2025
@kiblik kiblik force-pushed the k8s_test_login_and_api branch from d534dbd to 04df7c1 Compare February 4, 2025 22:00
@kiblik kiblik requested review from cneill and dsever February 4, 2025 22:10
@kiblik
Contributor Author

kiblik commented Feb 4, 2025

> Any idea why the k8s unit tests are failing? I tried re-running, but no dice.

Fixed

@mtesauro mtesauro merged commit 45d9dfe into DefectDojo:dev Feb 6, 2025
73 checks passed
@kiblik kiblik deleted the k8s_test_login_and_api branch February 6, 2025 07:12