8e146bf
feat: add hardening scan support for multiple services and update wor…
borislavr Apr 29, 2026
666b7a0
chore: enable Trivy scan in OpenSearch workflow
borislavr Apr 30, 2026
cb5e7bf
fix: typo in file name and zookeeper.yaml workflow
borislavr May 8, 2026
def973c
chore: bump k8s-hardening-scan action from v2.2.1 to v2.2.2
borislavr May 8, 2026
0d36a4f
chore: remove upgrade comment from monitoring_hardening.yaml
borislavr May 12, 2026
9f43a61
chore: consul & opensearch hardening templates adjustment
borislavr May 13, 2026
57a06be
chore: fix smServiceAccountName formatting in YAML
borislavr May 14, 2026
68d0a5d
chore: update service account name in Consul configuration
borislavr May 14, 2026
6f008cb
chore: update k8s hardening scan action version
borislavr May 14, 2026
36b8600
chore: update k8s-hardening-scan action to improved version
borislavr May 14, 2026
d504bb5
feat: enable monitoring in OpenSearch hardening workflow
borislavr May 14, 2026
4834920
chore: disabled monitoring for opensearch
borislavr May 14, 2026
d475eb0
chore: disabled monitoring for opensearch
borislavr May 14, 2026
5759c5e
feat: added disasterRecovery into opensearch
borislavr May 14, 2026
56c6e04
feat: added tls mode for opensearch
borislavr May 14, 2026
0cd7785
feat: opensearch
borislavr May 14, 2026
96b9e17
feat: opensearch
borislavr May 14, 2026
ed102a1
feat: add hardening check to monitoring workflow
borislavr May 18, 2026
cbb5b40
chore: switched on monitoring installation for zookeeper in hardening…
borislavr May 19, 2026
065c5fc
feat: update hardening check action to use main branch in workflows
borislavr May 21, 2026
4fe453c
fix: update test tags to use 'smoke' for consistency in monitoring an…
borislavr May 21, 2026
327d581
chore: update opensearch_clean_all_on_sc_hardening.yml
borislavr May 22, 2026
19 changes: 16 additions & 3 deletions .github/workflows/consul.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ on:
required: false
default: ubuntu-latest
scope:
description: Consul Test Scope (pr or nightly)
description: Consul Test Scope (pr, nightly or hardening)
type: string
required: false
default: pr
Expand Down Expand Up @@ -57,7 +57,7 @@ on:
required: false
default: ubuntu-latest
scope:
description: Consul Test Scope (pr or nightly)
description: Consul Test Scope (pr, nightly or hardening)
type: string
required: false
default: pr
Expand Down Expand Up @@ -120,8 +120,10 @@ jobs:
CONFIG_FILE="./workflow-config/consul_nightly.yaml"
elif [[ "$SCOPE" == "pr" ]]; then
CONFIG_FILE="./workflow-config/consul.yaml"
elif [[ "$SCOPE" == "hardening" ]]; then
CONFIG_FILE="./workflow-config/consul_hardening.yaml"
else
echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr' or 'nightly'."
echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr', 'nightly' or 'hardening'."
exit 1
fi
./scripts/matrix.sh "$LATEST_TAG" "$CONFIG_FILE" "$SERVICE_BRANCH"
Expand Down Expand Up @@ -348,6 +350,17 @@ jobs:
if: matrix.test.sequence == 'upgrade'
run: sleep 90s

- name: Hardening Check
if: inputs.scope == 'hardening'
uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@main
with:
namespaces: consul
output-file: consul-hardening-scan.json
install-kubescape: true
execute-trivy-scan: false
fail-on-mandatory-checks: true
config-file: ${{ inputs.repository_name }}/.github/hardening-config.yaml

- name: Verify Consul upgrade
if: matrix.test.sequence == 'upgrade'
uses: ./qubership-test-pipelines/actions/shared/verify_installation
Expand Down
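Review bot: The new Hardening Check step pulls the scan action from a mutable branch (`uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@main`) while the same PR pins it by commit in pgskipper, rabbitmq and zookeeper, and the checkout action is SHA-pinned elsewhere in these workflows. This step runs with access to the test cluster and, via `fail-on-mandatory-checks: true`, decides whether the job passes, so anyone who can push to that branch can change the verdict or the code that handles the cluster credentials. Pin it like the sibling workflows: `uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@6a2de8d62ac5b6998e30f923613c998c263ea9f2 # v2.2.2`. No upload of `consul-hardening-scan.json` is visible in this hunk; if none exists later in the job, the report is lost on failure and only the step log remains. The enclosing job continues outside the hunk.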
34 changes: 33 additions & 1 deletion .github/workflows/monitoring.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,11 @@ on:
type: string
required: false
default: multi-node
scope:
description: Monitoring Test Scope (pr, nightly or hardening)
type: string
required: false
default: pr
skip_tests:
description: Skip all tests (for doc-only changes)
type: boolean
Expand Down Expand Up @@ -62,6 +67,11 @@ on:
type: string
required: false
default: multi-node
scope:
description: Monitoring Test Scope (pr, nightly or hardening)
type: string
required: false
default: pr
skip_tests:
description: Skip all tests (for doc-only changes)
type: boolean
Expand Down Expand Up @@ -100,12 +110,23 @@ jobs:
- name: Process versions file and matrix generation
id: process-versions
env:
SCOPE: ${{ inputs.scope }}
LATEST_TAG: ${{ steps.get-latest-tag.outputs.latest_tag }}
SERVICE_BRANCH: ${{ inputs.service_branch }}
working-directory: ${{ github.workspace }}/qubership-test-pipelines
run: |
chmod +x ./scripts/matrix.sh
./scripts/matrix.sh "$LATEST_TAG" ./workflow-config/monitoring.yaml "$SERVICE_BRANCH"
if [[ "$SCOPE" == "nightly" ]]; then
CONFIG_FILE="./workflow-config/monitoring_nightly.yaml"
elif [[ "$SCOPE" == "pr" ]]; then
CONFIG_FILE="./workflow-config/monitoring.yaml"
elif [[ "$SCOPE" == "hardening" ]]; then
CONFIG_FILE="./workflow-config/monitoring_hardening.yaml"
else
echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr', 'nightly' or 'hardening'."
exit 1
fi
./scripts/matrix.sh "$LATEST_TAG" "$CONFIG_FILE" "$SERVICE_BRANCH"

Monitoring-Test-Cases:
if: ${{ !inputs.skip_tests }}
Expand Down Expand Up @@ -209,6 +230,17 @@ jobs:
if: matrix.test.sequence == 'upgrade'
run: sleep 2m

- name: Hardening Check
if: inputs.scope == 'hardening'
uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@main
with:
namespaces: monitoring
output-file: monitoring-hardening-scan.json
install-kubescape: true
execute-trivy-scan: true
fail-on-mandatory-checks: true
config-file: ${{ inputs.repository_name }}/.github/hardening-config.yaml

- name: Get Upgraded Monitoring CR name
if: matrix.test.sequence == 'upgrade'
uses: ./qubership-test-pipelines/actions/shared/get_crds
Expand Down
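Review bot: `uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@main` in the Hardening Check step is an unpinned third-party action, unlike the SHA-pinned copy used in the pgskipper/rabbitmq/zookeeper workflows of this same PR; because the step has cluster access and gates the job through `fail-on-mandatory-checks: true`, it should be pinned to the same commit, `@6a2de8d62ac5b6998e30f923613c998c263ea9f2 # v2.2.2`. Separately, the matrix step now selects `./workflow-config/monitoring_nightly.yaml` for `scope: nightly`, a file no commit in this PR appears to add; if it does not exist, callers that pass `nightly` will now fail in `matrix.sh` where they previously ran against `monitoring.yaml`. The step condition `if: inputs.scope == 'hardening'` does not restrict by `matrix.test.sequence`, so the scan runs once per matrix row in hardening scope, which is presumably intended only if the hardening config yields a single row. The enclosing job continues outside the hunk.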
19 changes: 16 additions & 3 deletions .github/workflows/opensearch.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ on:
required: false
default: ubuntu-latest
scope:
description: Opensearch Test Scope (pr or nightly)
description: Opensearch Test Scope (pr, nightly or hardening)
type: string
required: false
default: pr
Expand Down Expand Up @@ -55,7 +55,7 @@ on:
required: false
default: ubuntu-latest
scope:
description: Opensearch Test Scope (pr or nightly)
description: Opensearch Test Scope (pr, nightly or hardening)
type: string
required: false
default: pr
Expand Down Expand Up @@ -117,8 +117,10 @@ jobs:
CONFIG_FILE="./workflow-config/opensearch_nightly.yaml"
elif [[ "$SCOPE" == "pr" ]]; then
CONFIG_FILE="./workflow-config/opensearch.yaml"
elif [[ "$SCOPE" == "hardening" ]]; then
CONFIG_FILE="./workflow-config/opensearch_hardening.yaml"
else
echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr' or 'nightly'."
echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr', 'nightly' or 'hardening'."
exit 1
fi
./scripts/matrix.sh "$LATEST_TAG" "$CONFIG_FILE" "$SERVICE_BRANCH"
Expand Down Expand Up @@ -351,6 +353,17 @@ jobs:
if: ${{ matrix.test.sequence == 'upgrade' }}
run: sleep 1m

- name: Hardening Check
if: inputs.scope == 'hardening'
uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@main
with:
namespaces: opensearch
output-file: opensearch-hardening-scan.json
install-kubescape: true
execute-trivy-scan: true
fail-on-mandatory-checks: true
config-file: ${{ inputs.repository_name }}/.github/hardening-config.yaml

- name: Verify Opensearch upgrade to [${{ matrix.test.upgrade_version }}]
if: ${{ matrix.test.sequence == 'upgrade' }}
uses: ./qubership-test-pipelines/actions/shared/verify_installation
Expand Down
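Review bot: The Hardening Check step references the scan action by branch, `@main`, whereas pgskipper, rabbitmq and zookeeper in this PR pin the same action to `6a2de8d62ac5b6998e30f923613c998c263ea9f2 # v2.2.2`; for a step that runs against the cluster and fails the job via `fail-on-mandatory-checks: true`, a mutable ref means the gate's behaviour can change without any commit to this repository. Change the line to `uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@6a2de8d62ac5b6998e30f923613c998c263ea9f2 # v2.2.2` and bump deliberately. The step runs under `if: inputs.scope == 'hardening'` for every matrix row, including upgrade sequences that sleep just before it, so a row whose pods are still rolling may be scanned mid-upgrade; if the hardening config has more than one row, consider adding `&& matrix.test.sequence != 'upgrade'` or moving the step after the verify step. The enclosing job continues outside the hunk.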
34 changes: 33 additions & 1 deletion .github/workflows/pgskipper.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,11 @@ on:
type: string
required: false
default: ubuntu-latest
scope:
description: Pgskipper Test Scope (pr, nightly or hardening)
type: string
required: false
default: pr
service_versions_json:
description: PostgreSQL image versions as JSON
type: string
Expand Down Expand Up @@ -62,6 +67,11 @@ on:
type: string
required: false
default: ubuntu-latest
scope:
description: Pgskipper Test Scope (pr, nightly or hardening)
type: string
required: false
default: pr
service_versions_json:
description: PostgreSQL image versions as JSON
type: string
Expand Down Expand Up @@ -123,12 +133,23 @@ jobs:
- name: Process versions file and matrix generation
id: process-versions
env:
SCOPE: ${{ inputs.scope }}
LATEST_TAG: ${{ steps.get-latest-tag.outputs.latest_tag }}
SERVICE_BRANCH: ${{ inputs.service_branch }}
working-directory: ${{ github.workspace }}/qubership-test-pipelines
run: |
chmod +x ./scripts/matrix.sh
./scripts/matrix.sh "$LATEST_TAG" ./workflow-config/pgskipper.yaml "$SERVICE_BRANCH"
if [[ "$SCOPE" == "nightly" ]]; then
CONFIG_FILE="./workflow-config/pgskipper_nightly.yaml"
elif [[ "$SCOPE" == "pr" ]]; then
CONFIG_FILE="./workflow-config/pgskipper.yaml"
elif [[ "$SCOPE" == "hardening" ]]; then
CONFIG_FILE="./workflow-config/pgskipper_hardening.yaml"
else
echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr', 'nightly' or 'hardening'."
exit 1
fi
./scripts/matrix.sh "$LATEST_TAG" "$CONFIG_FILE" "$SERVICE_BRANCH"

- name: Parse JSON into matrix
id: parse-matrix
Expand Down Expand Up @@ -344,6 +365,17 @@ jobs:
if: matrix.test.sequence == 'upgrade'
run: sleep 10s

- name: Hardening Check
if: inputs.scope == 'hardening'
uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@6a2de8d62ac5b6998e30f923613c998c263ea9f2 # v2.2.2
with:
namespaces: pgskipper
output-file: pgskipper-hardening-scan.json
install-kubescape: true
execute-trivy-scan: false
fail-on-mandatory-checks: true
config-file: ${{ inputs.repository_name }}/.github/hardening-config.yaml

- name: Verify Pgskipper Services upgrade
if: matrix.test.sequence == 'upgrade'
uses: ./qubership-test-pipelines/actions/shared/verify_installation
Expand Down
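Review bot: `execute-trivy-scan: false` in the Hardening Check step switches off image vulnerability scanning for pgskipper while monitoring and opensearch enable it, and nothing in the hunk records why; a reader cannot tell whether this is a temporary gap or a decision. Add a comment above the line, e.g. `# Trivy disabled for pgskipper: <reason/ticket>; enable once images are scannable`, or enable it to match the other services. The action pin `@6a2de8d62ac5b6998e30f923613c998c263ea9f2 # v2.2.2` here is the right pattern and the consul/monitoring/opensearch workflows in this PR should follow it. The matrix step also starts selecting `./workflow-config/pgskipper_nightly.yaml` for `scope: nightly`; no commit in this PR appears to add that file, so confirm it exists or `nightly` callers will now fail at matrix generation. The enclosing job continues outside the hunk.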
19 changes: 16 additions & 3 deletions .github/workflows/rabbitmq.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ on:
required: false
default: ubuntu-latest
scope:
description: RabbitMQ Test Scope (pr or nightly)
description: RabbitMQ Test Scope (pr, nightly or hardening)
type: string
required: false
default: pr
Expand Down Expand Up @@ -56,7 +56,7 @@ on:
required: false
default: ubuntu-latest
scope:
description: RabbitMQ Test Scope (pr or nightly)
description: RabbitMQ Test Scope (pr, nightly or hardening)
type: string
required: false
default: pr
Expand Down Expand Up @@ -119,8 +119,10 @@ jobs:
CONFIG_FILE="./workflow-config/rabbitmq_nightly.yaml"
elif [[ "$SCOPE" == "pr" ]]; then
CONFIG_FILE="./workflow-config/rabbitmq.yaml"
elif [[ "$SCOPE" == "hardening" ]]; then
CONFIG_FILE="./workflow-config/rabbitmq_hardening.yaml"
else
echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr' or 'nightly'."
echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr', 'nightly' or 'hardening'."
exit 1
fi
./scripts/matrix.sh "$LATEST_TAG" "$CONFIG_FILE" "$SERVICE_BRANCH"
Expand Down Expand Up @@ -308,6 +310,17 @@ jobs:
if: ${{ matrix.test.sequence == 'upgrade' }}
run: sleep 1m

- name: Hardening Check
if: inputs.scope == 'hardening'
uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@6a2de8d62ac5b6998e30f923613c998c263ea9f2 # v2.2.2
with:
namespaces: rabbitmq
output-file: rabbitmq-hardening-scan.json
install-kubescape: true
execute-trivy-scan: false
fail-on-mandatory-checks: true
config-file: ${{ inputs.repository_name }}/.github/hardening-config.yaml

- name: Verify RabbitMQ upgrade
if: ${{ matrix.test.sequence == 'upgrade' }}
uses: ./qubership-test-pipelines/actions/shared/verify_installation
Expand Down
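Review bot: The Hardening Check step writes `rabbitmq-hardening-scan.json` but no artifact upload is visible in this hunk, and with `fail-on-mandatory-checks: true` a failed scan stops the job before anything later could publish it; if no upload exists elsewhere in the job, add an `actions/upload-artifact` step with `if: always()` directly after the scan so the report is available when the gate trips. `execute-trivy-scan: false` also leaves RabbitMQ images without CVE scanning while monitoring and opensearch enable it; a one-line comment stating the reason, such as `# Trivy disabled: <reason>`, would stop the next reader from assuming it is an oversight. The action is correctly SHA-pinned here. The enclosing job continues outside the hunk.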
42 changes: 37 additions & 5 deletions .github/workflows/zookeeper.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,11 @@ on:
type: string
required: false
default: ubuntu-latest
scope:
description: Zookeeper Test Scope (pr, nightly or hardening)
type: string
required: false
default: pr
skip_tests:
description: Skip all tests (for doc-only changes)
type: boolean
Expand Down Expand Up @@ -54,6 +59,11 @@ on:
type: boolean
required: false
default: false
scope:
description: Zookeeper Test Scope (pr, nightly or hardening)
type: string
required: false
default: pr

secrets:
AWS_S3_ACCESS_KEY_ID:
Expand Down Expand Up @@ -108,10 +118,21 @@ jobs:
env:
LATEST_TAG: ${{ steps.get-latest-tag.outputs.latest_tag }}
SERVICE_BRANCH: ${{ inputs.service_branch }}
SCOPE: ${{ inputs.scope }}
working-directory: ${{ github.workspace }}/qubership-test-pipelines
run: |
chmod +x ./scripts/matrix.sh
./scripts/matrix.sh "$LATEST_TAG" ./workflow-config/zookeeper.yaml "$SERVICE_BRANCH"
if [[ "$SCOPE" == "nightly" ]]; then
CONFIG_FILE="./workflow-config/zookeeper_nightly.yaml"
elif [[ "$SCOPE" == "pr" ]]; then
CONFIG_FILE="./workflow-config/zookeeper.yaml"
elif [[ "$SCOPE" == "hardening" ]]; then
CONFIG_FILE="./workflow-config/zookeeper_hardening.yaml"
else
echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr', 'nightly' or 'hardening'."
exit 1
fi
./scripts/matrix.sh "$LATEST_TAG" "$CONFIG_FILE" "$SERVICE_BRANCH"

Zookeeper-Test-Cases:
if: ${{ !inputs.skip_tests }}
Expand Down Expand Up @@ -273,6 +294,17 @@ jobs:
if: matrix.test.sequence == 'upgrade'
run: sleep 1m

- name: Hardening Check
if: inputs.scope == 'hardening'
uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@6a2de8d62ac5b6998e30f923613c998c263ea9f2 # v2.2.2
with:
namespaces: zookeeper
output-file: zookeeper-hardening-scan.json
install-kubescape: true
execute-trivy-scan: false
fail-on-mandatory-checks: true
config-file: ${{ inputs.repository_name }}/.github/hardening-config.yaml

- name: Verify Zookeeper upgrade
if: matrix.test.sequence == 'upgrade'
uses: ./qubership-test-pipelines/actions/shared/verify_installation
Expand Down Expand Up @@ -306,7 +338,7 @@ jobs:

# 15-Clean [LATEST] TLS
Clean-Latest-TLS:
if: ${{ !inputs.skip_tests }}
if: ${{ !inputs.skip_tests && inputs.scope != 'hardening' }}
runs-on: ${{ inputs.runner_type }}
name: Clean [${{ inputs.service_branch }}] TLS
steps:
Expand Down Expand Up @@ -407,7 +439,7 @@ jobs:

# 16-Clean [LATEST] TLS Secrets
Clean-Latest-TLS-Secrets:
if: ${{ !inputs.skip_tests }}
if: ${{ !inputs.skip_tests && inputs.scope != 'hardening' }}
runs-on: ${{ inputs.runner_type }}
needs: Clean-Latest-TLS
name: Clean [${{ inputs.service_branch }}] TLS Secrets
Expand Down Expand Up @@ -467,7 +499,7 @@ jobs:

# 17-Upgrade [LATEST] TLS Certificates -> Clean [LATEST] TLS Certificates
Clean-Latest-TLS-Certificates:
if: ${{ !inputs.skip_tests }}
if: ${{ !inputs.skip_tests && inputs.scope != 'hardening' }}
runs-on: ${{ inputs.runner_type }}
needs: Clean-Latest-TLS
name: Clean [${{ inputs.service_branch }}] TLS Certificates
Expand Down Expand Up @@ -529,7 +561,7 @@ jobs:
final-status-check:
if: ${{ always() }}
runs-on: ubuntu-latest
needs: [Zookeeper-Test-Cases, Clean-Latest-TLS-Certificates, Clean-Latest-TLS-Secrets]
needs: [Zookeeper-Test-Cases, Clean-Latest-TLS, Clean-Latest-TLS-Certificates, Clean-Latest-TLS-Secrets]
steps:
- name: Checkout pipeline
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v5.1.0
Expand Down
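Review bot: `final-status-check` now lists `Clean-Latest-TLS` in `needs`, and the same hunk guards that job (and the two TLS jobs that depend on it) with `inputs.scope != 'hardening'`, so under hardening scope all three arrive as `skipped`; because the check runs with `if: ${{ always() }}`, its steps (outside this hunk) must treat `needs.<job>.result == 'skipped'` as acceptable for that scope or every hardening run will be reported as failed. If they only accept `success`, gate the hardening case explicitly, e.g. `inputs.scope == 'hardening' || needs.Clean-Latest-TLS.result == 'success'`. The Hardening Check step is correctly pinned to `6a2de8d62ac5b6998e30f923613c998c263ea9f2 # v2.2.2`, and the `scope` input is validated in the shell through the `$SCOPE` environment variable rather than interpolated into the script, which is the safe form. The `final-status-check` job body continues outside the hunk.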