diff --git a/.github/workflows/deployment-test.yml b/.github/workflows/deployment-test.yml index 1a7b5cf3..6a62a2f7 100644 --- a/.github/workflows/deployment-test.yml +++ b/.github/workflows/deployment-test.yml @@ -14,9 +14,13 @@ permissions: id-token: write # This is required for requesting the JWT contents: read # This is required for actions/checkout +env: + AWS_REGION: us-west-1 + CLUSTER_NAMME: test-eks-deploy${{ github.event.number }} + jobs: EKS_deployment_test: - runs-on: ubuntu-20.04 + runs-on: ubuntu-24.04 steps: - name: Checkout code uses: actions/checkout@v4 @@ -27,7 +31,7 @@ jobs: uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ secrets.AWS_IAM_ROLE }} - aws-region: "${{ secrets.AWS_REGION }}" + aws-region: "${{ env.AWS_REGION }}" - name: Install eksctl run: | 
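Review bot: The new workflow-level env key `CLUSTER_NAMME` is misspelled, and because the cluster name, the IAM role name and every `eksctl` call in the later hunks (`@@ -40,36` and `@@ -81,20`) read it under that spelling, the typo propagates into AWS resource names; rename it to `CLUSTER_NAME` here and at each reference. Its value `test-eks-deploy${{ github.event.number }}` also dropped the hyphen the removed `--name test-eks-deploy-…` line had, and `github.event.number` is empty for triggers other than `pull_request`, so a non-PR run would reuse the bare name `test-eks-deploy`; the `on:` block is outside this hunk, so confirm the workflow only fires on pull requests or add a fallback such as `${{ github.run_id }}`. Suggested line: `CLUSTER_NAME: test-eks-deploy-${{ github.event.number }}`. Moving the region from `secrets.AWS_REGION` to a plain `env.AWS_REGION` (second hunk on this line) is fine — the region is not sensitive and this makes it greppable.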
@@ -40,36 +44,36 @@ jobs: - name: Deploy eks cluster run: | - eksctl create cluster && \ - --name test-eks-deploy-${{ github.event.number }} && \ - --with-oidc && \ - --region us-east-1 && \ - --nodes-min 6 && \ - --nodes-max 6 && \ - --managed && \ - --spot && \ - -t t3a.medium && \ + eksctl create cluster \ + --name ${{ env.CLUSTER_NAMME }} \ + --with-oidc \ + --region ${{ env.AWS_REGION }} \ + --nodes-min 6 \ + --nodes-max 6 \ + --managed \ + --spot \ + -t t3a.medium \ --tags "issue=https://github.com/wazuh/wazuh-kubernetes/pull/${{ github.event.number }},team=devops,termination_date=2030-01-01 21:00:00" - name: Create sa for ebs-csi-controller run: | - eksctl create iamserviceaccount && \ - --name ebs-csi-controller-sa && \ - --region us-east-1 && \ - --namespace kube-system && \ - --cluster test-eks-deploy-${{ github.event.number }} && \ - --role-name AmazonEKS_EBS_CSI_DriverRole_test-eks-deploy-${{ github.event.number }} && \ - --role-only && \ - --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy && \ + eksctl create iamserviceaccount \ + --name ebs-csi-controller-sa \ + --region ${{ env.AWS_REGION }} \ + --namespace kube-system \ + --cluster ${{ env.CLUSTER_NAMME }} \ + --role-name eksctl-EBS-CSI-DriverRole-${{ env.CLUSTER_NAMME }} \ + --role-only \ + --attach-policy-arn arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy \ --approve - name: Install addon aws-ebs-csi-driver into a eks cluster deployed run: | - eksctl create addon && \ - --name aws-ebs-csi-driver && \ - --cluster test-eks-deploy-${{ github.event.number }} && \ - --region ${{ secrets.AWS_REGION }} && \ - --service-account-role-arn arn:aws:iam::567970947422:role/AmazonEKS_EBS_CSI_DriverRole_test-eks-deploy-${{ github.event.number }} && \ + eksctl create addon \ + --name aws-ebs-csi-driver \ + --cluster ${{ env.CLUSTER_NAMME }} \ + --region ${{ env.AWS_REGION }} \ + --service-account-role-arn arn:aws:iam::567970947422:role/eksctl-EBS-CSI-DriverRole-${{ 
env.CLUSTER_NAMME }} \ --force - name: Create Wazuh indexer certificates 
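Review bot: The rewritten `eksctl` commands interpolate `${{ env.CLUSTER_NAMME }}` and `${{ env.AWS_REGION }}` straight into the `run:` script text, but workflow-level `env:` values are already exported to the step's shell, so `"$CLUSTER_NAMME"` and `"$AWS_REGION"` do the same job without rewriting the script at expression-evaluation time; keeping expression substitution out of `run:` blocks is the habit that prevents script injection once a value is sourced from something less controlled than `github.event.number`. The `--service-account-role-arn` in the addon step still hard-codes account `567970947422` while the role being assumed comes from `secrets.AWS_IAM_ROLE`, so the two can silently diverge if the secret is ever pointed at another account; `--service-account-role-arn "arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/eksctl-EBS-CSI-DriverRole-${CLUSTER_NAMME}"` keeps the ARN tied to the credentials actually in use. The three steps are complete within this hunk, but the `EKS_deployment_test` job continues past it.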
@@ -81,20 +85,150 @@ jobs: - name: Deploy Wazuh stack run: kubectl apply -k envs/eks/ + - name: Wait 10 minutes for Wazuh stack startup + run: sleep 10m + + - name: View stack status + run: kubectl get all -n wazuh -o wide + + - name: View Wazuh dashboard logs + run: kubectl logs $(kubectl get pods -n wazuh | grep wazuh-dashboard | awk '{print $1;}') -n wazuh + + - name: View Wazuh indexer 0 logs + run: kubectl logs wazuh-indexer-0 -n wazuh + + - name: View Wazuh indexer 1 logs + run: kubectl logs wazuh-indexer-1 -n wazuh + + - name: View Wazuh indexer 2 logs + run: kubectl logs wazuh-indexer-2 -n wazuh + + - name: View Wazuh manager master logs + run: kubectl logs wazuh-manager-master-0 -n wazuh + + - name: View Wazuh manager worker 0 logs + run: kubectl logs wazuh-manager-worker-0 -n wazuh + + - name: View Wazuh manager worker 1 logs + run: kubectl logs wazuh-manager-worker-1 -n wazuh + + - name: Set Wazuh service URLs + run: | + echo "MANAGER_URL=https://$(kubectl get service wazuh -n wazuh -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'):$(kubectl get service wazuh -n wazuh -o jsonpath='{.spec.ports[?(@.port==55000)].port}')" >> $GITHUB_ENV + echo "INDEXER_URL=https://$(kubectl get service indexer -n wazuh -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'):$(kubectl get service indexer -n wazuh -o jsonpath='{.spec.ports[?(@.port==9200)].port}')" >> $GITHUB_ENV + echo "DASHBOARD_URL=https://$(kubectl get service dashboard -n wazuh -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'):$(kubectl get service dashboard -n wazuh -o jsonpath='{.spec.ports[?(@.port==443)].port}')" >> $GITHUB_ENV + + - name: Check Wazuh indexer start + run: | + status_green="`curl -XGET "${{ env.INDEXER_URL }}/_cluster/health" -u admin:SecretPassword -k -s | grep green | wc -l`" + if [[ $status_green -eq 1 ]]; then + curl -XGET "${{ env.INDEXER_URL }}/_cluster/health" -u admin:SecretPassword -k -s + else + curl -XGET "${{ env.INDEXER_URL }}/_cluster/health" -u 
admin:SecretPassword -k -s + exit 1 + fi + status_index="`curl -XGET "${{ env.INDEXER_URL }}/_cat/indices" -u admin:SecretPassword -k -s | wc -l`" + status_index_green="`curl -XGET "${{ env.INDEXER_URL }}/_cat/indices" -u admin:SecretPassword -k -s | grep "green" | wc -l`" + if [[ $status_index_green -eq $status_index ]]; then + curl -XGET "${{ env.INDEXER_URL }}/_cat/indices" -u admin:SecretPassword -k -s + else + curl -XGET "${{ env.INDEXER_URL }}/_cat/indices" -u admin:SecretPassword -k -s + exit 1 + fi + + - name: Check Wazuh indexer nodes + run: | + nodes="`curl -XGET "${{ env.INDEXER_URL }}/_cat/nodes" -u admin:SecretPassword -k -s | grep -E "indexer" | wc -l`" + if [[ $nodes -eq 3 ]]; then + echo "Wazuh indexer nodes: ${nodes}" + else + echo "Wazuh indexer nodes: ${nodes}" + exit 1 + fi + + - name: Check documents into wazuh-alerts index + run: | + docs="`curl -XGET "${{ env.INDEXER_URL }}/wazuh-alerts*/_count" -u admin:SecretPassword -k -s | jq -r ".count"`" + if [[ $docs -gt 0 ]]; then + echo "wazuh-alerts index documents: ${docs}" + else + echo "wazuh-alerts index documents: ${docs}" + exit 1 + fi + + - name: Check Wazuh templates + run: | + qty_templates="`curl -XGET "${{ env.INDEXER_URL }}/_cat/templates" -u admin:SecretPassword -k -s | grep -P "wazuh|wazuh-agent|wazuh-statistics" | wc -l`" + templates="`curl -XGET "${{ env.INDEXER_URL }}/_cat/templates" -u admin:SecretPassword -k -s | grep -P "wazuh|wazuh-agent|wazuh-statistics"`" + if [[ $qty_templates -gt 3 ]]; then + echo "wazuh templates:" + echo "${templates}" + else + echo "wazuh templates:" + echo "${templates}" + exit 1 + fi + + - name: Check Wazuh manager start + run: | + services="`curl -k -s -X GET "${{ env.MANAGER_URL }}/manager/status?pretty=true" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items | grep running | wc -l`" + if [[ $services -gt 9 ]]; then + echo "Wazuh Manager Services: ${services}" + echo "OK" + else + echo "Wazuh indexer nodes: ${nodes}" + curl -k -X 
GET "${{ env.MANAGER_URL }}/manager/status?pretty=true" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items + exit 1 + fi + env: + TOKEN: $(curl -s -u wazuh-wui:MyS3cr37P450r.*- -k -X GET "${{ env.MANAGER_URL }}/security/user/authenticate?raw=true") + + - name: Check Wazuh dashboard service URL + run: | + status=$(curl -XGET --silent ${{ env.DASHBOARD_URL }}/app/status -k -u admin:SecretPassword -I -s | grep -E "^HTTP" | awk '{print $2}') + if [[ $status -eq 200 ]]; then + echo "Wazuh dashboard status: ${status}" + else + echo "Wazuh dashboard status: ${status}" + exit 1 + fi + + - name: Delete eks cluster + if: always() + run: | + eksctl delete cluster \ + --name ${{ env.CLUSTER_NAMME }} \ + --region ${{ env.AWS_REGION }} + + - name: Delete EBS dynamic volumes + if: always() + run: | + for volume_id in $(aws ec2 describe-volumes \ + --region ${{ env.AWS_REGION }} \ + --filters Name=tag:KubernetesCluster,Values="${{ env.CLUSTER_NAMME }}" \ + --query "Volumes[].VolumeId" \ + --output text); do + echo "Eliminando volumen con ID: $volume_id" + aws ec2 delete-volume --region ${{ env.AWS_REGION }} --volume-id $volume_id + done + Local_deployment_test: - runs-on: ubuntu-20.04 + runs-on: ubuntu-24.04 steps: - name: Checkout code uses: actions/checkout@v4 with: ref: ${{ inputs.BRANCH_VERSION }} + - name: Free Disk Space (Ubuntu) + uses: jlumbroso/free-disk-space@main + - name: free disk space run: | sudo swapoff -a sudo rm -f /swapfile + sudo apt update -y && sudo apt upgrade -y sudo apt clean - docker rmi $(docker image ls -aq) df -h - name: Install Minikube cluster 
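Review bot: The `env: TOKEN: $(curl …)` on the `Check Wazuh manager start` step does not do what it looks like: Actions never runs command substitution in `env:`, so `TOKEN` holds the literal text `$(curl -s -u wazuh-wui:MyS3cr37P450r.*- …)` and the check only works because `${{env.TOKEN}}` pastes that text into the double-quoted `Authorization` header where bash then evaluates it — a login executed by expression interpolation, once per curl, with the API password hard-coded in the workflow. Fetch the token inside the script from credentials held in repository secrets instead (rewritten step below; the secret names are placeholders), which also fixes the else branch that echoes `Wazuh indexer nodes: ${nodes}` — `nodes` is assigned in a different step and is unset here. The indexer and dashboard checks likewise hard-code `admin:SecretPassword` and pass `-k`, against a host taken from `.status.loadBalancer.ingress[0].hostname`; if that ELB is Internet-facing (not visible here), the stack is reachable with default credentials for the whole test window, so at minimum source the credentials from secrets and consider restricting the services' `loadBalancerSourceRanges`. `uses: jlumbroso/free-disk-space@main` pins a third-party action to a mutable branch in a workflow that holds `id-token: write`; pin it to a full commit SHA. The same `TOKEN` and `${nodes}` issues are duplicated in the `Local_deployment_test` hunk (`@@ -111,5`), and the `Local_deployment_test` job body continues past the end of this hunk.
```yaml
      - name: Check Wazuh manager start
        env:
          WAZUH_API_USER: ${{ secrets.WAZUH_API_USER }}          # placeholder secret name
          WAZUH_API_PASSWORD: ${{ secrets.WAZUH_API_PASSWORD }}  # placeholder secret name
        run: |
          token="$(curl -k -s -u "${WAZUH_API_USER}:${WAZUH_API_PASSWORD}" -X GET "${MANAGER_URL}/security/user/authenticate?raw=true")"
          status="$(curl -k -s -X GET "${MANAGER_URL}/manager/status?pretty=true" -H "Authorization: Bearer ${token}" | jq -r .data.affected_items)"
          services="$(echo "${status}" | grep -c running)"
          if [[ $services -gt 9 ]]; then
            echo "Wazuh Manager Services: ${services}"
            echo "OK"
          else
            echo "Wazuh Manager Services: ${services}"
            echo "${status}"
            exit 1
          fi
      # … unchanged: remaining steps of the job …
```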
@@ -111,5 +245,113 @@ jobs: - name: Create Wazuh dashboard certificates run: wazuh/certs/dashboard_http/generate_certs.sh + - name: Change provisioner for minikube + run: | + sed -i 's/provisioner: microk8s.io\/hostpath/# provisioner: microk8s.io\/hostpath/; s/# provisioner: k8s.io\/minikube-hostpath/provisioner: k8s.io\/minikube-hostpath/' envs/local-env/storage-class.yaml + - name: Deploy Wazuh stack - run: minikube kubectl apply -k envs/local/ \ No newline at end of file + run: kubectl apply -k envs/local-env/ + + - name: Wait 10 minutes for Wazuh stack startup + run: sleep 10m + + - name: Start minikube tunnel + run: | + minikube tunnel &> /dev/null & + sleep 30 + + - name: View stack status + run: kubectl get all -n wazuh -o wide + + - name: View Wazuh dashboard logs + run: kubectl logs $(kubectl get pods -n wazuh | grep wazuh-dashboard | awk '{print $1;}') -n wazuh + + - name: View Wazuh indexer 0 logs + run: kubectl logs wazuh-indexer-0 -n wazuh + + - name: View Wazuh manager master logs + run: kubectl logs wazuh-manager-master-0 -n wazuh + + - name: View Wazuh manager worker 0 logs + run: kubectl logs wazuh-manager-worker-0 -n wazuh + + - name: Set Wazuh service URLs + run: | + echo "MANAGER_URL=https://$(kubectl get service wazuh -n wazuh -o jsonpath='{.status.loadBalancer.ingress[0].ip}'):$(kubectl get service wazuh -n wazuh -o jsonpath='{.spec.ports[?(@.port==55000)].port}')" >> $GITHUB_ENV + echo "INDEXER_URL=https://$(kubectl get service indexer -n wazuh -o jsonpath='{.status.loadBalancer.ingress[0].ip}'):$(kubectl get service indexer -n wazuh -o jsonpath='{.spec.ports[?(@.port==9200)].port}')" >> $GITHUB_ENV + echo "DASHBOARD_URL=https://$(kubectl get service dashboard -n wazuh -o jsonpath='{.status.loadBalancer.ingress[0].ip}'):$(kubectl get service dashboard -n wazuh -o jsonpath='{.spec.ports[?(@.port==443)].port}')" >> $GITHUB_ENV + + - name: Check Wazuh indexer start + run: | + status_green="`curl -XGET "${{ env.INDEXER_URL }}/_cluster/health" -u 
admin:SecretPassword -k -s | grep green | wc -l`" + if [[ $status_green -eq 1 ]]; then + curl -XGET "${{ env.INDEXER_URL }}/_cluster/health" -u admin:SecretPassword -k -s + else + curl -XGET "${{ env.INDEXER_URL }}/_cluster/health" -u admin:SecretPassword -k -s + exit 1 + fi + status_index="`curl -XGET "${{ env.INDEXER_URL }}/_cat/indices" -u admin:SecretPassword -k -s | wc -l`" + status_index_green="`curl -XGET "${{ env.INDEXER_URL }}/_cat/indices" -u admin:SecretPassword -k -s | grep "green" | wc -l`" + if [[ $status_index_green -eq $status_index ]]; then + curl -XGET "${{ env.INDEXER_URL }}/_cat/indices" -u admin:SecretPassword -k -s + else + curl -XGET "${{ env.INDEXER_URL }}/_cat/indices" -u admin:SecretPassword -k -s + exit 1 + fi + + - name: Check Wazuh indexer nodes + run: | + nodes="`curl -XGET "${{ env.INDEXER_URL }}/_cat/nodes" -u admin:SecretPassword -k -s | grep -E "indexer" | wc -l`" + if [[ $nodes -eq 1 ]]; then + echo "Wazuh indexer nodes: ${nodes}" + else + echo "Wazuh indexer nodes: ${nodes}" + exit 1 + fi + + - name: Check documents into wazuh-alerts index + run: | + docs="`curl -XGET "${{ env.INDEXER_URL }}/wazuh-alerts*/_count" -u admin:SecretPassword -k -s | jq -r ".count"`" + if [[ $docs -gt 0 ]]; then + echo "wazuh-alerts index documents: ${docs}" + else + echo "wazuh-alerts index documents: ${docs}" + exit 1 + fi + + - name: Check Wazuh templates + run: | + qty_templates="`curl -XGET "${{ env.INDEXER_URL }}/_cat/templates" -u admin:SecretPassword -k -s | grep -P "wazuh|wazuh-agent|wazuh-statistics" | wc -l`" + templates="`curl -XGET "${{ env.INDEXER_URL }}/_cat/templates" -u admin:SecretPassword -k -s | grep -P "wazuh|wazuh-agent|wazuh-statistics"`" + if [[ $qty_templates -gt 3 ]]; then + echo "wazuh templates:" + echo "${templates}" + else + echo "wazuh templates:" + echo "${templates}" + exit 1 + fi + + - name: Check Wazuh manager start + run: | + services="`curl -k -s -X GET "${{ env.MANAGER_URL }}/manager/status?pretty=true" -H 
"Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items | grep running | wc -l`" + if [[ $services -gt 9 ]]; then + echo "Wazuh Manager Services: ${services}" + echo "OK" + else + echo "Wazuh indexer nodes: ${nodes}" + curl -k -X GET "${{ env.MANAGER_URL }}/manager/status?pretty=true" -H "Authorization: Bearer ${{env.TOKEN}}" | jq -r .data.affected_items + exit 1 + fi + env: + TOKEN: $(curl -s -u wazuh-wui:MyS3cr37P450r.*- -k -X GET "${{ env.MANAGER_URL }}/security/user/authenticate?raw=true") + + - name: Check Wazuh dashboard service URL + run: | + status=$(curl -XGET --silent ${{ env.DASHBOARD_URL }}/app/status -k -u admin:SecretPassword -I -s | grep -E "^HTTP" | awk '{print $2}') + if [[ $status -eq 200 ]]; then + echo "Wazuh dashboard status: ${status}" + else + echo "Wazuh dashboard status: ${status}" + exit 1 + fi diff --git a/CHANGELOG.md b/CHANGELOG.md index d487df29..4ac1537d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,19 +6,55 @@ All notable changes to this project will be documented in this file. ### Added -- Update to Wazuh version [5.0.0](https://github.com/wazuh/wazuh/blob/v5.0.0/CHANGELOG.md#v500) +- New PR Checks ([#896](https://github.com/wazuh/wazuh-kubernetes/pull/896)) \- (Kubernetes workflow Test) + +### Changed + +- None + +### Fixed + +- None + +### Deleted + +- None ## [4.10.2] ### Added -- Update to Wazuh version [4.10.2](https://github.com/wazuh/wazuh/blob/v4.10.2/CHANGELOG.md#v4101) +- None + +### Changed + +- None + +### Fixed + +- None + +### Deleted + +- None ## [4.10.1] ### Added -- Update to Wazuh version [4.10.1](https://github.com/wazuh/wazuh/blob/v4.10.1/CHANGELOG.md#v4101) +- None + +### Changed + +- None + +### Fixed + +- None + +### Deleted + +- None ## [4.10.0]