feat(hwlab): add dev cd audit
This commit is contained in:
@@ -1,6 +1,6 @@
|
||||
import assert from "node:assert/strict";
|
||||
import { spawnSync } from "node:child_process";
|
||||
import { mkdirSync, writeFileSync } from "node:fs";
|
||||
import { existsSync, mkdirSync, readdirSync, writeFileSync } from "node:fs";
|
||||
import { tmpdir } from "node:os";
|
||||
import { join } from "node:path";
|
||||
import { buildHwlabCdRemoteCommandForTest } from "./src/hwlab-cd";
|
||||
@@ -40,6 +40,7 @@ function makeFakeHwlabRepo(): string {
|
||||
mkdirSync(join(root, "reports/dev-gate"), { recursive: true });
|
||||
writeFileSync(join(root, "scripts/dev-cd-apply.mjs"), [
|
||||
"const kubeconfigIndex = process.argv.indexOf('--kubeconfig');",
|
||||
"if (process.argv.includes('--apply') || process.argv.includes('--write-report') || process.argv.includes('--confirm-dev')) { throw new Error('mutation flag must not be used in wrapper tests'); }",
|
||||
"process.stdout.write(JSON.stringify({",
|
||||
" ok: true,",
|
||||
" status: 'pass',",
|
||||
@@ -85,6 +86,43 @@ function makeFakeHwlabRepo(): string {
|
||||
function makeFakeBin(mode: "native" | "desktop" | "stale-default" | "wrong-node" | "missing-secret" | "second-plane"): string {
|
||||
const bin = join(tmpdir(), `unidesk-hwlab-cd-bin-${process.pid}-${Date.now()}-${mode}-${Math.random().toString(16).slice(2)}`);
|
||||
mkdirSync(bin, { recursive: true });
|
||||
const deploymentJson = {
|
||||
items: [
|
||||
{
|
||||
metadata: {
|
||||
name: "hwlab-cloud-api",
|
||||
labels: { "app.kubernetes.io/name": "hwlab-cloud-api", "hwlab.pikastech.local/service-id": "hwlab-cloud-api" },
|
||||
annotations: { "deployment.kubernetes.io/revision": "7" },
|
||||
},
|
||||
spec: {
|
||||
replicas: 1,
|
||||
template: { spec: { containers: [{ name: "hwlab-cloud-api", image: "127.0.0.1:5000/hwlab/hwlab-cloud-api:abc1234", env: [{ name: "HWLAB_COMMIT_ID", value: "abc1234" }] }] } },
|
||||
},
|
||||
status: { availableReplicas: 1, updatedReplicas: 1, unavailableReplicas: 0, conditions: [{ type: "Available", status: "True" }, { type: "Progressing", status: "True", reason: "NewReplicaSetAvailable" }] },
|
||||
},
|
||||
{
|
||||
metadata: {
|
||||
name: "hwlab-cloud-web",
|
||||
labels: { "app.kubernetes.io/name": "hwlab-cloud-web", "hwlab.pikastech.local/service-id": "hwlab-cloud-web" },
|
||||
annotations: { "deployment.kubernetes.io/revision": "8" },
|
||||
},
|
||||
spec: {
|
||||
replicas: 1,
|
||||
template: { spec: { containers: [{ name: "hwlab-cloud-web", image: "127.0.0.1:5000/hwlab/hwlab-cloud-web:abc1234", env: [{ name: "HWLAB_COMMIT_ID", value: "abc1234" }] }] } },
|
||||
},
|
||||
status: { availableReplicas: 1, updatedReplicas: 1, unavailableReplicas: 0, conditions: [{ type: "Available", status: "True" }, { type: "Progressing", status: "True" }] },
|
||||
},
|
||||
],
|
||||
};
|
||||
const podsJson = {
|
||||
items: [
|
||||
{
|
||||
metadata: { name: "hwlab-cloud-api-abc" },
|
||||
status: { containerStatuses: [{ name: "hwlab-cloud-api", image: "127.0.0.1:5000/hwlab/hwlab-cloud-api:abc1234", imageID: "docker-pullable://127.0.0.1:5000/hwlab/hwlab-cloud-api@sha256:" + "b".repeat(64), state: { running: {} } }] },
|
||||
},
|
||||
],
|
||||
};
|
||||
const jobsJson = { items: [{ metadata: { name: "hwlab-runtime-provision-old" }, status: { succeeded: 1, failed: 0, active: 0, completionTime: "2026-05-24T00:00:00Z" } }] };
|
||||
const explicitContext = mode === "desktop" ? "docker-desktop" : "default";
|
||||
const explicitServer = mode === "desktop" ? "https://127.0.0.1:11700" : "https://127.0.0.1:6443";
|
||||
const explicitNodes = mode === "desktop" ? "desktop-control-plane" : mode === "wrong-node" ? "d602" : "d601";
|
||||
@@ -112,6 +150,9 @@ function makeFakeBin(mode: "native" | "desktop" | "stale-default" | "wrong-node"
|
||||
" printf 'Error from server (NotFound): namespaces \"hwlab-dev\" not found\\n' >&2; exit 1",
|
||||
"fi",
|
||||
"if [[ \"$*\" =~ ^-n[[:space:]]+hwlab-dev[[:space:]]+get[[:space:]]+lease[[:space:]]+hwlab-dev-cd-lock[[:space:]]+-o[[:space:]]+json$ ]]; then printf 'Error from server (NotFound): leases.coordination.k8s.io \"hwlab-dev-cd-lock\" not found\\n' >&2; exit 1; fi",
|
||||
"if [[ \"$*\" == '-n hwlab-dev get deployments -o json' ]]; then printf '%s\\n' " + JSON.stringify(JSON.stringify(deploymentJson)) + "; exit 0; fi",
|
||||
"if [[ \"$*\" == '-n hwlab-dev get pods -o json' ]]; then printf '%s\\n' " + JSON.stringify(JSON.stringify(podsJson)) + "; exit 0; fi",
|
||||
"if [[ \"$*\" == '-n hwlab-dev get jobs -o json' ]]; then printf '%s\\n' " + JSON.stringify(JSON.stringify(jobsJson)) + "; exit 0; fi",
|
||||
"if [[ \"$*\" == '-n hwlab-dev get secret hwlab-code-agent-provider -o name' && " + JSON.stringify(mode) + " == 'missing-secret' ]]; then printf 'Error from server (NotFound): secrets \"hwlab-code-agent-provider\" not found\\n' >&2; exit 1; fi",
|
||||
"if [[ \"$*\" =~ ^-n\\ hwlab-dev\\ get\\ secret\\ ([^[:space:]]+)\\ -o\\ name$ ]]; then printf 'secret/%s\\n' \"${BASH_REMATCH[1]}\"; exit 0; fi",
|
||||
"if [[ \"$*\" == '-n hwlab-dev describe secret hwlab-cloud-api-dev-db' ]]; then printf 'Name: hwlab-cloud-api-dev-db\\nData\\n====\\ndatabase-url: 48 bytes\\n'; exit 0; fi",
|
||||
@@ -120,6 +161,34 @@ function makeFakeBin(mode: "native" | "desktop" | "stale-default" | "wrong-node"
|
||||
"printf 'unexpected kubectl args: %s\\n' \"$*\" >&2; exit 99",
|
||||
].join("\n"));
|
||||
spawnSync("chmod", ["+x", join(bin, "kubectl")]);
|
||||
writeFileSync(join(bin, "curl"), [
|
||||
"#!/usr/bin/env bash",
|
||||
"set -euo pipefail",
|
||||
"url=\"${@: -1}\"",
|
||||
"if [[ \"$*\" == *'http://127.0.0.1:5000/v2/'* ]]; then printf '{}\\n'; exit 0; fi",
|
||||
"if [[ \"$url\" == 'http://74.48.78.17:16666/health/live' ]]; then printf '%s\\n' " + JSON.stringify(JSON.stringify({
|
||||
serviceId: "hwlab-cloud-web",
|
||||
environment: "dev",
|
||||
status: "ready",
|
||||
ready: true,
|
||||
commit: { id: "abc1234" },
|
||||
image: { reference: "127.0.0.1:5000/hwlab/hwlab-cloud-web:abc1234", tag: "abc1234" },
|
||||
blockerCodes: [],
|
||||
})) + "; exit 0; fi",
|
||||
"if [[ \"$url\" == 'http://74.48.78.17:16667/health/live' ]]; then printf '%s\\n' " + JSON.stringify(JSON.stringify({
|
||||
serviceId: "hwlab-cloud-api",
|
||||
environment: "dev",
|
||||
status: "ready",
|
||||
ready: true,
|
||||
commit: { id: "abc1234" },
|
||||
image: { reference: "127.0.0.1:5000/hwlab/hwlab-cloud-api:abc1234", tag: "abc1234" },
|
||||
db: { ready: true, connected: true, liveDbEvidence: true, runtimeReadiness: { status: "ready", ready: true, blocker: null } },
|
||||
runtime: { status: "ready", ready: true, durable: true, durableRequested: true, liveRuntimeEvidence: true, blocker: null, adapter: "postgres" },
|
||||
blockerCodes: [],
|
||||
})) + "; exit 0; fi",
|
||||
"printf 'unexpected curl args: %s\\n' \"$*\" >&2; exit 22",
|
||||
].join("\n"));
|
||||
spawnSync("chmod", ["+x", join(bin, "curl")]);
|
||||
return bin;
|
||||
}
|
||||
|
||||
@@ -142,11 +211,14 @@ const secondPlaneBin = makeFakeBin("second-plane");
|
||||
const help = runCli(["hwlab", "help"]);
|
||||
assert.equal(help.ok, true);
|
||||
assert.equal((help.data as JsonRecord).command, "hwlab cd");
|
||||
assert.equal(((help.data as JsonRecord).usage as string[]).includes("bun scripts/cli.ts hwlab cd audit --env dev"), true);
|
||||
|
||||
const remoteCommand = buildHwlabCdRemoteCommandForTest(withLocalTransport(["cd", "apply", "--env", "dev", "--dry-run"]));
|
||||
assert.equal(remoteCommand.includes("scripts/dev-cd-apply.mjs"), true);
|
||||
assert.equal(remoteCommand.includes("/etc/rancher/k3s/k3s.yaml"), true);
|
||||
assert.equal(remoteCommand.includes("kubectl rollout"), false);
|
||||
assert.equal(remoteCommand.includes("kubectl apply"), false);
|
||||
assert.equal(remoteCommand.includes("break-stale-lock"), false);
|
||||
|
||||
const realApply = runCli(["hwlab", "cd", "apply", "--env", "dev", "--hwlab-repo", fakeRepo], {
|
||||
PATH: `${nativeBin}:${process.env.PATH ?? ""}`,
|
||||
@@ -201,6 +273,46 @@ assert.equal(((dryRunData.target as JsonRecord).promotionCommit), "abc1234567890
|
||||
assert.equal(((dryRunData.promotion as JsonRecord).source), "deploy/deploy.json");
|
||||
assert.equal(JSON.stringify(dryRunData).includes("sk-secret"), false);
|
||||
|
||||
const reportsBefore = existsSync(join(fakeRepo, "reports")) ? JSON.stringify(readdirSync(join(fakeRepo, "reports"), { recursive: true })) : "";
|
||||
const audit = runCli(withLocalTransport([
|
||||
"hwlab",
|
||||
"cd",
|
||||
"audit",
|
||||
"--env",
|
||||
"dev",
|
||||
"--hwlab-repo",
|
||||
fakeRepo,
|
||||
]), {
|
||||
PATH: `${nativeBin}:${process.env.PATH ?? ""}`,
|
||||
});
|
||||
assert.equal(audit.ok, true);
|
||||
const auditData = dataOf(audit);
|
||||
const auditSummary = auditData.audit as JsonRecord;
|
||||
assert.equal(auditSummary.status, "pass");
|
||||
assert.equal((auditSummary.namespace), "hwlab-dev");
|
||||
assert.equal(((auditSummary.nodeGuard as JsonRecord).nodeNames as unknown[]).includes("d601"), true);
|
||||
assert.equal(((auditSummary.secrets as JsonRecord).valuesRead), false);
|
||||
assert.equal(((auditSummary.secrets as JsonRecord).valuesPrinted), false);
|
||||
assert.equal(JSON.stringify(auditSummary).includes("48 bytes"), false);
|
||||
assert.equal(((auditSummary.registry as JsonRecord).status), "pass");
|
||||
assert.equal(((auditSummary.lease as JsonRecord).staleClassification), "not-held");
|
||||
assert.equal((((auditSummary.desiredState as JsonRecord).imageConvergence as JsonRecord).status), "pass");
|
||||
assert.equal(((auditSummary.workload as JsonRecord).status), "healthy");
|
||||
assert.equal(((auditSummary.publicHealth as JsonRecord).status), "pass");
|
||||
assert.equal(((auditSummary.durability as JsonRecord).status), "pass");
|
||||
assert.deepEqual((auditSummary.blockerTypes as unknown[]), []);
|
||||
assert.equal(((auditSummary.safety as JsonRecord).reportsWritten), false);
|
||||
assert.equal(((auditSummary.safety as JsonRecord).cdLockMutated), false);
|
||||
assert.equal((auditData.remote as JsonRecord).providerId, "D601");
|
||||
assert.equal(JSON.stringify(auditData).length < 80_000, true);
|
||||
assert.equal(JSON.stringify(auditData).includes("kubectl apply"), false);
|
||||
assert.equal(JSON.stringify(auditData).includes("kubectl rollout"), false);
|
||||
assert.equal(JSON.stringify(auditData).includes("--apply"), false);
|
||||
assert.equal(JSON.stringify(auditData).includes("--write-report"), false);
|
||||
assert.equal(JSON.stringify(auditData).includes("sk-secret"), false);
|
||||
const reportsAfter = existsSync(join(fakeRepo, "reports")) ? JSON.stringify(readdirSync(join(fakeRepo, "reports"), { recursive: true })) : "";
|
||||
assert.equal(reportsAfter, reportsBefore);
|
||||
|
||||
const status = runCli(withLocalTransport([
|
||||
"hwlab",
|
||||
"cd",
|
||||
@@ -240,10 +352,9 @@ assert.equal((staleDefaultGuard.defaultKubectlDiagnostic as JsonRecord).status,
|
||||
const desktopRefusal = runCli(withLocalTransport([
|
||||
"hwlab",
|
||||
"cd",
|
||||
"apply",
|
||||
"audit",
|
||||
"--env",
|
||||
"dev",
|
||||
"--dry-run",
|
||||
"--hwlab-repo",
|
||||
fakeRepo,
|
||||
]), {
|
||||
@@ -252,7 +363,8 @@ const desktopRefusal = runCli(withLocalTransport([
|
||||
assert.equal(desktopRefusal.ok, false);
|
||||
const desktopData = dataOf(desktopRefusal);
|
||||
assert.equal(desktopData.status, "refused");
|
||||
assert.deepEqual((desktopData.nodeGuard as JsonRecord).refusalSignals, ["docker-desktop", "desktop-control-plane", "127.0.0.1:11700"]);
|
||||
assert.deepEqual((((desktopData.audit as JsonRecord).nodeGuard as JsonRecord).refusalSignals), ["docker-desktop", "desktop-control-plane", "127.0.0.1:11700"]);
|
||||
assert.equal(((desktopData.blockerTypes as unknown[]).includes("docker-desktop-context-risk")), true);
|
||||
|
||||
const wrongNodeBlocked = runCli(withLocalTransport([
|
||||
"hwlab",
|
||||
|
||||
Reference in New Issue
Block a user