feat(autoscaler): deploy node-agent on nodes missing the grouping label #389
Changes from all commits
8d6d32e
75ea4f5
a96a01c
99a27e9
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -26,8 +26,33 @@ jobs: | |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| with: | ||
| path: operator | ||
| - uses: actions/setup-go@v5 | ||
| with: | ||
| go-version: "1.25" | ||
| - name: Build with integration tag | ||
| run: go test -tags=integration -run=^$ ./... | ||
| # The node-agent autoscaler integration tests render the actual DaemonSet | ||
| # template that lives in the helm-charts repo. Check it out and extract the | ||
| # template so the tests run for real instead of skipping (see | ||
| # nodeagentautoscaler/integration_test.go). | ||
| - name: Checkout helm-charts | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| repository: kubescape/helm-charts | ||
| ref: main | ||
| path: helm-charts | ||
| - uses: azure/setup-helm@v4 | ||
| - name: Extract node-agent daemonset template | ||
| run: | | ||
| # The chart has local (file://) subchart dependencies that must be | ||
| # vendored into charts/ before templating a fresh checkout. | ||
| helm dependency build helm-charts/charts/kubescape-operator | ||
| helm template test helm-charts/charts/kubescape-operator \ | ||
| --kube-version 1.29.0 \ | ||
| --set nodeAgent.autoscaler.enabled=true --set clusterName=test \ | ||
| | grep -A 400 "daemonset-template.yaml:" | tail -n +2 | sed 's/^ //' \ | ||
| | awk '/^---/{exit} {print}' > /tmp/test-daemonset-template.yaml | ||
| test -s /tmp/test-daemonset-template.yaml || { echo "template extraction produced an empty file"; exit 1; } | ||
| - name: Build and run integration tests | ||
| working-directory: operator | ||
| run: go test -tags=integration ./... | ||
|
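Review bot: The extraction pipeline in the "Extract node-agent daemonset template" step can pass on a truncated or partial template. The step sets no `shell:` and no `set -o pipefail`, so under the runner's default `bash -e` only the exit status of the final `awk` is checked; if `helm template` fails partway through, or the embedded template grows past the 400 lines kept by `grep -A 400`, the `test -s` guard still succeeds on whatever partial text reached `/tmp/test-daemonset-template.yaml`. Suggest making `set -o pipefail` the first line of the `run:` block and strengthening the final guard from "non-empty" to a check that the file is the expected document, for example that it contains a `kind: DaemonSet` line.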
Comment on lines +41 to +58
📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win
Pin the chart checkout to the companion change instead of
This job now validates behavior that depends on the companion Helm template branch, so checking out
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Disable credential persistence on the extra checkout.
This checkout is read-only, so persisting the workflow token into helm-charts/.git/config is unnecessary and creates an avoidable leak path if that workspace is ever uploaded or reused.
Suggested hardening
- name: Checkout helm-charts uses: actions/checkout@v4 with: repository: kubescape/helm-charts ref: main path: helm-charts + persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 38-43: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
Source: Linters/SAST tools
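An added example, not part of the review thread or the project's code: a guard a job could run before any upload or cache step to catch the leak path the comment above describes. It assumes actions/checkout@v4 persists the token as an `extraheader = AUTHORIZATION: ...` entry in the checkout's `.git/config`; the function names and the sample workspace are constructed for illustration.

```sh
#!/bin/sh
# Added example: fail a job before an upload or cache step if any checkout
# under a directory still carries a persisted token.
# Assumption: actions/checkout@v4 persists the token as an
# "extraheader = AUTHORIZATION: basic <base64>" entry in <path>/.git/config.

# Print each .git/config under $1 holding such an entry.
# Returns 0 when at least one is found, 1 when the tree is clean.
find_persisted_credentials() {
  hits=$(find "$1" -type f -path '*/.git/config' -exec \
    grep -liE '^[[:space:]]*extraheader[[:space:]]*=[[:space:]]*AUTHORIZATION:' \
    {} + 2>/dev/null || true)
  [ -n "$hits" ] || return 1
  printf '%s\n' "$hits"
}

# Build a constructed workspace with two checkouts: operator/ has no
# persisted token, helm-charts/ has one (as without persist-credentials: false).
make_sample_workspace() {
  ws=$(mktemp -d)
  mkdir -p "$ws/operator/.git" "$ws/helm-charts/.git"
  printf '[core]\n\tbare = false\n' > "$ws/operator/.git/config"
  # Constructed placeholder value, not a real token.
  printf '[core]\n\tbare = false\n[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic Q09OU1RSVUNURUQ=\n' \
    > "$ws/helm-charts/.git/config"
  printf '%s\n' "$ws"
}

# Demo run on the constructed workspace.
ws=$(make_sample_workspace)
if leaked=$(find_persisted_credentials "$ws"); then
  echo "persisted credentials found in:"
  echo "$leaked"
fi
rm -rf "$ws"
```

In a workflow, the function would be pointed at the directory about to be uploaded and the step would exit non-zero when it returns 0.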