openstack/openstack-helm-infra
Code Issues Proposed changes

Merge "Add bandit check to osh-infra"

Browse Source
This commit is contained in:
Zuul 2020-01-03 20:51:03 +00:00 committed by Gerrit Code Review
commit 954a06b3fd
4 changed files with 56 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
playbooks/osh-infra-bandit.yaml Normal file
View File

@ -0,0 +1,28 @@
- hosts: all
name: openstack-helm-infra-bandit
tasks:
- name: Install Required Packages and Setup Host
shell: |
set -xe;
./tools/deployment/common/000-install-packages.sh
./tools/deployment/common/005-deploy-k8s.sh
sudo -H pip install yq bandit
environment:
zuul_site_mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
args:
chdir: "{{ zuul.project.src_dir }}"
- name: Template out python files
shell: |
set -xe;
make all
mkdir -p python-files
./tools/gate/template-python.sh
args:
chdir: "{{ zuul.project.src_dir }}"
- name: Run bandit against python files
shell: bandit -r ./python-files
args:
chdir: "{{ zuul.project.src_dir }}"

16
tools/gate/template-python.sh Executable file
View File

@ -0,0 +1,16 @@
#!/bin/bash
EXCLUDES="helm-toolkit doc tests tools logs tmp roles playbooks releasenotes zuul.d python-files"
DIRS=`ls -d */ | cut -f1 -d'/'`
for EX in $EXCLUDES; do
DIRS=`echo $DIRS | sed "s/\b$EX\b//g"`
done
for DIR in $DIRS; do
PYFILES=$(helm template $DIR | yq 'select(.data != null) | .data | to_entries | map(select(.key | test(".*\\.py"))) | select(length > 0) | values[] | {(.key) : (.value)}' | jq -s add)
PYKEYS=$(echo "$PYFILES" | jq -r 'select(. != null) | keys[]')
for KEY in $PYKEYS; do
echo "$PYFILES" | jq -r --arg KEY "$KEY" '.[$KEY]' > ./python-files/"$DIR-$KEY"
done
done

10
zuul.d/jobs.yaml
View File

@ -30,6 +30,16 @@
run: playbooks/zuul-linter.yaml run: playbooks/zuul-linter.yaml
nodeset: openstack-helm-single-node nodeset: openstack-helm-single-node
- job:
name: openstack-helm-infra-bandit
run: playbooks/osh-infra-bandit.yaml
nodeset: openstack-helm-single-node
# Note(gagehugo): Uncomment this once it passes so that it only runs
# when python related files are changed.
# files:
# - ^.*\.py\.tpl$
# - ^.*\.py$
- job: - job:
name: openstack-helm-infra name: openstack-helm-infra
parent: openstack-helm-infra-functional parent: openstack-helm-infra-functional

2
zuul.d/project.yaml
View File

@ -19,6 +19,8 @@
check: check:
jobs: jobs:
- openstack-helm-lint - openstack-helm-lint
- openstack-helm-infra-bandit:
voting: false
- openstack-helm-infra-aio-logging - openstack-helm-infra-aio-logging
- openstack-helm-infra-aio-monitoring - openstack-helm-infra-aio-monitoring
- openstack-helm-infra-federated-monitoring: - openstack-helm-infra-federated-monitoring: