feat: containerized fixture builder and cross-arch test coverage #338
bartoszmajsak wants to merge 5 commits into
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: bartoszmajsak
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
20ff280 to bd62fba
@smith-xyz PTAL when you find some time.
@bartoszmajsak LGTM. Before merge, can we add rejectSections for go124_external_pie_amd64_app so we don’t regress the .data.rel.ro scan path silently; consider TestReadTable for go-native-fips-app and t.Fatal in assertFixtureInvariants.
Replaces per-fixture build scripts with a parameterized build_fixture.sh backed by a Containerfile that layers zig onto Red Hat's go-toolset images. Supports --goarch (amd64, s390x, arm64, ppc64le), --buildmode, --cgo, --fips, and --go-image.

Red Hat Go provides fips140=auto in GODEBUG, which the scanner requires for native FIPS detection. Source main.go now includes //go:debug fips140=auto (ignored by Go < 1.26).

Adds test/resources/README.md documenting the rebuild workflow and fixture matrix.

Signed-off-by: Bartosz Majsak <bartosz.majsak@gmail.com>
All fixtures rebuilt from unified main.go using the containerized builder with Red Hat go-toolset images.

New fixtures:
- go124_ppc64le_app: quantum=4 little-endian, previously untested
- go124_external_pie_amd64_app: .data.rel.ro fallback path
- go-native-fips-app: Go 1.26 native FIPS (fips140=auto)

Changed fixtures:
- fips_compliant_app: now amd64 (was arm64), Go 1.20 boringcrypto
- All others: rebuilt with Red Hat Go for consistent FIPS settings

Mock directories added for new fixtures (symlinked binaries). Existing mock dir copies updated.

Signed-off-by: Bartosz Majsak <bartosz.majsak@gmail.com>
Addresses PR openshift#337 review feedback:
- slog.Debug in tryParseTable for rejected pclntab candidates
- Fix test names (s390x fixture is CGO not PIE, fips is amd64)
- Fixture invariant assertions: each test case declares expected ELF section and machine type, with rejectSections to ensure fallback paths are actually exercised
- Integration tests for all new fixtures in TestRunLocalScan
- ppc64le unit test (quantum=4 LE)
- .data.rel.ro fallback unit test (magic scanning loop)

Signed-off-by: Bartosz Majsak <bartosz.majsak@gmail.com>
Adds rejectSections to the external PIE test case so a fixture rebuild that introduces a dedicated .gopclntab section will fail loudly instead of silently skipping the .data.rel.ro magic-scanning fallback.

Switches assertFixtureInvariants to t.Fatalf so broken fixtures stop immediately rather than producing misleading downstream failures.

Adds go-native-fips-app to TestReadTable for crypto/fips140 coverage.

Signed-off-by: Bartosz Majsak <bartosz.majsak@gmail.com>
bd62fba to 309c7a7
@smith-xyz Good feedback, thanks! Addressed in 309c7a7
IIUC
Signed-off-by: Bartosz Majsak <bartosz.majsak@gmail.com>
@bartoszmajsak: The following test failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
@bartoszmajsak can you rebase and resolve the conflict so we can merge this in?
PR needs rebase.
Summary
Follow-up to #337. Replaces ad-hoc per-fixture build scripts with a single parameterized builder backed by Red Hat's go-toolset container images and zig for cross-compilation. All test fixtures are now built from one main.go, producing consistent FIPS settings across Go versions.

Addresses #337 review feedback:
- build_fixture.sh
- tryParseTable errors - slog.Debug for rejected candidates

Fills two coverage gaps:
- .data.rel.ro fallback - Go 1.24 external PIE exercises the magic scanning loop that no other fixture reaches

Adds fixture invariant assertions so rebuilt binaries can't silently change which code path they exercise.

Test plan
- build_fixture.sh per README, commit, make test verify
- make test passes (135 tests across 9 packages)
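
The fixture invariant idea discussed in this PR (expected ELF section and machine type, plus rejectSections), sketched as an added example; it is not the PR's or the project's own code. The names invariant, check, fakeELF and demo are hypothetical, the binaries are constructed in memory, and the section assumed for the ppc64 case is illustrative.

```go
package main

import (
	"debug/elf"
	"fmt"
)

// invariant is a hypothetical per-fixture declaration (field names are assumptions).
type invariant struct {
	machine        elf.Machine
	data           elf.Data // EM_PPC64 covers both endiannesses, so pin this too
	wantSection    string   // section the code path under test reads
	rejectSections []string // sections that would route around that path
}

// check returns every violated invariant; a test would t.Fatalf on any of them.
func check(f *elf.File, inv invariant) (bad []string) {
	if f.Machine != inv.machine || f.Data != inv.data {
		bad = append(bad, fmt.Sprintf("arch: got %v/%v", f.Machine, f.Data))
	}
	if f.Section(inv.wantSection) == nil {
		bad = append(bad, "missing section "+inv.wantSection)
	}
	for _, name := range inv.rejectSections {
		if f.Section(name) != nil {
			bad = append(bad, "unexpected section "+name)
		}
	}
	return bad
}

// fakeELF is a constructed in-memory stand-in; a real test would use elf.Open.
func fakeELF(m elf.Machine, d elf.Data, names ...string) *elf.File {
	f := &elf.File{FileHeader: elf.FileHeader{Machine: m, Data: d}}
	for _, n := range names {
		f.Sections = append(f.Sections, &elf.Section{SectionHeader: elf.SectionHeader{Name: n}})
	}
	return f
}

func demo() (ok, rebuilt, wrongEndian []string) { // three constructed binaries
	pie := invariant{elf.EM_X86_64, elf.ELFDATA2LSB, ".data.rel.ro", []string{".gopclntab"}}
	ppc := invariant{elf.EM_PPC64, elf.ELFDATA2LSB, ".gopclntab", nil} // section is an assumption
	ok = check(fakeELF(elf.EM_X86_64, elf.ELFDATA2LSB, ".text", ".data.rel.ro"), pie)
	// A rebuild that gains a dedicated .gopclntab no longer exercises the fallback.
	rebuilt = check(fakeELF(elf.EM_X86_64, elf.ELFDATA2LSB, ".data.rel.ro", ".gopclntab"), pie)
	wrongEndian = check(fakeELF(elf.EM_PPC64, elf.ELFDATA2MSB, ".gopclntab"), ppc)
	return
}

func main() { fmt.Println(demo()) }
```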