verify helm chart on pr

.docker/prod.Dockerfile

@@ -1,11 +1,12 @@
 ARG VERSION=edge
-# this allows to work on forked repository
-ARG REPOSITORY=greenbone/openvas-scanner
+# this allows to override gvm-libs for e.g. smoketests
+ARG GVM_LIBS=registry.community.greenbone.net/community/gvm-libs
 
 FROM rust AS rust
+
 FROM greenbone/openvas-smb AS openvas-smb
 
-FROM registry.community.greenbone.net/community/gvm-libs:${VERSION} AS build
+FROM ${GVM_LIBS}:${VERSION} AS build
 COPY . /source
 RUN sh /source/.github/install-openvas-dependencies.sh
 COPY --from=openvas-smb /usr/local/lib/ /usr/local/lib/
@@ -24,7 +25,7 @@
 # Do we want to copy feed verifier as well?
 # RUN cp release/feed-verifier /install/bin
 
-FROM registry.community.greenbone.net/community/gvm-libs:${VERSION}
+FROM ${GVM_LIBS}:${VERSION}
 RUN apt-get update && apt-get install --no-install-recommends --no-install-suggests -y \
   bison \
   libglib2.0-0 \
@@ -68,4 +69,4 @@
 # allow nmap to send e.g. UDP or TCP SYN probes without root permissions
 ENV NMAP_PRIVILEGED=1
 RUN setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nmap
 CMD /usr/local/bin/openvasd

.github/workflows/auto_label.yml

@@ -9,7 +9,7 @@ permissions:
 
 jobs:
   label:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted-generic
     steps:
         - uses: greenbone/actions/pr-conventional-commit-labeler@main
           with:

.github/workflows/build.yml

@@ -4,7 +4,7 @@ on: [workflow_call]
 
 jobs:
   C:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted-generic
     container: greenbone/gvm-libs:stable
     steps:
       - uses: actions/checkout@v4
@@ -16,7 +16,7 @@ jobs:
           cmake -Bbuild -DCMAKE_C_COMPILER=/usr/share/clang/scan-build-14/libexec/ccc-analyzer
           cmake --build build
   Rust:
-    runs-on: "ubuntu-latest"
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/setup-rust

.github/workflows/codeql.yml

@@ -11,7 +11,7 @@ on:
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: self-hosted-generic
     permissions:
       actions: read
       contents: read

.github/workflows/control.yml

@@ -40,7 +40,7 @@ jobs:
   # this prevents us from having to pass down all labels, event_name, etc
   # to init.yml
   adapt_release:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted-generic
     outputs:
       kind: ${{ steps.kind.outputs.kind}}
     steps:
@@ -79,7 +79,7 @@ jobs:
   linting:
     uses: ./.github/workflows/linting.yml
   functional:
-    needs: [unittests, build]
+    # needs: [unittests, build]
     uses: ./.github/workflows/functional.yaml
   container:
     needs: [build, init]
@@ -143,18 +143,11 @@ jobs:
       email: ${{ secrets.GREENBONE_BOT_MAIL }}
       gpg_key: ${{ secrets.GPG_KEY }}
       gpg_pass: ${{ secrets.GPG_PASSPHRASE }}
-  smoketests:
-    if: github.event_name != 'pull_request'
-    needs: [container, init]
-    uses: ./.github/workflows/smoketest.yaml
-    with:
-      docker_repo: ${{ github.repository }}
-      docker_tag: ${{needs.init.outputs.docker_test_tag}}
   helm:
+    if: github.event_name != 'pull_request' && vars.IMAGE_REGISTRY != ''
+    needs: [container, init]
     permissions:
       packages: write
-    needs: [smoketests]
-    if: vars.IMAGE_REGISTRY != ''
     uses: ./.github/workflows/push-helm-chart.yml
     secrets:
       user: ${{ secrets.GREENBONE_BOT }}

.github/workflows/dependency-review.yml

@@ -7,7 +7,7 @@ permissions:
 
 jobs:
   dependency-review:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted-generic
     steps:
       - name: 'Dependency Review'
         uses: greenbone/actions/dependency-review@v3

.github/workflows/functional.yaml

@@ -10,7 +10,7 @@ jobs:
   # Tests that gvm-libs, openvas-smb and openvas dependencies work together and
   # that openvas is buildable and integrates openvas-smb when available
   distributed-monolith-railguard:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted-generic
     strategy:
       fail-fast: false
       matrix:
@@ -27,8 +27,97 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/compile-x86_64
-  tests:
+  build-image:
+    runs-on: self-hosted-generic
+    steps:
+      - uses: actions/checkout@v4
+      - run: |
+          docker build -t registry.community.greenbone.net/community/openvas-scanner:edge -f .docker/prod.Dockerfile .
+          docker pull registry.community.greenbone.net/community/vulnerability-tests:community
+          docker pull registry.community.greenbone.net/community/notus-data:community
+          docker save -o ${{ runner.temp }}/vtc.tar registry.community.greenbone.net/community/vulnerability-tests:community
+          docker save -o ${{ runner.temp }}/nc.tar registry.community.greenbone.net/community/notus-data:community
+          docker save -o ${{ runner.temp }}/openvas.tar registry.community.greenbone.net/community/openvas-scanner:edge
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ovimage
+          path: ${{ runner.temp }}/*.tar
+
+  smoketest:   
+    # currently we cannot use internal runner as they cannot start k3s until it
+    # is fixed we need to build the image in another job running on
+    # self-hosted-generic export it as a tar and import it here to work around
+    # the unreliability of registry.community.greenbone.net/community
+    # when called too often
     runs-on: ubuntu-latest
+    needs: [build-image]
+    steps:
+      - name: Start a local k8s cluster
+        uses: jupyterhub/action-k3s-helm@v4
+        with:
+          k3s-channel: latest
+          metrics-enabled: false
+          docker-enabled: true
+      - uses: actions/checkout@v4
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ovimage
+          path: ${{ runner.temp }}
+      - name: publish current docker image into k3s
+        run: |
+          docker load --input ${{ runner.temp }}/openvas.tar
+          docker load --input ${{ runner.temp }}/nc.tar
+          docker load --input ${{ runner.temp }}/vtc.tar
+          docker image ls -a
+      - name: 'do not, I repeat, do NOT pull that'
+        run: |
+          # repository: registry.community.greenbone.net/community/openvas-scanner
+          # pullPolicy: Always
+          # tag: "edge"
+          echo "openvas:" >> st.yaml
+          echo "  repository: registry.community.greenbone.net/community/openvas-scanner" >> st.yaml
+          echo "  tag: edge" >> st.yaml
+          echo "  pullPolicy: Never" >> st.yaml
+          echo "vulnerabilitytests:" >> st.yaml
+          echo "  repository: registry.community.greenbone.net/community/vulnerability-tests" >> st.yaml
+          echo "  tag: community" >> st.yaml
+          echo "  pullPolicy: Never" >> st.yaml
+          echo "notusdata:" >> st.yaml
+          echo "  repository: registry.community.greenbone.net/community/notus-data" >> st.yaml
+          echo "  tag: community" >> st.yaml
+          echo "  pullPolicy: Never" >> st.yaml
+          cat st.yaml
+      - name: deploy openvasd
+        run: |
+          cd rust/examples/tls/self-signed
+          make delete deploy
+          cd -
+
+          helm uninstall openvasd --namespace openvasd|| true
+          helm install --namespace openvasd --create-namespace openvasd charts/openvasd/ \
+            --values charts/openvasd/values.yaml \
+            --values charts/openvasd/mtls-wo-ingress.yaml \
+            --values st.yaml
+          kubectl rollout status --watch --timeout 600s deployment/openvasd --namespace openvasd 
+          echo "OPENVASD_SERVER=https://$(kubectl get svc -n openvasd | awk 'FNR == 2 {print $(3)}')" >> $GITHUB_ENV
+      - run: kubectl get pods -n openvasd -o=wide
+      - run: kubectl describe pod openvasd -n openvasd
+      - name: smoketest
+        working-directory: rust/crates/smoketest
+        env:
+          SCAN_CONFIG: configs/simple_scan_ssh_only.json
+          CLIENT_KEY: ../../examples/tls/self-signed/client.rsa
+          CLIENT_CERT: ../../examples/tls/self-signed/client.pem
+        run: |
+          make build run || ls -las ../../
+      # - uses: actions/cache@v4
+      #   with:
+      #     path: /tmp/openvas.tar
+      #     key: openvas-cache-${{ github.run_id }}
+  tests:
+    runs-on: self-hosted-generic
     needs: [build-rs]
     services:
       redis:

.github/workflows/helm-release-on-tag.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   release-helm-chart:
     name: Release helm chart
-    runs-on: ubuntu-latest
+    runs-on: self-hosted-generic
     strategy:
       fail-fast: false
       matrix:

.github/workflows/init.yaml

@@ -45,7 +45,7 @@ on:
 
 jobs:
   init:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted-generic
     outputs:
       is_latest_tag: ${{ steps.version.outputs.is_latest_tag }}
       is_version_tag: ${{ steps.version.outputs.is_version_tag }}

.github/workflows/linting.yml

@@ -4,7 +4,7 @@ on: [workflow_call]
 
 jobs:
   C:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted-generic
     steps:
       - name: Check out openvas-scanner
         uses: actions/checkout@v4

.github/workflows/push-container-oldstable.yml

@@ -18,7 +18,7 @@ on:
 jobs:
   debian_oldstable:
     name: ghcr:debian:oldstable
-    runs-on: "ubuntu-latest"
+    runs-on: "self-hosted-generic"
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

.github/workflows/push-container-testing.yml

@@ -19,7 +19,7 @@ jobs:
   # TODO: do we need to push or is building enough?
   debian_testing:
     name: ghcr:debian:testing
-    runs-on: "ubuntu-latest"
+    runs-on: "self-hosted-generic"
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

.github/workflows/push-container.yml

@@ -82,7 +82,7 @@ jobs:
 
   debian_stable:
     name: ghcr:debian:stable
-    runs-on: "ubuntu-latest"
+    runs-on: "self-hosted-generic"
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

.github/workflows/push-helm-chart.yml

@@ -15,7 +15,7 @@ on:
 
 jobs:
   helm:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted-generic
     steps:
       - uses: actions/checkout@v4
       - uses: greenbone/actions/helm-build-push@v3

.github/workflows/release.yml

@@ -53,7 +53,7 @@ on:
 jobs:
   release:
     name: release
-    runs-on: "ubuntu-latest"
+    runs-on: "self-hosted-generic"
     env:
       RELEASE_KIND: ${{inputs.release_kind}}
       RELEASE_REF: ${{inputs.release_ref}}

.github/workflows/sbom-upload.yml

@@ -5,7 +5,7 @@ on:
     branches: ["main"]
 jobs:
   SBOM-upload:
-    runs-on: ubuntu-latest
+    runs-on: self-hosted-generic
     permissions:
       id-token: write
       contents: write