From 63dfcdfa3da7c202acb81f72301f59b5a2ce3f30 Mon Sep 17 00:00:00 2001
From: shivaccuknox <150668714+shivaccuknox@users.noreply.github.com>
Date: Fri, 5 Jul 2024 16:24:59 +0530
Subject: [PATCH] fix: rename chainsaw tests (#213)
* - Renaming tests - Corrected the status field in show status
* - makefile controller-gen paths fixed - crd changes to get the correct status
* - Separated the rbac from crd generation so that unnecesary roles are not given to nimbus-operator
---------
Co-authored-by: Ved Ratan <82467006+VedRatan@users.noreply.github.com>
---
 Makefile | 3 ++-
 .../clustersecurityintentbinding_types.go | 2 +-
 ...bus.com_clustersecurityintentbindings.yaml | 2 +-
 deployments/nimbus/templates/crds.yaml | 2 +-
 .../excludename/chainsaw-test.yaml | 23 ++++++++++++++-----
 .../matchall/chainsaw-test.yaml | 15 +++++++-----
 .../matchname/chainsaw-test.yaml | 13 +++++++----
 7 files changed, 40 insertions(+), 20 deletions(-)
diff --git a/Makefile b/Makefile
index fba2dfc4..fb96f231 100644
--- a/Makefile
+++ b/Makefile
@@ -50,7 +50,8 @@ help: ## Display this help.
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
- $(CONTROLLER_GEN) rbac:roleName=nimbus-operator crd webhook paths="./internal/..." output:crd:artifacts:config=config/crd/bases
+ $(CONTROLLER_GEN) rbac:roleName=nimbus-operator webhook paths="./internal/..."
+ $(CONTROLLER_GEN) crd paths="./api/..." output:crd:artifacts:config=config/crd/bases
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
diff --git a/api/v1alpha1/clustersecurityintentbinding_types.go b/api/v1alpha1/clustersecurityintentbinding_types.go
index 24357d4d..6d653eff 100644
--- a/api/v1alpha1/clustersecurityintentbinding_types.go
+++ b/api/v1alpha1/clustersecurityintentbinding_types.go
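Review bot: The recipe gives no hint why the `rbac` and `crd` generators are now two calls over different trees (`./internal/...` and `./api/...`), so a later tidy-up could fold them back into one and, going by the commit message, hand the nimbus-operator role permissions it should not have. A plain comment above the `manifests` target would record the intent: `# Keep rbac and crd generation separate: RBAC markers are read from ./internal/... only, so the nimbus-operator role is not widened.` It would also help to review the regenerated role file alongside this change, since the hunk does not show which rules dropped out of the role.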
@@ -42,7 +42,7 @@ type ClusterSecurityIntentBindingStatus struct {
 //+kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.status"
 //+kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
 //+kubebuilder:printcolumn:name="Intents",type="integer",JSONPath=".status.numberOfBoundIntents"
-//+kubebuilder:printcolumn:name="NimbusPolicies",type="integer",JSONPath=".status.numberofNimbusPolicies"
+//+kubebuilder:printcolumn:name="NimbusPolicies",type="integer",JSONPath=".status.numberOfNimbusPolicies"
 //+kubebuilder:printcolumn:name="ClusterNimbusPolicy",type="string",JSONPath=".status.clusterNimbusPolicy"
 //+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
diff --git a/config/crd/bases/intent.security.nimbus.com_clustersecurityintentbindings.yaml b/config/crd/bases/intent.security.nimbus.com_clustersecurityintentbindings.yaml
index 596ef5a7..6b4b8734 100644
--- a/config/crd/bases/intent.security.nimbus.com_clustersecurityintentbindings.yaml
+++ b/config/crd/bases/intent.security.nimbus.com_clustersecurityintentbindings.yaml
@@ -26,7 +26,7 @@ spec:
 - jsonPath: .status.numberOfBoundIntents
 name: Intents
 type: integer
- - jsonPath: .status.numberofNimbusPolicies
+ - jsonPath: .status.numberOfNimbusPolicies
 name: NimbusPolicies
 type: integer
 - jsonPath: .status.clusterNimbusPolicy
diff --git a/deployments/nimbus/templates/crds.yaml b/deployments/nimbus/templates/crds.yaml
index 358314e0..e3b94375 100644
--- a/deployments/nimbus/templates/crds.yaml
+++ b/deployments/nimbus/templates/crds.yaml
@@ -161,7 +161,7 @@ spec:
 - jsonPath: .status.numberOfBoundIntents
 name: Intents
 type: integer
- - jsonPath: .status.numberofNimbusPolicies
+ - jsonPath: .status.numberOfNimbusPolicies
 name: NimbusPolicies
 type: integer
 - jsonPath: .status.clusterNimbusPolicy
diff --git a/tests/controllers/clustersecurityintentbinding/excludename/chainsaw-test.yaml b/tests/controllers/clustersecurityintentbinding/excludename/chainsaw-test.yaml
index 7badede0..318c709c 100644
--- a/tests/controllers/clustersecurityintentbinding/excludename/chainsaw-test.yaml
+++ b/tests/controllers/clustersecurityintentbinding/excludename/chainsaw-test.yaml
@@ -4,14 +4,18 @@
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
- name: exclude-names-add-csib
+ name: csib-exclude-names-add-update-csib
 spec:
 description: >
- 1. Add dev, staging, prod ns
- 2. Adds a csib for excludeNames with dev, staging
- 3. Update csib for excludeNames with dev, prod, regional
- 4. Add a ns with name management - this ns is not part of the excludeNames
- Add a ns with name regional - this is part of the excludeNames
+ This test case tests out multiple scenarios.
+ 1. First we add namespaces dev, staging, and prod. Then we create a csib with excludeNames for
+ dev and staging. This should result in creation of Nimbus policies for all namespaces
+ except "dev", "staging".
+ 2. Then we update csib for excludeNames with dev, prod, regional. This should result in the
+ deletion of the the prod nimbus policy
+ 3. Finally, we add a ns with names management, regional. management ns is not part of the excludeNames
+ while regional is part of the excludeNames. This step should result in creation of nimbus
+ policy for management ns, and nimbus policy for regional should not be created
 steps:
 - name: "1. Create prod, dev, staging Namespaces"
 try:
@@ -106,3 +110,10 @@ spec:
 content: kubectl -n regional get np nimbus-ctlr-gen-escape-to-host
 check:
 ($error != null): true
+
+ - name: "Verify NimbusPolicy presence in management"
+ try:
+ - script:
+ content: kubectl -n management get np nimbus-ctlr-gen-escape-to-host
+ check:
+ ($error == null): true
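Review bot: The added "Verify NimbusPolicy presence in management" step runs `kubectl -n management get np nimbus-ctlr-gen-escape-to-host` once and requires `($error == null)`, so unless an earlier step already waits, it passes only if the controller has reconciled the new namespace by then. A chainsaw `assert` on the resource polls until the step timeout and proves the same thing without the race. The sketch below infers the apiVersion from the CRD group and the `api/v1alpha1` directory named in this patch and the kind from the step name, so confirm both before using it. The absence check for `regional` just above passes on any kubectl error rather than only on NotFound; that step starts outside this hunk, but it may be worth tightening in the same pass.

```yaml
  # … unchanged: absence check for the regional namespace …
  - name: "Verify NimbusPolicy presence in management"
    try:
      - assert:
          resource:
            apiVersion: intent.security.nimbus.com/v1alpha1
            kind: NimbusPolicy
            metadata:
              name: nimbus-ctlr-gen-escape-to-host
              namespace: management
```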
diff --git a/tests/controllers/clustersecurityintentbinding/matchall/chainsaw-test.yaml b/tests/controllers/clustersecurityintentbinding/matchall/chainsaw-test.yaml
index 8ede1399..3fae4e8d 100644
--- a/tests/controllers/clustersecurityintentbinding/matchall/chainsaw-test.yaml
+++ b/tests/controllers/clustersecurityintentbinding/matchall/chainsaw-test.yaml
@@ -4,14 +4,17 @@
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
- name: multiple-ns-add-csib
+ name: csib-matchall-ns-add-csib
 spec:
 description: >
- 1. Create prod, dev, staging ns
- 2. Add security intent
- 3. Add csib
- 4. Delete prod namespace
- 5. Create prod namespace again
+ Multiple scenarios are tested here
+ 1. Three namespaces are created - prod, dev, staging - and we create a csib with a
+ matchAll condition (*). This is supposed to create nimbus policies in all namespaces
+ except kube-system.
+ 2. Then we delete the prod namespace, and verify that the nimbus policy no longer exists
+ in that namespace. The nimbus policies in the other namespaces should not be affected.
+ 3. The we create the prod namespace again, and verify that the nimbus policy in prod
+ namespace is created again. Additionally, the existing nimbus policies are unaffected
 steps:
 - name: "Create prod, dev, staging Namespaces"
 try:
diff --git a/tests/controllers/clustersecurityintentbinding/matchname/chainsaw-test.yaml b/tests/controllers/clustersecurityintentbinding/matchname/chainsaw-test.yaml
index d89df222..5aad5426 100644
--- a/tests/controllers/clustersecurityintentbinding/matchname/chainsaw-test.yaml
+++ b/tests/controllers/clustersecurityintentbinding/matchname/chainsaw-test.yaml
@@ -4,12 +4,17 @@
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
- name: match-names-add-csib
+ name: csib-match-names-add-update-csib
 spec:
 description: >
- 1. Adds a csib for matchNames with dev, staging
- 2. Delete staging ns
- 3. Update csib for matchNames with dev, prod
+ Multiple scenarios are tested here
+ 1. First we create the dev and staging namespaces. Then we add a csib with matchNames with
+ dev, staging. This should result in creation of nimbus policies in dev, and staging namespaces
+ only, and not in other namespaces.
+ 2. Then we delete the staging ns, and the nimbus policy in dev should not be affected. Also, no
+ nimbus policy should be present in prod.
+ 3. Then we update csib for matchNames with dev, prod. This should result in creation of nimbus
+ policy in prod ns. Also, nimbus policy in dev should also be present.
 steps:
 - name: "Create prod, dev, staging Namespaces"
 try:
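Review bot: Item 1 of the new description says only the dev and staging namespaces are created, while the first step shown in this hunk is named "Create prod, dev, staging Namespaces" and item 2 already expects no policy in prod. Naming all three keeps the description in line with the steps, e.g. `1. First we create the prod, dev and staging namespaces. Then we add a csib with matchNames with`. The step bodies lie outside the hunk, so this rests on the step name alone.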