add dummy provider and e2e for external data validation (#1606)

open-policy-agent · Oct 26, 2021 · b1a6812 · b1a6812
1 parent 9fd8514
commit b1a6812
Show file tree

Hide file tree

Showing 20 changed files with 418 additions and 46 deletions.
diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
@@ -102,6 +102,7 @@ jobs:
           make test-e2e
 
       - name: Save logs
+        if: ${{ always() }}
         run: |
           kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-controller.json
           kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json
@@ -139,6 +140,7 @@ jobs:
           make test-e2e GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} ENABLE_MUTATION_TESTS=1
 
       - name: Save logs
+        if: ${{ always() }}
         run: |
           kubectl logs -n ${{ matrix.GATEKEEPER_NAMESPACE }} -l control-plane=controller-manager --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-${{ matrix.GATEKEEPER_NAMESPACE }}-controller.json
           kubectl logs -n ${{ matrix.GATEKEEPER_NAMESPACE }} -l control-plane=audit-controller --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-${{ matrix.GATEKEEPER_NAMESPACE }}-audit.json
@@ -147,7 +149,52 @@ jobs:
         uses: actions/upload-artifact@v2
         if: ${{ always() }}
         with:
-          name: logs
+          name: helm-logs
+          path: |
+            logs-*.json
+
+  build_test_externaldata:
+    name: "[External Data] Build and Test"
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    strategy:
+      matrix:
+        KUBERNETES_VERSION: ["1.22.0"]
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+
+      - name: Set up Go 1.17
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.17
+
+      - name: Bootstrap e2e
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/bin
+          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
+          make e2e-bootstrap KUBERNETES_VERSION=${{ matrix.KUBERNETES_VERSION }}
+
+      - name: Run e2e
+        run: |
+          make e2e-build-load-image IMG=gatekeeper-e2e:latest CRD_IMG=gatekeeper-crds:latest
+          make e2e-build-load-externaldata-image
+          make deploy IMG=gatekeeper-e2e:latest USE_LOCAL_IMG=true ENABLE_EXTERNAL_DATA=true
+          # there should be no additional manifest changes
+          git diff --exit-code
+          make test-e2e ENABLE_EXTERNAL_DATA_TESTS=1
+
+      - name: Save logs
+        if: ${{ always() }}
+        run: |
+          kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-externaldata-controller.json
+          kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-externaldata-audit.json
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v2
+        if: ${{ always() }}
+        with:
+          name: externaldata-logs
           path: |
             logs-*.json
 

diff --git a/Makefile b/Makefile
@@ -116,6 +116,10 @@ e2e-bootstrap:
 e2e-build-load-image: docker-buildx
 	kind load docker-image --name kind ${IMG} ${CRD_IMG}
 
+e2e-build-load-externaldata-image: docker-buildx-builder
+	docker buildx build --platform="linux/amd64" -t dummy-provider:test --load -f test/externaldata/dummy-provider/Dockerfile test/externaldata/dummy-provider
+	kind load docker-image --name kind dummy-provider:test
+
 e2e-verify-release: patch-image deploy test-e2e
 	echo -e '\n\n======= manager logs =======\n\n' && kubectl logs -n ${GATEKEEPER_NAMESPACE} -l control-plane=controller-manager
 
@@ -195,6 +199,7 @@ deploy-mutation: patch-image
 deploy: patch-image manifests
 ifeq ($(ENABLE_EXTERNAL_DATA),true)
 	@grep -q -v 'enable-external-data' ./config/overlays/dev/manager_image_patch.yaml && sed -i '/- --operation=webhook/a \ \ \ \ \ \ \ \ - --enable-external-data=true' ./config/overlays/dev/manager_image_patch.yaml
+	@grep -q -v 'enable-external-data' ./config/overlays/dev/manager_image_patch.yaml && sed -i '/- --operation=audit/a \ \ \ \ \ \ \ \ - --enable-external-data=true' ./config/overlays/dev/manager_image_patch.yaml
 endif
 	docker run -v $(shell pwd)/config:/config -v $(shell pwd)/vendor:/vendor \
 	  k8s.gcr.io/kustomize/kustomize:v${KUSTOMIZE_VERSION} build \
@@ -283,51 +288,39 @@ docker-build: build-crds
 	docker build --pull -f crd.Dockerfile .staging/crds/ --build-arg LDFLAGS=${LDFLAGS} --build-arg KUBE_VERSION=${KUBERNETES_VERSION} --build-arg TARGETOS="linux" --build-arg TARGETARCH="amd64" -t ${CRD_IMG}
 	docker build --pull . --build-arg LDFLAGS=${LDFLAGS} -t ${IMG}
 
-# Build docker image with buildx
-# Experimental docker feature to build cross platform multi-architecture docker images
-# https://docs.docker.com/buildx/working-with-buildx/
-docker-buildx: build-crds
+docker-buildx-builder:
 	if ! docker buildx ls | grep -q container-builder; then\
 		docker buildx create --name container-builder --use;\
 	fi
+
+# Build image with buildx to build cross platform multi-architecture docker images
+# https://docs.docker.com/buildx/working-with-buildx/
+docker-buildx: build-crds docker-buildx-builder
 	docker buildx build --build-arg LDFLAGS=${LDFLAGS} --platform "linux/amd64" \
 		-t $(IMG) \
 		. --load
 	docker buildx build --build-arg LDFLAGS=${LDFLAGS} --build-arg KUBE_VERSION=${KUBERNETES_VERSION} --platform "linux/amd64" \
 		-t $(CRD_IMG) \
 		-f crd.Dockerfile .staging/crds/ --load
 
-docker-buildx-dev:
-	@if ! docker buildx ls | grep -q container-builder; then\
-		docker buildx create --name container-builder --use;\
-	fi
+docker-buildx-dev: docker-buildx-builder
 	docker buildx build --build-arg LDFLAGS=${LDFLAGS} --platform "linux/amd64,linux/arm64,linux/arm/v7" \
 		-t $(REPOSITORY):$(DEV_TAG) \
 		-t $(REPOSITORY):dev \
 		. --push
 
-docker-buildx-crds-dev: build-crds
-	@if ! docker buildx ls | grep -q container-builder; then\
-		docker buildx create --name container-builder --use;\
-	fi
-
+docker-buildx-crds-dev: build-crds docker-buildx-builder
 	docker buildx build --build-arg LDFLAGS=${LDFLAGS} --build-arg KUBE_VERSION=${KUBERNETES_VERSION} --platform "linux/amd64,linux/arm64,linux/arm/v7" \
 		-t $(CRD_REPOSITORY):$(DEV_TAG) \
 		-t $(CRD_REPOSITORY):dev \
 		-f crd.Dockerfile .staging/crds/ --push
 
-docker-buildx-release:
-	@if ! docker buildx ls | grep -q container-builder; then\
-		docker buildx create --name container-builder --use;\
-	fi
+docker-buildx-release: docker-buildx-builder
 	docker buildx build --build-arg LDFLAGS=${LDFLAGS} --platform "linux/amd64,linux/arm64,linux/arm/v7" \
 		-t $(REPOSITORY):$(VERSION) \
 		. --push
 
-docker-buildx-crds-release: build-crds
-	@if ! docker buildx ls | grep -q container-builder; then\
-		docker buildx create --name container-builder --use;\
-	fi
+docker-buildx-crds-release: build-crds docker-buildx-builder
 	docker buildx build --build-arg LDFLAGS=${LDFLAGS} --build-arg KUBE_VERSION=${KUBERNETES_VERSION} --platform "linux/amd64,linux/arm64,linux/arm/v7" \
 		-t $(CRD_REPOSITORY):$(VERSION) \
 		-f crd.Dockerfile .staging/crds/ --push

diff --git a/build/tooling/Dockerfile b/build/tooling/Dockerfile
@@ -1,6 +1,6 @@
 FROM golang:1.17
 
-RUN GO111MODULE=on go get sigs.k8s.io/controller-tools/cmd/[email protected]
+RUN GO111MODULE=on go install sigs.k8s.io/controller-tools/cmd/[email protected]
 
 RUN mkdir /gatekeeper
 WORKDIR /gatekeeper
diff --git a/go.mod b/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/onsi/ginkgo v1.16.4
 	github.com/onsi/gomega v1.16.0
 	github.com/open-policy-agent/cert-controller v0.2.0
-	github.com/open-policy-agent/frameworks/constraint v0.0.0-20211012225819-a8579b618cb7
+	github.com/open-policy-agent/frameworks/constraint v0.0.0-20211025234246-f478d8a555b5
 	github.com/open-policy-agent/opa v0.29.4
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.11.0

diff --git a/go.sum b/go.sum
@@ -607,8 +607,8 @@ github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
 github.com/open-policy-agent/cert-controller v0.2.0 h1:Z+IPOYDor28l6cjEo2WvTZY6Bv5oYR6wECEIP8pyG/M=
 github.com/open-policy-agent/cert-controller v0.2.0/go.mod h1:SWS7Ame8oKHF11cDsQCFlULrrOMV5Z59FIGEAF/M6YI=
-github.com/open-policy-agent/frameworks/constraint v0.0.0-20211012225819-a8579b618cb7 h1:X2dfeC/XNGcoBlytXDKnlom0roCCM8bS75Ms+vqDe/s=
-github.com/open-policy-agent/frameworks/constraint v0.0.0-20211012225819-a8579b618cb7/go.mod h1:sxECOn2E9o4DIK6ttinq1frfiErxi0Z8oIgtz7VDVBc=
+github.com/open-policy-agent/frameworks/constraint v0.0.0-20211025234246-f478d8a555b5 h1:v5CdVF+Gk0OGPZM+6g0CKjaUWjehnf5e/sezx1Qp7vw=
+github.com/open-policy-agent/frameworks/constraint v0.0.0-20211025234246-f478d8a555b5/go.mod h1:sxECOn2E9o4DIK6ttinq1frfiErxi0Z8oIgtz7VDVBc=
 github.com/open-policy-agent/opa v0.29.4 h1:rNa/Gd3Fs0xWgL0aZoyblRwCZLJsSLDQOhnck6DWpaA=
 github.com/open-policy-agent/opa v0.29.4/go.mod h1:ZCOTD3yyFR8JvF8ETdWdiSPn9WcF1dXeQWOv7VoPorU=
 github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492/go.mod h1:Ngi6UdF0k5OKD5t5wlmGhe/EDKPoUM3BXZSSfIuJbis=

diff --git a/test/bats/test.bats b/test/bats/test.bats
@@ -75,6 +75,8 @@ teardown_file() {
   assert_equal "" "${output}"
 
   kubectl delete --ignore-not-found svc mutate-svc
+  kubectl delete --ignore-not-found assignmetadata k8sownerlabel
+  kubectl delete --ignore-not-found assign k8sexternalip
 }
 
 @test "applying sync config" {
@@ -222,10 +224,49 @@ __required_labels_audit_test() {
 }
 
 @test "disable http.send" {
-  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f ${BATS_TESTS_DIR}/templates/use_http_send_template.yaml"
+  kubectl apply -f ${BATS_TESTS_DIR}/templates/use_http_send_template.yaml
   wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced constrainttemplate k8sdenynamehttpsend"
   run kubectl apply -f ${BATS_TESTS_DIR}/bad/bad_http_send.yaml
   assert_failure
   run kubectl get constrainttemplate/k8sdenynamehttpsend -o jsonpath="{.status}"
   assert_match 'undefined function http.send' "${output}"
 }
+
+@test "external data provider crd is established" {
+  if [ -z $ENABLE_EXTERNAL_DATA_TESTS ]; then
+    skip "skipping external data tests"
+  fi
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl wait --for condition=established --timeout=60s crd/providers.externaldata.gatekeeper.sh"
+}
+
+@test "gatekeeper external data validation test" {
+  if [ -z $ENABLE_EXTERNAL_DATA_TESTS ]; then
+    skip "skipping external data validation tests"
+  fi
+
+  # deployment, service and provider for dummy-provider
+  run kubectl apply -f test/externaldata/dummy-provider/manifest
+  assert_success
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl wait --for=condition=Ready --timeout=60s pod -l run=dummy-provider -n dummy-provider"
+
+  kubectl apply -f test/externaldata/dummy-provider/policy/template.yaml
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f test/externaldata/dummy-provider/policy/constraint.yaml"
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced k8sexternaldata dummy"
+
+  run kubectl apply -f test/externaldata/dummy-provider/policy/examples/error.yaml
+  assert_match 'denied the request' "${output}"
+  assert_match 'error_test/image:latest_invalid' "${output}"
+  assert_failure
+
+  run kubectl apply -f test/externaldata/dummy-provider/policy/examples/system-error.yaml
+  assert_match 'denied the request' "${output}"
+  assert_match 'testing system error' "${output}"
+  assert_failure
+
+  run kubectl apply -f test/externaldata/dummy-provider/policy/examples/valid.yaml
+  assert_success
+
+  kubectl delete --ignore-not-found -f test/externaldata/dummy-provider/manifest
+  kubectl delete --ignore-not-found deploy error-deployment valid-deployment system-error-deployment
+  kubectl delete --ignore-not-found constrainttemplate k8sexternaldata
+}
diff --git a/test/externaldata/dummy-provider/Dockerfile b/test/externaldata/dummy-provider/Dockerfile
@@ -0,0 +1,35 @@
+ARG BUILDPLATFORM="linux/amd64"
+ARG BUILDERIMAGE="golang:1.17"
+ARG BASEIMAGE="gcr.io/distroless/static:nonroot"
+
+FROM --platform=$BUILDPLATFORM $BUILDERIMAGE as builder
+
+ARG TARGETPLATFORM
+ARG TARGETOS
+ARG TARGETARCH
+ARG TARGETVARIANT=""
+ARG LDFLAGS
+
+ENV GO111MODULE=on \
+    CGO_ENABLED=0 \
+    GOOS=${TARGETOS} \
+    GOARCH=${TARGETARCH} \
+    GOARM=${TARGETVARIANT}
+
+WORKDIR /go/src/github.com/open-policy-agent/gatekeeper/test/externaldata/dummy-provider
+
+COPY . .
+
+RUN go mod init && go mod tidy
+
+RUN go build -o provider provider.go
+
+FROM $BASEIMAGE
+
+WORKDIR /
+
+COPY --from=builder /go/src/github.com/open-policy-agent/gatekeeper/test/externaldata/dummy-provider .
+
+USER 65532:65532
+
+ENTRYPOINT ["/provider"]
diff --git a/test/externaldata/dummy-provider/manifest/deployment.yaml b/test/externaldata/dummy-provider/manifest/deployment.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dummy-provider
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dummy-provider
+  namespace: dummy-provider
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      run: dummy-provider
+  template:
+    metadata:
+      labels:
+        run: dummy-provider
+    spec:
+      containers:
+      - image: dummy-provider:test
+        imagePullPolicy: Never
+        name: dummy-provider
+        ports:
+        - containerPort: 8090
+          protocol: TCP
+      restartPolicy: Always
+      nodeSelector:
+        kubernetes.io/os: linux
diff --git a/test/externaldata/dummy-provider/manifest/provider.yaml b/test/externaldata/dummy-provider/manifest/provider.yaml
@@ -0,0 +1,7 @@
+apiVersion: externaldata.gatekeeper.sh/v1alpha1
+kind: Provider
+metadata:
+  name: dummy-provider
+spec:
+  url: http://dummy-provider.dummy-provider:8090/validate
+  timeout: 2
diff --git a/test/externaldata/dummy-provider/manifest/service.yaml b/test/externaldata/dummy-provider/manifest/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: dummy-provider
+  namespace: dummy-provider
+spec:
+  ports:
+  - port: 8090
+    protocol: TCP
+    targetPort: 8090
+  selector:
+    run: dummy-provider
+  sessionAffinity: None
diff --git a/test/externaldata/dummy-provider/policy/constraint.yaml b/test/externaldata/dummy-provider/policy/constraint.yaml
@@ -0,0 +1,10 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sExternalData
+metadata:
+  name: dummy
+spec:
+  enforcementAction: deny
+  match:
+    kinds:
+      - apiGroups: ["apps"]
+        kinds: ["Deployment"]
diff --git a/test/externaldata/dummy-provider/policy/examples/error.yaml b/test/externaldata/dummy-provider/policy/examples/error.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: error-deployment
+  labels:
+    app: error-deployment
+spec:
+  replicas: 0 # testing purposes only
+  selector:
+    matchLabels:
+      app: error-deployment
+  template:
+    metadata:
+      labels:
+        app: error-deployment
+    spec:
+      containers:
+      - name: error
+        image: error_test/image:latest
diff --git a/test/externaldata/dummy-provider/policy/examples/system-error.yaml b/test/externaldata/dummy-provider/policy/examples/system-error.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: system-error-deployment
+  labels:
+    app: system-error-deployment
+spec:
+  replicas: 0 # testing purposes only
+  selector:
+    matchLabels:
+      app: system-error-deployment
+  template:
+    metadata:
+      labels:
+        app: system-error-deployment
+    spec:
+      containers:
+      - name: system-error
+        image: test/image:latest_systemError
diff --git a/test/externaldata/dummy-provider/policy/examples/valid.yaml b/test/externaldata/dummy-provider/policy/examples/valid.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: valid-deployment
+  labels:
+    app: valid-deployment
+spec:
+  replicas: 0 # testing purposes only
+  selector:
+    matchLabels:
+      app: valid-deployment
+  template:
+    metadata:
+      labels:
+        app: valid-deployment
+    spec:
+      containers:
+      - name: valid
+        image: test/image:v1