From fc2909ab984669da4b2bfc55dd19944a69847daa Mon Sep 17 00:00:00 2001 From: Christoph Hamsen Date: Sun, 4 Feb 2024 20:00:47 +0100 Subject: [PATCH] fix --- .../workflows/.reusable-integration-test.yml | 8 ++--- README.md | 22 ++++++------- charts/semgr8s/values.yaml | 6 ++-- tests/integration/README.md | 14 +++++++++ tests/integration/main.sh | 6 +++- tests/integration/scripts/rules.sh | 10 ++++++ tests/integration/test_cases/basic.yaml | 18 +++-------- tests/integration/test_cases/rules.yaml | 31 +++++++++++++++++++ 8 files changed, 82 insertions(+), 33 deletions(-) create mode 100644 tests/integration/README.md create mode 100644 tests/integration/scripts/rules.sh create mode 100644 tests/integration/test_cases/rules.yaml diff --git a/.github/workflows/.reusable-integration-test.yml b/.github/workflows/.reusable-integration-test.yml index 7aeb30c..649fa82 100644 --- a/.github/workflows/.reusable-integration-test.yml +++ b/.github/workflows/.reusable-integration-test.yml @@ -96,7 +96,7 @@ jobs: matrix: integration-test-arg: [ - "basic", + "rules", ] steps: - name: Checkout code @@ -116,7 +116,7 @@ jobs: k8s-version: v1.25 - name: Run test run: | - bash tests/integration/integration-test.sh "${{ matrix.integration-test-arg }}" + bash tests/integration/main.sh "${{ matrix.integration-test-arg }}" - name: Display semgr8s configuration if: always() run: | @@ -169,7 +169,7 @@ jobs: k8s-version: ${{ matrix.k8s-version }} - name: Run pre-config and workload integration tests run: | - bash tests/integration/integration-test.sh "pre-and-workload" + bash tests/integration/main.sh "basic" - name: Display k8s state and logs if integration test failed if: failure() run: | 
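Review bot: In the hunk at @@ -169 the step named `Run pre-config and workload integration tests` now runs `main.sh "basic"`, so the job log will label the basic suite with the old `pre-and-workload` wording; rename the step, e.g. `- name: Run basic integration tests`, so the log matches what executes. The same name/argument mismatch is in the hunk at @@ -222. The enclosing job definition starts and ends outside both hunks, so check whether its job-level name or description also still refers to the removed pre-and-workload argument.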
@@ -222,7 +222,7 @@ jobs: k8s-version: ${{ matrix.k8s-version }} - name: Run pre-config and workload integration tests run: | - bash tests/integration/integration-test.sh "pre-and-workload" + bash tests/integration/main.sh "basic" - name: Display k8s state and logs if integration test failed if: failure() run: | diff --git a/README.md b/README.md index 8dff3f0..422cd5b 100644 --- a/README.md +++ b/README.md @@ -99,22 +99,22 @@ Once all resources are in `READY` state, you have successfully installed semgr8s ### Testing -Several test resources are provided under `tests/`. -Semgr8s denies creating pods with insecure configuration according to the rules in `charts/semgr8s/rules`: +Several test resources are provided under `tests/demo/`. +For namespaces with label `semgr8s/validation=enabled`, Semgr8s denies creating pods with insecure configuration according to the rules in `charts/semgr8s/rules`: ```bash -kubectl create -f tests/failing_deployment.yaml +kubectl create -f tests/demo/failing_deployment.yaml ```
output ```bash namespace/test-semgr8s-failing created - Error from server: error when creating "tests/failing_deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies: + Error from server: error when creating "tests/demo/failing_deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies: * rules.allow-privilege-escalation-no-securitycontext - Error from server: error when creating "tests/failing_deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies: + Error from server: error when creating "tests/demo/failing_deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies: * rules.privileged-container - Error from server: error when creating "tests/failing_deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies: + Error from server: error when creating "tests/demo/failing_deployment.yaml": admission webhook "semgr8s-svc.semgr8ns.svc" denied the request: Found 1 violation(s) of the following policies: * rules.hostnetwork-pod ```
@@ -122,7 +122,7 @@ kubectl create -f tests/failing_deployment.yaml Securely configured resources on the other hand are permitted to the cluster: ```bash -kubectl create -f tests/passing_deployment.yaml +kubectl create -f tests/demo/passing_deployment.yaml ```
output @@ -153,7 +153,7 @@ kubectl delete ns semgr8ns Test resources are deleted via: ```bash -kubectl delete -f tests/ +kubectl delete -f tests/demo/ ```
output @@ -162,9 +162,9 @@ kubectl delete -f tests/ namespace "test-semgr8s-failing" deleted namespace "test-semgr8s-passing" deleted pod "passing-testpod-1" deleted - Error from server (NotFound): error when deleting "tests/failing_deployment.yaml": pods "failing-testpod-1" not found - Error from server (NotFound): error when deleting "tests/failing_deployment.yaml": pods "failing-testpod-2" not found - Error from server (NotFound): error when deleting "tests/failing_deployment.yaml": pods "failing-testpod-3" not found + Error from server (NotFound): error when deleting "tests/demo/failing_deployment.yaml": pods "failing-testpod-1" not found + Error from server (NotFound): error when deleting "tests/demo/failing_deployment.yaml": pods "failing-testpod-2" not found + Error from server (NotFound): error when deleting "tests/demo/failing_deployment.yaml": pods "failing-testpod-3" not found ```
diff --git a/charts/semgr8s/values.yaml b/charts/semgr8s/values.yaml index 62f7576..b117c0e 100644 --- a/charts/semgr8s/values.yaml +++ b/charts/semgr8s/values.yaml @@ -1,18 +1,16 @@ deployment: replicaCount: 1 image: - repository: ghcr.io/sse-secure-systems/semgr8s + repository: "{IMAGE}" pullPolicy: IfNotPresent - tag: "" + tag: "{TAG}" containerPort: 5000 imagePullSecrets: [] podAnnotations: {} podSecurityContext: {} securityContext: {} - service: type: ClusterIP port: 443 - application: remoteRules: [] diff --git a/tests/integration/README.md b/tests/integration/README.md new file mode 100644 index 0000000..0da5f01 --- /dev/null +++ b/tests/integration/README.md @@ -0,0 +1,14 @@ +# Run integration tests + +Use the cluster of your choice, e.g. [kind](https://kind.sigs.k8s.io/). +Specify which semgr8s image is to be used as environment variable, e.g.: + +```bash +export IMAGE=ghcr.io/sse-secure-systems/semgr8s +export TAG=v0.1.0 +``` + +Run the desired integration test via: +```bash +tests/integration/main.sh "basic" +``` diff --git a/tests/integration/main.sh b/tests/integration/main.sh index 138439d..9b49138 100755 --- a/tests/integration/main.sh +++ b/tests/integration/main.sh @@ -22,9 +22,13 @@ cp charts/semgr8s/values.yaml charts/semgr8s/values.yaml.bak case $1 in "basic") - # testing basic functionality of all validators + # testing basic functionality basic_integration_test ;; +"basic") + # testing multiple pre-built rules + rules_integration_test + ;; "restore") restore ;; diff --git a/tests/integration/scripts/rules.sh b/tests/integration/scripts/rules.sh new file mode 100644 index 0000000..bf1f7dd --- /dev/null +++ b/tests/integration/scripts/rules.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash +set -euo pipefail + +rules_integration_test() { + create_namespaces + update_with_file "basic" + install "make" + multi_test "rules" + uninstall "make" +} 
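Review bot: The chart's shipped defaults now carry `repository: "{IMAGE}"` and `tag: "{TAG}"`, so anyone running `helm install` from this repository without overriding `deployment.image` gets the literal image reference `{IMAGE}:{TAG}`, which can never be pulled; the placeholders appear to belong to the test harness, not to the published chart. The `cp charts/semgr8s/values.yaml charts/semgr8s/values.yaml.bak` context line in the `tests/integration/main.sh` hunk suggests the harness already rewrites this file at test time, so the committed defaults can stay real: `repository: ghcr.io/sse-secure-systems/semgr8s` and `tag: ""`. Note also that the test case files in this same patch use `"${IMAGE}"`/`"${TAG}"` while this file uses `"{IMAGE}"`/`"{TAG}"`; a single substitution step will expand only one of the two forms, so whichever is kept should be used consistently.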
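Review bot: The added case arm is labelled `"basic")` a second time, so it is unreachable and `rules_integration_test` can never be invoked; the workflow in this patch now passes `"rules"`, which matches neither visible label. The label should be `"rules")`. The `case $1 in` statement continues past the end of the hunk, so verify whether a `*)` fallback exists that would otherwise silently turn the unknown argument into a no-op or a non-zero exit.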
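Review bot: `rules_integration_test` calls `update_with_file "basic"` but then runs `multi_test "rules"`, even though `tests/integration/test_cases/rules.yaml` in this patch carries its own `values:` block; if `update_with_file` takes the values from the named test case file (its definition is not in this patch, so I am inferring), this looks like a copy-paste leftover and should read `update_with_file "rules"`. This file defines only a function, so it is presumably sourced by `main.sh`; in that case `set -euo pipefail` here changes the sourcing shell's options rather than this file's, which is worth either documenting with a comment such as `# sourced by main.sh; shell options apply to the caller` or moving to the entry point.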
diff --git a/tests/integration/test_cases/basic.yaml b/tests/integration/test_cases/basic.yaml index 7c088ee..8dccf3c 100644 --- a/tests/integration/test_cases/basic.yaml +++ b/tests/integration/test_cases/basic.yaml @@ -11,17 +11,9 @@ testCases: ref: 40_nosc_pod namespace: validatedns expected_msg: rules.allow-privilege-escalation-no-securitycontext -- id: b-03 - txt: Testing non-compliant privileged pod... - type: k8s-yaml - ref: 41_privileged_pod - namespace: validatedns - expected_msg: rules.privileged-container -- id: b-04 - txt: Testing non-compliant pod w/ access to host network... - type: k8s-yaml - ref: 42_hostnetwork_pod - namespace: validatedns - expected_msg: rules.hostnetwork-pod -values: {} +values: + deployment: + image: + repository: "${IMAGE}" + tag: "${TAG}" diff --git a/tests/integration/test_cases/rules.yaml b/tests/integration/test_cases/rules.yaml new file mode 100644 index 0000000..fafd7a0 --- /dev/null +++ b/tests/integration/test_cases/rules.yaml @@ -0,0 +1,31 @@ +testCases: +- id: r-01 + txt: Testing compliant pod... + type: k8s-yaml + ref: 20_compliant_pod + namespace: validatedns + expected_msg: pod/compliant-pod created +- id: r-02 + txt: Testing non-compliant pod w/o securityContext... + type: k8s-yaml + ref: 40_nosc_pod + namespace: validatedns + expected_msg: rules.allow-privilege-escalation-no-securitycontext +- id: r-03 + txt: Testing non-compliant privileged pod... + type: k8s-yaml + ref: 41_privileged_pod + namespace: validatedns + expected_msg: rules.privileged-container +- id: r-04 + txt: Testing non-compliant pod w/ access to host network... + type: k8s-yaml + ref: 42_hostnetwork_pod + namespace: validatedns + expected_msg: rules.hostnetwork-pod + +values: + deployment: + image: + repository: "${IMAGE}" + tag: "${TAG}"
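Review bot: The new `values:` block (`deployment.image.repository: "${IMAGE}"`, `tag: "${TAG}"`) is repeated verbatim in `tests/integration/test_cases/rules.yaml` in this same patch, and every future test case file will need the same copy; if the harness supports it, applying the image override once in the runner and leaving per-case `values:` for case-specific settings would avoid drift between the files. The `testCases` list this hunk edits begins before the hunk, so the remaining `b-01`/`b-02` entries are not fully visible here.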
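Review bot: Case `r-02` (`ref: 40_nosc_pod`, `expected_msg: rules.allow-privilege-escalation-no-securitycontext`) is the same check that remains in `basic.yaml` as the retained context of its hunk, so it now runs in both suites and adds runtime without extra coverage. If `rules.yaml` is meant to be the exhaustive rule suite that is fine, but then a one-line comment above `testCases:` saying so, e.g. `# full pre-built rule coverage; basic.yaml keeps only a smoke subset`, would stop the next reader from deleting the duplicate from the wrong file. Whether `r-01` also duplicates a basic case cannot be told from the visible lines.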