test: add chainsaw tests (#438)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

.circleci/config.yml

@@ -15,7 +15,8 @@ references:
         sha256sum vault_1.13.2_linux_amd64.zip | grep f7930279de8381de7c532164b4a4408895d9606c0d24e2e9d2f9acb5dfe99b3c
         unzip vault_1.13.2_linux_amd64.zip
         mv vault /usr/bin/vault
-  e2e_configuration: &e2e_configuration
+
+  chainsaw_configuration: &chainsaw_configuration
     pre_script: e2e/pre.sh
     script: e2e/test.sh
     command_runner_image: quay.io/reactiveops/ci-images:v13-buster
@@ -99,15 +100,16 @@ workflows:
       - rok8s/kubernetes_e2e_tests:
           name: "End-To-End Kubernetes 1.23"
           kind_node_image: "kindest/node:v1.23.13@sha256:ef453bb7c79f0e3caba88d2067d4196f427794086a7d0df8df4f019d5e336b61"
-          <<: *e2e_configuration
+          <<: *chainsaw_configuration
       - rok8s/kubernetes_e2e_tests:
           name: "End-To-End Kubernetes 1.24"
           kind_node_image: "kindest/node:v1.24.7@sha256:577c630ce8e509131eab1aea12c022190978dd2f745aac5eb1fe65c0807eb315"
-          <<: *e2e_configuration
+          <<: *chainsaw_configuration
       - rok8s/kubernetes_e2e_tests:
           name: "End-To-End Kubernetes 1.25"
           kind_node_image: "kindest/node:v1.25.3@sha256:f52781bc0d7a19fb6c405c2af83abfeb311f130707a0e219175677e366cc45d1"
-          <<: *e2e_configuration
+          <<: *chainsaw_configuration
+
   release:
     jobs:
       - build_and_release:

e2e/chainsaw/.chainsaw.yaml

@@ -0,0 +1,10 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/configuration-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Configuration
+metadata:
+  name: congiguration
+spec:
+  parallel: 1
+  fullName: true
+  failFast: false
+  delayBeforeCleanup: 3s

e2e/chainsaw/cluster-role-bindings/chainsaw-test.yaml

@@ -0,0 +1,12 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: clusterrolebindings
+spec:
+  steps:
+  - try:
+    - apply:
+        file: resources.yaml
+    - assert:
+        file: expected.yaml

e2e/chainsaw/cluster-role-bindings/expected.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    rbac-manager: reactiveops
+  ownerReferences:
+  - apiVersion: rbacmanager.reactiveops.io/v1beta1
+    kind: RBACDefinition
+    name: rbac-manager-definition
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: test-rbac-manager
+subjects:
+- kind: ServiceAccount
+  name: test-rbac-manager
+  namespace: rbac-manager

e2e/rbacdefinition/cluterrolebindings/setup.sh → e2e/chainsaw/cluster-role-bindings/resources.yaml

@@ -1,6 +1,3 @@
-kubectl create clusterrole test-rbac-manager --verb="create" --resource=deployment
-
-cat <<EOF | kubectl create -f -
 apiVersion: rbacmanager.reactiveops.io/v1beta1
 kind: RBACDefinition
 metadata:
@@ -13,4 +10,3 @@ rbacBindings:
         namespace: rbac-manager
     clusterRoleBindings:
       - clusterRole: test-rbac-manager
-EOF

e2e/chainsaw/deleted/chainsaw-test.yaml

@@ -0,0 +1,22 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: clusterrolebindings
+spec:
+  steps:
+  - description: setup rbac definition, make sure expected resources are created
+    try:
+    - apply:
+        file: resources.yaml
+    - assert:
+        file: expected.yaml
+  - description: delete rbac definition, make sure previously created resources are deleted
+    try:
+    - delete:
+        ref:
+          apiVersion: rbacmanager.reactiveops.io/v1beta1
+          kind: RBACDefinition
+          name: rbac-manager-definition
+    - error:
+        file: expected.yaml

e2e/chainsaw/deleted/expected.yaml

@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    rbac-manager: reactiveops
+  ownerReferences:
+  - apiVersion: rbacmanager.reactiveops.io/v1beta1
+    kind: RBACDefinition
+    name: rbac-manager-definition
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: test-rbac-manager
+subjects:
+- kind: ServiceAccount
+  name: test-rbac-manager
+  namespace: rbac-manager

e2e/chainsaw/deleted/resources.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbacmanager.reactiveops.io/v1beta1
+kind: RBACDefinition
+metadata:
+  name: rbac-manager-definition
+rbacBindings:
+  - name: admins
+    subjects:
+      - kind: ServiceAccount
+        name: test-rbac-manager
+        namespace: rbac-manager
+    clusterRoleBindings:
+      - clusterRole: test-rbac-manager

e2e/chainsaw/service-accounts/chainsaw-test.yaml

@@ -0,0 +1,12 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: clusterrolebindings
+spec:
+  steps:
+  - try:
+    - apply:
+        file: resources.yaml
+    - assert:
+        file: expected.yaml

e2e/chainsaw/service-accounts/expected.yaml

@@ -0,0 +1,33 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    rbac-manager: reactiveops
+  ownerReferences:
+  - apiVersion: rbacmanager.reactiveops.io/v1beta1
+    kind: RBACDefinition
+    name: rbac-manager-definition-1
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: test-rbac-manager
+subjects:
+- kind: ServiceAccount
+  name: test-rbac-manager
+  namespace: rbac-manager
+---
+apiVersion: v1
+kind: ServiceAccount
+imagePullSecrets:
+- name: robot-secret
+metadata:
+  annotations:
+    rbacmanager.reactiveops.io/managed-pull-secrets: robot-secret
+  labels:
+    rbac-manager: reactiveops
+  name: test-rbac-manager
+  namespace: rbac-manager
+  ownerReferences:
+  - apiVersion: rbacmanager.reactiveops.io/v1beta1
+    kind: RBACDefinition
+    name: rbac-manager-definition-1

e2e/rbacdefinition/serviceaccounts/setup.sh → e2e/chainsaw/service-accounts/resources.yaml

@@ -1,6 +1,3 @@
-kubectl create clusterrole test-rbac-manager --verb="create" --resource=deployment
-
-cat <<EOF | kubectl create -f -
 apiVersion: rbacmanager.reactiveops.io/v1beta1
 kind: RBACDefinition
 metadata:
@@ -15,4 +12,3 @@ rbacBindings:
           - robot-secret
     clusterRoleBindings:
       - clusterRole: test-rbac-manager
-EOF

e2e/pre.sh

@@ -32,4 +32,4 @@ yq -i '.spec.template.spec.containers[0].imagePullPolicy = "IfNotPresent"' deplo
 cat deploy/3_deployment.yaml
 
 docker cp deploy e2e-command-runner:/
-docker cp e2e/rbacdefinition e2e-command-runner:/
+docker cp e2e/chainsaw e2e-command-runner:/

e2e/test.sh

@@ -20,7 +20,21 @@ printf "\n\n"
 kubectl apply -f deploy/
 kubectl -n rbac-manager wait deployment/rbac-manager --timeout=120s --for condition=available
 
-bash "$BASE_DIR/rbacdefinition/run.sh"
+printf "\n\n"
+echo "********************************************************************"
+echo "** Install and run Chainsaw **"
+echo "********************************************************************"
+printf "\n\n"
+
+cd "$BASE_DIR/chainsaw"
+
+curl -sL https://github.com/kyverno/chainsaw/releases/download/v0.1.0/chainsaw_linux_amd64.tar.gz -o linux_amd64.tar.gz
+tar -xvf linux_amd64.tar.gz chainsaw
+rm linux_amd64.tar.gz
+chmod +x chainsaw
+
+./chainsaw test
+
 if [ $? -ne 0 ]; then
   exit 1
 fi