added integration tests

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

fixes

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

fix helm path

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

revert run steps

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

removed ownerrefs

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

run background

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

run background

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

added time

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

added further tests

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

.github/workflows/pr-checks.yaml

@@ -97,3 +97,52 @@ jobs:
       - name: Build image
         working-directory: ./pkg/adapter/${{ matrix.adapters }}
         run: make docker-build
+
+  chainsaw-tests:
+    runs-on: ubuntu-latest
+    steps:
+        - name: Checkout
+          uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+        - name: Install helm
+          id: helm
+          uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+          with:
+            token: ${{ secrets.GITHUB_TOKEN }}
+
+
+
+        - name: Install go
+          uses: actions/setup-go@v5
+          with:
+            go-version: '1.21' # The Go version to download (if necessary) and use.
+
+
+
+        - name: Install chainsaw
+          uses: kyverno/action-install-chainsaw@8307cf9038333ce168dd4339ae24f9ab16ab7a00 # v0.1.4
+
+
+        - name: Create k8s Kind Cluster
+          uses: helm/kind-action@v1
+          with:
+            cluster_name: testing
+
+
+        - name: Build image and load in the kind cluster
+          run: |
+            make docker-build
+            kind load docker-image 5gsec/nimbus:latest --name=testing
+
+        - name: Install Nimbus
+          run: |
+            helm upgrade --install nimbus-operator deployments/nimbus -n nimbus --create-namespace --set image.pullPolicy=Never
+
+        - name: Wait for Nimbus to start
+          run: |
+            kubectl wait --for=condition=ready --timeout=5m -n nimbus pod -l app.kubernetes.io/name=nimbus
+            kubectl get pods -A
+          
+        - name: Run Tests
+          run: |
+            chainsaw test --test-dir=tests/controllers/  --config tests/chainsaw-config.yaml

tests/chainsaw-config.yaml

@@ -0,0 +1,6 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Configuration
+metadata:
+  name: configuration
+spec:
+  parallel: 1

tests/controllers/np-creation/README.md

@@ -0,0 +1,7 @@
+# Description
+
+This test ensures the creation of nimbus-policy and assert the status subresources of SecurityIntent and SecurityIntentBinding.
+
+# Expected Behaviour
+
+Upon creation of SecurityIntent and SecurityIntentBinding the NimbusPolicy should get created. Furthermore the SecurityIntent subresource should contain the id and action field and SecurityIntentBinding status subresource reflects the number and names of bound intents, along with the generated NimbusPolicy name.

tests/controllers/np-creation/chainsaw-test.yaml

@@ -0,0 +1,52 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: np-creation
+spec:
+  timeouts:
+    assert: 10s
+  steps:
+  - name: 01-Create-Resources-Assert-NP
+    try:
+    - apply:
+        file: ../../../examples/namespaced/dns-manipulation-si-sib.yaml
+    - assert:
+        file: ../../../examples/namespaced/dns-manipulation-si-sib.yaml
+    - assert:
+        file: nimbus-policy.yaml
+
+  - name: 02-Assert-SI-Status(action)
+    try:
+      - script:
+          content: kubectl get si -n $NAMESPACE dns-manipulation -o=jsonpath='{.status.action}'
+          check: 
+            (contains($stdout, 'Block')): true
+
+  - name: 03-Assert-SI-Status(id)
+    try:
+      - script:
+          content: kubectl get si -n $NAMESPACE dns-manipulation -o=jsonpath='{.status.id}'
+          check: 
+            (contains($stdout, 'dnsManipulation')): true
+
+  - name: 04-Assert-SIB-Status(No. of Bound Intents)
+    try:
+      - script:
+          content: kubectl get sib -n $NAMESPACE dns-manipulation-binding -o=jsonpath='{.status.numberOfBoundIntents}'
+          check: 
+            (contains($stdout, '1')): true
+
+  - name: 05-Assert-SIB-Status(Bound Intents)
+    try:
+      - script:
+          content: kubectl get sib -n $NAMESPACE dns-manipulation-binding -o=jsonpath='{.status.boundIntents}'
+          check: 
+            (contains($stdout, 'dns-manipulation')): true
+
+  - name: 06-Assert-SIB-Status(NimbusPolicy)
+    try:
+      - script:
+          content: kubectl get sib -n $NAMESPACE dns-manipulation-binding -o=jsonpath='{.status.nimbusPolicy}'
+          check: 
+            (contains($stdout, 'dns-manipulation-binding')): true
+

tests/controllers/np-creation/nimbus-policy.yaml

@@ -0,0 +1,20 @@
+apiVersion: intent.security.nimbus.com/v1
+kind: NimbusPolicy
+metadata:
+  name: dns-manipulation-binding
+  ownerReferences:
+   - apiVersion: intent.security.nimbus.com/v1
+     blockOwnerDeletion: true
+     controller: true
+     kind: SecurityIntentBinding
+     name: dns-manipulation-binding
+spec:
+   rules:
+   - description: An adversary can manipulate DNS requests to redirect network traffic
+       and potentially reveal end user activity.
+     id: dnsManipulation
+     rule:
+       action: Block
+   selector:
+     matchLabels:
+       app: nginx

tests/controllers/np-updation/README.md

@@ -0,0 +1,7 @@
+# Description
+
+This test ensures the persistant nature of nimbus-policy.
+
+# Expected Behaviour
+
+On updation of NimbusPolicy the policy by modifying the value of the key in .spec.selector.matchLablels.app the policy should get reverted back to its original state.

tests/controllers/np-updation/chainsaw-test.yaml

@@ -0,0 +1,25 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: np-updation
+spec:
+  timeouts:
+    assert: 10s
+  steps:
+
+  - name: step-01 
+    try:
+      - apply:
+          file: ../../../examples/namespaced/dns-manipulation-si-sib.yaml
+      - assert:
+          file: ../../../examples/namespaced/dns-manipulation-si-sib.yaml
+  - name: step-02
+    try:
+      - apply:
+          file: updated-nimbus-policy.yaml
+  - name: step-03
+    try:
+      - script:
+          content: kubectl get np -n $NAMESPACE dns-manipulation-binding -o=jsonpath='{.spec.selector.matchLabels.app}'
+          check: 
+            (contains($stdout, 'frontend')): false

tests/controllers/np-updation/updated-nimbus-policy.yaml

@@ -0,0 +1,14 @@
+apiVersion: intent.security.nimbus.com/v1
+kind: NimbusPolicy
+metadata:
+  name: dns-manipulation-binding
+spec:
+   rules:
+   - description: An adversary can manipulate DNS requests to redirect network traffic
+       and potentially reveal end user activity.
+     id: dnsManipulation
+     rule:
+       action: Block
+   selector:
+     matchLabels:
+       app: frontend

tests/controllers/sib-deletion/README.md

@@ -0,0 +1,7 @@
+# Description
+
+This test ensures that NimbusPolicy is tightly coupled with SecurityIntentBinding.
+
+# Expected Behaviour
+
+On deletion of SecurityIntentBinding, NimbusPolicy should automatically get deleted.

tests/controllers/sib-deletion/chainsaw-test.yaml

@@ -0,0 +1,44 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: sib-deletion
+spec:
+  timeouts:
+    assert: 10s
+  steps:
+  - name: 01-Create-Resources
+    try:
+      - apply:
+          file: ../../../examples/namespaced/dns-manipulation-si-sib.yaml
+      - assert:
+          file: ../../../examples/namespaced/dns-manipulation-si-sib.yaml
+  - name: 02-Delete-SIB
+    try:
+      # - delete:
+      #     ref:
+      #       apiVersion: intent.security.nimbus.com/v1
+      #       kind: SecurityIntentBinding
+      #       name: dns-manipulation-binding
+      #     expect:
+      #     - match:
+      #         apiVersion: intent.security.nimbus.com/v1
+      #         kind: SecurityIntentBinding
+      #         name: dns-manipulation-binding
+      #       check:
+      #         ($error != null): true
+      - script:
+          content: kubectl delete sib dns-manipulation-binding -n $NAMESPACE
+
+  - name: step-03
+    try:
+    - sleep:
+        duration: 5s
+
+  - name: 04-Assert-NP-Deletion
+    try:
+      - script:
+          content: kubectl get np -n $NAMESPACE dns-manipulation-binding
+          check: 
+            ($error != null): true
+
+

tests/controllers/sib-updation/README.md

@@ -0,0 +1,7 @@
+# Description
+
+This test ensures that the change in SecurityIntentBinding by should get reflected in NimbusPolicy.
+
+# Expected Behaviour
+
+On updation of SecurityIntentBinding by updating the selector value, the corresponding selector in the NimbusPolicy should get updated.

tests/controllers/sib-updation/chainsaw-test.yaml

@@ -0,0 +1,28 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: sib-updation
+spec:
+  timeouts:
+    assert: 10s
+  steps:
+  - name: 01-Create-Resources 
+    try:
+      - apply:
+          file: ../../../examples/namespaced/dns-manipulation-si-sib.yaml
+      - assert:
+          file: ../../../examples/namespaced/dns-manipulation-si-sib.yaml
+  - name: 02-Update-SIB
+    try:
+      - apply:
+          file: updated-sib.yaml
+      - assert:
+          file: updated-sib.yaml 
+  - name: 03-Assert-NP
+    try:
+      - script:
+          content: kubectl get np -n $NAMESPACE dns-manipulation-binding -o=jsonpath='{.spec.selector.matchLabels.app}'
+          check: 
+            (contains($stdout, 'frontend')): true
+
+

tests/controllers/sib-updation/updated-sib.yaml

@@ -0,0 +1,14 @@
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntentBinding
+metadata:
+  name: dns-manipulation-binding
+spec:
+  intents:
+    - name: dns-manipulation
+  selector:
+    any:
+      - resources:
+          kind: Pod
+          namespace: default
+          matchLabels:
+            app: frontend