diff --git a/test/e2e/case10_kind_field_test.go b/test/e2e/case10_kind_field_test.go deleted file mode 100644 index a8b22356..00000000 --- a/test/e2e/case10_kind_field_test.go +++ /dev/null @@ -1,73 +0,0 @@ -// Copyright (c) 2020 Red Hat, Inc. -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -const ( - case10ConfigPolicyNamePod string = "policy-pod-c10-create" - case10ConfigPolicyNameCheck string = "policy-kind-labels" - case10ConfigPolicyNameFail string = "policy-kind-labels-fail" - case10PolicyYamlPod string = "../resources/case10_kind_field/case10_pod_create.yaml" - case10PolicyYamlCheck string = "../resources/case10_kind_field/case10_kind_check.yaml" - case10PolicyYamlFail string = "../resources/case10_kind_field/case10_kind_fail.yaml" -) - -var _ = Describe("Test pod obj template handling", func() { - Describe("Create a pod policy on managed cluster in ns:"+testNamespace, func() { - It("should create a policy properly on the managed cluster", func() { - By("Creating " + case10ConfigPolicyNamePod + " on managed") - utils.Kubectl("apply", "-f", case10PolicyYamlPod, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case10ConfigPolicyNamePod, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case10ConfigPolicyNamePod, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("should check annotations of all pods", func() { - By("Creating " + case10ConfigPolicyNameCheck + " on managed") - utils.Kubectl("apply", "-f", case10PolicyYamlCheck, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case10ConfigPolicyNameCheck, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case10ConfigPolicyNameCheck, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("should return noncompliant if no pods match annotations", func() { - By("Creating " + case10ConfigPolicyNameFail + " on managed") - utils.Kubectl("apply", "-f", case10PolicyYamlFail, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case10ConfigPolicyNameFail, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case10ConfigPolicyNameFail, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - }) - It("Cleans up", func() { - policies := []string{ - case10ConfigPolicyNamePod, - case10ConfigPolicyNameCheck, - case10ConfigPolicyNameFail, - } - - deleteConfigPolicies(policies) - }) - }) -}) diff --git a/test/e2e/case11_apiserver_config_test.go b/test/e2e/case11_apiserver_config_test.go deleted file mode 100644 index 01ef50d8..00000000 --- a/test/e2e/case11_apiserver_config_test.go +++ /dev/null @@ -1,136 +0,0 @@ -// Copyright (c) 2020 Red Hat, Inc. -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -const ( - etcdEncryptionEnforceName string = "etcd-encryption-enforce" - etcdEncryptionInformName string = "etcd-encryption-inform" - etcdEncryptionEnforceYaml string = "../resources/case11_apiserver_config/etcd_encryption_enforce.yaml" - //nolint:lll - etcdEncryptionEnforceInvalidYaml string = "../resources/case11_apiserver_config/etcd_encryption_enforce_invalid.yaml" - etcdEncryptionInformYaml string = "../resources/case11_apiserver_config/etcd_encryption_inform.yaml" - tlsProfileEnforceName string = "tls-profile-enforce" - tlsProfileInformName string = "tls-profile-inform" - tlsProfileEnforceYaml string = "../resources/case11_apiserver_config/tls_profile_enforce.yaml" - tlsProfileEnforceInvalidYaml string = "../resources/case11_apiserver_config/tls_profile_enforce_invalid.yaml" - tlsProfileInformYaml string = "../resources/case11_apiserver_config/tls_profile_inform.yaml" -) - -var _ = Describe("Test APIServer Config policy", func() { - Describe("Test etcd encryption and tls profile", func() { - It("should be noncompliant for no encryption", func() { - By("Creating " + etcdEncryptionInformYaml + " on managed") - utils.Kubectl("apply", "-f", etcdEncryptionInformYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - etcdEncryptionInformName, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - informPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - etcdEncryptionInformName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(informPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - }) - It("should be noncompliant for invalid encryption", func() { - By("Creating " + etcdEncryptionEnforceInvalidYaml + " on managed") - utils.Kubectl("apply", "-f", etcdEncryptionEnforceInvalidYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - etcdEncryptionEnforceName, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - etcdEncryptionEnforceName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - }) - It("should be compliant for aescbc encryption", func() { - By("Creating " + etcdEncryptionEnforceYaml + " on managed") - utils.Kubectl("apply", "-f", etcdEncryptionEnforceYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - etcdEncryptionEnforceName, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - etcdEncryptionEnforceName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - Eventually(func() interface{} { - informPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - etcdEncryptionInformName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(informPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("should be noncompliant for no tls profile", func() { - By("Creating " + tlsProfileInformYaml + " on managed") - utils.Kubectl("apply", "-f", tlsProfileInformYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - tlsProfileInformName, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - informPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - tlsProfileInformName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(informPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - }) - It("should be noncompliant for invalid tls profile", func() { - By("Creating " + tlsProfileEnforceInvalidYaml + " on managed") - utils.Kubectl("apply", "-f", tlsProfileEnforceInvalidYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - tlsProfileEnforceName, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - tlsProfileEnforceName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - }) - It("should be compliant for intermediate tls profile", func() { - By("Creating " + tlsProfileEnforceYaml + " on managed") - utils.Kubectl("apply", "-f", tlsProfileEnforceYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - tlsProfileEnforceName, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - tlsProfileEnforceName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - Eventually(func() interface{} { - informPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - tlsProfileInformName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(informPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - Eventually(func() interface{} { - informPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - etcdEncryptionInformName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(informPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("Cleans up", func() { - policies := []string{ - etcdEncryptionEnforceName, - etcdEncryptionInformName, - tlsProfileEnforceName, - tlsProfileInformName, - } - - deleteConfigPolicies(policies) - }) - }) -}) diff --git a/test/e2e/case12_list_compare_test.go b/test/e2e/case12_list_compare_test.go deleted file mode 100644 index 301e785a..00000000 --- a/test/e2e/case12_list_compare_test.go +++ /dev/null @@ -1,402 +0,0 @@ -// Copyright (c) 2020 Red Hat, Inc. -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - "time" - - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -const ( - case12ConfigPolicyNameInform string = "policy-pod-mh-listinform" - case12ConfigPolicyNameEnforce string = "policy-pod-create-listinspec" - case12InformYaml string = "../resources/case12_list_compare/case12_pod_inform.yaml" - case12EnforceYaml string = "../resources/case12_list_compare/case12_pod_create.yaml" -) - -const ( - case12ConfigPolicyNameRoleInform string = "policy-role-mh-listinform" - case12ConfigPolicyNameRoleEnforce string = "policy-role-create-listinspec" - case12RoleInformYaml string = "../resources/case12_list_compare/case12_role_inform.yaml" - case12RoleEnforceYaml string = "../resources/case12_list_compare/case12_role_create.yaml" -) - -const ( - case12RoleToPatch string = "topatch-role-configpolicy" - case12RoleToPatchYaml string = "../resources/case12_list_compare/case12_role_create_small.yaml" - case12RolePatchEnforce string = "patch-role-configpolicy" - case12RolePatchEnforceYaml string = "../resources/case12_list_compare/case12_role_patch.yaml" - case12RolePatchInform string = "patch-role-configpolicy-inform" - case12RolePatchInformYaml string = "../resources/case12_list_compare/case12_role_patch_inform.yaml" -) - -const ( - case12OauthCreate string = "policy-idp-create" - case12OauthPatch string = "policy-idp-patch" - case12OauthVerify string = "policy-idp-verify" - case12OauthCreateYaml string = "../resources/case12_list_compare/case12_oauth_create.yaml" - case12OauthPatchYaml string = "../resources/case12_list_compare/case12_oauth_patch.yaml" - case12OauthVerifyYaml string = "../resources/case12_list_compare/case12_oauth_verify.yaml" -) - -const ( - case12SingleItemListCreate string = "policy-htpasswd-single" - case12SingleItemListPatch string = "policy-htpasswd-single" - case12SingleItemListInform string = "policy-htpasswd-single-inform" - case12SingleItemListCreateYaml string = "../resources/case12_list_compare/case12_oauth_single_create.yaml" - case12SingleItemListPatchYaml string = "../resources/case12_list_compare/case12_oauth_single_patch.yaml" - case12SingleItemListInformYaml string = "../resources/case12_list_compare/case12_oauth_single_inform.yaml" -) - -const ( - case12SmallerListExistingCreate string = "policy-htpasswd-less" - case12SmallerListExistingPatch string = "policy-htpasswd-less" - case12SmallerListExistingInform string = "policy-htpasswd-less-inform" - case12SmallerListExistingCreateYaml string = "../resources/case12_list_compare/case12_oauth_less_create.yaml" - case12SmallerListExistingPatchYaml string = "../resources/case12_list_compare/case12_oauth_less_patch.yaml" - case12SmallerListExistingInformYaml string = "../resources/case12_list_compare/case12_oauth_less_inform.yaml" -) - -const ( - case12WhitespaceListCreate string = "policy-pod-whitespace-env" - case12WhitespaceListInform string = "policy-pod-whitespace-env-inform" - case12WhitespaceListCreateYaml string = "../resources/case12_list_compare/case12_whitespace_create.yaml" - case12WhitespaceDeployment string = "envvar-whitespace" -) - -const ( - case12ByteCreate string = "policy-byte-create" - case12ByteCreateYaml string = "../resources/case12_list_compare/case12_byte_create.yaml" - case12ByteInform string = "policy-byte-inform" - case12ByteInformYaml string = "../resources/case12_list_compare/case12_byte_inform.yaml" -) - -var _ = Describe("Test list handling for musthave", func() { - Describe("Create a policy with a nested list on managed cluster in ns:"+testNamespace, func() { - It("should be created properly on the managed cluster", func() { - By("Creating " + case12ConfigPolicyNameEnforce + " and " + case12ConfigPolicyNameInform + " on managed") - utils.Kubectl("apply", "-f", case12EnforceYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12ConfigPolicyNameEnforce, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12ConfigPolicyNameEnforce, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - utils.Kubectl("apply", "-f", case12InformYaml, "-n", testNamespace) - plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12ConfigPolicyNameInform, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12ConfigPolicyNameInform, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("Cleans up", func() { - policies := []string{ - case12ConfigPolicyNameInform, - case12ConfigPolicyNameEnforce, - } - - deleteConfigPolicies(policies) - }) - }) - Describe("Create a policy with a list field on managed cluster in ns:"+testNamespace, func() { - It("should be created properly on the managed cluster", func() { - By("Creating " + case12ConfigPolicyNameRoleEnforce + " and " + - case12ConfigPolicyNameRoleInform + " on managed") - utils.Kubectl("apply", "-f", case12RoleEnforceYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12ConfigPolicyNameRoleEnforce, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12ConfigPolicyNameRoleEnforce, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - utils.Kubectl("apply", "-f", case12RoleInformYaml, "-n", testNamespace) - plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12ConfigPolicyNameRoleInform, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12ConfigPolicyNameRoleInform, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - }) - It("Cleans up", func() { - policies := []string{ - case12ConfigPolicyNameRoleInform, - case12ConfigPolicyNameRoleEnforce, - } - - deleteConfigPolicies(policies) - }) - }) - Describe("Create and patch a role on managed cluster in ns:"+testNamespace, func() { - It("should be created properly on the managed cluster", func() { - By("Creating " + case12RoleToPatch + " and " + case12RolePatchEnforce + " on managed") - utils.Kubectl("apply", "-f", case12RoleToPatchYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12RoleToPatch, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12RoleToPatch, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - utils.Kubectl("apply", "-f", case12RolePatchEnforceYaml, "-n", testNamespace) - plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12RolePatchEnforce, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12RolePatchEnforce, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - utils.Kubectl("apply", "-f", case12RolePatchInformYaml, "-n", testNamespace) - plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12RolePatchInform, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12RolePatchInform, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("Cleans up", func() { - policies := []string{ - case12RoleToPatch, - case12RolePatchEnforce, - case12RolePatchInform, - } - - deleteConfigPolicies(policies) - }) - }) - Describe("Create and patch an oauth object on managed cluster in ns:"+testNamespace, func() { - It("should be created properly on the managed cluster", func() { - By("Creating " + case12OauthCreate + " and " + case12OauthPatch + " on managed") - utils.Kubectl("apply", "-f", case12OauthCreateYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12OauthCreate, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12OauthCreate, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - utils.Kubectl("delete", "-f", case12OauthCreateYaml, "-n", testNamespace) - - utils.Kubectl("apply", "-f", case12OauthPatchYaml, "-n", testNamespace) - plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12OauthPatch, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12OauthPatch, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - utils.Kubectl("apply", "-f", case12OauthVerifyYaml, "-n", testNamespace) - plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12OauthVerify, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12OauthVerify, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - - It("should handle lists with just one object properly on the managed cluster", func() { - By("Creating " + case12SingleItemListCreate + " and " + case12SingleItemListPatch + " on managed") - utils.Kubectl("apply", "-f", case12SingleItemListCreateYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12SingleItemListCreate, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12SingleItemListCreate, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - - utils.Kubectl("apply", "-f", case12SingleItemListPatchYaml, "-n", testNamespace) - plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12SingleItemListPatch, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12SingleItemListPatch, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - utils.Kubectl("apply", "-f", case12SingleItemListInformYaml, "-n", testNamespace) - plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12SingleItemListInform, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12SingleItemListInform, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - - It("should handle lists with fewer items in existing than the template", func() { - By("Creating " + case12SmallerListExistingCreate + " and " + case12SmallerListExistingPatch + " on managed") - utils.Kubectl("apply", "-f", case12SmallerListExistingCreateYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12SmallerListExistingCreate, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12SmallerListExistingCreate, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - - utils.Kubectl("apply", "-f", case12SmallerListExistingPatchYaml, "-n", testNamespace) - plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12SmallerListExistingPatch, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12SmallerListExistingPatch, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - utils.Kubectl("apply", "-f", case12SmallerListExistingInformYaml, "-n", testNamespace) - plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12SmallerListExistingInform, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12SmallerListExistingInform, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - - It("Cleans up", func() { - policies := []string{ - case12OauthCreate, - case12OauthPatch, - case12OauthVerify, - case12SingleItemListCreate, - case12SingleItemListPatch, - case12SingleItemListInform, - case12SmallerListExistingCreate, - case12SmallerListExistingPatch, - case12SmallerListExistingInform, - } - - deleteConfigPolicies(policies) - }) - }) - Describe("Create a deployment object with env vars on managed cluster in ns:"+testNamespace, func() { - It("should only add the list item with prefix and suffix whitespace once", func() { - By("Creating " + case12WhitespaceListCreate + " and " + case12WhitespaceListInform + " on managed") - utils.Kubectl("apply", "-f", case12WhitespaceListCreateYaml, "-n", testNamespace) - - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12WhitespaceListCreate, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12WhitespaceListCreate, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - // Ensure it remains compliant for a while - need to ensure there were multiple enforce checks/attempts. - Consistently(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12WhitespaceListCreate, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, time.Second*20, 1).Should(Equal("Compliant")) - - // Verify that the container list and its environment variable list is correct (there are no duplicates) - deploy := utils.GetWithTimeout(clientManagedDynamic, gvrDeployment, - case12WhitespaceDeployment, "default", true, defaultTimeoutSeconds) - Expect(deploy).NotTo(BeNil()) - //nolint:forcetypeassert - tmpl := deploy.Object["spec"].(map[string]interface{})["template"].(map[string]interface{}) - //nolint:forcetypeassert - containers := tmpl["spec"].(map[string]interface{})["containers"].([]interface{}) - Expect(len(containers)).To(Equal(1)) - //nolint:forcetypeassert - envvars := containers[0].(map[string]interface{})["env"].([]interface{}) - Expect(len(envvars)).To(Equal(1)) - }) - - It("Cleans up", func() { - policies := []string{ - case12WhitespaceListCreate, - case12WhitespaceListInform, - } - - deleteConfigPolicies(policies) - }) - }) - Describe("Create a statefulset object with a byte quantity field on managed cluster in ns:"+testNamespace, func() { - It("should only add the list item with the rounded byte value once", func() { - By("Creating " + case12ByteCreate + " and " + case12ByteInform + " on managed") - utils.Kubectl("apply", "-f", case12ByteCreateYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12ByteCreate, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12ByteCreate, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - // Ensure it remains compliant for a while - need to ensure there were multiple enforce checks/attempts. - Consistently(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12ByteCreate, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, time.Second*20, 1).Should(Equal("Compliant")) - - // Verify that the container list and its environment variable list is correct (there are no duplicates) - utils.Kubectl("apply", "-f", case12ByteInformYaml, "-n", testNamespace) - plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12ByteInform, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case12ByteInform, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - - It("Cleans up", func() { - policies := []string{ - case12ByteCreate, - case12ByteInform, - } - - deleteConfigPolicies(policies) - }) - }) -}) diff --git a/test/e2e/case14_selection_test.go b/test/e2e/case14_selection_test.go deleted file mode 100644 index 680a57d1..00000000 --- a/test/e2e/case14_selection_test.go +++ /dev/null @@ -1,269 +0,0 @@ -// Copyright (c) 2020 Red Hat, Inc. -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - "context" - "time" - - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -const ( - case14LimitRangeFile string = "../resources/case14_namespaces/case14_limitrange.yaml" - case14LimitRangeName string = "container-mem-limit-range" -) - -var _ = Describe("Test policy compliance with namespace selection", Ordered, func() { - checkRelated := func(policy *unstructured.Unstructured) []interface{} { - related, _, err := unstructured.NestedSlice(policy.Object, "status", "relatedObjects") - if err != nil { - panic(err) - } - - return related - } - - testNamespaces := []string{"range1", "range2"} - newNs := "range3" - policyTests := []struct { - name string - yamlFile string - hasObjName bool - }{ - { - "policy-named-limitrange", - "../resources/case14_namespaces/case14_limitrange_named.yaml", - true, - }, - { - "policy-unnamed-limitrange", - "../resources/case14_namespaces/case14_limitrange_unnamed.yaml", - false, - }, - } - - BeforeAll(func() { - By("Create Namespaces if needed") - namespaces := clientManaged.CoreV1().Namespaces() - for _, ns := range testNamespaces { - if _, err := namespaces.Get(context.TODO(), ns, metav1.GetOptions{}); err != nil && errors.IsNotFound(err) { - Expect(namespaces.Create(context.TODO(), &corev1.Namespace{ - ObjectMeta: metav1.ObjectMeta{ - Name: ns, - }, - }, metav1.CreateOptions{})).NotTo(BeNil()) - } - Expect(namespaces.Get(context.TODO(), ns, metav1.GetOptions{})).NotTo(BeNil()) - } - }) - - AfterAll(func() { - for _, policy := range policyTests { - By("Deleting " + policy.name + " on managed") - utils.Kubectl("delete", "-f", policy.yamlFile, "-n", testNamespace) - } - for _, ns := range testNamespaces { - By("Deleting " + case14LimitRangeName + " on " + ns) - utils.Kubectl("delete", "-f", case14LimitRangeFile, "-n", ns) - } - for _, ns := range append(testNamespaces, newNs) { - By("Deleting namespace " + ns) - utils.Kubectl("delete", "namespace", ns, "--ignore-not-found") - } - }) - - It("should create the policy on managed cluster in ns "+testNamespace, func() { - for _, policy := range policyTests { - By("Creating " + policy.name + " on managed") - utils.Kubectl("apply", "-f", policy.yamlFile, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - policy.name, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - By("Checking that " + policy.name + " is NonCompliant") - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - policy.name, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - } - }) - - It("should stay noncompliant when limitrange is in one matching namespace", func() { - By("Creating limitrange " + case14LimitRangeName + " on range1") - utils.Kubectl("apply", "-f", case14LimitRangeFile, "-n", "range1") - for _, policy := range policyTests { - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - policy.name, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - policy.name, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - Consistently(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - policy.name, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, time.Second*20, 1).Should(Equal("NonCompliant")) - } - }) - - It("should be compliant with limitrange in all matching namespaces", func() { - By("Creating " + case14LimitRangeName + " on range2") - utils.Kubectl("apply", "-f", case14LimitRangeFile, "-n", "range2") - for _, policy := range policyTests { - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - policy.name, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - policy.name, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - } - }) - - It("should be noncompliant after adding new matching namespace", func() { - By("Creating namespace " + newNs) - namespaces := clientManaged.CoreV1().Namespaces() - Expect(namespaces.Create(context.TODO(), &corev1.Namespace{ - ObjectMeta: metav1.ObjectMeta{ - Name: newNs, - }, - }, metav1.CreateOptions{})).NotTo(BeNil()) - Expect(namespaces.Get(context.TODO(), newNs, metav1.GetOptions{})).NotTo(BeNil()) - for _, policy := range policyTests { - By("Checking that " + policy.name + " is NonCompliant") - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - policy.name, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - Consistently(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - policy.name, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, time.Second*20, 1).Should(Equal("NonCompliant")) - By("Checking that " + policy.name + " has the correct relatedObjects") - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - policy.name, testNamespace, true, defaultTimeoutSeconds) - // If an object name is specified in the policy, related objects match those in the template. - // If an object name is not specified in the policy, related objects match those in the - // cluster as this is not enforceable. - if policy.hasObjName { - Expect(len(checkRelated(plc))).Should(Equal(len(testNamespaces) + 1)) - } else { - Expect(len(checkRelated(plc))).Should(Equal(len(testNamespaces))) - } - } - }) - - It("should update relatedObjects after enforcing the policy", func() { - for _, policy := range policyTests { - By("Patching " + policy.name + " to enforce") - utils.Kubectl("patch", "configurationpolicy", policy.name, `--type=json`, - `-p=[{"op":"replace","path":"/spec/remediationAction","value":"enforce"}]`, "-n", testNamespace) - By("Checking that " + policy.name + " is Compliant") - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - policy.name, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - By("Checking that " + policy.name + " has the correct relatedObjects") - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - policy.name, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Expect(len(checkRelated(plc))).Should(Equal(len(testNamespaces) + 1)) - } - }) - - It("should update relatedObjects after updating the namespaceSelector to fewer namespaces", func() { - for _, policy := range policyTests { - By("Patching the " + policy.name + " namespaceSelector to reduce the namespaces") - utils.Kubectl("patch", "configurationpolicy", policy.name, `--type=json`, - `-p=[{"op":"replace","path":"/spec/namespaceSelector/include","value":["range[2-3]"]}]`, - "-n", testNamespace) - By("Checking that " + policy.name + " is Compliant") - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - policy.name, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - By("Checking that " + policy.name + " has the correct relatedObjects") - Eventually(func() int { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - policy.name, testNamespace, true, defaultTimeoutSeconds) - - return len(checkRelated(managedPlc)) - }, defaultTimeoutSeconds, 1).Should(Equal(len(testNamespaces))) - } - }) - - It("should update relatedObjects after restoring the namespaceSelector", func() { - for _, policy := range policyTests { - By("Restoring the " + policy.name + " namespaceSelector") - utils.Kubectl("apply", "-f", policy.yamlFile, "-n", testNamespace) - By("Checking that " + policy.name + " is Compliant") - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - policy.name, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - By("Checking that " + policy.name + " has the correct relatedObjects") - Eventually(func() int { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - policy.name, testNamespace, true, defaultTimeoutSeconds) - - return len(checkRelated(managedPlc)) - }, defaultTimeoutSeconds, 1).Should(Equal(len(testNamespaces) + 1)) - } - }) - - It("should update relatedObjects after deleting a namespace", func() { - By("Deleting namespace " + newNs) - namespaces := clientManaged.CoreV1().Namespaces() - Expect(namespaces.Delete(context.TODO(), newNs, metav1.DeleteOptions{})).To(BeNil()) - Eventually(func() bool { - _, err := namespaces.Get(context.TODO(), newNs, metav1.GetOptions{}) - - return errors.IsNotFound(err) - }, defaultTimeoutSeconds, 1).Should(BeTrue()) - for _, policy := range policyTests { - By("Checking that " + policy.name + " is Compliant") - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - policy.name, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - policy.name, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - By("Checking that " + policy.name + " has the correct relatedObjects") - Eventually(func() int { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - policy.name, testNamespace, true, defaultTimeoutSeconds) - - return len(checkRelated(managedPlc)) - }, defaultTimeoutSeconds, 1).Should(Equal(len(testNamespaces))) - } - }) -}) diff --git a/test/e2e/case15_event_format_test.go b/test/e2e/case15_event_format_test.go deleted file mode 100644 index d6e66ad9..00000000 --- a/test/e2e/case15_event_format_test.go +++ /dev/null @@ -1,250 +0,0 @@ -// Copyright (c) 2021 Red Hat, Inc. -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - "context" - - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - k8serrors "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -const ( - case15AlwaysCompliantParentYaml = "../resources/case15_event_format/case15_parent_alwayscompliant.yaml" - case15AlwaysCompliantParentName = "parent-alwayscompliant" - case15AlwaysCompliantYaml = "../resources/case15_event_format/case15_mnh_pod_alwayscompliant.yaml" - case15AlwaysCompliantName = "mnh-pod-alwayscompliant" - case15NeverCompliantYaml = "../resources/case15_event_format/case15_mh_pod_nevercompliant.yaml" - case15NeverCompliantName = "mh-pod-nevercompliant" - case15NeverCompliantParentYaml = "../resources/case15_event_format/case15_parent_nevercompliant.yaml" - case15NeverCompliantParentName = "parent-nevercompliant" - case15BecomesCompliantYaml = "../resources/case15_event_format/case15_mh_pod_becomescompliant.yaml" - case15BecomesCompliantName = "mh-pod-becomescompliant" - case15BecomesCompliantParentYaml = "../resources/case15_event_format/case15_parent_becomescompliant.yaml" - case15BecomesCompliantParentName = "parent-becomescompliant" - case15BecomesNonCompliantYaml = "../resources/case15_event_format/case15_mnh_pod_becomesnoncompliant.yaml" - case15BecomesNonCompliantName = "mnh-pod-becomesnoncompliant" - case15BecomesNonCompliantParentYaml = "../resources/case15_event_format/case15_parent_becomesnoncompliant.yaml" - case15BecomesNonCompliantParentName = "parent-becomesnoncompliant" - case15PodForNonComplianceYaml = "../resources/case15_event_format/case15_becomesnoncompliant_pod.yaml" -) - -var _ = Describe("Testing compliance event formatting", func() { - It("Records the right events for a policy that is always compliant", func() { - By("Creating parent policy " + case15AlwaysCompliantParentName + " on " + testNamespace) - utils.Kubectl("apply", "-f", case15AlwaysCompliantParentYaml, "-n", testNamespace) - parent := utils.GetWithTimeout(clientManagedDynamic, gvrPolicy, - case15AlwaysCompliantParentName, testNamespace, true, defaultTimeoutSeconds) - Expect(parent).NotTo(BeNil()) - - By("Creating compliant policy " + case15AlwaysCompliantName + " on " + testNamespace + " with parent " + - case15AlwaysCompliantParentName) - plcDef := utils.ParseYaml(case15AlwaysCompliantYaml) - ownerRefs := plcDef.GetOwnerReferences() - ownerRefs[0].UID = parent.GetUID() - plcDef.SetOwnerReferences(ownerRefs) - _, err := clientManagedDynamic.Resource(gvrConfigPolicy).Namespace(testNamespace). - Create(context.TODO(), plcDef, metav1.CreateOptions{}) - Expect(err).To(BeNil()) - - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case15AlwaysCompliantName, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case15AlwaysCompliantName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - - By("Checking events on the configurationpolicy") - compPlcEvents := utils.GetMatchingEvents(clientManaged, testNamespace, - case15AlwaysCompliantName, "", "Policy status is: Compliant", defaultTimeoutSeconds) - Expect(compPlcEvents).NotTo(BeEmpty()) - nonCompPlcEvents := utils.GetMatchingEvents(clientManaged, testNamespace, - case15AlwaysCompliantName, "", "Policy status is: NonCompliant", defaultTimeoutSeconds) - Expect(nonCompPlcEvents).To(BeEmpty()) - - By("Checking events on the parent policy") - compParentEvents := utils.GetMatchingEvents(clientManaged, testNamespace, - case15AlwaysCompliantParentName, "policy: "+testNamespace+"/"+ - case15AlwaysCompliantName, "^Compliant;", defaultTimeoutSeconds) - Expect(compParentEvents).NotTo(BeEmpty()) - nonCompParentEvents := utils.GetMatchingEvents(clientManaged, testNamespace, - case15AlwaysCompliantParentName, "policy: "+testNamespace+"/"+ - case15AlwaysCompliantName, "^NonCompliant;", defaultTimeoutSeconds) - Expect(nonCompParentEvents).To(BeEmpty()) - }) - It("Records the right events for a policy that is never compliant", func() { - By("Creating parent policy " + case15NeverCompliantParentName + " on " + testNamespace) - utils.Kubectl("apply", "-f", case15NeverCompliantParentYaml, "-n", testNamespace) - parent := utils.GetWithTimeout(clientManagedDynamic, gvrPolicy, - case15NeverCompliantParentName, testNamespace, true, defaultTimeoutSeconds) - Expect(parent).NotTo(BeNil()) - - By("Creating noncompliant policy " + case15NeverCompliantName + " on " + testNamespace + " with parent " + - case15NeverCompliantParentName) - plcDef := utils.ParseYaml(case15NeverCompliantYaml) - ownerRefs := plcDef.GetOwnerReferences() - ownerRefs[0].UID = parent.GetUID() - plcDef.SetOwnerReferences(ownerRefs) - _, err := clientManagedDynamic.Resource(gvrConfigPolicy).Namespace(testNamespace). - Create(context.TODO(), plcDef, metav1.CreateOptions{}) - Expect(err).To(BeNil()) - - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case15NeverCompliantName, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case15NeverCompliantName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - - By("Checking events on the configurationpolicy") - compPlcEvents := utils.GetMatchingEvents(clientManaged, testNamespace, - case15NeverCompliantName, "", "Policy status is: Compliant", defaultTimeoutSeconds) - Expect(compPlcEvents).To(BeEmpty()) - nonCompPlcEvents := utils.GetMatchingEvents(clientManaged, testNamespace, - case15NeverCompliantName, "", "Policy status is: NonCompliant", defaultTimeoutSeconds) - Expect(nonCompPlcEvents).NotTo(BeEmpty()) - - By("Checking events on the parent policy") - compParentEvents := utils.GetMatchingEvents(clientManaged, testNamespace, - case15NeverCompliantParentName, "policy: "+testNamespace+"/"+case15NeverCompliantName, - "^Compliant;", defaultTimeoutSeconds) - Expect(compParentEvents).To(BeEmpty()) - nonCompParentEvents := utils.GetMatchingEvents(clientManaged, testNamespace, - case15NeverCompliantParentName, "policy: "+testNamespace+"/"+case15NeverCompliantName, - "^NonCompliant;", defaultTimeoutSeconds) - Expect(nonCompParentEvents).NotTo(BeEmpty()) - }) - It("Records events for a policy that becomes compliant", func() { - By("Creating parent policy " + case15BecomesCompliantParentName + " on " + testNamespace) - utils.Kubectl("apply", "-f", case15BecomesCompliantParentYaml, "-n", testNamespace) - parent := utils.GetWithTimeout(clientManagedDynamic, gvrPolicy, - case15BecomesCompliantParentName, testNamespace, true, defaultTimeoutSeconds) - Expect(parent).NotTo(BeNil()) - - By("Creating noncompliant policy " + case15BecomesCompliantName + " on " + testNamespace + " with parent " + - case15BecomesCompliantParentName) - plcDef := utils.ParseYaml(case15BecomesCompliantYaml) - ownerRefs := plcDef.GetOwnerReferences() - ownerRefs[0].UID = parent.GetUID() - plcDef.SetOwnerReferences(ownerRefs) - _, err := clientManagedDynamic.Resource(gvrConfigPolicy).Namespace(testNamespace). - Create(context.TODO(), plcDef, metav1.CreateOptions{}) - Expect(err).To(BeNil()) - - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case15BecomesCompliantName, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case15BecomesCompliantName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - - By("Enforcing the policy to make it compliant") - utils.Kubectl("patch", "configurationpolicy", case15BecomesCompliantName, `--type=json`, - `-p=[{"op":"replace","path":"/spec/remediationAction","value":"enforce"}]`, "-n", testNamespace) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case15BecomesCompliantName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - - By("Checking for compliant events on the configurationpolicy and the parent policy") - compPlcEvents := utils.GetMatchingEvents(clientManaged, testNamespace, - case15BecomesCompliantName, "", "Policy status is: Compliant", defaultTimeoutSeconds) - Expect(compPlcEvents).NotTo(BeEmpty()) - compParentEvents := utils.GetMatchingEvents(clientManaged, testNamespace, case15BecomesCompliantParentName, - "policy: "+testNamespace+"/"+case15BecomesCompliantName, "^Compliant;", defaultTimeoutSeconds) - Expect(compParentEvents).NotTo(BeEmpty()) - }) - It("Records events for a policy that becomes noncompliant", func() { - By("Creating parent policy " + case15BecomesNonCompliantParentName + " on " + testNamespace) - utils.Kubectl("apply", "-f", case15BecomesNonCompliantParentYaml, "-n", testNamespace) - parent := utils.GetWithTimeout(clientManagedDynamic, gvrPolicy, - case15BecomesNonCompliantParentName, testNamespace, true, defaultTimeoutSeconds) - Expect(parent).NotTo(BeNil()) - - By("Creating compliant policy " + case15BecomesNonCompliantName + " on " + testNamespace + " with parent " + - case15BecomesNonCompliantParentName) - plcDef := utils.ParseYaml(case15BecomesNonCompliantYaml) - ownerRefs := plcDef.GetOwnerReferences() - ownerRefs[0].UID = parent.GetUID() - plcDef.SetOwnerReferences(ownerRefs) - _, err := clientManagedDynamic.Resource(gvrConfigPolicy).Namespace(testNamespace). - Create(context.TODO(), plcDef, metav1.CreateOptions{}) - Expect(err).To(BeNil()) - - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case15BecomesNonCompliantName, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case15BecomesNonCompliantName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - - By("Creating a pod to make it noncompliant") - utils.Kubectl("apply", "-f", case15PodForNonComplianceYaml) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case15BecomesNonCompliantName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - - By("Checking for noncompliant events on the configurationpolicy and the parent policy") - nonCompPlcEvents := utils.GetMatchingEvents(clientManaged, testNamespace, - case15BecomesNonCompliantName, "", "Policy status is: NonCompliant", defaultTimeoutSeconds) - Expect(nonCompPlcEvents).NotTo(BeEmpty()) - nonCompParentEvents := utils.GetMatchingEvents(clientManaged, testNamespace, - case15BecomesNonCompliantParentName, "policy: "+testNamespace+"/"+case15BecomesNonCompliantName, - "^NonCompliant;", defaultTimeoutSeconds) - Expect(nonCompParentEvents).NotTo(BeEmpty()) - }) - It("Cleans up", func() { - policies := []string{ - case15AlwaysCompliantParentName, - case15NeverCompliantParentName, - case15BecomesCompliantParentName, - case15BecomesNonCompliantParentName, - } - for _, policyName := range policies { - err := clientManagedDynamic.Resource(gvrPolicy).Namespace(testNamespace).Delete( - context.TODO(), policyName, metav1.DeleteOptions{}, - ) - if !k8serrors.IsNotFound(err) { - Expect(err).To(BeNil()) - } - } - - configPolicies := []string{ - case15AlwaysCompliantName, - case15NeverCompliantName, - case15BecomesCompliantName, - case15BecomesNonCompliantName, - } - - deleteConfigPolicies(configPolicies) - - utils.Kubectl("delete", "-f", case15PodForNonComplianceYaml) - err := clientManaged.CoreV1().Pods("default").Delete( - context.TODO(), "case15-becomescompliant", metav1.DeleteOptions{}) - if !k8serrors.IsNotFound(err) { - Expect(err).To(BeNil()) - } - }) -}) diff --git a/test/e2e/case16_policy_template_decryption_test.go b/test/e2e/case16_policy_template_decryption_test.go deleted file mode 100644 index 5403a130..00000000 --- a/test/e2e/case16_policy_template_decryption_test.go +++ /dev/null @@ -1,160 +0,0 @@ -// Copyright (c) 2021 Red Hat, Inc. -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -const ( - case16CreatedNamespace = "my-ns" - case16Policy = "../resources/case16_policy_template_decryption/policy.yaml" - case16PolicyDiffKey = "../resources/case16_policy_template_decryption/policy-diff-key.yaml" - case16PolicyDiffKeyName = "policy-namespace-create-diff-key" - case16PolicyInvalidIV = "../resources/case16_policy_template_decryption/policy-invalid-iv.yaml" - case16PolicyInvalidIVName = "policy-namespace-create-invalid-iv" - // Use a separate policy for this which contains an encrypted string that will force the cache to be refreshed - case16PolicyInvalidKey = "../resources/case16_policy_template_decryption/policy-invalid-key.yaml" - case16PolicyInvalidKeyName = "policy-namespace-create-invalid-key" - case16PolicyName = "policy-namespace-create" - case16SecondCreatedNamespace = "my-second-ns" - case16Secret = "../resources/case16_policy_template_decryption/secret.yaml" - case16SecretInvalid = "../resources/case16_policy_template_decryption/secret-invalid.yaml" - case16SecretDiffKey = "../resources/case16_policy_template_decryption/secret-diff-key.yaml" -) - -var _ = Describe("Test policy template decryption", func() { - It("deletes the namespace "+case16CreatedNamespace, func() { - utils.Kubectl("delete", "namespace", case16CreatedNamespace, "--ignore-not-found") - }) - - It("creates the policy-encryption-key secret in "+testNamespace, func() { - utils.Kubectl("apply", "-f", case16Secret, "-n", testNamespace) - }) - - It("creates the policy "+case16PolicyName+" in "+testNamespace, func() { - utils.Kubectl("apply", "-f", case16Policy, "-n", testNamespace) - }) - - It("verifies the policy "+case16PolicyName+" in "+testNamespace, func() { - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout( - clientManagedDynamic, gvrConfigPolicy, case16PolicyName, testNamespace, true, defaultTimeoutSeconds, - ) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - - It("simulates a key rotation", func() { - utils.Kubectl("apply", "-f", case16SecretDiffKey, "-n", testNamespace) - }) - - It("Creates the policy "+case16PolicyDiffKeyName+" in "+testNamespace+" that uses the new key", func() { - utils.Kubectl("apply", "-f", case16PolicyDiffKey, "-n", testNamespace) - }) - - It("verifies the policy "+case16PolicyDiffKeyName+" in "+testNamespace, func() { - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout( - clientManagedDynamic, - gvrConfigPolicy, - case16PolicyDiffKeyName, - testNamespace, - true, - defaultTimeoutSeconds, - ) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - - It("verifies that the policy "+case16PolicyName+" in "+testNamespace+" is still compliant", func() { - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout( - clientManagedDynamic, - gvrConfigPolicy, - case16PolicyName, - testNamespace, - true, - defaultTimeoutSeconds, - ) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - - It("cleans up", func() { - utils.Kubectl("delete", "-f", case16Policy, "-n", testNamespace) - utils.Kubectl("delete", "-f", case16PolicyDiffKey, "-n", testNamespace) - utils.Kubectl("delete", "-f", case16Secret, "-n", testNamespace) - utils.Kubectl("delete", "namespace", case16CreatedNamespace, "--ignore-not-found") - utils.Kubectl("delete", "namespace", case16SecondCreatedNamespace, "--ignore-not-found") - }) -}) - -var _ = Describe("Test policy template decryption with an invalid AES key", func() { - It("creates the invalid policy-encryption-key secret in "+testNamespace, func() { - utils.Kubectl("apply", "-f", case16SecretInvalid, "-n", testNamespace) - }) - - It("creates the policy "+case16PolicyInvalidKeyName+" in "+testNamespace, func() { - utils.Kubectl("apply", "-f", case16PolicyInvalidKey, "-n", testNamespace) - }) - - It("verifies the policy "+case16PolicyInvalidKeyName+" in "+testNamespace+" is noncompliant", func() { - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout( - clientManagedDynamic, - gvrConfigPolicy, - case16PolicyInvalidKeyName, - testNamespace, - true, - defaultTimeoutSeconds, - ) - - return utils.GetStatusMessage(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal(`The "policy-encryption-key" Secret contains an invalid AES key`)) - }) - - It("cleans up", func() { - utils.Kubectl("delete", "-f", case16PolicyInvalidKey, "-n", testNamespace) - utils.Kubectl("delete", "-f", case16Secret, "-n", testNamespace) - }) -}) - -var _ = Describe("Test policy template decryption with an invalid initialization vector", func() { - It("creates the policy-encryption-key secret in "+testNamespace, func() { - utils.Kubectl("apply", "-f", case16Secret, "-n", testNamespace) - }) - - It("creates the policy "+case16PolicyInvalidIVName+" in "+testNamespace, func() { - utils.Kubectl("apply", "-f", case16PolicyInvalidIV, "-n", testNamespace) - }) - - It("verifies the policy "+case16PolicyInvalidIVName+" in "+testNamespace+" is noncompliant", func() { - expected := `The "policy.open-cluster-management.io/encryption-iv" annotation value is not a valid ` + - "initialization vector" - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout( - clientManagedDynamic, - gvrConfigPolicy, - case16PolicyInvalidIVName, - testNamespace, - true, - defaultTimeoutSeconds, - ) - - return utils.GetStatusMessage(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal(expected)) - }) - - It("cleans up", func() { - utils.Kubectl("delete", "-f", case16PolicyInvalidIV, "-n", testNamespace) - utils.Kubectl("delete", "-f", case16Secret, "-n", testNamespace) - }) -}) diff --git a/test/e2e/case17_evaluation_interval_test.go b/test/e2e/case17_evaluation_interval_test.go deleted file mode 100644 index 3952bd90..00000000 --- a/test/e2e/case17_evaluation_interval_test.go +++ /dev/null @@ -1,188 +0,0 @@ -// Copyright (c) 2022 Red Hat, Inc. -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - "context" - "strings" - "time" - - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - k8serrors "k8s.io/apimachinery/pkg/api/errors" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -const ( - case17ParentPolicyName = "parent-policy-c17-create-ns" - case17ParentPolicy = "../resources/case17_evaluation_interval/parent-policy.yaml" - case17Policy = "../resources/case17_evaluation_interval/policy.yaml" - case17PolicyName = "policy-c17-create-ns" - case17PolicyNever = "../resources/case17_evaluation_interval/policy-never-reevaluate.yaml" - case17PolicyNeverName = "policy-c17-create-ns-never" - case17CreatedNamespaceName = "case17-test-never" -) - -var _ = Describe("Test evaluation interval", func() { - It("Verifies that status.lastEvaluated is properly set", func() { - By("Creating the parent policy " + case17ParentPolicyName + " on the managed cluster") - utils.Kubectl("apply", "-f", case17ParentPolicy, "-n", testNamespace) - parent := utils.GetWithTimeout(clientManagedDynamic, - gvrPolicy, - case17ParentPolicyName, - testNamespace, - true, - defaultTimeoutSeconds, - ) - Expect(parent).NotTo(BeNil()) - - By("Creating " + case17PolicyName + " on the managed cluster") - plcDef := utils.ParseYaml(case17Policy) - ownerRefs := plcDef.GetOwnerReferences() - ownerRefs[0].UID = parent.GetUID() - plcDef.SetOwnerReferences(ownerRefs) - _, err := clientManagedDynamic.Resource(gvrConfigPolicy).Namespace(testNamespace).Create( - context.TODO(), plcDef, v1.CreateOptions{}, - ) - Expect(err).To(BeNil()) - - By("Getting status.lastEvaluated") - var managedPlc *unstructured.Unstructured - - Eventually(func() interface{} { - managedPlc = utils.GetWithTimeout( - clientManagedDynamic, gvrConfigPolicy, case17PolicyName, testNamespace, true, defaultTimeoutSeconds, - ) - - lastEvaluated, _ := utils.GetLastEvaluated(managedPlc) - - return lastEvaluated - }, defaultTimeoutSeconds, 1).ShouldNot(Equal("")) - - lastEvaluated, lastEvaluatedGeneration := utils.GetLastEvaluated(managedPlc) - Expect(lastEvaluatedGeneration).To(Equal(managedPlc.GetGeneration())) - - lastEvaluatedParsed, err := time.Parse(time.RFC3339, lastEvaluated) - Expect(err).To(BeNil()) - - By("Waiting for status.lastEvaluated to refresh") - Eventually(func() interface{} { - managedPlc = utils.GetWithTimeout( - clientManagedDynamic, gvrConfigPolicy, case17PolicyName, testNamespace, true, defaultTimeoutSeconds, - ) - - lastEvalRefreshed, _ := utils.GetLastEvaluated(managedPlc) - - return lastEvalRefreshed - }, defaultTimeoutSeconds, 1).ShouldNot(Equal(lastEvaluated)) - - lastEvalRefreshed, lastEvalGenerationRefreshed := utils.GetLastEvaluated(managedPlc) - Expect(lastEvalGenerationRefreshed).To(Equal(lastEvaluatedGeneration)) - - lastEvalRefreshedParsed, err := time.Parse(time.RFC3339, lastEvalRefreshed) - Expect(err).To(BeNil()) - - Expect(lastEvaluatedParsed.Before(lastEvalRefreshedParsed)).To(BeTrue()) - - By("Verifying that only one event was sent for the configuration policy") - events := utils.GetMatchingEvents( - clientManaged, - testNamespace, - case17PolicyName, - "", - "Policy status is: NonCompliant", - defaultTimeoutSeconds, - ) - Expect(len(events)).To(Equal(1)) - Expect(events[0].Count).To(Equal(int32(1))) - - By("Verifying that only one event was sent for the parent policy") - parentEvents := utils.GetMatchingEvents( - clientManaged, - testNamespace, - case17ParentPolicyName, - "policy: "+testNamespace+"/"+case17PolicyName, - "^NonCompliant;", - defaultTimeoutSeconds, - ) - Expect(len(parentEvents)).To(Equal(1)) - Expect(parentEvents[0].Count).To(Equal(int32(1))) - }) - - It("Verifies that a compliant policy is not reevaluated when set to never", func() { - By("Creating " + case17PolicyNeverName + " on the managed cluster") - utils.Kubectl("apply", "-f", case17PolicyNever, "-n", testNamespace) - plc := utils.GetWithTimeout( - clientManagedDynamic, gvrConfigPolicy, case17PolicyNeverName, testNamespace, true, defaultTimeoutSeconds, - ) - Expect(plc).NotTo(BeNil()) - - By("Getting status.lastEvaluated") - var managedPlc *unstructured.Unstructured - - Eventually(func() interface{} { - managedPlc = utils.GetWithTimeout( - clientManagedDynamic, - gvrConfigPolicy, - case17PolicyNeverName, - testNamespace, - true, - defaultTimeoutSeconds, - ) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - - lastEvaluated, _ := utils.GetLastEvaluated(managedPlc) - _, err := time.Parse(time.RFC3339, lastEvaluated) - Expect(err).To(BeNil()) - - By("Verifying that compliance message mentions it won't be reevaluated") - msg, ok := utils.GetStatusMessage(managedPlc).(string) - Expect(ok).To(BeTrue()) - - expectedSuffix := `. This policy will not be evaluated again due to spec.evaluationInterval.compliant being ` + - `set to "never".` - Expect(strings.HasSuffix(msg, expectedSuffix)).To(BeTrue()) - - By("Verifying that status.lastEvaluated will not change after waiting 15 seconds") - time.Sleep(15 * time.Second) - - managedPlc = utils.GetWithTimeout( - clientManagedDynamic, gvrConfigPolicy, case17PolicyNeverName, testNamespace, true, defaultTimeoutSeconds, - ) - lastEvalRefreshed, _ := utils.GetLastEvaluated(managedPlc) - Expect(lastEvalRefreshed).To(Equal(lastEvaluated)) - }) - - It("Cleans up", func() { - utils.Kubectl("delete", "-f", case17ParentPolicy, "-n", testNamespace) - utils.Kubectl("delete", "-f", case17Policy, "-n", testNamespace, "--ignore-not-found") - utils.Kubectl("delete", "-f", case17PolicyNever, "-n", testNamespace) - - err := clientManaged.CoreV1().Namespaces().Delete( - context.TODO(), case17CreatedNamespaceName, v1.DeleteOptions{}, - ) - if !k8serrors.IsNotFound(err) { - Expect(err).To(BeNil()) - } - - events, err := clientManaged.CoreV1().Events(testNamespace).List(context.TODO(), v1.ListOptions{}) - Expect(err).To(BeNil()) - - for _, event := range events.Items { - name := event.GetName() - - if strings.HasPrefix(name, case17ParentPolicyName) || - strings.HasPrefix(name, case17PolicyName) || - strings.HasPrefix(name, case17PolicyNeverName) { - err = clientManaged.CoreV1().Events(testNamespace).Delete(context.TODO(), name, v1.DeleteOptions{}) - Expect(err).To(BeNil()) - } - } - }) -}) diff --git a/test/e2e/case18_discovery_refresh_test.go b/test/e2e/case18_discovery_refresh_test.go deleted file mode 100644 index 80d2d77c..00000000 --- a/test/e2e/case18_discovery_refresh_test.go +++ /dev/null @@ -1,140 +0,0 @@ -// Copyright (c) 2022 Red Hat, Inc. -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - "context" - "os/exec" - - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - k8serrors "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -const ( - case18PolicyName = "policy-c18" - case18Policy = "../resources/case18_discovery_refresh/policy.yaml" - case18PolicyTemplateName = "policy-c18-template" - case18PolicyTemplatePreReqs = "../resources/case18_discovery_refresh/prereqs-for-template-policy.yaml" - case18PolicyTemplate = "../resources/case18_discovery_refresh/policy-template.yaml" - case18ConfigMapName = "c18-configmap" -) - -var _ = Describe("Test discovery info refresh", func() { - It("Verifies that the discovery info is refreshed after a CRD is installed", func() { - By("Creating " + case18PolicyName + " on managed") - utils.Kubectl("apply", "-f", case18Policy, "-n", testNamespace) - policy := utils.GetWithTimeout( - clientManagedDynamic, - gvrConfigPolicy, - case18PolicyName, - testNamespace, - true, - defaultTimeoutSeconds, - ) - Expect(policy).NotTo(BeNil()) - - By("Verifying " + case18PolicyName + " becomes compliant") - Eventually(func() interface{} { - policy := utils.GetWithTimeout( - clientManagedDynamic, - gvrConfigPolicy, - case18PolicyName, - testNamespace, - true, - defaultTimeoutSeconds, - ) - - return utils.GetComplianceState(policy) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - - It("Verifies that the discovery info is refreshed when a template references a new object kind", func() { - By("Creating the prerequisites on managed") - // This needs to be wrapped in an eventually since the object can't be created immediately after the CRD - // is created. - Eventually( - func() interface{} { - cmd := exec.Command("kubectl", "apply", "-f", case18PolicyTemplatePreReqs) - - err := cmd.Start() - if err != nil { - return err - } - - err = cmd.Wait() - - return err - }, - defaultTimeoutSeconds, - 1, - ).Should(BeNil()) - - By("Creating " + case18PolicyTemplateName + " on managed") - utils.Kubectl("apply", "-f", case18PolicyTemplate, "-n", testNamespace) - policy := utils.GetWithTimeout( - clientManagedDynamic, - gvrConfigPolicy, - case18PolicyTemplateName, - testNamespace, - true, - defaultTimeoutSeconds, - ) - Expect(policy).NotTo(BeNil()) - - By("Verifying " + case18PolicyTemplateName + " becomes compliant") - Eventually(func() interface{} { - policy := utils.GetWithTimeout( - clientManagedDynamic, - gvrConfigPolicy, - case18PolicyTemplateName, - testNamespace, - true, - defaultTimeoutSeconds, - ) - - return utils.GetComplianceState(policy) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - - It("Cleans up", func() { - err := clientManagedDynamic.Resource(gvrConfigPolicy).Namespace(testNamespace).Delete( - context.TODO(), case18PolicyName, metav1.DeleteOptions{}, - ) - if !k8serrors.IsNotFound(err) { - Expect(err).To(BeNil()) - } - - err = clientManagedDynamic.Resource(gvrCRD).Delete( - context.TODO(), "pizzaslices.food.example.com", metav1.DeleteOptions{}, - ) - if !k8serrors.IsNotFound(err) { - Expect(err).To(BeNil()) - } - - err = clientManagedDynamic.Resource(gvrConfigPolicy).Namespace(testNamespace).Delete( - context.TODO(), case18PolicyTemplateName, metav1.DeleteOptions{}, - ) - if !k8serrors.IsNotFound(err) { - Expect(err).To(BeNil()) - } - - err = clientManagedDynamic.Resource(gvrCRD).Delete( - context.TODO(), "pizzaslices.diner.example.com", metav1.DeleteOptions{}, - ) - if !k8serrors.IsNotFound(err) { - Expect(err).To(BeNil()) - } - - err = clientManaged.CoreV1().ConfigMaps("default").Delete( - context.TODO(), case18ConfigMapName, metav1.DeleteOptions{}, - ) - if !k8serrors.IsNotFound(err) { - Expect(err).To(BeNil()) - } - }) -}) diff --git a/test/e2e/case19_ns_selector_test.go b/test/e2e/case19_ns_selector_test.go deleted file mode 100644 index e582d3d5..00000000 --- a/test/e2e/case19_ns_selector_test.go +++ /dev/null @@ -1,149 +0,0 @@ -// Copyright (c) 2020 Red Hat, Inc. -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -const ( - case19PolicyName string = "policy-configmap-selector-e2e" - case19PolicyYaml string = "../resources/case19_ns_selector/case19_cm_policy.yaml" - case19TemplatesName string = "configmap-selector-e2e" - case19TemplatesKind string = "ConfigMap" - case19PrereqYaml string = "../resources/case19_ns_selector/case19_cm_manifest.yaml" - case19PatchPrefix string = "[{\"op\":\"replace\",\"path\":\"/spec/namespaceSelector\",\"value\":" - case19PatchSuffix string = "}]" -) - -// Test setup for namespace selection policy tests: -// - Namespaces `case19-[1-5]-e2e`, each with a `name: ` label -// - Single deployed Configmap `configmap-selector-e2e` in namespace `case19-1-e2e` -// - Deployed policy should be compliant since it matches the single deployed ConfigMap -// - Policies are patched so that the namespace doesn't match and should be NonCompliant -var _ = Describe("Test object namespace selection", Ordered, func() { - // NamespaceSelector patches to test - resetPatch := "{\"include\":[\"case19-1-e2e\"]}" - allPatch := "{\"matchExpressions\":[{\"key\":\"name\",\"operator\":\"Exists\"}]}" - patches := map[string]struct { - patch string - message string - }{ - "no namespaceSelector specified": { - "{}", - "namespaced object " + case19TemplatesName + " of kind " + case19TemplatesKind + - " has no namespace specified" + - " from the policy namespaceSelector nor the object metadata", - }, - "a non-matching LabelSelector": { - "{\"matchLabels\":{\"name\":\"not-a-namespace\"}}", - "namespaced object " + case19TemplatesName + " of kind " + case19TemplatesKind + - " has no namespace specified" + - " from the policy namespaceSelector nor the object metadata", - }, - "LabelSelector and exclude": { - "{\"exclude\":[\"*-[3-4]-e2e\"],\"matchLabels\":{}," + - "\"matchExpressions\":[{\"key\":\"name\",\"operator\":\"Exists\"}]}", - "configmaps not found: [configmap-selector-e2e] in namespace case19-2-e2e missing; " + - "[configmap-selector-e2e] in namespace case19-5-e2e missing", - }, - "empty LabelSelector and include/exclude": { - "{\"include\":[\"case19-[2-5]-e2e\"],\"exclude\":[\"*-[3-4]-e2e\"]," + - "\"matchLabels\":{},\"matchExpressions\":[]}", - "configmaps not found: [configmap-selector-e2e] in namespace case19-2-e2e missing; " + - "[configmap-selector-e2e] in namespace case19-5-e2e missing", - }, - "LabelSelector": { - "{\"matchExpressions\":[{\"key\":\"name\",\"operator\":\"Exists\"}]}", - "configmaps not found: [configmap-selector-e2e] in namespace case19-2-e2e missing; " + - "[configmap-selector-e2e] in namespace case19-3-e2e missing; " + - "[configmap-selector-e2e] in namespace case19-4-e2e missing; " + - "[configmap-selector-e2e] in namespace case19-5-e2e missing", - }, - "Malformed filepath in include": { - "{\"include\":[\"*-[a-z-*\"]}", - "Error filtering namespaces with provided namespaceSelector: " + - "error parsing 'include' pattern '*-[a-z-*': syntax error in pattern", - }, - "MatchExpressions with incorrect operator": { - "{\"matchExpressions\":[{\"key\":\"name\",\"operator\":\"Seriously\"}]}", - "Error filtering namespaces with provided namespaceSelector: " + - "error parsing namespace LabelSelector: \"Seriously\" is not a valid pod selector operator", - }, - "MatchExpressions with missing values": { - "{\"matchExpressions\":[{\"key\":\"name\",\"operator\":\"In\",\"values\":[]}]}", - "Error filtering namespaces with provided namespaceSelector: " + - "error parsing namespace LabelSelector: " + - "values: Invalid value: []string(nil): for 'in', 'notin' operators, values set can't be empty", - }, - } - - It("creates prerequisite objects", func() { - utils.Kubectl("apply", "-f", case19PrereqYaml) - // Delete the last namespace so we can use it to test whether - // adding a namespace works as the final test - utils.Kubectl("delete", "namespace", "case19-6-e2e") - utils.Kubectl("apply", "-f", case19PolicyYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case19PolicyName, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - }) - - It("should properly handle the namespaceSelector", func() { - for name, patch := range patches { - By("patching compliant policy " + case19PolicyName + " on the managed cluster") - utils.Kubectl("patch", "--namespace=managed", "configurationpolicy", case19PolicyName, "--type=json", - "--patch="+case19PatchPrefix+resetPatch+case19PatchSuffix, - ) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case19PolicyName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - By("patching with " + name) - utils.Kubectl("patch", "--namespace=managed", "configurationpolicy", case19PolicyName, "--type=json", - "--patch="+case19PatchPrefix+patch.patch+case19PatchSuffix, - ) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case19PolicyName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case19PolicyName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetStatusMessage(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal(patch.message)) - } - }) - - It("should handle when a matching labeled namespace is added", func() { - utils.Kubectl("apply", "-f", case19PrereqYaml) - By("patching with a patch for all namespaces") - utils.Kubectl("patch", "--namespace=managed", "configurationpolicy", case19PolicyName, "--type=json", - "--patch="+case19PatchPrefix+allPatch+case19PatchSuffix, - ) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case19PolicyName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetStatusMessage(managedPlc) - }, defaultTimeoutSeconds, 1).Should(ContainSubstring( - "[configmap-selector-e2e] in namespace case19-6-e2e missing")) - }) - - AfterAll(func() { - utils.Kubectl("delete", "-f", case19PrereqYaml) - policies := []string{ - case19PolicyName, - } - deleteConfigPolicies(policies) - }) -}) diff --git a/test/e2e/case1_pod_handling_test.go b/test/e2e/case1_pod_handling_test.go deleted file mode 100644 index d741b86a..00000000 --- a/test/e2e/case1_pod_handling_test.go +++ /dev/null @@ -1,164 +0,0 @@ -// Copyright (c) 2020 Red Hat, Inc. -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -const ( - case1ConfigPolicyNameInform string = "policy-pod-create-inform" - case1ConfigPolicyNameEnforce string = "policy-pod-create" - case1PodName string = "nginx-pod-e2e" - case1PolicyYamlInform string = "../resources/case1_pod_handling/case1_pod_create_inform.yaml" - case1PolicyYamlEnforce string = "../resources/case1_pod_handling/case1_pod_create_enforce.yaml" - case1PolicyCheckMNHYaml string = "../resources/case1_pod_handling/case1_pod_check-mnh.yaml" - case1PolicyCheckMOHYaml string = "../resources/case1_pod_handling/case1_pod_check-moh.yaml" - case1PolicyCheckMHYaml string = "../resources/case1_pod_handling/case1_pod_check-mh.yaml" - case1PolicyYamlEnforceEmpty string = "../resources/case1_pod_handling/case1_pod_create_empty_list.yaml" - case1PolicyYamlInformEmpty string = "../resources/case1_pod_handling/case1_pod_check_empty_list.yaml" - case1PolicyCheckMNHIncompleteYaml string = "../resources/case1_pod_handling/case1_pod_check-mnh-incomplete.yaml" - case1PolicyYamlMultipleCreate string = "../resources/case1_pod_handling/case1_pod_create_multiple.yaml" - case1PolicyYamlMultipleCheckMH string = "../resources/case1_pod_handling/case1_pod_check_multiple_mh.yaml" -) - -var _ = Describe("Test pod obj template handling", func() { - Describe("Create a policy on managed cluster in ns:"+testNamespace, func() { - It("should be created properly on the managed cluster", func() { - By("Creating " + case1PolicyYamlInform + " on managed") - utils.Kubectl("apply", "-f", case1PolicyYamlInform, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case1ConfigPolicyNameInform, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case1ConfigPolicyNameInform, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - }) - It("should create pod on managed cluster", func() { - By("creating " + case1PolicyYamlEnforce + " on hub with spec.remediationAction = enforce") - utils.Kubectl("apply", "-f", case1PolicyYamlEnforce, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case1ConfigPolicyNameEnforce, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case1ConfigPolicyNameEnforce, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - Eventually(func() interface{} { - informPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case1ConfigPolicyNameInform, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(informPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - case1PodName, "default", true, defaultTimeoutSeconds) - Expect(pod).NotTo(BeNil()) - utils.Kubectl("apply", "-f", case1PolicyCheckMHYaml, "-n", testNamespace) - plcMH := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-pod-check-mh-list", testNamespace, true, defaultTimeoutSeconds) - Expect(plcMH).NotTo(BeNil()) - Eventually(func() interface{} { - mHPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-pod-check-mh-list", testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(mHPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - utils.Kubectl("apply", "-f", case1PolicyYamlEnforceEmpty, "-n", testNamespace) - plcEmpty := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-pod-emptycontainerlist", testNamespace, true, defaultTimeoutSeconds) - Expect(plcEmpty).NotTo(BeNil()) - Eventually(func() interface{} { - emptyPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-pod-emptycontainerlist", testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(emptyPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - utils.Kubectl("apply", "-f", case1PolicyYamlMultipleCreate, "-n", testNamespace) - plcMultiple := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-pod-create-multiple", testNamespace, true, defaultTimeoutSeconds) - Expect(plcMultiple).NotTo(BeNil()) - Eventually(func() interface{} { - multiPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-pod-create-multiple", testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(multiPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("should create violations properly", func() { - utils.Kubectl("apply", "-f", case1PolicyCheckMNHYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-pod-check-mnh", testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-pod-check-mnh", testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - utils.Kubectl("apply", "-f", case1PolicyCheckMNHIncompleteYaml, "-n", testNamespace) - plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-pod-check-mnh-incomplete", testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-pod-check-mnh-incomplete", testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - utils.Kubectl("apply", "-f", case1PolicyCheckMOHYaml, "-n", testNamespace) - plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-pod-check-moh", testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-pod-check-moh", testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - utils.Kubectl("apply", "-f", case1PolicyYamlInformEmpty, "-n", testNamespace) - plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-pod-check-emptycontainerlist", testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-pod-check-emptycontainerlist", testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - utils.Kubectl("apply", "-f", case1PolicyYamlMultipleCheckMH, "-n", testNamespace) - plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-pod-check-multiple-mh", testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-pod-check-multiple-mh", testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("Cleans up", func() { - policies := []string{ - case1ConfigPolicyNameInform, - case1ConfigPolicyNameEnforce, - "policy-pod-check-emptycontainerlist", - "policy-pod-check-mh-list", - "policy-pod-check-mnh-incomplete", - "policy-pod-check-mnh", - "policy-pod-check-multiple-mh", - "policy-pod-check-moh", - "policy-pod-create-multiple", - "policy-pod-emptycontainerlist", - } - deleteConfigPolicies(policies) - }) - }) -}) diff --git a/test/e2e/case20_delete_objects_test.go b/test/e2e/case20_delete_objects_test.go deleted file mode 100644 index 686ab161..00000000 --- a/test/e2e/case20_delete_objects_test.go +++ /dev/null @@ -1,534 +0,0 @@ -// Copyright (c) 2020 Red Hat, Inc. -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - "context" - "errors" - - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -const ( - case20PodName string = "nginx-pod-e2e20" - case20PodWithFinalizer string = "nginx-pod-cannot-delete" - case20ConfigPolicyNameCreate string = "policy-pod-create" - case20ConfigPolicyNameEdit string = "policy-pod-edit" - case20ConfigPolicyNameExisting string = "policy-pod-already-created" - case20ConfigPolicyNameInform string = "policy-pod-inform" - case20ConfigPolicyNameFinalizer string = "policy-pod-create-withfinalizer" - case20ConfigPolicyNameChange string = "policy-pod-change-remediation" - case20PodYaml string = "../resources/case20_delete_objects/case20_pod.yaml" - case20PolicyYamlCreate string = "../resources/case20_delete_objects/case20_create_pod.yaml" - case20PolicyYamlEdit string = "../resources/case20_delete_objects/case20_edit_pod.yaml" - case20PolicyYamlExisting string = "../resources/case20_delete_objects/case20_enforce_noncreated_pod.yaml" - case20PolicyYamlInform string = "../resources/case20_delete_objects/case20_inform_pod.yaml" - case20PolicyYamlFinalizer string = "../resources/case20_delete_objects/case20_createpod_finalizer.yaml" - case20PolicyYamlChangeInform string = "../resources/case20_delete_objects/case20_change_inform.yaml" - case20PolicyYamlChangeEnforce string = "../resources/case20_delete_objects/case20_change_enforce.yaml" -) - -var _ = Describe("Test status fields being set for object deletion", func() { - Describe("Create a policy on managed cluster in ns:"+testNamespace, func() { - It("should update status fields properly for created objects", func() { - By("Creating " + case20ConfigPolicyNameCreate + " on managed") - utils.Kubectl("apply", "-f", case20PolicyYamlCreate, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameCreate, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameCreate, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameCreate, testNamespace, true, defaultTimeoutSeconds) - relatedObj := managedPlc.Object["status"].(map[string]interface{})["relatedObjects"].([]interface{})[0] - properties := relatedObj.(map[string]interface{})["properties"].(map[string]interface{}) - - return properties["createdByPolicy"].(bool) - }, defaultTimeoutSeconds, 1).Should(Equal(true)) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameCreate, testNamespace, true, defaultTimeoutSeconds) - relatedObj := managedPlc.Object["status"].(map[string]interface{})["relatedObjects"].([]interface{})[0] - properties := relatedObj.(map[string]interface{})["properties"].(map[string]interface{}) - - return properties["uid"].(string) - }, defaultTimeoutSeconds, 1).Should(Not(Equal(""))) - }) - It("should update status fields properly for non-created objects", func() { - By("Creating " + case20ConfigPolicyNameExisting + " on managed") - utils.Kubectl("apply", "-f", case20PolicyYamlExisting, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameExisting, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameExisting, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameExisting, testNamespace, true, defaultTimeoutSeconds) - relatedObj := managedPlc.Object["status"].(map[string]interface{})["relatedObjects"].([]interface{})[0] - properties := relatedObj.(map[string]interface{})["properties"].(map[string]interface{}) - - return properties["createdByPolicy"].(bool) - }, defaultTimeoutSeconds, 1).Should(Equal(false)) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameExisting, testNamespace, true, defaultTimeoutSeconds) - relatedObj := managedPlc.Object["status"].(map[string]interface{})["relatedObjects"].([]interface{})[0] - properties := relatedObj.(map[string]interface{})["properties"].(map[string]interface{}) - - return properties["uid"] - }, defaultTimeoutSeconds, 1).Should(BeNil()) - }) - It("should update status fields properly for edited objects", func() { - By("Creating " + case20ConfigPolicyNameEdit + " on managed") - utils.Kubectl("apply", "-f", case20PolicyYamlEdit, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameEdit, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameEdit, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameEdit, testNamespace, true, defaultTimeoutSeconds) - relatedObj := managedPlc.Object["status"].(map[string]interface{})["relatedObjects"].([]interface{})[0] - properties := relatedObj.(map[string]interface{})["properties"].(map[string]interface{}) - - return properties["createdByPolicy"].(bool) - }, defaultTimeoutSeconds, 1).Should(Equal(false)) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameEdit, testNamespace, true, defaultTimeoutSeconds) - relatedObj := managedPlc.Object["status"].(map[string]interface{})["relatedObjects"].([]interface{})[0] - properties := relatedObj.(map[string]interface{})["properties"].(map[string]interface{}) - - return properties["uid"] - }, defaultTimeoutSeconds, 1).Should(BeNil()) - }) - It("should not update status field for inform policies", func() { - By("Creating " + case20ConfigPolicyNameInform + " on managed") - utils.Kubectl("apply", "-f", case20PolicyYamlInform, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameInform, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameInform, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameInform, testNamespace, true, defaultTimeoutSeconds) - relatedObj := managedPlc.Object["status"].(map[string]interface{})["relatedObjects"].([]interface{})[0] - properties := relatedObj.(map[string]interface{})["properties"] - - return properties - }, defaultTimeoutSeconds, 1).Should(BeNil()) - }) - It("Cleans up", func() { - utils.Kubectl("delete", "pod", case20PodName, "-n", "default") - policies := []string{ - case20ConfigPolicyNameCreate, - case20ConfigPolicyNameExisting, - case20ConfigPolicyNameEdit, - case20ConfigPolicyNameInform, - } - - deleteConfigPolicies(policies) - - Consistently(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameCreate, testNamespace, false, defaultTimeoutSeconds) - - return managedPlc - }, defaultTimeoutSeconds, 1).Should(BeNil()) - - Consistently(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameExisting, testNamespace, false, defaultTimeoutSeconds) - - return managedPlc - }, defaultTimeoutSeconds, 1).Should(BeNil()) - - Consistently(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameEdit, testNamespace, false, defaultTimeoutSeconds) - - return managedPlc - }, defaultTimeoutSeconds, 1).Should(BeNil()) - }) - }) -}) - -var _ = Describe("Test objects that should be deleted are actually being deleted", func() { - Describe("Create a policy on managed cluster in ns:"+testNamespace, func() { - It("Should create pod", func() { - // create pod - By("Creating " + case20PodName + " on default") - utils.Kubectl("apply", "-f", case20PodYaml) - Eventually(func() interface{} { - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - case20PodName, "default", true, defaultTimeoutSeconds) - - return pod - }, defaultTimeoutSeconds, 1).Should(Not(BeNil())) - // check policy - By("Creating " + case20ConfigPolicyNameInform + " on managed") - utils.Kubectl("apply", "-f", case20PolicyYamlInform, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameInform, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameInform, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("should not delete pod", func() { - deleteConfigPolicies([]string{case20ConfigPolicyNameInform}) - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - case20PodName, "default", true, defaultTimeoutSeconds) - Expect(pod).Should(Not(BeNil())) - Consistently(func() interface{} { - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - case20PodName, "default", true, defaultTimeoutSeconds) - - return pod - }, defaultTimeoutSeconds, 1).Should(Not(BeNil())) - }) - It("Should create DeleteIfCreated policy", func() { - // delete pod to reset - utils.Kubectl("delete", "pod", "nginx-pod-e2e20", "-n", "default") - // create policy to create pod - By("Creating " + case20ConfigPolicyNameCreate + " on managed") - utils.Kubectl("apply", "-f", case20PolicyYamlCreate, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameCreate, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameCreate, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - Eventually(func() interface{} { - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - case20PodName, "default", true, defaultTimeoutSeconds) - - return pod - }, defaultTimeoutSeconds, 1).Should(Not(BeNil())) - }) - It("should delete child object properly", func() { - // delete policy, should delete pod - deleteConfigPolicies([]string{case20ConfigPolicyNameCreate}) - Eventually(func() interface{} { - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - case20PodName, "default", false, defaultTimeoutSeconds) - - return pod - }, defaultTimeoutSeconds, 1).Should(BeNil()) - }) - It("should create deleteifcreated policy for non created obj", func() { - // policy that did not create pod - By("Creating " + case20PodName + " on default") - utils.Kubectl("apply", "-f", case20PodYaml) - Eventually(func() interface{} { - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - case20PodName, "default", true, defaultTimeoutSeconds) - - return pod - }, defaultTimeoutSeconds, 1).Should(Not(BeNil())) - - By("Creating " + case20ConfigPolicyNameEdit + " on managed") - utils.Kubectl("apply", "-f", case20PolicyYamlEdit, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameEdit, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameEdit, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("should not delete the child object", func() { - // delete policy, should delete pod - deleteConfigPolicies([]string{case20ConfigPolicyNameEdit}) - Consistently(func() interface{} { - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - case20PodName, "default", true, defaultTimeoutSeconds) - - return pod - }, defaultTimeoutSeconds, 1).Should(Not(BeNil())) - }) - It("should handle deleteAll properly for created obj", func() { - By("Creating " + case20ConfigPolicyNameExisting + " on managed") - utils.Kubectl("apply", "-f", case20PolicyYamlExisting, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameExisting, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameExisting, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("should delete the child object properly", func() { - // delete policy, should delete pod - deleteConfigPolicies([]string{case20ConfigPolicyNameExisting}) - Eventually(func() interface{} { - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - case20PodName, "default", false, defaultTimeoutSeconds) - - return pod - }, defaultTimeoutSeconds, 1).Should(BeNil()) - Consistently(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameExisting, testNamespace, false, defaultTimeoutSeconds) - - return managedPlc - }, defaultTimeoutSeconds, 1).Should(BeNil()) - }) - It("should handle deleteAll properly for non created obj", func() { - By("Creating " + case20PodName + " on default") - utils.Kubectl("apply", "-f", case20PodYaml) - Eventually(func() interface{} { - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - case20PodName, "default", true, defaultTimeoutSeconds) - - return pod - }, defaultTimeoutSeconds, 1).Should(Not(BeNil())) - By("Creating " + case20ConfigPolicyNameExisting + " on managed") - utils.Kubectl("apply", "-f", case20PolicyYamlExisting, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameExisting, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameExisting, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("should delete the child object properly", func() { - // delete policy, should delete pod - deleteConfigPolicies([]string{case20ConfigPolicyNameExisting}) - Eventually(func() interface{} { - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - case20PodName, "default", false, defaultTimeoutSeconds) - - return pod - }, defaultTimeoutSeconds, 1).Should(BeNil()) - }) - It("Should create pod with finalizer", func() { - // create policy to create pod - By("Creating " + case20ConfigPolicyNameFinalizer + " on managed") - utils.Kubectl("apply", "-f", case20PolicyYamlFinalizer, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameFinalizer, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameFinalizer, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - Eventually(func() interface{} { - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - case20PodWithFinalizer, "default", true, defaultTimeoutSeconds) - - return pod - }, defaultTimeoutSeconds, 1).Should(Not(BeNil())) - }) - It("should hang on unfinished child object delete", func() { - // delete policy, should delete pod - err := clientManagedDynamic.Resource(gvrConfigPolicy).Namespace(testNamespace).Delete( - context.TODO(), case20ConfigPolicyNameFinalizer, metav1.DeleteOptions{}, - ) - Expect(err).To(BeNil()) - - Consistently(func() interface{} { - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - case20PodWithFinalizer, "default", true, defaultTimeoutSeconds) - - return pod - }, defaultTimeoutSeconds, 1).Should(Not(BeNil())) - Consistently(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameFinalizer, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Terminating")) - }) - It("should finish delete when pod finalizer is removed", func() { - utils.Kubectl( - "patch", - "pods/nginx-pod-cannot-delete", - "--type", - "json", - `-p=[{"op":"remove","path":"/metadata/finalizers"}]`, - ) - Eventually(func() interface{} { - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - case20PodWithFinalizer, "default", false, defaultTimeoutSeconds) - - return pod - }, defaultTimeoutSeconds, 1).Should(BeNil()) - Consistently(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameFinalizer, testNamespace, false, defaultTimeoutSeconds) - - return managedPlc - }, defaultTimeoutSeconds, 1).Should(BeNil()) - }) - It("should handle changing policy from inform to enforce", func() { - By("Creating " + case20ConfigPolicyNameChange + " on managed") - utils.Kubectl("apply", "-f", case20PolicyYamlChangeInform, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameChange, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameChange, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - By("Patching " + case20ConfigPolicyNameChange + " to enforce") - utils.Kubectl("apply", "-f", case20PolicyYamlChangeEnforce, "-n", testNamespace) - plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameChange, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameChange, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("should delete the child object properly", func() { - // delete policy, should delete pod - deleteConfigPolicies([]string{case20ConfigPolicyNameChange}) - Eventually(func() interface{} { - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - case20PodName, "default", false, defaultTimeoutSeconds) - - return pod - }, defaultTimeoutSeconds, 1).Should(BeNil()) - Consistently(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameChange, testNamespace, false, defaultTimeoutSeconds) - - return managedPlc - }, defaultTimeoutSeconds, 1).Should(BeNil()) - }) - It("should handle changing policy from enforce to inform", func() { - By("Creating " + case20ConfigPolicyNameChange + " on managed") - utils.Kubectl("apply", "-f", case20PolicyYamlChangeEnforce, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameChange, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameChange, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - By("Patching " + case20ConfigPolicyNameChange + " to inform") - utils.Kubectl("apply", "-f", case20PolicyYamlChangeInform, "-n", testNamespace) - plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameChange, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameChange, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("should not delete the child object properly", func() { - // delete policy, should not delete pod - deleteConfigPolicies([]string{case20ConfigPolicyNameChange}) - Eventually(func() interface{} { - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - case20PodName, "default", true, defaultTimeoutSeconds) - - return pod - }, defaultTimeoutSeconds, 1).Should(Not(BeNil())) - }) - It("Cleans up", func() { - utils.Kubectl("delete", "pod", case20PodName, "-n", "default") - }) - }) - Describe("Test behavior after manually deleting object", Ordered, func() { - It("creates a policy to create a pod", func() { - By("Creating " + case20ConfigPolicyNameCreate + " on managed") - utils.Kubectl("apply", "-f", case20PolicyYamlCreate, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameCreate, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case20ConfigPolicyNameCreate, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - By("Verifying the pod is present") - Eventually(func() interface{} { - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - case20PodName, "default", true, defaultTimeoutSeconds) - - return pod - }, defaultTimeoutSeconds, 1).Should(Not(BeNil())) - }) - It("automatically recreates the pod after it's deleted", func() { - By("Deleting the pod with kubectl") - utils.Kubectl("delete", "pod/"+case20PodName, "-n", "default") - - By("Verifying the pod was recreated and isn't still being deleted") - Eventually(func() interface{} { - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - case20PodName, "default", true, defaultTimeoutSeconds) - - _, found, err := unstructured.NestedString(pod.Object, "metadata", "deletionTimestamp") - if err != nil { - return err - } - if found { - return errors.New("Pod is being deleted") - } - - return nil - }, defaultTimeoutSeconds, 1).Should(BeNil()) - }) - It("deletes the pod after the policy is deleted", func() { - deleteConfigPolicies([]string{case20ConfigPolicyNameCreate}) - Eventually(func() interface{} { - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - case20PodName, "default", false, defaultTimeoutSeconds) - - return pod - }, defaultTimeoutSeconds, 1).Should(BeNil()) - }) - }) -}) diff --git a/test/e2e/case21_alternative_kubeconfig_test.go b/test/e2e/case21_alternative_kubeconfig_test.go deleted file mode 100644 index a497a97c..00000000 --- a/test/e2e/case21_alternative_kubeconfig_test.go +++ /dev/null @@ -1,94 +0,0 @@ -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - "context" - "fmt" - "os" - - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/client-go/kubernetes" - "k8s.io/client-go/tools/clientcmd" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -var _ = Describe("Test an alternative kubeconfig for policy evaluation", Ordered, Label("hosted-mode"), func() { - const ( - envName = "TARGET_KUBECONFIG_PATH" - namespaceName = "e2e-test-ns" - policyName = "create-ns" - policyYAML = "../resources/case21_alternative_kubeconfig/policy.yaml" - parentPolicyName = "parent-create-ns" - parentPolicyYAML = "../resources/case21_alternative_kubeconfig/parent-policy.yaml" - ) - - var targetK8sClient *kubernetes.Clientset - - BeforeAll(func() { - By("Checking that the " + envName + " environment variable is valid") - altKubeconfigPath := os.Getenv(envName) - Expect(altKubeconfigPath).ToNot(Equal("")) - - targetK8sConfig, err := clientcmd.BuildConfigFromFlags("", altKubeconfigPath) - Expect(err).To(BeNil()) - - targetK8sClient, err = kubernetes.NewForConfig(targetK8sConfig) - Expect(err).To(BeNil()) - }) - - AfterAll(func() { - deleteConfigPolicies([]string{policyName}) - - err := clientManagedDynamic.Resource(gvrPolicy).Namespace(testNamespace).Delete( - context.TODO(), parentPolicyName, metav1.DeleteOptions{}, - ) - if !errors.IsNotFound(err) { - Expect(err).To(BeNil()) - } - - err = targetK8sClient.CoreV1().Namespaces().Delete(context.TODO(), namespaceName, metav1.DeleteOptions{}) - if !errors.IsNotFound(err) { - Expect(err).To(BeNil()) - } - }) - - It("should create the namespace using the alternative kubeconfig", func() { - By("Creating parent policy " + parentPolicyName + " on " + testNamespace) - utils.Kubectl("apply", "-f", parentPolicyYAML, "-n", testNamespace) - parent := utils.GetWithTimeout(clientManagedDynamic, gvrPolicy, - parentPolicyName, testNamespace, true, defaultTimeoutSeconds) - Expect(parent).NotTo(BeNil()) - - By("Creating the " + policyName + " policy") - plcDef := utils.ParseYaml(policyYAML) - ownerRefs := plcDef.GetOwnerReferences() - ownerRefs[0].UID = parent.GetUID() - plcDef.SetOwnerReferences(ownerRefs) - _, err := clientManagedDynamic.Resource(gvrConfigPolicy).Namespace(testNamespace). - Create(context.TODO(), plcDef, metav1.CreateOptions{}) - Expect(err).To(BeNil()) - - By("Verifying that the " + policyName + " policy is compliant") - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout( - clientManagedDynamic, gvrConfigPolicy, policyName, testNamespace, true, defaultTimeoutSeconds, - ) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - - By("Verifying that the " + policyName + " was created using the alternative kubeconfig") - _, err = targetK8sClient.CoreV1().Namespaces().Get(context.TODO(), namespaceName, metav1.GetOptions{}) - Expect(err).To(BeNil()) - - By("Verifying that a compliance event was created on the parent policy") - compParentEvents := utils.GetMatchingEvents(clientManaged, testNamespace, parentPolicyName, - fmt.Sprintf("policy: %v/%v", testNamespace, policyName), "^Compliant;", defaultTimeoutSeconds) - Expect(compParentEvents).NotTo(BeEmpty()) - }) -}) diff --git a/test/e2e/case22_pod_update_image_test.go b/test/e2e/case22_pod_update_image_test.go deleted file mode 100644 index 611de235..00000000 --- a/test/e2e/case22_pod_update_image_test.go +++ /dev/null @@ -1,74 +0,0 @@ -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - "context" - - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - corev1 "k8s.io/api/core/v1" - k8serrors "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -var _ = Describe("Test that an array can be updated when using named objects", Ordered, func() { - const ( - podName = "pod-case22" - policyName = "case22-pod-create" - policyYAML = "../resources/case22_pod_update_image/policy.yaml" - ) - - It("Verifies an image on a pod container can be updated (RHBZ#2117728)", func() { - By("Creating the " + podName + " pod") - pod := &corev1.Pod{ - ObjectMeta: metav1.ObjectMeta{ - Name: podName, - }, - Spec: corev1.PodSpec{ - Containers: []corev1.Container{ - { - Name: "nginx", - // The policy is going to apply 1.7.8 - Image: "nginx:1.7.9", - Ports: []corev1.ContainerPort{ - { - ContainerPort: 80, - }, - }, - }, - }, - }, - } - _, err := clientManaged.CoreV1().Pods("default").Create(context.TODO(), pod, metav1.CreateOptions{}) - Expect(err).To(BeNil()) - - By("Creating the " + policyName + " policy") - utils.Kubectl("apply", "-f", policyYAML, "-n", testNamespace) - - By("Verifying that the " + policyName + " policy is compliant") - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout( - clientManagedDynamic, gvrConfigPolicy, policyName, testNamespace, true, defaultTimeoutSeconds, - ) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - - By("Verifying the pod's image was updated") - pod, err = clientManaged.CoreV1().Pods("default").Get(context.TODO(), podName, metav1.GetOptions{}) - Expect(err).To(BeNil()) - Expect(pod.Spec.Containers).To(HaveLen(1)) - Expect(pod.Spec.Containers[0].Image).To(Equal("nginx:1.7.8")) - }) - - AfterAll(func() { - deleteConfigPolicies([]string{policyName}) - err := clientManaged.CoreV1().Pods("default").Delete(context.TODO(), podName, metav1.DeleteOptions{}) - if !k8serrors.IsNotFound(err) { - Expect(err).To(BeNil()) - } - }) -}) diff --git a/test/e2e/case23_invalid_field_test.go b/test/e2e/case23_invalid_field_test.go deleted file mode 100644 index cdfbd909..00000000 --- a/test/e2e/case23_invalid_field_test.go +++ /dev/null @@ -1,109 +0,0 @@ -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - "context" - - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - corev1 "k8s.io/api/core/v1" - k8serrors "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -var _ = Describe("Test an objectDefinition with an invalid field", Ordered, func() { - const ( - configMapName = "case23" - policyName = "case23-invalid-field" - policyYAML = "../resources/case23_invalid_field/policy.yaml" - ) - - It("Fails when an invalid field is provided", func() { - By("Creating the " + policyName + " policy") - utils.Kubectl("apply", "-f", policyYAML, "-n", testNamespace) - - By("Verifying that the " + policyName + " policy is noncompliant") - var managedPlc *unstructured.Unstructured - - Eventually(func() interface{} { - managedPlc = utils.GetWithTimeout( - clientManagedDynamic, gvrConfigPolicy, policyName, testNamespace, true, defaultTimeoutSeconds, - ) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - - // expectedMsg := "Error validating the object case23, the error is `ValidationError(ConfigMap): unknown " + - // "field \"invalid\" in io.k8s.api.core.v1.ConfigMap`" - expectedMsg := "configmaps [case23] in namespace default is missing, and cannot be created, reason: " + - "`ValidationError(ConfigMap): unknown field \"invalid\" in io.k8s.api.core.v1.ConfigMap`" - Expect(utils.GetStatusMessage(managedPlc)).To(Equal(expectedMsg)) - - By("Verifying the message is correct when the " + configMapName + " ConfigMap already exists") - configmap := &corev1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{ - Name: configMapName, - }, - } - _, err := clientManaged.CoreV1().ConfigMaps("default").Create(context.TODO(), configmap, metav1.CreateOptions{}) - Expect(err).To(BeNil()) - - expectedMsg = "Error validating the object case23, the error is `ValidationError(ConfigMap): unknown " + - "field \"invalid\" in io.k8s.api.core.v1.ConfigMap`" - Eventually(func() interface{} { - managedPlc = utils.GetWithTimeout( - clientManagedDynamic, gvrConfigPolicy, policyName, testNamespace, true, defaultTimeoutSeconds, - ) - - return utils.GetStatusMessage(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal(expectedMsg)) - }) - - AfterAll(func() { - deleteConfigPolicies([]string{policyName}) - - err := clientManaged.CoreV1().ConfigMaps("default").Delete( - context.TODO(), configMapName, metav1.DeleteOptions{}, - ) - if !k8serrors.IsNotFound(err) { - Expect(err).To(BeNil()) - } - }) -}) - -var _ = Describe("Test an objectDefinition with a missing status field that should be ignored", Ordered, func() { - const ( - podName = "nginx-case23-missing-status" - policyName = "case23-pod-missing-status-fields" - policyYAML = "../resources/case23_invalid_field/policy-ignore-status-field.yaml" - ) - - It("Still enforces when a status is provided but is missing a required field", func() { - By("Creating the " + policyName + " policy") - utils.Kubectl("apply", "-f", policyYAML, "-n", testNamespace) - - By("Verifying that the " + policyName + " policy is compliant") - var managedPlc *unstructured.Unstructured - - Eventually(func() interface{} { - managedPlc = utils.GetWithTimeout( - clientManagedDynamic, gvrConfigPolicy, policyName, testNamespace, true, defaultTimeoutSeconds, - ) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - - AfterAll(func() { - deleteConfigPolicies([]string{policyName}) - - err := clientManaged.CoreV1().Pods("default").Delete(context.TODO(), podName, metav1.DeleteOptions{}) - if !k8serrors.IsNotFound(err) { - Expect(err).To(BeNil()) - } - }) -}) diff --git a/test/e2e/case24_role_handling_test.go b/test/e2e/case24_role_handling_test.go deleted file mode 100644 index 6dc90b71..00000000 --- a/test/e2e/case24_role_handling_test.go +++ /dev/null @@ -1,45 +0,0 @@ -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -var _ = Describe("Test inform policies on ClusterRoles (RHBZ#2130985)", Ordered, func() { - const ( - policyName = "case24-role-handling" - policyYAML = "../resources/case24_role_handling/policy.yaml" - rolesYAML = "../resources/case24_role_handling/roles.yaml" - ) - - BeforeEach(func() { - By("Creating the roles") - utils.Kubectl("apply", "-f", rolesYAML) - }) - - AfterEach(func() { - By("Deleting the " + policyName + " policy") - deleteConfigPolicies([]string{policyName}) - - By("Deleting the roles") - utils.Kubectl("delete", "-f", rolesYAML, "--ignore-not-found=true") - }) - - It("verifies an inform policy with the created ClusterRoles ", func() { - By("Creating the " + policyName + " policy") - utils.Kubectl("apply", "-f", policyYAML, "-n", testNamespace) - - By("Verifying that the " + policyName + " policy is compliant") - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout( - clientManagedDynamic, gvrConfigPolicy, policyName, testNamespace, true, defaultTimeoutSeconds, - ) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) -}) diff --git a/test/e2e/case25_related_object_metric_test.go b/test/e2e/case25_related_object_metric_test.go deleted file mode 100644 index b455eed1..00000000 --- a/test/e2e/case25_related_object_metric_test.go +++ /dev/null @@ -1,78 +0,0 @@ -package e2e - -import ( - "fmt" - "os/exec" - - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -var _ = Describe("Test related object metrics", Ordered, func() { - const ( - policy1Name = "case25-test-policy-1" - policy2Name = "case25-test-policy-2" - relatedObject = "case25-configmap" - policyYaml = "../resources/case25_related_object_metric/case25-test-policy.yaml" - ) - It("should create policies and related objects", func() { - By("Creating " + policyYaml) - utils.Kubectl("apply", - "-f", policyYaml, - "-n", testNamespace) - By("Verifying the policies were created") - plc1 := utils.GetWithTimeout( - clientManagedDynamic, gvrConfigPolicy, policy1Name, testNamespace, true, defaultTimeoutSeconds, - ) - Expect(plc1).NotTo(BeNil()) - plc2 := utils.GetWithTimeout( - clientManagedDynamic, gvrConfigPolicy, policy2Name, testNamespace, true, defaultTimeoutSeconds, - ) - By("Verifying the related object was created") - Expect(plc2).NotTo(BeNil()) - obj := utils.GetWithTimeout( - clientManagedDynamic, gvrConfigMap, relatedObject, "default", true, defaultTimeoutSeconds, - ) - Expect(obj).NotTo(BeNil()) - }) - - It("should correctly report common related objects", func() { - By("Checking metric endpoint for relate object gauge for policy " + policy1Name) - Eventually(func() interface{} { - return utils.GetMetrics( - "common_related_objects", fmt.Sprintf(`policy=\"%s/%s\"`, testNamespace, policy1Name)) - }, defaultTimeoutSeconds, 1).Should(Equal([]string{"2"})) - By("Checking metric endpoint for relate object gauge for policy " + policy2Name) - Eventually(func() interface{} { - return utils.GetMetrics( - "common_related_objects", fmt.Sprintf(`policy=\"%s/%s\"`, testNamespace, policy2Name)) - }, defaultTimeoutSeconds, 1).Should(Equal([]string{"2"})) - }) - - cleanup := func() { - // Delete the policies and ignore any errors (in case it was deleted previously) - cmd := exec.Command("kubectl", "delete", - "-f", policyYaml, - "-n", testNamespace) - _, _ = cmd.CombinedOutput() - opt := metav1.ListOptions{} - utils.ListWithTimeout( - clientManagedDynamic, gvrConfigPolicy, opt, 0, false, defaultTimeoutSeconds) - utils.GetWithTimeout( - clientManagedDynamic, gvrConfigMap, relatedObject, "default", false, defaultTimeoutSeconds) - } - - It("should clean up", cleanup) - - It("should have no common related object metrics after clean up", func() { - By("Checking metric endpoint for related object gauges") - Eventually(func() interface{} { - return utils.GetMetrics("common_related_objects") - }, defaultTimeoutSeconds, 1).Should(Equal([]string{})) - }) - - AfterAll(cleanup) -}) diff --git a/test/e2e/case26_user_error_metric_test.go b/test/e2e/case26_user_error_metric_test.go deleted file mode 100644 index 594c3880..00000000 --- a/test/e2e/case26_user_error_metric_test.go +++ /dev/null @@ -1,60 +0,0 @@ -package e2e - -import ( - "os/exec" - - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -var _ = Describe("Test related object metrics", Ordered, func() { - const ( - policy1Name = "case26-test-policy-1" - policyYaml = "../resources/case26_user_error_metric/case26-missing-crd.yaml" - ) - It("should create policy", func() { - By("Creating " + policyYaml) - utils.Kubectl("apply", - "-f", policyYaml, - "-n", testNamespace) - By("Verifying the policies were created") - plc1 := utils.GetWithTimeout( - clientManagedDynamic, gvrConfigPolicy, policy1Name, testNamespace, true, defaultTimeoutSeconds, - ) - Expect(plc1).NotTo(BeNil()) - }) - - It("should correctly report no CRD user error", func() { - By("Checking metric endpoint for user error gauge for policy " + policy1Name) - Eventually(func() interface{} { - return utils.GetMetrics( - "policy_user_errors", - ) - }, defaultTimeoutSeconds, 1).Should(Equal([]string{"policies", "counter", "1"})) - }) - - cleanup := func() { - // Delete the policies and ignore any errors (in case it was deleted previously) - cmd := exec.Command("kubectl", "delete", - "-f", policyYaml, - "-n", testNamespace) - _, _ = cmd.CombinedOutput() - opt := metav1.ListOptions{} - utils.ListWithTimeout( - clientManagedDynamic, gvrConfigPolicy, opt, 0, false, defaultTimeoutSeconds) - } - - It("should clean up", cleanup) - - It("should have no common related object metrics after clean up", func() { - By("Checking metric endpoint for related object gauges") - Eventually(func() interface{} { - return utils.GetMetrics("policy_user_errors") - }, defaultTimeoutSeconds, 1).Should(Equal([]string{})) - }) - - AfterAll(cleanup) -}) diff --git a/test/e2e/case2_role_handling_test.go b/test/e2e/case2_role_handling_test.go deleted file mode 100644 index 21529a3f..00000000 --- a/test/e2e/case2_role_handling_test.go +++ /dev/null @@ -1,104 +0,0 @@ -// Copyright (c) 2020 Red Hat, Inc. -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -const ( - case2ConfigPolicyNameInform string = "policy-role-create-inform" - case2ConfigPolicyNameEnforce string = "policy-role-create" - case2roleName string = "pod-reader-e2e" - case2PolicyYamlInform string = "../resources/case2_role_handling/case2_role_create_inform.yaml" - case2PolicyYamlEnforce string = "../resources/case2_role_handling/case2_role_create_enforce.yaml" - case2PolicyCheckMNHYaml string = "../resources/case2_role_handling/case2_role_check-mnh.yaml" - case2PolicyCheckMOHYaml string = "../resources/case2_role_handling/case2_role_check-moh.yaml" - case2PolicyCheckCompliant string = "../resources/case2_role_handling/case2_role_check-c.yaml" -) - -var _ = Describe("Test role obj template handling", func() { - Describe("Create a policy on managed cluster in ns:"+testNamespace, func() { - It("should be created properly on the managed cluster", func() { - By("Creating " + case2PolicyYamlInform + " on managed") - utils.Kubectl("apply", "-f", case2PolicyYamlInform, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case2ConfigPolicyNameInform, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case2ConfigPolicyNameInform, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - }) - It("should create role on managed cluster", func() { - By("creating " + case2PolicyYamlEnforce + " on hub with spec.remediationAction = enforce") - utils.Kubectl("apply", "-f", case2PolicyYamlEnforce, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case2ConfigPolicyNameEnforce, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case2ConfigPolicyNameEnforce, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - Eventually(func() interface{} { - informPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case2ConfigPolicyNameInform, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(informPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - role := utils.GetWithTimeout(clientManagedDynamic, gvrRole, case2roleName, - "default", true, defaultTimeoutSeconds) - Expect(role).NotTo(BeNil()) - }) - It("should create statuses properly", func() { - utils.Kubectl("apply", "-f", case2PolicyCheckMNHYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-role-check-mnh", testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-role-check-mnh", testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - utils.Kubectl("apply", "-f", case2PolicyCheckMOHYaml, "-n", testNamespace) - plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-role-check-moh", testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-role-check-moh", testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - utils.Kubectl("apply", "-f", case2PolicyCheckCompliant, "-n", testNamespace) - plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-role-check-comp", testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - "policy-role-check-comp", testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("Cleans up", func() { - policies := []string{ - case2ConfigPolicyNameInform, - case2ConfigPolicyNameEnforce, - "policy-role-check-comp", - "policy-role-check-mnh", - "policy-role-check-moh", - } - deleteConfigPolicies(policies) - }) - }) -}) diff --git a/test/e2e/case3_imgvuln_test.go b/test/e2e/case3_imgvuln_test.go deleted file mode 100644 index 761927b7..00000000 --- a/test/e2e/case3_imgvuln_test.go +++ /dev/null @@ -1,99 +0,0 @@ -// Copyright (c) 2020 Red Hat, Inc. -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -const ( - case3ConfigPolicyNameCSV string = "policy-imagemanifestvulnpolicy-example-csv" - case3ConfigPolicyNameSub string = "policy-imagemanifestvulnpolicy-example-sub" - case3ConfigPolicyNameVuln string = "policy-imagemanifestvulnpolicy-example-imv" - case3ConfigPolicyNameVulnObj string = "policy-imagemanifestvulnpolicy-example-imv-obj" - case3PolicyYamlCSV string = "../resources/case3_imgvuln/case3_csv.yaml" - case3PolicyYamlSub string = "../resources/case3_imgvuln/case3_subscription.yaml" - case3PolicyYamlVuln string = "../resources/case3_imgvuln/case3_vuln.yaml" - case3PolicyYamlVulnObj string = "../resources/case3_imgvuln/case3_vuln_object.yaml" -) - -var _ = Describe("Test img vulnerability obj template handling", func() { - Describe("Create a clusterserviceversion on managed cluster in ns:"+testNamespace, func() { - It("should be created properly on the managed cluster", func() { - By("Creating " + case3ConfigPolicyNameCSV + " on managed") - utils.Kubectl("apply", "-f", case3PolicyYamlCSV, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case3ConfigPolicyNameCSV, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case3ConfigPolicyNameCSV, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - - deleteConfigPolicies([]string{case3ConfigPolicyNameCSV}) - }) - It("should check for a subscription on managed cluster", func() { - By("Creating " + case3ConfigPolicyNameSub + " on managed") - utils.Kubectl("apply", "-f", case3PolicyYamlSub, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case3ConfigPolicyNameSub, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case3ConfigPolicyNameSub, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - - deleteConfigPolicies([]string{case3ConfigPolicyNameSub}) - }) - It("should be noncompliant for no CRD found (kind)", func() { - By("Creating " + case3ConfigPolicyNameVuln + " on managed") - utils.Kubectl("apply", "-f", case3PolicyYamlVuln, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case3ConfigPolicyNameVuln, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case3ConfigPolicyNameVuln, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - Consistently(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case3ConfigPolicyNameVuln, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, 20, 1).Should(Equal("NonCompliant")) - - deleteConfigPolicies([]string{case3ConfigPolicyNameVuln}) - }) - It("should be noncompliant for no CRD found (object)", func() { - By("Creating " + case3ConfigPolicyNameVulnObj + " on managed") - utils.Kubectl("apply", "-f", case3PolicyYamlVulnObj, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case3ConfigPolicyNameVulnObj, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case3ConfigPolicyNameVulnObj, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - Consistently(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case3ConfigPolicyNameVulnObj, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, 20, 1).Should(Equal("NonCompliant")) - - deleteConfigPolicies([]string{case3ConfigPolicyNameVulnObj}) - }) - }) -}) diff --git a/test/e2e/case4_clusterversion_test.go b/test/e2e/case4_clusterversion_test.go deleted file mode 100644 index a9b08e13..00000000 --- a/test/e2e/case4_clusterversion_test.go +++ /dev/null @@ -1,75 +0,0 @@ -// Copyright (c) 2020 Red Hat, Inc. -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -const ( - case4ConfigPolicyName string = "openshift-upgrade-channel-e2e" - case4PolicyYaml string = "../resources/case4_clusterversion/case4_clusterversion_create.yaml" - case4ConfigPolicyNameInform string = "openshift-upgrade-channel-inform" - case4PolicyYamlInform string = "../resources/case4_clusterversion/case4_clusterversion_inform.yaml" - case4ConfigPolicyNamePatch string = "openshift-upgrade-channel-patch" - case4PolicyYamlPatch string = "../resources/case4_clusterversion/case4_clusterversion_patch.yaml" -) - -var _ = Describe("Test cluster version obj template handling", func() { - Describe("enforce patch on unnamespaced resource clusterversion "+testNamespace, func() { - It("should be created properly on the managed cluster", func() { - By("Creating " + case4ConfigPolicyName + " on managed") - utils.Kubectl("apply", "-f", case4PolicyYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case4ConfigPolicyName, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case4ConfigPolicyName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - utils.Kubectl("delete", "configurationpolicy", case4ConfigPolicyName, "-n", testNamespace) - }) - It("should be patched properly on the managed cluster", func() { - By("Creating " + case4ConfigPolicyNamePatch + " on managed") - utils.Kubectl("apply", "-f", case4PolicyYamlPatch, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case4ConfigPolicyNamePatch, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case4ConfigPolicyNamePatch, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("should be generate status properly for cluster-level resources", func() { - By("Creating " + case4ConfigPolicyNameInform + " on managed") - utils.Kubectl("apply", "-f", case4PolicyYamlInform, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case4ConfigPolicyNameInform, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case4ConfigPolicyNameInform, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetStatusMessage(managedPlc) - }, 120, 1).Should(Equal( - "clusterversions [version] found as specified, therefore this Object template is compliant")) - }) - It("Cleans up", func() { - policies := []string{ - case4ConfigPolicyName, - case4ConfigPolicyNameInform, - case4ConfigPolicyNamePatch, - } - - deleteConfigPolicies(policies) - }) - }) -}) diff --git a/test/e2e/case5_multi_test.go b/test/e2e/case5_multi_test.go deleted file mode 100644 index 7fcaa9e6..00000000 --- a/test/e2e/case5_multi_test.go +++ /dev/null @@ -1,90 +0,0 @@ -// Copyright (c) 2020 Red Hat, Inc. -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -const ( - case5ConfigPolicyNameInform string = "policy-pod-multi-mh" - case5ConfigPolicyNameEnforce string = "policy-pod-multi-create" - case5ConfigPolicyNameCombo string = "policy-pod-multi-combo" - case5PodName1 string = "nginx-pod-1" - case5PodName2 string = "nginx-pod-1" - case5InformYaml string = "../resources/case5_multi/case5_multi_mh.yaml" - case5EnforceYaml string = "../resources/case5_multi/case5_multi_enforce.yaml" - case5ComboYaml string = "../resources/case5_multi/case5_multi_combo.yaml" -) - -var _ = Describe("Test multiple obj template handling", func() { - Describe("Create a policy on managed cluster in ns:"+testNamespace, func() { - It("should be created properly on the managed cluster", func() { - By("Creating " + case5ConfigPolicyNameInform + " and " + case5ConfigPolicyNameCombo + " on managed") - utils.Kubectl("apply", "-f", case5InformYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case5ConfigPolicyNameInform, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case5ConfigPolicyNameInform, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - utils.Kubectl("apply", "-f", case5ComboYaml, "-n", testNamespace) - plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case5ConfigPolicyNameCombo, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case5ConfigPolicyNameCombo, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - }) - It("should create pods on managed cluster", func() { - By("creating " + case5ConfigPolicyNameEnforce + " on hub with spec.remediationAction = enforce") - utils.Kubectl("apply", "-f", case5EnforceYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case5ConfigPolicyNameEnforce, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case5ConfigPolicyNameEnforce, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - Eventually(func() interface{} { - informPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case5ConfigPolicyNameInform, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(informPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - Eventually(func() interface{} { - comboPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case5ConfigPolicyNameCombo, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(comboPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - pod1 := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - case5PodName1, "default", true, defaultTimeoutSeconds) - Expect(pod1).NotTo(BeNil()) - pod2 := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - case5PodName2, "default", true, defaultTimeoutSeconds) - Expect(pod2).NotTo(BeNil()) - }) - It("Cleans up", func() { - policies := []string{ - case5ConfigPolicyNameInform, - case5ConfigPolicyNameEnforce, - case5ConfigPolicyNameCombo, - } - - deleteConfigPolicies(policies) - }) - }) -}) diff --git a/test/e2e/case6_no_ns_test.go b/test/e2e/case6_no_ns_test.go deleted file mode 100644 index 68741949..00000000 --- a/test/e2e/case6_no_ns_test.go +++ /dev/null @@ -1,78 +0,0 @@ -// Copyright (c) 2020 Red Hat, Inc. -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -const ( - case6ConfigPolicyNameNS string = "policy-ns" - case6ConfigPolicyNameRole string = "role-policy-no-ns" - case6ConfigPolicyNameCombo string = "policy-combo-no-ns" - case6NSName1 string = "e2etest" - case6NSName2 string = "e2etest2" - case6NSYaml string = "../resources/case6_no_ns/case6_create_ns.yaml" - case6RoleYaml string = "../resources/case6_no_ns/case6_create_role.yaml" - case6ComboYaml string = "../resources/case6_no_ns/case6_combo.yaml" -) - -var _ = Describe("Test multiple obj template handling", func() { - Describe("Create a policy on managed cluster in ns:"+testNamespace, func() { - It("should create a violation if the object should be namespaced", func() { - By("Creating policies on managed") - utils.Kubectl("apply", "-f", case6RoleYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case6ConfigPolicyNameRole, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case6ConfigPolicyNameRole, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - }) - It("should create pods on managed cluster", func() { - By("creating cluster level objects") - utils.Kubectl("apply", "-f", case6NSYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case6ConfigPolicyNameNS, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case6ConfigPolicyNameNS, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - utils.Kubectl("apply", "-f", case6ComboYaml, "-n", testNamespace) - plc = utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case6ConfigPolicyNameCombo, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - comboPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case6ConfigPolicyNameCombo, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(comboPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - ns1 := utils.GetClusterLevelWithTimeout(clientManagedDynamic, gvrNS, - case6NSName1, true, defaultTimeoutSeconds) - Expect(ns1).NotTo(BeNil()) - ns2 := utils.GetClusterLevelWithTimeout(clientManagedDynamic, gvrNS, - case6NSName2, true, defaultTimeoutSeconds) - Expect(ns2).NotTo(BeNil()) - }) - It("Cleans up", func() { - policies := []string{ - case6ConfigPolicyNameNS, - case6ConfigPolicyNameRole, - case6ConfigPolicyNameCombo, - } - - deleteConfigPolicies(policies) - }) - }) -}) diff --git a/test/e2e/case7_no_spec_test.go b/test/e2e/case7_no_spec_test.go deleted file mode 100644 index 7b18b616..00000000 --- a/test/e2e/case7_no_spec_test.go +++ /dev/null @@ -1,193 +0,0 @@ -// Copyright (c) 2020 Red Hat, Inc. -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - "fmt" - - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -const ( - case7ConfigPolicyName string = "policy-securitycontextconstraints-1-sample-restricted-scc" - case7ObjName string = "sample-restricted-scc" - case7PolicyYaml string = "../resources/case7_no_spec/case7_no_spec_enforce.yaml" - case7ConfigPolicyNameNull string = "policy-securitycontextconstraints-1-sample-restricted-scc-null" - case7PolicyYamlNull string = "../resources/case7_no_spec/case7_no_spec_enforce_null.yaml" - case7ConfigPolicyNameInvalid string = "policy-securitycontextconstraints-1-sample-restricted-scc-invalid" - case7PolicyYamlInvalid string = "../resources/case7_no_spec/case7_no_spec_invalid_type.yaml" - //nolint:lll - case7ConfigPolicyNameInvalidInform string = "policy-securitycontextconstraints-1-sample-restricted-scc-invalid-inform" - case7PolicyYamlInvalidInform string = "../resources/case7_no_spec/case7_no_spec_invalid_type_inform.yaml" -) - -var expectedObj = map[string]interface{}{ - "allowHostDirVolumePlugin": false, - "allowHostIPC": false, - "allowHostNetwork": false, - "allowHostPID": false, - "allowHostPorts": false, - "allowPrivilegeEscalation": true, - "allowPrivilegedContainer": false, - "allowedCapabilities": []string{}, - "apiVersion": "security.openshift.io/v1", - "defaultAddCapabilities": []string{}, - "fsGroup": map[string]string{ - "type": "MustRunAs", - }, - "groups": []string{ - "system:authenticated", - }, - "kind": "SecurityContextConstraints", - "priority": int64(10), - "readOnlyRootFilesystem": false, - "requiredDropCapabilities": []string{ - "KILL", - "MKNOD", - "SETUID", - "SETGID", - }, - "runAsUser": map[string]string{ - "type": "MustRunAsRange", - }, - "seLinuxContext": map[string]string{ - "type": "MustRunAs", - }, - "supplementalGroups": map[string]string{ - "type": "RunAsAny", - }, - "users": []interface{}{}, - "volumes": []string{ - "configMap", - "downwardAPI", - "emptyDir", - "persistentVolumeClaim", - "projected", - "secret", - }, -} - -// GetPriority parses status field of object to get priority, a nullable field. -// if updateTemplate fails the field will be null -func matchToExpected(managedPlc *unstructured.Unstructured) (result bool) { - createdObj := managedPlc.Object - r := true - - for key, val := range expectedObj { - if fmt.Sprintf("%v", createdObj[key]) != fmt.Sprintf("%v", val) { - r = false - } - } - - return r -} - -var _ = Describe("Test cluster version obj template handling", func() { - Describe("create scc policy in namespace "+testNamespace, func() { - It("should be created properly on the managed cluster", func() { - By("Creating " + case7ConfigPolicyName + " on managed") - utils.Kubectl("apply", "-f", case7PolicyYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case7ConfigPolicyName, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case7ConfigPolicyName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - utils.Kubectl("delete", "configurationpolicy", case7ConfigPolicyName, "-n", testNamespace) - }) - It("should handle nullable fields properly", func() { - Consistently(func() interface{} { - managedObj := utils.GetClusterLevelWithTimeout(clientManagedDynamic, gvrSCC, - case7ObjName, true, defaultTimeoutSeconds) - - return matchToExpected(managedObj) - }, defaultTimeoutSeconds, 1).Should(Equal(true)) - }) - It("should handle change field to null", func() { - By("Creating " + case7ConfigPolicyNameNull + " on managed") - utils.Kubectl("apply", "-f", case7PolicyYamlNull, "-n", testNamespace, "--validate=false") - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case7ConfigPolicyNameNull, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case7ConfigPolicyNameNull, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - utils.Kubectl("delete", "configurationpolicy", case7ConfigPolicyNameNull, "-n", testNamespace) - expectedObj["priority"] = nil - Eventually(func() interface{} { - managedObj := utils.GetClusterLevelWithTimeout(clientManagedDynamic, gvrSCC, - case7ObjName, true, defaultTimeoutSeconds) - - return matchToExpected(managedObj) - }, defaultTimeoutSeconds, 1).Should(Equal(true)) - }) - It("should change field back to 10", func() { - By("Creating " + case7ConfigPolicyName + " on managed") - utils.Kubectl("apply", "-f", case7PolicyYaml, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case7ConfigPolicyName, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case7ConfigPolicyName, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - expectedObj["priority"] = int64(10) - Eventually(func() interface{} { - managedObj := utils.GetClusterLevelWithTimeout(clientManagedDynamic, gvrSCC, - case7ObjName, true, defaultTimeoutSeconds) - - return matchToExpected(managedObj) - }, defaultTimeoutSeconds, 1).Should(Equal(true)) - utils.Kubectl("delete", "configurationpolicy", case7ConfigPolicyName, "-n", testNamespace) - }) - It("should generate violation if field type is invalid (enforce)", func() { - By("Creating " + case7ConfigPolicyNameInvalid + " on managed") - utils.Kubectl("apply", "-f", case7PolicyYamlInvalid, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case7ConfigPolicyNameInvalid, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case7ConfigPolicyNameInvalid, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - }) - It("should generate violation if field type is invalid (inform)", func() { - By("Creating " + case7ConfigPolicyNameInvalidInform + " on managed") - utils.Kubectl("apply", "-f", case7PolicyYamlInvalidInform, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case7ConfigPolicyNameInvalidInform, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case7ConfigPolicyNameInvalidInform, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - }) - It("Cleans up", func() { - policies := []string{ - case7ConfigPolicyName, - case7ConfigPolicyNameNull, - case7ConfigPolicyNameInvalid, - case7ConfigPolicyNameInvalidInform, - } - - deleteConfigPolicies(policies) - }) - }) -}) diff --git a/test/e2e/case8_status_check_test.go b/test/e2e/case8_status_check_test.go deleted file mode 100644 index 4ac3993e..00000000 --- a/test/e2e/case8_status_check_test.go +++ /dev/null @@ -1,151 +0,0 @@ -// Copyright (c) 2020 Red Hat, Inc. -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -const ( - case8ConfigPolicyNamePod string = "policy-pod-to-check" - case8ConfigPolicyNameCheck string = "policy-status-checker" - case8ConfigPolicyNameCheckFail string = "policy-status-checker-fail" - case8ConfigPolicyNameEnforceFail string = "policy-status-enforce-fail" - case8PolicyYamlPod string = "../resources/case8_status_check/case8_pod.yaml" - case8PolicyYamlCheck string = "../resources/case8_status_check/case8_status_check.yaml" - case8PolicyYamlCheckFail string = "../resources/case8_status_check/case8_status_check_fail.yaml" - case8PolicyYamlEnforceFail string = "../resources/case8_status_check/case8_status_enforce_fail.yaml" - case8ConfigPolicyStatusPod string = "policy-pod-invalid" - case8PolicyYamlBadPod string = "../resources/case8_status_check/case8_pod_fail.yaml" - case8PolicyYamlSpecChange string = "../resources/case8_status_check/case8_pod_change.yaml" -) - -var _ = Describe("Test pod obj template handling", func() { - Describe("Create a policy on managed cluster in ns:"+testNamespace, func() { - It("should create a policy properly on the managed cluster", func() { - By("Creating " + case8ConfigPolicyNamePod + " on managed") - utils.Kubectl("apply", "-f", case8PolicyYamlPod, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case8ConfigPolicyNamePod, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case8ConfigPolicyNamePod, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("should check status of the created policy", func() { - By("Creating " + case8ConfigPolicyNameCheck + " on managed") - utils.Kubectl("apply", "-f", case8PolicyYamlCheck, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case8ConfigPolicyNameCheck, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case8ConfigPolicyNameCheck, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("should return nonCompliant if status does not match", func() { - By("Creating " + case8ConfigPolicyNameCheckFail + " on managed") - utils.Kubectl("apply", "-f", case8PolicyYamlCheckFail, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case8ConfigPolicyNameCheckFail, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case8ConfigPolicyNameCheckFail, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - }) - It("should return nonCompliant if status does not match (enforce)", func() { - By("Creating " + case8ConfigPolicyNameEnforceFail + " on managed") - utils.Kubectl("apply", "-f", case8PolicyYamlEnforceFail, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case8ConfigPolicyNameEnforceFail, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case8ConfigPolicyNameEnforceFail, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - }) - It("Cleans up", func() { - policies := []string{ - case8ConfigPolicyNamePod, - case8ConfigPolicyNameCheck, - case8ConfigPolicyNameCheckFail, - case8ConfigPolicyNameEnforceFail, - } - - deleteConfigPolicies(policies) - }) - }) - Describe("Create a policy with status on managed cluster in ns:"+testNamespace, func() { - It("should create a policy properly on the managed cluster", func() { - By("Creating " + case8ConfigPolicyStatusPod + " on managed") - utils.Kubectl("apply", "-f", case8PolicyYamlBadPod, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case8ConfigPolicyStatusPod, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case8ConfigPolicyStatusPod, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - Eventually(func() interface{} { - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - "nginx-badpod-e2e-8", "default", true, defaultTimeoutSeconds) - - return pod.Object["status"].(map[string]interface{})["phase"] - }, defaultTimeoutSeconds, 1).Should(Equal("Pending")) - }) - It("should be able to apply spec change and status does not interfere", func() { - By("Merging change to " + case8ConfigPolicyStatusPod + " on managed") - utils.Kubectl("apply", "-f", case8PolicyYamlSpecChange, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case8ConfigPolicyStatusPod, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case8ConfigPolicyStatusPod, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - Eventually(func() interface{} { - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - "nginx-badpod-e2e-8", "default", true, defaultTimeoutSeconds) - - return pod.Object["spec"].(map[string]interface{})["activeDeadlineSeconds"] - }, defaultTimeoutSeconds, 1).Should(Equal(int64(10))) - Eventually(func() interface{} { - pod := utils.GetWithTimeout(clientManagedDynamic, gvrPod, - "nginx-badpod-e2e-8", "default", true, defaultTimeoutSeconds) - - return pod.Object["status"].(map[string]interface{})["phase"] - }, defaultTimeoutSeconds, 1).Should(Equal("Failed")) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case8ConfigPolicyStatusPod, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("Cleans up", func() { - policies := []string{ - case8ConfigPolicyStatusPod, - } - - deleteConfigPolicies(policies) - }) - }) -}) diff --git a/test/e2e/case9_md_check_test.go b/test/e2e/case9_md_check_test.go deleted file mode 100644 index 866838aa..00000000 --- a/test/e2e/case9_md_check_test.go +++ /dev/null @@ -1,216 +0,0 @@ -// Copyright (c) 2020 Red Hat, Inc. -// Copyright Contributors to the Open Cluster Management project - -package e2e - -import ( - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - - "open-cluster-management.io/config-policy-controller/test/utils" -) - -const ( - case9ConfigPolicyNamePod string = "policy-pod-c9-create" - case9ConfigPolicyNameAnno string = "policy-pod-anno" - case9ConfigPolicyNameNoAnno string = "policy-pod-no-anno" - case9ConfigPolicyNameLabelPatch string = "policy-label-patch" - case9ConfigPolicyNameLabelCheck string = "policy-label-check" - case9ConfigPolicyNameLabelAuto string = "policy-label-check-auto" - case9ConfigPolicyNameNSCreate string = "policy-c9-create-ns" - case9ConfigPolicyNameIgnoreLabels string = "policy-ignore-labels" - case9MultiAnnoNSCreate string = "policy-create-ns-multiple-annotations" - case9CheckNSMusthave string = "policy-check-ns-mdcomptype-mh" - case9CheckNSMustonlyhave string = "policy-check-ns-mdcomptype-moh" - case9PolicyYamlPod string = "../resources/case9_md_check/case9_pod_create.yaml" - case9PolicyYamlAnno string = "../resources/case9_md_check/case9_annos.yaml" - case9PolicyYamlNoAnno string = "../resources/case9_md_check/case9_no_annos.yaml" - case9PolicyYamlLabelPatch string = "../resources/case9_md_check/case9_label_patch.yaml" - case9PolicyYamlLabelCheck string = "../resources/case9_md_check/case9_label_check.yaml" - case9PolicyYamlLabelAuto string = "../resources/case9_md_check/case9_label_check_auto.yaml" - case9PolicyYamlIgnoreLabels string = "../resources/case9_md_check/case9_mustonlyhave_nolabels.yaml" - case9PolicyYamlNSCreate string = "../resources/case9_md_check/case9_ns_create.yaml" - case9PolicyYamlMultiAnnoNSCreate string = "../resources/case9_md_check/case9_multianno_ns_create.yaml" - case9PolicyYamlCheckNSMusthave string = "../resources/case9_md_check/case9_checkns-md-mh.yaml" - case9PolicyYamlCheckNSMustonlyhave string = "../resources/case9_md_check/case9_checkns-md-moh.yaml" -) - -var _ = Describe("Test pod obj template handling", func() { - Describe("Create a pod policy on managed cluster in ns:"+testNamespace, func() { - It("should create a policy properly on the managed cluster", func() { - By("Creating " + case9ConfigPolicyNamePod + " on managed") - utils.Kubectl("apply", "-f", case9PolicyYamlPod, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9ConfigPolicyNamePod, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9ConfigPolicyNamePod, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("should check annotations of the created policy", func() { - By("Creating " + case9ConfigPolicyNameAnno + " on managed") - utils.Kubectl("apply", "-f", case9PolicyYamlAnno, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9ConfigPolicyNameAnno, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9ConfigPolicyNameAnno, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - }) - It("should return compliant if lack of annotations matches", func() { - By("Creating " + case9ConfigPolicyNameNoAnno + " on managed") - utils.Kubectl("apply", "-f", case9PolicyYamlNoAnno, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9ConfigPolicyNameNoAnno, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9ConfigPolicyNameNoAnno, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("should patch labels/annotations properly if enforce", func() { - By("Creating " + case9ConfigPolicyNameLabelPatch + " on managed") - utils.Kubectl("apply", "-f", case9PolicyYamlLabelPatch, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9ConfigPolicyNameLabelPatch, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9ConfigPolicyNameLabelPatch, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("should patch verify the patched label exists as expected", func() { - By("Creating " + case9ConfigPolicyNameLabelCheck + " on managed") - utils.Kubectl("apply", "-f", case9PolicyYamlLabelCheck, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9ConfigPolicyNameLabelCheck, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9ConfigPolicyNameLabelCheck, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("should ignore autogenerated annotations", func() { - By("Creating " + case9ConfigPolicyNameLabelAuto + " on managed") - utils.Kubectl("apply", "-f", case9PolicyYamlLabelAuto, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9ConfigPolicyNameLabelAuto, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9ConfigPolicyNameLabelAuto, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("should create a namespace with labels and annotations", func() { - By("Creating " + case9ConfigPolicyNameNSCreate + " on managed") - utils.Kubectl("apply", "-f", case9PolicyYamlNSCreate, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9ConfigPolicyNameNSCreate, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9ConfigPolicyNameNSCreate, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("should ignore labels and annotations if none are specified in the template", func() { - By("Creating " + case9ConfigPolicyNameIgnoreLabels + " on managed") - utils.Kubectl("apply", "-f", case9PolicyYamlIgnoreLabels, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9ConfigPolicyNameIgnoreLabels, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9ConfigPolicyNameIgnoreLabels, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - }) - It("Cleans up", func() { - policies := []string{ - case9ConfigPolicyNamePod, - case9ConfigPolicyNameAnno, - case9ConfigPolicyNameNoAnno, - case9ConfigPolicyNameLabelPatch, - case9ConfigPolicyNameLabelCheck, - case9ConfigPolicyNameLabelAuto, - case9ConfigPolicyNameNSCreate, - case9ConfigPolicyNameIgnoreLabels, - } - - deleteConfigPolicies(policies) - }) - }) - Describe("Create a namespace policy on managed cluster in ns:"+testNamespace, func() { - It("should create a namespace with multiple annotations on the managed cluster", func() { - By("Creating " + case9MultiAnnoNSCreate + " on managed") - utils.Kubectl("apply", "-f", case9PolicyYamlMultiAnnoNSCreate, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9MultiAnnoNSCreate, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9MultiAnnoNSCreate, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - utils.Kubectl("delete", "configurationpolicy", case9MultiAnnoNSCreate, "-n", testNamespace) - }) - It("should be compliant if metadataComplianceType is musthave", func() { - By("Creating " + case9CheckNSMusthave + " on managed") - utils.Kubectl("apply", "-f", case9PolicyYamlCheckNSMusthave, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9CheckNSMusthave, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9CheckNSMusthave, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("Compliant")) - utils.Kubectl("delete", "configurationpolicy", case9CheckNSMusthave, "-n", testNamespace) - }) - It("should return noncompliant if metadataComplianceType is mustonlyhave", func() { - By("Creating " + case9CheckNSMustonlyhave + " on managed") - utils.Kubectl("apply", "-f", case9PolicyYamlCheckNSMustonlyhave, "-n", testNamespace) - plc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9CheckNSMustonlyhave, testNamespace, true, defaultTimeoutSeconds) - Expect(plc).NotTo(BeNil()) - Eventually(func() interface{} { - managedPlc := utils.GetWithTimeout(clientManagedDynamic, gvrConfigPolicy, - case9CheckNSMustonlyhave, testNamespace, true, defaultTimeoutSeconds) - - return utils.GetComplianceState(managedPlc) - }, defaultTimeoutSeconds, 1).Should(Equal("NonCompliant")) - utils.Kubectl("delete", "configurationpolicy", case9CheckNSMustonlyhave, "-n", testNamespace) - }) - It("should clean up the created namespace", func() { - By("Deleting the namespace from " + case9MultiAnnoNSCreate) - utils.Kubectl("delete", "ns", "case9-test-multi-annotation") - }) - It("Cleans up", func() { - policies := []string{ - case9MultiAnnoNSCreate, - case9CheckNSMusthave, - case9CheckNSMustonlyhave, - } - - deleteConfigPolicies(policies) - }) - }) -})