fix missing resources & failing tests, update CI

* new make target for running tests * removed kubeval & added kubeconform. See: instrumenta/kubeval#268 (comment) * use newer conftest install instructions * fix version flag
coopernetes · Feb 20, 2023 · 1c7367b · 1c7367b
1 parent 41b9fba
commit 1c7367b
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 20 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -18,12 +18,13 @@ jobs:
             curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh
             dep ensure
         fi
+        make test
         make install
-        curl -fsSLO https://github.com/open-policy-agent/conftest/releases/download/v0.30.0/conftest_0.30.0_Linux_x86_64.tar.gz
-        tar -C /usr/local/bin -xzvf conftest_0.30.0_Linux_x86_64.tar.gz
-        wget -q https://github.com/instrumenta/kubeval/releases/latest/download/kubeval-linux-amd64.tar.gz
-        tar xf kubeval-linux-amd64.tar.gz
-        sudo cp kubeval /usr/local/bin
+        LATEST_VERSION=$(wget -O - "https://api.github.com/repos/open-policy-agent/conftest/releases/latest" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
+        wget "https://github.com/open-policy-agent/conftest/releases/download/v${LATEST_VERSION}/conftest_${LATEST_VERSION}_Linux_x86_64.tar.gz"
+        tar xzf conftest_${LATEST_VERSION}_Linux_x86_64.tar.gz
+        sudo mv conftest /usr/local/bin
+        go install github.com/yannh/kubeconform/cmd/kubeconform@latest
     - name: Setup kind
       uses: engineerd/setup-kind@v0.5.0
       with:

diff --git a/Makefile b/Makefile
@@ -15,16 +15,20 @@ LDFLAGS=-ldflags "-X=main.Version=$(VERSION) -X=main.Build=$(BUILD)"
 # go source files, ignore vendor directory
 SRC = $(shell find . -type f -name '*.go' -not -path "./vendor/*")
 
-.PHONY: all build clean install uninstall fmt simplify check run
+.PHONY: all build test clean install uninstall fmt simplify check run
 
 all: check install
 
 $(TARGET): $(SRC)
-	@go build $(LDFLAGS) -o $(TARGET) cmd/rolegen/main.go
+	@go build $(LDFLAGS) -o $(TARGET) $(MAIN)/main.go
 
 build: $(TARGET)
 	@true
 
+test:
+	go test ./...
+	tests/e2e_tests.sh
+
 clean:
 	@rm -f $(TARGET)
 

diff --git a/cmd/kube-role-gen/main.go b/cmd/kube-role-gen/main.go
@@ -22,7 +22,7 @@ func main() {
 	kubeconfig := flag.String("kubeconfig", "", "absolute path to the kubeconfig file. "+
 		"If set, this will override the default behavior and "+
 		"ignore KUBECONFIG environment variable and/or $HOME/.kube/config file location.")
-	printVersion := flag.Bool("printVersion", false, "Print version info")
+	printVersion := flag.Bool("version", false, "Print version info")
 	flag.Parse()
 	if *printVersion {
 		fmt.Println(Version)

diff --git a/pkg/k8s/rbac.go b/pkg/k8s/rbac.go
@@ -9,6 +9,7 @@ import (
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"log"
+	"sort"
 	"strings"
 )
 
@@ -26,10 +27,7 @@ func CreateGranularRole(apiResourceList []*metav1.APIResourceList, name string,
 			log.Printf("Group %s contains %d resources", resourceList.GroupVersion, len(resourceList.APIResources))
 		}
 		groupName := extractGroupFromVersion(resourceList.GroupVersion)
-		oMap.Set(groupName, convertToVerbMap(resourceList.APIResources))
-	}
-	if verbose {
-		log.Print(oMap)
+		oMap.Set(groupName, convertToVerbMap(resourceList.APIResources, verbose))
 	}
 	policyRules := policyRuleByOrderedMap(*oMap)
 	return &rbacv1.ClusterRole{
@@ -51,12 +49,20 @@ func extractGroupFromVersion(groupVersion string) string {
 	return strings.Split(groupVersion, "/")[0]
 }
 
-func convertToVerbMap(resList []metav1.APIResource) map[string][]string {
+func convertToVerbMap(resList []metav1.APIResource, verbose bool) map[string][]string {
 	verbMap := make(map[string][]string)
 	for _, res := range resList {
-		verbKey := strings.Join(res.Verbs, ",")
+		if verbose {
+			log.Printf("Resource: %s - Verbs: %s",
+				res.Name,
+				res.Verbs.String())
+		}
+		verbs := make([]string, len(res.Verbs))
+		copy(verbs, res.Verbs)
+		sort.Strings(verbs)
+		verbKey := strings.Join(verbs, ",")
 		if val, ok := verbMap[verbKey]; ok {
-			val = append(val, res.Name)
+			verbMap[verbKey] = append(val, res.Name)
 		} else {
 			verbMap[verbKey] = []string{res.Name}
 		}

diff --git a/pkg/k8s/rbac_test.go b/pkg/k8s/rbac_test.go
@@ -40,7 +40,7 @@ func TestGatherResources(t *testing.T) {
 	}
 	rList := []metav1.APIResource{*r1, *r2}
 
-	actual := convertToVerbMap(rList)
+	actual := convertToVerbMap(rList, true)
 	expected := map[string][]string{"get,patch": {"test"}, "get,list": {"test2"}}
 
 	if !reflect.DeepEqual(actual, expected) {

diff --git a/tests/e2e_tests.sh b/tests/e2e_tests.sh
@@ -2,18 +2,23 @@
 set -euo pipefail
 IFS=$'\n\t'
 
-kube-role-gen | kubeval -
+kube-role-gen | kubeconform -summary
 kube-role-gen | kubectl apply --validate -f -
 kube-role-gen | conftest test --policy tests/gh-11.rego -
 
 # https://github.com/coopernetes/kube-role-gen/issues/8
-kube-role-gen -json | python -m json.tool 2>&1 > /dev/null
+if command -v python &> /dev/null
+then
+  kube-role-gen -json | python -m json.tool > /dev/null 2>&1
+else
+  kube-role-gen -json | python3 -m json.tool > /dev/null 2>&1
+fi
 
 # https://github.com/coopernetes/kube-role-gen/issues/14
 if [ -f "$HOME/.kube/config" ]; then
     cp $HOME/.kube/config /tmp/test-kubecfg
-    KUBECONFIG=/tmp/test-kubecfg kube-role-gen | kubeval -
-    kube-role-gen -kubeconfig /tmp/test-kubecfg | kubeval -
+    KUBECONFIG=/tmp/test-kubecfg kube-role-gen | kubeconform -summary
+    kube-role-gen -kubeconfig /tmp/test-kubecfg | kubeconform -summary
 fi
 
 kubectl apply --validate=false -f tests/crd.yaml