adding bats tests

Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
open-policy-agent · Jul 24, 2024 · 5800127 · 5800127
1 parent 11c8ea0
commit 5800127
Show file tree

Hide file tree

Showing 6 changed files with 110 additions and 4 deletions.
diff --git a/pkg/controller/constraint/constraint_controller.go b/pkg/controller/constraint/constraint_controller.go
@@ -303,8 +303,9 @@ func (r *ReconcileConstraint) Reconcile(ctx context.Context, request reconcile.R
 			generateVAPB, VAPEnforcementActions, err := shouldGenerateVAPB(*DefaultGenerateVAPB, enforcementAction, instance)
 			if err != nil {
 				status.Status.Errors = append(status.Status.Errors, constraintstatusv1beta1.Error{Message: err.Error()})
+				log.Error(err, "could not get enforcement actions for VAP")
 				if err2 := r.writer.Update(ctx, status); err2 != nil {
-					log.Error(err2, "could not get enforcement actions for VAP")
+					log.Error(err2, "could not report error for getting enforcement actions for VAP")
 				}
 				return reconcile.Result{}, err
 			}

diff --git a/test/bats/test.bats b/test/bats/test.bats
@@ -167,6 +167,9 @@ teardown_file() {
 
   kubectl apply -f ${BATS_TESTS_DIR}/templates/k8srequiredlabels_template.yaml
   wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f ${BATS_TESTS_DIR}/constraints/all_cm_must_have_gatekeeper_audit.yaml"
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f ${BATS_TESTS_DIR}/constraints/all_cm_must_have_gatekeeper_scoped_audit.yaml"
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f ${BATS_TESTS_DIR}/constraints/all_cm_must_have_gatekeeper_scoped.yaml"
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f ${BATS_TESTS_DIR}/constraints/all_cm_must_have_gatekeeper_scoped_webhook.yaml"
 }
 
 @test "no ignore label unless namespace is exempt test" {
@@ -206,6 +209,15 @@ teardown_file() {
   kubectl apply -f ${BATS_TESTS_DIR}/bad/bad_cm.yaml
 
   kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/bad/bad_cm.yaml
+
+  # deploying a violation to get rejected with scoped enforcement actions
+  run kubectl apply -f ${BATS_TESTS_DIR}/bad/bad_cm_scoped.yaml
+
+  assert_match 'Warning' "${output}"
+  assert_match 'denied the request' "${output}"
+  assert_failure
+
+  kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/bad/bad_cm_scoped.yaml
 }
 
 @test "container limits test" {
@@ -266,6 +278,88 @@ __required_labels_audit_test() {
     echo "Audit entry count is ${audit_entries}, wanted ${expected}"
     return 3
   fi
+
+  local cstr="$(kubectl get k8srequiredlabels.constraints.gatekeeper.sh cm-must-have-gk-scoped -ojson)"
+  if [[ $? -ne 0 ]]; then
+    echo "error retrieving constraint"
+    return 1
+  fi
+
+  echo "${cstr}"
+
+  local total_violations=$(echo "${cstr}" | jq '.status.totalViolations')
+  if [[ "${total_violations}" -ne "${expected}" ]]; then
+    echo "totalViolations is ${total_violations}, wanted ${expected}"
+    return 2
+  fi
+
+  local audit_entries=$(echo "${cstr}" | jq '.status.violations | length')
+  if [[ "${audit_entries}" -ne "${expected}" ]]; then
+    echo "Audit entry count is ${audit_entries}, wanted ${expected}"
+    return 3
+  fi
+
+  local violations=$(echo "${cstr}" | jq -r '.status.violations[].enforcementAction')
+  local match=true
+
+  for violation in $violations; do
+    if [[ "${violation}" != "deny" ]]; then
+      echo "Mismatch found: Enforcement action is ${violation}, expected deny"
+      match=false
+    fi
+  done
+
+  if [[ "${match}" == "false" ]]; then
+    return 3
+  fi
+
+  local cstr="$(kubectl get k8srequiredlabels.constraints.gatekeeper.sh cm-must-have-gk-scoped-audit -ojson)"
+  if [[ $? -ne 0 ]]; then
+    echo "error retrieving constraint"
+    return 1
+  fi
+
+  echo "${cstr}"
+
+  local total_violations=$(echo "${cstr}" | jq '.status.totalViolations')
+  if [[ "${total_violations}" -ne "${expected}" ]]; then
+    echo "totalViolations is ${total_violations}, wanted ${expected}"
+    return 2
+  fi
+
+  local audit_entries=$(echo "${cstr}" | jq '.status.violations | length')
+  if [[ "${audit_entries}" -ne "${expected}" ]]; then
+    echo "Audit entry count is ${audit_entries}, wanted ${expected}"
+    return 3
+  fi
+
+  local violations=$(echo "${cstr}" | jq -r '.status.violations[].enforcementAction')
+  local match=true
+
+  for violation in $violations; do
+    if [[ "${violation}" != "warn" ]]; then
+      echo "Mismatch found: Enforcement action is ${violation}, expected warn"
+      match=false
+    fi
+  done
+
+  if [[ "${match}" == "false" ]]; then
+    return 3
+  fi
+
+  local cstr="$(kubectl get k8srequiredlabels.constraints.gatekeeper.sh cm-must-have-gk-scoped-webhook -ojson)"
+  if [[ $? -ne 0 ]]; then
+    echo "error retrieving constraint"
+    return 1
+  fi
+
+  echo "${cstr}"
+
+  local total_violations=$(echo "${cstr}" | jq '.status.totalViolations')
+  if [[ "${total_violations}" -ne "0" ]]; then
+    echo "totalViolations is ${total_violations}, wanted 0"
+    return 2
+  fi
 }
 
 @test "required labels audit test" {

diff --git a/test/bats/tests/bad/bad_cm_scoped.yaml b/test/bats/tests/bad/bad_cm_scoped.yaml
@@ -2,4 +2,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   namespace: gatekeeper-test-playground-scoped
-  name: bad-cm
+  name: bad-cm-scoped
+  labels:
+    test.gatekeeper.sh/audit: "yes"
diff --git a/test/bats/tests/constraints/all_cm_must_have_gatekeeper_scoped.yaml b/test/bats/tests/constraints/all_cm_must_have_gatekeeper_scoped.yaml
@@ -12,9 +12,12 @@ spec:
         - name: audit.gatekeeper.sh
     - action: warn
       enforcementPoints:
-        - name: webhook.gatekeeper.sh
+        - name: validation.gatekeeper.sh
   match:
     namespaces: ["gatekeeper-test-playground-scoped"]
+    labelSelector:
+      matchLabels:
+        test.gatekeeper.sh/audit: "yes"
     kinds:
       - apiGroups: [""]
         kinds: ["ConfigMap"]

diff --git a/test/bats/tests/constraints/all_cm_must_have_gatekeeper_scoped_audit.yaml b/test/bats/tests/constraints/all_cm_must_have_gatekeeper_scoped_audit.yaml
@@ -12,6 +12,9 @@ spec:
         - name: audit.gatekeeper.sh
   match:
     namespaces: ["gatekeeper-test-playground-scoped"]
+    labelSelector:
+      matchLabels:
+        test.gatekeeper.sh/audit: "yes"
     kinds:
       - apiGroups: [""]
         kinds: ["ConfigMap"]

diff --git a/test/bats/tests/constraints/all_cm_must_have_gatekeeper_scoped_webhook.yaml b/test/bats/tests/constraints/all_cm_must_have_gatekeeper_scoped_webhook.yaml
@@ -9,9 +9,12 @@ spec:
   scopedEnforcementActions:
     - action: deny
       enforcementPoints:
-        - name: webhook.gatekeeper.sh
+        - name: validation.gatekeeper.sh
   match:
     namespaces: ["gatekeeper-test-playground-scoped"]
+    labelSelector:
+      matchLabels:
+        test.gatekeeper.sh/audit: "yes"
     kinds:
       - apiGroups: [""]
         kinds: ["ConfigMap"]