diff --git a/.circleci/config.yml b/.circleci/config.yml
index 7102f0ff..16764f20 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -30,6 +30,21 @@ references:
 tags:
 ignore: /v.*/
+ chainsaw_configuration: &chainsaw_configuration
+ pre_script: e2e/chainsaw-pre.sh
+ script: e2e/chainsaw-test.sh
+ command_runner_image: quay.io/reactiveops/ci-images:v13-buster
+ enable_docker_layer_caching: true
+ attach-workspace: true
+ requires:
+ - test
+ - snapshot
+ filters:
+ branches:
+ only: /.*/
+ tags:
+ ignore: /v.*/
+
 jobs:
 test:
 docker:
@@ -108,6 +123,19 @@ workflows:
 name: "End-To-End Kubernetes 1.25"
 kind_node_image: "kindest/node:v1.25.3@sha256:f52781bc0d7a19fb6c405c2af83abfeb311f130707a0e219175677e366cc45d1"
 <<: *e2e_configuration
+ - rok8s/kubernetes_e2e_tests:
+ name: "Chainsaw End-To-End Kubernetes 1.23"
+ kind_node_image: "kindest/node:v1.23.13@sha256:ef453bb7c79f0e3caba88d2067d4196f427794086a7d0df8df4f019d5e336b61"
+ <<: *chainsaw_configuration
+ - rok8s/kubernetes_e2e_tests:
+ name: "Chainsaw End-To-End Kubernetes 1.24"
+ kind_node_image: "kindest/node:v1.24.7@sha256:577c630ce8e509131eab1aea12c022190978dd2f745aac5eb1fe65c0807eb315"
+ <<: *chainsaw_configuration
+ - rok8s/kubernetes_e2e_tests:
+ name: "Chainsaw End-To-End Kubernetes 1.25"
+ kind_node_image: "kindest/node:v1.25.3@sha256:f52781bc0d7a19fb6c405c2af83abfeb311f130707a0e219175677e366cc45d1"
+ <<: *chainsaw_configuration
+
 release:
 jobs:
 - build_and_release:
diff --git a/e2e/chainsaw-pre.sh b/e2e/chainsaw-pre.sh
new file mode 100644
index 00000000..ea622d5d
--- /dev/null
+++ b/e2e/chainsaw-pre.sh
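Review bot: In `.circleci/config.yml`, the new `chainsaw_configuration` anchor references `command_runner_image: quay.io/reactiveops/ci-images:v13-buster` by tag only, while every `kind_node_image` in the second hunk is pinned by `@sha256:` digest. That image presumably backs the `e2e-command-runner` container into which `e2e/chainsaw-pre.sh` copies `deploy` and `e2e/chainsaw`, so a re-pushed tag would change what the tests run on without any change in this repository. Consider pinning it the same way, e.g. `command_runner_image: quay.io/reactiveops/ci-images:v13-buster@sha256:<digest of the reviewed image>`. If the existing `e2e_configuration` (outside this hunk) uses the same tag, both should be updated together.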
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+set -e
+
+wget -O /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/v4.35.1/yq_linux_amd64"
+chmod +x /usr/local/bin/yq
+
+if [ -z "$CI_SHA1" ]; then
+ echo "CI_SHA1 not set. Something is wrong"
+ exit 1
+else
+ echo "CI_SHA1: $CI_SHA1"
+fi
+
+printf "\n\n"
+echo "********************************************************************"
+echo "** LOADING IMAGES TO DOCKER AND KIND **"
+echo "********************************************************************"
+printf "\n\n"
+docker load --input /tmp/workspace/docker_save/rbac-manager_${CI_SHA1}-amd64.tar
+export PATH=$(pwd)/bin-kind:$PATH
+kind load docker-image --name e2e quay.io/reactiveops/rbac-manager:${CI_SHA1}-amd64
+printf "\n\n"
+echo "********************************************************************"
+echo "** END LOADING IMAGE **"
+echo "********************************************************************"
+printf "\n\n"
+
+export newImage=quay.io/reactiveops/rbac-manager:${CI_SHA1}-amd64
+yq -i '.spec.template.spec.containers[0].image = env(newImage)' deploy/3_deployment.yaml
+yq -i '.spec.template.spec.containers[0].imagePullPolicy = "IfNotPresent"' deploy/3_deployment.yaml
+cat deploy/3_deployment.yaml
+
+docker cp deploy e2e-command-runner:/
+docker cp e2e/chainsaw e2e-command-runner:/
diff --git a/e2e/chainsaw-test.sh b/e2e/chainsaw-test.sh
new file mode 100755
index 00000000..dfa2818f
--- /dev/null
+++ b/e2e/chainsaw-test.sh
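Review bot: `e2e/chainsaw-pre.sh` downloads `yq` with `wget -O /usr/local/bin/yq …` and marks it executable with no integrity check, so the job trusts whatever the release URL serves at run time; the version in the URL does not protect against a replaced asset or a truncated download. Verify a pinned digest before `chmod +x`, for example `echo "<sha256 of yq_linux_amd64 v4.35.1>  /usr/local/bin/yq" | sha256sum -c -`. The same gap applies to `e2e/chainsaw-test.sh`, which fetches the chainsaw v0.0.9 tarball with `curl -sL`, then extracts and runs it unverified; adding `-f` there would also make an HTTP error fail at the download rather than at `tar`. Separately, `${CI_SHA1}` and `$(pwd)` are expanded unquoted in the `docker load`, `kind load` and `PATH` lines.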
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+BASE_DIR=$(dirname $BASH_SOURCE)
+
+printf "\n\n"
+echo "**************************"
+echo "** Begin E2E Test Setup **"
+echo "**************************"
+printf "\n\n"
+
+set -e
+
+
+printf "\n\n"
+echo "********************************************************************"
+echo "** Install rbac-manager at $CI_SHA1 **"
+echo "********************************************************************"
+printf "\n\n"
+
+kubectl apply -f deploy/
+kubectl -n rbac-manager wait deployment/rbac-manager --timeout=120s --for condition=available
+
+printf "\n\n"
+echo "********************************************************************"
+echo "** Install and run Chainsaw **"
+echo "********************************************************************"
+printf "\n\n"
+
+cd "$BASE_DIR/chainsaw"
+
+curl -sL https://github.com/kyverno/chainsaw/releases/download/v0.0.9/linux_amd64.tar.gz -o linux_amd64.tar.gz
+tar -xvf linux_amd64.tar.gz chainsaw
+
+./chainsaw test
+
+if [ $? -ne 0 ]; then
+ exit 1
+fi
diff --git a/e2e/chainsaw/.chainsaw.yaml b/e2e/chainsaw/.chainsaw.yaml
new file mode 100644
index 00000000..0df1cfa4
--- /dev/null
+++ b/e2e/chainsaw/.chainsaw.yaml
@@ -0,0 +1,10 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/configuration-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Configuration
+metadata:
+ name: congiguration
+spec:
+ parallel: 1
+ fullName: true
+ failFast: false
+ delayBeforeCleanup: 3s
diff --git a/e2e/chainsaw/cluster-role-bindings/chainsaw-test.yaml b/e2e/chainsaw/cluster-role-bindings/chainsaw-test.yaml
new file mode 100644
index 00000000..051c4a0e
--- /dev/null
+++ b/e2e/chainsaw/cluster-role-bindings/chainsaw-test.yaml
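Review bot: In `e2e/chainsaw-test.sh` the trailing `if [ $? -ne 0 ]; then exit 1; fi` can never take its branch, because `set -e` is already active when `./chainsaw test` runs and a non-zero exit ends the script on that line. Drop the block, or state the intent on the call itself with `./chainsaw test || exit 1`. `set -e` is also enabled only after `BASE_DIR=$(dirname $BASH_SOURCE)`, and that expansion is unquoted; moving `set -e` to the top and writing `BASE_DIR="$(dirname "${BASH_SOURCE[0]}")"` would cover both.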
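Review bot: `metadata.name: congiguration` in `e2e/chainsaw/.chainsaw.yaml` looks like a misspelling; suggest `name: configuration`. The `$schema` comment on the first line tracks the `main` branch of kyverno/chainsaw while `e2e/chainsaw-test.sh` runs the v0.0.9 binary, so editor validation may drift from what the pinned binary accepts. Pointing the schema URL at the matching release tag would keep the two aligned, assuming that tag publishes the schema file.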
@@ -0,0 +1,12 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: clusterrolebindings
+spec:
+ steps:
+ - try:
+ - apply:
+ file: resources.yaml
+ - assert:
+ file: expected.yaml
diff --git a/e2e/chainsaw/cluster-role-bindings/expected.yaml b/e2e/chainsaw/cluster-role-bindings/expected.yaml
new file mode 100644
index 00000000..3fe1e408
--- /dev/null
+++ b/e2e/chainsaw/cluster-role-bindings/expected.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ rbac-manager: reactiveops
+ ownerReferences:
+ - apiVersion: rbacmanager.reactiveops.io/v1beta1
+ kind: RBACDefinition
+ name: rbac-manager-definition
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: test-rbac-manager
+subjects:
+- kind: ServiceAccount
+ name: test-rbac-manager
+ namespace: rbac-manager
diff --git a/e2e/chainsaw/cluster-role-bindings/resources.yaml b/e2e/chainsaw/cluster-role-bindings/resources.yaml
new file mode 100644
index 00000000..703f73ae
--- /dev/null
+++ b/e2e/chainsaw/cluster-role-bindings/resources.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbacmanager.reactiveops.io/v1beta1
+kind: RBACDefinition
+metadata:
+ name: rbac-manager-definition
+rbacBindings:
+ - name: admins
+ subjects:
+ - kind: ServiceAccount
+ name: test-rbac-manager
+ namespace: rbac-manager
+ clusterRoleBindings:
+ - clusterRole: test-rbac-manager
diff --git a/e2e/chainsaw/deleted/chainsaw-test.yaml b/e2e/chainsaw/deleted/chainsaw-test.yaml
new file mode 100644
index 00000000..e3a04ccb
--- /dev/null
+++ b/e2e/chainsaw/deleted/chainsaw-test.yaml
@@ -0,0 +1,22 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: clusterrolebindings
+spec:
+ steps:
+ - description: setup rbac definition, make sure expected resources are created
+ try:
+ - apply:
+ file: resources.yaml
+ - assert:
+ file: expected.yaml
+ - description: delete rbac definition, make sure previously created resources are deleted
+ try:
+ - delete:
+ ref:
+ apiVersion: rbacmanager.reactiveops.io/v1beta1
+ kind: RBACDefinition
+ name: rbac-manager-definition
+ - error:
+ file: expected.yaml
diff --git a/e2e/chainsaw/deleted/expected.yaml b/e2e/chainsaw/deleted/expected.yaml
new file mode 100644
index 00000000..3fe1e408
--- /dev/null
+++ b/e2e/chainsaw/deleted/expected.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ rbac-manager: reactiveops
+ ownerReferences:
+ - apiVersion: rbacmanager.reactiveops.io/v1beta1
+ kind: RBACDefinition
+ name: rbac-manager-definition
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: test-rbac-manager
+subjects:
+- kind: ServiceAccount
+ name: test-rbac-manager
+ namespace: rbac-manager
diff --git a/e2e/chainsaw/deleted/resources.yaml b/e2e/chainsaw/deleted/resources.yaml
new file mode 100644
index 00000000..703f73ae
--- /dev/null
+++ b/e2e/chainsaw/deleted/resources.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbacmanager.reactiveops.io/v1beta1
+kind: RBACDefinition
+metadata:
+ name: rbac-manager-definition
+rbacBindings:
+ - name: admins
+ subjects:
+ - kind: ServiceAccount
+ name: test-rbac-manager
+ namespace: rbac-manager
+ clusterRoleBindings:
+ - clusterRole: test-rbac-manager
diff --git a/e2e/chainsaw/service-accounts/chainsaw-test.yaml b/e2e/chainsaw/service-accounts/chainsaw-test.yaml
new file mode 100644
index 00000000..051c4a0e
--- /dev/null
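Review bot: `e2e/chainsaw/deleted/chainsaw-test.yaml` keeps `metadata.name: clusterrolebindings` from the cluster-role-bindings test, and `e2e/chainsaw/service-accounts/chainsaw-test.yaml` does the same, so three tests report under one name. Give each its own, e.g. `name: deleted` here and `name: service-accounts` there, so a failing run identifies the scenario. The `cluster-role-bindings` and `deleted` tests also both apply an `RBACDefinition` named `rbac-manager-definition`, which appears cluster-scoped (no `namespace` in its metadata). That stays collision-free only while `.chainsaw.yaml` keeps `parallel: 1`, which is worth a comment next to that setting.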
+++ b/e2e/chainsaw/service-accounts/chainsaw-test.yaml
@@ -0,0 +1,12 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: clusterrolebindings
+spec:
+ steps:
+ - try:
+ - apply:
+ file: resources.yaml
+ - assert:
+ file: expected.yaml
diff --git a/e2e/chainsaw/service-accounts/expected.yaml b/e2e/chainsaw/service-accounts/expected.yaml
new file mode 100644
index 00000000..7b4d821b
--- /dev/null
+++ b/e2e/chainsaw/service-accounts/expected.yaml
@@ -0,0 +1,33 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ rbac-manager: reactiveops
+ ownerReferences:
+ - apiVersion: rbacmanager.reactiveops.io/v1beta1
+ kind: RBACDefinition
+ name: rbac-manager-definition-1
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: test-rbac-manager
+subjects:
+- kind: ServiceAccount
+ name: test-rbac-manager
+ namespace: rbac-manager
+---
+apiVersion: v1
+kind: ServiceAccount
+imagePullSecrets:
+- name: robot-secret
+metadata:
+ annotations:
+ rbacmanager.reactiveops.io/managed-pull-secrets: robot-secret
+ labels:
+ rbac-manager: reactiveops
+ name: test-rbac-manager
+ namespace: rbac-manager
+ ownerReferences:
+ - apiVersion: rbacmanager.reactiveops.io/v1beta1
+ kind: RBACDefinition
+ name: rbac-manager-definition-1
diff --git a/e2e/chainsaw/service-accounts/resources.yaml b/e2e/chainsaw/service-accounts/resources.yaml
new file mode 100644
index 00000000..912ff0a5
--- /dev/null
+++ b/e2e/chainsaw/service-accounts/resources.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbacmanager.reactiveops.io/v1beta1
+kind: RBACDefinition
+metadata:
+ name: rbac-manager-definition-1
+rbacBindings:
+ - name: admins
+ subjects:
+ - kind: ServiceAccount
+ name: test-rbac-manager
+ namespace: rbac-manager
+ imagePullSecrets:
+ - robot-secret
+ clusterRoleBindings:
+ - clusterRole: test-rbac-manager