ci: add end to end test case for kyverno-envoy-plugin

Signed-off-by: Sanskarzz <sanskar.gur@gmail.com>

.github/workflows/tests.yaml

@@ -75,3 +75,23 @@ jobs:
         make kind-create-cluster
         make install-istio
         make kind-load-image
+  
+  e2e-tests-chainsaw:      
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+    - name: Setup Go
+      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      with:
+        go-version-file: go.mod
+        cache-dependency-path: go.sum
+    - name: Run tests
+      run: |
+        set -e
+        make kind-create-cluster
+        make kind-load-taged-image    
+    - name: Install Chainsaw
+      uses: kyverno/action-install-chainsaw@73115d8a049c89dd8e3799daac9d6c36f8b9b139 # v0.2.0
+    - name: Run Chainsaw Tests
+      run: chainsaw test tests/e2e-test/chainsaw-test.yaml        

Makefile

@@ -160,6 +160,14 @@ kind-load-image: build-ko
 	@echo Load image in kind... >&2
 	@$(KIND) load docker-image $(KO_REGISTRY)/$(PACKAGE):$(GIT_SHA)
 
+.PHONY: kind-load-taged-image
+kind-load-taged-image: ## Build image and load it in kind cluster
+kind-load-taged-image: $(KIND)
+kind-load-taged-image: build-ko
+	@echo Load image in kind... >&2
+	docker tag $(KO_REGISTRY)/$(PACKAGE):$(GIT_SHA) $(KO_REGISTRY)/$(PACKAGE):latest
+	@$(KIND) load docker-image $(KO_REGISTRY)/$(PACKAGE):latest
+
 #########	
 # ISTIO #
 #########

tests/e2e-test/chainsaw-test.yaml

@@ -0,0 +1,20 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: test-kyverno-envoy-plugin
+spec:
+  steps: 
+  - try:
+    - apply:
+        file: ./deployment.yaml
+    - script:  
+        content: kubectl run test -it --rm --restart=Never --image=busybox -- wget -q --output-document - testapp.default.svc.cluster.local:8080/book
+        check:
+          # Checks if the standard error output contains the string '403'. 
+          # This is likely used to verify that the expected HTTP 403 Forbidden response was received from the test application.
+          (contains($stdout, '403')): false
+    - script:  
+        content: kubectl run test -it --rm --restart=Never --image=busybox -- wget -q --post-data='{"bookname":"Harry Potter", "author":"J.K. Rowling"}' --output-document - testapp.default.svc.cluster.local:8080/book
+        check:
+          (contains($stderr, 'Error')): true
+          (contains($stdout, '403')): true

tests/e2e-test/deployment.yaml

@@ -0,0 +1,182 @@
+# Application Deployment with kyverno-envoy-plugin and Envoy sidecars.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: testapp
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: testapp
+  template:
+    metadata:
+      labels:
+        app: testapp
+    spec:
+      initContainers:
+        - name: proxy-init
+          image: sanskardevops/proxyinit:latest
+          # Configure the iptables bootstrap script to redirect traffic to the
+          # Envoy proxy on port 8000, specify that Envoy will be running as user
+          # 1111, These values must match up with the configuration
+          # defined below for the "envoy" and "kyverno-envoy-plugin" containers.
+          args: ["-p", "7000", "-u", "1111"]
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+            runAsNonRoot: false
+            runAsUser: 0
+      containers:
+        - name: test-application
+          image: sanskardevops/test-application:0.0.1
+          ports:
+            - containerPort: 8080
+        - name: envoy
+          image: envoyproxy/envoy:v1.30-latest
+          securityContext:
+            runAsUser: 1111
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - readOnly: true
+              mountPath: /config
+              name: proxy-config
+          args:
+            - "envoy"
+            - "--config-path"
+            - "/config/envoy.yaml"
+        - name: kyverno-envoy-plugin
+          image: ko.local/github.com/kyverno/kyverno-envoy-plugin:latest
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 8000
+            - containerPort: 9000
+          volumeMounts:
+            - readOnly: true
+              mountPath: /policies
+              name: policy-files
+          args:
+            - "serve"
+            - "--policy=/policies/policy.yaml"
+      volumes:
+        - name: proxy-config
+          configMap:
+            name: proxy-config
+        - name: policy-files
+          configMap:
+            name: policy-files
+--- 
+# Envoy Config with External Authorization filter that will query kyverno-envoy-plugin.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: proxy-config
+data:
+  envoy.yaml: |
+    static_resources:
+      listeners:
+      - address:
+          socket_address:
+            address: 0.0.0.0
+            port_value: 7000
+        filter_chains:
+        - filters:
+          - name: envoy.filters.network.http_connection_manager
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+              codec_type: auto
+              stat_prefix: ingress_http
+              route_config:
+                name: local_route
+                virtual_hosts:
+                - name: backend
+                  domains:
+                  - "*"
+                  routes:
+                  - match:
+                      prefix: "/"
+                    route:
+                      cluster: service
+              http_filters:
+              - name: envoy.ext_authz
+                typed_config:
+                  "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
+                  transport_api_version: V3
+                  with_request_body:
+                    max_request_bytes: 8192
+                    allow_partial_message: true
+                  failure_mode_allow: false
+                  grpc_service:
+                    google_grpc:
+                      target_uri: 127.0.0.1:9000
+                      stat_prefix: ext_authz
+                    timeout: 0.5s
+              - name: envoy.filters.http.router
+                typed_config:
+                  "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+      clusters:
+      - name: service
+        connect_timeout: 0.25s
+        type: strict_dns
+        lb_policy: round_robin
+        load_assignment:
+          cluster_name: service
+          endpoints:
+          - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: 127.0.0.1
+                    port_value: 8080
+    admin:
+      access_log_path: "/dev/null"
+      address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 8001
+    layered_runtime:
+      layers:
+        - name: static_layer_0
+          static_layer:
+            envoy:
+              resource_limits:
+                listener:
+                  example_listener_name:
+                    connection_limit: 10000
+            overload:
+              global_downstream_max_connections: 50000
+---
+# Example policy to enforce into kyverno-envoy-plugin sidecars.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: policy-files
+data:
+  policy.yaml: |
+    apiVersion: json.kyverno.io/v1alpha1
+    kind: ValidatingPolicy
+    metadata:
+      name: checkrequest
+    spec:
+      rules:
+        - name: deny-other-methods
+          assert:
+            any:
+            - message: "only allow GET method calls at path /book "
+              check:
+                request:
+                    http:
+                        method: GET
+                        path: /book                                           
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: testapp
+spec:
+  type: ClusterIP
+  selector:
+    app: testapp
+  ports:
+  - port: 8080
+    targetPort: 8080