From 665ced5e55b2db68e978e62c659743cc385ffddc Mon Sep 17 00:00:00 2001
From: Gareth Healy
Date: Thu, 21 May 2020 20:15:21 +0100
Subject: [PATCH] Added bats testing (#8)
---
 README.md | 8 +++-
 _test/k8s-validation-rolebinding/list.yml | 15 ++++++++
 _test/ocp-42-deprecated-apiversions/list.yml | 28 ++++++++++++++
 .../template.yml | 35 ++++++++++++++++++
 _test/tests.bats | 37 +++++++++++++++++++
 5 files changed, 121 insertions(+), 2 deletions(-)
 create mode 100644 _test/k8s-validation-rolebinding/list.yml
 create mode 100644 _test/ocp-42-deprecated-apiversions/list.yml
 create mode 100644 _test/ocp-43-deprecated-apiversions/template.yml
 create mode 100755 _test/tests.bats
diff --git a/README.md b/README.md
index c2126d85..9e9fbfe9 100644
--- a/README.md
+++ b/README.md
@@ -17,5 +17,9 @@ A list of git repos that contain rego polices which can be combined with this re
 - [deprek8ion: Rego policies to monitor Kubernetes APIs deprecations](https://github.com/swade1987/deprek8ion)
 ## Conftest
-conftest is a CLI to execute rego policies. It can be used to test locally before pushing to OPA.
-- https://www.conftest.dev/install/
\ No newline at end of file
+conftest is a CLI to execute rego policies. It can be used to test locally before pushing to [OPA](https://www.openpolicyagent.org/).
+- https://www.conftest.dev/install/
+
+## OPA Playground
+OPA provides a web based playground, which can highlight which lines have been activated. Having issues with your policy? check it out with "Coverage" enabled:
+- https://play.openpolicyagent.org/
\ No newline at end of file
diff --git a/_test/k8s-validation-rolebinding/list.yml b/_test/k8s-validation-rolebinding/list.yml
new file mode 100644
index 00000000..205f730f
--- /dev/null
+++ b/_test/k8s-validation-rolebinding/list.yml
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: List
+items:
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ name: NoApiGroup
+ roleRef:
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: RoleBinding
+ metadata:
+ name: NoKind
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
diff --git a/_test/ocp-42-deprecated-apiversions/list.yml b/_test/ocp-42-deprecated-apiversions/list.yml
new file mode 100644
index 00000000..c3495bed
--- /dev/null
+++ b/_test/ocp-42-deprecated-apiversions/list.yml
@@ -0,0 +1,28 @@
+---
+apiVersion: v1
+kind: List
+items:
+- apiVersion: servicecatalog.k8s.io/v1beta1
+ kind: Foo
+ metadata:
+ name: Bar
+- apiVersion: automationbroker.io/v1alpha1
+ kind: Foo
+ metadata:
+ name: Bar
+- apiVersion: osb.openshift.io/v1
+ kind: Foo
+ metadata:
+ name: Bar
+- apiVersion: operatorsources.operators.coreos.com/v1
+ kind: Foo
+ metadata:
+ name: Bar
+- apiVersion: catalogsourceconfigs.operators.coreos.com/v1
+ kind: Foo
+ metadata:
+ name: Bar
+- apiVersion: catalogsourceconfigs.operators.coreos.com/v2
+ kind: Foo
+ metadata:
+ name: Bar
\ No newline at end of file
diff --git a/_test/ocp-43-deprecated-apiversions/template.yml b/_test/ocp-43-deprecated-apiversions/template.yml
new file mode 100644
index 00000000..73d21b62
--- /dev/null
+++ b/_test/ocp-43-deprecated-apiversions/template.yml
@@ -0,0 +1,35 @@
+---
+apiVersion: v1
+kind: Template
+metadata:
+ name: Foo
+---
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+ name: Foo
+objects:
+- apiVersion: v1
+ kind: ProjectRequest
+ metadata:
+ name: Bar
+- apiVersion: v1
+ kind: ImageStream
+ metadata:
+ name: Bar
+- apiVersion: v1
+ kind: BuildConfig
+ metadata:
+ name: Bar
+- apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: Bar
+- apiVersion: v1
+ kind: RoleBinding
+ metadata:
+ name: Bar
+- apiVersion: v1
+ kind: Route
+ metadata:
+ name: Bar
\ No newline at end of file
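Review bot: In `_test/k8s-validation-rolebinding/list.yml` the `NoApiGroup` item has an empty `roleRef:`, so it is missing `kind` as well as `apiGroup`, yet the matching test in `_test/tests.bats` expects only the apiGroup message for it. Either the kind rule does not fire when `roleRef` is null as a whole, which would be a gap in an RBAC validation policy, or the fixture is not isolating the case its name describes; the policy is not part of this patch, so this cannot be confirmed from here. Giving `NoApiGroup` a `kind: Role` under `roleRef`, and adding a separate item with a fully empty `roleRef` that is expected to produce both messages, would pin each rule on its own. The fixture also contains no valid RoleBinding, so nothing shows that a correct object passes.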
diff --git a/_test/tests.bats b/_test/tests.bats
new file mode 100755
index 00000000..65d41c51
--- /dev/null
+++ b/_test/tests.bats
@@ -0,0 +1,37 @@
+#!/usr/bin/env bats
+
+@test "k8s-validation-rolebinding" {
+ run conftest test _test/k8s-validation-rolebinding --output tap
+
+ [ "$status" -eq 1 ]
+ [ "${lines[1]}" = "not ok 1 - _test/k8s-validation-rolebinding/list.yml - RoleBinding/NoApiGroup: RoleBinding roleRef.apiGroup key is null, use rbac.authorization.k8s.io instead." ]
+ [ "${lines[2]}" = "not ok 2 - _test/k8s-validation-rolebinding/list.yml - RoleBinding/NoKind: RoleBinding roleRef.kind key is null, use ClusterRole or Role instead." ]
+ [ "${lines[3]}" = "# Successes" ]
+}
+
+@test "ocp-42-deprecated-apiversions" {
+ run conftest test _test/ocp-42-deprecated-apiversions --output tap
+
+ [ "$status" -eq 1 ]
+ [ "${lines[1]}" = "not ok 1 - _test/ocp-42-deprecated-apiversions/list.yml - Foo/Bar: servicecatalog.k8s.io/v1beta1 is deprecated." ]
+ [ "${lines[2]}" = "not ok 2 - _test/ocp-42-deprecated-apiversions/list.yml - Foo/Bar: automationbroker.io/v1alpha1 is deprecated." ]
+ [ "${lines[3]}" = "not ok 3 - _test/ocp-42-deprecated-apiversions/list.yml - Foo/Bar: osb.openshift.io/v1 is deprecated." ]
+ [ "${lines[4]}" = "not ok 4 - _test/ocp-42-deprecated-apiversions/list.yml - Foo/Bar: operatorsources.operators.coreos.com/v1 is deprecated." ]
+ [ "${lines[5]}" = "not ok 5 - _test/ocp-42-deprecated-apiversions/list.yml - Foo/Bar: catalogsourceconfigs.operators.coreos.com/v1 is deprecated." ]
+ [ "${lines[6]}" = "not ok 6 - _test/ocp-42-deprecated-apiversions/list.yml - Foo/Bar: catalogsourceconfigs.operators.coreos.com/v2 is deprecated." ]
+ [ "${lines[7]}" = "# Successes" ]
+}
+
+@test "ocp-43-deprecated-apiversions" {
+ run conftest test _test/ocp-43-deprecated-apiversions --output tap
+
+ [ "$status" -eq 1 ]
+ [ "${lines[1]}" = "not ok 1 - _test/ocp-43-deprecated-apiversions/template.yml - Template/Foo: API v1 for Template is no longer served by default, use template.openshift.io/v1 instead." ]
+ [ "${lines[2]}" = "not ok 2 - _test/ocp-43-deprecated-apiversions/template.yml - ProjectRequest/Bar: API v1 for ProjectRequest is no longer served by default, use project.openshift.io/v1 instead." ]
+ [ "${lines[3]}" = "not ok 3 - _test/ocp-43-deprecated-apiversions/template.yml - ImageStream/Bar: API v1 for ImageStream is no longer served by default, use image.openshift.io/v1 instead." ]
+ [ "${lines[4]}" = "not ok 4 - _test/ocp-43-deprecated-apiversions/template.yml - BuildConfig/Bar: API v1 for BuildConfig is no longer served by default, use build.openshift.io/v1 instead." ]
+ [ "${lines[5]}" = "not ok 5 - _test/ocp-43-deprecated-apiversions/template.yml - DeploymentConfig/Bar: API v1 for DeploymentConfig is no longer served by default, use apps.openshift.io/v1 instead." ]
+ [ "${lines[6]}" = "not ok 6 - _test/ocp-43-deprecated-apiversions/template.yml - RoleBinding/Bar: API v1 for RoleBinding is no longer served by default, use rbac.authorization.k8s.io/v1 instead." ]
+ [ "${lines[7]}" = "not ok 7 - _test/ocp-43-deprecated-apiversions/template.yml - Route/Bar: API v1 for Route is no longer served by default, use route.openshift.io/v1 instead." ]
+ [ "${lines[8]}" = "# Successes" ]
+}
\ No newline at end of file
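Review bot: All three tests in `_test/tests.bats` begin their assertions at `${lines[1]}` and stop at the `# Successes` marker, so `${lines[0]}` (presumably the TAP plan line) and everything after the marker go unchecked. The number of checks that ran and passed is therefore not pinned, and a rule that silently stops being evaluated on the passing side would not fail the suite. Adding `[ "${lines[0]}" = "1..<expected count>" ]` to each test would close that gap; the count is a placeholder to be taken from a real run. The `run conftest test _test/...` calls also use paths relative to the working directory and rely on the default policy location, so a `setup()` containing `cd "$BATS_TEST_DIRNAME/.."` would make the repository-root requirement explicit.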