fix: rename chainsaw tests (#213)

* - Renaming tests - Corrected the status field in show status * - makefile controller-gen paths fixed - crd changes to get the correct status * - Separated the rbac from crd generation so that unnecesary roles are not given to nimbus-operator --------- Co-authored-by: Ved Ratan <[email protected]>
5GSEC · Jul 5, 2024 · 63dfcdf · 63dfcdf
1 parent 21f617f
commit 63dfcdf
Show file tree

Hide file tree

Showing 7 changed files with 40 additions and 20 deletions.
diff --git a/Makefile b/Makefile
@@ -50,7 +50,8 @@ help: ## Display this help.
 
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) rbac:roleName=nimbus-operator crd webhook paths="./internal/..." output:crd:artifacts:config=config/crd/bases
+	$(CONTROLLER_GEN) rbac:roleName=nimbus-operator webhook paths="./internal/..."
+	$(CONTROLLER_GEN) crd paths="./api/..." output:crd:artifacts:config=config/crd/bases
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.

diff --git a/api/v1alpha1/clustersecurityintentbinding_types.go b/api/v1alpha1/clustersecurityintentbinding_types.go
@@ -42,7 +42,7 @@ type ClusterSecurityIntentBindingStatus struct {
 //+kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.status"
 //+kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
 //+kubebuilder:printcolumn:name="Intents",type="integer",JSONPath=".status.numberOfBoundIntents"
-//+kubebuilder:printcolumn:name="NimbusPolicies",type="integer",JSONPath=".status.numberofNimbusPolicies"
+//+kubebuilder:printcolumn:name="NimbusPolicies",type="integer",JSONPath=".status.numberOfNimbusPolicies"
 //+kubebuilder:printcolumn:name="ClusterNimbusPolicy",type="string",JSONPath=".status.clusterNimbusPolicy"
 //+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 

diff --git a/config/crd/bases/intent.security.nimbus.com_clustersecurityintentbindings.yaml b/config/crd/bases/intent.security.nimbus.com_clustersecurityintentbindings.yaml
@@ -26,7 +26,7 @@ spec:
     - jsonPath: .status.numberOfBoundIntents
       name: Intents
       type: integer
-    - jsonPath: .status.numberofNimbusPolicies
+    - jsonPath: .status.numberOfNimbusPolicies
       name: NimbusPolicies
       type: integer
     - jsonPath: .status.clusterNimbusPolicy

diff --git a/deployments/nimbus/templates/crds.yaml b/deployments/nimbus/templates/crds.yaml
@@ -161,7 +161,7 @@ spec:
     - jsonPath: .status.numberOfBoundIntents
       name: Intents
       type: integer
-    - jsonPath: .status.numberofNimbusPolicies
+    - jsonPath: .status.numberOfNimbusPolicies
       name: NimbusPolicies
       type: integer
     - jsonPath: .status.clusterNimbusPolicy

diff --git a/tests/controllers/clustersecurityintentbinding/excludename/chainsaw-test.yaml b/tests/controllers/clustersecurityintentbinding/excludename/chainsaw-test.yaml
@@ -4,14 +4,18 @@
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
-  name: exclude-names-add-csib
+  name: csib-exclude-names-add-update-csib
 spec:
   description: >
-    1. Add dev, staging, prod ns
-    2. Adds a csib for excludeNames with dev, staging
-    3. Update csib for excludeNames with dev, prod, regional
-    4. Add a ns with name management - this ns is not part of the excludeNames
-       Add a ns with name regional - this is part of the excludeNames
+    This test case tests out multiple scenarios. 
+    1. First we add namespaces dev, staging, and prod. Then we create a csib with excludeNames for
+       dev and staging. This should result in creation of Nimbus policies for all namespaces 
+       except "dev", "staging".
+    2. Then we update csib for excludeNames with dev, prod, regional. This should result in the
+       deletion of the the prod nimbus policy
+    3. Finally, we add a ns with names management, regional. management ns is not part of the excludeNames
+       while regional is part of the excludeNames. This step should result in creation of nimbus 
+       policy for management ns, and nimbus policy for regional should not be created
   steps:
     - name: "1. Create prod, dev, staging Namespaces"
       try:
@@ -106,3 +110,10 @@ spec:
             content: kubectl -n regional get np nimbus-ctlr-gen-escape-to-host
             check:
               ($error != null): true
+
+    - name: "Verify NimbusPolicy presence in management"
+      try:
+        - script:
+            content: kubectl -n management get np nimbus-ctlr-gen-escape-to-host
+            check:
+              ($error == null): true
diff --git a/tests/controllers/clustersecurityintentbinding/matchall/chainsaw-test.yaml b/tests/controllers/clustersecurityintentbinding/matchall/chainsaw-test.yaml
@@ -4,14 +4,17 @@
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
-  name: multiple-ns-add-csib
+  name: csib-matchall-ns-add-csib
 spec:
   description: >
-    1. Create prod, dev, staging ns
-    2. Add security intent
-    3. Add csib 
-    4. Delete prod namespace
-    5. Create prod namespace again
+    Multiple scenarios are tested here
+    1. Three namespaces are created - prod, dev, staging - and we create a csib with a 
+      matchAll condition (*). This is supposed to create nimbus policies in all namespaces
+      except kube-system. 
+    2. Then we delete the prod namespace, and verify that the nimbus policy no longer exists
+       in that namespace. The nimbus policies in the other namespaces should not be affected.
+    3. The we create the prod namespace again, and verify that the nimbus policy in prod
+      namespace is created again. Additionally, the existing nimbus policies are unaffected
   steps:
     - name: "Create prod, dev, staging Namespaces"
       try:

diff --git a/tests/controllers/clustersecurityintentbinding/matchname/chainsaw-test.yaml b/tests/controllers/clustersecurityintentbinding/matchname/chainsaw-test.yaml
@@ -4,12 +4,17 @@
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
-  name: match-names-add-csib
+  name: csib-match-names-add-update-csib
 spec:
   description: >
-    1. Adds a csib for matchNames with dev, staging
-    2. Delete staging ns
-    3. Update csib for matchNames with dev, prod
+    Multiple scenarios are tested here
+    1. First we create the dev and staging namespaces. Then we add a csib with matchNames with 
+       dev, staging. This should result in creation of nimbus policies in dev, and staging namespaces
+       only, and not in other namespaces. 
+    2. Then we delete the staging ns, and the nimbus policy in dev should not be affected. Also, no
+       nimbus policy should be present in prod.
+    3. Then we update csib for matchNames with dev, prod. This should result in creation of nimbus
+      policy in prod ns. Also, nimbus policy in dev should also be present.
   steps:
     - name: "Create prod, dev, staging Namespaces"
       try: