added integration tests

Signed-off-by: Ved Ratan <[email protected]>

internal/controller/tests/np-creation/README.md

@@ -0,0 +1,7 @@
+# Description
+
+This test ensures the creation of nimbus-policy.
+
+# Expected Behaviour
+
+Upon creation of SecurityIntent and SecurityIntentBinding the NimbusPolicy should get created.

internal/controller/tests/np-creation/chainsaw-test.yaml

@@ -0,0 +1,29 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: np-creation
+spec:
+  timeouts:
+    assert: 10s
+  steps:
+  - try:
+    # first operation: create the config map
+    - apply:
+        # file is relative to the test folder
+        file: ../../../../examples/namespaced/dns-manipulation-si-sib.yaml
+    # second operation: verify the config map exists and contains the expected data
+    - assert:
+        # file is relative to the test folder
+        file: ../../../../examples/namespaced/dns-manipulation-si-sib.yaml
+    - assert:
+        file: nimbus-policy.yaml
+  # - try:
+  #   - script:
+  #       content: kubectl get si
+  #       check:
+  #         (contains($stdout, 'dns-manipulation')): true
+  # - try:
+  #   - script:
+  #       content: kubectl get sib
+  #       check:
+  #         (contains($stdout, 'dns-manipulation-binding')): true

internal/controller/tests/np-creation/nimbus-policy.yaml

@@ -0,0 +1,21 @@
+apiVersion: intent.security.nimbus.com/v1
+kind: NimbusPolicy
+metadata:
+  name: dns-manipulation-binding
+  ownerReferences:
+   - apiVersion: intent.security.nimbus.com/v1
+     blockOwnerDeletion: true
+     controller: true
+     kind: SecurityIntentBinding
+     name: dns-manipulation-binding
+spec:
+   rules:
+   - description: An adversary can manipulate DNS requests to redirect network traffic
+       and potentially reveal end user activity.
+     id: dnsManipulation
+     rule:
+       action: Block
+       mode: best-effort
+   selector:
+     matchLabels:
+       app: nginx

internal/controller/tests/np-updation/README.md

@@ -0,0 +1,7 @@
+# Description
+
+This test ensures the persistant nature of nimbus-policy.
+
+# Expected Behaviour
+
+On updation of NimbusPolicy the policy by modifying the value of the key in .spec.selector.matchLablels.app the policy should get reverted back to its original state.

internal/controller/tests/np-updation/chainsaw-test.yaml

@@ -0,0 +1,27 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: np-updation
+spec:
+  timeouts:
+    assert: 10s
+  steps:
+
+  - name: step-01 
+    try:
+      - apply:
+          # file is relative to the test folder
+          file: ../../../../examples/namespaced/dns-manipulation-si-sib.yaml
+      - assert:
+          file: ../../../../examples/namespaced/dns-manipulation-si-sib.yaml
+  - name: step-02
+    try:
+      - apply:
+          file: updated-nimbus-policy.yaml
+  - name: step-03
+    try:
+      - script:
+          content: kubectl get np -n $NAMESPACE dns-manipulation-binding -o=jsonpath='{.spec.selector.matchLabels.app}'
+          check: 
+            (contains($stdout, 'frontend')): false
+

internal/controller/tests/np-updation/updated-nimbus-policy.yaml

@@ -0,0 +1,22 @@
+apiVersion: intent.security.nimbus.com/v1
+kind: NimbusPolicy
+metadata:
+  name: dns-manipulation-binding
+  ownerReferences:
+   - apiVersion: intent.security.nimbus.com/v1
+     blockOwnerDeletion: true
+     controller: true
+     kind: SecurityIntentBinding
+     name: dns-manipulation-binding
+     uid: "123456789"
+spec:
+   rules:
+   - description: An adversary can manipulate DNS requests to redirect network traffic
+       and potentially reveal end user activity.
+     id: dnsManipulation
+     rule:
+       action: Block
+       mode: best-effort
+   selector:
+     matchLabels:
+       app: frontend

internal/controller/tests/sib-deletion/README.md

@@ -0,0 +1,7 @@
+# Description
+
+This test ensures that NimbusPolicy is tightly coupled with SecurityIntentBinding.
+
+# Expected Behaviour
+
+On deletion of SecurityIntentBinding, NimbusPolicy should automatically get deleted.

internal/controller/tests/sib-deletion/chainsaw-test.yaml

@@ -0,0 +1,28 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: sib-deletion
+spec:
+  timeouts:
+    assert: 10s
+  steps:
+
+  - name: step-01 
+    try:
+      - apply:
+          # file is relative to the test folder
+          file: ../../../../examples/namespaced/dns-manipulation-si-sib.yaml
+      - assert:
+          file: ../../../../examples/namespaced/dns-manipulation-si-sib.yaml
+  - name: step-02
+    try:
+      - script:
+          content: kubectl delete sib -n $NAMESPACE dns-manipulation-binding
+  - name: step-03
+    try:
+      - script:
+          content: kubectl get np -n $NAMESPACE dns-manipulation-binding
+          check: 
+            ($error != null): true
+
+

internal/controller/tests/sib-deletion/nimbus-policy.yaml

@@ -0,0 +1,21 @@
+apiVersion: intent.security.nimbus.com/v1
+kind: NimbusPolicy
+metadata:
+  name: dns-manipulation-binding
+  ownerReferences:
+   - apiVersion: intent.security.nimbus.com/v1
+     blockOwnerDeletion: true
+     controller: true
+     kind: SecurityIntentBinding
+     name: dns-manipulation-binding
+spec:
+   rules:
+   - description: An adversary can manipulate DNS requests to redirect network traffic
+       and potentially reveal end user activity.
+     id: dnsManipulation
+     rule:
+       action: Block
+       mode: best-effort
+   selector:
+     matchLabels:
+       app: nginx

internal/controller/tests/sib-deletion/sib.yaml

@@ -0,0 +1,14 @@
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntentBinding
+metadata:
+  name: dns-manipulation-binding
+spec:
+  intents:
+    - name: dns-manipulation
+  selector:
+    any:
+      - resources:
+          kind: Pod
+          namespace: default
+          matchLabels:
+            app: frontend

internal/controller/tests/sib-updation/README.md

@@ -0,0 +1,7 @@
+# Description
+
+This test ensures that the change in SecurityIntentBinding by should get reflected in NimbusPolicy.
+
+# Expected Behaviour
+
+On updation of SecurityIntentBinding by updating the selector value, the corresponding selector in the NimbusPolicy should get updated.

internal/controller/tests/sib-updation/chainsaw-test.yaml

@@ -0,0 +1,28 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: np-updation
+spec:
+  timeouts:
+    assert: 10s
+  steps:
+
+  - name: step-01 
+    try:
+      - apply:
+          # file is relative to the test folder
+          file: ../../../../examples/namespaced/dns-manipulation-si-sib.yaml
+      - assert:
+          file: ../../../../examples/namespaced/dns-manipulation-si-sib.yaml
+  - name: step-02
+    try:
+      - apply:
+          file: updated-sib.yaml
+  - name: step-03
+    try:
+      - script:
+          content: kubectl get np -n $NAMESPACE dns-manipulation-binding -o=jsonpath='{.spec.selector.matchLabels.app}'
+          check: 
+            (contains($stdout, 'frontend')): true
+
+

internal/controller/tests/sib-updation/nimbus-policy.yaml

@@ -0,0 +1,21 @@
+apiVersion: intent.security.nimbus.com/v1
+kind: NimbusPolicy
+metadata:
+  name: dns-manipulation-binding
+  ownerReferences:
+   - apiVersion: intent.security.nimbus.com/v1
+     blockOwnerDeletion: true
+     controller: true
+     kind: SecurityIntentBinding
+     name: dns-manipulation-binding
+spec:
+   rules:
+   - description: An adversary can manipulate DNS requests to redirect network traffic
+       and potentially reveal end user activity.
+     id: dnsManipulation
+     rule:
+       action: Block
+       mode: best-effort
+   selector:
+     matchLabels:
+       app: nginx

internal/controller/tests/sib-updation/updated-sib.yaml

@@ -0,0 +1,14 @@
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntentBinding
+metadata:
+  name: dns-manipulation-binding
+spec:
+  intents:
+    - name: dns-manipulation
+  selector:
+    any:
+      - resources:
+          kind: Pod
+          namespace: default
+          matchLabels:
+            app: frontend