From 2b6c55781acedabdfdb7cd0f8da0b0d7de54c5d4 Mon Sep 17 00:00:00 2001
From: Binbin Li
Date: Mon, 6 May 2024 05:50:32 +0000
Subject: [PATCH] test: add basic tests covering multi-tenancy
---
 test/bats/base-test.bats | 71 +++++++++++++++++++++++++++++++++++++-
 test/bats/plugin-test.bats | 63 --------------------------------
 2 files changed, 70 insertions(+), 64 deletions(-)
diff --git a/test/bats/base-test.bats b/test/bats/base-test.bats
index 4a22c16cb..11d6ed533 100644
--- a/test/bats/base-test.bats
+++ b/test/bats/base-test.bats 
@@ -537,4 +537,73 @@ RATIFY_NAMESPACE=gatekeeper-system
 sleep 5
 run kubectl run demo --namespace default --image=registry:5000/notation:signed
 assert_success
-}
\ No newline at end of file
+}
+
+@test "namespaced notation/cosign verifiers test" {
+ teardown() {
+ echo "cleaning up"
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete namespacedverifiers.config.ratify.deislabs.io/verifier-cosign --namespace default --ignore-not-found=true'
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete namespacedverifiers.config.ratify.deislabs.io/verifier-notation --namespace default --ignore-not-found=true'
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl apply -f ./config/samples/clustered/verifier/config_v1beta1_verifier_notation.yaml'
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl apply -f ./config/samples/clustered/verifier/config_v1beta1_verifier_cosign.yaml'
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete namespacedkeymanagementproviders.config.ratify.deislabs.io/ratify-notation-inline-cert-0 -n default --ignore-not-found=true'
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl apply -f clusternotationkmprovider.yaml'
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete namespacedkeymanagementproviders.config.ratify.deislabs.io/ratify-cosign-inline-key-0 -n default --ignore-not-found=true'
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl apply -f clustercosignkmprovider.yaml'
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete namespacedpolicies.config.ratify.deislabs.io/ratify-policy --ignore-not-found=true'
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl apply -f clusterpolicy.yaml'
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete pod notation-demo --namespace default --force --ignore-not-found=true'
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete pod notation-demo1 --namespace default --force --ignore-not-found=true'
+ wait_for_process ${WAIT_TIME} 
${SLEEP_TIME} 'kubectl delete pod cosign-demo-key --namespace default --force --ignore-not-found=true'
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete pod cosign-demo-unsigned --namespace default --force --ignore-not-found=true'
+ }
+
+ run kubectl apply -f ./library/multi-tenancy-validation/template.yaml
+ run kubectl apply -f ./library/multi-tenancy-validation/samples/constraint.yaml
+ sleep 3
+
+ # apply namespaced policy and delete cluster-wide policy.
+ run bash -c "kubectl get policies.config.ratify.deislabs.io/ratify-policy -o yaml > clusterpolicy.yaml"
+ assert_success
+ sed 's/kind: Policy/kind: NamespacedPolicy/;/^\s*resourceVersion:/d' clusterpolicy.yaml >namespacedpolicy.yaml
+ run kubectl apply -f namespacedpolicy.yaml
+ assert_success
+
+ # apply namespaced kmp and delete cluster-wide kmp.
+ run bash -c "kubectl get keymanagementproviders.config.ratify.deislabs.io/ratify-notation-inline-cert-0 -o yaml > clusternotationkmprovider.yaml"
+ assert_success
+ sed 's/KeyManagementProvider/NamespacedKeyManagementProvider/' clusternotationkmprovider.yaml >namespacednotationkmprovider.yaml
+ run kubectl apply -f namespacednotationkmprovider.yaml
+ assert_success
+
+ run bash -c "kubectl get keymanagementproviders.config.ratify.deislabs.io/ratify-cosign-inline-key-0 -o yaml > clustercosignkmprovider.yaml"
+ assert_success
+ sed 's/KeyManagementProvider/NamespacedKeyManagementProvider/;/^\s*resourceVersion:/d' clustercosignkmprovider.yaml >namespacedcosignkmprovider.yaml
+ run kubectl delete namespacedkeymanagementproviders.config.ratify.deislabs.io/ratify-cosign-inline-key-0 -n default --ignore-not-found=true
+ sleep 5
+ run kubectl apply -f namespacedcosignkmprovider.yaml
+ assert_success
+ sleep 5
+
+ # apply namespaced notation verifiers and delete cluster-wide notation verifiers. 
+ run kubectl apply -f ./config/samples/namespaced/verifier/config_v1beta1_verifier_notation.yaml
+ run kubectl delete verifiers.config.ratify.deislabs.io/verifier-notation --ignore-not-found=true
+
+ # validate notation images.
+ run kubectl run notation-demo --namespace default --image=registry:5000/notation:signed
+ assert_success
+
+ run kubectl run notation-demo1 --namespace default --image=registry:5000/notation:unsigned
+ assert_failure
+
+ # apply namespaced cosign verifiers and delete cluster-wide cosign verifiers.
+ run kubectl apply -f ./config/samples/namespaced/verifier/config_v1beta1_verifier_cosign.yaml
+ run kubectl delete verifiers.config.ratify.deislabs.io/verifier-cosign --ignore-not-found=true
+
+ # validate cosign images.
+ run kubectl run cosign-demo-key --namespace default --image=registry:5000/cosign:signed-key
+ assert_success
+
+ run kubectl run cosign-demo-unsigned --namespace default --image=registry:5000/cosign:unsigned
+ assert_failure
+}
diff --git a/test/bats/plugin-test.bats b/test/bats/plugin-test.bats
index 389d802c2..a44edc654 100644
--- a/test/bats/plugin-test.bats
+++ b/test/bats/plugin-test.bats 
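Review bot: The two `run kubectl delete verifiers.config.ratify.deislabs.io/verifier-notation ...` / `.../verifier-cosign ...` lines and the two `run kubectl apply -f ./library/multi-tenancy-validation/...` lines carry no `assert_success`, so a failed delete leaves the cluster-wide verifier in place and the later `assert_success` on `notation-demo` and `cosign-demo-key` can be satisfied by it instead of by the namespaced verifier the test is meant to exercise; the version removed from plugin-test.bats did assert the template and constraint applies. Adding `assert_success` after each of those four `run` lines makes the test fail loudly when the setup it depends on did not happen. The negative cases rest on `assert_failure` alone, which accepts any non-zero `kubectl run` exit (image pull error, timeout), not only an admission denial; pairing each with `assert_output --partial '<denial message emitted by the admission webhook>'` would pin the rejection to verification. The comments `# apply namespaced policy and delete cluster-wide policy.` and `# apply namespaced kmp and delete cluster-wide kmp.` do not match the code below them, which never deletes the cluster-wide policy or the notation KMP in the test body (only the cosign KMP is deleted); either add the deletes or reword the comments so a reader does not assume the cluster-wide objects are gone.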
@@ -206,69 +206,6 @@ SLEEP_TIME=1
 assert_success
 }
 
-@test "namespaced sbom/notary/cosign/licensechecker/schemavalidator verifiers test" {
- teardown() {
- echo "cleaning up"
- wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete namespacedverifiers.config.ratify.deislabs.io/verifier-license-checker --namespace default --ignore-not-found=true'
- wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete namespacedverifiers.config.ratify.deislabs.io/verifier-sbom --namespace default --ignore-not-found=true'
- wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete namespacedverifiers.config.ratify.deislabs.io/verifier-schemavalidator --namespace default --ignore-not-found=true'
- wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete namespacedverifiers.config.ratify.deislabs.io/verifier-cosign --namespace default --ignore-not-found=true'
- wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete namespacedverifiers.config.ratify.deislabs.io/verifier-notation --namespace default --ignore-not-found=true'
- wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete pod all-in-one --namespace default --force --ignore-not-found=true'
- wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl apply -f ./config/samples/clustered/verifier/config_v1beta1_verifier_notation.yaml'
- wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl apply -f ./config/samples/clustered/verifier/config_v1beta1_verifier_cosign.yaml'
- wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete namespacedkeymanagementproviders.config.ratify.deislabs.io/ratify-notation-inline-cert-0 -n default --ignore-not-found=true'
- wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl apply -f clusternotationkmprovider.yaml'
- wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete namespacedkeymanagementproviders.config.ratify.deislabs.io/ratify-cosign-inline-key-0 -n default --ignore-not-found=true'
- wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl apply -f 
clustercosignkmprovider.yaml'
- wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete namespacedpolicies.config.ratify.deislabs.io/ratify-policy --ignore-not-found=true'
- wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl apply -f clusterpolicy.yaml'
- }
-
- run kubectl apply -f ./library/multi-tenancy-validation/template.yaml
- assert_success
- sleep 5
- run kubectl apply -f ./library/multi-tenancy-validation/samples/constraint.yaml
- assert_success
- sleep 5
-
- run kubectl apply -f ./config/samples/namespaced/verifier/config_v1beta1_verifier_notation.yaml
- run kubectl delete verifiers.config.ratify.deislabs.io/verifier-notation --ignore-not-found=true
- run kubectl apply -f ./config/samples/namespaced/verifier/config_v1beta1_verifier_cosign.yaml
- run kubectl delete verifiers.config.ratify.deislabs.io/verifier-cosign --ignore-not-found=true
- run kubectl apply -f ./config/samples/namespaced/verifier/config_v1beta1_verifier_sbom.yaml
- run kubectl apply -f ./config/samples/namespaced/verifier/config_v1beta1_verifier_complete_licensechecker.yaml
- run kubectl apply -f ./config/samples/namespaced/verifier/config_v1beta1_verifier_schemavalidator.yaml
-
- # apply namespaced policy and delete clustered policy.
- run bash -c "kubectl get policies.config.ratify.deislabs.io/ratify-policy -o yaml > clusterpolicy.yaml"
- assert_success
- sed 's/kind: Policy/kind: NamespacedPolicy/;/^\s*resourceVersion:/d' clusterpolicy.yaml >namespacedpolicy.yaml
- run kubectl apply -f namespacedpolicy.yaml
- assert_success
-
- # apply namespaced kmp and delete clustered kmp. 
- run bash -c "kubectl get keymanagementproviders.config.ratify.deislabs.io/ratify-notation-inline-cert-0 -o yaml > clusternotationkmprovider.yaml"
- assert_success
- sed 's/KeyManagementProvider/NamespacedKeyManagementProvider/' clusternotationkmprovider.yaml >namespacednotationkmprovider.yaml
- run kubectl apply -f namespacednotationkmprovider.yaml
- assert_success
-
- run bash -c "kubectl get keymanagementproviders.config.ratify.deislabs.io/ratify-cosign-inline-key-0 -o yaml > clustercosignkmprovider.yaml"
- assert_success
- sed 's/KeyManagementProvider/NamespacedKeyManagementProvider/;/^\s*resourceVersion:/d' clustercosignkmprovider.yaml >namespacedcosignkmprovider.yaml
- run kubectl delete namespacedkeymanagementproviders.config.ratify.deislabs.io/ratify-cosign-inline-key-0 -n default --ignore-not-found=true
- sleep 5
- run kubectl apply -f namespacedcosignkmprovider.yaml
- assert_success
- sleep 5
-
- # wait for the httpserver cache to be invalidated
- sleep 15
- run kubectl run all-in-one --namespace default --image=registry:5000/all:v0
- assert_success
-}
-
 @test "validate crd add, replace and delete" {
 teardown() {
 echo "cleaning up"