chore: add istio in e2e tests (#282)

Signed-off-by: Charles-Edouard Brétéché <[email protected]>

.crds/envoy.kyverno.io_authorizationpolicies.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.0
   name: authorizationpolicies.envoy.kyverno.io
 spec:
   group: envoy.kyverno.io

.github/workflows/tests.yaml

@@ -127,7 +127,6 @@ jobs:
       - name: Run Chainsaw Tests
         run: chainsaw test tests/e2e/sidecar-injector
 
-
   e2e-authz-server:
     runs-on: ubuntu-latest
     needs: [ prepare-images ]
@@ -161,6 +160,11 @@ jobs:
         run: |
           set -e
           make kind-load-archive
+      - name: Setup istio
+        run: |
+          set -e
+          export HELM=${{ steps.helm.outputs.helm-path }}
+          make install-istio
       - name: Setup cert-manager
         run: |
           set -e
@@ -171,7 +175,28 @@ jobs:
           set -e
           export HELM=${{ steps.helm.outputs.helm-path }}
           make deploy-kyverno-authz-server
-      - name: Run Chainsaw Tests
-        run: chainsaw test tests/e2e/validation-webhook
-      # - name: Run Chainsaw Tests
-      #   run: chainsaw test tests/e2e/authz-server
+      - name: Install sample app
+        run: |
+          set -e
+          kubectl create ns app
+          kubectl label namespace app istio-injection=enabled
+          kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.24/samples/httpbin/httpbin.yaml -n app
+          kubectl patch deploy httpbin -n app --type=merge -p='{
+            "spec": {
+              "template": {
+                "metadata": {
+                  "labels": {
+                    "ext-authz": "enabled"
+                  }
+                }
+              }
+            }
+          }'
+      - name: Run Chainsaw Tests (authz-server)
+        run:  |
+          set -e
+          chainsaw test tests/e2e/authz-server
+      - name: Run Chainsaw Tests (validation-webhook)
+        run:  |
+          set -e
+          chainsaw test tests/e2e/validation-webhook

Makefile

@@ -340,7 +340,10 @@ install-istio: ## Install istio
 install-istio: $(HELM)
 	@echo Install istio... >&2
 	@$(HELM) upgrade --install istio-base --namespace istio-system --create-namespace --wait --repo https://istio-release.storage.googleapis.com/charts base
-	@$(HELM) upgrade --install istiod --namespace istio-system --create-namespace --wait --repo https://istio-release.storage.googleapis.com/charts istiod
+	@$(HELM) upgrade --install istiod --namespace istio-system --create-namespace --wait --repo https://istio-release.storage.googleapis.com/charts istiod \
+		--set meshConfig.extensionProviders[0].name=kyverno-authz-server \
+		--set meshConfig.extensionProviders[0].envoyExtAuthzGrpc.service=kyverno-authz-server.kyverno.svc.cluster.local \
+		--set-string meshConfig.extensionProviders[0].envoyExtAuthzGrpc.port=9081
 
 ########
 # HELM #

charts/kyverno-authz-server/templates/crds.yaml

@@ -12,7 +12,7 @@ metadata:
     {{- with .Values.crds.annotations }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
-    controller-gen.kubebuilder.io/version: v0.16.5
+    controller-gen.kubebuilder.io/version: v0.17.0
   name: authorizationpolicies.envoy.kyverno.io
 spec:
   group: envoy.kyverno.io

tests/e2e/authz-server/allow/chainsaw-test.yaml

@@ -0,0 +1,30 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: deny
+spec:
+  namespace: app
+  steps: 
+  - try:
+    - create:
+        file: ./istio-policy.yaml
+    - create:
+        file: ./policy.yaml
+    - create:
+        file: ./shell.yaml
+    - wait:
+        apiVersion: v1
+        kind: Pod
+        timeout: 1m
+        for:
+          condition:
+            name: Ready
+            value: 'true'
+    - script:
+        content: >
+          kubectl exec -n $NAMESPACE deploy/curl -- curl -s -w "\nhttp_code=%{http_code}" httpbin:8000/get -H "x-force-authorized: true"
+        check:
+          (wildcard('*http_code=200', $stdout)): true
+    finally:
+    - sleep:
+        duration: 10s

tests/e2e/authz-server/allow/istio-policy.yaml

@@ -0,0 +1,14 @@
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: policy
+  namespace: istio-system
+spec:
+  selector:
+    matchLabels:
+      ext-authz: enabled
+  action: CUSTOM
+  provider:
+    name: kyverno-authz-server
+  rules:
+  - {}

tests/e2e/authz-server/allow/policy.yaml

@@ -0,0 +1,11 @@
+# yaml-language-server: $schema=../../../../.schemas/json/authorizationpolicy-envoy-v1alpha1.json
+apiVersion: envoy.kyverno.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+  name: policy
+spec:
+  allow:
+  - response: >
+      envoy
+        .Allowed()
+        .Response()

tests/e2e/authz-server/allow/shell.yaml

@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: curl
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: curl
+  labels:
+    app: curl
+    service: curl
+spec:
+  ports:
+  - port: 80
+    name: http
+  selector:
+    app: curl
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: curl
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: curl
+  template:
+    metadata:
+      labels:
+        app: curl
+    spec:
+      terminationGracePeriodSeconds: 0
+      serviceAccountName: curl
+      containers:
+      - name: curl
+        image: curlimages/curl
+        command: ["/bin/sleep", "infinity"]
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+        - mountPath: /etc/curl/tls
+          name: secret-volume
+      volumes:
+      - name: secret-volume
+        secret:
+          secretName: curl-secret
+          optional: true

tests/e2e/authz-server/default/chainsaw-test.yaml

@@ -0,0 +1,30 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: deny
+spec:
+  namespace: app
+  steps: 
+  - try:
+    - create:
+        file: ./istio-policy.yaml
+    - create:
+        file: ./policy.yaml
+    - create:
+        file: ./shell.yaml
+    - wait:
+        apiVersion: v1
+        kind: Pod
+        timeout: 1m
+        for:
+          condition:
+            name: Ready
+            value: 'true'
+    - script:
+        content: >
+          kubectl exec -n $NAMESPACE deploy/curl -- curl -s -w "\nhttp_code=%{http_code}" httpbin:8000/get -H "x-force-authorized: true"
+        check:
+          (wildcard('*http_code=200', $stdout)): true
+    finally:
+    - sleep:
+        duration: 10s

tests/e2e/authz-server/default/istio-policy.yaml

@@ -0,0 +1,14 @@
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: policy
+  namespace: istio-system
+spec:
+  selector:
+    matchLabels:
+      ext-authz: enabled
+  action: CUSTOM
+  provider:
+    name: kyverno-authz-server
+  rules:
+  - {}

tests/e2e/authz-server/default/policy.yaml

@@ -0,0 +1,21 @@
+# yaml-language-server: $schema=../../../../.schemas/json/authorizationpolicy-envoy-v1alpha1.json
+apiVersion: envoy.kyverno.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+  name: policy
+spec:
+  deny:
+  - match: >
+      false
+    response: >
+      envoy
+        .Denied(403)
+        .WithBody("Unauthorized Request")
+        .Response()
+  allow:
+  - match: >
+      false
+    response: >
+      envoy
+        .Allowed()
+        .Response()

tests/e2e/authz-server/default/shell.yaml

@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: curl
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: curl
+  labels:
+    app: curl
+    service: curl
+spec:
+  ports:
+  - port: 80
+    name: http
+  selector:
+    app: curl
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: curl
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: curl
+  template:
+    metadata:
+      labels:
+        app: curl
+    spec:
+      terminationGracePeriodSeconds: 0
+      serviceAccountName: curl
+      containers:
+      - name: curl
+        image: curlimages/curl
+        command: ["/bin/sleep", "infinity"]
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+        - mountPath: /etc/curl/tls
+          name: secret-volume
+      volumes:
+      - name: secret-volume
+        secret:
+          secretName: curl-secret
+          optional: true

tests/e2e/authz-server/deny/chainsaw-test.yaml

@@ -0,0 +1,32 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: deny
+spec:
+  namespace: app
+  steps: 
+  - try:
+    - create:
+        file: ./istio-policy.yaml
+    - create:
+        file: ./policy.yaml
+    - create:
+        file: ./shell.yaml
+    - wait:
+        apiVersion: v1
+        kind: Pod
+        timeout: 1m
+        for:
+          condition:
+            name: Ready
+            value: 'true'
+    - script:
+        content: >
+          kubectl exec -n $NAMESPACE deploy/curl -- curl -s -w "\nhttp_code=%{http_code}" httpbin:8000/get -H "x-force-authorized: true"
+        check:
+          ($stdout): |-
+            Unauthorized Request
+            http_code=403
+    finally:
+    - sleep:
+        duration: 10s

tests/e2e/authz-server/deny/istio-policy.yaml

@@ -0,0 +1,14 @@
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: policy
+  namespace: istio-system
+spec:
+  selector:
+    matchLabels:
+      ext-authz: enabled
+  action: CUSTOM
+  provider:
+    name: kyverno-authz-server
+  rules:
+  - {}

tests/e2e/authz-server/deny/policy.yaml

@@ -0,0 +1,12 @@
+# yaml-language-server: $schema=../../../../.schemas/json/authorizationpolicy-envoy-v1alpha1.json
+apiVersion: envoy.kyverno.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+  name: policy
+spec:
+  deny:
+  - response: >
+      envoy
+        .Denied(403)
+        .WithBody("Unauthorized Request")
+        .Response()