chore: add cli update test (#9192)

* chore: add cli update test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* update

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

test/cli/test/update/kyverno-test.yaml

@@ -0,0 +1,16 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: update
+policies:
+- policy.yaml
+resources:
+- resources.yaml
+results:
+- kind: Deployment
+  policy: block-update-no-label-change
+  resources:
+  - my-ns/deployment
+  result: pass
+  rule: check-label-change
+variables: values.yaml

test/cli/test/update/policy.yaml

@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-update-no-label-change
+spec:
+  validationFailureAction: Audit
+  background: false
+  rules:
+    - name: check-label-change
+      match:
+        all:
+          - resources:
+              kinds:
+                - Deployment
+      preconditions:
+        all:
+          - key: "{{ request.operation || '' }}"
+            operator: Equals
+            value: UPDATE
+      validate:
+        message: Pass only if labels are different
+        deny:
+          conditions:
+            any:
+              - key: "{{ request.object.metadata.labels || `{}` }}"
+                operator: Equals
+                value: "{{ request.oldObject.metadata.labels || `{}` }}"

test/cli/test/update/resources.yaml

@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment
+  namespace: my-ns
+  annotations:
+    existing-annotation: existing-value
+  labels:
+    existing-label: existing-value
+spec:
+  replicas: 1

test/cli/test/update/values.yaml

@@ -0,0 +1,7 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Value
+metadata:
+  name: values
+globalValues:
+  request.operation: UPDATE
+  request.oldObject.metadata.labels.existing-label: foo