fix: add chainsaw test for mutate existing (#9210) (#9221)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

.vscode/launch.json

@@ -9,7 +9,8 @@
             "program": "${workspaceFolder}/cmd/kyverno",
             "args": [
                 "--kubeconfig=${userHome}/.kube/config",
-                "--serverIP=<SERVER-IP>:9443",
+                "--serverIP=172.18.0.1:9443",
+                "--backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller",
                 "-v=2",
                 "--caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca",
                 "--tlsSecretName=kyverno-svc.kyverno.svc.kyverno-tls-pair",

test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/README.md

@@ -0,0 +1,17 @@
+## Description
+
+This test makes sure that the generated updaterequest is deleted after applying the mutation.
+
+## Expected Behavior
+
+The target resource `pod` is mutated and all updaterequests are deleted.
+
+## Steps
+
+### Test Steps
+
+1. Create a namespace.
+2. Create two configmaps `test-org-1` and `test-org-2` i.e. the trigger resources.
+3. Create a pod i.e. the target resource.
+4. Create a policy that has `mutateExistingOnPolicyUpdate` set to true.
+5. Two update requests are generated for both configmaps, one of which has a `failure` status. It is expected that both URs got deleted.

test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/chainsaw-test.yaml

@@ -0,0 +1,38 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: multiple-trigger-resources
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: namespace.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: configmap.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: pod.yaml
+  - name: step-04
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-ready.yaml
+  - name: step-05
+    try:
+    - assert:
+        file: patched-pod.yaml
+  - name: step-06
+    try:
+    - sleep:
+        duration: 10s
+  - name: step-07
+    try:
+    - script:
+        content: "if kubectl get updaterequests -n kyverno 2>&1 | grep -q 'No resources found in kyverno namespace.'\nthen \n  exit 0 \nelse \n  exit
+          1\nfi\n"

test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/configmap.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test-org-1
+  namespace: org-label-inheritance-existing-ns-1
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test-org-2
+  namespace: org-label-inheritance-existing-ns-1

test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    org: kyverno-test-1
+  name: org-label-inheritance-existing-ns-1

test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/patched-pod.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-org-1
+  namespace: org-label-inheritance-existing-ns-1
+  annotations:
+    org: kyverno-test-1
+spec:
+  containers:
+  - image: nginx:latest
+    name: test-org

test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/pod.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-org-1
+  namespace: org-label-inheritance-existing-ns-1
+spec:
+  containers:
+  - image: nginx:latest
+    name: test-org

test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/policy-ready.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: org-label-inheritance-existing-1
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/multiple-trigger-resources/policy.yaml

@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: org-label-inheritance-existing-1
+  annotations:  
+    pod-policies.kyverno.io/autogen-controllers: none
+spec:
+  mutateExistingOnPolicyUpdate: true
+  validationFailureAction: Enforce
+  rules:
+  - name: propagate org label from namespace
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+          namespaceSelector:
+            matchExpressions:
+              - key: org
+                operator: Exists
+    context:
+    - name: org
+      apiCall:
+        urlPath: /api/v1/namespaces/{{ request.object.metadata.namespace }}
+        jmesPath: metadata.labels.org
+    mutate:
+      targets:
+      - apiVersion: v1
+        kind: Pod
+        namespace: "{{ request.object.metadata.namespace }}"
+        name: "{{ request.object.metadata.name }}"
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            org: "{{ org }}"