From a188491091b3cb30963e191bd999507e89233884 Mon Sep 17 00:00:00 2001 From: shuting Date: Wed, 5 Apr 2023 19:11:49 +0800 Subject: [PATCH] test: new kuttl test for image verify failure policy (#6788) * add a kuttl test Signed-off-by: ShutingZhao * rename policy Signed-off-by: ShutingZhao --------- Signed-off-by: ShutingZhao --- .../01-policy.yaml | 6 ++++ .../02-namespace.yaml | 4 +++ .../03-create-bad-pod.yaml | 5 +++ .../README.md | 11 +++++++ .../bad-pod.yaml | 9 ++++++ .../policy-ready.yaml | 9 ++++++ .../policy.yaml | 32 +++++++++++++++++++ 7 files changed, 76 insertions(+) create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/01-policy.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/02-namespace.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/03-create-bad-pod.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/README.md create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/bad-pod.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy-ready.yaml create mode 100644 test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/01-policy.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/01-policy.yaml
new file mode 100644
index 0000000000..57ffd5631d
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-ready.yaml
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/02-namespace.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/02-namespace.yaml
new file mode 100644
index 0000000000..6f5564258f
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/02-namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: failure-policy-test-noconfigmap-diffimage-success
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/03-create-bad-pod.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/03-create-bad-pod.yaml
new file mode 100644
index 0000000000..0e36363f89
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/03-create-bad-pod.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: bad-pod.yaml
+ shouldFail: false
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/README.md b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/README.md
new file mode 100644
index 0000000000..c40477b6f5
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test verifies that resource creation is not blocked if the `failurePolicy` is set to `Ignore`, when there is an error resolving context variables.
+
+## Expected Behavior
+
+The pod should be created successfully.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6742
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/bad-pod.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/bad-pod.yaml
new file mode 100644
index 0000000000..0d38ac01a6
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/bad-pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-fail
+ namespace: failure-policy-test-noconfigmap-diffimage-success
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:signed
+ name: test-fail
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy-ready.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy-ready.yaml
new file mode 100644
index 0000000000..cfdc4c1e1c
--- /dev/null
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy-ready.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: image-verify-polset-failurepolicy-ignore
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml
new file mode 100644
index 0000000000..397730342e
--- /dev/null
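Review bot: The names in the `bad-pod.yaml` hunk say the opposite of what the test asserts: the pod is called `test-fail` and the file `bad-pod.yaml`, yet step 03 applies it with `shouldFail: false` and the README expects it to be created. A header comment such as `# Admitted on purpose: the policy's context lookup errors and failurePolicy is Ignore` would stop a later reader from "fixing" the expectation. The image is also referenced by the mutable tag `:signed`, so what the test pulls can change without this file changing; since the policy sets `verifyDigest: false`, pinning the reference to a digest here would keep the fixture stable.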
+++ b/test/conformance/kuttl/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+ name: image-verify-polset-failurepolicy-ignore
+spec:
+ background: false
+ failurePolicy: Ignore
+ rules:
+ - context:
+ - configMap:
+ name: myconfigmap
+ namespace: mynamespace
+ name: myconfigmap
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: image-verify-pol1
+ verifyImages:
+ - imageReferences:
+ - ghcr.io/*
+ mutateDigest: false
+ verifyDigest: false
+ attestors:
+ - entries:
+ - keys:
+ publicKeys: '{{myconfigmap.data.configmapkey}}'
+ validationFailureAction: Audit
+ webhookTimeoutSeconds: 30
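Review bot: `validationFailureAction: Audit` is set together with `failurePolicy: Ignore` in the policy spec, so a passing run does not show which of the two settings let the pod through. If Audit mode on its own admits a pod whose rule errored (not verifiable from this patch), the test would keep passing after a regression in failure-policy handling; using `validationFailureAction: Enforce` here, or a comment explaining why Audit is required, would isolate the setting under test. The fail-open path is also undocumented in the file: a comment above `failurePolicy: Ignore` such as `# Fail-open on purpose: myconfigmap in mynamespace is never created, so context loading errors` would make the intent explicit. Because this path admits `ghcr.io/*` images without signature verification whenever the ConfigMap lookup fails, a companion case with `failurePolicy: Fail` that expects rejection would pin the fail-closed side, if one does not already exist elsewhere in the suite.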