test: pod restart on configmap/secret update (#7306)

* test: pod restart on secret update Signed-off-by: Alok N <alokme123@gmail.com> * fix: requested changes Signed-off-by: Alok N <alokme123@gmail.com> * fix: debug remove, secret Signed-off-by: Alok N <alokme123@gmail.com> --------- Signed-off-by: Alok N <alokme123@gmail.com>
2025-03-31 03:45:17 +00:00 · 2023-05-26 20:36:13 +05:30 · 2023-05-26 20:36:13 +05:30 · ad1c2d6bca
commit ad1c2d6bca
parent f74eac4e52
13 changed files with 174 additions and 0 deletions
--- a/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/01-manifests.yaml
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/01-manifests.yaml
@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- manifests.yaml
+- cluster-role.yaml
--- a/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/02-policy.yaml
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/02-policy.yaml
@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-ready.yaml
--- a/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/03-save-pod-name.yaml
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/03-save-pod-name.yaml
@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: "kubectl get po -n kube-state-metrics | awk 'NR==2{print $1}' > pod-name.txt"
--- a/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/04-update-sc.yaml
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/04-update-sc.yaml
@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kube-state-metrics-crds
+  namespace: kube-state-metrics
+data:
+  foo: bm90LWJhcg==
--- a/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/05-sleep.yaml
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/05-sleep.yaml
@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 5
--- a/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/06-check-restart.yaml
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/06-check-restart.yaml
@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: "if [ \"$(kubectl get pods -n kyverno | sort --key 5 --numeric | awk 'NR==2{print $1}')\" != \"$(cat pod-name.txt)\" ];then exit;else (exit 1);fi"
--- a/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/README.md
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/README.md
@ -0,0 +1,11 @@
+## Description
+
+This test checks if a restart is triggered on a generated secret update
+
+## Expected Behavior
+
+Pod restarted after the generated secret is updated
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6605
--- a/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/cluster-role.yaml
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/cluster-role.yaml
@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno:background-controller:additional
+  labels:
+    app.kubernetes.io/component: background-controller
+    app.kubernetes.io/instance: kyverno
+    app.kubernetes.io/part-of: kyverno
+rules:
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - update
--- a/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/manifests.yaml
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/manifests.yaml
@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kube-state-metrics
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kube-state-metrics-source-cm
+  namespace: kube-state-metrics
+  labels:
+    kubestatemetrics.platform.example: source
+data:
+  allowed: '"true"'
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: kube-state-metrics
+  name: kube-state-metrics
+  labels:
+    app: busybox
+spec:
+  selector:
+    matchLabels:
+      app: busybox
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      containers:
+      - name: busybox
+        image: busybox:1.35
+        command:
+        - sleep
+        - "36000"
--- a/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/policy-ready.yaml
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/policy-ready.yaml
@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: generate-cm-for-kube-state-metrics-crds
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
--- a/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/policy.yaml
+++ b/test/conformance/kuttl/generate/clusterpolicy/cornercases/pod-restart-on-cm-update/policy.yaml
@ -0,0 +1,68 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: generate-cm-for-kube-state-metrics-crds
+  annotations:
+    policies.kyverno.io/description: >-
+      This policy generates and synchronizes a configmap for custom resource kube-state-metrics.
+spec:
+  generateExisting: true
+  mutateExistingOnPolicyUpdate: false
+  schemaValidation: false
+  rules:
+    - name: generate-cm-for-kube-state-metrics-crds
+      match:
+        any:
+          - resources:
+              names:
+                - "*"
+              kinds:
+                - ConfigMap
+              namespaces:
+                - "kube-state-metrics"
+              selector:
+                matchLabels:
+                  kubestatemetrics.platform.example: source
+      generate:
+        synchronize: true
+        apiVersion: v1
+        kind: Secret
+        name: kube-state-metrics-crds
+        namespace: kube-state-metrics
+        data:
+          metadata:
+            labels:
+              generatedBy: kyverno
+              kubestatemetrics.platform.example: generated
+          data:
+            foo: YmFy
+    - name: restart-kube-state-metrics-on-sc-change
+      match:
+        any:
+          - resources:
+              kinds:
+                - Secret
+              names:
+                - "kube-state-metrics-crds"
+              namespaces:
+                - "kube-state-metrics"
+      preconditions:
+        all:
+          - key: "{{ request.object.metadata.labels.\"kubestatemetrics.platform.example\" || '' }}"
+            operator: NotEquals
+            value: source
+          - key: "{{request.operation || 'BACKGROUND'}}"
+            operator: Equals
+            value: UPDATE
+      mutate:
+        targets:
+          - apiVersion: apps/v1
+            kind: Deployment
+            name: kube-state-metrics
+            namespace: kube-state-metrics
+        patchStrategicMerge:
+          spec:
+            template:
+              metadata:
+                annotations:
+                  platform.cloud.allianz/triggerrestart: "{{request.object.metadata.resourceVersion}}"
--- a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/03-sleep.yaml
+++ b/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/03-sleep.yaml
@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 5
--- a/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/04-resource.yaml
+++ b/test/conformance/kuttl/mutate/refactor/add-external-secret-prefix/04-resource.yaml