From be974e7d938eb8b64d3ffccf2f5b32a2112d9c4c Mon Sep 17 00:00:00 2001
From: Mohd Kamaal <102820439+Mohdcode@users.noreply.github.com>
Date: Mon, 17 Mar 2025 19:36:12 +0530
Subject: [PATCH] chainsaw test to check messageExpression interpolation (#12415)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Mohd Kamaal
Co-authored-by: Vishal Choudhary
Co-authored-by: Charles-Edouard Brétéché
---
.../report-message-exp/chainsaw-test.yaml | 24 ++++++
.../report-message-exp/deployment.yaml | 62 +++++++++++++
.../report-message-exp/policy.yaml | 26 ++++++
.../report-message-exp/report.yaml | 86 +++++++++++++++++++
4 files changed, 198 insertions(+)
create mode 100644 test/conformance/chainsaw/validating-policies/report-message-exp/chainsaw-test.yaml
create mode 100644 test/conformance/chainsaw/validating-policies/report-message-exp/deployment.yaml
create mode 100644 test/conformance/chainsaw/validating-policies/report-message-exp/policy.yaml
create mode 100644 test/conformance/chainsaw/validating-policies/report-message-exp/report.yaml
diff --git a/test/conformance/chainsaw/validating-policies/report-message-exp/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/report-message-exp/chainsaw-test.yaml
new file mode 100644
index 0000000000..08461f5511
--- /dev/null
+++ b/test/conformance/chainsaw/validating-policies/report-message-exp/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: accept
+spec:
+ template: false
+ steps:
+ - name: create policy
+ try:
+ - create:
+ file: policy.yaml
+ - sleep:
+ duration: 10s
+ - name: create deployment
+ try:
+ - create:
+ file: deployment.yaml
+ - sleep:
+ duration: 10s
+ - name: check report
+ try:
+ - assert:
+ file: report.yaml
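Review bot: The two fixed `sleep: duration: 10s` steps make the test wait 20 seconds whatever the cluster state, and they can still race on a slow cluster, because nothing checks that the policy is active before `deployment.yaml` is created. If the ValidatingPolicy exposes a readiness status, an `assert` step on it after `create policy` would gate on the real condition. The sleep after `create deployment` looks unnecessary, since chainsaw's `assert` already retries until its timeout. The test name `accept` does not describe the case; a name matching the directory, such as `report-message-exp`, would make a failure easier to locate.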
diff --git a/test/conformance/chainsaw/validating-policies/report-message-exp/deployment.yaml b/test/conformance/chainsaw/validating-policies/report-message-exp/deployment.yaml
new file mode 100644
index 0000000000..d4fa66e53f
--- /dev/null
+++ b/test/conformance/chainsaw/validating-policies/report-message-exp/deployment.yaml
@@ -0,0 +1,62 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bad-deployment
+ labels:
+ app: nginx
+ env: testing
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: no-env
+ labels:
+ app: nginx
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: good-deployment
+ labels:
+ app: nginx
+ env: prod
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ env: prod
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validating-policies/report-message-exp/policy.yaml b/test/conformance/chainsaw/validating-policies/report-message-exp/policy.yaml
new file mode 100644
index 0000000000..8e0a5238f6
--- /dev/null
+++ b/test/conformance/chainsaw/validating-policies/report-message-exp/policy.yaml
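Review bot: All three Deployments in deployment.yaml set `metadata.labels`, so the `has(object.metadata.labels)` guard in the policy's `messageExpression` never evaluates to false in this test. A fourth Deployment with no `labels` block under `metadata`, plus its expected entry in report.yaml, would cover that branch. Separately, `image: nginx:latest` is a mutable tag; pinning it, e.g. `image: nginx:<pinned-tag>@sha256:<digest>` (placeholder values), keeps the fixture reproducible and stops CI from pulling whatever the registry currently serves. The file also ends without a trailing newline.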
@@ -0,0 +1,26 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: check-deployment-labels
+ annotations:
+ policies.kyverno.io/title: Check Deployment Labels
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+spec:
+ validationActions:
+ - Audit
+ matchConstraints:
+ resourceRules:
+ - apiGroups: [apps]
+ apiVersions: [v1]
+ operations: [CREATE, UPDATE]
+ resources: [deployments]
+ variables:
+ - name: environment
+ expression: >-
+ has(object.metadata.labels) && 'env' in object.metadata.labels && object.metadata.labels['env'] == 'prod'
+ validations:
+ - expression: >-
+ variables.environment == true
+ messageExpression: >-
+ 'Deployment labels must be env=prod' + (has(object.metadata.labels) && 'env' in object.metadata.labels ? ' but found env=' + string(object.metadata.labels['env']) : ' but no env label is present')
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validating-policies/report-message-exp/report.yaml b/test/conformance/chainsaw/validating-policies/report-message-exp/report.yaml
new file mode 100644
index 0000000000..cfb3c5b6c9
--- /dev/null
+++ b/test/conformance/chainsaw/validating-policies/report-message-exp/report.yaml
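Review bot: The `messageExpression` on the last line of policy.yaml copies a value taken from the submitted object (`object.metadata.labels['env']`) into the PolicyReport message, and nothing in the file records why that is acceptable here. Label values are restricted by API-server validation to a short, limited character set, so the reflected text is bounded; a comment above the field such as `# label values are syntax-restricted by the API server; do not reuse this pattern for annotations or other free-form fields without bounding the output` would stop the fixture being copied unsafely. There is also no static `message` beside it, so if the expression ever fails to evaluate, the reported text presumably falls back to a generic default; adding `message: Deployment labels must be env=prod` would give a defined fallback. As a style point, `variables.environment == true` can be written as `variables.environment`.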
@@ -0,0 +1,86 @@
+apiVersion: v1
+items:
+- apiVersion: wgpolicyk8s.io/v1alpha2
+ kind: PolicyReport
+ metadata:
+ generation: 1
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: no-env
+ results:
+ - category: Other
+ message: Deployment labels must be env=prod but no env label is present
+ policy: check-deployment-labels
+ result: fail
+ scored: true
+ severity: medium
+ source: KyvernoValidatingPolicy
+ scope:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: no-env
+ summary:
+ error: 0
+ fail: 1
+ pass: 0
+ skip: 0
+ warn: 0
+- apiVersion: wgpolicyk8s.io/v1alpha2
+ kind: PolicyReport
+ metadata:
+ generation: 1
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: good-deployment
+ results:
+ - category: Other
+ message: success
+ policy: check-deployment-labels
+ result: pass
+ scored: true
+ severity: medium
+ source: KyvernoValidatingPolicy
+ scope:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: good-deployment
+ summary:
+ error: 0
+ fail: 0
+ pass: 1
+ skip: 0
+ warn: 0
+- apiVersion: wgpolicyk8s.io/v1alpha2
+ kind: PolicyReport
+ metadata:
+ generation: 1
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ ownerReferences:
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: bad-deployment
+ results:
+ - category: Other
+ message: Deployment labels must be env=prod but found env=testing
+ policy: check-deployment-labels
+ result: fail
+ scored: true
+ severity: medium
+ source: KyvernoValidatingPolicy
+ scope:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: bad-deployment
+ summary:
+ error: 0
+ fail: 1
+ pass: 0
+ skip: 0
+ warn: 0
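Review bot: Each of the three expected PolicyReports pins `metadata.generation: 1`, which is incidental to what this test verifies. If the controller rewrites a report before the assert matches (for example after a rescan), the generation would presumably move past 1 and the assert could then never succeed. Dropping `generation: 1` from the three items keeps the assertion on `results` and `summary`, where the interpolated message is checked. The wrapper is also `apiVersion: v1` with `items:` but no `kind`; writing the reports as separate `---` documents, or adding `kind: List`, would make the file's shape explicit.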