chore: run vap reports test suite using chainsaw (#8965)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

.github/workflows/conformance.yaml

@@ -464,6 +464,148 @@ jobs:
         if: failure()
         uses: ./.github/actions/kyverno-logs
 
+  chainsaw-validatingadmissionpolicies-reports-v1alpha1:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: read
+    strategy:
+      fail-fast: false
+      matrix:
+        config:
+          - name: validating-admission-policy-reports
+            values:
+              - standard
+              - validating-admission-policy-reports
+        k8s-version:
+          - name: v1.26
+            version: v1.26.6
+          - name: v1.27
+            version: v1.27.3
+        tests:
+          - validating-admission-policy-reports
+    needs: prepare-images
+    name: chainsaw - ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Setup caches
+        uses: ./.github/actions/setup-caches
+        timeout-minutes: 5
+        continue-on-error: true
+        with:
+          build-cache-key: run-conformance
+      - name: Setup build env
+        uses: ./.github/actions/setup-build-env
+        timeout-minutes: 10
+      - name: Create kind cluster
+        shell: bash
+        run: |
+          set -e
+          export KIND_IMAGE=kindest/node:${{ matrix.k8s-version.version }}
+          export KIND_CONFIG=vap-v1alpha1
+          make kind-create-cluster
+      - name: Download kyverno images archive
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: kyverno.tar
+      - name: Load kyverno images archive in kind cluster
+        shell: bash
+        run: |
+          set -e
+          make kind-load-image-archive
+      - name: Install kyverno
+        shell: bash
+        run: |
+          set -e
+          export USE_CONFIG=${{ join(matrix.config.values, ',') }}
+          make kind-install-kyverno
+      - name: Wait for kyverno ready
+        uses: ./.github/actions/kyverno-wait-ready
+      - name: Install Chainsaw
+        uses: kyverno/chainsaw/.github/actions/install@704abd5ea8fd74189e1192733a879a00a7d527f5 # main
+        with:
+          release: v0.0.6-alpha.4
+      - name: Test with Chainsaw
+        shell: bash
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -e
+          chainsaw test  --config ./test/conformance/chainsaw/_config/common.yaml --test-dir ./test/conformance/chainsaw/${{ matrix.tests }} --no-color=false
+      - name: Debug failure
+        if: failure()
+        uses: ./.github/actions/kyverno-logs
+
+  chainsaw-validatingadmissionpolicies-reports-v1beta1:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: read
+    strategy:
+      fail-fast: false
+      matrix:
+        config:
+          - name: validating-admission-policy-reports
+            values:
+              - standard
+              - validating-admission-policy-reports
+        k8s-version:
+          - name: v1.28
+            version: v1.28.0
+        tests:
+          - validating-admission-policy-reports
+    needs: prepare-images
+    name: chainsaw - ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Setup caches
+        uses: ./.github/actions/setup-caches
+        timeout-minutes: 5
+        continue-on-error: true
+        with:
+          build-cache-key: run-conformance
+      - name: Setup build env
+        uses: ./.github/actions/setup-build-env
+        timeout-minutes: 10
+      - name: Create kind cluster
+        shell: bash
+        run: |
+          set -e
+          export KIND_IMAGE=kindest/node:${{ matrix.k8s-version.version }}
+          export KIND_CONFIG=vap-v1beta1
+          make kind-create-cluster
+      - name: Download kyverno images archive
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: kyverno.tar
+      - name: Load kyverno images archive in kind cluster
+        shell: bash
+        run: |
+          set -e
+          make kind-load-image-archive
+      - name: Install kyverno
+        shell: bash
+        run: |
+          set -e
+          export USE_CONFIG=${{ join(matrix.config.values, ',') }}
+          make kind-install-kyverno
+      - name: Wait for kyverno ready
+        uses: ./.github/actions/kyverno-wait-ready
+      - name: Install Chainsaw
+        uses: kyverno/chainsaw/.github/actions/install@704abd5ea8fd74189e1192733a879a00a7d527f5 # main
+        with:
+          release: v0.0.6-alpha.4
+      - name: Test with Chainsaw
+        shell: bash
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -e
+          chainsaw test  --config ./test/conformance/chainsaw/_config/common.yaml --test-dir ./test/conformance/chainsaw/${{ matrix.tests }} --no-color=false
+      - name: Debug failure
+        if: failure()
+        uses: ./.github/actions/kyverno-logs
+
   # runs conformance test suites with configuration:
   ttl:
     runs-on: ubuntu-latest

test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/01-deployment.yaml

@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+  name: deployment
+spec:
+  try:
+  - apply:
+      file: deployment.yaml
+  - assert:
+      file: deployment-assert.yaml

test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/02-policy.yaml

@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+  name: policy
+spec:
+  try:
+  - apply:
+      file: policy.yaml
+  - assert:
+      file: policy.yaml

test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/03-report.yaml

@@ -0,0 +1,8 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+  name: report
+spec:
+  try:
+  - assert:
+      file: report-assert.yaml

test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/README.md

@@ -0,0 +1,8 @@
+# Title
+
+This test creates a deployment with four replicas.
+It then creates a validating admission policy that checks the replicas of the deployment.
+
+## Expected Behavior
+
+The deployment is created and a policy report is generated for it with a fail result.

test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/deployment-assert.yaml

@@ -0,0 +1,4 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment-fail

test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/deployment.yaml

@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment-fail
+spec:
+  replicas: 4
+  selector:
+    matchLabels:
+      app: app
+  template:
+    metadata:
+      labels:
+        app: app
+    spec:
+      containers:
+      - name: container2
+        image: nginx

test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/policy.yaml

@@ -0,0 +1,14 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: check-deployment-replicas-02
+spec:
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments"]
+  validations:
+    - expression: "object.spec.replicas <= 3"
+      message: "Deployment spec.replicas must be less than 3."

test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-fail/report-assert.yaml

@@ -0,0 +1,13 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+  ownerReferences:
+  - apiVersion: apps/v1
+    kind: Deployment
+    name: deployment-fail
+summary:
+  error: 0
+  fail: 1
+  pass: 0
+  skip: 0
+  warn: 0

test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/01-deployment.yaml

@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+  name: deployment
+spec:
+  try:
+  - apply:
+      file: deployment.yaml
+  - assert:
+      file: deployment-assert.yaml

test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/02-policy.yaml

@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+  name: policy
+spec:
+  try:
+  - apply:
+      file: policy.yaml
+  - assert:
+      file: policy.yaml

test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/03-report.yaml

@@ -0,0 +1,8 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+  name: report
+spec:
+  try:
+  - assert:
+      file: report-assert.yaml

test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/README.md

@@ -0,0 +1,8 @@
+# Title
+
+This test creates a deployment with two replicas.
+It then creates a validating admission policy that checks the replicas of the deployment.
+
+## Expected Behavior
+
+The deployment is created and a policy report is generated for it with a pass result.

test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/deployment-assert.yaml

@@ -0,0 +1,4 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment-pass

test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/deployment.yaml

@@ -0,0 +1,17 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment-pass
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: app
+  template:
+    metadata:
+      labels:
+        app: app
+    spec:
+      containers:
+      - name: container2
+        image: nginx

test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/policy.yaml

@@ -0,0 +1,14 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: check-deployment-replicas-01
+spec:
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments"]
+  validations:
+    - expression: "object.spec.replicas <= 3"
+      message: "Deployment spec.replicas must be less than 3."

test/conformance/chainsaw/validating-admission-policy-reports/background/validating-admission-policy-pass/report-assert.yaml

@@ -0,0 +1,13 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+  ownerReferences:
+  - apiVersion: apps/v1
+    kind: Deployment
+    name: deployment-pass
+summary:
+  error: 0
+  fail: 0
+  pass: 1
+  skip: 0
+  warn: 0

test/conformance/chainsaw/validating-admission-policy-reports/events/01-deployment.yaml

@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+  name: deployment
+spec:
+  try:
+  - apply:
+      file: deployment.yaml
+  - assert:
+      file: deployment-assert.yaml

test/conformance/chainsaw/validating-admission-policy-reports/events/02-policy.yaml

@@ -0,0 +1,10 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+  name: policy
+spec:
+  try:
+  - apply:
+      file: policy.yaml
+  - assert:
+      file: policy.yaml

test/conformance/chainsaw/validating-admission-policy-reports/events/03-event.yaml

@@ -0,0 +1,8 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: TestStep
+metadata:
+  name: event
+spec:
+  try:
+  - assert:
+      file: policy-event.yaml

test/conformance/chainsaw/validating-admission-policy-reports/events/README.md

@@ -0,0 +1,12 @@
+# Title
+
+This test checks for generated events when applying ValidatingAdmissionPolicies.
+
+## Expected Behavior
+
+
+This test creates a deployment with 4 replicas that violates the policy. It verifies policy violation events generation for the ValidatingAdmissionPolicy and the Deployment.
+
+## Reference Issues
+
+https://github.com/kyverno/kyverno/issues/8781

test/conformance/chainsaw/validating-admission-policy-reports/events/deployment-assert.yaml

@@ -0,0 +1,4 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment-fail-01

test/conformance/chainsaw/validating-admission-policy-reports/events/deployment.yaml

@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment-fail-01
+  labels:
+    app: nginx-1
+spec:
+  replicas: 4
+  selector:
+    matchLabels:
+      app: nginx-1
+  template:
+    metadata:
+      labels:
+        app: nginx-1
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        ports:
+        - containerPort: 80

test/conformance/chainsaw/validating-admission-policy-reports/events/policy-event.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Event
+metadata:
+  namespace: default
+involvedObject:
+  kind: ValidatingAdmissionPolicy
+  name: check-deployment-replicas-vap
+reason: PolicyViolation
+action: Resource Passed
+reportingComponent: kyverno-scan
+type: Warning

test/conformance/chainsaw/validating-admission-policy-reports/events/policy.yaml

@@ -0,0 +1,14 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: check-deployment-replicas-vap
+spec:
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments"]
+  validations:
+    - expression: "object.spec.replicas <= 3"
+      message: "Deployment spec.replicas must be less than 3."