Add most basic kuttl tests for generate rules, clone and sync (#5413)

- add pol-clone-nosync-create and pol-clone-nosync-invalid tests
- add pol-clone-nosync-delete-downstream
- add pol-clone-nosync-modify-downstream
- add pol-clone-nosync-delete-source
- add pol-clone-nosync-modify-source
- add pol-clone-nosync-delete-rule
- add pol-clone-nosync-delete-policy
- add cpol-clone-sync-delete-rule
- add cpol-clone-sync-delete-policy
- add (but disabled) cpol-clone-sync-modify-source
- fix and move back cpol-clone-sync-modify-source
- add cpol-clone-sync-delete-source
- add cpol-clone-sync-modify-downstream
- add pol-clone-sync-invalid
- add pol-clone-sync-delete-rule
- add pol-clone-sync-delete-policy
- introduce pre-test sleep for Namespace deletion

Signed-off-by: Chip Zoller <chipzoller@gmail.com>
Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/00-sleep.yaml

@@ -0,0 +1,5 @@
+# A pre-test sleep is needed here due to https://github.com/kudobuilder/kuttl/pull/422
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 5

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-ready.yaml

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/02-resource.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- ns.yaml
+assert:
+- cloned.yaml

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/03-delete.yaml

@@ -0,0 +1,7 @@
+# Specifying the kind as `TestStep` performs certain behaviors like this delete operation.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: kyverno.io/v2beta1
+  kind: ClusterPolicy
+  name: cpol-clone-sync-delete-policy

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/04-sleep.yaml

@@ -0,0 +1,5 @@
+# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 5

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/05-assert.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: myfoons
+type: Opaque

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/99-cleanup.yaml

@@ -0,0 +1,5 @@
+# This clean-up stage is necessary because of https://github.com/kyverno/kyverno/issues/5101
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete ur -A --all

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that deletion of a ClusterPolicy, with a generate rule using clone and sync, does NOT cause the downstream resource to be deleted.
+
+## Expected Behavior
+
+Once the ClusterPolicy is deleted, the downstream resource is expected to remain. If it does remain, the test passes. If it gets deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/cloned.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: myfoons
+type: Opaque

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/ns.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: myfoons

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/policy-ready.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: cpol-clone-sync-delete-policy
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-policy/policy.yaml

@@ -0,0 +1,38 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: cpol-clone-sync-delete-policy
+spec:
+  rules:
+  - name: cpol-clone-sync-delete-policy-secret
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: regcred
+      namespace: "{{request.object.metadata.name}}"
+      synchronize: true
+      clone:
+        namespace: default
+        name: regcred
+---
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: default
+type: Opaque
+---
+apiVersion: v1
+data:
+  color: yellow
+kind: ConfigMap
+metadata:
+  namespace: default
+  name: mytestcm

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/00-sleep.yaml

@@ -0,0 +1,5 @@
+# A pre-test sleep is needed here due to https://github.com/kudobuilder/kuttl/pull/422
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 5

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-ready.yaml

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/02-resource.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- ns.yaml
+assert:
+- cloned.yaml

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/03-removerule.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- singlerule.yaml
+assert:
+- check.yaml

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/99-cleanup.yaml

@@ -0,0 +1,5 @@
+# This clean-up stage is necessary because of https://github.com/kyverno/kyverno/issues/5101
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete ur -A --all

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that deletion of a rule within a policy containing multiple rules, with a generate rule using clone and sync, does NOT cause the downstream resource to be deleted.
+
+## Expected Behavior
+
+Once the rule is deleted, the downstream resource is expected to remain. If it does remain, the test passes. If it gets deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/check.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: myfoons
+type: Opaque
+---
+apiVersion: v1
+data:
+  color: yellow
+kind: ConfigMap
+metadata:
+  namespace: myfoons
+  name: mytestcm

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/cloned.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: myfoons
+type: Opaque
+---
+apiVersion: v1
+data:
+  color: yellow
+kind: ConfigMap
+metadata:
+  namespace: myfoons
+  name: mytestcm

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/ns.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: myfoons

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/policy-ready.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: cpol-clone-sync-delete-rule
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/policy.yaml

@@ -0,0 +1,53 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: cpol-clone-sync-delete-rule
+spec:
+  rules:
+  - name: cpol-clone-sync-delete-rule-secret
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: regcred
+      namespace: "{{request.object.metadata.name}}"
+      synchronize: true
+      clone:
+        namespace: default
+        name: regcred
+  - name: cpol-clone-sync-delete-rule-cm
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    generate:
+      apiVersion: v1
+      kind: ConfigMap
+      name: mytestcm
+      namespace: "{{request.object.metadata.name}}"
+      synchronize: true
+      clone:
+        namespace: default
+        name: mytestcm
+---
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: default
+type: Opaque
+---
+apiVersion: v1
+data:
+  color: yellow
+kind: ConfigMap
+metadata:
+  namespace: default
+  name: mytestcm

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-rule/singlerule.yaml

@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: cpol-clone-sync-delete-rule
+spec:
+  rules:
+  - name: cpol-clone-sync-delete-rule-cm
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    generate:
+      apiVersion: v1
+      kind: ConfigMap
+      name: mytestcm
+      namespace: "{{request.object.metadata.name}}"
+      synchronize: true
+      clone:
+        namespace: default
+        name: mytestcm

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/00-sleep.yaml

@@ -0,0 +1,5 @@
+# A pre-test sleep is needed here due to https://github.com/kudobuilder/kuttl/pull/422
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 5

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-ready.yaml

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/02-resource.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- ns.yaml
+assert:
+- cloned.yaml

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/03-deletesource.yaml

@@ -0,0 +1,7 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: v1
+  kind: Secret
+  name: regcred
+  namespace: default

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/04-sleep.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 5

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/05-assert.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: myfoons
+type: Opaque

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/99-cleanup.yaml

@@ -0,0 +1,5 @@
+# This clean-up stage is necessary because of https://github.com/kyverno/kyverno/issues/5101
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete ur -A --all

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that deletion of the source (upstream) resource used by a ClusterPolicy `generate` rule with sync enabled using a clone declaration does NOT cause deletion of downstream/cloned resources.
+
+## Expected Behavior
+
+After the source is deleted, the downstream resources should remain. If the downstream resource remains, the test passes. If the downstream resource is deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/cloned.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: myfoons
+type: Opaque

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/ns.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: myfoons

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/policy-ready.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: cpol-clone-sync-delete-source
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-delete-source/policy.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: default
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: cpol-clone-sync-delete-source
+spec:
+  rules:
+  - name: cpol-clone-sync-delete-source-secret
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: regcred
+      namespace: "{{request.object.metadata.name}}"
+      synchronize: true
+      clone:
+        namespace: default
+        name: regcred
+---

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/00-sleep.yaml

@@ -0,0 +1,5 @@
+# A pre-test sleep is needed here due to https://github.com/kudobuilder/kuttl/pull/422
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 5

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-ready.yaml

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/02-resource.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- ns.yaml
+assert:
+- cloned.yaml

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/03-modifydownstream.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- editeddownstream.yaml
+assert:
+- origsecret.yaml

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/99-cleanup.yaml

@@ -0,0 +1,5 @@
+# This clean-up stage is necessary because of https://github.com/kyverno/kyverno/issues/5101
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete ur -A --all

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that modification of the downstream (cloned/generated) resource used by a ClusterPolicy `generate` rule with sync enabled using a clone declaration causes those changes to be reverted and synchronized from the state of the upstream/source.
+
+## Expected Behavior
+
+After the downstream resource is modified, the changes should be reverted after synchronization occurs. If the downstream resource is synced with the state of the source resource, the test passes. If the downstream resource remains in a modified state, the test fails.
+
+## Reference Issue(s)
+
+N/A

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/cloned.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: myfoons
+type: Opaque

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/editeddownstream.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: bm90YmFjaGhlcmU=
+kind: Secret
+metadata:
+  name: regcred
+  namespace: myfoons
+type: Opaque

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/ns.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: myfoons

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/origsecret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: myfoons
+type: Opaque

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/policy-ready.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: cpol-clone-sync-modify-downstream
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-downstream/policy.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: default
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: cpol-clone-sync-modify-downstream
+spec:
+  rules:
+  - name: cpol-clone-sync-modify-downstream-secret
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: regcred
+      namespace: "{{request.object.metadata.name}}"
+      synchronize: true
+      clone:
+        namespace: default
+        name: regcred
+---

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/01-policy.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-ready.yaml

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/02-resource.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- ns.yaml
+assert:
+- cloned.yaml

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/03-modifysource.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- editedsource.yaml
+assert:
+- updatedsecret.yaml

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/99-cleanup.yaml

@@ -0,0 +1,5 @@
+# This clean-up stage is necessary because of https://github.com/kyverno/kyverno/issues/5101
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete ur -A --all

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test ensures that modification of the source (upstream) resource used by a ClusterPolicy `generate` rule with sync enabled using a clone declaration causes those changes to be synced/propagated downstream.
+
+## Expected Behavior
+
+After the source is modified, the downstream resources should be synced to reflect those modifications. If the downstream resource reflects the changes made to the source, the test passes. If the downstream resource remains unsynced, the test fails.
+
+## Reference Issue(s)
+
+5411

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/cloned.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: myfoons
+type: Opaque

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/editedsource.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: aGVyZWFyZXNvbWVjb29sY2hhbmdlcw==
+kind: Secret
+metadata:
+  name: regcred
+  namespace: default
+type: Opaque

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/ns.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: myfoons

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/policy-ready.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: cpol-clone-sync-modify-source
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/policy.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: default
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: cpol-clone-sync-modify-source
+spec:
+  rules:
+  - name: cpol-clone-sync-modify-source-secret
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: regcred
+      namespace: "{{request.object.metadata.name}}"
+      synchronize: true
+      clone:
+        namespace: default
+        name: regcred
+---

test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync/cpol-clone-sync-modify-source/updatedsecret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: aGVyZWFyZXNvbWVjb29sY2hhbmdlcw==
+kind: Secret
+metadata:
+  name: regcred
+  namespace: myfoons
+type: Opaque

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-create/99-cleanup.yaml

@@ -2,4 +2,6 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
-  - command: kubectl delete ur -A --all
+  - script: |
+      kubectl delete ur -A --all
+      kubectl delete -f cloned-secret.yaml --ignore-not-found=true

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/99-cleanup.yaml

@@ -2,4 +2,6 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
-  - command: kubectl delete ur -A --all
+  - script: |
+      kubectl delete ur -A --all
+      kubectl delete -f cloned-secret.yaml --ignore-not-found=true

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/99-cleanup.yaml

@@ -2,4 +2,6 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
-  - command: kubectl delete ur -A --all
+  - script: |
+      kubectl delete ur -A --all
+      kubectl delete -f cloned-secret.yaml --ignore-not-found=true

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/99-cleanup.yaml

@@ -2,4 +2,6 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
-  - command: kubectl delete ur -A --all
+  - script: |
+      kubectl delete ur -A --all
+      kubectl delete -f cloned-secret.yaml,cloned-limitrange.yaml --ignore-not-found=true

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/99-cleanup.yaml

@@ -2,4 +2,6 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
-  - command: kubectl delete ur -A --all
+  - script: |
+      kubectl delete ur -A --all
+      kubectl delete -f cloned-secret.yaml --ignore-not-found=true

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/99-cleanup.yaml

@@ -2,4 +2,6 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
-  - command: kubectl delete ur -A --all
+  - script: |
+      kubectl delete ur -A --all
+      kubectl delete -f cloned-secret.yaml --ignore-not-found=true

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/99-cleanup.yaml

@@ -2,4 +2,6 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
-  - command: kubectl delete ur -A --all
+  - script: |
+      kubectl delete ur -A --all
+      kubectl delete -f cloned-secret.yaml --ignore-not-found=true

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/01-create.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- manifests.yaml
+assert:
+- policy-ready.yaml

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/02-resource.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- create-cm.yaml
+assert:
+- cloned-secret.yaml

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/03-delete-policy.yaml

@@ -0,0 +1,7 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: kyverno.io/v2beta1
+  kind: Policy
+  name: pol-clone-sync-delete-policy
+  namespace: default

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/04-sleep.yaml

@@ -0,0 +1,5 @@
+# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 5

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/05-assert.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: newsecret
+  namespace: default

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/99-cleanup.yaml

@@ -0,0 +1,5 @@
+# This clean-up stage is necessary because of https://github.com/kyverno/kyverno/issues/5101
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete ur -A --all

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that deletion of a Policy (Namespaced) generate rule, clone declaration, with sync enabled, does NOT result in the downstream resource's deletion.
+
+## Expected Behavior
+
+The downstream (generated) resource is expected to remain if the Policy is deleted. If it is not deleted, the test passes. If it is deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/cloned-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: newsecret
+  namespace: default
+type: Opaque

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/create-cm.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mycm
+  namespace: default
+data:
+  food: cheese
+  day: monday
+  color: red

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/manifests.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: default
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-sync-delete-policy
+  namespace: default
+spec:
+  rules:
+  - name: pol-clone-sync-delete-policy-cm
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: newsecret
+      namespace: default
+      synchronize: true
+      clone:
+        name: regcred
+        namespace: default

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-policy/policy-ready.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-sync-delete-policy
+  namespace: default
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/01-create.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- manifests.yaml
+assert:
+- policy-ready.yaml

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/02-resource.yaml

@@ -0,0 +1,7 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- create-cm.yaml
+assert:
+- cloned-secret.yaml
+- cloned-limitrange.yaml

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/03-delete-rule.yaml

@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-sync-delete-rule
+  namespace: default
+spec:
+  rules:
+  - name: pol-clone-sync-delete-rule-lr
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    generate:
+      apiVersion: v1
+      kind: LimitRange
+      name: genlr
+      namespace: default
+      synchronize: true
+      clone:
+        name: sourcelr
+        namespace: default

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/04-sleep.yaml

@@ -0,0 +1,5 @@
+# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 5

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/05-assert.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: newsecret
+  namespace: default
+---
+apiVersion: v1
+kind: LimitRange
+metadata:
+  name: genlr
+  namespace: default

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/99-cleanup.yaml

@@ -0,0 +1,5 @@
+# This clean-up stage is necessary because of https://github.com/kyverno/kyverno/issues/5101
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete ur -A --all

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that deletion of a rule in a Policy (Namespaced) generate rule, clone declaration, with sync enabled, does NOT result in the downstream resource's deletion.
+
+## Expected Behavior
+
+The downstream (generated) resource is expected to remain if the corresponding rule within a Policy is deleted. If it is not deleted, the test passes. If it is deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/cloned-limitrange.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: LimitRange
+metadata:
+  name: genlr
+  namespace: default

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/cloned-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: newsecret
+  namespace: default
+type: Opaque

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/create-cm.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mycm
+  namespace: default
+data:
+  food: cheese
+  day: monday
+  color: red

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/manifests.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: default
+type: Opaque
+---
+apiVersion: v1
+kind: LimitRange
+metadata:
+  name: sourcelr
+  namespace: default
+spec:
+  limits:
+  - type: Container
+    default:
+      cpu: 500m
+    defaultRequest:
+      cpu: 500m
+    max:
+      cpu: "1"
+    min:
+      cpu: 100m
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-sync-delete-rule
+  namespace: default
+spec:
+  rules:
+  - name: pol-clone-sync-delete-rule-cm
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: newsecret
+      namespace: default
+      synchronize: true
+      clone:
+        name: regcred
+        namespace: default
+  - name: pol-clone-nosync-delete-rule-lr
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    generate:
+      apiVersion: v1
+      kind: LimitRange
+      name: genlr
+      namespace: default
+      synchronize: false
+      clone:
+        name: sourcelr
+        namespace: default

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-delete-rule/policy-ready.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-sync-delete-rule
+  namespace: default
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-invalid/01-script-try-create1.yaml

@@ -0,0 +1,13 @@
+## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+    if kubectl apply -f policy1.yaml
+    then 
+      echo "Tested failed. Policy was created when it shouldn't have been."
+      exit 1 
+    else 
+      echo "Test succeeded. Policy was not created as intended."
+      exit 0
+    fi

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-invalid/02-script-try-create2.yaml

@@ -0,0 +1,13 @@
+## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+    if kubectl apply -f policy2.yaml
+    then 
+      echo "Tested failed. Policy was created when it shouldn't have been."
+      exit 1 
+    else 
+      echo "Test succeeded. Policy was not created as intended."
+      exit 0
+    fi

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-invalid/README.md

@@ -0,0 +1,13 @@
+## Description
+
+This test performs two checks to ensure that a "bad" Policy, one in which a user may attempt to cross-Namespace clone a resource, is blocked from creation. The first variant attempts to clone a Secret from an outside Namespace into the Namespace where the Policy is defined. The second variant inverts this to try and clone a Secret co-located in the same Namespace as the Policy to an outside Namespace. Both of these are invalid and must be blocked.
+
+This test is basically identical to a similar one in which sync is disabled and the results should be the same. In this test, the setting of `sync` is irrelevant yet is tested here for completeness.
+
+## Expected Behavior
+
+Both "bad" (invalid) Policy should fail to be created. If all the creations are blocked, the test succeeds. If any creation is allowed, the test fails.
+
+## Reference Issue(s)
+
+5099

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-invalid/policy1.yaml

@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-sync-invalid
+  namespace: default
+spec:
+  rules:
+  - name: pol-clone-sync-invalid-rule
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: newsecret
+      namespace: default
+      synchronize: true
+      clone:
+        name: regcred
+        namespace: foo

test/conformance/kuttl/generate/policy/standard/clone/sync/pol-clone-sync-invalid/policy2.yaml

@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-sync-invalid
+  namespace: default
+spec:
+  rules:
+  - name: pol-clone-sync-invalid-rule
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: newsecret
+      namespace: foo
+      synchronize: true
+      clone:
+        name: regcred
+        namespace: default

test/conformance/kuttl/kuttl-test.yaml

@@ -8,6 +8,10 @@ testDirs:
 - ./test/conformance/kuttl/generate/clusterpolicy/standard/clone/sync
 - ./test/conformance/kuttl/generate/clusterpolicy/standard/data/sync
 - ./test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync
+- ./test/conformance/kuttl/generate/policy/standard/clone/nosync
+- ./test/conformance/kuttl/generate/policy/standard/clone/sync
+# - ./test/conformance/kuttl/generate/policy/standard/data/sync
+# - ./test/conformance/kuttl/generate/policy/standard/data/nosync
 - ./test/conformance/kuttl/generate/clusterpolicy/cornercases
 # Mutate tests
 - ./test/conformance/kuttl/mutate/clusterpolicy/standard
@@ -16,6 +20,7 @@ testDirs:
 # Validate tests
 - ./test/conformance/kuttl/validate/clusterpolicy/standard/audit
 - ./test/conformance/kuttl/validate/clusterpolicy/standard/enforce
+- ./test/conformance/kuttl/validate/clusterpolicy/standard/wildcard
 - ./test/conformance/kuttl/validate/clusterpolicy/cornercases
 - ./test/conformance/kuttl/validate/cleanuppolicy
 # Verify image tests