Complete all basic kuttl tests for generate rules, clone and no-sync (#5400)

* add pol-clone-nosync-create and pol-clone-nosync-invalid tests

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add pol-clone-nosync-delete-downstream

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add pol-clone-nosync-modify-downstream

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add pol-clone-nosync-delete-source

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add pol-clone-nosync-modify-source

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add pol-clone-nosync-delete-rule

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* add pol-clone-nosync-delete-policy

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

Signed-off-by: Chip Zoller <chipzoller@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-create/01-create.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- manifests.yaml
+assert:
+- policy-ready.yaml

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-create/02-resource.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- create-cm.yaml
+assert:
+- cloned-secret.yaml

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-create/99-cleanup.yaml

@@ -0,0 +1,5 @@
+# This clean-up stage is necessary because of https://github.com/kyverno/kyverno/issues/5101
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete ur -A --all

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-create/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test checks the basic creation behavior of a generate rule in a Policy (Namespaced) using a clone declaration with synchronize disabled.
+
+## Expected Behavior
+
+A resource should be generated via clone in the same Namespace as where the Policy is created. If the resource is created, the test passes. If the resource is not, the test fails.
+
+## Reference Issue(s)
+
+N/A

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-create/cloned-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: newsecret
+  namespace: default
+type: Opaque

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-create/create-cm.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mycm
+  namespace: default
+data:
+  food: cheese
+  day: monday
+  color: red

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-create/manifests.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: default
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-nosync-create-policy
+  namespace: default
+spec:
+  rules:
+  - name: pol-clone-nosync-create-rule
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: newsecret
+      namespace: default
+      synchronize: false
+      clone:
+        name: regcred
+        namespace: default

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-create/policy-ready.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-nosync-create-policy
+  namespace: default
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/01-create.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- manifests.yaml
+assert:
+- policy-ready.yaml

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/02-resource.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- create-cm.yaml
+assert:
+- cloned-secret.yaml

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/03-delete-downstream.yaml

@@ -0,0 +1,7 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: v1
+  kind: Secret
+  name: newsecret
+  namespace: default

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/04-sleep.yaml

@@ -0,0 +1,5 @@
+# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 5

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/05-errors.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: newsecret
+  namespace: default

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/99-cleanup.yaml

@@ -0,0 +1,5 @@
+# This clean-up stage is necessary because of https://github.com/kyverno/kyverno/issues/5101
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete ur -A --all

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that deletion of a downstream (generated) resource resulting from a Policy (Namespaced) generate rule, clone declaration, with sync disabled, does NOT result the downstream resource's recreation.
+
+## Expected Behavior
+
+The deleted downstream resource should remain deleted. If it is not recreated, the test passes. If it is cloned again from source, the test fails.
+
+## Reference Issue(s)
+
+N/A

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/cloned-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: newsecret
+  namespace: default
+type: Opaque

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/create-cm.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mycm
+  namespace: default
+data:
+  food: cheese
+  day: monday
+  color: red

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/manifests.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: default
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-nosync-create-policy
+  namespace: default
+spec:
+  rules:
+  - name: pol-clone-nosync-create-rule
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: newsecret
+      namespace: default
+      synchronize: false
+      clone:
+        name: regcred
+        namespace: default

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-downstream/policy-ready.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-nosync-create-policy
+  namespace: default
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/01-create.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- manifests.yaml
+assert:
+- policy-ready.yaml

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/02-resource.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- create-cm.yaml
+assert:
+- cloned-secret.yaml

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/03-delete-policy.yaml

@@ -0,0 +1,7 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: kyverno.io/v2beta1
+  kind: Policy
+  name: pol-clone-nosync-delete-policy
+  namespace: default

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/04-sleep.yaml

@@ -0,0 +1,5 @@
+# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 5

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/05-assert.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: newsecret
+  namespace: default

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/99-cleanup.yaml

@@ -0,0 +1,5 @@
+# This clean-up stage is necessary because of https://github.com/kyverno/kyverno/issues/5101
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete ur -A --all

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that deletion of a Policy (Namespaced) generate rule, clone declaration, with sync disabled, does NOT result in the downstream resource's deletion.
+
+## Expected Behavior
+
+The downstream (generated) resource is expected to remain if the Policy is deleted. If it is not deleted, the test passes. If it is deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/cloned-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: newsecret
+  namespace: default
+type: Opaque

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/create-cm.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mycm
+  namespace: default
+data:
+  food: cheese
+  day: monday
+  color: red

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/manifests.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: default
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-nosync-delete-policy
+  namespace: default
+spec:
+  rules:
+  - name: pol-clone-nosync-delete-policy-cm
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: newsecret
+      namespace: default
+      synchronize: false
+      clone:
+        name: regcred
+        namespace: default

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-policy/policy-ready.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-nosync-delete-policy
+  namespace: default
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/01-create.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- manifests.yaml
+assert:
+- policy-ready.yaml

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/02-resource.yaml

@@ -0,0 +1,7 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- create-cm.yaml
+assert:
+- cloned-secret.yaml
+- cloned-limitrange.yaml

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/03-delete-rule.yaml

@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-nosync-delete-rule
+  namespace: default
+spec:
+  rules:
+  - name: pol-clone-nosync-delete-rule-lr
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    generate:
+      apiVersion: v1
+      kind: LimitRange
+      name: genlr
+      namespace: default
+      synchronize: false
+      clone:
+        name: sourcelr
+        namespace: default

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/04-sleep.yaml

@@ -0,0 +1,5 @@
+# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 5

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/05-assert.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: newsecret
+  namespace: default
+---
+apiVersion: v1
+kind: LimitRange
+metadata:
+  name: genlr
+  namespace: default

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/99-cleanup.yaml

@@ -0,0 +1,5 @@
+# This clean-up stage is necessary because of https://github.com/kyverno/kyverno/issues/5101
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete ur -A --all

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that deletion of a rule in a Policy (Namespaced) generate rule, clone declaration, with sync disabled, does NOT result in the downstream resource's deletion.
+
+## Expected Behavior
+
+The downstream (generated) resource is expected to remain if the corresponding rule within a Policy is deleted. If it is not deleted, the test passes. If it is deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/cloned-limitrange.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: LimitRange
+metadata:
+  name: genlr
+  namespace: default

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/cloned-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: newsecret
+  namespace: default
+type: Opaque

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/create-cm.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mycm
+  namespace: default
+data:
+  food: cheese
+  day: monday
+  color: red

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/manifests.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: default
+type: Opaque
+---
+apiVersion: v1
+kind: LimitRange
+metadata:
+  name: sourcelr
+  namespace: default
+spec:
+  limits:
+  - type: Container
+    default:
+      cpu: 500m
+    defaultRequest:
+      cpu: 500m
+    max:
+      cpu: "1"
+    min:
+      cpu: 100m
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-nosync-delete-rule
+  namespace: default
+spec:
+  rules:
+  - name: pol-clone-nosync-delete-rule-cm
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: newsecret
+      namespace: default
+      synchronize: false
+      clone:
+        name: regcred
+        namespace: default
+  - name: pol-clone-nosync-delete-rule-lr
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    generate:
+      apiVersion: v1
+      kind: LimitRange
+      name: genlr
+      namespace: default
+      synchronize: false
+      clone:
+        name: sourcelr
+        namespace: default

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-rule/policy-ready.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-nosync-delete-rule
+  namespace: default
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/01-create.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- manifests.yaml
+assert:
+- policy-ready.yaml

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/02-resource.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- create-cm.yaml
+assert:
+- cloned-secret.yaml

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/03-delete-source.yaml

@@ -0,0 +1,7 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: v1
+  kind: Secret
+  name: regcred
+  namespace: default

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/04-sleep.yaml

@@ -0,0 +1,5 @@
+# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 5

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/05-assert.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: newsecret
+  namespace: default

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/99-cleanup.yaml

@@ -0,0 +1,5 @@
+# This clean-up stage is necessary because of https://github.com/kyverno/kyverno/issues/5101
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete ur -A --all

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that deletion of the source (upstream) resource used by a Policy (Namespaced) generate rule, clone declaration, with sync disabled, does NOT result in the downstream resource's deletion.
+
+## Expected Behavior
+
+The deleted downstream resource should remain in place. If it is still present after the source deletion, the test passes. If it is deleted, the test fails.
+
+## Reference Issue(s)
+
+N/A

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/cloned-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: newsecret
+  namespace: default
+type: Opaque

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/create-cm.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mycm
+  namespace: default
+data:
+  food: cheese
+  day: monday
+  color: red

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/manifests.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: default
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-nosync-delete-source
+  namespace: default
+spec:
+  rules:
+  - name: pol-clone-nosync-create-rule
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: newsecret
+      namespace: default
+      synchronize: false
+      clone:
+        name: regcred
+        namespace: default

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-delete-source/policy-ready.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-nosync-delete-source
+  namespace: default
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/01-script-try-create1.yaml

@@ -0,0 +1,13 @@
+## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+    if kubectl apply -f policy1.yaml
+    then 
+      echo "Tested failed. Policy was created when it shouldn't have been."
+      exit 1 
+    else 
+      echo "Test succeeded. Policy was not created as intended."
+      exit 0
+    fi

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/02-script-try-create2.yaml

@@ -0,0 +1,13 @@
+## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+    if kubectl apply -f policy2.yaml
+    then 
+      echo "Tested failed. Policy was created when it shouldn't have been."
+      exit 1 
+    else 
+      echo "Test succeeded. Policy was not created as intended."
+      exit 0
+    fi

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test performs two checks to ensure that a "bad" Policy, one in which a user may attempt to cross-Namespace clone a resource, is blocked from creation. The first variant attempts to clone a Secret from an outside Namespace into the Namespace where the Policy is defined. The second variant inverts this to try and clone a Secret co-located in the same Namespace as the Policy to an outside Namespace. Both of these are invalid and must be blocked.
+
+## Expected Behavior
+
+Both "bad" (invalid) Policy should fail to be created. If all the creations are blocked, the test succeeds. If any creation is allowed, the test fails.
+
+## Reference Issue(s)
+
+5099

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/policy1.yaml

@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-nosync-invalid
+  namespace: default
+spec:
+  rules:
+  - name: pol-clone-nosync-invalid-rule
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: newsecret
+      namespace: default
+      synchronize: false
+      clone:
+        name: regcred
+        namespace: foo

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-invalid/policy2.yaml

@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-nosync-invalid
+  namespace: default
+spec:
+  rules:
+  - name: pol-clone-nosync-invalid-rule
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: newsecret
+      namespace: foo
+      synchronize: false
+      clone:
+        name: regcred
+        namespace: default

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/01-create.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- manifests.yaml
+assert:
+- policy-ready.yaml

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/02-resource.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- create-cm.yaml
+assert:
+- cloned-secret.yaml

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/03-modify-downstream.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: dGhpc2hhc2JlZW5tb2RpZmllZA==
+kind: Secret
+metadata:
+  name: newsecret
+  namespace: default
+type: Opaque

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/04-sleep.yaml

@@ -0,0 +1,5 @@
+# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 5

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/05-assert.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: dGhpc2hhc2JlZW5tb2RpZmllZA==
+kind: Secret
+metadata:
+  name: newsecret
+  namespace: default
+type: Opaque

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/99-cleanup.yaml

@@ -0,0 +1,5 @@
+# This clean-up stage is necessary because of https://github.com/kyverno/kyverno/issues/5101
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete ur -A --all

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that modification of a downstream (generated) resource resulting from a Policy (Namespaced) generate rule, clone declaration, with sync disabled, does NOT result in those modifications being reverted with the contents of the source resource.
+
+## Expected Behavior
+
+The downstream resource, once modified, should remain as-is. If it remains as-is based on the last modification, the test passes. If it is anything else than how it was last modified, the test fails.
+
+## Reference Issue(s)
+
+N/A

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/cloned-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: newsecret
+  namespace: default
+type: Opaque

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/create-cm.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mycm
+  namespace: default
+data:
+  food: cheese
+  day: monday
+  color: red

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/manifests.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: default
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-nosync-modify-downstream
+  namespace: default
+spec:
+  rules:
+  - name: pol-clone-nosync-modify-downstream-rule
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: newsecret
+      namespace: default
+      synchronize: false
+      clone:
+        name: regcred
+        namespace: default

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-downstream/policy-ready.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-nosync-modify-downstream
+  namespace: default
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/01-create.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- manifests.yaml
+assert:
+- policy-ready.yaml

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/02-resource.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- create-cm.yaml
+assert:
+- cloned-secret.yaml

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/03-modify-source.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: dGhpc2hhc2JlZW5tb2RpZmllZA==
+kind: Secret
+metadata:
+  name: regcred
+  namespace: default
+type: Opaque

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/04-sleep.yaml

@@ -0,0 +1,5 @@
+# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 5

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/05-assert.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: newsecret
+  namespace: default
+type: Opaque

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/99-cleanup.yaml

@@ -0,0 +1,5 @@
+# This clean-up stage is necessary because of https://github.com/kyverno/kyverno/issues/5101
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl delete ur -A --all

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test checks to ensure that modification of a source (upstream) resource used by a Policy (Namespaced) generate rule, clone declaration, with sync disabled, does NOT result in those modifications being synced to the downstream resource.
+
+## Expected Behavior
+
+The source resource, once modified, should not cause any cloned (downstream) resources to be changed. If the downstream resource remains as-is, the test passes. If it is anything else other than how it looked when originally created, the test fails.
+
+## Reference Issue(s)
+
+N/A

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/cloned-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: newsecret
+  namespace: default
+type: Opaque

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/create-cm.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mycm
+  namespace: default
+data:
+  food: cheese
+  day: monday
+  color: red

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/manifests.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+data:
+  foo: YmFy
+kind: Secret
+metadata:
+  name: regcred
+  namespace: default
+type: Opaque
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-nosync-modify-source
+  namespace: default
+spec:
+  rules:
+  - name: pol-clone-nosync-modify-source-rule
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: newsecret
+      namespace: default
+      synchronize: false
+      clone:
+        name: regcred
+        namespace: default

test/conformance/kuttl/generate/policy/standard/clone/nosync/pol-clone-nosync-modify-source/policy-ready.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-clone-nosync-modify-source
+  namespace: default
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready