chore: add tests that use spec.webhookConfiguration (#10526)

* chore: add tests that use spec.webhookConfiguration

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix chainsaw tests

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

api/kyverno/v1/spec_types.go

@@ -119,8 +119,8 @@ type Spec struct {
 	WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"`
 }
 
-func (s *Spec) CustomWebhookConfiguration() bool {
+func (s *Spec) CustomWebhookMatchConditions() bool {
-	return s.WebhookConfiguration != nil
+	return s.WebhookConfiguration != nil && len(s.WebhookConfiguration.MatchConditions) != 0
 }
 
 func (s *Spec) SetRules(rules []Rule) {

api/kyverno/v2beta1/spec_types.go

@@ -81,8 +81,8 @@ type Spec struct {
 	WebhookConfiguration *kyvernov1.WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"`
 }
 
-func (s *Spec) CustomWebhookConfiguration() bool {
+func (s *Spec) CustomWebhookMatchConditions() bool {
-	return s.WebhookConfiguration != nil
+	return s.WebhookConfiguration != nil && len(s.WebhookConfiguration.MatchConditions) != 0
 }
 
 func (s *Spec) SetRules(rules []Rule) {

pkg/controllers/policycache/controller.go

@@ -113,7 +113,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
 		}
 		return err
 	}
-	if policy.AdmissionProcessingEnabled() && !policy.GetSpec().CustomWebhookConfiguration() {
+	if policy.AdmissionProcessingEnabled() && !policy.GetSpec().CustomWebhookMatchConditions() {
 		if policy.IsReady() {
 			return c.cache.Set(key, policy, c.client.Discovery())
 		} else {

pkg/controllers/webhook/controller.go

@@ -702,7 +702,7 @@ func (c *controller) buildResourceMutatingWebhookConfiguration(ctx context.Conte
 			if p.AdmissionProcessingEnabled() {
 				spec := p.GetSpec()
 				if spec.HasMutateStandard() || spec.HasVerifyImages() {
-					if spec.CustomWebhookConfiguration() {
+					if spec.CustomWebhookMatchConditions() {
 						fineGrainedIgnore := newWebhookPerPolicy(c.defaultTimeout, ignore, cfg.GetMatchConditions(), p)
 						fineGrainedFail := newWebhookPerPolicy(c.defaultTimeout, fail, cfg.GetMatchConditions(), p)
 						if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore {
@@ -871,7 +871,7 @@ func (c *controller) buildResourceValidatingWebhookConfiguration(ctx context.Con
 			if p.AdmissionProcessingEnabled() {
 				spec := p.GetSpec()
 				if spec.HasValidate() || spec.HasGenerate() || spec.HasMutateExisting() || spec.HasVerifyImageChecks() || spec.HasVerifyManifests() {
-					if spec.CustomWebhookConfiguration() {
+					if spec.CustomWebhookMatchConditions() {
 						fineGrainedIgnore := newWebhookPerPolicy(c.defaultTimeout, ignore, cfg.GetMatchConditions(), p)
 						fineGrainedFail := newWebhookPerPolicy(c.defaultTimeout, fail, cfg.GetMatchConditions(), p)
 						if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore {

pkg/controllers/webhook/utils.go

@@ -65,7 +65,7 @@ func newWebhookPerPolicy(timeout int32, failurePolicy admissionregistrationv1.Fa
 		Namespace: policy.GetNamespace(),
 		Name:      policy.GetName(),
 	}
-	if policy.GetSpec().CustomWebhookConfiguration() {
+	if policy.GetSpec().CustomWebhookMatchConditions() {
 		webhook.matchConditions = policy.GetSpec().GetMatchConditions()
 	}
 	return webhook

pkg/validation/policy/validate.go

@@ -133,7 +133,7 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
 	spec := policy.GetSpec()
 	background := spec.BackgroundProcessingEnabled()
 	mutateExistingOnPolicyUpdate := spec.GetMutateExistingOnPolicyUpdate()
-	if policy.GetSpec().CustomWebhookConfiguration() &&
+	if policy.GetSpec().CustomWebhookMatchConditions() &&
 		!kubeutils.HigherThanKubernetesVersion(client.GetKubeClient().Discovery(), logging.GlobalLogger(), 1, 27, 0) {
 		return warnings, fmt.Errorf("custom webhook configurations are only supported in kubernetes version 1.27.0 and above")
 	}

test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/README.md

@@ -0,0 +1,7 @@
+## Description
+
+This test creates a policy with `failurePolicy: Fail` but the configuration has `forceWebhookFailurePolicyIgnore: true`.
+
+## Expected Behavior
+
+Webhooks should be configured with `failurePolicy: Ignore` regardless of the failure policy configured in the policies.

test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/chainsaw-test.yaml

@@ -0,0 +1,17 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: fail
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
+  - name: step-02
+    try:
+    - assert:
+        file: webhooks-assert.yaml

test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/policy-assert.yaml

@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-labels
+status:
+  conditions:
+    - reason: Succeeded
+      status: "True"
+      type: Ready
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-labels
+status:
+  conditions:
+    - reason: Succeeded
+      status: "True"
+      type: Ready

test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/policy.yaml

@@ -0,0 +1,47 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-labels
+  annotations:
+    pod-policies.kyverno.io/autogen-controllers: none
+spec:
+  failurePolicy: Fail
+  validationFailureAction: Enforce
+  background: false
+  rules:
+    - name: require-team
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: 'The label `team` is required.'
+        pattern:
+          metadata:
+            labels:
+              team: '?*'
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-labels
+spec:
+  failurePolicy: Fail
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: add-labels
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+          - Service
+          - ConfigMap
+          - Secret
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          labels:
+            foo: bar

test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/webhooks-assert.yaml

@@ -0,0 +1,39 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    webhook.kyverno.io/managed-by: kyverno
+  name: kyverno-resource-validating-webhook-cfg
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: kyverno-svc
+      namespace: kyverno
+      path: /validate/ignore
+      port: 443
+  failurePolicy: Ignore
+  matchPolicy: Equivalent
+  name: validate.kyverno.svc-ignore
+  sideEffects: NoneOnDryRun
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  labels:
+    webhook.kyverno.io/managed-by: kyverno
+  name: kyverno-resource-mutating-webhook-cfg
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: kyverno-svc
+      namespace: kyverno
+      path: /mutate/ignore
+      port: 443
+  failurePolicy: Ignore
+  matchPolicy: Equivalent
+  name: mutate.kyverno.svc-ignore
+  sideEffects: NoneOnDryRun

test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/policy.yaml

@@ -5,7 +5,6 @@ metadata:
   annotations:
     pod-policies.kyverno.io/autogen-controllers: none
 spec:
-  failurePolicy: Fail
   validationFailureAction: Enforce
   background: false
   rules:
@@ -21,13 +20,14 @@ spec:
           metadata:
             labels:
               team: '?*'
+  webhookConfiguration:
+    failurePolicy: Fail
 ---
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
   name: add-labels
 spec:
-  failurePolicy: Fail
   validationFailureAction: Enforce
   background: false
   rules:
@@ -45,3 +45,5 @@ spec:
         metadata:
           labels:
             foo: bar
+  webhookConfiguration:
+    failurePolicy: Fail

test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/README.md

@@ -0,0 +1,7 @@
+## Description
+
+This test tries to create policies with invalid timeouts (`< 1` or `> 30`).
+
+## Expected Behavior
+
+Policies should be rejected.

test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/chainsaw-test.yaml

@@ -0,0 +1,19 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: invalid-timeout
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: policy-1.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: policy-2.yaml

test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/policy-1.yaml

@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: deny
+spec:
+  validationFailureAction: Audit
+  webhookTimeoutSeconds: -1
+  rules:
+    - name: deny
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        deny: {}

test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/policy-2.yaml

@@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: deny
+spec:
+  validationFailureAction: Audit
+  webhookTimeoutSeconds: 31
+  rules:
+    - name: deny
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        deny: {}

test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml

@@ -4,7 +4,6 @@ metadata:
   name: deny
 spec:
   validationFailureAction: Audit
-  webhookTimeoutSeconds: -1
   rules:
     - name: deny
       match:
@@ -14,3 +13,5 @@ spec:
                 - Pod
       validate:
         deny: {}
+  webhookConfiguration:
+    timeoutSeconds: -1

test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml

@@ -4,7 +4,6 @@ metadata:
   name: deny
 spec:
   validationFailureAction: Audit
-  webhookTimeoutSeconds: 31
   rules:
     - name: deny
       match:
@@ -14,3 +13,5 @@ spec:
                 - Pod
       validate:
         deny: {}
+  webhookConfiguration:
+    timeoutSeconds: 31

test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test is migrated from e2e. It tests basic YAML manifest signature validation functionality.
+
+## Expected Behavior
+
+The `test-deployment` (defined in `bad.yaml`) should fail because it matches the policy conditions yet has not been signed while the `test-deployment` (defined in `02-good-deployment.yaml`) should pass because it also matches yet has been signed and the signature is valid according to the public key defined in the policy.
+
+## Reference Issue(s)
+
+N/A

test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/bad.yaml

@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: nginx
+  name: test-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+        - image: nginx:1.14.2
+          name: nginx
+          ports:
+            - containerPort: 80

test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/chainsaw-step-02-apply-1-1.yaml

@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    cosign.sigstore.dev/message: H4sIAAAAAAAA/wBaAaX+H4sIAAAAAAAA/+ySz27bMAzGffZT8AUcSf6TpDrvuMMOw64DazOeEP2bxBZtn35wnXhegOW4oYB/F9rg930gQYlnTOIU7EApC/8mlDye7c9xqNk/Stc49902rn1ppZRy9OKr6IOLiXI2fqwYUzW+KXmQDw9tUx8FU+ZqoGjDqyPPu1d0tigm775t3+th371XWc//E12zL1Rbq042XacOhWzquusKkMU/4CkzpkLKdH4awh1dZjyd7vQvuyz1g4DRfKOUTfAaMMYsnlV5Nn7Q8Gk5Y+mIcUBGXQJYfCSbpy+YDBr8aPxLCeDRkYabF1DmSP0kThSt6TFrUCVAJks9hzTHOOT+x+dV7k0yk4sWmS7q1TAT9g/jjRXgOsBEHzyj8ZRW8gqMw5EuFq12qt3VS/e61u+8mRgSr0LmoCX+S0is4SjL/33djY2Njb/zKwAA//+MAMwjAAgAAAEAAP//7NcJ9loBAAA=
+    cosign.sigstore.dev/signature: MEUCICLCfb3LGKXcdKV3gTXl6qba3T2goZMbVX/54gyNR05UAiEAlvPuWVsCPuBx5wVqvtyT7hr/AfR9Fl7cNLDACaNIbx8=
+  labels:
+    app: nginx
+  name: test-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - image: nginx:1.14.2
+        name: nginx
+        ports:
+        - containerPort: 80

test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/chainsaw-test.yaml

@@ -0,0 +1,23 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: yaml-signing
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-ready.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: chainsaw-step-02-apply-1-1.yaml
+  - name: step-03
+    try:
+    - script:
+        content: "if kubectl apply -f bad.yaml\nthen \n  echo \"Tested failed. Deployment
+          was created when it shouldn't have been.\"\n  exit 1 \nelse \n  echo \"Test
+          succeeded. Deployment was not created as intended.\"\n  exit 0\nfi\n"

test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/policy-ready.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: validate-resources
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/policy.yaml

@@ -0,0 +1,49 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: validate-resources
+spec:
+  validationFailureAction: Enforce
+  background: false
+  webhookTimeoutSeconds: 30
+  failurePolicy: Fail  
+  rules:
+    - name: validate-resources
+      match:
+        any:
+        - resources:
+            kinds:
+              - Deployment
+              - Pod
+            name: test*
+      exclude:
+        any:
+        - resources:
+            kinds:
+              - Pod
+          subjects:
+          - kind: ServiceAccount
+            namespace: kube-system
+            name: replicaset-controller
+        - resources:
+            kinds:
+              - ReplicaSet
+          subjects:
+          - kind: ServiceAccount
+            namespace: kube-system
+            name: deployment-controller
+      validate:
+        manifests:
+          attestors:
+          - entries:
+            - keys: 
+                publicKeys:  |-
+                  -----BEGIN PUBLIC KEY-----
+                  MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY
+                  BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng==
+                  -----END PUBLIC KEY-----
+                rekor:
+                  url: https://rekor.sigstore.dev
+                  ignoreTlog: true
+                ctlog:
+                  ignoreSCT: true

test/conformance/chainsaw/validate/e2e/yaml-signing/policy.yaml

@@ -5,8 +5,6 @@ metadata:
 spec:
   validationFailureAction: Enforce
   background: false
-  webhookTimeoutSeconds: 30
-  failurePolicy: Fail  
   rules:
     - name: validate-resources
       match:
@@ -47,3 +45,6 @@ spec:
                   ignoreTlog: true
                 ctlog:
                   ignoreSCT: true
+  webhookConfiguration:
+    timeoutSeconds: 30
+    failurePolicy: Fail 

test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/README.md

@@ -0,0 +1,10 @@
+## Description
+
+This test creates a policy to verify manifests signatures.
+The policy specifies that two signatures are expected to be valid.
+
+## Expected Behavior
+
+Resource with no signature should be rejected.
+Resource with one signature should be rejected.
+Resource with two signatures should be accepted.

test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/chainsaw-test.yaml

@@ -0,0 +1,32 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: multi-signatures
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
+  - name: step-02
+    try:
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: resource-no-signature.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: resource-one-signature.yaml
+    - apply:
+        file: resource-two-signatures.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: resource-bad-signatures.yaml

test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: validate-yaml
+status:
+  conditions:
+    - reason: Succeeded
+      status: "True"
+      type: Ready

test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/policy.yaml

@@ -0,0 +1,42 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: validate-yaml
+spec:
+  validationFailureAction: Enforce
+  background: false
+  webhookTimeoutSeconds: 30
+  failurePolicy: Fail  
+  rules:
+    - name: validate-yaml
+      match:
+        any:
+        - resources:
+            kinds:
+            - Service
+      validate:
+        manifests:
+          attestors:
+          - entries:
+            - keys:
+                publicKeys: |-
+                    -----BEGIN PUBLIC KEY-----
+                    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY
+                    BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng==
+                    -----END PUBLIC KEY-----
+                rekor:
+                  url: https://rekor.sigstore.dev
+                  ignoreTlog: true
+                ctlog:
+                  ignoreSCT: true
+            - keys:
+                publicKeys: |-
+                    -----BEGIN PUBLIC KEY-----
+                    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy
+                    FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A==
+                    -----END PUBLIC KEY-----
+                rekor:
+                  url: https://rekor.sigstore.dev
+                  ignoreTlog: true
+                ctlog:
+                  ignoreSCT: true

test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-bad-signatures.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA=
+    cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK
+    cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg==
+  name: test-service3
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 9376
+  selector:
+    app: NotMyApp

test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-no-signature.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: test-service1
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 9376
+  selector:
+    app: MyApp

test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-one-signature.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    cosign.sigstore.dev/message: H4sIAAAAAAAA/wAuAdH+H4sIAAAAAAAA/+yPPW7rMBCEVesUewE90aJ+bHYPqQMYiJE2YKS1IlgUid21E/v0geggVeDK7vQ1M+RMsUPI/kgtZjz0mbjw72zdmNwXpZSqyzJqU1dRVXF9R6t1siq11rouikYnShdNrRJQd77jT44slhKl6HDs/I0ei93vb+Q/W341P1nK937skDg/V3lVrvXb5Li5VO+duHZz+HJOf37M5X7Kd3nrXSBkHqY+E0tZf8lQ4UYXVVPrrnjA9BkbhlckHvxk4LRKD8PUGXhBOg0tpg7FdlasSQEm69CAIEvG17hIOWA7Z8GT8GyyaA2sVQoAEMiLb/1oYPe0jT9iqUfZxtJGN3UKwDhiK55MLNgQDDyf/4eQPmjxwsLCwsLMdwAAAP//a1+4aAAIAAABAAD//9BEPkguAQAA
+    cosign.sigstore.dev/signature: MEUCIGsd5kBomJgAJKbzoaoaDt5sWGSdA9EPGon4XY3Jmg9XAiEAwtqhN7tRzXNP3y0l5h2nxzg0WRnitCONiPi+BSP1e5Y=
+  name: test-service2
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 9376
+  selector:
+    app: MyApp

test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-two-signatures.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA=
+    cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK
+    cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg==
+  name: test-service3
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 9376
+  selector:
+    app: MyApp

test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml

@@ -4,9 +4,7 @@ metadata:
   name: validate-yaml
 spec:
   validationFailureAction: Enforce
-  background: false
+  background: false  
-  webhookTimeoutSeconds: 30
-  failurePolicy: Fail  
   rules:
     - name: validate-yaml
       match:
@@ -40,3 +38,6 @@ spec:
                   ignoreTlog: true
                 ctlog:
                   ignoreSCT: true
+  webhookConfiguration:
+    timeoutSeconds: 30
+    failurePolicy: Fail

test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/README.md

@@ -0,0 +1,10 @@
+## Description
+
+This test creates a policy to verify manifests signatures.
+The policy specifies that at least one signature is expected to be valid.
+
+## Expected Behavior
+
+Resource with no signature should be rejected.
+Resource with one signature should be accepted.
+Resource with two signatures should be accepted.

test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/chainsaw-test.yaml

@@ -0,0 +1,29 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: single-signature
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
+  - name: step-02
+    try:
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: resource-no-signature.yaml
+    - apply:
+        file: resource-one-signature.yaml
+    - apply:
+        file: resource-two-signatures.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: resource-bad-signatures.yaml

test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: validate-yaml
+status:
+  conditions:
+    - reason: Succeeded
+      status: "True"
+      type: Ready

test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/policy.yaml

@@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: validate-yaml
+spec:
+  validationFailureAction: Enforce
+  background: false
+  webhookTimeoutSeconds: 30
+  failurePolicy: Fail  
+  rules:
+    - name: validate-yaml
+      match:
+        any:
+        - resources:
+            kinds:
+            - Service
+      validate:
+        manifests:
+          attestors:
+          - count: 1
+            entries:
+            - keys:
+                publicKeys: |-
+                    -----BEGIN PUBLIC KEY-----
+                    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY
+                    BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng==
+                    -----END PUBLIC KEY-----
+            - keys:
+                publicKeys: |-
+                    -----BEGIN PUBLIC KEY-----
+                    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy
+                    FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A==
+                    -----END PUBLIC KEY-----

test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-bad-signatures.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA=
+    cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK
+    cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg==
+  name: test-service3
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 9376
+  selector:
+    app: NotMyApp

test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-no-signature.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: test-service1
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 9376
+  selector:
+    app: MyApp

test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-one-signature.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    cosign.sigstore.dev/message: H4sIAAAAAAAA/wAuAdH+H4sIAAAAAAAA/+yPPW7rMBCEVesUewE90aJ+bHYPqQMYiJE2YKS1IlgUid21E/v0geggVeDK7vQ1M+RMsUPI/kgtZjz0mbjw72zdmNwXpZSqyzJqU1dRVXF9R6t1siq11rouikYnShdNrRJQd77jT44slhKl6HDs/I0ei93vb+Q/W341P1nK937skDg/V3lVrvXb5Li5VO+duHZz+HJOf37M5X7Kd3nrXSBkHqY+E0tZf8lQ4UYXVVPrrnjA9BkbhlckHvxk4LRKD8PUGXhBOg0tpg7FdlasSQEm69CAIEvG17hIOWA7Z8GT8GyyaA2sVQoAEMiLb/1oYPe0jT9iqUfZxtJGN3UKwDhiK55MLNgQDDyf/4eQPmjxwsLCwsLMdwAAAP//a1+4aAAIAAABAAD//9BEPkguAQAA
+    cosign.sigstore.dev/signature: MEUCIGsd5kBomJgAJKbzoaoaDt5sWGSdA9EPGon4XY3Jmg9XAiEAwtqhN7tRzXNP3y0l5h2nxzg0WRnitCONiPi+BSP1e5Y=
+  name: test-service2
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 9376
+  selector:
+    app: MyApp

test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-two-signatures.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA=
+    cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK
+    cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg==
+  name: test-service3
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 9376
+  selector:
+    app: MyApp

test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml

@@ -4,9 +4,7 @@ metadata:
   name: validate-yaml
 spec:
   validationFailureAction: Enforce
-  background: false
+  background: false 
-  webhookTimeoutSeconds: 30
-  failurePolicy: Fail  
   rules:
     - name: validate-yaml
       match:
@@ -31,3 +29,6 @@ spec:
                     MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy
                     FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A==
                     -----END PUBLIC KEY-----
+  webhookConfiguration:
+    timeoutSeconds: 30
+    failurePolicy: Fail

test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/README.md

@@ -0,0 +1,11 @@
+## Description
+
+This test verifies that resource creation is not blocked if the `failurePolicy` is set to `Ignore`, when there is an error resolving context variables.
+
+## Expected Behavior
+
+The pod should be created successfully.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6742

test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/bad-pod.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-fail
+  namespace: failure-policy-test-noconfigmap-diffimage-success
+spec:
+  containers:
+  - image: ghcr.io/kyverno/test-verify-image:signed
+    name: test-fail

test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/chainsaw-step-02-apply-1.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: failure-policy-test-noconfigmap-diffimage-success

test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/chainsaw-test.yaml

@@ -0,0 +1,23 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: failure-policy-test-noconfigmap-diffimage-success
+spec:
+  timeouts:
+    delete: 2m
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-ready.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: chainsaw-step-02-apply-1.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: bad-pod.yaml

test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/policy-ready.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: image-verify-polset-failurepolicy-ignore
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/policy.yaml

@@ -0,0 +1,37 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    pod-policies.kyverno.io/autogen-controllers: none
+  name: image-verify-polset-failurepolicy-ignore
+spec:
+  background: false
+  failurePolicy: Ignore
+  rules:
+    - context:
+        - configMap:
+            name: myconfigmap
+            namespace: mynamespace
+          name: myconfigmap
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      name: image-verify-pol1
+      verifyImages:
+        - imageReferences:
+            - ghcr.io/*
+          mutateDigest: false
+          verifyDigest: false
+          attestors:
+            - entries:
+                - keys:
+                    publicKeys: '{{myconfigmap.data.configmapkey}}'
+                    rekor:
+                      url: https://rekor.sigstore.dev
+                      ignoreTlog: true
+                    ctlog:
+                      ignoreSCT: true
+  validationFailureAction: Audit
+  webhookTimeoutSeconds: 30

test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml

@@ -6,7 +6,6 @@ metadata:
   name: image-verify-polset-failurepolicy-ignore
 spec:
   background: false
-  failurePolicy: Ignore
   rules:
     - context:
         - configMap:
@@ -34,4 +33,6 @@ spec:
                     ctlog:
                       ignoreSCT: true
   validationFailureAction: Audit
-  webhookTimeoutSeconds: 30
+  webhookConfiguration:
+    timeoutSeconds: 30
+    failurePolicy: Ignore