orient tests to simple, icr.io, -vuln tests

Signed-off-by: Stuart Hayton <[email protected]>

Makefile

@@ -75,7 +75,7 @@ e2e.local: helm.install.local e2e.quick
 
 e2e.local.ics: helm.install.local e2e.quick.ics
 
-e2e.quick: e2e.quick.trust.imagepolicy e2e.quick.trust.clusterimagepolicy e2e.quick.wildcards e2e.quick.generic e2e.quick.simple.imagepolicy e2e.quick.vulnerability
+e2e.quick: e2e.quick.trust.imagepolicy e2e.quick.trust.clusterimagepolicy e2e.quick.wildcards e2e.quick.generic e2e.quick.simple.imagepolicy e2e.quick.simple.clusterimagepolicy
 e2e.quick.ics: e2e.quick.trust.imagepolicy e2e.quick.trust.clusterimagepolicy e2e.quick.armada e2e.quick.wildcards e2e.quick.generic e2e.quick.simple.imagepolicy
 	-kubectl delete namespace $$(kubectl get namespaces | grep '[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*' | awk '{ print $$1 }' )
 
@@ -99,16 +99,17 @@ e2e.quick.generic:
 	go test -v ./test/e2e --no-install --generic
 	-kubectl delete namespace $$(kubectl get namespaces | grep '[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*' | awk '{ print $$1 }' )
 
+e2e.quick.simple.clusterimagepolicy:
+	go test -v ./test/e2e --no-install --simple-cluster-image-policy
+	-kubectl delete namespace secretnamespace
+	-kubectl delete namespace $$(kubectl get namespaces | grep '[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*' | awk '{ print $$1 }' )
+
 e2e.quick.simple.imagepolicy:
 	-kubectl delete namespace secretnamespace
 	go test -v ./test/e2e --no-install --simple-image-policy
 	-kubectl delete namespace secretnamespace
 	-kubectl delete namespace $$(kubectl get namespaces | grep '[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*' | awk '{ print $$1 }' )
 
-e2e.quick.vulnerability:
-	go test -v ./test/e2e --no-install --vulnerability
-	-kubectl delete namespace $$(kubectl get namespaces | grep '[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*' | awk '{ print $$1 }' )
-
 e2e.clean: helm.clean
 
 .PHONY: code-generator regenerate

scripts/install-on-docker

@@ -5,7 +5,7 @@
 kubectl create secret docker-registry ${PULLSECRET} --docker-username iamapikey --docker-password "${PORTIERIS_PULL_APIKEY}" --docker-server ${REG}
 # make a secret that e2e tests can use to pull test images, do notary and get va results
 # e2e tests copy this to the test namespaces
-kubectl create secret docker-registry all-icr-io --docker-username iamapikey --docker-password "${PORTIERIS_TESTIMAGE_APIKEY}" --docker-server de.icr.io 
+kubectl create secret docker-registry all-icr-io --docker-username iamapikey --docker-password "${PORTIERIS_TESTIMAGE_APIKEY}" --docker-server icr.io 
 
 kubectl create ns portieris
 kubectl get secret ${PULLSECRET} -o yaml | sed 's/namespace: default/namespace: portieris/' | kubectl create -f - 

test/e2e/main_test.go

@@ -1,4 +1,4 @@
-// Copyright 2018,2021 Portieris Authors.
+// Copyright 2018,2023 Portieris Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -32,7 +32,7 @@ var (
 
 	noInstall bool
 
-	testTrustImagePolicy, testTrustClusterImagePolicy, testArmada, testVAImagePolicy, testVAClusterImagePolicy, testWildcardImagePolicy, testGeneric, testSimpleImagePolicy, testVulnerability bool
+	testTrustImagePolicy, testTrustClusterImagePolicy, testArmada, testVAImagePolicy, testWildcardImagePolicy, testGeneric, testSimpleImagePolicy, testSimpleClusterImagePolicy bool
 )
 
 const (
@@ -47,12 +47,10 @@ func TestMain(m *testing.M) {
 	flag.BoolVar(&testTrustImagePolicy, "trust-image-policy", false, "runs trust tests for image policies")
 	flag.BoolVar(&testTrustClusterImagePolicy, "trust-cluster-image-policy", false, "runs trust tests for cluster image policies")
 	flag.BoolVar(&testArmada, "armada", false, "runs tests for Armada based installation")
-	flag.BoolVar(&testVAImagePolicy, "va-image-policy", false, "runs va tests for image policies")
-	flag.BoolVar(&testVAClusterImagePolicy, "va-cluster-image-policy", false, "runs va tests for cluster image policies")
 	flag.BoolVar(&testWildcardImagePolicy, "wildcards-image-policy", false, "runs tests for wildcards in image policies")
 	flag.BoolVar(&testGeneric, "generic", false, "runs generic enforment tests")
 	flag.BoolVar(&testSimpleImagePolicy, "simple-image-policy", false, "runs tests for simple signing policies")
-	flag.BoolVar(&testVulnerability, "vulnerability", false, "runs tests for vulnerability enforcement")
+	flag.BoolVar(&testSimpleClusterImagePolicy, "simple-cluster-image-policy", false, "runs tests for simple signing policies")
 
 	flag.Parse()
 

test/e2e/notary.ibm.clusterimagepolicy_test.go

@@ -20,93 +20,6 @@ import (
 	"github.com/IBM/portieris/test/e2e/utils"
 )
 
-func TestNotary_ClusterImagePolicyRepositories_AllowAllDenyAll(t *testing.T) {
-	utils.CheckIfTesting(t, testTrustClusterImagePolicy)
-	if defaultClusterPolicy := utils.DeleteThenReturnClusterImagePolicy(t, framework, "default"); defaultClusterPolicy != nil {
-		defer framework.CreateClusterImagePolicy(defaultClusterPolicy)
-	}
-
-	t.Run("Allow all images", func(t *testing.T) {
-		clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/allow-all.yaml")
-		utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name)
-		utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name)
-	})
-	t.Run("Deny all images when no cluster image policy is present", func(t *testing.T) {
-		namespace, err := framework.CreateNamespaceWithIPS("deny-all")
-		if err != nil {
-			t.Fatalf("error creating deny-all namespace: %v", err)
-		}
-		defer framework.DeleteNamespace(namespace.Name)
-		utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name)
-	})
-}
-
-func TestNotary_ClusterImagePolicyRepositories_BasicTrust(t *testing.T) {
-	utils.CheckIfTesting(t, testTrustClusterImagePolicy)
-	if defaultClusterPolicy := utils.DeleteThenReturnClusterImagePolicy(t, framework, "default"); defaultClusterPolicy != nil {
-		defer framework.CreateClusterImagePolicy(defaultClusterPolicy)
-	}
-
-	t.Run("Allow signed images when trust enabled", func(t *testing.T) {
-		clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/allow-signed.yaml")
-		utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name)
-		utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name)
-	})
-	t.Run("Deny unsigned images when trust enabled", func(t *testing.T) {
-		clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/allow-signed.yaml")
-		utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name)
-		utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name)
-	})
-}
-
-func TestNotary_ClusterImagePolicyRepositories_TrustPinning(t *testing.T) {
-	utils.CheckIfTesting(t, testTrustClusterImagePolicy)
-	if defaultClusterPolicy := utils.DeleteThenReturnClusterImagePolicy(t, framework, "default"); defaultClusterPolicy != nil {
-		defer framework.CreateClusterImagePolicy(defaultClusterPolicy)
-	}
-
-	t.Run("Allow images signed by the correct single signer when trust enabled", func(t *testing.T) {
-		clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/pinned-signer1.yaml")
-		utils.CreateSecret(t, framework, "./testdata/secret/signer1.pubkey.yaml", namespace.Name)
-		utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name)
-		utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name)
-	})
-	t.Run("Allow images signed the correct multiple signers and when trust enabled", func(t *testing.T) {
-		clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/pinned-multi.yaml")
-		utils.CreateSecret(t, framework, "./testdata/secret/signer1.pubkey.yaml", namespace.Name)
-		utils.CreateSecret(t, framework, "./testdata/secret/signer2.pubkey.yaml", namespace.Name)
-		utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-multisigned.yaml", namespace.Name)
-		utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name)
-	})
-	t.Run("Deny images signed by the wrong signer when trust enabled", func(t *testing.T) {
-		clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/pinned-signer2.yaml")
-		utils.CreateSecret(t, framework, "./testdata/secret/signer2.pubkey.yaml", namespace.Name)
-		utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name)
-		utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name)
-	})
-	t.Run("Deny images signed by a single signer when multiple are required when trust enabled", func(t *testing.T) {
-		clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/pinned-multi.yaml")
-		utils.CreateSecret(t, framework, "./testdata/secret/signer1.pubkey.yaml", namespace.Name)
-		utils.CreateSecret(t, framework, "./testdata/secret/signer2.pubkey.yaml", namespace.Name)
-		utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name)
-		utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name)
-	})
-}
-
-func TestNotary_ClusterImagePolicyRepositories_TrustPinningMultiContainers(t *testing.T) {
-	utils.CheckIfTesting(t, testTrustClusterImagePolicy)
-	t.Run("Allow when both containers fulfill the policy", func(t *testing.T) {
-		clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/allow-signed.yaml")
-		utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed-signed.yaml", namespace.Name)
-		utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name)
-	})
-	t.Run("Deny when one container fails to fulfill the policy", func(t *testing.T) {
-		clusterImagePolicy, namespace := utils.CreateClusterImagePolicyAndNamespace(t, framework, "./testdata/clusterimagepolicy/allow-signed.yaml")
-		utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-signed-unsigned.yaml", namespace.Name)
-		utils.CleanUpClusterImagePolicyTest(t, framework, clusterImagePolicy.Name, namespace.Name)
-	})
-}
-
 // Temporary check until other registries are supported.
 func TestNotary_ClusterImagePolicyRepositories_ThirdPartyTrust(t *testing.T) {
 	utils.CheckIfTesting(t, testTrustClusterImagePolicy)

test/e2e/notary.ibm.imagepolicy_test.go

@@ -20,96 +20,6 @@ import (
 	"github.com/IBM/portieris/test/e2e/utils"
 )
 
-func TestNotary_ImagePolicyRepositories_AllowAllDenyAll(t *testing.T) {
-	utils.CheckIfTesting(t, testTrustImagePolicy)
-	if defaultClusterPolicy := utils.DeleteThenReturnClusterImagePolicy(t, framework, "default"); defaultClusterPolicy != nil {
-		defer framework.CreateClusterImagePolicy(defaultClusterPolicy)
-	}
-
-	t.Run("Allow all images", func(t *testing.T) {
-		t.Parallel()
-		namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-all.yaml", "")
-		utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name)
-		utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
-	})
-	t.Run("Deny all images when no image policy is present", func(t *testing.T) {
-		t.Parallel()
-		namespace, err := framework.CreateNamespaceWithIPS("deny-all")
-		if err != nil {
-			t.Fatalf("error creating deny-all namespace: %v", err)
-		}
-		utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name)
-		utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
-	})
-
-}
-
-func TestNotary_ImagePolicyRepositories_BasicTrust(t *testing.T) {
-	utils.CheckIfTesting(t, testTrustImagePolicy)
-	t.Run("Allow signed images when trust enabled", func(t *testing.T) {
-		t.Parallel()
-		namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
-		utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name)
-		utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
-	})
-	t.Run("Deny unsigned images when trust enabled", func(t *testing.T) {
-		t.Parallel()
-		namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
-		utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-unsigned.yaml", namespace.Name)
-		utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
-	})
-}
-
-func TestNotary_ImagePolicyRepositories_TrustPinning(t *testing.T) {
-	utils.CheckIfTesting(t, testTrustImagePolicy)
-	t.Run("Allow images signed by the correct single signer when trust enabled", func(t *testing.T) {
-		t.Parallel()
-		namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/pinned-signer1.yaml", "")
-		utils.CreateSecret(t, framework, "./testdata/secret/signer1.pubkey.yaml", namespace.Name)
-		utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name)
-		utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
-	})
-	t.Run("Allow images signed the correct multiple signers and when trust enabled", func(t *testing.T) {
-		t.Parallel()
-		namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/pinned-multi.yaml", "")
-		utils.CreateSecret(t, framework, "./testdata/secret/signer1.pubkey.yaml", namespace.Name)
-		utils.CreateSecret(t, framework, "./testdata/secret/signer2.pubkey.yaml", namespace.Name)
-		utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-multisigned.yaml", namespace.Name)
-		utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
-	})
-	t.Run("Deny images signed by the wrong signer when trust enabled", func(t *testing.T) {
-		t.Parallel()
-		namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/pinned-signer2.yaml", "")
-		utils.CreateSecret(t, framework, "./testdata/secret/signer2.pubkey.yaml", namespace.Name)
-		utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name)
-		utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
-	})
-	t.Run("Deny images signed by a single signer when multiple are required when trust enabled", func(t *testing.T) {
-		t.Parallel()
-		namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/pinned-multi.yaml", "")
-		utils.CreateSecret(t, framework, "./testdata/secret/signer1.pubkey.yaml", namespace.Name)
-		utils.CreateSecret(t, framework, "./testdata/secret/signer2.pubkey.yaml", namespace.Name)
-		utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-signed.yaml", namespace.Name)
-		utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
-	})
-}
-
-func TestNotary_ImagePolicyRepositories_TrustPinningMultiContainers(t *testing.T) {
-	utils.CheckIfTesting(t, testTrustImagePolicy)
-	t.Run("Allow when both containers fulfill the policy", func(t *testing.T) {
-		t.Parallel()
-		namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
-		utils.TestDeploymentRunnable(t, framework, "./testdata/deployment/global-nginx-signed-signed.yaml", namespace.Name)
-		utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
-	})
-	t.Run("Deny when one container fails to fulfill the policy", func(t *testing.T) {
-		t.Parallel()
-		namespace := utils.CreateImagePolicyInstalledNamespace(t, framework, "./testdata/imagepolicy/allow-signed.yaml", "")
-		utils.TestDeploymentNotRunnable(t, framework, "./testdata/deployment/global-nginx-signed-unsigned.yaml", namespace.Name)
-		utils.CleanUpImagePolicyTest(t, framework, namespace.Name)
-	})
-}
-
 // Temporary check until other registries are supported.
 func TestNotary_ImagePolicyRepositories_ThirdPartyTrust(t *testing.T) {
 	utils.CheckIfTesting(t, testTrustImagePolicy)