add chainsaw test, fix lint

linode · Dec 2, 2024 · 8b13390 · 8b13390
1 parent 0436294
commit 8b13390
Show file tree

Hide file tree

Showing 9 changed files with 187 additions and 1 deletion.
diff --git a/e2e/linodefirewall-controller/linodefirewall-addressset/assert-addressset.yaml b/e2e/linodefirewall-controller/linodefirewall-addressset/assert-addressset.yaml
@@ -0,0 +1,9 @@
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+kind: AddressSet
+metadata:
+  name: ($firewall)-addrset
+spec:
+  ipv4:
+  - "10.0.0.0/8"
+  ipv6:
+  - ::/0
diff --git a/e2e/linodefirewall-controller/linodefirewall-addressset/assert-capi-resources.yaml b/e2e/linodefirewall-controller/linodefirewall-addressset/assert-capi-resources.yaml
@@ -0,0 +1,15 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: capi-controller-manager
+  namespace: capi-system
+status:
+  availableReplicas: 1
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: capl-controller-manager
+  namespace: capl-system
+status:
+  availableReplicas: 1
diff --git a/e2e/linodefirewall-controller/linodefirewall-addressset/assert-firewall.yaml b/e2e/linodefirewall-controller/linodefirewall-addressset/assert-firewall.yaml
@@ -0,0 +1,17 @@
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+kind: LinodeFirewall
+metadata:
+  name: ($firewall)
+spec:
+  enabled: true
+  inboundPolicy: DROP
+  inboundRules:
+    - action: ACCEPT
+      label: test
+      ports: "1-65535"
+      protocol: "TCP"
+      addressSetRefs:
+      - name: ($firewall)-addrset
+        kind: AddressSet
+status:
+  ready: true
diff --git a/e2e/linodefirewall-controller/linodefirewall-addressset/chainsaw-test.yaml b/e2e/linodefirewall-controller/linodefirewall-addressset/chainsaw-test.yaml
@@ -0,0 +1,96 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: minimal-linodefirewall
+  # Label to trigger the test on every PR
+  labels:
+    all:
+    quick:
+    linodefirewall:
+spec:
+  bindings:
+    # A short identifier for the E2E test run
+    - name: run
+      value: (join('-', ['e2e', 'addrset-firewall', env('GIT_REF')]))
+    - name: firewall
+      # Format the firewall name into a valid Kubernetes object name
+      value: (trim((truncate(($run), `63`)), '-'))
+  template: true
+  steps:
+    - name: Check if CAPI provider resources exist
+      try:
+        - assert:
+            file: assert-capi-resources.yaml
+    - name: Create AddressSet
+      try:
+        - apply:
+            file: create-addressset.yaml
+        - assert:
+            file: assert-addressset.yaml
+      catch:
+        - describe:
+            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+            kind: AddressSet
+    - name: Create LinodeFirewall
+      try:
+        - apply:
+            file: create-firewall.yaml
+        - assert:
+            file: assert-firewall.yaml
+      catch:
+        - describe:
+            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+            kind: LinodeFirewall
+    - name: Check if the Firewall was created
+      try:
+        - script:
+            env:
+              - name: FILTER
+                value: (to_string({"label":($firewall)}))
+            content: |
+              set -e
+              curl -s \
+                -H "Authorization: Bearer $LINODE_TOKEN" \
+                -H "X-Filter: $FILTER" \
+                -H "Content-Type: application/json" \
+                "https://api.linode.com/v4/networking/firewalls"
+            check:
+              ($error): ~
+              (json_parse($stdout)):
+                results: 1
+    - name: Delete Firewall
+      try:
+        - delete:
+            ref:
+              apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+              kind: LinodeFirewall
+              name: ($firewall)
+        - error:
+            file: check-firewall-deletion.yaml
+    - name: Delete AddressSet
+      try:
+        - delete:
+            ref:
+              apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+              kind: AddressSet
+              name: ($firewall)-addrset
+        - error:
+            file: check-addressset-deletion.yaml
+    - name: Check if the Firewall was deleted
+      try:
+        - script:
+            env:
+              - name: FILTER
+                value: (to_string({"label":($firewall)}))
+            content: |
+              set -e
+              curl -s \
+                -H "Authorization: Bearer $LINODE_TOKEN" \
+                -H "X-Filter: $FILTER" \
+                -H "Content-Type: application/json" \
+                "https://api.linode.com/v4/networking/firewalls"
+            check:
+              ($error): ~
+              (json_parse($stdout)):
+                results: 0
diff --git a/e2e/linodefirewall-controller/linodefirewall-addressset/check-addressset-deletion.yaml b/e2e/linodefirewall-controller/linodefirewall-addressset/check-addressset-deletion.yaml
@@ -0,0 +1,9 @@
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+kind: AddressSet
+metadata:
+  name: ($firewall)-addrset
+spec:
+  ipv4:
+  - "10.0.0.0/8"
+  ipv6:
+  - ::/0
diff --git a/e2e/linodefirewall-controller/linodefirewall-addressset/check-firewall-deletion.yaml b/e2e/linodefirewall-controller/linodefirewall-addressset/check-firewall-deletion.yaml
@@ -0,0 +1,16 @@
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+kind: LinodeFirewall
+metadata:
+  name: ($firewall)
+spec:
+  enabled: true
+  inboundPolicy: DROP
+  inboundRules:
+    - action: ACCEPT
+      label: test
+      ports: "1-65535"
+      protocol: "TCP"
+      addressSetRefs:
+      - name: ($firewall)-addrset
+        kind: AddressSet
+
diff --git a/e2e/linodefirewall-controller/linodefirewall-addressset/create-addressset.yaml b/e2e/linodefirewall-controller/linodefirewall-addressset/create-addressset.yaml
@@ -0,0 +1,9 @@
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+kind: AddressSet
+metadata:
+  name: ($firewall)-addrset
+spec:
+  ipv4:
+  - "10.0.0.0/8"
+  ipv6:
+  - ::/0
diff --git a/e2e/linodefirewall-controller/linodefirewall-addressset/create-firewall.yaml b/e2e/linodefirewall-controller/linodefirewall-addressset/create-firewall.yaml
@@ -0,0 +1,15 @@
+apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
+kind: LinodeFirewall
+metadata:
+  name: ($firewall)
+spec:
+  enabled: true
+  inboundPolicy: DROP
+  inboundRules:
+    - action: ACCEPT
+      label: test
+      ports: "1-65535"
+      protocol: "TCP"
+      addressSetRefs:
+      - name: ($firewall)-addrset
+        kind: AddressSet
diff --git a/internal/controller/linodefirewall_controller_helpers.go b/internal/controller/linodefirewall_controller_helpers.go
@@ -186,7 +186,7 @@ func processInboundRule(ctx context.Context, k8sClient clients.K8sClient, log lo
 }
 
 // processOutboundRule handles a single outbound rule
-func processOutboundRule(ctx context.Context, k8sClient clients.K8sClient, log logr.Logger, rule infrav1alpha2.FirewallRule, fwNS string, outboundPolicy string, createOpts *linodego.FirewallCreateOptions) {
+func processOutboundRule(ctx context.Context, k8sClient clients.K8sClient, log logr.Logger, rule infrav1alpha2.FirewallRule, fwNS, outboundPolicy string, createOpts *linodego.FirewallCreateOptions) {
 	var ruleIPv4s []string
 	var ruleIPv6s []string
 	if rule.Addresses != nil {