feat(test): enable webhook server for the envtests.

Updates the integration test running in envtest environment to install
and run the webhook server to perform their actual validation code.

Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>

internal/controller/admissionpolicy_controller_test.go

@@ -61,7 +61,6 @@ var _ = Describe("AdmissionPolicy controller", Label("real-cluster"), func() {
 				withName(policyName).
 				withNamespace(policyNamespace).
 				withPolicyServer(policyServerName).
-				withMutating(false).
 				build()
 			Expect(k8sClient.Create(ctx, policy)).To(Succeed())
 		})

internal/controller/admissionpolicygroup_controller_test.go

@@ -55,7 +55,11 @@ var _ = Describe("AdmissionPolicyGroup controller", Label("real-cluster"), func(
 			createPolicyServerAndWaitForItsService(ctx, newPolicyServerFactory().withName(policyServerName).build())
 
 			policyName = newName("validating-policy")
-			policy = newAdmissionPolicyGroupFactory().withName(policyName).withNamespace(policyNamespace).withPolicyServer(policyServerName).build()
+			policy = newAdmissionPolicyGroupFactory().
+				withName(policyName).
+				withNamespace(policyNamespace).
+				withPolicyServer(policyServerName).
+				build()
 			Expect(k8sClient.Create(ctx, policy)).To(Succeed())
 		})
 

internal/controller/factories_test.go

@@ -21,12 +21,24 @@ type admissionPolicyFactory struct {
 
 func newAdmissionPolicyFactory() *admissionPolicyFactory {
 	return &admissionPolicyFactory{
-		name:         newName("validating-policy"),
-		namespace:    "",
+		name:         newName("admission-policy"),
+		namespace:    "default",
 		policyServer: "",
 		mutating:     false,
-		rules:        []admissionregistrationv1.RuleWithOperations{},
-		module:       "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5",
+		rules: []admissionregistrationv1.RuleWithOperations{
+			{
+				Operations: []admissionregistrationv1.OperationType{
+					admissionregistrationv1.Create,
+					admissionregistrationv1.Update,
+				},
+				Rule: admissionregistrationv1.Rule{
+					APIGroups:   []string{""},
+					APIVersions: []string{"v1"},
+					Resources:   []string{"Pods"},
+				},
+			},
+		},
+		module: "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5",
 	}
 }
 
@@ -84,20 +96,34 @@ func (fac *admissionPolicyFactory) build() *policiesv1.AdmissionPolicy {
 }
 
 type clusterAdmissionPolicyFactory struct {
-	name         string
-	policyServer string
-	mutating     bool
-	rules        []admissionregistrationv1.RuleWithOperations
-	module       string
+	name                  string
+	policyServer          string
+	mutating              bool
+	rules                 []admissionregistrationv1.RuleWithOperations
+	module                string
+	contextAwareResources []policiesv1.ContextAwareResource
 }
 
 func newClusterAdmissionPolicyFactory() *clusterAdmissionPolicyFactory {
 	return &clusterAdmissionPolicyFactory{
-		name:         newName("validating-cluster-policy"),
+		name:         newName("cluster-admission"),
 		policyServer: "",
 		mutating:     false,
-		rules:        []admissionregistrationv1.RuleWithOperations{},
-		module:       "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5",
+		rules: []admissionregistrationv1.RuleWithOperations{
+			{
+				Operations: []admissionregistrationv1.OperationType{
+					admissionregistrationv1.Create,
+					admissionregistrationv1.Update,
+				},
+				Rule: admissionregistrationv1.Rule{
+					APIGroups:   []string{""},
+					APIVersions: []string{"v1"},
+					Resources:   []string{"Pods"},
+				},
+			},
+		},
+		module:                "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5",
+		contextAwareResources: []policiesv1.ContextAwareResource{},
 	}
 }
 
@@ -116,6 +142,11 @@ func (fac *clusterAdmissionPolicyFactory) withMutating(mutating bool) *clusterAd
 	return fac
 }
 
+func (fac *clusterAdmissionPolicyFactory) withContextAwareResources(resources []policiesv1.ContextAwareResource) *clusterAdmissionPolicyFactory {
+	fac.contextAwareResources = resources
+	return fac
+}
+
 func (fac *clusterAdmissionPolicyFactory) build() *policiesv1.ClusterAdmissionPolicy {
 	clusterAdmissionPolicy := policiesv1.ClusterAdmissionPolicy{
 		ObjectMeta: metav1.ObjectMeta{
@@ -130,6 +161,7 @@ func (fac *clusterAdmissionPolicyFactory) build() *policiesv1.ClusterAdmissionPo
 				integrationTestsFinalizer,
 			}},
 		Spec: policiesv1.ClusterAdmissionPolicySpec{
+			ContextAwareResources: fac.contextAwareResources,
 			PolicySpec: policiesv1.PolicySpec{
 				PolicyServer: fac.policyServer,
 				Module:       fac.module,
@@ -182,16 +214,38 @@ func (fac *policyServerBuilder) build() *policiesv1.PolicyServer {
 }
 
 type admissionPolicyGroupFactory struct {
-	name         string
-	namespace    string
-	policyServer string
+	name          string
+	namespace     string
+	policyServer  string
+	rules         []admissionregistrationv1.RuleWithOperations
+	expression    string
+	policyMembers policiesv1.PolicyGroupMembers
 }
 
 func newAdmissionPolicyGroupFactory() *admissionPolicyGroupFactory {
 	return &admissionPolicyGroupFactory{
-		name:         newName("validating-policygroup"),
-		namespace:    "",
+		name:         newName("admissing-policy-group"),
+		namespace:    "default",
 		policyServer: "",
+		rules: []admissionregistrationv1.RuleWithOperations{
+			{
+				Operations: []admissionregistrationv1.OperationType{
+					admissionregistrationv1.Create,
+					admissionregistrationv1.Update,
+				},
+				Rule: admissionregistrationv1.Rule{
+					APIGroups:   []string{""},
+					APIVersions: []string{"v1"},
+					Resources:   []string{"Pods"},
+				},
+			},
+		},
+		expression: "pod_privileged()",
+		policyMembers: policiesv1.PolicyGroupMembers{
+			"pod_privileged": {
+				Module: "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5",
+			},
+		},
 	}
 }
 
@@ -211,7 +265,7 @@ func (fac *admissionPolicyGroupFactory) withPolicyServer(policyServer string) *a
 }
 
 func (fac *admissionPolicyGroupFactory) build() *policiesv1.AdmissionPolicyGroup {
-	admissionPolicy := policiesv1.AdmissionPolicyGroup{
+	return &policiesv1.AdmissionPolicyGroup{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      fac.name,
 			Namespace: fac.namespace,
@@ -228,30 +282,51 @@ func (fac *admissionPolicyGroupFactory) build() *policiesv1.AdmissionPolicyGroup
 		Spec: policiesv1.AdmissionPolicyGroupSpec{
 			PolicyGroupSpec: policiesv1.PolicyGroupSpec{
 				PolicyServer: fac.policyServer,
-				Policies: policiesv1.PolicyGroupMembers{
-					"pod-privileged": {
-						Module: "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5",
-					},
-				},
-				Rules: []admissionregistrationv1.RuleWithOperations{},
+				Policies:     fac.policyMembers,
+				Expression:   fac.expression,
+				Rules:        fac.rules,
 				MatchConditions: []admissionregistrationv1.MatchCondition{
 					{Name: "noop", Expression: "true"},
 				},
 			},
 		},
 	}
-	return &admissionPolicy
 }
 
 type clusterAdmissionPolicyGroupFactory struct {
-	name         string
-	policyServer string
+	name          string
+	policyServer  string
+	rules         []admissionregistrationv1.RuleWithOperations
+	expression    string
+	policyMembers policiesv1.PolicyGroupMembers
 }
 
 func newClusterAdmissionPolicyGroupFactory() *clusterAdmissionPolicyGroupFactory {
 	return &clusterAdmissionPolicyGroupFactory{
-		name:         newName("validating-policygroup"),
+		name:         newName("cluster-admission-policy-group"),
 		policyServer: "",
+		rules: []admissionregistrationv1.RuleWithOperations{
+			{
+				Operations: []admissionregistrationv1.OperationType{
+					admissionregistrationv1.Create,
+					admissionregistrationv1.Update,
+				},
+				Rule: admissionregistrationv1.Rule{
+					APIGroups:   []string{""},
+					APIVersions: []string{"v1"},
+					Resources:   []string{"Pods"},
+				},
+			},
+		},
+		expression: "pod_privileged() && user_group_psp()",
+		policyMembers: policiesv1.PolicyGroupMembers{
+			"pod_privileged": {
+				Module: "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5",
+			},
+			"user_group_psp": {
+				Module: "registry://ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+			},
+		},
 	}
 }
 
@@ -265,6 +340,11 @@ func (fac *clusterAdmissionPolicyGroupFactory) withPolicyServer(policyServer str
 	return fac
 }
 
+func (fac *clusterAdmissionPolicyGroupFactory) withMembers(members policiesv1.PolicyGroupMembers) *clusterAdmissionPolicyGroupFactory {
+	fac.policyMembers = members
+	return fac
+}
+
 func (fac *clusterAdmissionPolicyGroupFactory) build() *policiesv1.ClusterAdmissionPolicyGroup {
 	clusterAdmissionPolicy := policiesv1.ClusterAdmissionPolicyGroup{
 		ObjectMeta: metav1.ObjectMeta{
@@ -281,19 +361,13 @@ func (fac *clusterAdmissionPolicyGroupFactory) build() *policiesv1.ClusterAdmiss
 		},
 		Spec: policiesv1.ClusterAdmissionPolicyGroupSpec{
 			PolicyGroupSpec: policiesv1.PolicyGroupSpec{
-				Rules:        []admissionregistrationv1.RuleWithOperations{},
 				PolicyServer: fac.policyServer,
+				Policies:     fac.policyMembers,
+				Expression:   fac.expression,
+				Rules:        fac.rules,
 				MatchConditions: []admissionregistrationv1.MatchCondition{
 					{Name: "noop", Expression: "true"},
 				},
-				Policies: policiesv1.PolicyGroupMembers{
-					"pod-privileged": {
-						Module: "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5",
-					},
-					"user-group-psp": {
-						Module: "registry://ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
-					},
-				},
 			},
 		},
 	}

internal/controller/policyserver_controller_configmap.go

@@ -189,6 +189,7 @@ func buildPolicyGroupMembers(policies policiesv1.PolicyGroupMembers) map[string]
 func buildPoliciesMap(admissionPolicies []policiesv1.Policy) policyConfigEntryMap {
 	policies := policyConfigEntryMap{}
 	for _, admissionPolicy := range admissionPolicies {
+
 		configEntry := policyServerConfigEntry{
 			NamespacedName: types.NamespacedName{
 				Namespace: admissionPolicy.GetNamespace(),

internal/controller/policyserver_controller_test.go

@@ -247,44 +247,54 @@ var _ = Describe("PolicyServer controller", func() {
 			policyServer := newPolicyServerFactory().withName(policyServerName).build()
 			createPolicyServerAndWaitForItsService(ctx, policyServer)
 
-			admissionPolicy := newAdmissionPolicyFactory().withName(newName("admission-policy")).withNamespace("default").withPolicyServer(policyServerName).build()
+			admissionPolicy := newAdmissionPolicyFactory().
+				withPolicyServer(policyServerName).
+				build()
 			Expect(k8sClient.Create(ctx, admissionPolicy)).To(Succeed())
 
-			clusterAdmissionPolicy := newClusterAdmissionPolicyFactory().withName(newName("cluster-admission")).withPolicyServer(policyServerName).withMutating(false).build()
-			clusterAdmissionPolicy.Spec.ContextAwareResources = []policiesv1.ContextAwareResource{
-				{
-					APIVersion: "v1",
-					Kind:       "Pod",
-				},
-				{
-					APIVersion: "v1",
-					Kind:       "Deployment",
-				},
-			}
+			clusterAdmissionPolicy := newClusterAdmissionPolicyFactory().
+				withPolicyServer(policyServerName).
+				withContextAwareResources([]policiesv1.ContextAwareResource{
+					{
+						APIVersion: "v1",
+						Kind:       "Pod",
+					},
+					{
+						APIVersion: "v1",
+						Kind:       "Deployment",
+					},
+				}).
+				build()
 			Expect(k8sClient.Create(ctx, clusterAdmissionPolicy)).To(Succeed())
 
-			admissionPolicyGroup := newAdmissionPolicyGroupFactory().withName(newName("admissing-policy-group")).withNamespace("default").withPolicyServer(policyServerName).build()
+			admissionPolicyGroup := newAdmissionPolicyGroupFactory().
+				withPolicyServer(policyServerName).
+				build()
 			Expect(k8sClient.Create(ctx, admissionPolicyGroup)).To(Succeed())
 
-			clusterPolicyGroup := newClusterAdmissionPolicyGroupFactory().withName(newName("cluster-admission-policy-group")).withPolicyServer(policyServerName).build()
-			podPrivilegedPolicy := clusterPolicyGroup.Spec.Policies["pod-privileged"]
-			podPrivilegedPolicy.ContextAwareResources = []policiesv1.ContextAwareResource{
-				{
-					APIVersion: "v1",
-					Kind:       "Pod",
-				},
-			}
-			clusterPolicyGroup.Spec.Policies["pod-privileged"] = podPrivilegedPolicy
-
-			userGroupPolicy := clusterPolicyGroup.Spec.Policies["user-group-psp"]
-			userGroupPolicy.ContextAwareResources = []policiesv1.ContextAwareResource{
-				{
-					APIVersion: "v1",
-					Kind:       "Deployment",
-				},
-			}
-			clusterPolicyGroup.Spec.Policies["user-group-psp"] = userGroupPolicy
-
+			clusterPolicyGroup := newClusterAdmissionPolicyGroupFactory().
+				withPolicyServer(policyServerName).
+				withMembers(policiesv1.PolicyGroupMembers{
+					"pod_privileged": {
+						Module: "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5",
+						ContextAwareResources: []policiesv1.ContextAwareResource{
+							{
+								APIVersion: "v1",
+								Kind:       "Pod",
+							},
+						},
+					},
+					"user_group_psp": {
+						Module: "registry://ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+						ContextAwareResources: []policiesv1.ContextAwareResource{
+							{
+								APIVersion: "v1",
+								Kind:       "Deployment",
+							},
+						},
+					},
+				}).
+				build()
 			Expect(k8sClient.Create(ctx, clusterPolicyGroup)).To(Succeed())
 
 			policiesMap := policyConfigEntryMap{}
@@ -393,8 +403,8 @@ var _ = Describe("PolicyServer controller", func() {
 									"Name":      Equal(admissionPolicyGroup.GetName()),
 								}),
 								"policies": MatchKeys(IgnoreExtras, Keys{
-									"pod-privileged": MatchKeys(IgnoreExtras, Keys{
-										"module": Equal(admissionPolicyGroup.GetPolicyGroupMembers()["pod-privileged"].Module),
+									"pod_privileged": MatchKeys(IgnoreExtras, Keys{
+										"module": Equal(admissionPolicyGroup.GetPolicyGroupMembers()["pod_privileged"].Module),
 									}),
 								}),
 								"policyMode": Equal(string(admissionPolicyGroup.GetPolicyMode())),
@@ -407,16 +417,16 @@ var _ = Describe("PolicyServer controller", func() {
 									"Name":      Equal(clusterPolicyGroup.GetName()),
 								}),
 								"policies": MatchKeys(IgnoreExtras, Keys{
-									"pod-privileged": MatchAllKeys(Keys{
-										"module":   Equal(clusterPolicyGroup.GetPolicyGroupMembers()["pod-privileged"].Module),
+									"pod_privileged": MatchAllKeys(Keys{
+										"module":   Equal(clusterPolicyGroup.GetPolicyGroupMembers()["pod_privileged"].Module),
 										"settings": Ignore(),
 										"contextAwareResources": And(ContainElement(MatchAllKeys(Keys{
 											"apiVersion": Equal("v1"),
 											"kind":       Equal("Pod"),
 										})), HaveLen(1)),
 									}),
-									"user-group-psp": MatchAllKeys(Keys{
-										"module":   Equal(clusterPolicyGroup.GetPolicyGroupMembers()["user-group-psp"].Module),
+									"user_group_psp": MatchAllKeys(Keys{
+										"module":   Equal(clusterPolicyGroup.GetPolicyGroupMembers()["user_group_psp"].Module),
 										"settings": Ignore(),
 										"contextAwareResources": And(ContainElement(MatchAllKeys(Keys{
 											"apiVersion": Equal("v1"),
@@ -688,7 +698,7 @@ var _ = Describe("PolicyServer controller", func() {
 			}, timeout, pollInterval).Should(Succeed())
 
 			policyName := newName("validating-policy")
-			policy := newClusterAdmissionPolicyFactory().withName(policyName).withPolicyServer(policyServerName).withMutating(false).build()
+			policy := newClusterAdmissionPolicyFactory().withName(policyName).withPolicyServer(policyServerName).build()
 			Expect(k8sClient.Create(ctx, policy)).To(Succeed())
 
 			Eventually(func() error {