test: add new e2e test cases for kubectl plugin

Signed-off-by: Venkatesh Jayagopal <venkatesh.jayagopal@suse.com>

Author: venkateshjayagopal

test/e2e/e2e_suite_test.go

@@ -2,9 +2,16 @@ package e2e_test
 
 import (
 	"context"
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
+	"io"
 	"log/slog"
+	"net/http"
 	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
 	"slices"
 	"strings"
 	"testing"
@@ -116,10 +123,12 @@ func getCharts() []helmChart {
 
 func TestMain(m *testing.M) {
 	charts := getCharts()
+
 	commonSetupFuncs := []env.Func{
 		// we uninstall here as a defensive check but nothing should be left behind
 		uninstallHelmRepos(charts),
 		installHelmRepos(charts),
+		installKubectlRuntimeEnforcer(),
 	}
 
 	commonFinishFuncs := []env.Func{
@@ -257,3 +266,157 @@ func installHelmRepos(charts []helmChart) env.Func {
 		return ctx, nil
 	}
 }
+
+// installKubectlRuntimeEnforcer downloads and installs the kubectl runtime-enforcer plugin
+func installKubectlRuntimeEnforcer() env.Func {
+	return func(ctx context.Context, config *envconf.Config) (context.Context, error) {
+	// runtime-enforcer version
+	version := "v0.6.0"
+	installDir := "/usr/local/bin"
+	
+	logger := slog.New(slog.NewJSONHandler(os.Stdout, nil))
+	goos := runtime.GOOS
+	goarch := runtime.GOARCH
+
+	if !isSupportedPlatform(goos, goarch) {
+		return ctx, fmt.Errorf("unsupported platform: %s/%s (supported: linux/amd64, linux/arm64, darwin/amd64, darwin/arm64)", goos, goarch)
+	}
+
+	logger.InfoContext(ctx, "Downloading and installing kubectl runtime-enforcer plugin.")
+
+	pluginName := "kubectl-runtime_enforcer"
+	binaryName := fmt.Sprintf("%s-%s-%s", pluginName, goos, goarch)
+	downloadURL := fmt.Sprintf("https://github.com/rancher-sandbox/runtime-enforcer/releases/download/%s/%s", version, binaryName)
+	checksumURL := fmt.Sprintf("%s.sha256", downloadURL)
+
+	tempDir, err := os.MkdirTemp("", "runtime-enforcer-install-")
+	if err != nil {
+		return ctx, fmt.Errorf("failed to create temp directory: %w", err)
+	}
+	defer os.RemoveAll(tempDir)
+
+	binaryPath := filepath.Join(tempDir, binaryName)
+	checksumPath := filepath.Join(tempDir, binaryName+".sha256")
+
+	if err := downloadFile(downloadURL, binaryPath); err != nil {
+		return ctx, fmt.Errorf("failed to download binary: %w", err)
+	}
+
+	if err := downloadFile(checksumURL, checksumPath); err != nil {
+		return ctx, fmt.Errorf("failed to download checksum: %w", err)
+	}
+
+	if err := verifyChecksum(binaryPath, checksumPath); err != nil {
+		return ctx, fmt.Errorf("checksum verification failed: %w", err)
+	}
+
+	if err := os.Chmod(binaryPath, 0755); err != nil {
+		return ctx, fmt.Errorf("failed to make binary executable: %w", err)
+	}
+
+	installPath := filepath.Join(installDir, pluginName)
+	if err := moveFile(binaryPath, installPath); err != nil {
+		return ctx, fmt.Errorf("failed to install binary: %w", err)
+	}
+
+	cmd := exec.Command(pluginName, "-v")
+	if output, err := cmd.CombinedOutput(); err != nil {
+		return ctx, fmt.Errorf("installation verification failed: %w\nOutput: %s", err, string(output))
+	}
+
+	return ctx, nil
+	}
+}
+
+func isSupportedPlatform(goos, goarch string) bool {
+	supported := map[string][]string{
+		"linux":  {"amd64", "arm64"},
+		"darwin": {"amd64", "arm64"},
+	}
+
+	if archs, ok := supported[goos]; ok {
+		for _, arch := range archs {
+			if arch == goarch {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func downloadFile(url, filepath string) error {
+	resp, err := http.Get(url)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("bad status: %s", resp.Status)
+	}
+
+	out, err := os.Create(filepath)
+	if err != nil {
+		return err
+	}
+	defer out.Close()
+
+	_, err = io.Copy(out, resp.Body)
+	return err
+}
+
+func verifyChecksum(binaryPath, checksumPath string) error {
+	checksumData, err := os.ReadFile(checksumPath)
+	if err != nil {
+		return err
+	}
+
+	var expected string
+	fmt.Sscanf(string(checksumData), "%s", &expected)
+
+	file, err := os.Open(binaryPath)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	hash := sha256.New()
+	if _, err := io.Copy(hash, file); err != nil {
+		return err
+	}
+	actual := hex.EncodeToString(hash.Sum(nil))
+
+	if actual != expected {
+		return fmt.Errorf("checksum mismatch: expected %s, got %s", expected, actual)
+	}
+
+	return nil
+}
+
+func moveFile(src, dst string) error {
+	if err := os.Rename(src, dst); err == nil {
+		return nil
+	}
+
+	srcFile, err := os.Open(src)
+	if err != nil {
+		return err
+	}
+	defer srcFile.Close()
+
+	dstFile, err := os.Create(dst)
+	if err != nil {
+		return err
+	}
+	defer dstFile.Close()
+
+	if _, err := io.Copy(dstFile, srcFile); err != nil {
+		return err
+	}
+
+	if err := dstFile.Sync(); err != nil {
+		return err
+	}
+
+	return os.Remove(src)
+}

test/e2e/e2e_test.go

@@ -64,3 +64,34 @@ func TestOtelCollector(t *testing.T) {
 
 	testEnv.Test(t, getOtelCollectorTest())
 }
+
+func TestKubectlPluginProposalPromoteTest(t *testing.T) {
+	t.Log("test kubectl runtime-enforcer proposal promote PROPOSAL_NAME [flags]")
+
+	testEnv.Test(t, getKubectlPluginProposalPromoteTest())
+}
+
+func TestKubectlPluginPolicyModeTest(t *testing.T) {
+	t.Log("test kubectl runtime-enforcer policy monitor POLICY_NAME [flags]")
+
+	testEnv.Test(t, getKubectlPluginPolicyModeTest())
+}
+
+func TestKubectlPluginPolicyExecAllowTest(t *testing.T) {
+	t.Log("test kubectl runtime-enforcer policy allow POLICY_NAME <container-name> <executable-name> [<executable-name>...] [flags]")
+
+	testEnv.Test(t, getKubectlPluginPolicyExecAllowTest())
+}
+
+func TestKubectlPluginPolicyExecDenyTest(t *testing.T) {
+	t.Log("test kubectl runtime-enforcer policy deny POLICY_NAME <container-name> <executable-name> [<executable-name>...] [flags]")
+
+	testEnv.Test(t, getKubectlPluginPolicyExecDenyTest())
+}
+
+func TestKubectlPluginErrorHandlingTest(t *testing.T) {
+	t.Log("test kubectl runtime-enforcer ERROR handling")
+
+	testEnv.Test(t, getKubectlPluginErrorHandlingTest())
+}
+