Merge pull request #611 from dottorblaster/opensuse-bci-e2e

test(e2e): switch from Ubuntu to openSUSE BCI images

Author: dottorblaster

docs/yaml/ubuntu-deployment.yaml docs/yaml/opensuse-deployment.yamldocs/yaml/ubuntu-deployment.yaml renamed to docs/yaml/opensuse-deployment.yaml

@@ -1,22 +1,22 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: ubuntu-deployment
+  name: opensuse-deployment
   labels:
-    app: ubuntu-deployment
+    app: opensuse-deployment
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: ubuntu-deployment
+      app: opensuse-deployment
   template:
     metadata:
       labels:
-        app: ubuntu-deployment
+        app: opensuse-deployment
     spec:
       containers:
-      - name: ubuntu
-        image: ubuntu:24.04
+      - name: opensuse
+        image: registry.opensuse.org/opensuse/bci/bci-ci:latest
         # We create a while loop to continually run sleep and ls.
         # This way we can detect two groups of processes in our test:
         # - process snapshot (bash)

test/e2e/enforcement_test.go

@@ -28,7 +28,7 @@ func getEnforcementOnNewPodsTest() types.Feature {
 					Spec: v1alpha1.WorkloadPolicySpec{
 						Mode: policymode.ProtectString,
 						RulesByContainer: map[string]*v1alpha1.WorkloadPolicyRules{
-							"ubuntu": {
+							"opensuse": {
 								Executables: v1alpha1.WorkloadPolicyExecutables{
 									Allowed: []string{
 										"/usr/bin/ls",
@@ -44,10 +44,10 @@ func getEnforcementOnNewPodsTest() types.Feature {
 				// 1. Create the resource and wait for it to be deployed.
 				createAndWaitWP(ctx, t, policy.DeepCopy())
 				// 2. Deploy test pods
-				createAndWaitUbuntuDeployment(ctx, t, withPolicy("test-policy"))
+				createAndWaitOpensuseDeployment(ctx, t, withPolicy("test-policy"))
 
 				// 3. Run command in the pod and verify the result.
-				podName, err := findUbuntuDeploymentPod(ctx)
+				podName, err := findOpensuseDeploymentPod(ctx)
 				require.NoError(t, err)
 
 				expectedResults := []struct {
@@ -59,7 +59,7 @@ func getEnforcementOnNewPodsTest() types.Feature {
 						Allowed:  true,
 					},
 					{
-						Commands: []string{"/usr/bin/apt", "update"},
+						Commands: []string{"/usr/bin/zypper", "refresh"},
 						Allowed:  false,
 					},
 				}
@@ -68,14 +68,14 @@ func getEnforcementOnNewPodsTest() types.Feature {
 					t.Log("running:", expectedResult.Commands)
 
 					if expectedResult.Allowed {
-						requireExecAllowedInCurrentNamespace(ctx, t, podName, "ubuntu", expectedResult.Commands)
+						requireExecAllowedInCurrentNamespace(ctx, t, podName, "opensuse", expectedResult.Commands)
 					} else {
-						requireExecBlockedInCurrentNamespace(ctx, t, podName, "ubuntu", expectedResult.Commands)
+						requireExecBlockedInCurrentNamespace(ctx, t, podName, "opensuse", expectedResult.Commands)
 					}
 				}
 
 				// 4. Delete test Deployment
-				deleteUbuntuDeployment(ctx, t)
+				deleteOpensuseDeployment(ctx, t)
 
 				// 5. Delete WorkloadPolicy and wait for it to be gone.
 				deleteAndWaitWP(ctx, t, &policy)

test/e2e/helpers_test.go

@@ -24,12 +24,12 @@ import (
 )
 
 const (
-	defaultHelmTimeout       = time.Minute * 5
-	defaultOperationTimeout  = time.Minute
-	testFolder               = "./testdata"
-	ubuntuDeploymentManifest = "ubuntu-deployment.yaml"
-	ubuntuDeploymentName     = "ubuntu-deployment"
-	operationNotPermittedMsg = "operation not permitted"
+	defaultHelmTimeout         = time.Minute * 5
+	defaultOperationTimeout    = time.Minute
+	testFolder                 = "./testdata"
+	opensuseDeploymentManifest = "opensuse-deployment.yaml"
+	opensuseDeploymentName     = "opensuse-deployment"
+	operationNotPermittedMsg   = "operation not permitted"
 )
 
 type key string
@@ -150,7 +150,7 @@ func waitForWorkloadPolicyStatusToBeUpdated(
 }
 
 ////////////////////
-// Ubuntu deployment helpers
+// Opensuse deployment helpers
 ////////////////////
 
 //nolint:unparam // we want to keep the flexibility to support different policy name.
@@ -162,67 +162,67 @@ func withPolicy(policyName string) decoder.DecodeOption {
 	})
 }
 
-func createAndWaitUbuntuDeployment(
+func createAndWaitOpensuseDeployment(
 	ctx context.Context,
 	t *testing.T,
 	options ...decoder.DecodeOption,
 ) {
 	t.Helper()
-	t.Log("installing test Ubuntu deployment")
+	t.Log("installing test Opensuse deployment")
 	namespace := getNamespace(ctx)
 	decodeOptions := append([]decoder.DecodeOption{decoder.MutateNamespace(namespace)}, options...)
 	err := decoder.ApplyWithManifestDir(
 		ctx,
 		getClient(ctx),
 		testFolder,
-		ubuntuDeploymentManifest,
+		opensuseDeploymentManifest,
 		[]resources.CreateOption{},
 		decodeOptions...,
 	)
-	require.NoError(t, err, "failed to create ubuntu deployment")
+	require.NoError(t, err, "failed to create opensuse deployment")
 
-	// Wait for ubuntu deployment to become available
+	// Wait for opensuse deployment to become available
 	err = wait.For(
-		conditions.New(getClient(ctx)).DeploymentAvailable(ubuntuDeploymentName, namespace),
+		conditions.New(getClient(ctx)).DeploymentAvailable(opensuseDeploymentName, namespace),
 		wait.WithTimeout(defaultOperationTimeout),
 	)
-	require.NoError(t, err, "ubuntu deployment should become available")
+	require.NoError(t, err, "opensuse deployment should become available")
 }
 
-func deleteUbuntuDeployment(ctx context.Context, t *testing.T) {
+func deleteOpensuseDeployment(ctx context.Context, t *testing.T) {
 	t.Helper()
-	t.Log("deleting test Ubuntu deployment")
+	t.Log("deleting test Opensuse deployment")
 	// With foreground cascading deletion the Deployment resource is only removed
 	// once all its owned pods have been terminated, so a single wait on the deployment is enough.
 	err := decoder.DeleteWithManifestDir(
 		ctx,
 		getClient(ctx),
 		testFolder,
-		ubuntuDeploymentManifest,
+		opensuseDeploymentManifest,
 		[]resources.DeleteOption{
 			resources.WithDeletePropagation("Foreground"),
 		},
 		decoder.MutateNamespace(getNamespace(ctx)),
 	)
 	require.NoError(t, err, "failed to delete test data")
 
-	waitForUbuntuDeploymentDeleted(ctx, t)
+	waitForOpensuseDeploymentDeleted(ctx, t)
 }
 
-func waitForUbuntuDeploymentDeleted(ctx context.Context, t *testing.T) {
+func waitForOpensuseDeploymentDeleted(ctx context.Context, t *testing.T) {
 	t.Helper()
-	t.Log("waiting for Ubuntu deployment to be deleted")
+	t.Log("waiting for Opensuse deployment to be deleted")
 	deployment := &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      ubuntuDeploymentName,
+			Name:      opensuseDeploymentName,
 			Namespace: getNamespace(ctx),
 		},
 	}
 	err := wait.For(
 		conditions.New(getClient(ctx)).ResourceDeleted(deployment),
 		wait.WithTimeout(defaultOperationTimeout),
 	)
-	require.NoError(t, err, "ubuntu deployment should be deleted")
+	require.NoError(t, err, "opensuse deployment should be deleted")
 }
 
 func findPodByPrefix(ctx context.Context, namespace string, prefix string) (string, error) {
@@ -242,8 +242,8 @@ func findPodByPrefix(ctx context.Context, namespace string, prefix string) (stri
 	return "", fmt.Errorf("pod with prefix %q not found in namespace %q", prefix, namespace)
 }
 
-func findUbuntuDeploymentPod(ctx context.Context) (string, error) {
-	return findPodByPrefix(ctx, getNamespace(ctx), ubuntuDeploymentName)
+func findOpensuseDeploymentPod(ctx context.Context) (string, error) {
+	return findPodByPrefix(ctx, getNamespace(ctx), opensuseDeploymentName)
 }
 
 func execInCurrentNamespace(
@@ -293,7 +293,7 @@ func requireExecBlockedInCurrentNamespace(
 	require.Contains(t, stderr, operationNotPermittedMsg)
 }
 
-func verifyUbuntuLearnedProcesses(values []string) bool {
+func verifyOpensuseLearnedProcesses(values []string) bool {
 	return slices.Contains(values, "/usr/bin/bash") &&
 		slices.Contains(values, "/usr/bin/ls") &&
 		slices.Contains(values, "/usr/bin/sleep")

test/e2e/learning_mode_test.go

@@ -60,39 +60,39 @@ func getLearningModeTest() types.Feature {
 					"DaemonSet": {
 						ParseFunc: func() k8s.Object {
 							var daemonset appsv1.DaemonSet
-							err := decoder.DecodeFile(testdata, "ubuntu-daemonset.yaml", &daemonset)
+							err := decoder.DecodeFile(testdata, "opensuse-daemonset.yaml", &daemonset)
 							require.NoError(t, err)
 							return &daemonset
 						},
 					},
 					"Deployment": {
 						ParseFunc: func() k8s.Object {
 							var deployment appsv1.Deployment
-							err := decoder.DecodeFile(testdata, "ubuntu-deployment.yaml", &deployment)
+							err := decoder.DecodeFile(testdata, "opensuse-deployment.yaml", &deployment)
 							require.NoError(t, err)
 							return &deployment
 						},
 					},
 					"StatefulSet": {
 						ParseFunc: func() k8s.Object {
 							var statefulset appsv1.StatefulSet
-							err := decoder.DecodeFile(testdata, "ubuntu-statefulset.yaml", &statefulset)
+							err := decoder.DecodeFile(testdata, "opensuse-statefulset.yaml", &statefulset)
 							require.NoError(t, err)
 							return &statefulset
 						},
 					},
 					"Job": {
 						ParseFunc: func() k8s.Object {
 							var job batchv1.Job
-							err := decoder.DecodeFile(testdata, "ubuntu-job.yaml", &job)
+							err := decoder.DecodeFile(testdata, "opensuse-job.yaml", &job)
 							require.NoError(t, err)
 							return &job
 						},
 					},
 					"CronJob": {
 						ParseFunc: func() k8s.Object {
 							var cronjob batchv1.CronJob
-							err := decoder.DecodeFile(testdata, "ubuntu-cronjob.yaml", &cronjob)
+							err := decoder.DecodeFile(testdata, "opensuse-cronjob.yaml", &cronjob)
 							require.NoError(t, err)
 							return &cronjob
 						},
@@ -134,12 +134,12 @@ func getLearningModeTest() types.Feature {
 
 							t.Log("proposal: ", proposal)
 
-							rules, ok := proposal.Spec.RulesByContainer["ubuntu"]
+							rules, ok := proposal.Spec.RulesByContainer["opensuse"]
 							if !ok {
 								return false
 							}
 
-							return verifyUbuntuLearnedProcesses(rules.Executables.Allowed)
+							return verifyOpensuseLearnedProcesses(rules.Executables.Allowed)
 						}),
 						wait.WithTimeout(defaultOperationTimeout),
 					)
@@ -185,12 +185,12 @@ func getNoLearningModeTest() types.Feature {
 				return context.WithValue(ctx, key("namespace"), disabledNS)
 			}).
 		Assess("required resources become available", IfRequiredResourcesAreCreated).
-		Assess("install ubuntu deployment in disabled namespace", func(ctx context.Context, t *testing.T, _ *envconf.Config) context.Context {
-			createAndWaitUbuntuDeployment(ctx, t)
+		Assess("install opensuse deployment in disabled namespace", func(ctx context.Context, t *testing.T, _ *envconf.Config) context.Context {
+			createAndWaitOpensuseDeployment(ctx, t)
 			return ctx
 		}).
-		Assess("no proposal for ubuntu deployment", func(ctx context.Context, t *testing.T, _ *envconf.Config) context.Context {
-			proposalName, err := proposalutils.GetWorkloadPolicyProposalName("Deployment", ubuntuDeploymentName)
+		Assess("no proposal for opensuse deployment", func(ctx context.Context, t *testing.T, _ *envconf.Config) context.Context {
+			proposalName, err := proposalutils.GetWorkloadPolicyProposalName("Deployment", opensuseDeploymentName)
 			require.NoError(t, err)
 
 			proposal := v1alpha1.WorkloadPolicyProposal{
@@ -222,7 +222,7 @@ func getNoLearningModeTest() types.Feature {
 			return ctx
 		}).
 		Teardown(func(ctx context.Context, t *testing.T, _ *envconf.Config) context.Context {
-			deleteUbuntuDeployment(ctx, t)
+			deleteOpensuseDeployment(ctx, t)
 			return ctx
 		}).Feature()
 }