Merge branch 'main' into check-deprecated-apis-cel

.github/actions/run-tests/action.yaml

@@ -0,0 +1,16 @@
+name: "Runs E2E Tests"
+description: "Runs E2E tests using chainsaw"
+inputs:
+  tests:
+    description: "Test regex"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Install Chainsaw
+      uses: kyverno/action-install-chainsaw@5d00c353f61f44f3b492c673420202d1b1374c3f # v0.2.6
+    - name: Test with Chainsaw
+      shell: bash
+      run: |
+        set -e
+        chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ inputs.tests }}' --no-color=false

.github/actions/setup-env/action.yaml

@@ -0,0 +1,51 @@
+name: "Setup Environment for E2E Tests"
+description: "Sets up the environment for the E2E workflows"
+inputs:
+  k8s-version:
+    description: "Kubernetes version"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Go
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+      with:
+        go-version: ~1.21.1
+    - name: Install Tools
+      shell: bash
+      run: |
+        set -e
+        curl -LO "https://dl.k8s.io/release/${{ inputs.k8s-version }}/bin/linux/amd64/kubectl"
+        sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+    - name: Install kind
+      shell: bash
+      run: |
+        set -e
+        # For AMD64 / x86_64
+        [ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64
+        # For ARM64
+        [ $(uname -m) = aarch64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-arm64
+        chmod +x ./kind
+        sudo mv ./kind /usr/local/bin/kind
+    - name: Install latest Kyverno CLI
+      uses: kyverno/action-install-cli@fcee92fca5c883169ef9927acf543e0b5fc58289 # v0.2.0
+    - name: Create kind cluster
+      shell: bash
+      run: |
+        set -e
+        kind create cluster --image kindest/node:${{ inputs.k8s-version }} --config ./.github/kind.yml
+    - name: Install latest kyverno
+      shell: bash
+      run: |
+        set -e
+        kubectl create -f https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml
+    - name: Wait for kyverno ready
+      shell: bash
+      run: |
+        set -e
+        kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s
+    - name: Install CRDs
+      shell: bash
+      run: |
+        set -e
+        kubectl apply -f ./.chainsaw/crds

.github/workflows/cel-test.yml

@@ -0,0 +1,65 @@
+name: E2E Tests - CEL
+
+permissions: {}
+
+on:
+  workflow_dispatch: {}
+  pull_request:
+    branches:
+      - 'main'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  chainsaw:
+    strategy:
+      fail-fast: false
+      matrix:
+        k8s-version:
+          - name: v1.25
+            version: v1.25.16
+          - name: v1.26
+            version: v1.26.14
+          - name: v1.27
+            version: v1.27.11
+          - name: v1.28
+            version: v1.28.7
+          - name: v1.29
+            version: v1.29.2
+        tests:
+          - ^argo-cel$
+          - ^aws-cel$
+          - ^best-practices-cel$
+          - ^consul-cel$
+          - ^flux-cel$
+          - ^istio-cel$
+          - ^kasten-cel$
+          - ^kubecost-cel$
+          - ^linkerd-cel$
+          - ^nginx-ingress-cel$
+          - ^openshift-cel$
+          - ^other-cel$/^a
+          - ^other-cel$/^[b-d]
+          - ^other-cel$/^[e-l]
+          - ^other-cel$/^[m-q]
+          - ^other-cel$/^re[c-q]
+          - ^other-cel$/^res
+          - ^other-cel$/^[s-z]
+          - ^pod-security-cel$
+          - ^psa-cel$
+          - ^traefik-cel$
+    runs-on: ubuntu-latest
+    name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Setup Environment
+        uses: ./.github/actions/setup-env
+        with:
+          k8s-version: ${{ matrix.k8s-version.version }}
+      - name: Run CEL Tests
+        uses: ./.github/actions/run-tests
+        with:
+          tests: ${{ matrix.tests }}

.github/workflows/test.yml

@@ -30,104 +30,46 @@ jobs:
             version: v1.29.2
         tests:
           - ^argo$
-          - ^argo-cel$
           - ^aws$
-          - ^aws-cel$
           - ^best-practices$
-          - ^best-practices-cel$
           - ^castai$
           - ^cert-manager$
           - ^cleanup$
           - ^consul$
-          - ^consul-cel$
           - ^external-secret-operator$
           - ^flux$
-          - ^flux-cel$
           - ^istio$
-          - ^istio-cel$
           - ^karpenter$
           - ^kasten$
-          - ^kasten-cel$
           - ^kubecost$
-          - ^kubecost-cel$
           - ^kubeops$
           - ^kubevirt$
           - ^linkerd$
-          - ^linkerd-cel$
           - ^nginx-ingress$
-          - ^nginx-ingress-cel$
           - ^openshift$
-          - ^openshift-cel$
           - ^other$/^a
-          - ^other-cel$/^a
           - ^other$/^[b-d]
-          - ^other-cel$/^[b-d]
           - ^other$/^[e-l]
-          - ^other-cel$/^[e-l]
           - ^other$/^[m-q]
-          - ^other-cel$/^[m-q]
           - ^other$/^re[c-q]
-          - ^other-cel$/^re[c-q]
           - ^other$/^res
-          - ^other-cel$/^res
           - ^other$/^[s-z]
-          - ^other-cel$/^[s-z]
           - ^pod-security$
-          - ^pod-security-cel$
           - ^psa$
-          - ^psa-cel$
           - ^psp-migration$
           - ^tekton$
           - ^traefik$
-          - ^traefik-cel$
           - ^velero$
     runs-on: ubuntu-latest
     name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }}
     steps:
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+      - name: Setup Environment
+        uses: ./.github/actions/setup-env
         with:
-          go-version: ~1.21.1
-      - name: Install Tools
-        run: |
-          set -e
-          curl -LO "https://dl.k8s.io/release/${{ matrix.k8s-version.version }}/bin/linux/amd64/kubectl"
-          sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
-      - name: Install kind
-        shell: bash
-        run: |
-          set -e
-          # For AMD64 / x86_64
-          [ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64
-          # For ARM64
-          [ $(uname -m) = aarch64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-arm64
-          chmod +x ./kind
-          sudo mv ./kind /usr/local/bin/kind
-      - name: Install latest Kyverno CLI
-        uses: kyverno/action-install-cli@fcee92fca5c883169ef9927acf543e0b5fc58289 # v0.2.0
-      - name: Create kind cluster
-        run: |
-          set -e
-          kind create cluster --image kindest/node:${{ matrix.k8s-version.version }} --config ./.github/kind.yml
-      - name: Install latest kyverno
-        run: |
-          set -e
-          kubectl create -f https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml
-      - name: Wait for kyverno ready
-        run: |
-          set -e
-          kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s
-      - name: Install CRDs
-        run: |
-          set -e
-          kubectl apply -f ./.chainsaw/crds
-      - name: Install Chainsaw
-        uses: kyverno/action-install-chainsaw@5d00c353f61f44f3b492c673420202d1b1374c3f # v0.2.6
-      - name: Test with Chainsaw
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          set -e
-          chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ matrix.tests }}' --no-color=false
+          k8s-version: ${{ matrix.k8s-version.version }}
+      - name: Run Tests
+        uses: ./.github/actions/run-tests
+        with:
+          tests: ${{ matrix.tests }}

flux-cel/verify-git-repositories/.kyverno-test/kyverno-test.yaml

@@ -5,8 +5,8 @@ metadata:
 policies:
 - ../verify-git-repositories.yaml
 resources:
-- ../.chainsaw-test/good-gitrepositories.yaml
-- ../.chainsaw-test/bad-gitrepositories.yaml
+- ../.chainsaw-test-rename-after-issue-10313-fix/good-gitrepositories.yaml
+- ../.chainsaw-test-rename-after-issue-10313-fix/bad-gitrepositories.yaml
 results:
 - policy: verify-git-repositories
   rule: github-repositories-only

other/verify-image-with-multi-keys/artifacthub-pkg.yml

@@ -12,11 +12,11 @@ keywords:
   - kyverno
   - Software Supply Chain Security
 readme: |
-  There may be multiple keys used to sign images based on the parties involved in the creation process. This image verification policy requires the named image be signed by two separate keys. It will search for a global "production" key in a ConfigMap called `key` in the `default` Namespace and also a Namespace key in the same ConfigMap.
+  There may be multiple keys used to sign images based on the parties involved in the creation process. This image verification policy requires the named image be signed by two separate keys. It will search for a global "production" key in a ConfigMap called `keys` in the `default` Namespace and also a Namespace key in the same ConfigMap.
   
   Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
 annotations:
   kyverno/category: "Software Supply Chain Security"
   kyverno/kubernetesVersion: "1.23"
   kyverno/subject: "Pod"
-digest: 14cc8946fcc7d3141270826f036b28226c88c5d8e93ba475b1523e90512a281b
+digest: 512b32c2d9e2bcf48907258ca01ff675efb4ed0d1967351ad161e50b20512d56

other/verify-image-with-multi-keys/verify-image-with-multi-keys.yaml

@@ -15,7 +15,7 @@ metadata:
       the parties involved in the creation process. This image
       verification policy requires the named image be signed by
       two separate keys. It will search for a global "production"
-      key in a ConfigMap called `key` in the `default` Namespace
+      key in a ConfigMap called `keys` in the `default` Namespace
       and also a Namespace key in the same ConfigMap.
 spec:
   validationFailureAction: enforce
@@ -42,4 +42,4 @@ spec:
           - keys: 
               publicKeys: "{{ keys.data.production }}"
           - keys: 
-              publicKeys: "{{ keys.data.{{request.namespace}} }}"
+              publicKeys: "{{ keys.data.{{request.namespace}} }}"