add rego test

add conftest to build bump client-go v0.23.3 fix release ver in docs add test, fix workflow update workflow name, quiet wget add orderedmap to go.mod add proper test fix test again test fix proper failing test fixes #11 run tests on k8s with api changes + goreleaser workflow run tests on k8s with api changes export gopath for test runs manually delete kind cluster manually delete kind cluster use separate kind cluster names increase verbosity use master for kind action try forking revert kind changes
coopernetes · Feb 6, 2022 · 7b35841 · 7b35841
1 parent cee6b34
commit 7b35841
Show file tree

Hide file tree

Showing 8 changed files with 584 additions and 31 deletions.
diff --git a/.github/workflows/go.yml → .github/workflows/build.yml b/.github/workflows/go.yml → .github/workflows/build.yml
@@ -1,20 +1,19 @@
-name: Go
-on: [push]
+name: Go & K8s build
+on:
+  push:
+    branches:
+      - "*"
 jobs:
-
   build:
-    name: Build
     runs-on: ubuntu-latest
     steps:
-    - name: Set up Go 1.13
+    - name: Set up Go 1.17.6
       uses: actions/setup-go@v1
       with:
-        go-version: 1.13
+        go-version: 1.17.6
       id: go
-
     - name: Check out code into the Go module directory
       uses: actions/checkout@v2
-
     - name: Get dependencies & install
       run: |
         go get -v -t -d ./...
@@ -23,13 +22,15 @@ jobs:
             dep ensure
         fi
         go install -v .
-
-    - uses: engineerd/[email protected]
+        curl -fsSLO https://github.com/open-policy-agent/conftest/releases/download/v0.30.0/conftest_0.30.0_Linux_x86_64.tar.gz
+        tar -C /usr/local/bin -xzvf conftest_0.30.0_Linux_x86_64.tar.gz
+        wget -q https://github.com/instrumenta/kubeval/releases/latest/download/kubeval-linux-amd64.tar.gz
+        tar xf kubeval-linux-amd64.tar.gz
+        sudo cp kubeval /usr/local/bin
+    - name: Setup kind
+      uses: engineerd/[email protected]
     - name: Run Kubernetes tests
       run: |
         kubectl cluster-info
-        wget -q --show-progress https://github.com/instrumenta/kubeval/releases/latest/download/kubeval-linux-amd64.tar.gz
-        tar xf kubeval-linux-amd64.tar.gz
-        sudo cp kubeval /usr/local/bin
-        export PATH="$(go env GOPATH)/bin:$PATH" 
+        export PATH="$(go env GOPATH)/bin:$PATH"
         tests/k8s.sh
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,29 @@
+name: release
+on:
+  push:
+    tags:
+      - "v*"
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      -
+        name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.17.6
+      -
+        name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          # either 'goreleaser' (default) or 'goreleaser-pro'
+          distribution: goreleaser
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/README.md b/README.md
@@ -16,8 +16,8 @@ This utility was inspired by [this original bash implementation](https://stackov
 Download the latest [release](https://github.com/coopernetes/kube-role-gen/releases):
 
 ```bash
-wget https://github.com/coopernetes/kube-role-gen/releases/download/v0.0.1/kube-role-gen_0.0.1_Linux_x86_64.tar.gz
-tar xf kube-role-gen_0.0.1_Linux_x86_64.tar.gz
+wget https://github.com/coopernetes/kube-role-gen/releases/download/v0.0.2/kube-role-gen_0.0.2_Linux_x86_64.tar.gz
+tar xf kube-role-gen_0.0.2_Linux_x86_64.tar.gz
 mv kube-role-gen /usr/local/bin/
 ```
 

diff --git a/go.mod b/go.mod
@@ -3,16 +3,14 @@ module github.com/coopernetes/kube-role-gen
 go 1.13
 
 require (
-	github.com/elliotchance/orderedmap v1.3.0
-	github.com/googleapis/gnostic v0.3.1 // indirect
-	golang.org/x/crypto v0.0.0-20200117160349-530e935923ad // indirect
-	golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa // indirect
-	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect
-	golang.org/x/sys v0.0.0-20200113162924-86b910548bc1 // indirect
-	golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
-	gopkg.in/yaml.v2 v2.2.8 // indirect
-	k8s.io/api v0.17.2
-	k8s.io/apimachinery v0.17.2
-	k8s.io/client-go v0.0.0-20200118233946-a432bd9ba7da
-	k8s.io/utils v0.0.0-20200117235808-5f6fbceb4c31 // indirect
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect
+	github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96 // indirect
+	github.com/elliotchance/orderedmap v1.4.0 // indirect
+	github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501 // indirect
+	github.com/gophercloud/gophercloud v0.1.0 // indirect
+	k8s.io/api v0.23.3
+	k8s.io/apimachinery v0.23.3
+	k8s.io/client-go v0.23.3
+	k8s.io/klog v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e // indirect
 )
diff --git a/go.sum b/go.sum
diff --git a/main.go b/main.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"log"
 	"os"
+	"sort"
 	"path/filepath"
 	"strings"
 	"github.com/elliotchance/orderedmap"
@@ -63,7 +64,6 @@ func main() {
 			groupOnly = "core"
 		}
 
-		resourceList := make([]string, 0)
 		resourcesByVerb := make(map[string][]string)
 		for _, apiResource := range apiResourceList.APIResources {
 			if enableVerboseLogging {
@@ -72,11 +72,11 @@ func main() {
 					apiResource.Verbs.String())
 			}
 
-			resourceList = append(resourceList, apiResource.Name)
 			verbList := make([]string, 0)
 			for _, verb := range apiResource.Verbs {
 				verbList = append(verbList, verb)
 			}
+			sort.Strings(verbList)
 			verbString := strings.Join(verbList[:], ",")
 			if value,ok := resourcesByVerb[verbString]; ok {
 				resourcesByVerb[verbString] = append(value, apiResource.Name)
@@ -90,7 +90,19 @@ func main() {
 			sb.WriteString(groupOnly)
 			sb.WriteString("!")
 			sb.WriteString(k)
-			resourcesByGroupAndVerb.Set(sb.String(), resourcesByVerb[k])
+			if resourceVal,exists := resourcesByGroupAndVerb.Get(sb.String()); exists {
+				resourceSetMap := make(map[string]bool);
+				for _,r := range resourceVal.([]string) {
+					resourceSetMap[r] = true
+				}
+				for _,r := range resourcesByVerb[k] {
+					resourceSetMap[r] = true
+				}
+				resourceSet := mapSetToList(resourceSetMap)
+				resourcesByGroupAndVerb.Set(sb.String(), resourceSet)
+			} else {
+				resourcesByGroupAndVerb.Set(sb.String(), resourcesByVerb[k])
+			}
 		}
 	}
 

diff --git a/tests/gh-11.rego b/tests/gh-11.rego
@@ -0,0 +1,12 @@
+package main
+
+deny[msg] {
+	input.rules[i].apiGroups[_] == "batch"
+	not valid_batch(input.rules[i].resources)
+	msg := "Must contain all batch resources"
+}
+
+valid_batch(resources) {
+  startswith(resources[_], "cronjobs")
+  startswith(resources[_], "jobs")
+}
diff --git a/tests/k8s.sh b/tests/k8s.sh
@@ -4,3 +4,4 @@ IFS=$'\n\t'
 
 kube-role-gen | kubeval -
 kube-role-gen | kubectl apply --validate -f -
+kube-role-gen | conftest test --policy tests/gh-11.rego -