From f60c643e8fda451976959765afb0b3a9567598cd Mon Sep 17 00:00:00 2001 From: Markus Rudy Date: Mon, 24 Jun 2024 08:54:06 +0200 Subject: [PATCH] e2e: add genpolicy regression tests --- .../{e2e_getdents.yml => e2e_regression.yml} | 29 +++++--- e2e/genpolicy/genpolicy_test.go | 73 +++++++++++++++++++ internal/kuberesource/sets.go | 32 ++++++++ packages/by-name/contrast/package.nix | 2 +- 4 files changed, 124 insertions(+), 12 deletions(-) rename .github/workflows/{e2e_getdents.yml => e2e_regression.yml} (79%) create mode 100644 e2e/genpolicy/genpolicy_test.go diff --git a/.github/workflows/e2e_getdents.yml b/.github/workflows/e2e_regression.yml similarity index 79% rename from .github/workflows/e2e_getdents.yml rename to .github/workflows/e2e_regression.yml index 2e298927d8..401a20a7c3 100644 --- a/.github/workflows/e2e_getdents.yml +++ b/.github/workflows/e2e_regression.yml @@ -1,13 +1,15 @@ -name: e2e test getdents +name: regression tests on: - workflow_dispatch: - inputs: - skip-undeploy: - description: "Skip undeploy" - required: false - type: boolean - default: false + schedule: + - cron: "16 6 * * 6" # 6:16 on Saturdays + workflow_dispatch: + inputs: + skip-undeploy: + description: "Skip undeploy" + required: false + type: boolean + default: false env: container_registry: ghcr.io/edgelesssys @@ -15,11 +17,16 @@ env: DO_NOT_TRACK: 1 jobs: - test: + regression-test: runs-on: ubuntu-22.04 permissions: contents: read packages: write + strategy: + matrix: + case: + - getdents + - genpolicy steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: ./.github/actions/setup_nix 
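Review bot: The new `strategy` block under `regression-test` does not set `fail-fast`, so GitHub's default applies and a failure in one matrix case cancels the other while it is still running. A scheduled run could then report on only one of the two regressions. Adding `fail-fast: false` at the same level as `matrix:` keeps `getdents` and `genpolicy` independent. Both cases also run with `packages: write`, and presumably push images to the same registry, so it is worth confirming that concurrent matrix jobs cannot overwrite each other's tags.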
@@ -49,9 +56,9 @@ jobs: - name: Build and prepare deployments run: | just node-installer - - name: E2E Test + - name: Run regression test run: | - nix shell .#contrast.e2e --command getdents.test -test.v \ + nix shell .#contrast.e2e --command ${{ matrix.case }}.test -test.v \ --image-replacements workspace/just.containerlookup \ --namespace-file workspace/e2e.namespace \ --skip-undeploy="${{ inputs.skip-undeploy && 'true' || 'false' }}" diff --git a/e2e/genpolicy/genpolicy_test.go b/e2e/genpolicy/genpolicy_test.go new file mode 100644 index 0000000000..d361526299 --- /dev/null +++ b/e2e/genpolicy/genpolicy_test.go 
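Review bot: In the `Run regression test` step, `${{ matrix.case }}` is expanded into the script text before the shell parses it. The value comes from the static matrix list in this workflow, so nothing untrusted reaches it today. The pattern would become a script-injection sink if the case name were ever fed from an input or event field. Passing it through the step environment avoids that: add `env:` with `CASE: ${{ matrix.case }}` and call `--command "${CASE}.test"`. On `schedule` runs `inputs` is empty, so the `--skip-undeploy` expression evaluates to 'false', which looks like the intended default.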
@@ -0,0 +1,73 @@
+// Copyright 2024 Edgeless Systems GmbH
+// SPDX-License-Identifier: AGPL-3.0-only
+
+//go:build e2e
+
+package genpolicy
+
+import (
+ "bytes"
+ "context"
+ "flag"
+ "io"
+ "os"
+ "path"
+ "testing"
+ "time"
+
+ "github.com/edgelesssys/contrast/cli/cmd"
+ "github.com/edgelesssys/contrast/e2e/internal/contrasttest"
+ "github.com/edgelesssys/contrast/e2e/internal/kubeclient"
+ "github.com/edgelesssys/contrast/internal/kuberesource"
+ "github.com/stretchr/testify/require"
+)
+
+var (
+ imageReplacementsFile, namespaceFile string
+ skipUndeploy bool
+)
+
+// TestGenpolicy runs regression tests for generated policies.
+func TestGenpolicy(t *testing.T) {
+ testCases := kuberesource.GenpolicyRegressionTests()
+
+ for name, deploy := range testCases {
+ t.Run(name, func(t *testing.T) {
+ ct := contrasttest.New(t, imageReplacementsFile, namespaceFile, skipUndeploy)
+
+ ct.Init(t, []any{deploy})
+
+ require.True(t, t.Run("generate", func(t *testing.T) {
+ require := require.New(t)
+ args := []string{
+ "--workspace-dir", ct.WorkDir,
+ "--skip-initializer",
+ path.Join(ct.WorkDir, "resources.yaml"),
+ }
+ generate := cmd.NewGenerateCmd()
+ generate.Flags().String("workspace-dir", "", "") // Make generate aware of root flags
+ generate.SetArgs(args)
+ generate.SetOut(io.Discard)
+ errBuf := &bytes.Buffer{}
+ generate.SetErr(errBuf)
+
+ require.NoError(generate.Execute(), "generate failed:\n%s", errBuf.String())
+ }), "contrast generate needs to succeed for subsequent tests")
+
+ require.True(t, t.Run("apply", ct.Apply), "Kubernetes resources need to be applied for subsequent tests")
+
+ ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+ t.Cleanup(cancel)
+ require.NoError(t, ct.Kubeclient.WaitFor(ctx, kubeclient.Deployment{}, ct.Namespace, name))
+ })
+ }
+}
+
+func TestMain(m *testing.M) {
+ flag.StringVar(&imageReplacementsFile, "image-replacements", "", "path to image replacements file")
+ flag.StringVar(&namespaceFile, 
"namespace-file", "", "file to store the namespace in") + flag.BoolVar(&skipUndeploy, "skip-undeploy", false, "skip undeploy step in the test") + flag.Parse() + + os.Exit(m.Run()) +} diff --git a/internal/kuberesource/sets.go b/internal/kuberesource/sets.go index 66121d7d58..49fe04c80a 100644 --- a/internal/kuberesource/sets.go +++ b/internal/kuberesource/sets.go @@ -7,6 +7,7 @@ import ( "fmt" "k8s.io/apimachinery/pkg/util/intstr" + applyappsv1 "k8s.io/client-go/applyconfigurations/apps/v1" applycorev1 "k8s.io/client-go/applyconfigurations/core/v1" ) @@ -151,6 +152,37 @@ func GetDEnts() ([]any, error) { return []any{tester}, nil } +// GenpolicyRegressionTests returns deployments for regression testing genpolicy. +func GenpolicyRegressionTests() map[string]*applyappsv1.DeploymentApplyConfiguration { + out := make(map[string]*applyappsv1.DeploymentApplyConfiguration) + + // Reproduces https://github.com/edgelesssys/contrast/issues/624. + badLayer := "bad-layer" + out[badLayer] = Deployment(badLayer, ""). + WithSpec(DeploymentSpec(). + WithReplicas(1). + WithSelector(LabelSelector(). + WithMatchLabels(map[string]string{"app.kubernetes.io/name": badLayer}), + ). + WithTemplate(PodTemplateSpec(). + WithLabels(map[string]string{"app.kubernetes.io/name": badLayer}). + WithSpec(PodSpec(). + WithRuntimeClassName(runtimeHandler). + WithContainers( + Container(). + WithName(badLayer). + WithImage("docker.io/library/httpd:2.4.59-bookworm@sha256:10182d88d7fbc5161ae0f6f758cba7adc56d4aae2dc950e51d72c0cf68967cea"). + WithResources(ResourceRequirements(). + WithMemoryLimitAndRequest(50), + ), + ), + ), + ), + ) + + return out +} + // Emojivoto returns resources for deploying Emojivoto application. func Emojivoto(smMode serviceMeshMode) []any { ns := "" diff --git a/packages/by-name/contrast/package.nix b/packages/by-name/contrast/package.nix index 354569dea8..47dcf4db9f 100644 --- a/packages/by-name/contrast/package.nix +++ b/packages/by-name/contrast/package.nix 
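Review bot: The `generate` subtest in `TestGenpolicy` passes `--skip-initializer` without explanation, and the test never sets a manifest or verifies against the coordinator. A reader therefore cannot tell from the file how much of the attestation flow this regression test covers. A comment above `args` would make the scope explicit, for example `// Only policy generation and its enforcement at pod start are under test; no manifest is set, so the initializer is left out.` The reason is inferred from the visible calls, so the author should confirm the wording. Separately, `path.Join(ct.WorkDir, "resources.yaml")` builds a filesystem path and would more conventionally be `filepath.Join(ct.WorkDir, "resources.yaml")`.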
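Review bot: The `httpd:2.4.59-bookworm@sha256:…` reference passed to `WithImage` in `GenpolicyRegressionTests` is presumably the reproducer for issue 624 itself, but nothing next to it says the pin is intentional. A routine tag or digest bump, whether manual or by an update bot if the repository uses one, would then silently remove the regression coverage while the test keeps passing. I would add a comment directly above `WithImage`, e.g. `// Pinned on purpose: this exact image reproduces issue 624. Do not update.` The doc comment on the function could also state that each map key must equal the Deployment's name, since `TestGenpolicy` waits on the deployment using the key.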
@@ -24,7 +24,7 @@ let "-X github.com/edgelesssys/contrast/internal/kuberesource.runtimeHandler=${runtimeHandler}" ]; - subPackages = [ "e2e/getdents" "e2e/openssl" "e2e/servicemesh" "e2e/release" ]; + subPackages = [ "e2e/genpolicy" "e2e/getdents" "e2e/openssl" "e2e/servicemesh" "e2e/release" ]; }; launchDigest = builtins.readFile "${runtime-class-files}/launch-digest.hex";