diff --git a/tests/airgap.rs b/tests/airgap.rs new file mode 100644 index 00000000..2e1ec410 --- /dev/null +++ b/tests/airgap.rs @@ -0,0 +1,111 @@ +use assert_cmd::Command; +use std::path::{Path, PathBuf}; +use tempfile::tempdir; +use testcontainers::{clients, core::WaitFor}; + +mod common; + +#[test] +fn test_airgap() { + let tempdir = tempdir().unwrap(); + let project_root = PathBuf::from(env!("CARGO_MANIFEST_DIR")); + + // Run registry + let docker = clients::Cli::default(); + let registry_image = testcontainers::GenericImage::new("docker.io/library/registry", "2") + .with_wait_for(WaitFor::message_on_stderr("listening on ")); + let testcontainer = docker.run(registry_image); + let port = testcontainer.get_host_port_ipv4(5000); + + // Save policies + let mut save_policies_script = setup_airgap_script_command( + &project_root.join("scripts/kubewarden-save-policies.sh"), + tempdir.path(), + ); + save_policies_script + .arg("--policies-list") + .arg(project_root.join("tests/data/airgap/policies.txt")) + .arg("--policies") + .arg(tempdir.path().join("policies.tar.gz")) + .assert() + .success(); + + // Remove policies from store + let mut kwctl = common::setup_command(tempdir.path()); + kwctl + .arg("rm") + .arg("registry://ghcr.io/kubewarden/tests/pod-privileged:v0.1.9") + .assert() + .success(); + + let mut kwctl = common::setup_command(tempdir.path()); + kwctl + .arg("rm") + .arg("https://github.com/kubewarden/pod-privileged-policy/releases/download/v0.1.6/policy.wasm") + .assert() + .success(); + + // Create sources.yml + let sources_yaml = format!( + r#" + insecure_sources: + - "localhost:{}" + "#, + port + ); + std::fs::write(tempdir.path().join("sources.yml"), sources_yaml).unwrap(); + + // Load policies + let mut load_policies_script = setup_airgap_script_command( + &project_root.join("scripts/kubewarden-load-policies.sh"), + tempdir.path(), + ); + load_policies_script + .arg("--policies") + .arg(tempdir.path().join("policies.tar.gz")) + .arg("--policies-list") + .arg(project_root.join("tests/data/airgap/policies.txt")) + .arg("--registry") + .arg(format!("localhost:{}", port)) + .arg("--sources-path") + .arg(tempdir.path().join("sources.yml")) + .assert() + .success(); + + // Verify policies in local registry + let mut kwctl = common::setup_command(tempdir.path()); + kwctl + .arg("pull") + .arg(format!( + "registry://localhost:{}/kubewarden/tests/pod-privileged:v0.1.9", + port + )) + .arg("--sources-path") + .arg(tempdir.path().join("sources.yml")) + .assert() + .success(); + + let mut kwctl = common::setup_command(tempdir.path()); + kwctl + .arg("pull") + .arg(format!( + "registry://localhost:{}/kubewarden/pod-privileged-policy/releases/download/v0.1.6/policy.wasm ", + port + )) + .arg("--sources-path") + .arg(tempdir.path().join("sources.yml")) + .assert() + .success(); +} + +fn setup_airgap_script_command(script: &Path, tempdir: &Path) -> Command { + let mut cmd = Command::new(script); + + cmd.current_dir(tempdir) + .env("XDG_CONFIG_HOME", tempdir.join(".config")) + .env("XDG_CACHE_HOME", tempdir.join(".cache")) + .env("XDG_DATA_HOME", tempdir.join(".local/share")) + .env("KWCTL_CMD", env!("CARGO_BIN_EXE_kwctl")); + + cmd +} diff --git a/tests/data/airgap/insecure.yml b/tests/data/airgap/insecure.yml deleted file mode 100644 index 6311068a..00000000 --- a/tests/data/airgap/insecure.yml +++ /dev/null @@ -1,2 +0,0 @@ -insecure_sources: - - localhost:5000 diff --git a/tests/secure_supply_chain_e2e.rs b/tests/secure_supply_chain_e2e.rs index ac30c16a..60015a44 100644 --- a/tests/secure_supply_chain_e2e.rs +++ b/tests/secure_supply_chain_e2e.rs @@ -5,7 +5,7 @@ use rstest::rstest; use std::{fs, path::Path}; use tempfile::tempdir; -pub mod common; +mod common; fn cosign_initialize(path: &Path) { let mut cmd = Command::new("cosign");