test(e2e): add AKS e2e for the v2 gatekeeper provider (notation + AKV)#2636
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #2636 +/- ##
=======================================
Coverage 78.62% 78.62%
=======================================
Files 105 105
Lines 4664 4664
=======================================
Hits 3667 3667
Misses 848 848
Partials 149 149 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Pull request overview
Adds an AKS end-to-end test flow for the Ratify v2 Gatekeeper provider (config.ratify.dev/v2alpha1 Executor CRD), including deployment via the deployments/ratify-gatekeeper-provider Helm chart configured for Azure Key Vault-backed Notation certs and Azure Workload Identity, then runs a reduced Bats suite that validates admission and mutation behavior.
Changes:
- Add v2 Gatekeeper
ConstraintTemplate/Constraintfor Ratify verification using the v2 provider response shape (succeeded). - Convert the AKS Bats suite to the v2 constraint artifacts and focus it on notation+AKV and mutation tests.
- Convert the AKS CI script to build/push the v2 provider image, import the notation cert into AKV, deploy Gatekeeper + the v2 provider chart with static TLS + workload identity, and run the Bats tests.
- Parameterize the Key Vault Administrator role assignment principal type to support local runs authenticated as a user.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
scripts/azure-ci-test.sh |
Switch AKS e2e provisioning/deploy/test flow to the v2 gatekeeper-provider Helm chart (AKV Notation cert + workload identity + static TLS). |
scripts/create-azure-resources.sh |
Allow overriding AKV role-assignment --assignee-principal-type via AZURE_SP_PRINCIPAL_TYPE for local runs. |
test/bats/azure-test.bats |
Replace prior AKS e2e coverage with v2-focused notation AKV admission + tag→digest mutation tests. |
test/bats/tests/config/v2/constrainttemplate.yaml |
Introduce v2 constraint template rego targeting ratify-gatekeeper-provider and checking succeeded. |
test/bats/tests/config/v2/constraint.yaml |
Add v2 RatifyVerification constraint for Pods in default namespace (deny on failure). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
ddabb1f to
e1b9afa
Compare
|
the pr is not related to excutor crd, rename it? |
e1b9afa to
b924845
Compare
b924845 to
e37c263
Compare
1c85f19 to
e7c3cef
Compare
Deploy the ratify-gatekeeper-provider chart on AKS with Azure Workload Identity and an AKV-backed notation certificate, and run the notation-AKV admission and tag-to-digest mutation tests. Convert scripts/azure-ci-test.sh to the v2 deploy path, parameterize the Key Vault admin role principal type via AZURE_SP_PRINCIPAL_TYPE for local user runs, and add the v2 Gatekeeper ConstraintTemplate/Constraint. Scoped to AKS/AKV-specific coverage; generic verifier cases are covered by the kind base-test.bats v2 migration. Cosign-on-AKV and executor-patch cases are planned follow-ups. Signed-off-by: Charles Wu <yuewu2@microsoft.com>
e7c3cef to
d99099b
Compare
Summary
Add an end-to-end (e2e) test for the Ratify v2 gatekeeper provider (
config.ratify.dev/v2alpha1ExecutorCRD) on AKS, following the existing v1 AKS e2e structure. The provider is deployed from thedeployments/ratify-gatekeeper-providerHelm chart with an Azure Key Vault backed notation certificate and Azure Workload Identity for registry access.Since
mainis the v2 line, the existing AKS artifacts are converted in place (no parallel v2 files), mirroring the approach used for the k8s e2e migration.Changes
scripts/azure-ci-test.sh— converted to the v2 deploy path: build & push theratify-gatekeeper-providerimage to ACR, import the notation cert into AKV, deploy Gatekeeper + the v2 provider chart (notation AKV cert + workload identity, static TLS), then run the notation bats suite.serviceAccount.nameis overridden toratify-adminto match the federated-credential subject.test/bats/azure-test.bats— converted to v2 notation/AKV scope: signed image (AKV cert) is admitted, unsigned is rejected, plus a tag→digest mutation test. Uses the v2 constraint template/constraint.test/bats/tests/config/v2/constrainttemplate.yaml/constraint.yaml— v2 GatekeeperConstraintTemplate+RatifyVerificationconstraint. The rego targets providerratify-gatekeeper-providerand reads the v2 response fieldsucceeded.scripts/create-azure-resources.sh— parameterize the Key Vault Administrator role--assignee-principal-typeviaAZURE_SP_PRINCIPAL_TYPE(defaultServicePrincipal, unchanged for CI) so local runs authenticated as aUserwork.Validation
Ran the full flow live on AKS (subscription-provisioned RG → ACR → AKV → AKS, then deploy + tests, then cleanup):
Notes
<registry>/notation) — the notation verifier rejects registry-only scopes.