Run fuzz tests for generated API schemas (#235)

Signed-off-by: Tamal Saha <tamal@appscode.com>

.github/workflows/ci.yml

@@ -70,6 +70,8 @@ jobs:
         kubectl wait --for=condition=Ready nodes --all --timeout=5m
         kubectl get nodes
         echo
+        kubectl version
+        echo
         echo "installing local-path provisioner ..."
         kubectl delete storageclass --all
         kubectl apply -f https://github.com/rancher/local-path-provisioner/raw/v0.0.11/deploy/local-path-storage.yaml
@@ -84,7 +86,8 @@ jobs:
         export KUBECONFIG="$(kind get kubeconfig-path)"
         make ct TEST_CHARTS=charts/vault-operator
         echo
-        kubectl apply -f https://github.com/kubevault/operator/raw/master/api/crds/catalog.kubevault.com_vaultserverversions.yaml
+        kubectl delete crds --all
+        kubectl apply -f https://github.com/kubevault/operator/raw/master/api/crds/catalog.kubevault.com_vaultserverversions.yaml --validate=false
         kubectl wait --for=condition=NamesAccepted crds --all --timeout=5m
         make ct TEST_CHARTS=charts/vault-catalog
 

api/crds/engine.kubevault.com_awsroles.yaml

@@ -65,6 +65,8 @@ spec:
             policy:
               description: Specifies the IAM policy in JSON format.
               type: object
+              x-kubernetes-embedded-resource: true
+              x-kubernetes-preserve-unknown-fields: true
             policyARNs:
               description: Specifies the ARNs of the AWS managed policies to be attached
                 to IAM users when they are requested. Valid only when credential_type

api/crds/engine.kubevault.com_mongodbroles.yaml

@@ -67,6 +67,8 @@ spec:
                     is NOT secret or secured in any way and should NEVER be used to
                     hold sensitive information."
                   type: object
+                  x-kubernetes-embedded-resource: true
+                  x-kubernetes-preserve-unknown-fields: true
               required:
               - name
               - namespace

api/crds/engine.kubevault.com_mysqlroles.yaml

@@ -67,6 +67,8 @@ spec:
                     is NOT secret or secured in any way and should NEVER be used to
                     hold sensitive information."
                   type: object
+                  x-kubernetes-embedded-resource: true
+                  x-kubernetes-preserve-unknown-fields: true
               required:
               - name
               - namespace

api/crds/engine.kubevault.com_postgresroles.yaml

@@ -67,6 +67,8 @@ spec:
                     is NOT secret or secured in any way and should NEVER be used to
                     hold sensitive information."
                   type: object
+                  x-kubernetes-embedded-resource: true
+                  x-kubernetes-preserve-unknown-fields: true
               required:
               - name
               - namespace

api/crds/engine.kubevault.com_secretengines.yaml

@@ -148,6 +148,8 @@ spec:
                         field is NOT secret or secured in any way and should NEVER
                         be used to hold sensitive information."
                       type: object
+                      x-kubernetes-embedded-resource: true
+                      x-kubernetes-preserve-unknown-fields: true
                   required:
                   - name
                   - namespace
@@ -191,6 +193,8 @@ spec:
                         field is NOT secret or secured in any way and should NEVER
                         be used to hold sensitive information."
                       type: object
+                      x-kubernetes-embedded-resource: true
+                      x-kubernetes-preserve-unknown-fields: true
                   required:
                   - name
                   - namespace
@@ -247,6 +251,8 @@ spec:
                         field is NOT secret or secured in any way and should NEVER
                         be used to hold sensitive information."
                       type: object
+                      x-kubernetes-embedded-resource: true
+                      x-kubernetes-preserve-unknown-fields: true
                   required:
                   - name
                   - namespace

api/crds/policy.kubevault.com_vaultpolicies.yaml

@@ -51,6 +51,8 @@ spec:
             policy:
               description: Policy specifies a vault policy in json format.
               type: object
+              x-kubernetes-embedded-resource: true
+              x-kubernetes-preserve-unknown-fields: true
             policyDocument:
               description: 'PolicyDocument specifies a vault policy in hcl format.
                 For example: path "secret/*" {   capabilities = ["create", "read",

apis/catalog/fuzzer/fuzzer.go

@@ -0,0 +1,33 @@
+/*
+Copyright The KubeVault Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fuzzer
+
+import (
+	"kubevault.dev/operator/apis/catalog/v1alpha1"
+
+	fuzz "github.com/google/gofuzz"
+	runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
+)
+
+// Funcs returns the fuzzer functions for this api group.
+var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
+	return []interface{}{
+		func(s *v1alpha1.VaultServerVersion, c fuzz.Continue) {
+			c.FuzzNoCustom(s) // fuzz self without calling this function again
+		},
+	}
+}

apis/catalog/install/pruning_test.go

@@ -0,0 +1,32 @@
+/*
+Copyright The KubeVault Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package install
+
+import (
+	"testing"
+
+	"kubevault.dev/operator/apis/catalog/fuzzer"
+	"kubevault.dev/operator/apis/catalog/v1alpha1"
+
+	clientsetscheme "k8s.io/client-go/kubernetes/scheme"
+	crdfuzz "kmodules.xyz/crd-schema-fuzz"
+)
+
+func TestPruneTypes(t *testing.T) {
+	Install(clientsetscheme.Scheme)
+	crdfuzz.SchemaFuzzTestForV1beta1CRD(t, clientsetscheme.Scheme, v1alpha1.VaultServerVersion{}.CustomResourceDefinition(), fuzzer.Funcs)
+}

apis/engine/fuzzer/fuzzer.go

@@ -0,0 +1,63 @@
+/*
+Copyright The KubeVault Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fuzzer
+
+import (
+	"kubevault.dev/operator/apis/engine/v1alpha1"
+
+	fuzz "github.com/google/gofuzz"
+	runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
+)
+
+// Funcs returns the fuzzer functions for this api group.
+var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
+	return []interface{}{
+		func(s *v1alpha1.SecretEngine, c fuzz.Continue) {
+			c.FuzzNoCustom(s) // fuzz self without calling this function again
+		},
+		func(s *v1alpha1.AWSRole, c fuzz.Continue) {
+			c.FuzzNoCustom(s) // fuzz self without calling this function again
+		},
+		func(s *v1alpha1.AWSAccessKeyRequest, c fuzz.Continue) {
+			c.FuzzNoCustom(s) // fuzz self without calling this function again
+		},
+		func(s *v1alpha1.AzureRole, c fuzz.Continue) {
+			c.FuzzNoCustom(s) // fuzz self without calling this function again
+		},
+		func(s *v1alpha1.AzureAccessKeyRequest, c fuzz.Continue) {
+			c.FuzzNoCustom(s) // fuzz self without calling this function again
+		},
+		func(s *v1alpha1.GCPRole, c fuzz.Continue) {
+			c.FuzzNoCustom(s) // fuzz self without calling this function again
+		},
+		func(s *v1alpha1.GCPAccessKeyRequest, c fuzz.Continue) {
+			c.FuzzNoCustom(s) // fuzz self without calling this function again
+		},
+		func(s *v1alpha1.DatabaseAccessRequest, c fuzz.Continue) {
+			c.FuzzNoCustom(s) // fuzz self without calling this function again
+		},
+		func(s *v1alpha1.MongoDBRole, c fuzz.Continue) {
+			c.FuzzNoCustom(s) // fuzz self without calling this function again
+		},
+		func(s *v1alpha1.MySQLRole, c fuzz.Continue) {
+			c.FuzzNoCustom(s) // fuzz self without calling this function again
+		},
+		func(s *v1alpha1.PostgresRole, c fuzz.Continue) {
+			c.FuzzNoCustom(s) // fuzz self without calling this function again
+		},
+	}
+}

apis/engine/install/pruning_test.go

@@ -0,0 +1,43 @@
+/*
+Copyright The KubeVault Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package install
+
+import (
+	"testing"
+
+	"kubevault.dev/operator/apis/engine/fuzzer"
+	"kubevault.dev/operator/apis/engine/v1alpha1"
+
+	clientsetscheme "k8s.io/client-go/kubernetes/scheme"
+	crdfuzz "kmodules.xyz/crd-schema-fuzz"
+)
+
+func TestPruneTypes(t *testing.T) {
+	Install(clientsetscheme.Scheme)
+
+	crdfuzz.SchemaFuzzTestForV1beta1CRD(t, clientsetscheme.Scheme, v1alpha1.SecretEngine{}.CustomResourceDefinition(), fuzzer.Funcs)
+	crdfuzz.SchemaFuzzTestForV1beta1CRD(t, clientsetscheme.Scheme, v1alpha1.AWSRole{}.CustomResourceDefinition(), fuzzer.Funcs)
+	crdfuzz.SchemaFuzzTestForV1beta1CRD(t, clientsetscheme.Scheme, v1alpha1.AWSAccessKeyRequest{}.CustomResourceDefinition(), fuzzer.Funcs)
+	crdfuzz.SchemaFuzzTestForV1beta1CRD(t, clientsetscheme.Scheme, v1alpha1.AzureRole{}.CustomResourceDefinition(), fuzzer.Funcs)
+	crdfuzz.SchemaFuzzTestForV1beta1CRD(t, clientsetscheme.Scheme, v1alpha1.AzureAccessKeyRequest{}.CustomResourceDefinition(), fuzzer.Funcs)
+	crdfuzz.SchemaFuzzTestForV1beta1CRD(t, clientsetscheme.Scheme, v1alpha1.GCPRole{}.CustomResourceDefinition(), fuzzer.Funcs)
+	crdfuzz.SchemaFuzzTestForV1beta1CRD(t, clientsetscheme.Scheme, v1alpha1.GCPAccessKeyRequest{}.CustomResourceDefinition(), fuzzer.Funcs)
+	crdfuzz.SchemaFuzzTestForV1beta1CRD(t, clientsetscheme.Scheme, v1alpha1.DatabaseAccessRequest{}.CustomResourceDefinition(), fuzzer.Funcs)
+	crdfuzz.SchemaFuzzTestForV1beta1CRD(t, clientsetscheme.Scheme, v1alpha1.MongoDBRole{}.CustomResourceDefinition(), fuzzer.Funcs)
+	crdfuzz.SchemaFuzzTestForV1beta1CRD(t, clientsetscheme.Scheme, v1alpha1.MySQLRole{}.CustomResourceDefinition(), fuzzer.Funcs)
+	crdfuzz.SchemaFuzzTestForV1beta1CRD(t, clientsetscheme.Scheme, v1alpha1.PostgresRole{}.CustomResourceDefinition(), fuzzer.Funcs)
+}

apis/engine/v1alpha1/aws_role_types.go

@@ -86,6 +86,8 @@ type AWSRoleSpec struct {
 
 	// Specifies the IAM policy in JSON format.
 	// +optional
+	// +kubebuilder:validation:EmbeddedResource
+	// +kubebuilder:pruning:PreserveUnknownFields
 	Policy *runtime.RawExtension `json:"policy,omitempty" protobuf:"bytes,7,opt,name=policy"`
 
 	// The default TTL for STS credentials. When a TTL is not specified when STS credentials are requested,

apis/kubevault/fuzzer/fuzzer.go

@@ -0,0 +1,33 @@
+/*
+Copyright The KubeVault Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fuzzer
+
+import (
+	"kubevault.dev/operator/apis/kubevault/v1alpha1"
+
+	fuzz "github.com/google/gofuzz"
+	runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
+)
+
+// Funcs returns the fuzzer functions for this api group.
+var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
+	return []interface{}{
+		func(s *v1alpha1.VaultServer, c fuzz.Continue) {
+			c.FuzzNoCustom(s) // fuzz self without calling this function again
+		},
+	}
+}

apis/kubevault/install/pruning_test.go

@@ -0,0 +1,32 @@
+/*
+Copyright The KubeVault Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package install
+
+import (
+	"testing"
+
+	"kubevault.dev/operator/apis/kubevault/fuzzer"
+	"kubevault.dev/operator/apis/kubevault/v1alpha1"
+
+	clientsetscheme "k8s.io/client-go/kubernetes/scheme"
+	crdfuzz "kmodules.xyz/crd-schema-fuzz"
+)
+
+func TestPruneTypes(t *testing.T) {
+	Install(clientsetscheme.Scheme)
+	crdfuzz.SchemaFuzzTestForV1beta1CRD(t, clientsetscheme.Scheme, v1alpha1.VaultServer{}.CustomResourceDefinition(), fuzzer.Funcs)
+}

apis/policy/fuzzer/fuzzer.go

@@ -0,0 +1,36 @@
+/*
+Copyright The KubeVault Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package fuzzer
+
+import (
+	"kubevault.dev/operator/apis/policy/v1alpha1"
+
+	fuzz "github.com/google/gofuzz"
+	runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer"
+)
+
+// Funcs returns the fuzzer functions for this api group.
+var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
+	return []interface{}{
+		func(s *v1alpha1.VaultPolicy, c fuzz.Continue) {
+			c.FuzzNoCustom(s) // fuzz self without calling this function again
+		},
+		func(s *v1alpha1.VaultPolicyBinding, c fuzz.Continue) {
+			c.FuzzNoCustom(s) // fuzz self without calling this function again
+		},
+	}
+}