From 98b56c2937fd667b1099a1f34988f327ac0c8d24 Mon Sep 17 00:00:00 2001
From: Chris Burns <29541485+ChrisJBurns@users.noreply.github.com>
Date: Mon, 17 Nov 2025 23:27:02 +0000
Subject: [PATCH] removes authz-configmap e2e test as its already covered in int tests

Signed-off-by: Chris Burns <29541485+ChrisJBurns@users.noreply.github.com>
---
 .../assert-mcpserver-pod-running.yaml | 9 -
 .../assert-mcpserver-running.yaml | 7 -
 .../authz-configmap/chainsaw-test.yaml | 239 ------------------
 .../authz-configmap/mcpserver-authz.yaml | 30 ---
 4 files changed, 285 deletions(-)
 delete mode 100644 test/e2e/chainsaw/operator/single-tenancy/test-scenarios/authz-configmap/assert-mcpserver-pod-running.yaml
 delete mode 100644 test/e2e/chainsaw/operator/single-tenancy/test-scenarios/authz-configmap/assert-mcpserver-running.yaml
 delete mode 100644 test/e2e/chainsaw/operator/single-tenancy/test-scenarios/authz-configmap/chainsaw-test.yaml
 delete mode 100644 test/e2e/chainsaw/operator/single-tenancy/test-scenarios/authz-configmap/mcpserver-authz.yaml

diff --git a/test/e2e/chainsaw/operator/single-tenancy/test-scenarios/authz-configmap/assert-mcpserver-pod-running.yaml b/test/e2e/chainsaw/operator/single-tenancy/test-scenarios/authz-configmap/assert-mcpserver-pod-running.yaml
deleted file mode 100644
index 9ff0b5d8b..000000000
--- a/test/e2e/chainsaw/operator/single-tenancy/test-scenarios/authz-configmap/assert-mcpserver-pod-running.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- namespace: toolhive-system
- labels:
- app: mcpserver
- app.kubernetes.io/instance: authz-configmap-test
-status:
- phase: Running
\ No newline at end of file
diff --git a/test/e2e/chainsaw/operator/single-tenancy/test-scenarios/authz-configmap/assert-mcpserver-running.yaml b/test/e2e/chainsaw/operator/single-tenancy/test-scenarios/authz-configmap/assert-mcpserver-running.yaml
deleted file mode 100644
index 8c4b5372d..000000000
--- a/test/e2e/chainsaw/operator/single-tenancy/test-scenarios/authz-configmap/assert-mcpserver-running.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: toolhive.stacklok.dev/v1alpha1
-kind: MCPServer
-metadata:
- name: authz-configmap-test
- namespace: toolhive-system
-status:
- phase: Running
\ No newline at end of file
diff --git a/test/e2e/chainsaw/operator/single-tenancy/test-scenarios/authz-configmap/chainsaw-test.yaml b/test/e2e/chainsaw/operator/single-tenancy/test-scenarios/authz-configmap/chainsaw-test.yaml
deleted file mode 100644
index bcef22c00..000000000
--- a/test/e2e/chainsaw/operator/single-tenancy/test-scenarios/authz-configmap/chainsaw-test.yaml
+++ /dev/null
@@ -1,239 +0,0 @@ -apiVersion: chainsaw.kyverno.io/v1alpha1 -kind: Test -metadata: - name: authz-configmap-test -spec: - description: Test that authorization configuration is correctly generated in ConfigMap - steps: - - name: enable-configmap-mode - try: - - script: - content: | - echo "Setting TOOLHIVE_USE_CONFIGMAP=true on operator deployment..." - - # Use strategic merge patch to add the environment variable to existing env array - kubectl patch deployment toolhive-operator -n toolhive-system --type='strategic' -p='{"spec":{"template":{"spec":{"containers":[{"name":"manager","env":[{"name":"TOOLHIVE_USE_CONFIGMAP","value":"true"}]}]}}}}' - - # Wait for rollout to complete - kubectl rollout status deployment/toolhive-operator -n toolhive-system --timeout=60s - - # Verify the environment variable was set - echo "Verifying TOOLHIVE_USE_CONFIGMAP environment variable is set..." - ENV_VAR=$(kubectl get deployment toolhive-operator -n toolhive-system -o jsonpath='{.spec.template.spec.containers[?(@.name=="manager")].env[?(@.name=="TOOLHIVE_USE_CONFIGMAP")].value}') - if [ "$ENV_VAR" = "true" ]; then - echo "✓ TOOLHIVE_USE_CONFIGMAP=true verified on operator deployment" - else - echo "✗ Failed to set TOOLHIVE_USE_CONFIGMAP environment variable" - exit 1 - fi - timeout: 120s - - - name: create-mcpserver-with-authz - try: - - apply: - file: mcpserver-authz.yaml - - assert: - file: assert-mcpserver-running.yaml - timeout: 120s - - - name: verify-pod-running - try: - - assert: - file: assert-mcpserver-pod-running.yaml - timeout: 120s - - - name: verify-configmap-authz-config - try: - - script: - content: | - echo "Verifying ConfigMap authorization configuration..." - - # Wait for ConfigMap to be created - for i in $(seq 1 10); do - if kubectl get configmap -n toolhive-system -l toolhive.stacklok.io/mcp-server=authz-configmap-test >/dev/null 2>&1; then - echo "✓ ConfigMap exists" - break - fi - echo " Waiting for ConfigMap... 
(attempt $i/10)" - sleep 2 - done - - # Get the ConfigMap and extract the runconfig.json - CONFIGMAP_JSON=$(kubectl get configmap -n toolhive-system -l toolhive.stacklok.io/mcp-server=authz-configmap-test -o jsonpath='{.items[0].data.runconfig\.json}' 2>/dev/null || echo "") - - if [ -z "$CONFIGMAP_JSON" ]; then - echo "✗ ConfigMap does not contain runconfig.json data" - kubectl get configmap -n toolhive-system -l toolhive.stacklok.io/mcp-server=authz-configmap-test -o yaml - exit 1 - fi - - echo "$CONFIGMAP_JSON" > /tmp/runconfig.json - - # Verify authorization configuration is present in runconfig.json - if ! echo "$CONFIGMAP_JSON" | jq -e '.authz_config' > /dev/null 2>&1; then - echo "✗ authz_config section not found in runconfig.json" - exit 1 - fi - echo "✓ authz_config section found" - - # Verify version - VERSION=$(echo "$CONFIGMAP_JSON" | jq -r '.authz_config.version // empty') - if [ "$VERSION" != "v1" ]; then - echo "✗ Authorization config version mismatch. Expected: 'v1', Got: '$VERSION'" - exit 1 - fi - echo "✓ Authorization config version verified" - - # Verify type - TYPE=$(echo "$CONFIGMAP_JSON" | jq -r '.authz_config.type // empty') - if [ "$TYPE" != "cedarv1" ]; then - echo "✗ Authorization config type mismatch. Expected: 'cedarv1', Got: '$TYPE'" - exit 1 - fi - echo "✓ Authorization config type verified" - - # Verify cedar config exists - if ! echo "$CONFIGMAP_JSON" | jq -e '.authz_config.cedar' > /dev/null 2>&1; then - echo "✗ cedar configuration section not found" - exit 1 - fi - echo "✓ Cedar configuration section found" - - # Verify policies exist and have correct count - POLICIES_COUNT=$(echo "$CONFIGMAP_JSON" | jq '.authz_config.cedar.policies | length') - if [ "$POLICIES_COUNT" != "3" ]; then - echo "✗ Policies count mismatch. 
Expected: 3, Got: $POLICIES_COUNT" - exit 1 - fi - echo "✓ Policies count verified: $POLICIES_COUNT policies" - - # Verify specific policies exist - WEATHER_POLICY=$(echo "$CONFIGMAP_JSON" | jq -r '.authz_config.cedar.policies[] | select(contains("weather"))') - if [ -z "$WEATHER_POLICY" ]; then - echo "✗ Weather tool policy not found" - exit 1 - fi - echo "✓ Weather tool policy found" - - GREETING_POLICY=$(echo "$CONFIGMAP_JSON" | jq -r '.authz_config.cedar.policies[] | select(contains("greeting"))') - if [ -z "$GREETING_POLICY" ]; then - echo "✗ Greeting prompt policy not found" - exit 1 - fi - echo "✓ Greeting prompt policy found" - - FORBID_POLICY=$(echo "$CONFIGMAP_JSON" | jq -r '.authz_config.cedar.policies[] | select(contains("forbid"))') - if [ -z "$FORBID_POLICY" ]; then - echo "✗ Forbid policy not found" - exit 1 - fi - echo "✓ Forbid policy found" - - # Verify entities JSON exists and contains users - ENTITIES_JSON=$(echo "$CONFIGMAP_JSON" | jq -r '.authz_config.cedar.entities_json // empty') - if [ -z "$ENTITIES_JSON" ]; then - echo "✗ Entities JSON not found" - exit 1 - fi - - # Parse the entities JSON and verify it contains entities - ENTITIES_COUNT=$(echo "$ENTITIES_JSON" | jq '. | length') - if [ "$ENTITIES_COUNT" != "2" ]; then - echo "✗ Entities count mismatch. Expected: 2, Got: $ENTITIES_COUNT" - exit 1 - fi - echo "✓ Entities JSON verified with $ENTITIES_COUNT entities" - - echo "✅ All authorization configuration fields verified successfully in ConfigMap" - timeout: 60s - - - name: verify-proxyrunner-reads-configmap-authz - try: - - script: - content: | - echo "Verifying proxyrunner reads authorization config from ConfigMap..." 
- - # Get the deployment to verify it uses volume mounting - DEPLOYMENT_ARGS=$(kubectl get deployment authz-configmap-test -n toolhive-system -o jsonpath='{.spec.template.spec.containers[0].args}' 2>/dev/null || echo "") - VOLUME_MOUNTS=$(kubectl get deployment authz-configmap-test -n toolhive-system -o jsonpath='{.spec.template.spec.containers[0].volumeMounts}' 2>/dev/null || echo "") - VOLUMES=$(kubectl get deployment authz-configmap-test -n toolhive-system -o jsonpath='{.spec.template.spec.volumes}' 2>/dev/null || echo "") - - if [ -z "$DEPLOYMENT_ARGS" ]; then - echo "✗ Could not find deployment arguments" - exit 1 - fi - - echo "✓ Using volume mounting for configuration" - - # Verify ConfigMap volume is mounted - echo "Verifying ConfigMap volume mounting..." - if echo "$VOLUME_MOUNTS" | jq -e '.[] | select(.name=="runconfig" and .mountPath=="/etc/runconfig" and .readOnly==true)' > /dev/null 2>&1; then - echo "✓ runconfig volume mount found at /etc/runconfig" - else - echo "✗ runconfig volume mount not found or incorrect configuration" - echo "Volume mounts: $VOLUME_MOUNTS" - exit 1 - fi - - # Check for ConfigMap volume source - if echo "$VOLUMES" | jq -e '.[] | select(.name=="runconfig" and .configMap.name=="authz-configmap-test-runconfig")' > /dev/null 2>&1; then - echo "✓ ConfigMap volume source found referencing authz-configmap-test-runconfig" - else - echo "✗ ConfigMap volume source not found or incorrect configuration" - echo "Volumes: $VOLUMES" - exit 1 - fi - - # Verify no authorization flags are present (they should be read from ConfigMap) - if echo "$DEPLOYMENT_ARGS" | grep -q "\--authz-config"; then - echo "✗ --authz-config flag found in deployment arguments (should not be present when using ConfigMap)" - echo "Deployment args: $DEPLOYMENT_ARGS" - exit 1 - fi - echo "✓ No --authz-config flags found in deployment arguments (correct for ConfigMap mode)" - - # Get pod logs to verify authorization is working - echo "Checking pod logs for authorization 
initialization..." - POD_NAME=$(kubectl get pods -n toolhive-system -l app.kubernetes.io/instance=authz-configmap-test -o jsonpath='{.items[0].metadata.name}' 2>/dev/null) - - if [ -z "$POD_NAME" ]; then - echo "✗ Could not find pod for authz-configmap-test" - exit 1 - fi - - # Wait a moment for the pod to initialize - sleep 5 - - # Check logs for authorization-related messages - LOGS=$(kubectl logs "$POD_NAME" -n toolhive-system --tail=50 2>/dev/null || echo "") - - if [ -z "$LOGS" ]; then - echo "⚠️ Could not retrieve pod logs (pod may still be initializing)" - else - echo "✓ Pod logs retrieved for verification" - # Look for any authorization-related log messages - if echo "$LOGS" | grep -i "authz\|authorization"; then - echo "✓ Found authorization-related log entries" - else - echo "ℹ️ No specific authorization log entries found (this may be expected)" - fi - fi - - echo "✅ Proxyrunner ConfigMap integration verified successfully" - timeout: 60s - - - name: cleanup-configmap-mode - try: - - script: - content: | - echo "Cleaning up ConfigMap mode..." - - # Wait for ConfigMap to be deleted - kubectl wait --for=delete configmap -l toolhive.stacklok.io/mcp-server=authz-configmap-test -n toolhive-system --timeout=60s || true - - # Disable ConfigMap mode to avoid affecting subsequent tests - echo "Disabling ConfigMap mode..." - kubectl patch deployment toolhive-operator -n toolhive-system --type='strategic' -p='{"spec":{"template":{"spec":{"containers":[{"name":"manager","env":[{"name":"TOOLHIVE_USE_CONFIGMAP","value":"false"}]}]}}}}' - kubectl rollout status deployment/toolhive-operator -n toolhive-system --timeout=60s - echo "✓ ConfigMap mode cleanup completed" - timeout: 120s \ No newline at end of file diff --git a/test/e2e/chainsaw/operator/single-tenancy/test-scenarios/authz-configmap/mcpserver-authz.yaml b/test/e2e/chainsaw/operator/single-tenancy/test-scenarios/authz-configmap/mcpserver-authz.yaml deleted file mode 100644 index 75c63e172..000000000 
--- a/test/e2e/chainsaw/operator/single-tenancy/test-scenarios/authz-configmap/mcpserver-authz.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: toolhive.stacklok.dev/v1alpha1
-kind: MCPServer
-metadata:
- name: authz-configmap-test
- namespace: toolhive-system
-spec:
- image: ghcr.io/stackloklabs/yardstick/yardstick-server:0.0.2
- transport: stdio
- proxyPort: 8080
-
- # Inline authorization configuration to test ConfigMap generation
- authzConfig:
- type: inline
- inline:
- policies:
- 'permit(principal, action == Action::"call_tool", resource == Tool::"weather");'
- 'permit(principal, action == Action::"get_prompt", resource == Prompt::"greeting");'
- 'forbid(principal, action == Action::"call_tool", resource == Tool::"sensitive_data");'
- entitiesJson: '[{"uid": {"type": "User", "id": "user1"}, "attrs": {"role": "viewer"}}, {"uid": {"type": "User", "id": "admin"}, "attrs": {"role": "admin"}}]'
-
- permissionProfile:
- type: builtin
- name: network
- resources:
- limits:
- cpu: "100m"
- memory: "128Mi"
- requests:
- cpu: "50m"
- memory: "64Mi"
\ No newline at end of file