simplify the cel expression

Signed-off-by: Lavish pal <[email protected]>

.github/actions/run-tests/action.yaml

@@ -0,0 +1,16 @@
+name: "Runs E2E Tests"
+description: "Runs E2E tests using chainsaw"
+inputs:
+  tests:
+    description: "Test regex"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Install Chainsaw
+      uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8
+    - name: Test with Chainsaw
+      shell: bash
+      run: |
+        set -e
+        chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ inputs.tests }}' --no-color=false

.github/actions/setup-env/action.yaml

@@ -0,0 +1,51 @@
+name: "Setup Environment for E2E Tests"
+description: "Sets up the environment for the E2E workflows"
+inputs:
+  k8s-version:
+    description: "Kubernetes version"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Go
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+      with:
+        go-version: ~1.21.1
+    - name: Install Tools
+      shell: bash
+      run: |
+        set -e
+        curl -LO "https://dl.k8s.io/release/${{ inputs.k8s-version }}/bin/linux/amd64/kubectl"
+        sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+    - name: Install kind
+      shell: bash
+      run: |
+        set -e
+        # For AMD64 / x86_64
+        [ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64
+        # For ARM64
+        [ $(uname -m) = aarch64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-arm64
+        chmod +x ./kind
+        sudo mv ./kind /usr/local/bin/kind
+    - name: Install latest Kyverno CLI
+      uses: kyverno/action-install-cli@fcee92fca5c883169ef9927acf543e0b5fc58289 # v0.2.0
+    - name: Create kind cluster
+      shell: bash
+      run: |
+        set -e
+        kind create cluster --image kindest/node:${{ inputs.k8s-version }} --config ./.github/kind.yml
+    - name: Install latest kyverno
+      shell: bash
+      run: |
+        set -e
+        kubectl create -f https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml
+    - name: Wait for kyverno ready
+      shell: bash
+      run: |
+        set -e
+        kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s
+    - name: Install CRDs
+      shell: bash
+      run: |
+        set -e
+        kubectl apply -f ./.chainsaw/crds

.github/workflows/cel-test.yml

@@ -0,0 +1,65 @@
+name: E2E Tests - CEL
+
+permissions: {}
+
+on:
+  workflow_dispatch: {}
+  pull_request:
+    branches:
+      - 'main'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  chainsaw:
+    strategy:
+      fail-fast: false
+      matrix:
+        k8s-version:
+          - name: v1.25
+            version: v1.25.16
+          - name: v1.26
+            version: v1.26.14
+          - name: v1.27
+            version: v1.27.11
+          - name: v1.28
+            version: v1.28.7
+          - name: v1.29
+            version: v1.29.2
+        tests:
+          - ^argo-cel$
+          - ^aws-cel$
+          - ^best-practices-cel$
+          - ^consul-cel$
+          - ^flux-cel$
+          - ^istio-cel$
+          - ^kasten-cel$
+          - ^kubecost-cel$
+          - ^linkerd-cel$
+          - ^nginx-ingress-cel$
+          - ^openshift-cel$
+          - ^other-cel$/^a
+          - ^other-cel$/^[b-d]
+          - ^other-cel$/^[e-l]
+          - ^other-cel$/^[m-q]
+          - ^other-cel$/^re[c-q]
+          - ^other-cel$/^res
+          - ^other-cel$/^[s-z]
+          - ^pod-security-cel$
+          - ^psa-cel$
+          - ^traefik-cel$
+    runs-on: ubuntu-latest
+    name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Setup Environment
+        uses: ./.github/actions/setup-env
+        with:
+          k8s-version: ${{ matrix.k8s-version.version }}
+      - name: Run CEL Tests
+        uses: ./.github/actions/run-tests
+        with:
+          tests: ${{ matrix.tests }}

.github/workflows/test.yml

@@ -30,104 +30,46 @@ jobs:
             version: v1.29.2
         tests:
           - ^argo$
-          - ^argo-cel$
           - ^aws$
-          - ^aws-cel$
           - ^best-practices$
-          - ^best-practices-cel$
           - ^castai$
           - ^cert-manager$
           - ^cleanup$
           - ^consul$
-          - ^consul-cel$
           - ^external-secret-operator$
           - ^flux$
-          - ^flux-cel$
           - ^istio$
-          - ^istio-cel$
           - ^karpenter$
           - ^kasten$
-          - ^kasten-cel$
           - ^kubecost$
-          - ^kubecost-cel$
           - ^kubeops$
           - ^kubevirt$
           - ^linkerd$
-          - ^linkerd-cel$
           - ^nginx-ingress$
-          - ^nginx-ingress-cel$
           - ^openshift$
-          - ^openshift-cel$
           - ^other$/^a
-          - ^other-cel$/^a
           - ^other$/^[b-d]
-          - ^other-cel$/^[b-d]
           - ^other$/^[e-l]
-          - ^other-cel$/^[e-l]
           - ^other$/^[m-q]
-          - ^other-cel$/^[m-q]
           - ^other$/^re[c-q]
-          - ^other-cel$/^re[c-q]
           - ^other$/^res
-          - ^other-cel$/^res
           - ^other$/^[s-z]
-          - ^other-cel$/^[s-z]
           - ^pod-security$
-          - ^pod-security-cel$
           - ^psa$
-          - ^psa-cel$
           - ^psp-migration$
           - ^tekton$
           - ^traefik$
-          - ^traefik-cel$
           - ^velero$
     runs-on: ubuntu-latest
     name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }}
     steps:
       - name: Checkout
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Setup Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+      - name: Setup Environment
+        uses: ./.github/actions/setup-env
         with:
-          go-version: ~1.21.1
-      - name: Install Tools
-        run: |
-          set -e
-          curl -LO "https://dl.k8s.io/release/${{ matrix.k8s-version.version }}/bin/linux/amd64/kubectl"
-          sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
-      - name: Install kind
-        shell: bash
-        run: |
-          set -e
-          # For AMD64 / x86_64
-          [ $(uname -m) = x86_64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-amd64
-          # For ARM64
-          [ $(uname -m) = aarch64 ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.20.0/kind-linux-arm64
-          chmod +x ./kind
-          sudo mv ./kind /usr/local/bin/kind
-      - name: Install latest Kyverno CLI
-        uses: kyverno/action-install-cli@fcee92fca5c883169ef9927acf543e0b5fc58289 # v0.2.0
-      - name: Create kind cluster
-        run: |
-          set -e
-          kind create cluster --image kindest/node:${{ matrix.k8s-version.version }} --config ./.github/kind.yml
-      - name: Install latest kyverno
-        run: |
-          set -e
-          kubectl create -f https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml
-      - name: Wait for kyverno ready
-        run: |
-          set -e
-          kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s
-      - name: Install CRDs
-        run: |
-          set -e
-          kubectl apply -f ./.chainsaw/crds
-      - name: Install Chainsaw
-        uses: kyverno/action-install-chainsaw@5d00c353f61f44f3b492c673420202d1b1374c3f # v0.2.6
-      - name: Test with Chainsaw
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          set -e
-          chainsaw test --config .chainsaw.yaml --include-test-regex '^chainsaw$/${{ matrix.tests }}' --no-color=false
+          k8s-version: ${{ matrix.k8s-version.version }}
+      - name: Run Tests
+        uses: ./.github/actions/run-tests
+        with:
+          tests: ${{ matrix.tests }}

flux-cel/verify-git-repositories/.kyverno-test/kyverno-test.yaml

@@ -5,8 +5,8 @@ metadata:
 policies:
 - ../verify-git-repositories.yaml
 resources:
-- ../.chainsaw-test/good-gitrepositories.yaml
-- ../.chainsaw-test/bad-gitrepositories.yaml
+- ../.chainsaw-test-rename-after-issue-10313-fix/good-gitrepositories.yaml
+- ../.chainsaw-test-rename-after-issue-10313-fix/bad-gitrepositories.yaml
 results:
 - policy: verify-git-repositories
   rule: github-repositories-only

istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-1.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    istio.io/dataplane-mode: ambient
+  name: istio-test-en-ns

istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-2.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    istio.io/dataplane-mode: other
+  name: istio-test-dis-ns

istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-3.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-test-none-ns

istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-step-02-apply-4.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    foo: bar
+  name: istio-test-alt-ns

istio/add-ambient-mode-namespace/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,34 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: add-ambient-mode-namespace
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../add-ambient-mode-namespace.yaml
+    - assert:
+        file: policy-ready.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: chainsaw-step-02-apply-1.yaml
+    - apply:
+        file: chainsaw-step-02-apply-2.yaml
+    - apply:
+        file: chainsaw-step-02-apply-3.yaml
+    - apply:
+        file: chainsaw-step-02-apply-4.yaml
+  - name: step-03
+    try:
+    - assert:
+        file: patched-ns-alt.yaml
+    - assert:
+        file: patched-ns-disabled.yaml
+    - assert:
+        file: patched-ns-enabled.yaml
+    - assert:
+        file: patched-ns-none.yaml

istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-alt.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    foo: bar
+    istio.io/dataplane-mode: ambient
+  name: istio-test-alt-ns

istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-disabled.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    istio.io/dataplane-mode: ambient
+  name: istio-test-dis-ns

istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-enabled.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    istio.io/dataplane-mode: ambient
+  name: istio-test-en-ns

istio/add-ambient-mode-namespace/.chainsaw-test/patched-ns-none.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    istio.io/dataplane-mode: ambient
+  name: istio-test-none-ns

istio/add-ambient-mode-namespace/.chainsaw-test/policy-ready.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-ambient-mode-namespace
+status:
+  ready: true

istio/add-ambient-mode-namespace/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,21 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: add-ambient-mode-namespace
+policies:
+- ../add-ambient-mode-namespace.yaml
+resources:
+- ../.chainsaw-test/patched-ns-disabled.yaml
+- ../.chainsaw-test/patched-ns-enabled.yaml
+- ../.chainsaw-test/patched-ns-alt.yaml
+- ../.chainsaw-test/patched-ns-none.yaml
+results:
+- policy: add-ambient-mode-namespace
+  rule: check-ambient-mode-enabled
+  kind: Namespace
+  resources:
+  - istio-test-none-ns
+  - istio-test-dis-ns
+  - istio-test-en-ns
+  - istio-test-alt-ns
+  result: pass