From 58ad7eec8df5e77d11c80f9fdb81a0fc48b66019 Mon Sep 17 00:00:00 2001 From: biswajit-9776 <115724497+biswajit-9776@users.noreply.github.com> Date: Mon, 12 Aug 2024 16:01:41 +0530 Subject: [PATCH] Added tests to tests/gh-actions to enable baseline and restricted PSS (#2819) * Patched PSS labels to multi_tenancy Signed-off-by: biswajit-9776 * Added script in gh-actions to patch PSS/static/baseline/patches Signed-off-by: biswajit-9776 * Added PSS scripts for both baseline and restricted labels of static namespaces and renamed directories Signed-off-by: biswajit-9776 * Added tests to enable PSS in gh-actions Signed-off-by: biswajit-9776 * Added workflow test for PSS labels Signed-off-by: biswajit-9776 * Fixed indentation Signed-off-by: biswajit-9776 --------- Signed-off-by: biswajit-9776 --- .github/workflows/pss_test.yaml | 35 +++++++++++++++++++ .../PSS/static/baseline/kustomization.yaml | 6 ++-- .../{dex-labels.yaml => auth-labels.yaml} | 0 ...o-labels.yaml => istio-system-labels.yaml} | 0 .../PSS/static/restricted/kustomization.yaml | 5 ++- .../{dex-labels.yaml => auth-labels.yaml} | 0 ...o-labels.yaml => istio-system-labels.yaml} | 0 tests/gh-actions/enable_baseline_PSS.sh | 10 ++++++ tests/gh-actions/enable_restricted_PSS.sh | 10 ++++++ 9 files changed, 60 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/pss_test.yaml rename contrib/security/PSS/static/baseline/patches/{dex-labels.yaml => auth-labels.yaml} (100%) rename contrib/security/PSS/static/baseline/patches/{istio-labels.yaml => istio-system-labels.yaml} (100%) rename contrib/security/PSS/static/restricted/patches/{dex-labels.yaml => auth-labels.yaml} (100%) rename contrib/security/PSS/static/restricted/patches/{istio-labels.yaml => istio-system-labels.yaml} (100%) create mode 100755 tests/gh-actions/enable_baseline_PSS.sh create mode 100755 tests/gh-actions/enable_restricted_PSS.sh
diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml
new file mode 100644
index 0000000000..9aded5a7f5
--- /dev/null
+++ b/.github/workflows/pss_test.yaml
@@ -0,0 +1,35 @@
+name: Appy PSS labels to namespaces
+on:
+  pull_request:
+    paths:
+    - .github/workflows/*
+    - tests/gh-actions/kind-cluster.yaml
+    - apps/profiles/upstream/**
+    - common/dex/**
+    - common/cert-manager/**
+    - common/oidc-client/oauth2-proxy/**
+    - common/istio*/**
+    - tests/gh-actions/install_istio_with_ext_auth.sh
+    - tests/gh-actions/install_multitenancy.sh
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Install KinD
+      run: ./tests/gh-actions/install_kind.sh
+
+    - name: Create KinD Cluster
+      run: kind create cluster --config tests/gh-actions/kind-cluster.yaml
+
+    - name: Install kustomize
+      run: ./tests/gh-actions/install_kustomize.sh
+
+    - name: Install kubectl
+      run: ./tests/gh-actions/install_kubectl.sh
+
+    - name: Applying Pod Security Standards baseline levels for static namespaces
+      run: ./tests/gh-actions/enable_baseline_PSS.sh
diff --git a/contrib/security/PSS/static/baseline/kustomization.yaml b/contrib/security/PSS/static/baseline/kustomization.yaml
index ec133f809c..4550b10fcb 100644
--- a/contrib/security/PSS/static/baseline/kustomization.yaml
+++ b/contrib/security/PSS/static/baseline/kustomization.yaml
@@ -3,7 +3,7 @@ kind: Component
 patches:
 - path: patches/kubeflow-labels.yaml
-- path: patches/istio-labels.yaml
+- path: patches/istio-system-labels.yaml
 - path: patches/cert-manager-labels.yaml
-- path: patches/dex-labels.yaml
-- path: patches/oauth2-proxy-labels.yaml
\ No newline at end of file
+- path: patches/auth-labels.yaml
+- path: patches/oauth2-proxy-labels.yaml
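Review bot: On the bare KinD cluster this job creates, none of the five namespaces that enable_baseline_PSS.sh looks for (istio-system, auth, cert-manager, oauth2-proxy, kubeflow) exist, because no step installs cert-manager, Istio, Dex, oauth2-proxy or the Kubeflow namespace before the "Applying Pod Security Standards" step; the script's `kubectl get namespace` guard then skips every namespace and the step passes while patching nothing. The `paths:` trigger names `install_istio_with_ext_auth.sh` and `install_multitenancy.sh`, which suggests the intent was to run those install scripts as steps before the PSS step, and it omits `contrib/security/PSS/**` and `tests/gh-actions/enable_*_PSS.sh`, so changes to the label patches or the scripts under test do not trigger this workflow; the newly added enable_restricted_PSS.sh is never run either. Even with the components installed, setting a namespace label is not a test of the workloads — Pod Security Admission is evaluated at pod admission time — so a final step that asserts the labels landed (e.g. `kubectl get ns -l pod-security.kubernetes.io/enforce --no-headers | wc -l` compared against 5, assuming that is the key the patches set, which this diff does not show) and that the components' pods are still admitted would make this a real check. Minor: the workflow `name:` reads `Appy PSS labels to namespaces`, presumably `Apply`.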
diff --git a/contrib/security/PSS/static/baseline/patches/dex-labels.yaml b/contrib/security/PSS/static/baseline/patches/auth-labels.yaml
similarity index 100%
rename from contrib/security/PSS/static/baseline/patches/dex-labels.yaml
rename to contrib/security/PSS/static/baseline/patches/auth-labels.yaml
diff --git a/contrib/security/PSS/static/baseline/patches/istio-labels.yaml b/contrib/security/PSS/static/baseline/patches/istio-system-labels.yaml
similarity index 100%
rename from contrib/security/PSS/static/baseline/patches/istio-labels.yaml
rename to contrib/security/PSS/static/baseline/patches/istio-system-labels.yaml
diff --git a/contrib/security/PSS/static/restricted/kustomization.yaml b/contrib/security/PSS/static/restricted/kustomization.yaml
index f42ff9746b..4550b10fcb 100644
--- a/contrib/security/PSS/static/restricted/kustomization.yaml
+++ b/contrib/security/PSS/static/restricted/kustomization.yaml
@@ -3,8 +3,7 @@ kind: Component
 patches:
 - path: patches/kubeflow-labels.yaml
-- path: patches/istio-labels.yaml
+- path: patches/istio-system-labels.yaml
 - path: patches/cert-manager-labels.yaml
-- path: patches/dex-labels.yaml
+- path: patches/auth-labels.yaml
 - path: patches/oauth2-proxy-labels.yaml
-- path: patches/istio-labels.yaml
diff --git a/contrib/security/PSS/static/restricted/patches/dex-labels.yaml b/contrib/security/PSS/static/restricted/patches/auth-labels.yaml
similarity index 100%
rename from contrib/security/PSS/static/restricted/patches/dex-labels.yaml
rename to contrib/security/PSS/static/restricted/patches/auth-labels.yaml
diff --git a/contrib/security/PSS/static/restricted/patches/istio-labels.yaml b/contrib/security/PSS/static/restricted/patches/istio-system-labels.yaml
similarity index 100%
rename from contrib/security/PSS/static/restricted/patches/istio-labels.yaml
rename to contrib/security/PSS/static/restricted/patches/istio-system-labels.yaml
diff --git a/tests/gh-actions/enable_baseline_PSS.sh b/tests/gh-actions/enable_baseline_PSS.sh
new file mode 100755
index 0000000000..94bbcbad1c
--- /dev/null
+++ b/tests/gh-actions/enable_baseline_PSS.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
+
+for NAMESPACE in "${NAMESPACES[@]}"; do
+  if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
+    echo "Patching the PSS-baseline labels for namespace $NAMESPACE..."
+    kubectl patch namespace $NAMESPACE --patch-file ./contrib/security/PSS/static/baseline/patches/${NAMESPACE}-labels.yaml
+  fi
+done
diff --git a/tests/gh-actions/enable_restricted_PSS.sh b/tests/gh-actions/enable_restricted_PSS.sh
new file mode 100755
index 0000000000..5c17ce2ea9
--- /dev/null
+++ b/tests/gh-actions/enable_restricted_PSS.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
+
+for NAMESPACE in "${NAMESPACES[@]}"; do
+  if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
+    echo "Patching the PSS-restricted labels for namespace $NAMESPACE..."
+    kubectl patch namespace $NAMESPACE --patch-file ./contrib/security/PSS/static/restricted/patches/${NAMESPACE}-labels.yaml
+  fi
+done
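Review bot: A failing `kubectl patch` inside the loop does not fail the CI step, because the script sets no `set -euo pipefail` and a `for` loop's exit status is only that of its last iteration, so a rejected patch for istio-system or auth is masked by a successful one for kubeflow; add `set -euo pipefail` directly under the shebang. On the patch line `$NAMESPACE` is unquoted while the `kubectl get namespace "$NAMESPACE"` check two lines above quotes it — harmless for these fixed literals but inconsistent and a ShellCheck SC2086 hit; write `kubectl patch namespace "$NAMESPACE" --patch-file "./contrib/security/PSS/static/baseline/patches/${NAMESPACE}-labels.yaml"`. The `if` silently skips a namespace that does not exist, which in CI turns a missing component into a test that passes without doing anything; at minimum print `echo "Namespace $NAMESPACE not found, skipping" >&2` in an `else` branch, or count the patched namespaces and exit non-zero when the count is zero. Labeling a namespace does not evaluate pods already running in it, so the patch by itself does not show that the components comply with the level being enforced; Pod Security Admission is expected to return warnings for existing violating pods when the enforce label changes, so capturing the patch's stderr and failing on a warning (to be confirmed against the Kubernetes version KinD provides) would turn this into an actual compliance check.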
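Review bot: enable_restricted_PSS.sh duplicates enable_baseline_PSS.sh line for line, differing only in the word `restricted` in the echo text and in the patch-file directory, so every fix made to one script has to be mirrored in the other or they will drift. A single script parameterised by level avoids that: `LEVEL=${1:?usage: $0 baseline|restricted}` near the top and `kubectl patch namespace "$NAMESPACE" --patch-file "./contrib/security/PSS/static/${LEVEL}/patches/${NAMESPACE}-labels.yaml"` in the loop, keeping the two existing filenames as one-line wrappers if the workflow step names must stay stable. The missing `set -euo pipefail`, the unquoted `$NAMESPACE` on the patch line, and the silent skip of absent namespaces apply to this copy exactly as to the baseline one.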