test: Add HTTP-CEL chainsaw test with test server #12692

yrsuthari · 2025-04-10T02:09:43Z

Add chainsaw conformance test for HTTP-CEL in ClusterPolicy validation with a dedicated test-server deployment. The test covers HTTP GET and POST methods, header validation, and response body handling.

Explanation

This PR adds a new chainsaw conformance test for the HTTP-CEL feature in ClusterPolicy validation. The test validates that HTTP-CEL expressions can properly perform GET and POST requests, validate headers, and process response bodies through a dedicated test server deployment.

Related issue

Closes #10544

Milestone of this PR

Documentation (required for features)

My PR contains new or altered behavior to Kyverno.

I have sent the draft PR to add or update the documentation and the link is:

What type of PR is this

/kind test

Proposed Changes

This PR adds a comprehensive test for HTTP-CEL functionality in ClusterPolicy validations. It includes:

A dedicated test server deployment and service for HTTP endpoint testing
A ClusterPolicy with HTTP-CEL expressions that test GET and POST methods
Validation of header parameters and response body handling
Proper assertions to verify the test server is working as expected

Proof Manifests

# Test Server Deployment and Service
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-server
  namespace: http-cel-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-server
  template:
    metadata:
      labels:
        app: test-server
    spec:
      containers:
      - name: test-server
        image: kyverno/test-server:latest
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: test-server
  namespace: http-cel-test
spec:
  selector:
    app: test-server
  ports:
  - port: 8080
    targetPort: 8080
  type: ClusterIP

Checklist

I have read the contributing guidelines.
I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
This is a bug fix and I have added unit tests that prove my fix is effective.
This is a feature and I have added CLI tests that are applicable.
My PR needs to be cherry picked to a specific release branch which is .
My PR contains new or altered behavior to Kyverno and
- CLI support should be added and my PR doesn't contain that functionality.

yrsuthari · 2025-04-10T02:12:18Z

@JimBugwadia PTAL. Thanks!

fjogeleit · 2025-04-16T12:23:39Z

Hey, how does your PR relate to #10544?

If this PR relates to #12690 (which you mentioned in the readme) some clarification:

Our HTTP CEL lib is not available for the Policy and ClusterPolicy type. Only for our new ImageValidatingPolicy and ValidatingPolicy types
The Signature of our HTTP CEL lib is different to the one you used in your expression.

You can checkout https://github.com/kyverno/kyverno/tree/main/test/conformance/chainsaw/validating-policies/context/api-call as reference.

yrsuthari · 2025-05-02T08:18:29Z

Hey, how does your PR relate to #10544?

If this PR relates to #12690 (which you mentioned in the readme) some clarification:
1. Our HTTP CEL lib is not available for the Policy and ClusterPolicy type. Only for our new ImageValidatingPolicy and ValidatingPolicy types

2. The Signature of our HTTP CEL lib is different to the one you used in your expression.
You can checkout https://github.com/kyverno/kyverno/tree/main/test/conformance/chainsaw/validating-policies/context/api-call as reference.

@fjogeleit Thank you for the feedback on the HTTP-CEL tests! I've addressed all your concerns:

Replaced ClusterPolicy with ValidatingPolicy as you correctly pointed out that HTTP CEL library is only available for ValidatingPolicy and ImageValidatingPolicy types
Updated the HTTP CEL function signatures to match the current implementation:
- Changed from previous format to the correct http.Get() and http.Post() style
- Properly handling the response structure with status field
- Correctly referencing body fields in validations
Restructured the policy following the reference you provided:
- Using variables section for HTTP call definitions
- Using validations section for response validation

Tested the implementation by adapting to use httpbin.org pattern endpoints similar to the reference implementation

I've manually tested these changes and confirmed the HTTP CEL functionality works correctly with various scenarios (GET/POST, headers handling, response validation). The test passes successfully with the updated ValidatingPolicy format.
Could you please review the changes when you have a chance? Thanks again for your guidance!

Add chainsaw conformance test for HTTP-CEL in ValidatingPolicy validation with a dedicated test-server deployment. The test covers HTTP GET and POST methods, header validation, and response body handling. Fixes kyverno#12690 Signed-off-by: Yogi Suthari <yrsuthari@gmail.com>

codecov · 2025-05-09T09:26:28Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 15.18%. Comparing base (cb00503) to head (6ffffdc).

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #12692   +/-   ##
=======================================
  Coverage   15.18%   15.18%           
=======================================
  Files         966      966           
  Lines      103434   103434           
=======================================
  Hits        15703    15703           
  Misses      86000    86000           
  Partials     1731     1731

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

yrsuthari · 2025-05-23T06:23:49Z

est passes successfully with the updated ValidatingPolicy for

@fjogeleit Looking for an update and review on this PR. I am hoping this can be merged!

yrsuthari requested review from eddycharly, realshuting and MariamFahmy98 as code owners April 10, 2025 02:09

dosubot bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Apr 10, 2025

yrsuthari mentioned this pull request Apr 11, 2025

Adding myself to contributors kyverno/community#35

Merged

yrsuthari force-pushed the feature/http-cel-test branch from 44c1e22 to b76c66d Compare May 2, 2025 08:20

dosubot bot added size:XL This PR changes 500-999 lines, ignoring generated files. and removed size:L This PR changes 100-499 lines, ignoring generated files. labels May 2, 2025

yrsuthari force-pushed the feature/http-cel-test branch from b76c66d to be784c9 Compare May 2, 2025 08:23

dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. and removed size:XL This PR changes 500-999 lines, ignoring generated files. labels May 2, 2025

yrsuthari and others added 2 commits May 2, 2025 13:54

Merge branch 'main' into feature/http-cel-test

8ae1f66

Merge branch 'main' into feature/http-cel-test

3c2d18d

Merge branch 'main' into feature/http-cel-test

ca915d9

fjogeleit and others added 5 commits May 26, 2025 11:32

Merge branch 'main' into feature/http-cel-test

d8444b0

Merge branch 'main' into feature/http-cel-test

841549f

Merge branch 'main' into feature/http-cel-test

ce308b4

Merge branch 'main' into feature/http-cel-test

a814994

Merge branch 'main' into feature/http-cel-test

6ffffdc

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

test: Add HTTP-CEL chainsaw test with test server #12692

test: Add HTTP-CEL chainsaw test with test server #12692

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

test: Add HTTP-CEL chainsaw test with test server #12692

Are you sure you want to change the base?

test: Add HTTP-CEL chainsaw test with test server #12692

Uh oh!

Conversation

Explanation

Related issue

Milestone of this PR

Documentation (required for features)

What type of PR is this

Proposed Changes

Proof Manifests

Checklist

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Codecov Report

Uh oh!

Uh oh!

Uh oh!