kyverno · yrsuthari · May 2, 2025 · May 2, 2025 · May 9, 2025 · May 9, 2025
@@ -0,0 +1,18 @@
+## Description
+
+This test validates the HTTP CEL library functionality in Kyverno ValidatingPolicy. It tests various HTTP operations including:
+- GET requests with and without headers
+- POST requests with and without headers
+- Response status code and body validation
+
+## Expected Behavior
+
+The policy should be able to:
+1. Make HTTP GET requests and process responses
+2. Make HTTP POST requests and process responses
+3. Send and validate HTTP headers
+4. Handle various response status codes and body formats
+
+## Related Issue
+
+https://github.com/kyverno/kyverno/issues/12690 
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pod
+  namespace: http-cel-test
+status:
+  phase: Running 
@@ -0,0 +1,62 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: http-cel
+spec:
+  namespace: http-cel-test
+  skipDelete: true
+  steps:
+  - name: create namespace
+    try:
+    - apply:
+        file: namespace.yaml
+  - name: deploy test server
+    try:
+    - apply:
+        file: test-server.yaml
+    - assert:
+        file: test-server.yaml
+  - name: wait for test server
+    try:
+    - script:
+        content: |
+          kubectl wait --for=condition=available deployment/test-server -n http-cel-test --timeout=120s
+          echo "Test server is available"
+          kubectl get pods -l app=test-server -n http-cel-test -o wide
+          echo "Test server pod details"
+          kubectl describe pods -l app=test-server -n http-cel-test
+          echo "Test server logs"
+          kubectl logs -l app=test-server -n http-cel-test
+          echo "Test server service"
+          kubectl get svc test-server -n http-cel-test -o wide
+          echo "Testing server endpoint"
+          kubectl run curl --image=curlimages/curl -n http-cel-test -- curl -s http://test-server:8080/health
+          sleep 30
+  - name: create policy
+    use:
+      template: ../../../../../_step-templates/validating-policy-ready.yaml
+      with:
+        bindings:
+        - name: file
+          value: policy.yaml
+  - name: wait policy ready
+    use:
+      template: ../../../../../_step-templates/validating-policy-ready.yaml
+      with:
+        bindings:
+        - name: name
+          value: http-cel-test
+  - name: create test pod
+    try:
+    - apply:
+        file: test-pod.yaml
+    - assert:
+        file: test-pod.yaml
+    - script:
+        content: |
+          echo "Test pod details"
+          kubectl get pods test-pod -n http-cel-test -o wide
+          echo "Test pod description"
+          kubectl describe pods test-pod -n http-cel-test
+          echo "Test server logs"
+          kubectl logs -l app=test-server -n http-cel-test 
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: http-cel-test 
@@ -0,0 +1,59 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: http-cel-test
+spec:
+  validationActions:
+    - Deny
+  matchConstraints:
+    resourceRules:
+      - apiGroups: [""]
+        apiVersions: ["v1"]
+        resources: ["pods"]
+        operations: ["CREATE", "UPDATE"]
+  variables:
+    - name: healthResponse
+      expression: >-
+        http.Get("http://test-server.http-cel-test:8080/health")
+    - name: echoResponse
+      expression: >-
+        http.Get("http://test-server.http-cel-test:8080/echo")
+    - name: authResponse
+      expression: >-
+        http.Get("http://test-server.http-cel-test:8080/auth", {"Authorization": "Bearer test-token"})
+    - name: dataPostResponse
+      expression: >-
+        http.Post("http://test-server.http-cel-test:8080/data", {"key": "value"})
+    - name: dataPostWithHeadersResponse
+      expression: >-
+        http.Post("http://test-server.http-cel-test:8080/data", {"key": "value"}, {"Content-Type": "application/json"})
+  validations:
+    # Health check validation
+    - expression: variables.healthResponse.status == 200
+      message: "HTTP GET health check failed with status code != 200"
+    - expression: variables.healthResponse.body.status == "ok"
+      message: "HTTP GET health check failed with invalid response body"
+
+    # Echo validation
+    - expression: variables.echoResponse.status == 200
+      message: "HTTP GET echo test failed with status code != 200"
+    - expression: variables.echoResponse.body.method == "GET"
+      message: "HTTP GET echo test failed with incorrect method in response"
+
+    # Auth validation
+    - expression: variables.authResponse.status == 200
      message: "HTTP GET auth test failed with status code != 200"
+    - expression: variables.authResponse.body.headers.authorization == "Bearer test-token"
+      message: "HTTP GET auth test failed with incorrect authorization header"
+
+    # Data POST validation
+    - expression: variables.dataPostResponse.status == 200
+      message: "HTTP POST data test failed with status code != 200"
+    - expression: variables.dataPostResponse.body.method == "POST"
+      message: "HTTP POST data test failed with incorrect method in response"
+
+    # Data POST with headers validation
+    - expression: variables.dataPostWithHeadersResponse.status == 200
+      message: "HTTP POST with headers data test failed with status code != 200"
+    - expression: variables.dataPostWithHeadersResponse.body.headers["content-type"] == "application/json"
+      message: "HTTP POST with headers data test failed with incorrect content-type header" 
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pod
+  namespace: http-cel-test
+  labels:
+    app: http-test
+    environment: testing
+    test-type: http-cel
+spec:
+  containers:
+  - name: test-container
+    image: nginx:latest
+    ports:
+    - containerPort: 80 
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-server
+  namespace: http-cel-test
+spec:
+  selector:
+    matchLabels:
+      app: test-server
+  template:
+    metadata:
+      labels:
+        app: test-server
+    spec:
+      containers:
+      - name: test-server
+        image: kyverno/test-server:latest
+        ports:
+        - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: test-server
+  namespace: http-cel-test
+spec:
+  selector:
+    app: test-server
+  ports:
+  - port: 8080
+    targetPort: 8080
+  type: ClusterIP
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test-server-config
+  namespace: http-cel-test
+data:
+  health: |
+    {"status": "ok"}
+  echo: |
+    {"method": "GET"}
+  auth: |
+    {"authenticated": true}
+  data: |
+    {"success": true}