update rapid dast lca test

tests/dast/.chainsaw.yaml

@@ -0,0 +1,13 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/configuration-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Configuration
+metadata:
+  name: configuration
+spec:
+  parallel: 4
+  timeouts:
+    assert: 6m0s
+    cleanup: 5m0s
+    delete: 5m0s
+    error: 5m0s
+    apply: 10s

tests/dast/Dockerfile

@@ -0,0 +1,31 @@
+FROM golang:1.21
+
+# Copy the repository files
+COPY . /tmp/telco-dast-qe
+
+WORKDIR /tmp
+
+# Set the Go path and Go cache environment variables
+ENV GOPATH=/tmp/go
+ENV GOBIN=/tmp/go/bin
+ENV GOCACHE=/tmp/.cache/go-build
+ENV PATH=$PATH:$GOBIN
+
+# Create the /tmp/go/bin and build cache directories, and grant read and write permissions to all users
+RUN mkdir -p /tmp/go/bin $GOCACHE \
+    && chmod -R 777 /tmp/go/bin $GOPATH $GOCACHE
+
+# Install dependencies required by test cases and debugging
+RUN apt-get update && apt-get install -y jq vim libreadline-dev
+
+# Install Chainsaw e2e testing tool
+RUN go install github.com/kyverno/[email protected]
+
+# Install kubectl and oc
+RUN curl -LO https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest/openshift-client-linux.tar.gz \
+    && tar -xzf openshift-client-linux.tar.gz \
+    && chmod +x oc kubectl \
+    && mv oc kubectl /usr/local/bin/
+
+# Set the working directory
+WORKDIR /tmp/telco-dast-qe

tests/dast/rapid-lca/00-assert.yaml

@@ -0,0 +1,15 @@
+apiVersion: project.openshift.io/v1
+kind: Project
+metadata:
+  labels:
+    kubernetes.io/metadata.name: rapidast-lca
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged
+    security.openshift.io/scc.podSecurityLabelSync: "false"
+  name: rapidast-lca
+spec:
+  finalizers:
+    - kubernetes
+status:
+  phase: Active

tests/dast/rapid-lca/00-create-project.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: rapidast-lca
+  labels:
+    security.openshift.io/scc.podSecurityLabelSync: "false"
+    pod-security.kubernetes.io/enforce: "privileged"
+    pod-security.kubernetes.io/audit: "privileged"
+    pod-security.kubernetes.io/warn: "privileged"

tests/dast/rapid-lca/01-assert.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: privileged-sa
+  namespace: rapidast-lca
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rapidast-lca-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:privileged
+subjects:
+  - kind: ServiceAccount
+    name: privileged-sa
+    namespace: rapidast-lca
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rapidast-lca-cluster-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: privileged-sa
+    namespace: rapidast-lca

tests/dast/rapid-lca/01-create-sa.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: privileged-sa
+  namespace: rapidast-lca
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rapidast-lca-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openshift:scc:privileged
+subjects:
+  - kind: ServiceAccount
+    name: privileged-sa
+    namespace: rapidast-lca
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: rapidast-lca-cluster-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: privileged-sa
+    namespace: rapidast-lca

tests/dast/rapid-lca/02-assert.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rapidast-configmap
+  namespace: rapidast-lca

tests/dast/rapid-lca/02-create-rapidast-config.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: ./create_rapidast_configmap.sh

tests/dast/rapid-lca/03-assert.yaml

@@ -0,0 +1,7 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: rapidast-job
+  namespace: rapidast-lca
+status:
+  succeeded: 1

tests/dast/rapid-lca/03-rapidast-job.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: rapidast-pvc
+  namespace: rapidast-lca
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  volumeMode: Filesystem
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: rapidast-job
+  namespace: rapidast-lca
+spec:
+  backoffLimit: 3
+  completionMode: NonIndexed
+  completions: 1
+  parallelism: 1
+  suspend: false
+  template:
+    metadata:
+      labels:
+        job-name: rapidast-job
+      name: rapidast-job
+    spec:
+      serviceAccount: privileged-sa
+      serviceAccountName: privileged-sa
+      containers:
+        - command:
+            - sh
+            - -c
+            - rapidast.py --log-level debug --config /helm/config/rapidastconfig.yaml && find /opt/rapidast/results/lca -name zap-report.json -exec cat {} \;
+            image: quay.io/redhatproductsecurity/rapidast:latest
+            imagePullPolicy: Always
+            name: rapidast-chart
+            resources: {}
+            securityContext:
+            privileged: true
+            terminationMessagePath: /dev/termination-log
+            terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /helm/config
+              name: config-volume
+            - mountPath: /opt/rapidast/results/
+              name: results-volume
+      dnsPolicy: ClusterFirst
+      restartPolicy: Never
+      schedulerName: default-scheduler
+      terminationGracePeriodSeconds: 30
+      volumes:
+        - configMap:
+            defaultMode: 420
+            name: rapidast-configmap
+          name: config-volume
+        - name: results-volume
+          persistentVolumeClaim:
+          claimName: rapidast-pvc

tests/dast/rapid-lca/04-assert.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 180
+commands:
+ - script: ./tests/e2e-rh-sdl/rapidast-lca/results.sh

tests/dast/rapid-lca/chainsaw-test.yaml

@@ -0,0 +1,56 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: rapidast-lca
+spec:
+  steps:
+    - name: step-00
+      try:
+    - apply:
+        file: 00-create-project.yaml
+    - assert:
+        file: 00-assert.yaml
+    - name: step-01
+      try:
+    - apply:
+        file: 01-create-sa.yaml
+    - assert:
+        file: 01-assert.yaml
+    - name: step-02
+      try:
+    - script:
+        timeout: 30s
+        content: ./create_rapidast_configmap.sh
+    - assert:
+        file: 02-assert.yaml
+    - name: step-03
+      try:
+    - apply:
+        file: 03-rapidast-job.yaml
+    - assert:
+        file: 03-assert.yaml
+    - name: step-04
+      try:
+    - script:
+        timeout: 6m
+        content: ./results.sh
+      finally:
+        - command:
+          timeout: 1m
+          entrypoint: oc
+          args:
+            - -n
+            - rapidast-lca
+            - delete
+            - pod
+            - rapiterm-lca
+        - command:
+          timeout: 1m
+          entrypoint: oc
+          args:
+            - -n
+            - rapidast-lca
+            - delete
+            - pod
+            - --selector=batch.kubernetes.io/job-name=rapidast-job

tests/dast/rapid-lca/create_rapidast_configmap.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+
+lca_token=$(oc create token privileged-sa -n rapidast-lca)
+
+# Define the content for the ConfigMap
+configmap_content=$(cat <<EOF
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rapidast-configmap
+  namespace: rapidast-lca
+data:
+  rapidastconfig.yaml: |
+    config:
+      configVersion: 4
+
+    application:
+      shortName: "lca"
+      url: "https://kubernetes.default.svc"
+
+    general:
+      authentication:
+        type: "http_header"
+        parameters:
+          name: "Authorization"
+          value: "Bearer ${lca_token}"
+      container:
+        type: "none"
+
+    scanners:
+      zap:
+        apiScan:
+          apis:
+            apiUrl: "https://kubernetes.default.svc/openapi/v3/apis/lca.openshift.io/v1alpha1"
+        passiveScan:
+          disabledRules: "2,10015,10027,10096,10024,10054"
+        activeScan:
+          policy: "Operator-scan"
+        miscOptions:
+          enableUI: False
+          updateAddons: False
+EOF
+)
+
+# Create the ConfigMap
+echo "$configmap_content" | oc -n rapidast-lca create -f -
+