From 93826ff90cd32b6b13bfe4706971f4eb901b3200 Mon Sep 17 00:00:00 2001
From: Xynnn007 <xynnn@linux.alibaba.com>
Date: Fri, 9 May 2025 17:28:35 +0800
Subject: [PATCH] tests: update negative test log assertions

After moving image pulling from kata-agent to CDH, the failed image pull
error messages have been slightly changed. This commit is to apply for
the change.

Note that in original and current image-rs implementation, both no key
or wrong key will result in a same error information.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
---
 .../kubernetes/k8s-guest-pull-image-authenticated.bats       | 4 ++--
 .../kubernetes/k8s-guest-pull-image-encrypted.bats           | 5 ++---
 .../kubernetes/k8s-guest-pull-image-signature.bats           | 4 ++--
 tests/integration/kubernetes/k8s-initdata.bats               | 2 +-
 4 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats b/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats
index 27b71dbdb4..3dd2cdbbd4 100644
--- a/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats
+++ b/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats
@@ -87,7 +87,7 @@ function setup_kbs_credentials() {
     echo "Pod ${kata_pod}: $(cat ${kata_pod})"
 
     assert_pod_fail "${kata_pod}"
-    assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image"
+    assert_logs_contain "${node}" kata "${node_start_time}" "Not authorized"
 }
 
 @test "Test that creating a container from an authenticated image, with no credentials fails" {
@@ -100,7 +100,7 @@ function setup_kbs_credentials() {
     echo "Pod ${kata_pod}: $(cat ${kata_pod})"
 
     assert_pod_fail "${kata_pod}"
-    assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image"
+    assert_logs_contain "${node}" kata "${node_start_time}" "Not authorized"
 }
 
 teardown() {
diff --git a/tests/integration/kubernetes/k8s-guest-pull-image-encrypted.bats b/tests/integration/kubernetes/k8s-guest-pull-image-encrypted.bats
index 564769bf31..a398766838 100644
--- a/tests/integration/kubernetes/k8s-guest-pull-image-encrypted.bats
+++ b/tests/integration/kubernetes/k8s-guest-pull-image-encrypted.bats
@@ -52,8 +52,7 @@ function setup_kbs_decryption_key() {
     echo "Pod ${kata_pod}: $(cat ${kata_pod})"
 
     assert_pod_fail "${kata_pod}"
-    assert_logs_contain "${node}" kata "${node_start_time}" 'decrypt image (unwrap key) failed'
-    assert_logs_contain "${node}" kata "${node_start_time}" 'kms interface when get KEK failed'
+    assert_logs_contain "${node}" kata "${node_start_time}" 'Failed to decrypt the image layer, please ensure that the decryption key is placed and correct'
 }
 
 
@@ -80,7 +79,7 @@ function setup_kbs_decryption_key() {
     echo "Pod ${kata_pod}: $(cat ${kata_pod})"
 
     assert_pod_fail "${kata_pod}"
-    assert_logs_contain "${node}" kata "${node_start_time}" 'decrypt image (unwrap key) failed'
+    assert_logs_contain "${node}" kata "${node_start_time}" 'Failed to decrypt the image layer, please ensure that the decryption key is placed and correct'
 }
 
 teardown() {
diff --git a/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats b/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats
index 5276e8ec72..8741b107eb 100644
--- a/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats
+++ b/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats
@@ -97,7 +97,7 @@ EOF
     echo "Pod ${kata_pod}: $(cat ${kata_pod})"
 
     assert_pod_fail "${kata_pod}"
-    assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image"
+    assert_logs_contain "${node}" kata "${node_start_time}" "Image policy rejected: Denied by policy"
 }
 
 @test "Create a pod from a signed image, on a 'restricted registry' is successful" {
@@ -123,7 +123,7 @@ EOF
     echo "Pod ${kata_pod}: $(cat ${kata_pod})"
 
     assert_pod_fail "${kata_pod}"
-    assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image"
+    assert_logs_contain "${node}" kata "${node_start_time}" "Image policy rejected: Denied by policy"
 }
 
 @test "Create a pod from an unsigned image, on a 'restricted registry' works if policy files isn't set" {
diff --git a/tests/integration/kubernetes/k8s-initdata.bats b/tests/integration/kubernetes/k8s-initdata.bats
index d98f207471..5921cbdb94 100644
--- a/tests/integration/kubernetes/k8s-initdata.bats
+++ b/tests/integration/kubernetes/k8s-initdata.bats
@@ -165,7 +165,7 @@ EOF
     echo "Pod ${kata_pod}: $(cat ${kata_pod})"
 
     assert_pod_fail "${kata_pod}"
-    assert_logs_contain "${node}" kata "${node_start_time}" "failed to pull image"
+    assert_logs_contain "${node}" kata "${node_start_time}" "Image policy rejected: Denied by policy"
 }
 
 @test "Test that creating a container from an rejected image not configured by initdata, fails according to CDH error" {