tests: update tests that manually set policy

Use new initdata annotation instead

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>

tests/integration/kubernetes/k8s-policy-hard-coded.bats

@@ -18,9 +18,9 @@ setup() {
 
 @test "Kubectl exec rejected by policy" {
 	# Add to the YAML file a policy that rejects ExecProcessRequest.
-	allow_all_except_exec_policy=$(base64 -w 0 "${pod_config_dir}/allow-all-except-exec-process.rego")
+	allow_all_except_exec_policy=$(encode_policy_in_init_data "${pod_config_dir}/allow-all-except-exec-process.rego")
 	yq -i \
-		".metadata.annotations.\"io.katacontainers.config.agent.policy\" = \"${allow_all_except_exec_policy}\"" \
+		".metadata.annotations.\"io.katacontainers.config.hypervisor.cc_init_data\" = \"${allow_all_except_exec_policy}\"" \
 		"${pod_yaml}"
 
 	# Create the pod
@@ -45,10 +45,9 @@ setup() {
 	# Warning: this is an insecure policy that shouldn't be used when protecting the confidentiality
 	#          of a pod is important. However, this policy could be useful while debugging a pod.
 	policy_text=$(printf "package agent_policy\ndefault AllowRequestsFailingPolicy := true")
-	policy_base64=$(echo "${policy_text}" | base64 -w 0 -)
-
+	policy_base64=$(encode_policy_in_init_data "$policy_text")
 	yq -i \
-		".metadata.annotations.\"io.katacontainers.config.agent.policy\" = \"${policy_base64}\"" \
+		".metadata.annotations.\"io.katacontainers.config.hypervisor.cc_init_data\" = \"${policy_base64}\"" \
 		"${pod_yaml}"
 
 	# Create the pod

tests/integration/kubernetes/k8s-policy-pod.bats

@@ -211,7 +211,7 @@ test_pod_policy_error() {
 		"--runtime-class-names=other-${runtime_class_name}"
 
 	# Check that the pod yaml does not contain a policy annotation.
-	run ! grep -q "io.katacontainers.config.agent.policy" "${testcase_pre_generate_pod_yaml}"
+	run ! grep -q "io.katacontainers.config.hypervisor.cc_init_data" "${testcase_pre_generate_pod_yaml}"
 }
 
 @test "ExecProcessRequest tests" {

tests/integration/kubernetes/tests_common.sh

@@ -34,9 +34,7 @@ export dragonball_limitations="https://github.com/kata-containers/kata-container
 # overwrite it.
 export KUBECONFIG="${KUBECONFIG:-${HOME}/.kube/config}"
 
-# ALLOW_ALL_POLICY is a Rego policy that allows all the Agent ttrpc requests.
 K8S_TEST_DIR="${kubernetes_dir:-"${BATS_TEST_DIRNAME}"}"
-ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY:-$(base64 -w 0 "${K8S_TEST_DIR}/../../../src/kata-opa/allow-all.rego")}"
 
 AUTO_GENERATE_POLICY="${AUTO_GENERATE_POLICY:-}"
 GENPOLICY_PULL_METHOD="${GENPOLICY_PULL_METHOD:-}"
@@ -294,6 +292,31 @@ hard_coded_policy_tests_enabled() {
 	[[ "${enabled}" == "yes" ]]
 }
 
+encode_policy_in_init_data() {
+  local input="$1"   # either a filename or a policy
+  local POLICY
+
+  # if input is a file, read its contents
+  if [[ -f "$input" ]]; then
+    POLICY="$(< "$input")"
+  else
+    POLICY="$input"
+  fi
+
+  cat <<EOF | gzip -c | base64
+version = "0.1.0"
+algorithm = "sha256"
+
+[data]
+"policy.rego" = '''
+$POLICY
+'''
+EOF
+}
+
+# ALLOW_ALL_POLICY is a Rego policy that allows all the Agent ttrpc requests.
+ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY:-$(encode_policy_in_init_data "${K8S_TEST_DIR}/../../../src/kata-opa/allow-all.rego")}"
+
 add_allow_all_policy_to_yaml() {
 	hard_coded_policy_tests_enabled || return 0
 
@@ -305,18 +328,17 @@ add_allow_all_policy_to_yaml() {
 	resource_kind=$(yq .kind "${yaml_file}" | head -1)
 
 	case "${resource_kind}" in
-
 	Pod)
 		info "Adding allow all policy to ${resource_kind} from ${yaml_file}"
 		yq -i \
-			".metadata.annotations.\"io.katacontainers.config.agent.policy\" = \"${ALLOW_ALL_POLICY}\"" \
+			".metadata.annotations.\"io.katacontainers.config.hypervisor.cc_init_data\" = \"${ALLOW_ALL_POLICY}\"" \
       "${yaml_file}"
 		;;
 
 	Deployment|Job|ReplicationController)
 		info "Adding allow all policy to ${resource_kind} from ${yaml_file}"
 		yq -i \
-			".spec.template.metadata.annotations.\"io.katacontainers.config.agent.policy\" = \"${ALLOW_ALL_POLICY}\"" \
+			".spec.template.metadata.annotations.\"io.katacontainers.config.hypervisor.cc_init_data\" = \"${ALLOW_ALL_POLICY}\"" \
       "${yaml_file}"
 		;;