From ce7b9ac99acbe0164c0e6ca7ea35497fa00d217e Mon Sep 17 00:00:00 2001
From: Cosmin Cojocar <ccojocar@google.com>
Date: Tue, 3 Dec 2024 12:52:41 +0000
Subject: [PATCH] Remove the apparmor e2e test from test suite since is covered
 by hack/ci/e2e-apparmor test

Change-Id: I6e0df97860c205b97cd67a1545237e895c523b04
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
---
 hack/ci/e2e-ubuntu.sh               |   5 +-
 test/e2e_test.go                    |   4 -
 test/suite_test.go                  |  28 -----
 test/tc_apparmor_base_usage_test.go | 155 ----------------------------
 4 files changed, 2 insertions(+), 190 deletions(-)
 delete mode 100644 test/tc_apparmor_base_usage_test.go

diff --git a/hack/ci/e2e-ubuntu.sh b/hack/ci/e2e-ubuntu.sh
index 884e951e2e..69b494ade3 100755
--- a/hack/ci/e2e-ubuntu.sh
+++ b/hack/ci/e2e-ubuntu.sh
@@ -18,11 +18,10 @@ set -euo pipefail
 export E2E_CLUSTER_TYPE=vanilla
 export E2E_TEST_LOG_ENRICHER=true
 export E2E_TEST_SECCOMP=false
-export E2E_TEST_APPARMOR=true
 export E2E_TEST_FLAKY_TESTS_ONLY=${E2E_TEST_FLAKY_TESTS_ONLY:-false}
 
 if "${E2E_TEST_FLAKY_TESTS_ONLY}"; then
-	make test-flaky-e2e
+  make test-flaky-e2e
 else
-	make test-e2e
+  make test-e2e
 fi
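Review bot: Dropping `export E2E_TEST_APPARMOR=true` leaves this job with no AppArmor coverage, and nothing in the script says where that coverage now lives. A comment such as `# AppArmor e2e is run by hack/ci/e2e-apparmor, not by this job` next to the remaining exports would keep that dependency visible if the other job is later disabled or renamed. The test removed elsewhere in this patch checked that the profile is loaded on every node via `aa-status` and absent from `/sys/kernel/security/apparmor/profiles` after deletion; the replacement test is not visible here, so it is worth confirming that it asserts both. The tab-to-space re-indentation of the two `make` lines is unrelated to the removal and would be cleaner as a separate change.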
diff --git a/test/e2e_test.go b/test/e2e_test.go
index 537ccaf1bb..335cd0d244 100644
--- a/test/e2e_test.go
+++ b/test/e2e_test.go
@@ -115,10 +115,6 @@ func (e *e2e) TestSecurityProfilesOperator() {
 			"SELinux: Metrics (update, delete)",
 			e.testCaseSelinuxMetrics,
 		},
-		{
-			"AppArmor: base case (install policy, run pod and delete)",
-			e.testCaseAppArmorBaseUsage,
-		},
 		{
 			"SPOD: Update SELinux flag",
 			e.testCaseSPODUpdateSelinux,
diff --git a/test/suite_test.go b/test/suite_test.go
index 1e06dec61f..12c51f6e34 100644
--- a/test/suite_test.go
+++ b/test/suite_test.go
@@ -55,7 +55,6 @@ var (
 	envSkipFlakyTests            = os.Getenv("E2E_SKIP_FLAKY_TESTS")
 	envSkipNamespacedTests       = os.Getenv("E2E_SKIP_NAMESPACED_TESTS")
 	envSelinuxTestsEnabled       = os.Getenv("E2E_TEST_SELINUX")
-	envApparmorTestsEnabled      = os.Getenv("E2E_TEST_APPARMOR")
 	envLogEnricherTestsEnabled   = os.Getenv("E2E_TEST_LOG_ENRICHER")
 	envSeccompTestsEnabled       = os.Getenv("E2E_TEST_SECCOMP")
 	envBpfRecorderTestsEnabled   = os.Getenv("E2E_TEST_BPF_RECORDER")
@@ -99,7 +98,6 @@ type e2e struct {
 	nodeRootfsPrefix      string
 	operatorManifest      string
 	selinuxEnabled        bool
-	apparmorEnabled       bool
 	logEnricherEnabled    bool
 	testSeccomp           bool
 	bpfRecorderEnabled    bool
@@ -150,10 +148,6 @@ func TestSuite(t *testing.T) {
 	if err != nil {
 		selinuxEnabled = false
 	}
-	apparmorEnabled, err := strconv.ParseBool(envApparmorTestsEnabled)
-	if err != nil {
-		apparmorEnabled = false
-	}
 	logEnricherEnabled, err := strconv.ParseBool(envLogEnricherTestsEnabled)
 	if err != nil {
 		logEnricherEnabled = false
@@ -215,7 +209,6 @@ func TestSuite(t *testing.T) {
 				containerRuntime:    containerRuntime,
 				nodeRootfsPrefix:    nodeRootfsPrefix,
 				selinuxEnabled:      selinuxEnabled,
-				apparmorEnabled:     apparmorEnabled,
 				logEnricherEnabled:  logEnricherEnabled,
 				testSeccomp:         testSeccomp,
 				selinuxdImage:       selinuxdImage,
@@ -249,7 +242,6 @@ func TestSuite(t *testing.T) {
 				containerRuntime:    containerRuntime,
 				nodeRootfsPrefix:    nodeRootfsPrefix,
 				selinuxEnabled:      selinuxEnabled,
-				apparmorEnabled:     apparmorEnabled,
 				logEnricherEnabled:  logEnricherEnabled,
 				testSeccomp:         testSeccomp,
 				selinuxdImage:       selinuxdImage,
@@ -277,7 +269,6 @@ func TestSuite(t *testing.T) {
 				containerRuntime:    containerRuntime,
 				nodeRootfsPrefix:    nodeRootfsPrefix,
 				selinuxEnabled:      selinuxEnabled,
-				apparmorEnabled:     apparmorEnabled,
 				logEnricherEnabled:  logEnricherEnabled,
 				testSeccomp:         testSeccomp,
 				selinuxdImage:       selinuxdImage,
@@ -710,13 +701,6 @@ func (e *e2e) selinuxOnlyTestCase() {
 	e.enableSelinuxInSpod()
 }
 
-func (e *e2e) apparmorOnlyTestCase() {
-	if !e.apparmorEnabled {
-		e.T().Skip("Skipping AppArmor-related test")
-	}
-	e.enableApparmorInSpod()
-}
-
 func (e *e2e) enableSelinuxInSpod() {
 	selinuxEnabledInSPODDS := e.kubectlOperatorNS("get", "ds", "spod", "-o", "yaml")
 	if !strings.Contains(selinuxEnabledInSPODDS, "--with-selinux=true") {
@@ -733,18 +717,6 @@ func (e *e2e) enableSelinuxInSpod() {
 	}
 }
 
-func (e *e2e) enableApparmorInSpod() {
-	apparmorEnabledInSPODDS := e.kubectlOperatorNS("get", "ds", "spod", "-o", "yaml")
-	if !strings.Contains(apparmorEnabledInSPODDS, "--with-apparmor=true") {
-		e.logf("Enable AppArmor in SPOD")
-		e.kubectlOperatorNS("patch", "spod", "spod", "-p", `{"spec":{"enableAppArmor": true}}`, "--type=merge")
-		time.Sleep(defaultWaitTime)
-		e.waitInOperatorNSFor("condition=ready", "spod", "spod")
-
-		e.kubectlOperatorNS("rollout", "status", "ds", "spod", "--timeout", defaultSelinuxOpTimeout)
-	}
-}
-
 func (e *e2e) logEnricherOnlyTestCase() {
 	if !e.logEnricherEnabled {
 		e.T().Skip("Skipping log-enricher related test")
diff --git a/test/tc_apparmor_base_usage_test.go b/test/tc_apparmor_base_usage_test.go
deleted file mode 100644
index bc4522d20c..0000000000
--- a/test/tc_apparmor_base_usage_test.go
+++ /dev/null
@@ -1,155 +0,0 @@
-/*
-Copyright 2023 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package e2e_test
-
-import (
-	"fmt"
-	"strings"
-	"time"
-)
-
-const (
-	defaultAppArmorOpTimeout = "60s"
-	errorloggerProfile       = `
-apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
-kind: AppArmorProfile
-metadata:
-  name: aa-errorlogger-profile
-spec:
-  abstract:
-    filesystem:
-      readOnlyPaths: []
-      writeOnlyPaths: []
-      readWritePaths: []
-`
-
-	aaPodWithPolicyFmt = `
-apiVersion: v1
-kind: Pod
-metadata:
-  name: aa-errorlogger
-  annotations:
-    container.apparmor.security.beta.kubernetes.io/errorlogger: localhost/%s
-spec:
-  containers:
-  - name: errorlogger
-    image: "registry.access.redhat.com/ubi9/ubi-minimal:latest"
-    command: ["/bin/bash"]
-    args: [ "-c","set -eux; echo 'Hello AppArmor!' && sleep 1h" ]
-  restartPolicy: Never
-`
-)
-
-func (e *e2e) testCaseAppArmorBaseUsage(nodes []string) {
-	e.apparmorOnlyTestCase()
-
-	e.logf("The 'errorlogger' workload should be able to use AppArmor profile")
-
-	e.logf("creating profile")
-	e.writeAndCreate(errorloggerProfile, "errorlogger-profile.yml")
-
-	profileName := "aa-errorlogger-profile"
-
-	e.logf("assert profile is installed")
-	e.assertAppArmorProfileIsInstalled(nodes, profileName, maxNodeIterations, sleepBetweenIterations)
-
-	e.logf("creating workload")
-
-	podWithPolicy := fmt.Sprintf(aaPodWithPolicyFmt, profileName)
-	e.writeAndCreate(podWithPolicy, "pod-w-profile.yml")
-
-	podName := "aa-errorlogger"
-
-	e.waitFor("condition=ready", "pod", podName)
-
-	e.logf("the workload should be running")
-	podWithPolicyPhase := e.kubectl(
-		"get", "pods", podName, "-o", "jsonpath={.status.phase}")
-	e.Truef(strings.EqualFold(podWithPolicyPhase, "running"),
-		"The pod without profile's phase should be 'Running', instead it's: %s",
-		podWithPolicyPhase)
-
-	e.logf("cleaning up")
-
-	e.logf("removing workload")
-	e.kubectl("delete", "pod", podName)
-
-	e.logf("removing profile")
-	e.kubectl("delete", "apparmorprofile", profileName)
-
-	e.logf("assert profile was removed")
-	e.assertAppArmorProfileIsRemoved(nodes, profileName, maxNodeIterations, sleepBetweenIterations)
-}
-
-func (e *e2e) assertAppArmorProfileIsInstalled(
-	nodes []string, profile string, nodeIterations int, sleep time.Duration,
-) {
-	for i := range nodeIterations {
-		var missingPolName string
-
-		for _, node := range nodes {
-			allLoaddedProfiles := e.execNode(node, "sudo", "aa-status")
-			loadedProifles := []string{}
-			for _, p := range strings.Split(allLoaddedProfiles, "\n") {
-				p = strings.TrimSpace(p)
-				loadedProifles = append(loadedProifles, p)
-			}
-			if !e.sliceContainsString(loadedProifles, profile) {
-				missingPolName = node
-				break
-			}
-		}
-
-		if missingPolName != "" {
-			if i == nodeIterations-1 {
-				e.Fail(fmt.Sprintf(
-					"The AppArmorProfile %s wasn't found in the %s node",
-					profile, missingPolName,
-				))
-			} else {
-				e.logf("The profile %s wasn't found, trying again", profile)
-				time.Sleep(sleep)
-			}
-		}
-	}
-}
-
-func (e *e2e) assertAppArmorProfileIsRemoved(nodes []string, profile string, nodeIterations int, sleep time.Duration) {
-	for i := range nodeIterations {
-		var missingPolName string
-
-		for _, node := range nodes {
-			loadedProfiles := e.execNode(node, "sudo", "cat", "/sys/kernel/security/apparmor/profiles")
-			if e.sliceContainsString(strings.Split(loadedProfiles, "\n"), profile) {
-				missingPolName = node
-				break
-			}
-		}
-
-		if missingPolName != "" {
-			if i == nodeIterations-1 {
-				e.Fail(fmt.Sprintf(
-					"The AppArmor errorlogger was found in the %s node with the name %s",
-					missingPolName, profile,
-				))
-			} else {
-				e.logf("the profile was still present, trying again")
-				time.Sleep(sleep)
-			}
-		}
-	}
-}