Add python chaining support, rename chaining functional tests to all match

Author: gamingrobot

manifests/examples/testing/scenarios/namespaced/injection-dotnetchaining.yaml renamed to manifests/examples/testing/scenarios/namespaced/chaining-dotnet.yaml

@@ -1,14 +1,14 @@
 apiVersion: agents.contrastsecurity.com/v1beta1
 kind: AgentInjector
 metadata:
-  name: injection-dotnetchaining
+  name: chaining-dotnet
 spec:
   enabled: true
   type: dotnet-core
   selector:
     labels:
       - name: app
-        value: injection-dotnetchaining
+        value: chaining-dotnet
   image:
     pullPolicy: Never
   connection:
@@ -19,20 +19,20 @@ spec:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: injection-dotnetchaining
+  name: chaining-dotnet
   labels:
-    app: injection-dotnetchaining
+    app: chaining-dotnet
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: injection-dotnetchaining
+      app: chaining-dotnet
   strategy:
     type: Recreate
   template:
     metadata:
       labels:
-        app: injection-dotnetchaining
+        app: chaining-dotnet
     spec:
       containers:
         - image: k8s.gcr.io/pause:3.3

manifests/examples/testing/scenarios/namespaced/injection-flexchaining.yaml renamed to manifests/examples/testing/scenarios/namespaced/chaining-flex.yaml

@@ -1,14 +1,14 @@
 apiVersion: agents.contrastsecurity.com/v1beta1
 kind: AgentInjector
 metadata:
-  name: injection-flexchaining
+  name: chaining-flex
 spec:
   enabled: true
   type: flex
   selector:
     labels:
       - name: app
-        value: injection-flexchaining
+        value: chaining-flex
   image:
     pullPolicy: Never
   connection:
@@ -19,20 +19,20 @@ spec:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: injection-flexchaining
+  name: chaining-flex
   labels:
-    app: injection-flexchaining
+    app: chaining-flex
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: injection-flexchaining
+      app: chaining-flex
   strategy:
     type: Recreate
   template:
     metadata:
       labels:
-        app: injection-flexchaining
+        app: chaining-flex
     spec:
       containers:
         - image: k8s.gcr.io/pause:3.3

manifests/examples/testing/scenarios/namespaced/injection-javatooloptions.yaml renamed to manifests/examples/testing/scenarios/namespaced/chaining-java.yaml

@@ -1,14 +1,14 @@
 apiVersion: agents.contrastsecurity.com/v1beta1
 kind: AgentInjector
 metadata:
-  name: injection-javatooloptions
+  name: chaining-java
 spec:
   enabled: true
   type: java
   selector:
     labels:
       - name: app
-        value: injection-javatooloptions
+        value: chaining-java
   image:
     pullPolicy: Never
   connection:
@@ -19,20 +19,20 @@ spec:
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: injection-javatooloptions
+  name: chaining-java
   labels:
-    app: injection-javatooloptions
+    app: chaining-java
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: injection-javatooloptions
+      app: chaining-java
   strategy:
     type: Recreate
   template:
     metadata:
       labels:
-        app: injection-javatooloptions
+        app: chaining-java
     spec:
       containers:
         - image: k8s.gcr.io/pause:3.3

manifests/examples/testing/scenarios/namespaced/chaining-python.yaml

@@ -0,0 +1,42 @@
+apiVersion: agents.contrastsecurity.com/v1beta1
+kind: AgentInjector
+metadata:
+  name: chaining-python
+spec:
+  enabled: true
+  type: python
+  selector:
+    labels:
+      - name: app
+        value: chaining-python
+  image:
+    pullPolicy: Never
+  connection:
+    name: testing-agent-connection
+  configuration:
+    name: testing-agent-configuration
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: chaining-python
+  labels:
+    app: chaining-python
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: chaining-python
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: chaining-python
+    spec:
+      containers:
+        - image: k8s.gcr.io/pause:3.3
+          name: pause
+          env:
+            - name: PYTHONPATH
+              value: something

manifests/examples/testing/scenarios/namespaced/kustomization.yaml

@@ -11,20 +11,21 @@ resources:
   - ./glob-selecting.yaml
   - ./init-container-overrides.yaml
   - ./injection-dotnet.yaml
-  - ./injection-dotnetchaining.yaml
   - ./injection-dummy.yaml
   - ./injection-java.yaml
-  - ./injection-javatooloptions.yaml
   - ./injection-nodejs-require.yaml
   - ./injection-nodejs-import.yaml
   - ./injection-php.yaml
   - ./injection-python.yaml
   - ./injection-flex.yaml
-  - ./injection-flexchaining.yaml
   - ./missing-deps.yaml
   - ./multiple-images.yaml
   - ./namespace.yaml
   - ./type-daemonset.yaml
   - ./type-deployment.yaml
   - ./type-statefulset.yaml
   - ./unmatched.yaml
+  - ./chaining-dotnet.yaml
+  - ./chaining-flex.yaml
+  - ./chaining-java.yaml
+  - ./chaining-python.yaml

src/Contrast.K8s.AgentOperator/Core/Reactions/Injecting/Patching/Agents/PythonAgentPatcher.cs

@@ -1,10 +1,12 @@
 // Contrast Security, Inc licenses this file to you under the Apache 2.0 License.
 // See the LICENSE file in the project root for more information.
 
-using System.Collections.Generic;
+using Contrast.K8s.AgentOperator.Core.Reactions.Injecting.Patching.Utility;
 using Contrast.K8s.AgentOperator.Core.State.Resources.Primitives;
 using Contrast.K8s.AgentOperator.Options;
 using k8s.Models;
+using System;
+using System.Collections.Generic;
 
 namespace Contrast.K8s.AgentOperator.Core.Reactions.Injecting.Patching.Agents;
 
@@ -20,7 +22,7 @@ public PythonAgentPatcher(InjectorOptions injectorOptions)
 
     public IEnumerable<V1EnvVar> GenerateEnvVars(PatchingContext context)
     {
-        yield return new V1EnvVar("PYTHONPATH", $"{context.AgentMountPath}:{context.AgentMountPath}/contrast/loader");
+        yield return new V1EnvVar("PYTHONPATH", GetAgentPythonPath(context));
         if (_injectorOptions.EnablePythonRewriter)
         {
             yield return new V1EnvVar("CONTRAST__AGENT__PYTHON__REWRITE", "true");
@@ -29,4 +31,21 @@ public IEnumerable<V1EnvVar> GenerateEnvVars(PatchingContext context)
         yield return new V1EnvVar("CONTRAST__AGENT__LOGGER__PATH", $"{context.WritableMountPath}/logs/contrast_agent.log");
         yield return new V1EnvVar("CONTRAST_INSTALLATION_TOOL", "KUBERNETES_OPERATOR");
     }
+
+    public void PatchContainer(V1Container container, PatchingContext context)
+    {
+        // Only modify this if CONTRAST_EXISTING_PYTHONPATH isn't already set. This is to prevent infinite loops.
+        if (container.Env.FirstOrDefault("PYTHONPATH") is { Value: { } currentPath }
+            && !string.IsNullOrWhiteSpace(currentPath)
+            && !currentPath.Contains("contrast/loader", StringComparison.OrdinalIgnoreCase)
+            && container.Env.FirstOrDefault("CONTRAST_EXISTING_PYTHONPATH") is null)
+        {
+            container.Env.AddOrUpdate(new V1EnvVar("CONTRAST_EXISTING_PYTHONPATH", currentPath));
+            container.Env.AddOrUpdate(new V1EnvVar("PYTHONPATH",
+                $"{GetAgentPythonPath(context)}:{currentPath}"));
+        }
+    }
+
+    private static string GetAgentPythonPath(PatchingContext context) => $"{context.AgentMountPath}:{context.AgentMountPath}/contrast/loader";
+
 }

tests/Contrast.K8s.AgentOperator.FunctionalTests/Scenarios/Injection/Agents/DotnetChainingInjectionTests.cs renamed to tests/Contrast.K8s.AgentOperator.FunctionalTests/Scenarios/Injection/Chaining/DotnetChainingInjectionTests.cs

@@ -8,11 +8,11 @@
 using Xunit;
 using Xunit.Abstractions;
 
-namespace Contrast.K8s.AgentOperator.FunctionalTests.Scenarios.Injection.Agents;
+namespace Contrast.K8s.AgentOperator.FunctionalTests.Scenarios.Injection.Chaining;
 
 public class DotnetChainingInjectionTests : IClassFixture<TestingContext>
 {
-    private const string ScenarioName = "injection-dotnetchaining";
+    private const string ScenarioName = "chaining-dotnet";
 
     private readonly TestingContext _context;
 

tests/Contrast.K8s.AgentOperator.FunctionalTests/Scenarios/Injection/Agents/FlexChainingInjectionTests.cs renamed to tests/Contrast.K8s.AgentOperator.FunctionalTests/Scenarios/Injection/Chaining/FlexChainingInjectionTests.cs

@@ -8,11 +8,11 @@
 using Xunit;
 using Xunit.Abstractions;
 
-namespace Contrast.K8s.AgentOperator.FunctionalTests.Scenarios.Injection.Agents;
+namespace Contrast.K8s.AgentOperator.FunctionalTests.Scenarios.Injection.Chaining;
 
 public class FlexChainingInjectionTests : IClassFixture<TestingContext>
 {
-    private const string ScenarioName = "injection-flexchaining";
+    private const string ScenarioName = "chaining-flex";
 
     private readonly TestingContext _context;
 

tests/Contrast.K8s.AgentOperator.FunctionalTests/Scenarios/Injection/Agents/JavaToolOptionsInjectionTests.cs renamed to tests/Contrast.K8s.AgentOperator.FunctionalTests/Scenarios/Injection/Chaining/JavaChainingInjectionTests.cs

@@ -8,15 +8,15 @@
 using Xunit;
 using Xunit.Abstractions;
 
-namespace Contrast.K8s.AgentOperator.FunctionalTests.Scenarios.Injection.Agents;
+namespace Contrast.K8s.AgentOperator.FunctionalTests.Scenarios.Injection.Chaining;
 
-public class JavaToolOptionsInjectionTests : IClassFixture<TestingContext>
+public class JavaChainingInjectionTests : IClassFixture<TestingContext>
 {
-    private const string ScenarioName = "injection-javatooloptions";
+    private const string ScenarioName = "chaining-java";
 
     private readonly TestingContext _context;
 
-    public JavaToolOptionsInjectionTests(TestingContext context, ITestOutputHelper outputHelper)
+    public JavaChainingInjectionTests(TestingContext context, ITestOutputHelper outputHelper)
     {
         _context = context;
         _context.RegisterOutput(outputHelper);

tests/Contrast.K8s.AgentOperator.FunctionalTests/Scenarios/Injection/Chaining/PythonChainingInjectionTests.cs

@@ -0,0 +1,44 @@
+// Contrast Security, Inc licenses this file to you under the Apache 2.0 License.
+// See the LICENSE file in the project root for more information.
+
+using System.Threading.Tasks;
+using Contrast.K8s.AgentOperator.FunctionalTests.Fixtures;
+using FluentAssertions;
+using FluentAssertions.Execution;
+using Xunit;
+using Xunit.Abstractions;
+
+namespace Contrast.K8s.AgentOperator.FunctionalTests.Scenarios.Injection.Chaining;
+
+public class PythonChainingInjectionTests : IClassFixture<TestingContext>
+{
+    private const string ScenarioName = "chaining-python";
+
+    private readonly TestingContext _context;
+
+    public PythonChainingInjectionTests(TestingContext context, ITestOutputHelper outputHelper)
+    {
+        _context = context;
+        _context.RegisterOutput(outputHelper);
+    }
+
+    [Fact]
+    public async Task When_injected_then_pod_should_have_agent_injection_chaining_environment_variables()
+    {
+        var client = await _context.GetClient();
+
+        // Act
+        var result = await client.GetInjectedPodByPrefix(ScenarioName);
+
+        // Assert
+        using (new AssertionScope())
+        {
+            var container = result.Spec.Containers.Should().ContainSingle().Subject;
+
+            container.Env.Should().Contain(x => x.Name == "PYTHONPATH")
+                .Which.Value.Should().Be("/contrast/agent:/contrast/agent/contrast/loader:something");
+            container.Env.Should().Contain(x => x.Name == "CONTRAST_EXISTING_PYTHONPATH")
+                .Which.Value.Should().Be("something");
+        }
+    }
+}