From 0d25e504a15c2864188093885c27bd3575c6a64d Mon Sep 17 00:00:00 2001 From: sigalsax Date: Mon, 3 Aug 2020 16:12:15 +0300 Subject: [PATCH] Add integration tests and their associated utils Add integration tests as per detailed in [solution design](https://github.com/cyberark/secrets-provider-for-k8s/blob/master/design/milestone_1_2_design_doc.md) Add helper utils for items needed to build the helm charts and get end to end successfully --- deploy/2_create_app_namespace.sh | 5 +- ...EST_ID_17_helm_job_deploys_successfully.sh | 33 ++++++++++++ ...helm_multiple_provider_multiple_secrets.sh | 52 +++++++++++++++++++ ...D_19_helm_multiple_provider_same_secret.sh | 42 +++++++++++++++ ..._20_helm_service_account_does_not_exist.sh | 28 ++++++++++ deploy/utils.sh | 46 ++++++++++++++-- 6 files changed, 198 insertions(+), 8 deletions(-) create mode 100755 deploy/test/test_cases/TEST_ID_17_helm_job_deploys_successfully.sh create mode 100755 deploy/test/test_cases/TEST_ID_18_helm_multiple_provider_multiple_secrets.sh create mode 100755 deploy/test/test_cases/TEST_ID_19_helm_multiple_provider_same_secret.sh create mode 100755 deploy/test/test_cases/TEST_ID_20_helm_service_account_does_not_exist.sh diff --git a/deploy/2_create_app_namespace.sh b/deploy/2_create_app_namespace.sh index 7979e4da7..c31e32732 100755 --- a/deploy/2_create_app_namespace.sh +++ b/deploy/2_create_app_namespace.sh @@ -31,10 +31,7 @@ if [[ "$PLATFORM" = "openshift" ]]; then CONFIG_DIR="config/openshift" fi - -if [ "${HELM_TESTS}" = "false" ]; then - wait_for_it 600 "./$CONFIG_DIR/app-conjur-authenticator-role-binding.sh.yml | $cli_without_timeout apply -f -" -fi +wait_for_it 600 "./$CONFIG_DIR/app-conjur-authenticator-role-binding.sh.yml | $cli_without_timeout apply -f -" if [[ $PLATFORM == openshift ]]; then # add permissions for Conjur admin user 
diff --git a/deploy/test/test_cases/TEST_ID_17_helm_job_deploys_successfully.sh b/deploy/test/test_cases/TEST_ID_17_helm_job_deploys_successfully.sh
new file mode 100755
index 000000000..190833a18
--- /dev/null
+++ b/deploy/test/test_cases/TEST_ID_17_helm_job_deploys_successfully.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+set -euxo pipefail
+
+# This test verifies that the Secrets Provider Job deploys successfully and Conjur secret appears in pod
+# TODO verify Job start up and completed logs
+
+set_namespace $CONJUR_NAMESPACE_NAME
+
+# Configure authn and login Conjur urls
+configure_env_url
+
+# Fetch SSL cert from Conjur/DAP
+fetch_ssl
+
+# Save cert for later setting in Helm
+$cli_with_timeout "exec ${conjur_pod_name} --namespace $CONJUR_NAMESPACE_NAME cat $cert_location" > "conjur.pem"
+
+set_namespace $APP_NAMESPACE_NAME
+
+pushd ../../../
+ fill_helm_chart
+ helm install -f "cyberark-secrets-provider-for-kubernetes/ci/test-values.yaml" cyberark-secrets-provider-for-kubernetes ./cyberark-secrets-provider-for-kubernetes --set-file environment.conjur.sslCertificate.value="deploy/test/test_cases/conjur.pem"
+popd
+
+# Check for Job completion
+helm_chart_name="cyberark-secrets-provider-for-kubernetes"
+$cli_with_timeout wait --for=condition=complete job/$helm_chart_name
+
+# Deploy app to test against
+deploy_helm_app
+pod_name=$($cli_with_timeout get pods --namespace=$APP_NAMESPACE_NAME --selector app=test-env --no-headers | awk '{print $1}' )
+verify_secret_value_in_pod $pod_name "TEST_SECRET" "supersecret"
+
diff --git a/deploy/test/test_cases/TEST_ID_18_helm_multiple_provider_multiple_secrets.sh b/deploy/test/test_cases/TEST_ID_18_helm_multiple_provider_multiple_secrets.sh
new file mode 100755
index 000000000..cc18755d0
--- /dev/null
+++ b/deploy/test/test_cases/TEST_ID_18_helm_multiple_provider_multiple_secrets.sh
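Review bot: The `pod_name` lookup near the end of TEST_ID_17 has no `| head -1`, unlike the same lookup in TEST_ID_18 and TEST_ID_19, so if more than one pod carries `app=test-env` the variable holds several names and the unquoted `$pod_name` shifts the arguments passed to `verify_secret_value_in_pod`. I would end the pipeline with `| awk '{print $1}' | head -1)` and call `verify_secret_value_in_pod "$pod_name" "TEST_SECRET" "supersecret"`. The script also runs under `set -x`, so every expanded command, including the expected secret value, is written to the CI log; that is harmless for this fixture value, but a comment saying so would stop the pattern being copied for a real credential. The same `set -euxo pipefail` line opens TEST_ID_18, 19 and 20.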
@@ -0,0 +1,52 @@
+#!/bin/bash
+set -euxo pipefail
+
+# This test verifies that two Secrets Provider Jobs deploy successfully in the same namespace
+# TODO verify Job start up and completed logs
+
+set_namespace $CONJUR_NAMESPACE_NAME
+
+# Configure authn and login Conjur urls
+configure_env_url
+
+# Fetch SSL cert from Conjur/DAP
+fetch_ssl
+
+# Save cert for later setting in Helm
+$cli_with_timeout "exec ${conjur_pod_name} --namespace $CONJUR_NAMESPACE_NAME cat $cert_location" > "conjur.pem"
+
+set_namespace $APP_NAMESPACE_NAME
+
+# Create second secret
+echo "Create second secret"
+$cli_with_timeout create -f ../helm-props/k8s_secrets_two.yml
+set_secret secrets/test_secret_two some-secret-2
+
+pushd ../../../
+ fill_helm_chart
+ helm install -f "cyberark-secrets-provider-for-kubernetes/ci/test-values.yaml" cyberark-secrets-provider-for-kubernetes ./cyberark-secrets-provider-for-kubernetes --set-file environment.conjur.sslCertificate.value="deploy/test/test_cases/conjur.pem"
+
+ export SECRETS_PROVIDER_ROLE=secrets-provider-role-two
+ export SECRETS_PROVIDER_ROLE_BINDING=secrets-provider-role-binding-two
+ export SERVICE_ACCOUNT=secrets-provider-service-account-two
+ export K8S_SECRETS=test-k8s-secret-two
+ export SECRETS_PROVIDER_SSL_CONFIG_MAP=secrets-provider-ssl-config-map-two
+ fill_helm_chart "-two"
+ helm install -f "cyberark-secrets-provider-for-kubernetes/ci/test-values-two.yaml" cyberark-secrets-provider-for-kubernetes-two ./cyberark-secrets-provider-for-kubernetes --set-file environment.conjur.sslCertificate.value="deploy/test/test_cases/conjur.pem"
+popd
+
+# Check for Job completion
+helm_chart_name="cyberark-secrets-provider-for-kubernetes"
+$cli_with_timeout wait --for=condition=complete job/$helm_chart_name
+
+helm_chart_name="cyberark-secrets-provider-for-kubernetes-two"
+$cli_with_timeout wait --for=condition=complete job/$helm_chart_name
+
+# Deploy app to test against
+deploy_helm_app
+pod_name=$($cli_with_timeout get pods --namespace=$APP_NAMESPACE_NAME --selector app=test-env --no-headers | awk '{print $1}' | head -1)
+verify_secret_value_in_pod $pod_name "TEST_SECRET" "supersecret"
+
+deploy_helm_app "-two"
+pod_name=$($cli_with_timeout get pods --namespace=$APP_NAMESPACE_NAME --selector app=test-env-two --no-headers | awk '{print $1}' | head -1)
+verify_secret_value_in_pod $pod_name "TEST_SECRET-two" "some-secret-2"
diff --git a/deploy/test/test_cases/TEST_ID_19_helm_multiple_provider_same_secret.sh b/deploy/test/test_cases/TEST_ID_19_helm_multiple_provider_same_secret.sh
new file mode 100755
index 000000000..567861fa7
--- /dev/null
+++ b/deploy/test/test_cases/TEST_ID_19_helm_multiple_provider_same_secret.sh
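Review bot: The five `export ...-two` assignments inside the `pushd` block of TEST_ID_18 stay set for the rest of the shell, and only `K8S_SECRETS` and `SERVICE_ACCOUNT` are later cleared by `deploy_helm_app`. These scripts call `set_namespace`, `fill_helm_chart` and the other helpers without sourcing anything, so they are presumably sourced or run from a shared environment; if so, `SECRETS_PROVIDER_ROLE`, `SECRETS_PROVIDER_ROLE_BINDING` and `SECRETS_PROVIDER_SSL_CONFIG_MAP` leak into whichever case runs next and change which role and binding its first `fill_helm_chart` renders. Scoping the second render in a subshell, `( export SECRETS_PROVIDER_ROLE=secrets-provider-role-two ...; fill_helm_chart "-two" )`, keeps each case independent. The same applies to the exports in TEST_ID_19 and to `export CREATE_SERVICE_ACCOUNT="false"` in TEST_ID_20.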
@@ -0,0 +1,42 @@
+#!/bin/bash
+set -euxo pipefail
+
+# This test verifies that two Secrets Provider Jobs deploy successfully in the same namespace and access the same Conjur secret and update the same K8s Secret
+# TODO verify Job start up and completed logs
+
+set_namespace $CONJUR_NAMESPACE_NAME
+
+# Configure authn and login Conjur urls
+configure_env_url
+
+# Fetch SSL cert from Conjur/DAP
+fetch_ssl
+
+# Save cert for later setting in Helm
+$cli_with_timeout "exec ${conjur_pod_name} --namespace $CONJUR_NAMESPACE_NAME cat $cert_location" > "conjur.pem"
+
+set_namespace $APP_NAMESPACE_NAME
+
+pushd ../../../
+ fill_helm_chart
+ helm install -f "cyberark-secrets-provider-for-kubernetes/ci/test-values.yaml" cyberark-secrets-provider-for-kubernetes ./cyberark-secrets-provider-for-kubernetes --set-file environment.conjur.sslCertificate.value="deploy/test/test_cases/conjur.pem"
+
+ export SECRETS_PROVIDER_ROLE=secrets-provider-role-two
+ export SECRETS_PROVIDER_ROLE_BINDING=secrets-provider-role-binding-two
+ export SERVICE_ACCOUNT=secrets-provider-service-account-two
+ export SECRETS_PROVIDER_SSL_CONFIG_MAP=secrets-provider-ssl-config-map-two
+ fill_helm_chart "-two"
+ helm install -f "cyberark-secrets-provider-for-kubernetes/ci/test-values-two.yaml" cyberark-secrets-provider-for-kubernetes-two ./cyberark-secrets-provider-for-kubernetes --set-file environment.conjur.sslCertificate.value="deploy/test/test_cases/conjur.pem"
+popd
+
+# Check for Job completion
+helm_chart_name="cyberark-secrets-provider-for-kubernetes"
+$cli_with_timeout wait --for=condition=complete job/$helm_chart_name
+
+helm_chart_name="cyberark-secrets-provider-for-kubernetes-two"
+$cli_with_timeout wait --for=condition=complete job/$helm_chart_name
+
+# Deploy app to test against
+deploy_helm_app
+pod_name=$($cli_with_timeout get pods --namespace=$APP_NAMESPACE_NAME --selector app=test-env --no-headers | awk '{print $1}' | head -1)
+verify_secret_value_in_pod $pod_name "TEST_SECRET" "supersecret"
diff --git a/deploy/test/test_cases/TEST_ID_20_helm_service_account_does_not_exist.sh b/deploy/test/test_cases/TEST_ID_20_helm_service_account_does_not_exist.sh new file mode 100755 index 000000000..6a6d58088 --- /dev/null +++ b/deploy/test/test_cases/TEST_ID_20_helm_service_account_does_not_exist.sh @@ -0,0 +1,28 @@ +#!/bin/bash +set -euxo pipefail + +# This test verifies that when the user declares that they will provide their own Service Account but that Service Account does not exist in their environment that the Job will fail +# TODO verify Job start up and completed logs + +set_namespace $CONJUR_NAMESPACE_NAME + +# Configure authn and login Conjur urls +configure_env_url + +# Fetch SSL cert from Conjur/DAP +fetch_ssl + +# Save cert for later setting in Helm +$cli_with_timeout "exec ${conjur_pod_name} --namespace $CONJUR_NAMESPACE_NAME cat $cert_location" > "conjur.pem" + +set_namespace $APP_NAMESPACE_NAME + +pushd ../../../ + export CREATE_SERVICE_ACCOUNT="false" + + fill_helm_chart + helm install -f "cyberark-secrets-provider-for-kubernetes/ci/test-values.yaml" cyberark-secrets-provider-for-kubernetes ./cyberark-secrets-provider-for-kubernetes --set-file environment.conjur.sslCertificate.value="deploy/test/test_cases/conjur.pem" +popd + +helm_chart_name="cyberark-secrets-provider-for-kubernetes" +$cli_with_timeout "describe job $helm_chart_name | grep 'error looking up service account'" diff --git a/deploy/utils.sh b/deploy/utils.sh index 2999dc5fb..f56d6c2c0 100644 --- a/deploy/utils.sh +++ b/deploy/utils.sh @@ -1,6 +1,3 @@ -#!/bin/bash -set -xeuo pipefail - export KEY_VALUE_NOT_EXIST=" " wait_for_it() { @@ -144,7 +141,7 @@ configure_cli_pod() { $cli_with_timeout exec $conjur_cli_pod -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD } -function deploy_env { +function configure_env_url { conjur_node_name="conjur-cluster" if [ "$CONJUR_DEPLOYMENT" = "dap" ]; then conjur_node_name="conjur-follower" 
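Review bot: The final assertion of TEST_ID_20 reads the Job description once, straight after `helm install`, so it depends on the 'error looking up service account' event already being recorded; nothing visible in the script waits or retries. Whether the `| grep` runs at all also depends on how `$cli_with_timeout` treats a single quoted string, which is defined outside this patch. I would poll with the existing helper, `wait_for_it 600 "$cli_without_timeout describe job $helm_chart_name | grep 'error looking up service account'"`, and additionally assert that the Job never reaches `condition=complete`. Without that second check the negative case cannot tell a correctly refused Job from one that ran because a `secrets-provider-service-account` left over from an earlier case was still present.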
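Review bot: With the shebang and `set -xeuo pipefail` removed from the top of deploy/utils.sh, nothing in the file states that it is now a sourced library whose callers must enable strict mode themselves. I would add a header comment such as `# Sourced helper library: callers must set -euo pipefail before sourcing; do not execute directly.` Dropping `-x` here is welcome because `configure_cli_pod`, visible as context in the next hunk, passes `-p $CONJUR_ADMIN_PASSWORD` on a command line, but the new test cases re-enable `-x`, so that password would still be traced if the function runs under one of them; whether any of them reaches it is not visible in this patch.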
@@ -157,6 +154,47 @@ function deploy_env { export CONJUR_APPLIANCE_URL=$conjur_appliance_url export CONJUR_AUTHN_URL=$conjur_authenticator_url +} + +function fetch_ssl { + selector="role=follower" + cert_location="/opt/conjur/etc/ssl/conjur.pem" + if [ "$CONJUR_DEPLOYMENT" = "oss" ]; then + selector="app=conjur-cli" + export cert_location="/root/conjur-${CONJUR_ACCOUNT}.pem" + fi + + export conjur_pod_name=$($cli_with_timeout get pods --selector=$selector --namespace $CONJUR_NAMESPACE_NAME --no-headers | awk '{ print $1 }' | head -1) +} + +function fill_helm_chart () { + id=${1:-""} + sed -e "s#{{ SECRETS_PROVIDER_ROLE }}#${SECRETS_PROVIDER_ROLE:-"secrets-provider-role"}#g" \ + -e "s#{{ SECRETS_PROVIDER_ROLE_BINDING }}#${SECRETS_PROVIDER_ROLE_BINDING:-"secrets-provider-role-binding"}#g" \ + -e "s#{{ CREATE_SERVICE_ACCOUNT }}#${CREATE_SERVICE_ACCOUNT:-"true"}#g" \ + -e "s#{{ SERVICE_ACCOUNT }}#${SERVICE_ACCOUNT:-"secrets-provider-service-account"}#g" \ + -e "s#{{ K8S_SECRETS }}#${K8S_SECRETS:-"test-k8s-secret"}#g" \ + -e "s#{{ CONJUR_ACCOUNT }}#${CONJUR_ACCOUNT:-"cucumber"}#g" \ + -e "s#{{ CONJUR_APPLIANCE_URL }}#${CONJUR_APPLIANCE_URL:-"https://conjur-follower.${CONJUR_NAMESPACE_NAME}.svc.cluster.local/api"}#g" \ + -e "s#{{ CONJUR_AUTHN_URL }}#${CONJUR_AUTHN_URL:-"https://conjur-follower.${CONJUR_NAMESPACE_NAME}.svc.cluster.local/api/authn-k8s/${AUTHENTICATOR_ID}"}#g" \ + -e "s#{{ CONJUR_AUTHN_LOGIN }}# ${CONJUR_AUTHN_LOGIN:-"host/conjur/authn-k8s/${AUTHENTICATOR_ID}/apps/${APP_NAMESPACE_NAME}/*/*"}#g" \ + -e "s#{{ SECRETS_PROVIDER_SSL_CONFIG_MAP }}# ${SECRETS_PROVIDER_SSL_CONFIG_MAP:-"secrets-provider-ssl-config-map"}#g" \ + "cyberark-secrets-provider-for-kubernetes/ci/test-values-template.yaml" > "cyberark-secrets-provider-for-kubernetes/ci/test-values${id}.yaml" +} + +function deploy_helm_app() { + unset K8S_SECRETS + unset SERVICE_ACCOUNT + + id=${1:-""} + sed -e "s#{{ SERVICE_ACCOUNT }}#${SERVICE_ACCOUNT:-"secrets-provider-service-account$id"}#g" 
"../helm-props/k8s/helm-app.yaml" | + sed -e "s#{{ K8S_SECRETS }}#${K8S_SECRETS:-"test-k8s-secret$id"}#g" | + sed -e "s#{{ ID }}#${id}#g" | + $cli_with_timeout create -f - +} + +function deploy_env { + configure_env_url echo "Running Deployment Manifest"
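Review bot: In `fetch_ssl`, `export conjur_pod_name=$(...)` returns the status of `export`, so a failed or empty pod lookup passes silently even under `set -e`, and each test case then writes whatever `exec ... cat $cert_location` produces into conjur.pem and hands it to Helm as the Conjur TLS certificate. Assigning first, rejecting an empty result and exporting afterwards makes that failure visible, as in the block below. Separately, the `CONJUR_AUTHN_LOGIN` and `SECRETS_PROVIDER_SSL_CONFIG_MAP` expressions in `fill_helm_chart` have a space after the second `#` that the other eight lack, so those two values are rendered with a leading space. The values are also pasted into the sed replacement unescaped, so a `#`, `&` or backslash in any of them would corrupt the rendered values file. The enclosing `deploy_env` continues past the end of the hunk.

```shell
function fetch_ssl {
  # … unchanged: selector and cert_location selection …

  conjur_pod_name=$($cli_with_timeout get pods --selector=$selector --namespace $CONJUR_NAMESPACE_NAME --no-headers | awk '{ print $1 }' | head -1)
  if [ -z "$conjur_pod_name" ]; then
    echo "fetch_ssl: no pod found for selector $selector" >&2
    return 1
  fi
  export conjur_pod_name
}
```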