Add Milestone Job integration tests for Helm Chart

Add Helm chart test flow Add vanilla flow for deployment with Helm
cyberark · Aug 2, 2020 · 8419795 · 8419795
1 parent a1b0947
commit 8419795
Show file tree

Hide file tree

Showing 11 changed files with 165 additions and 22 deletions.
diff --git a/bootstrap.env b/bootstrap.env
@@ -22,4 +22,7 @@ export APP_NAMESPACE_NAME=app-$UNIQUE_TEST_ID
 # export STOP_RUNNING_ENV=true
 # export CONJUR_ACCOUNT=cucumber
 # export CONJUR_LOG_LEVEL=debug
+# export CONJUR_AUTHENTICATORS=authn-k8s/${AUTHENTICATOR_ID}
+# Uncomment to run HELM tests
+# export HELM_TESTS=true
 
diff --git a/deploy/2_create_app_namespace.sh b/deploy/2_create_app_namespace.sh
@@ -31,7 +31,10 @@ if [[ "$PLATFORM" = "openshift" ]]; then
     CONFIG_DIR="config/openshift"
 fi
 
-wait_for_it 600  "./$CONFIG_DIR/app-conjur-authenticator-role-binding.sh.yml | $cli_without_timeout apply -f -"
+
+if [ "${HELM_TESTS}" = "false" ]; then
+  wait_for_it 600  "./$CONFIG_DIR/app-conjur-authenticator-role-binding.sh.yml | $cli_without_timeout apply -f -"
+fi
 
 if [[ $PLATFORM == openshift ]]; then
   # add permissions for Conjur admin user

diff --git a/deploy/run_with_summon.sh b/deploy/run_with_summon.sh
@@ -59,7 +59,7 @@ ssl_cert=$($cli_with_timeout "exec ${conjur_pod_name} --namespace $CONJUR_NAMESP
 
 export CONJUR_SSL_CERTIFICATE=$ssl_cert
 
-if [ "${DEV}" = "false"  ]; then
+if [ "${DEV}" = "false" || "${HELM_TESTS}" = "true"  ]; then
   pushd ./test/test_cases > /dev/null
     ./run_tests.sh
   popd > /dev/null

diff --git a/deploy/teardown_resources.sh b/deploy/teardown_resources.sh
@@ -7,6 +7,15 @@ set -euxo pipefail
 set_namespace $CONJUR_NAMESPACE_NAME
 
 configure_cli_pod
+
+if [ "${HELM_TESTS}" = "true" ]; then
+  helm_chart_name="secrets-provider"
+  # Remove pem across runs
+  rm conjur.pem
+
+  helm delete $helm_chart_name
+fi
+
 if [ "${DEV}" = "false" ]; then
   $cli_with_timeout "exec $(get_conjur_cli_pod_name) -- conjur variable values add secrets/test_secret \"supersecret\""
 fi

diff --git a/deploy/test/helm-props/k8s/helm-app.yaml b/deploy/test/helm-props/k8s/helm-app.yaml
@@ -0,0 +1,29 @@
+# This app is created to run end-to-end with the Secrets Provider Job
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: test-env
+  name: test-env
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: test-env
+  template:
+    metadata:
+      labels:
+        app: test-env
+    spec:
+      serviceAccountName: secrets-provider-service-account
+      containers:
+      - image: centos:7
+        name: test-app
+        command: ["sleep"]
+        args: ["infinity"]
+        env:
+        - name: TEST_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: test-k8s-secret
+              key: secret
diff --git a/deploy/test/helm-props/k8s_secrets.yml b/deploy/test/helm-props/k8s_secrets.yml
@@ -0,0 +1,9 @@
+# Not to be shipped. Created for end-to-end testing
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test-k8s-secret
+type: Opaque
+stringData:
+  conjur-map: |-
+    secret: secrets/test_secret
diff --git a/deploy/test/helm-props/openshift/helm-app.yaml b/deploy/test/helm-props/openshift/helm-app.yaml
@@ -0,0 +1,26 @@
+# This app is created to run end-to-end with the Secrets Provider Job
+apiVersion: v1
+kind: DeploymentConfig
+metadata:
+  name: test-env
+spec:
+  replicas: 1
+  selector:
+    app: test-env
+  template:
+    metadata:
+      labels:
+        app: test-env
+    spec:
+      serviceAccountName:secrets-provider-service-account
+      containers:
+      - image: centos:7
+        name: test-app
+        command: ["sleep"]
+        args: ["infinity"]
+        env:
+        - name: TEST_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: test-k8s-secret
+              key: secret
diff --git a/deploy/test/test_cases/TEST_ID_17_helm_job_deploys_successfully.sh b/deploy/test/test_cases/TEST_ID_17_helm_job_deploys_successfully.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+set -euxo pipefail
+
+# This test verifies that the Secrets Provider Job is deployed successfully and Conjur secret appears in pod environment
+# separately deployed application
+
+set_namespace $CONJUR_NAMESPACE_NAME
+
+# Configure authn and login Conjur urls
+configure_env_url
+
+# Fetch SSL cert from Conjur/DAP
+fetch_ssl
+
+# Save cert for later setting in Helm
+$cli_with_timeout "exec ${conjur_pod_name} --namespace $CONJUR_NAMESPACE_NAME cat $cert_location" > "conjur.pem"
+
+set_namespace $APP_NAMESPACE_NAME
+
+pushd ../../../
+  sed -e "s#{{ SECRETS_PROVIDER_ROLE }}#${SECRETS_PROVIDER_ROLE:-"secrets-provider-role"}#g" \
+      -e "s#{{ SECRETS_PROVIDER_ROLE_BINDING }}#${SECRETS_PROVIDER_ROLE_BINDING:-"secrets-provider-role-binding"}#g" \
+      -e "s#{{ SERVICE_ACCOUNT_CREATE }}#${SERVICE_ACCOUNT_CREATE:-"true"}#g" \
+      -e "s#{{ SERVICE_ACCOUNT }}#${SERVICE_ACCOUNT:-"secrets-provider-service-account"}#g" \
+      -e "s#{{ K8S_SECRETS }}#${K8S_SECRETS:-"test-k8s-secret"}#g" \
+      -e "s#{{ CONJUR_ACCOUNT }}#${CONJUR_ACCOUNT:-"cucumber"}#g" \
+      -e "s#{{ CONJUR_APPLIANCE_URL }}#${CONJUR_APPLIANCE_URL:-"https://conjur-follower.${CONJUR_NAMESPACE_NAME}.svc.cluster.local/api"}#g" \
+      -e "s#{{ CONJUR_AUTHN_URL }}#${CONJUR_AUTHN_URL:-"https://conjur-follower.${CONJUR_NAMESPACE_NAME}.svc.cluster.local/api/authn-k8s/${AUTHENTICATOR_ID}"}#g" \
+      -e "s#{{ CONJUR_AUTHN_LOGIN }}# ${CONJUR_AUTHN_LOGIN:-"host/conjur/authn-k8s/${AUTHENTICATOR_ID}/apps/${APP_NAMESPACE_NAME}/*/*"}#g"  \
+      -e "s#{{ SECRETS_PROVIDER_SSL_CONFIG_MAP }}# ${SECRETS_PROVIDER_SSL_CONFIG_MAP:-"secrets-provider-ssl-config-map"}#g" \
+      "secrets-provider-chart/ci/test-values-template.yaml" > "secrets-provider-chart/ci/test-values.yaml"
+
+  helm install -f "secrets-provider-chart/ci/test-values.yaml" secrets-provider ./secrets-provider-chart --set-file environment.conjur.sslCertificate.value="deploy/test/test_cases/conjur.pem"
+popd
+
+CONFIG_DIR="../helm-props/k8s"
+if [[ "$PLATFORM" = "openshift" ]]; then
+    CONFIG_DIR="../helm-props/openshift"
+fi
+
+# Deploy app to test against
+kubectl apply -f ../helm-props/k8s/helm-app.yaml
+
+pod_name=$($cli_with_timeout get pods --namespace=$APP_NAMESPACE_NAME --selector app=test-env --no-headers | awk '{print $1}')
+verify_secret_value_in_pod $pod_name "TEST_SECRET" "some-secret"
+
+# Check for Job completion
+$cli_with_timeout wait --for=condition=complete job/secrets-provider
diff --git a/deploy/test/test_cases/run_tests.sh b/deploy/test/test_cases/run_tests.sh
@@ -24,11 +24,11 @@ times=1
 for c in {1..$times}
 do
   for filename in ./$TEST_NAME_PREFIX*.sh; do
-      announce "Running '$filename'."
-      ./test_case_setup.sh
-      $filename
-      ../../teardown_resources.sh
-      announce "Test '$filename' ended successfully"
+    announce "Running '$filename'."
+    ./test_case_setup.sh
+    $filename
+    ../../teardown_resources.sh
+    announce "Test '$filename' ended successfully"
   done
 done
 

diff --git a/deploy/test/test_cases/test_case_setup.sh b/deploy/test/test_cases/test_case_setup.sh
@@ -1,27 +1,28 @@
 #!/bin/bash
 set -euxo pipefail
 
-announce "Creating image pull secret."
+if [ "${DEV}" = "false" ]; then
+  announce "Creating image pull secret."
+  if [[ "${PLATFORM}" == "kubernetes" ]]; then
+   $cli_with_timeout delete --ignore-not-found secret dockerpullsecret
 
-if [[ "${PLATFORM}" == "kubernetes" ]]; then
-     $cli_with_timeout delete --ignore-not-found secret dockerpullsecret
-
-     $cli_with_timeout create secret docker-registry dockerpullsecret \
-      --docker-server=$DOCKER_REGISTRY_URL \
-      --docker-username=_ \
-      --docker-password=_ \
-      --docker-email=_
-elif [[ "$PLATFORM" == "openshift" ]]; then
+   $cli_with_timeout create secret docker-registry dockerpullsecret \
+    --docker-server=$DOCKER_REGISTRY_URL \
+    --docker-username=_ \
+    --docker-password=_ \
+    --docker-email=_
+  elif [[ "$PLATFORM" == "openshift" ]]; then
     $cli_with_timeout delete --ignore-not-found secrets dockerpullsecret
 
     # TODO: replace the following with `$cli create secret`
     $cli_with_timeout secrets new-dockercfg dockerpullsecret \
-          --docker-server=${DOCKER_REGISTRY_PATH} \
-          --docker-username=_ \
-          --docker-password=$($cli_with_timeout whoami -t) \
-          --docker-email=_
+      --docker-server=${DOCKER_REGISTRY_PATH} \
+      --docker-username=_ \
+      --docker-password=$($cli_with_timeout whoami -t) \
+      --docker-email=_
 
     $cli_with_timeout secrets add serviceaccount/default secrets/dockerpullsecret --for=pull
+  fi
 fi
 
 echo "Create secret k8s-secret"

diff --git a/deploy/utils.sh b/deploy/utils.sh
@@ -144,7 +144,7 @@ configure_cli_pod() {
   $cli_with_timeout exec $conjur_cli_pod -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD
 }
 
-function deploy_env {
+function configure_env_url {
   conjur_node_name="conjur-cluster"
   if [ "$CONJUR_DEPLOYMENT" = "dap" ]; then
       conjur_node_name="conjur-follower"
@@ -157,6 +157,21 @@ function deploy_env {
 
   export CONJUR_APPLIANCE_URL=$conjur_appliance_url
   export CONJUR_AUTHN_URL=$conjur_authenticator_url
+}
+
+function fetch_ssl {
+  selector="role=follower"
+  cert_location="/opt/conjur/etc/ssl/conjur.pem"
+  if [ "$CONJUR_DEPLOYMENT" = "oss" ]; then
+    selector="app=conjur-cli"
+    export cert_location="/root/conjur-${CONJUR_ACCOUNT}.pem"
+  fi
+
+  export conjur_pod_name=$($cli_with_timeout get pods --selector=$selector --namespace $CONJUR_NAMESPACE_NAME --no-headers | awk '{ print $1 }' | head -1)
+}
+
+function deploy_env {
+  configure_env_url
 
   echo "Running Deployment Manifest"