From 84197959fcdb155e91a921a59ae692aca187e140 Mon Sep 17 00:00:00 2001 From: sigalsax <ssax18@gmail.com> Date: Sun, 2 Aug 2020 16:09:16 +0300 Subject: [PATCH] Add Milestone Job integration tests for Helm Chart Add Helm chart test flow Add vanilla flow for deployment with Helm --- bootstrap.env | 3 ++ deploy/2_create_app_namespace.sh | 5 +- deploy/run_with_summon.sh | 2 +- deploy/teardown_resources.sh | 9 ++++ deploy/test/helm-props/k8s/helm-app.yaml | 29 +++++++++++ deploy/test/helm-props/k8s_secrets.yml | 9 ++++ .../test/helm-props/openshift/helm-app.yaml | 26 ++++++++++ ...EST_ID_17_helm_job_deploys_successfully.sh | 48 +++++++++++++++++++ deploy/test/test_cases/run_tests.sh | 10 ++-- deploy/test/test_cases/test_case_setup.sh | 29 +++++------ deploy/utils.sh | 17 ++++++- 11 files changed, 165 insertions(+), 22 deletions(-) create mode 100644 deploy/test/helm-props/k8s/helm-app.yaml create mode 100644 deploy/test/helm-props/k8s_secrets.yml create mode 100644 deploy/test/helm-props/openshift/helm-app.yaml create mode 100755 deploy/test/test_cases/TEST_ID_17_helm_job_deploys_successfully.sh diff --git a/bootstrap.env b/bootstrap.env index 15a2bdcf3..2708322c8 100644 --- a/bootstrap.env +++ b/bootstrap.env @@ -22,4 +22,7 @@ export APP_NAMESPACE_NAME=app-$UNIQUE_TEST_ID # export STOP_RUNNING_ENV=true # export CONJUR_ACCOUNT=cucumber # export CONJUR_LOG_LEVEL=debug +# export CONJUR_AUTHENTICATORS=authn-k8s/${AUTHENTICATOR_ID} +# Uncomment to run HELM tests +# export HELM_TESTS=true diff --git a/deploy/2_create_app_namespace.sh b/deploy/2_create_app_namespace.sh index c31e32732..7979e4da7 100755 --- a/deploy/2_create_app_namespace.sh +++ b/deploy/2_create_app_namespace.sh 
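Review bot: `HELM_TESTS` is introduced here only as a commented-out example, so the environment this file builds never defines it, while the scripts in this patch compare `"${HELM_TESTS}"` against literals (teardown_resources.sh does so under the `set -euxo pipefail` its hunk shows) — an unset value either aborts them with an unbound-variable error or takes the wrong branch, e.g. 2_create_app_namespace.sh skips the authenticator role binding unless the value is exactly `false`. Export an explicit default next to the active settings, `export HELM_TESTS=${HELM_TESTS:-false}`, and keep the comment as the opt-in hint (`# Set HELM_TESTS=true to run the Helm chart tests instead of the manifest flow`). The `CONJUR_AUTHENTICATORS` example expands `${AUTHENTICATOR_ID}`, which is presumably set earlier in this file; if it is not, uncommenting the line yields `authn-k8s/` — worth a short note beside it.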
@@ -31,7 +31,10 @@ if [[ "$PLATFORM" = "openshift" ]]; then CONFIG_DIR="config/openshift" fi -wait_for_it 600 "./$CONFIG_DIR/app-conjur-authenticator-role-binding.sh.yml | $cli_without_timeout apply -f -" + +if [ "${HELM_TESTS}" = "false" ]; then + wait_for_it 600 "./$CONFIG_DIR/app-conjur-authenticator-role-binding.sh.yml | $cli_without_timeout apply -f -" +fi if [[ $PLATFORM == openshift ]]; then # add permissions for Conjur admin user diff --git a/deploy/run_with_summon.sh b/deploy/run_with_summon.sh index 7ff48b4f8..8551465e9 100755 --- a/deploy/run_with_summon.sh +++ b/deploy/run_with_summon.sh @@ -59,7 +59,7 @@ ssl_cert=$($cli_with_timeout "exec ${conjur_pod_name} --namespace $CONJUR_NAMESP export CONJUR_SSL_CERTIFICATE=$ssl_cert -if [ "${DEV}" = "false" ]; then +if [ "${DEV}" = "false" || "${HELM_TESTS}" = "true" ]; then pushd ./test/test_cases > /dev/null ./run_tests.sh popd > /dev/null diff --git a/deploy/teardown_resources.sh b/deploy/teardown_resources.sh index 920235c21..da5f7b180 100755 --- a/deploy/teardown_resources.sh +++ b/deploy/teardown_resources.sh @@ -7,6 +7,15 @@ set -euxo pipefail set_namespace $CONJUR_NAMESPACE_NAME configure_cli_pod + +if [ "${HELM_TESTS}" = "true" ]; then + helm_chart_name="secrets-provider" + # Remove pem across runs + rm conjur.pem + + helm delete $helm_chart_name +fi + if [ "${DEV}" = "false" ]; then $cli_with_timeout "exec $(get_conjur_cli_pod_name) -- conjur variable values add secrets/test_secret \"supersecret\"" fi diff --git a/deploy/test/helm-props/k8s/helm-app.yaml b/deploy/test/helm-props/k8s/helm-app.yaml new file mode 100644 index 000000000..46bb86015 --- /dev/null +++ b/deploy/test/helm-props/k8s/helm-app.yaml 
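Review bot: The role binding is now applied only when `HELM_TESTS` is exactly `"false"`, so an unset variable — the default, since bootstrap.env ships it commented out — skips `app-conjur-authenticator-role-binding.sh.yml` in the plain manifest flow, or aborts with an unbound-variable error if this script runs under `set -u` like the sibling scripts in this patch (its preamble is outside the hunk). Gate on the positive case with a default: `if [ "${HELM_TESTS:-false}" != "true" ]; then`. A one-line comment above it would also help the next reader — `# Under HELM_TESTS the chart is expected to create the authenticator role binding itself`; I am inferring that rationale from the gating, so confirm it against the chart templates.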
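Review bot: `[ "${DEV}" = "false" || "${HELM_TESTS}" = "true" ]` is not a compound test — `||` is a shell list operator, so bash runs `[ "${DEV}" = "false"` (which fails with a missing `]`) and then executes the *value* of `HELM_TESTS` as a command with `= true ]` as its arguments. With `HELM_TESTS=true` the `true` builtin succeeds and the tests run regardless of `DEV`; with it unset the empty command exits 127 and the test suite is silently skipped. Use the bash conditional instead: `if [[ "${DEV}" = "false" || "${HELM_TESTS:-false}" = "true" ]]; then`.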
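Review bot: `rm conjur.pem` and `helm delete $helm_chart_name` both run under the `set -euxo pipefail` at the top of this hunk, so teardown aborts — leaving the release and the rest of the app namespace behind — whenever a test failed before writing the cert or before `helm install` succeeded, and with `HELM_TESTS` unset `set -u` makes the first comparison fatal for every non-Helm run. Make the cleanup idempotent: `if [ "${HELM_TESTS:-false}" = "true" ]; then`, `rm -f -- conjur.pem`, `helm delete "$helm_chart_name" || true`. Also, `set_namespace $CONJUR_NAMESPACE_NAME` runs immediately before this block while the test installs the release after switching to `$APP_NAMESPACE_NAME`; if `set_namespace` changes the kubeconfig's current namespace, `helm delete` here looks in the wrong one — pass `--namespace "$APP_NAMESPACE_NAME"` explicitly so the target does not depend on helper side effects.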
@@ -0,0 +1,29 @@ +# This app is created to run end-to-end with the Secrets Provider Job +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: test-env + name: test-env +spec: + replicas: 1 + selector: + matchLabels: + app: test-env + template: + metadata: + labels: + app: test-env + spec: + serviceAccountName: secrets-provider-service-account + containers: + - image: centos:7 + name: test-app + command: ["sleep"] + args: ["infinity"] + env: + - name: TEST_SECRET + valueFrom: + secretKeyRef: + name: test-k8s-secret + key: secret \ No newline at end of file diff --git a/deploy/test/helm-props/k8s_secrets.yml b/deploy/test/helm-props/k8s_secrets.yml new file mode 100644 index 000000000..db3b09d32 --- /dev/null +++ b/deploy/test/helm-props/k8s_secrets.yml @@ -0,0 +1,9 @@ +# Not to be shipped. Created for end-to-end testing +apiVersion: v1 +kind: Secret +metadata: + name: test-k8s-secret +type: Opaque +stringData: + conjur-map: |- + secret: secrets/test_secret diff --git a/deploy/test/helm-props/openshift/helm-app.yaml b/deploy/test/helm-props/openshift/helm-app.yaml new file mode 100644 index 000000000..2a457daa4 --- /dev/null +++ b/deploy/test/helm-props/openshift/helm-app.yaml @@ -0,0 +1,26 @@ +# This app is created to run end-to-end with the Secrets Provider Job +apiVersion: v1 +kind: DeploymentConfig +metadata: + name: test-env +spec: + replicas: 1 + selector: + app: test-env + template: + metadata: + labels: + app: test-env + spec: + serviceAccountName:secrets-provider-service-account + containers: + - image: centos:7 + name: test-app + command: ["sleep"] + args: ["infinity"] + env: + - name: TEST_SECRET + valueFrom: + secretKeyRef: + name: test-k8s-secret + key: secret \ No newline at end of file diff --git a/deploy/test/test_cases/TEST_ID_17_helm_job_deploys_successfully.sh b/deploy/test/test_cases/TEST_ID_17_helm_job_deploys_successfully.sh new file mode 100755 index 000000000..f6fe32f09 --- /dev/null 
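Review bot: `serviceAccountName: secrets-provider-service-account` runs the consuming test pod under the same service account the chart gives the Secrets Provider Job, so the pod inherits whatever RBAC the chart binds to that account (judging by the role and role-binding values templated in TEST_ID_17, at least read/update on `test-k8s-secret`). A consumer only needs the Secret projected into its environment, not the provider's permissions; running it as `default` or a dedicated account keeps the test least-privilege and additionally proves that a pod without the provider's RBAC sees the value. The default `CONJUR_AUTHN_LOGIN` in the test uses `*/*` for service account and container, so the authenticator does not appear to require this SA — if it does, say so in the header comment, e.g. `# Runs as the provider SA because the authn-k8s host identity is pinned to it`. The image `centos:7` is unpinned and the file lacks a trailing newline; a digest or a comment marking it a placeholder would help.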
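Review bot: `serviceAccountName:secrets-provider-service-account` is missing the space after the colon, so YAML reads the whole line as a plain scalar inside the `spec` mapping and `oc apply` rejects the manifest; it must be `serviceAccountName: secrets-provider-service-account`. The error is masked today because TEST_ID_17 applies the Kubernetes manifest unconditionally, so this file is never parsed in CI. As with the Kubernetes variant, the consumer pod does not need the provider's service account and its RBAC — `default` or a dedicated SA is the least-privilege choice. `kind: DeploymentConfig` under `apiVersion: v1` is the legacy group; current OpenShift releases expect `apps.openshift.io/v1`, so confirm against the target cluster version.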
+++ b/deploy/test/test_cases/TEST_ID_17_helm_job_deploys_successfully.sh 
@@ -0,0 +1,48 @@ +#!/bin/bash +set -euxo pipefail + +# This test verifies that the Secrets Provider Job is deployed successfully and Conjur secret appears in pod environment +# separately deployed application + +set_namespace $CONJUR_NAMESPACE_NAME + +# Configure authn and login Conjur urls +configure_env_url + +# Fetch SSL cert from Conjur/DAP +fetch_ssl + +# Save cert for later setting in Helm +$cli_with_timeout "exec ${conjur_pod_name} --namespace $CONJUR_NAMESPACE_NAME cat $cert_location" > "conjur.pem" + +set_namespace $APP_NAMESPACE_NAME + +pushd ../../../ + sed -e "s#{{ SECRETS_PROVIDER_ROLE }}#${SECRETS_PROVIDER_ROLE:-"secrets-provider-role"}#g" \ + -e "s#{{ SECRETS_PROVIDER_ROLE_BINDING }}#${SECRETS_PROVIDER_ROLE_BINDING:-"secrets-provider-role-binding"}#g" \ + -e "s#{{ SERVICE_ACCOUNT_CREATE }}#${SERVICE_ACCOUNT_CREATE:-"true"}#g" \ + -e "s#{{ SERVICE_ACCOUNT }}#${SERVICE_ACCOUNT:-"secrets-provider-service-account"}#g" \ + -e "s#{{ K8S_SECRETS }}#${K8S_SECRETS:-"test-k8s-secret"}#g" \ + -e "s#{{ CONJUR_ACCOUNT }}#${CONJUR_ACCOUNT:-"cucumber"}#g" \ + -e "s#{{ CONJUR_APPLIANCE_URL }}#${CONJUR_APPLIANCE_URL:-"https://conjur-follower.${CONJUR_NAMESPACE_NAME}.svc.cluster.local/api"}#g" \ + -e "s#{{ CONJUR_AUTHN_URL }}#${CONJUR_AUTHN_URL:-"https://conjur-follower.${CONJUR_NAMESPACE_NAME}.svc.cluster.local/api/authn-k8s/${AUTHENTICATOR_ID}"}#g" \ + -e "s#{{ CONJUR_AUTHN_LOGIN }}# ${CONJUR_AUTHN_LOGIN:-"host/conjur/authn-k8s/${AUTHENTICATOR_ID}/apps/${APP_NAMESPACE_NAME}/*/*"}#g" \ + -e "s#{{ SECRETS_PROVIDER_SSL_CONFIG_MAP }}# ${SECRETS_PROVIDER_SSL_CONFIG_MAP:-"secrets-provider-ssl-config-map"}#g" \ + "secrets-provider-chart/ci/test-values-template.yaml" > "secrets-provider-chart/ci/test-values.yaml" + + helm install -f "secrets-provider-chart/ci/test-values.yaml" secrets-provider ./secrets-provider-chart --set-file environment.conjur.sslCertificate.value="deploy/test/test_cases/conjur.pem" +popd + +CONFIG_DIR="../helm-props/k8s" +if [[ "$PLATFORM" = 
"openshift" ]]; then + CONFIG_DIR="../helm-props/openshift" +fi + +# Deploy app to test against +kubectl apply -f ../helm-props/k8s/helm-app.yaml + +pod_name=$($cli_with_timeout get pods --namespace=$APP_NAMESPACE_NAME --selector app=test-env --no-headers | awk '{print $1}') +verify_secret_value_in_pod $pod_name "TEST_SECRET" "some-secret" + +# Check for Job completion +$cli_with_timeout wait --for=condition=complete job/secrets-provider diff --git a/deploy/test/test_cases/run_tests.sh b/deploy/test/test_cases/run_tests.sh index 64c3fc6f9..927b884af 100755 --- a/deploy/test/test_cases/run_tests.sh +++ b/deploy/test/test_cases/run_tests.sh @@ -24,11 +24,11 @@ times=1 for c in {1..$times} do for filename in ./$TEST_NAME_PREFIX*.sh; do - announce "Running '$filename'." - ./test_case_setup.sh - $filename - ../../teardown_resources.sh - announce "Test '$filename' ended successfully" + announce "Running '$filename'." + ./test_case_setup.sh + $filename + ../../teardown_resources.sh + announce "Test '$filename' ended successfully" done done diff --git a/deploy/test/test_cases/test_case_setup.sh b/deploy/test/test_cases/test_case_setup.sh index 3aa85c882..1fed405a5 100755 --- a/deploy/test/test_cases/test_case_setup.sh +++ b/deploy/test/test_cases/test_case_setup.sh 
@@ -1,27 +1,28 @@ #!/bin/bash set -euxo pipefail -announce "Creating image pull secret." +if [ "${DEV}" = "false" ]; then + announce "Creating image pull secret." + if [[ "${PLATFORM}" == "kubernetes" ]]; then + $cli_with_timeout delete --ignore-not-found secret dockerpullsecret -if [[ "${PLATFORM}" == "kubernetes" ]]; then - $cli_with_timeout delete --ignore-not-found secret dockerpullsecret - - $cli_with_timeout create secret docker-registry dockerpullsecret \ - --docker-server=$DOCKER_REGISTRY_URL \ - --docker-username=_ \ - --docker-password=_ \ - --docker-email=_ -elif [[ "$PLATFORM" == "openshift" ]]; then + $cli_with_timeout create secret docker-registry dockerpullsecret \ + --docker-server=$DOCKER_REGISTRY_URL \ + --docker-username=_ \ + --docker-password=_ \ + --docker-email=_ + elif [[ "$PLATFORM" == "openshift" ]]; then $cli_with_timeout delete --ignore-not-found secrets dockerpullsecret # TODO: replace the following with `$cli create secret` $cli_with_timeout secrets new-dockercfg dockerpullsecret \ - --docker-server=${DOCKER_REGISTRY_PATH} \ - --docker-username=_ \ - --docker-password=$($cli_with_timeout whoami -t) \ - --docker-email=_ + --docker-server=${DOCKER_REGISTRY_PATH} \ + --docker-username=_ \ + --docker-password=$($cli_with_timeout whoami -t) \ + --docker-email=_ $cli_with_timeout secrets add serviceaccount/default secrets/dockerpullsecret --for=pull + fi fi echo "Create secret k8s-secret" diff --git a/deploy/utils.sh b/deploy/utils.sh index 2999dc5fb..5e15a00f4 100644 --- a/deploy/utils.sh +++ b/deploy/utils.sh @@ -144,7 +144,7 @@ configure_cli_pod() { $cli_with_timeout exec $conjur_cli_pod -- conjur authn login -u admin -p $CONJUR_ADMIN_PASSWORD } -function deploy_env { +function configure_env_url { conjur_node_name="conjur-cluster" if [ "$CONJUR_DEPLOYMENT" = "dap" ]; then conjur_node_name="conjur-follower" 
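Review bot: In the OpenShift branch the session token from `$cli_with_timeout whoami -t` is expanded directly into `--docker-password=` while line 2 of this file enables `set -euxo pipefail`, so every CI run prints the token into the trace log (and it sits in the process argv for the duration of the command). The re-indent moves these lines onto the new side, so this is the moment to fetch the token into a variable with tracing off and re-enable it afterwards, as below; the argv exposure remains unless `oc` gains a stdin/file option, which is worth stating in the existing `TODO`. The `if [ "${DEV}" = "false" ]` wrapper itself is fine, but a comment on why DEV skips the pull secret — `# DEV builds load the image locally, so no registry pull secret is needed` — would help; I am inferring that reason, so confirm it.
```shell
  elif [[ "$PLATFORM" == "openshift" ]]; then
    $cli_with_timeout delete --ignore-not-found secrets dockerpullsecret

    # Fetch the token with tracing off so `set -x` does not print it into the CI log.
    set +x
    registry_token=$($cli_with_timeout whoami -t)
    # TODO: replace the following with `$cli create secret`; the token is still visible in argv
    $cli_with_timeout secrets new-dockercfg dockerpullsecret \
      --docker-server=${DOCKER_REGISTRY_PATH} \
      --docker-username=_ \
      --docker-password="$registry_token" \
      --docker-email=_
    unset registry_token
    set -x
    # … unchanged: add the pull secret to the default service account …
```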
@@ -157,6 +157,21 @@ function deploy_env { export CONJUR_APPLIANCE_URL=$conjur_appliance_url export CONJUR_AUTHN_URL=$conjur_authenticator_url +} + +function fetch_ssl { + selector="role=follower" + cert_location="/opt/conjur/etc/ssl/conjur.pem" + if [ "$CONJUR_DEPLOYMENT" = "oss" ]; then + selector="app=conjur-cli" + export cert_location="/root/conjur-${CONJUR_ACCOUNT}.pem" + fi + + export conjur_pod_name=$($cli_with_timeout get pods --selector=$selector --namespace $CONJUR_NAMESPACE_NAME --no-headers | awk '{ print $1 }' | head -1) +} + +function deploy_env { + configure_env_url echo "Running Deployment Manifest"