From 004a504ba7622cc777e8e2a7de6f6f7c2d6b52b7 Mon Sep 17 00:00:00 2001
From: Joshua Duffney
Date: Tue, 20 Aug 2024 10:23:26 -0500
Subject: [PATCH] tests: KeyManagementProvider refresh logic and certificate version validation
- Added a test to validate the refresher reconcile count with modified timing and Key Vault configuration.
- Implemented a test to ensure certificate version updates are correctly reflected in KeyManagementProvider after creating a new version in Azure Key Vault.
- Created a test to verify that a specified certificate version in KeyManagementProvider remains consistent after attempting to update the certificate in Azure Key Vault.
---
 scripts/azure-ci-test.sh | 6 ++++--
 test/bats/azure-test.bats | 44 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 2 deletions(-)
diff --git a/scripts/azure-ci-test.sh b/scripts/azure-ci-test.sh
index 1589adec24..c5c7be9c56 100755
--- a/scripts/azure-ci-test.sh
+++ b/scripts/azure-ci-test.sh
@@ -142,7 +142,7 @@ trap cleanup EXIT
 main() {
 ./scripts/create-azure-resources.sh
 create_key_akv
-
+
 local ACR_USER_NAME="00000000-0000-0000-0000-000000000000"
 local ACR_PASSWORD=$(az acr login --name ${ACR_NAME} --expose-token --output tsv --query accessToken)
 make e2e-azure-setup TEST_REGISTRY=$REGISTRY TEST_REGISTRY_USERNAME=${ACR_USER_NAME} TEST_REGISTRY_PASSWORD=${ACR_PASSWORD} KEYVAULT_KEY_NAME=${KEYVAULT_KEY_NAME} KEYVAULT_NAME=${KEYVAULT_NAME}
@@ -152,7 +152,9 @@ main() {
 deploy_gatekeeper
 deploy_ratify
- TEST_REGISTRY=$REGISTRY bats -t ./test/bats/azure-test.bats
+ local IDENTITY_CLIENT_ID=$(az identity show --name ${USER_ASSIGNED_IDENTITY_NAME} --resource-group ${GROUP_NAME} --query 'clientId' -o tsv)
+ local VAULT_URI=$(az keyvault show --name ${KEYVAULT_NAME} --resource-group ${GROUP_NAME} --query "properties.vaultUri" -otsv)
+ TEST_REGISTRY=$REGISTRY IDENTITY_CLIENT_ID=$IDENTITY_CLIENT_ID VAULT_URI=$VAULT_URI bats -t ./test/bats/azure-test.bats
 }
 main
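Review bot: `local IDENTITY_CLIENT_ID=$(az identity show …)` and `local VAULT_URI=$(az keyvault show …)` in the second hunk mask the exit status of `az` (the `local` builtin returns 0 regardless), so a failed lookup leaves the variable empty and bats is launched with `IDENTITY_CLIENT_ID=` / `VAULT_URI=` blank, failing later inside the tests with an unrelated error; whether `set -e` is active is outside the hunk, and it would not help here anyway. Split declaration from assignment and fail fast: `local IDENTITY_CLIENT_ID VAULT_URI`, then `IDENTITY_CLIENT_ID=$(az identity show --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${GROUP_NAME}" --query 'clientId' -o tsv) || exit 1`, and the same shape for `VAULT_URI`. The existing `local ACR_PASSWORD=$(…)` line has the same pattern, so the new lines are consistent with the file, but it is worth fixing all three together. The bats tests added in this patch also read `TENANT_ID`, which this `bats -t` line does not pass; if it is not exported elsewhere, it belongs on that line next to the other two. Minor style: `-otsv` on the `VAULT_URI` line vs. `-o tsv` on the line above, and the first hunk replaces an empty line with one containing only trailing whitespace.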
diff --git a/test/bats/azure-test.bats b/test/bats/azure-test.bats
index a30556dd7c..419540e7d3 100644
--- a/test/bats/azure-test.bats
+++ b/test/bats/azure-test.bats
@@ -318,3 +318,47 @@ SLEEP_TIME=1
 result=$(kubectl get pod mutate-demo --namespace default -o json | jq -r ".spec.containers[0].image" | grep @sha)
 assert_mutate_success
 }
+
+@test "validate refresher reconcile count" {
+ sed -i -e "s/keymanagementprovider-akv/kmp-akv-refresh/" \
+ -e "s/1m/1s/" \
+ -e "s/yourCertName/${NOTATION_PEM_NAME}/" \
+ -e '/version: yourCertVersion/d' \
+ -e "s|https://yourkeyvault.vault.azure.net/|${VAULT_URI}|" \
+ -e "s/tenantID:/tenantID: ${TENANT_ID}/" \
+ -e "s/clientID:/clientID: ${IDENTITY_CLIENT_ID}/" \
+ ./config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml
+ run kubectl apply -f ./config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml
+ assert_success
+ sleep 10
+ count=$(kubectl logs deployment/ratify -n gatekeeper-system | grep "Reconciled KeyManagementProvider" | wc -l)
+ [ $count -ge 4 ]
+}
+
+@test "validate certificate version update" {
+ result=$(kubectl get keymanagementprovider kmp-akv-refresh -o jsonpath='{.status.properties.Certificates[0].Version}')
+ az keyvault certificate get-default-policy -o json >>policy.json
+ wait_for_process 20 10 "az keyvault certificate create --vault-name $KEYVAULT_NAME --name $NOTATION_PEM_NAME --policy @policy.json"
+ sleep 15
+ run rm policy.json
+ refreshResult=$(kubectl get keymanagementprovider kmp-akv-refresh -o jsonpath='{.status.properties.Certificates[0].Version}')
+ [ "$result" != "$refreshResult" ]
+}
+
+@test "validate certificate specified version" {
+ teardown() {
+ echo "cleaning up"
+ wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete keymanagementprovider kmp-akv-refresh --ignore-not-found=true'
+ rm policy.json
+ }
+ version=$(az keyvault certificate show --vault-name $KEYVAULT_NAME --name $NOTATION_PEM_NAME --query 'sid' -o tsv | rev | cut -d'/' -f1 | rev)
+ sed -i -e "/name: ${NOTATION_PEM_NAME}/a \ \ \ \ \ \ \ \ version: ${version}"
./config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml
+ run kubectl apply -f ./config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml
+ assert_success
+ result=$(kubectl get keymanagementprovider kmp-akv-refresh -o jsonpath='{.status.properties.Certificates[0].Version}')
+ az keyvault certificate get-default-policy -o json >>policy.json
+ wait_for_process 20 10 "az keyvault certificate create --vault-name $KEYVAULT_NAME --name $NOTATION_PEM_NAME --policy @policy.json"
+ sleep 15
+ refreshResult=$(kubectl get keymanagementprovider kmp-akv-refresh -o jsonpath='{.status.properties.Certificates[0].Version}')
+ [ "$result" = "$refreshResult" ]
+}
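Review bot: `az keyvault certificate get-default-policy -o json >>policy.json` appends in both new tests, so a policy.json left over from an earlier aborted run (the "version update" test has no teardown and only reaches `run rm policy.json` after `wait_for_process` has succeeded) produces two concatenated JSON documents and the following `--policy @policy.json` call breaks; write the file with `>` and make the "specified version" teardown use `rm -f -- policy.json` so cleanup cannot itself fail when the file was never created. The "specified version" test only asserts that the status version is unchanged across the new Key Vault version, and `result` is read right after `kubectl apply` with no wait, so a stale status would also satisfy `[ "$result" = "$refreshResult" ]`; adding `[ "$result" = "$version" ]` pins the value the test is actually about. In the reconcile-count test, `grep "Reconciled KeyManagementProvider" | wc -l` over the whole deployment log presumably also counts reconciles of providers from earlier tests, which makes `-ge 4` weak evidence of the 1s refresh; scoping the log with `--since=` or, if the log line carries the resource name, grepping for `kmp-akv-refresh` would make the threshold meaningful, and `grep -c` replaces the `wc -l`. The `sed` substitutions silently write blank `tenantID:`, `clientID:` and vault URL fields when the corresponding variable is empty; a `: "${TENANT_ID:?}" "${IDENTITY_CLIENT_ID:?}" "${VAULT_URI:?}"` guard at the top of the first test fails fast with a clear message instead of a confusing Key Vault error later.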