Skip to content

Commit

Permalink
Add tests for KeyManagementProvider refresh logic and certificate ver…
Browse files Browse the repository at this point in the history
…sion validation

- Added a test to validate the refresher reconcile count with modified timing and Key Vault configuration.
- Implemented a test to ensure certificate version updates are correctly reflected in KeyManagementProvider after creating a new version in Azure Key Vault.
- Created a test to verify that a specified certificate version in KeyManagementProvider remains consistent after attempting to update the certificate in Azure Key Vault.
  • Loading branch information
duffney committed Aug 23, 2024
1 parent d0c04e4 commit a13a8d9
Show file tree
Hide file tree
Showing 2 changed files with 49 additions and 2 deletions.
6 changes: 4 additions & 2 deletions scripts/azure-ci-test.sh
Original file line number Diff line number Diff line change
Expand Up @@ -142,7 +142,7 @@ trap cleanup EXIT
main() {
./scripts/create-azure-resources.sh
create_key_akv

local ACR_USER_NAME="00000000-0000-0000-0000-000000000000"
local ACR_PASSWORD=$(az acr login --name ${ACR_NAME} --expose-token --output tsv --query accessToken)
make e2e-azure-setup TEST_REGISTRY=$REGISTRY TEST_REGISTRY_USERNAME=${ACR_USER_NAME} TEST_REGISTRY_PASSWORD=${ACR_PASSWORD} KEYVAULT_KEY_NAME=${KEYVAULT_KEY_NAME} KEYVAULT_NAME=${KEYVAULT_NAME}
Expand All @@ -152,7 +152,9 @@ main() {
deploy_gatekeeper
deploy_ratify

TEST_REGISTRY=$REGISTRY bats -t ./test/bats/azure-test.bats
local IDENTITY_CLIENT_ID=$(az identity show --name ${USER_ASSIGNED_IDENTITY_NAME} --resource-group ${GROUP_NAME} --query 'clientId' -o tsv)
local VAULT_URI=$(az keyvault show --name ${KEYVAULT_NAME} --resource-group ${GROUP_NAME} --query "properties.vaultUri" -otsv)
TEST_REGISTRY=$REGISTRY IDENTITY_CLIENT_ID=$IDENTITY_CLIENT_ID VAULT_URI=$VAULT_URI bats -t ./test/bats/azure-test.bats
}

main
45 changes: 45 additions & 0 deletions test/bats/azure-test.bats
Original file line number Diff line number Diff line change
Expand Up @@ -318,3 +318,48 @@ SLEEP_TIME=1
result=$(kubectl get pod mutate-demo --namespace default -o json | jq -r ".spec.containers[0].image" | grep @sha)
assert_mutate_success
}

@test "validate refresher reconcile count" {
sed -i -e "s/keymanagementprovider-akv/kmp-akv-refresh/" \
-e "s/1m/1s/" \
-e "s/yourCertName/${NOTATION_PEM_NAME}/" \
-e '/version: yourCertVersion/d' \
-e "s|https://yourkeyvault.vault.azure.net/|${VAULT_URI}|" \
-e "s/tenantID:/tenantID: ${TENANT_ID}/" \
-e "s/clientID:/clientID: ${IDENTITY_CLIENT_ID}/" \
./config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml
run kubectl apply -f ./config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml
assert_success
sleep 10
count=$(kubectl logs deployment/ratify -n gatekeeper-system | grep "Reconciled KeyManagementProvider" | wc -l)
[ $count -ge 4 ]
}

@test "validate certificate version update" {
result=$(kubectl get keymanagementprovider kmp-akv-refresh -o jsonpath='{.status.properties.Certificates[0].Version}')
az keyvault certificate get-default-policy -o json >>policy.json
wait_for_process 20 10 "az keyvault certificate create --vault-name $KEYVAULT_NAME --name $NOTATION_PEM_NAME --policy @policy.json"
sleep 15
run rm policy.json
refreshResult=$(kubectl get keymanagementprovider kmp-akv-refresh -o jsonpath='{.status.properties.Certificates[0].Version}')
[ "$result" != "$refreshResult" ]
}

@test "validate certificate specified version" {
teardown() {
echo "cleaning up"
wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete keymanagementprovider kmp-akv-refresh --ignore-not-found=true'
rm policy.json
}
version=$(az keyvault certificate show --vault-name $KEYVAULT_NAME --name $NOTATION_PEM_NAME --query 'sid' -o tsv | rev | cut -d'/' -f1 | rev)
sed -i -e "/name: ${NOTATION_PEM_NAME}/a \ \ \ \ \ \ \ \ version: ${version}" ./config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml
config=$(cat ./config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml)
run kubectl apply -f ./config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml
assert_success
result=$(kubectl get keymanagementprovider kmp-akv-refresh -o jsonpath='{.status.properties.Certificates[0].Version}')
az keyvault certificate get-default-policy -o json >>policy.json
wait_for_process 20 10 "az keyvault certificate create --vault-name $KEYVAULT_NAME --name $NOTATION_PEM_NAME --policy @policy.json"
sleep 15
refreshResult=$(kubectl get keymanagementprovider kmp-akv-refresh -o jsonpath='{.status.properties.Certificates[0].Version}')
[ "$result" = "$refreshResult" ]
}

0 comments on commit a13a8d9

Please sign in to comment.