diff --git a/scripts/azure-ci-test.sh b/scripts/azure-ci-test.sh
index 1589adec2..c5c7be9c5 100755
--- a/scripts/azure-ci-test.sh
+++ b/scripts/azure-ci-test.sh
@@ -142,7 +142,7 @@ trap cleanup EXIT
 main() {
   ./scripts/create-azure-resources.sh
   create_key_akv
-
+
   local ACR_USER_NAME="00000000-0000-0000-0000-000000000000"
   local ACR_PASSWORD=$(az acr login --name ${ACR_NAME} --expose-token --output tsv --query accessToken)
   make e2e-azure-setup TEST_REGISTRY=$REGISTRY TEST_REGISTRY_USERNAME=${ACR_USER_NAME} TEST_REGISTRY_PASSWORD=${ACR_PASSWORD} KEYVAULT_KEY_NAME=${KEYVAULT_KEY_NAME} KEYVAULT_NAME=${KEYVAULT_NAME}
@@ -152,7 +152,9 @@ main() {
   deploy_gatekeeper
   deploy_ratify
-  TEST_REGISTRY=$REGISTRY bats -t ./test/bats/azure-test.bats
+  local IDENTITY_CLIENT_ID=$(az identity show --name ${USER_ASSIGNED_IDENTITY_NAME} --resource-group ${GROUP_NAME} --query 'clientId' -o tsv)
+  local VAULT_URI=$(az keyvault show --name ${KEYVAULT_NAME} --resource-group ${GROUP_NAME} --query "properties.vaultUri" -otsv)
+  TEST_REGISTRY=$REGISTRY IDENTITY_CLIENT_ID=$IDENTITY_CLIENT_ID VAULT_URI=$VAULT_URI bats -t ./test/bats/azure-test.bats
 }
 main
diff --git a/test/bats/azure-test.bats b/test/bats/azure-test.bats
index a30556dd7..9019c419a 100644
--- a/test/bats/azure-test.bats
+++ b/test/bats/azure-test.bats
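Review bot: In the second hunk, `local IDENTITY_CLIENT_ID=$(az identity show ...)` and `local VAULT_URI=$(az keyvault show ...)` mask the `az` exit status, so a failed lookup leaves an empty value that is then handed to bats as `IDENTITY_CLIENT_ID=` / `VAULT_URI=`, and the e2e run fails far from the cause (the same pattern already exists on the `ACR_PASSWORD` context line). Declare first and assign separately so the status is visible, e.g. `local IDENTITY_CLIENT_ID VAULT_URI` followed by `IDENTITY_CLIENT_ID=$(az identity show --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${GROUP_NAME}" --query 'clientId' -o tsv) || return 1` and the analogous line for `VAULT_URI`; quoting the expansions also avoids word-splitting if a name ever contains whitespace. Whether `set -e` is active in this script is outside the hunk, so the explicit `|| return 1` is the safer form either way. Note that the bats tests substitute `${TENANT_ID}` into the manifest as well, but this line passes only `TEST_REGISTRY`, `IDENTITY_CLIENT_ID` and `VAULT_URI`; if `TENANT_ID` is not already exported elsewhere in the environment it should be added here.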
@@ -318,3 +318,80 @@ SLEEP_TIME=1
   result=$(kubectl get pod mutate-demo --namespace default -o json | jq -r ".spec.containers[0].image" | grep @sha)
   assert_mutate_success
 }
+
+@test "validate refresher reconcile count" {
+  teardown() {
+    echo "cleaning up"
+    wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete keymanagementprovider kmp-akv-refresh --ignore-not-found=true'
+    rm test.yaml
+  }
+  sed -e "s/keymanagementprovider-akv/kmp-akv-refresh/" \
+    -e "s/1m/1s/" \
+    -e "s/yourCertName/${NOTATION_PEM_NAME}/" \
+    -e '/version: yourCertVersion/d' \
+    -e "s|https://yourkeyvault.vault.azure.net/|${VAULT_URI}|" \
+    -e "s/tenantID:/tenantID: ${TENANT_ID}/" \
+    -e "s/clientID:/clientID: ${IDENTITY_CLIENT_ID}/" \
+    ./config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml >test.yaml
+  run kubectl apply -f test.yaml
+  assert_success
+  sleep 10
+  count=$(kubectl logs deployment/ratify -n gatekeeper-system | grep "Reconciled KeyManagementProvider" | wc -l)
+  [ $count -ge 4 ]
+}
+
+@test "validate refresher updates kmp with latest certificate version" {
+  teardown() {
+    echo "cleaning up"
+    wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete keymanagementprovider kmp-akv-refresh --ignore-not-found=true'
+    rm test.yaml
+    rm policy.json
+  }
+  sed -e "s/keymanagementprovider-akv/kmp-akv-refresh/" \
+    -e "s/1m/5s/" \
+    -e "s/yourCertName/${NOTATION_PEM_NAME}/" \
+    -e '/version: yourCertVersion/d' \
+    -e "s|https://yourkeyvault.vault.azure.net/|${VAULT_URI}|" \
+    -e "s/tenantID:/tenantID: ${TENANT_ID}/" \
+    -e "s/clientID:/clientID: ${IDENTITY_CLIENT_ID}/" \
+    ./config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml >test.yaml
+  run kubectl apply -f test.yaml
+  assert_success
+  sleep 5
+  result=$(kubectl get keymanagementprovider kmp-akv-refresh -o jsonpath='{.status.properties.Certificates[0].Version}')
+  az keyvault certificate get-default-policy -o json >>policy.json
+  wait_for_process 20 10 "az keyvault certificate create --vault-name $KEYVAULT_NAME --name $NOTATION_PEM_NAME --policy @policy.json"
+  sleep 30
+  refreshResult=$(kubectl get keymanagementprovider kmp-akv-refresh -o jsonpath='{.status.properties.Certificates[0].Version}')
+  [ "$result" != "$refreshResult" ]
+}
+
+@test "validate certificate specified version" {
+  teardown() {
+    echo "cleaning up"
+    wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete keymanagementprovider kmp-akv-refresh --ignore-not-found=true'
+    rm policy.json
+    rm test.yaml
+  }
+  sed -e "s/keymanagementprovider-akv/kmp-akv-refresh/" \
+    -e "s/1m/1s/" \
+    -e "s/yourCertName/${NOTATION_PEM_NAME}/" \
+    -e '/version: yourCertVersion/d' \
+    -e "s|https://yourkeyvault.vault.azure.net/|${VAULT_URI}|" \
+    -e "s/tenantID:/tenantID: ${TENANT_ID}/" \
+    -e "s/clientID:/clientID: ${IDENTITY_CLIENT_ID}/" \
+    ./config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml >test.yaml
+  version=$(az keyvault certificate show --vault-name $KEYVAULT_NAME --name $NOTATION_PEM_NAME --query 'sid' -o tsv | rev | cut -d'/' -f1 | rev)
+  sed -i \
+    -e "/name: ${NOTATION_PEM_NAME}/a \ \ \ \ \ \ \ \ version: ${version}" \
+    test.yaml
+  run kubectl apply -f test.yaml
+  assert_success
+  sleep 10
+  result=$(kubectl get keymanagementprovider kmp-akv-refresh -o jsonpath='{.status.properties.Certificates[0].Version}')
+  az keyvault certificate get-default-policy -o json >>policy.json
+  wait_for_process 20 10 "az keyvault certificate create --vault-name $KEYVAULT_NAME --name $NOTATION_PEM_NAME --policy @policy.json"
+  sleep 30
+  refreshResult=$(kubectl get keymanagementprovider kmp-akv-refresh -o jsonpath='{.status.properties.Certificates[0].Version}')
+  [ "$result" = "$refreshResult" ]
+}
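Review bot: All three new tests substitute `${IDENTITY_CLIENT_ID}`, `${VAULT_URI}` and `${TENANT_ID}` into the KMP manifest via sed with no check that they are set, so an empty value yields a syntactically valid manifest with a blank `clientID:`/`tenantID:` and the assertion that eventually fails (`[ $count -ge 4 ]`, or the version comparison) says nothing about the real cause. Add a guard at the top of each test, or in `setup`, such as `: "${IDENTITY_CLIENT_ID:?}" "${VAULT_URI:?}" "${TENANT_ID:?}" "${NOTATION_PEM_NAME:?}"`. The `az keyvault certificate get-default-policy -o json >>policy.json` lines append rather than overwrite, so a leftover file from an earlier aborted run produces a concatenated, invalid policy document; `>policy.json` is the intended form. Each of the last two tests also creates a new certificate version in the shared vault that teardown does not remove, so versions accumulate across CI runs, and `-e "s/1m/1s/"` rewrites the first `1m` on any line of the sample file rather than only the refresh interval, which is fragile if the sample ever changes (I cannot see the sample from this hunk).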