Skip to content

Commit

Permalink
Merge branch 'dev' into skalantari/add-description-for-notation-enabl…
Browse files Browse the repository at this point in the history
…ed-feature-in-helm-charts-readme
  • Loading branch information
binbin-li authored Sep 4, 2024
2 parents 19731bb + 1c52df8 commit cd7aab3
Show file tree
Hide file tree
Showing 2 changed files with 81 additions and 2 deletions.
6 changes: 4 additions & 2 deletions scripts/azure-ci-test.sh
Original file line number Diff line number Diff line change
Expand Up @@ -142,7 +142,7 @@ trap cleanup EXIT
main() {
./scripts/create-azure-resources.sh
create_key_akv

local ACR_USER_NAME="00000000-0000-0000-0000-000000000000"
local ACR_PASSWORD=$(az acr login --name ${ACR_NAME} --expose-token --output tsv --query accessToken)
make e2e-azure-setup TEST_REGISTRY=$REGISTRY TEST_REGISTRY_USERNAME=${ACR_USER_NAME} TEST_REGISTRY_PASSWORD=${ACR_PASSWORD} KEYVAULT_KEY_NAME=${KEYVAULT_KEY_NAME} KEYVAULT_NAME=${KEYVAULT_NAME}
Expand All @@ -152,7 +152,9 @@ main() {
deploy_gatekeeper
deploy_ratify

TEST_REGISTRY=$REGISTRY bats -t ./test/bats/azure-test.bats
local IDENTITY_CLIENT_ID=$(az identity show --name ${USER_ASSIGNED_IDENTITY_NAME} --resource-group ${GROUP_NAME} --query 'clientId' -o tsv)
local VAULT_URI=$(az keyvault show --name ${KEYVAULT_NAME} --resource-group ${GROUP_NAME} --query "properties.vaultUri" -otsv)
TEST_REGISTRY=$REGISTRY IDENTITY_CLIENT_ID=$IDENTITY_CLIENT_ID VAULT_URI=$VAULT_URI bats -t ./test/bats/azure-test.bats
}

main
77 changes: 77 additions & 0 deletions test/bats/azure-test.bats
Original file line number Diff line number Diff line change
Expand Up @@ -318,3 +318,80 @@ SLEEP_TIME=1
result=$(kubectl get pod mutate-demo --namespace default -o json | jq -r ".spec.containers[0].image" | grep @sha)
assert_mutate_success
}

@test "validate refresher reconcile count" {
teardown() {
echo "cleaning up"
wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete keymanagementprovider kmp-akv-refresh --ignore-not-found=true'
rm test.yaml
}
sed -e "s/keymanagementprovider-akv/kmp-akv-refresh/" \
-e "s/1m/1s/" \
-e "s/yourCertName/${NOTATION_PEM_NAME}/" \
-e '/version: yourCertVersion/d' \
-e "s|https://yourkeyvault.vault.azure.net/|${VAULT_URI}|" \
-e "s/tenantID:/tenantID: ${TENANT_ID}/" \
-e "s/clientID:/clientID: ${IDENTITY_CLIENT_ID}/" \
./config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml >test.yaml
run kubectl apply -f test.yaml
assert_success
sleep 10
count=$(kubectl logs deployment/ratify -n gatekeeper-system | grep "Reconciled KeyManagementProvider" | wc -l)
[ $count -ge 4 ]
}

@test "validate refresher updates kmp with latest certificate version" {
teardown() {
echo "cleaning up"
wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete keymanagementprovider kmp-akv-refresh --ignore-not-found=true'
rm test.yaml
rm policy.json
}
sed -e "s/keymanagementprovider-akv/kmp-akv-refresh/" \
-e "s/1m/5s/" \
-e "s/yourCertName/${NOTATION_PEM_NAME}/" \
-e '/version: yourCertVersion/d' \
-e "s|https://yourkeyvault.vault.azure.net/|${VAULT_URI}|" \
-e "s/tenantID:/tenantID: ${TENANT_ID}/" \
-e "s/clientID:/clientID: ${IDENTITY_CLIENT_ID}/" \
./config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml >test.yaml
run kubectl apply -f test.yaml
assert_success
sleep 5
result=$(kubectl get keymanagementprovider kmp-akv-refresh -o jsonpath='{.status.properties.Certificates[0].Version}')
az keyvault certificate get-default-policy -o json >>policy.json
wait_for_process 20 10 "az keyvault certificate create --vault-name $KEYVAULT_NAME --name $NOTATION_PEM_NAME --policy @policy.json"
sleep 30
refreshResult=$(kubectl get keymanagementprovider kmp-akv-refresh -o jsonpath='{.status.properties.Certificates[0].Version}')
[ "$result" != "$refreshResult" ]
}

@test "validate certificate specified version" {
teardown() {
echo "cleaning up"
wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete keymanagementprovider kmp-akv-refresh --ignore-not-found=true'
rm policy.json
rm test.yaml
}
sed -e "s/keymanagementprovider-akv/kmp-akv-refresh/" \
-e "s/1m/1s/" \
-e "s/yourCertName/${NOTATION_PEM_NAME}/" \
-e '/version: yourCertVersion/d' \
-e "s|https://yourkeyvault.vault.azure.net/|${VAULT_URI}|" \
-e "s/tenantID:/tenantID: ${TENANT_ID}/" \
-e "s/clientID:/clientID: ${IDENTITY_CLIENT_ID}/" \
./config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml >test.yaml
version=$(az keyvault certificate show --vault-name $KEYVAULT_NAME --name $NOTATION_PEM_NAME --query 'sid' -o tsv | rev | cut -d'/' -f1 | rev)
sed -i \
-e "/name: ${NOTATION_PEM_NAME}/a \ \ \ \ \ \ \ \ version: ${version}" \
test.yaml
run kubectl apply -f test.yaml
assert_success
sleep 10
result=$(kubectl get keymanagementprovider kmp-akv-refresh -o jsonpath='{.status.properties.Certificates[0].Version}')
az keyvault certificate get-default-policy -o json >>policy.json
wait_for_process 20 10 "az keyvault certificate create --vault-name $KEYVAULT_NAME --name $NOTATION_PEM_NAME --policy @policy.json"
sleep 30
refreshResult=$(kubectl get keymanagementprovider kmp-akv-refresh -o jsonpath='{.status.properties.Certificates[0].Version}')
[ "$result" = "$refreshResult" ]
}

0 comments on commit cd7aab3

Please sign in to comment.