test: e2e tests for kmp refresh logic #1742
Conversation
duffney
requested review from
akashsinghal,
binbin-li,
jimmyraywv,
luisdlp,
susanshi and
toddysm
as code owners
|
Successful build: https://github.com/duffney/ratify/actions/runs/10528215388 |
duffney
changed the title
Codecov ReportAll modified and coverable lines are covered by tests ✅ |
duffney
changed the title
duffney
force-pushed
the
refresher-e2etests
branch
from
9e4a35d to
4e9d638
Compare
duffney
changed the title
duffney
force-pushed
the
refresher-e2etests
branch
from
4e9d638 to
9622f6d
Compare
test/bats/azure-test.bats
Outdated
| -e "s|https://yourkeyvault.vault.azure.net/|${VAULT_URI}|" \ | ||
| -e "s/tenantID:/tenantID: ${TENANT_ID}/" \ | ||
| -e "s/clientID:/clientID: ${IDENTITY_CLIENT_ID}/" \ | ||
| ./config/samples/clustered/kmp/config_v1beta1_keymanagementprovider_akv_refresh_enabled.yaml |
There was a problem hiding this comment.
could you redirect to a new file instead of updating in place?
Just add >your_file.yaml in the end.
There was a problem hiding this comment.
Can do. :) Does it matter where it's output? I was thinking .tests/bats/tests/config
There was a problem hiding this comment.
you can even just specify a file without path like test.yaml, and delete it after test completes.
| @@ -318,3 +318,47 @@ SLEEP_TIME=1 | |||
| result=$(kubectl get pod mutate-demo --namespace default -o json | jq -r ".spec.containers[0].image" | grep @sha) | |||
| assert_mutate_success | |||
| } | |||
|
|
|||
| @test "validate refresher reconcile count" { | |||
There was a problem hiding this comment.
wonder if we can add a teardown method to reset the refreshInterval after the test is done to avoid throttling on AKV.
There was a problem hiding this comment.
In the third test there is a teardown that deletes the KMP resource, which would only keep it alive until the final test finishes. However, I could add a clean up to each test and recreate the kmp within each test so it doesn't run longer than it needs to.
There was a problem hiding this comment.
QQ: does 👍 mean it's okay to delete it at the end in the final test or should I modify each test to create and delete the resource? :)
There was a problem hiding this comment.
In general, bats tests can be run independent of each other via the bats cli. We should try to keep tests independent and self-contained. I think we should add cleanup logic to each test. Just my opinion.
There was a problem hiding this comment.
Roger roger (StarWars reference) I'll get cleanup logic for each test added.
| sleep 15 | ||
| run rm policy.json | ||
| refreshResult=$(kubectl get keymanagementprovider kmp-akv-refresh -o jsonpath='{.status.properties.Certificates[0].Version}') | ||
| [ "$result" != "$refreshResult" ] |
There was a problem hiding this comment.
wonder the difference between it and
run []
assert_success
There was a problem hiding this comment.
result is the certificate version pulled from the kmp resources at the start of the test, which is the old version of the certificate. And refreshResult is the version pulled after a new version of the certificate has been created. I then use != ensure the version are not equal because if they are then the refresher didn't work.
My understanding that run and assert_success would only validate that the command ran successfully, which it would no matter what, as long as the resource existed. Please lmk if my understanding is incorrect and if I could use that instead. :)
There was a problem hiding this comment.
the assert_success checks the exit status, 0 if the run command holds true and 1 otherwise. And assert_success would return 1 to stop executing the test. Wonder if [ "$result" != "$refreshResult" ] behaves the same, as long as it will fail early we can keep it.
There was a problem hiding this comment.
That's a good question, I don't have the answer too. :) I'm not to familiar with bats.
test/bats/azure-test.bats
Outdated
| [ $count -ge 4 ] | ||
| } | ||
|
|
||
| @test "validate certificate version update" { |
There was a problem hiding this comment.
nit: the test description is not clear enough to me, wonder if you can provide more information.
There was a problem hiding this comment.
How about validate refresher updates kmp with latest certificate version?
There was a problem hiding this comment.
yeah, that makes more sense to me
duffney
force-pushed
the
refresher-e2etests
branch
3 times, most recently
from
8284f31 to
747fe5c
Compare
|
Just noticed a few comments aren't verified so I'll squash them into one and push those changes up after the open comments have been resolved. :) |
|
Hi @duffney, looks like this PR is also blocked due to unsigned commit. Could you take a look? thanks! |
duffney
force-pushed
the
refresher-e2etests
branch
from
bed5550 to
90d8d38
Compare
…idation - Added a test to validate the refresher reconcile count with modified timing and Key Vault configuration. - Implemented a test to ensure certificate version updates are correctly reflected in KeyManagementProvider after creating a new version in Azure Key Vault. - Created a test to verify that a specified certificate version in KeyManagementProvider remains consistent after attempting to update the certificate in Azure Key Vault. Signed-off-by: Joshua Duffney <[email protected]>
duffney
force-pushed
the
refresher-e2etests
branch
from
90d8d38 to
189d4e2
Compare
Signed-off-by: akashsinghal <[email protected]>
Description
End to end tests that validate the KMP refresh feature.
Which issue(s) this PR fixes (optional, using
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when the PR gets merged):Fixes #
How Has This Been Tested?
Please describe the tests that you ran to verify your changes. Please also list any relevant details for your test configuration
Checklist:
Post Merge Requirements
Helm Chart Change