-
Notifications
You must be signed in to change notification settings - Fork 48
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #517 from openshift-cherrypick-robot/cherry-pick-4…
…89-to-18.0-fr1 [18.0-fr1] Fernet rotation kuttl tests
- Loading branch information
Showing
11 changed files
with
118 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| #!/bin/sh | ||
| set -euxo pipefail | ||
|
|
||
| oc wait --for=condition=ready pod openstackclient --timeout=30s -n $NAMESPACE | ||
|
|
||
| alias openstack="oc exec -tn $NAMESPACE openstackclient -- openstack" | ||
|
|
||
| export OS_TOKEN=$(openstack token issue -f value -c id) | ||
|
|
||
| echo $OS_TOKEN > /tmp/temporary_test_token |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| #!/bin/sh | ||
| set -euxo pipefail | ||
|
|
||
| seconds=1 | ||
| while [ $seconds -le 30 ]; do | ||
| rotatedat=$(oc get secret keystone -n $NAMESPACE -o jsonpath="{.metadata.annotations['keystone\.openstack\.org/rotatedat']}") | ||
| if [ $rotatedat != "2009-11-10T23:00:00Z" ]; then | ||
| break | ||
| fi | ||
| sleep 1 | ||
| seconds=$(( $seconds + 1 )) | ||
| done | ||
|
|
||
| sleep 20 # make sure a rollout started | ||
|
|
||
| oc rollout status deployment/keystone -n $NAMESPACE | ||
|
|
||
| export OS_TOKEN=$(cat /tmp/temporary_test_token) | ||
|
|
||
| alias openstack="oc exec -tn $NAMESPACE openstackclient -- env -u OS_CLOUD - OS_AUTH_URL=http://keystone-public.keystone-kuttl-tests.svc:5000 OS_AUTH_TYPE=token OS_TOKEN=$OS_TOKEN openstack" | ||
|
|
||
| if openstack endpoint list 2>&1 | grep "Failed to validate token"; then | ||
| exit 1 | ||
| else | ||
| exit 0 | ||
| fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| ../../common/assert_sample_deployment.yaml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| ../../common/keystoneapi_deploy.yaml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| # create a test token, save it in /tmp/ | ||
| apiVersion: kuttl.dev/v1beta1 | ||
| kind: TestAssert | ||
| commands: | ||
| - script: ../../common/scripts/create_test_token.sh |
55 changes: 55 additions & 0 deletions
55
tests/kuttl/tests/fernet_rotation/01-deploy_openstackclient.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| apiVersion: v1 | ||
| kind: Pod | ||
| metadata: | ||
| annotations: | ||
| openshift.io/scc: anyuid | ||
| labels: | ||
| app: openstackclient | ||
| name: openstackclient | ||
| spec: | ||
| containers: | ||
| - args: | ||
| - --single-child | ||
| - -- | ||
| - /bin/bash | ||
| - -c | ||
| - /bin/sleep infinity | ||
| command: | ||
| - /bin/dumb-init | ||
| env: | ||
| - name: OS_CLOUD | ||
| value: default | ||
| image: quay.io/podified-antelope-centos9/openstack-openstackclient:current-podified | ||
| imagePullPolicy: IfNotPresent | ||
| name: openstackclient | ||
| resources: {} | ||
| securityContext: | ||
| capabilities: | ||
| drop: | ||
| - ALL | ||
| runAsGroup: 42401 | ||
| runAsNonRoot: true | ||
| runAsUser: 42401 | ||
| allowPrivilegeEscalation: false | ||
| seccompProfile: | ||
| type: RuntimeDefault | ||
| terminationMessagePath: /dev/termination-log | ||
| terminationMessagePolicy: File | ||
| volumeMounts: | ||
| - mountPath: /etc/openstack/clouds.yaml | ||
| name: openstack-config | ||
| subPath: clouds.yaml | ||
| - mountPath: /etc/openstack/secure.yaml | ||
| name: openstack-config-secret | ||
| subPath: secure.yaml | ||
| dnsPolicy: ClusterFirst | ||
| enableServiceLinks: true | ||
| volumes: | ||
| - configMap: | ||
| defaultMode: 420 | ||
| name: openstack-config | ||
| name: openstack-config | ||
| - name: openstack-config-secret | ||
| secret: | ||
| defaultMode: 420 | ||
| secretName: openstack-config-secret |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| # validate that token saved in previous step works | ||
| apiVersion: kuttl.dev/v1beta1 | ||
| kind: TestAssert | ||
| namespaced: true | ||
| commands: | ||
| - script: ../../common/scripts/validate_test_token.sh |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| apiVersion: v1 | ||
| kind: Secret | ||
| metadata: | ||
| name: keystone | ||
| annotations: | ||
| keystone.openstack.org/rotatedat: "2009-11-10T23:00:00Z" |
6 changes: 6 additions & 0 deletions
6
tests/kuttl/tests/fernet_rotation/03-cleanup-openstackclient.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| apiVersion: kuttl.dev/v1beta1 | ||
| kind: TestStep | ||
| delete: | ||
| - apiVersion: v1 | ||
| kind: Pod | ||
| name: openstackclient |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| ../../common/cleanup-keystone.yaml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| ../../common/errors_cleanup_keystone.yaml |