diff --git a/tests/kuttl/common/scripts/create_test_token.sh b/tests/kuttl/common/scripts/create_test_token.sh
new file mode 100755
index 00000000..f73f3ef6
--- /dev/null
+++ b/tests/kuttl/common/scripts/create_test_token.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -euxo pipefail
+
+oc wait --for=condition=ready pod openstackclient --timeout=30s -n $NAMESPACE
+
+alias openstack="oc exec -tn $NAMESPACE openstackclient -- openstack"
+
+export OS_TOKEN=$(openstack token issue -f value -c id)
+
+echo $OS_TOKEN > /tmp/temporary_test_token
diff --git a/tests/kuttl/common/scripts/validate_test_token.sh b/tests/kuttl/common/scripts/validate_test_token.sh
new file mode 100755
index 00000000..3c9fe201
--- /dev/null
+++ b/tests/kuttl/common/scripts/validate_test_token.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+set -euxo pipefail
+
+seconds=1
+while [ $seconds -le 30 ]; do
+ rotatedat=$(oc get secret keystone -n $NAMESPACE -o jsonpath="{.metadata.annotations['keystone\.openstack\.org/rotatedat']}")
+ if [ $rotatedat != "2009-11-10T23:00:00Z" ]; then
+ break
+ fi
+ sleep 1
+ seconds=$(( $seconds + 1 ))
+done
+
+sleep 20 # make sure a rollout started
+
+oc rollout status deployment/keystone -n $NAMESPACE
+
+export OS_TOKEN=$(cat /tmp/temporary_test_token)
+
+alias openstack="oc exec -tn $NAMESPACE openstackclient -- env -u OS_CLOUD - OS_AUTH_URL=http://keystone-public.keystone-kuttl-tests.svc:5000 OS_AUTH_TYPE=token OS_TOKEN=$OS_TOKEN openstack"
+
+if openstack endpoint list 2>&1 | grep "Failed to validate token"; then
+ exit 1
+else
+ exit 0
+fi
diff --git a/tests/kuttl/tests/fernet_rotation/00-assert.yaml b/tests/kuttl/tests/fernet_rotation/00-assert.yaml
new file mode 120000
index 00000000..461654ea
--- /dev/null
+++ b/tests/kuttl/tests/fernet_rotation/00-assert.yaml
@@ -0,0 +1 @@
+../../common/assert_sample_deployment.yaml
\ No newline at end of file
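Review bot: `set -x` on line 2 echoes the expanded `export OS_TOKEN=...` assignment and the `echo $OS_TOKEN` command to stderr, so the issued Keystone token lands in the kuttl/CI log, and `echo $OS_TOKEN > /tmp/temporary_test_token` then stores it at a fixed path with whatever permissions the default umask gives. Wrap the token handling in `set +x` / `set -x` (or drop `-x` from this script) and write the file with `umask 077; printf '%s\n' "$OS_TOKEN" > /tmp/temporary_test_token`; `$NAMESPACE` on lines 4 and 6 should be quoted as well. `set -o pipefail` is not guaranteed under `#!/bin/sh` (older dash rejects it), so either switch to `#!/usr/bin/env bash` or drop `-o pipefail`; validate_test_token.sh has the same shebang/option pair. Note that aliases are expanded in non-interactive POSIX sh but not in non-interactive bash, so if the shebang moves to bash the `alias openstack=...` line has to become a shell function.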
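Review bot: The final check on lines 22-26 fails only when the output contains the literal `Failed to validate token`, so any other failure of `openstack endpoint list` (unreachable pod, wrong auth URL, alias not expanded) ends in `exit 0` and the rotation test passes vacuously; test the command's own status instead, e.g. replace the whole `if` with `openstack endpoint list >/dev/null` so `set -e` turns a failure into a non-zero exit. The auth URL on line 20 hard-codes the `keystone-kuttl-tests` namespace while every other line uses `$NAMESPACE`, so the test breaks when run in another namespace — build it as `http://keystone-public.${NAMESPACE}.svc:5000`. The same line places the token on the `oc exec` argv, where `set -x` prints it and `ps` shows it on both the runner and inside the pod. The wait loop on lines 5-12 falls through after 30 tries without failing when the annotation never changes, and `[ $rotatedat != ... ]` on line 7 is unquoted, so an empty or missing annotation produces a `test` usage error rather than a comparison; quote it as `[ "$rotatedat" != "2009-11-10T23:00:00Z" ]` and add an explicit `exit 1` after the loop when the annotation is still the sentinel.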
diff --git a/tests/kuttl/tests/fernet_rotation/00-deploy_keystone.yaml b/tests/kuttl/tests/fernet_rotation/00-deploy_keystone.yaml
new file mode 120000
index 00000000..835e6c11
--- /dev/null
+++ b/tests/kuttl/tests/fernet_rotation/00-deploy_keystone.yaml
@@ -0,0 +1 @@
+../../common/keystoneapi_deploy.yaml
\ No newline at end of file
diff --git a/tests/kuttl/tests/fernet_rotation/01-assert.yaml b/tests/kuttl/tests/fernet_rotation/01-assert.yaml
new file mode 100644
index 00000000..36f72c21
--- /dev/null
+++ b/tests/kuttl/tests/fernet_rotation/01-assert.yaml
@@ -0,0 +1,5 @@
+# create a test token, save it in /tmp/
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+commands:
+ - script: ../../common/scripts/create_test_token.sh
diff --git a/tests/kuttl/tests/fernet_rotation/01-deploy_openstackclient.yaml b/tests/kuttl/tests/fernet_rotation/01-deploy_openstackclient.yaml
new file mode 100644
index 00000000..dabf3fe2
--- /dev/null
+++ b/tests/kuttl/tests/fernet_rotation/01-deploy_openstackclient.yaml
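Review bot: 01-assert.yaml runs the side-effecting `create_test_token.sh` from a `TestAssert`, whose commands kuttl may re-run while the assert is retried, so a transient failure such as the `oc wait` timing out would issue a fresh token and overwrite `/tmp/temporary_test_token`; harmless here, but a `TestStep` `commands:` entry expresses a one-shot action more clearly. It also omits `namespaced: true` while 02-assert.yaml sets it for `validate_test_token.sh`, even though both scripts only read `$NAMESPACE`; the two asserts should agree on this (confirm whether kuttl's `namespaced` affects `script:` commands at all). The leading comment could name the consumer of the file, e.g. `# create a test token and save it in /tmp/temporary_test_token for 02-assert.yaml`.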
@@ -0,0 +1,55 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ openshift.io/scc: anyuid
+ labels:
+ app: openstackclient
+ name: openstackclient
+spec:
+ containers:
+ - args:
+ - --single-child
+ - --
+ - /bin/bash
+ - -c
+ - /bin/sleep infinity
+ command:
+ - /bin/dumb-init
+ env:
+ - name: OS_CLOUD
+ value: default
+ image: quay.io/podified-antelope-centos9/openstack-openstackclient:current-podified
+ imagePullPolicy: IfNotPresent
+ name: openstackclient
+ resources: {}
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ runAsGroup: 42401
+ runAsNonRoot: true
+ runAsUser: 42401
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /etc/openstack/clouds.yaml
+ name: openstack-config
+ subPath: clouds.yaml
+ - mountPath: /etc/openstack/secure.yaml
+ name: openstack-config-secret
+ subPath: secure.yaml
+ dnsPolicy: ClusterFirst
+ enableServiceLinks: true
+ volumes:
+ - configMap:
+ defaultMode: 420
+ name: openstack-config
+ name: openstack-config
+ - name: openstack-config-secret
+ secret:
+ defaultMode: 420
+ secretName: openstack-config-secret
diff --git a/tests/kuttl/tests/fernet_rotation/02-assert.yaml b/tests/kuttl/tests/fernet_rotation/02-assert.yaml
new file mode 100644
index 00000000..0749245b
--- /dev/null
+++ b/tests/kuttl/tests/fernet_rotation/02-assert.yaml
@@ -0,0 +1,6 @@
+# validate that token saved in previous step works
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+namespaced: true
+commands:
+ - script: ../../common/scripts/validate_test_token.sh
diff --git a/tests/kuttl/tests/fernet_rotation/02-rotate_keys.yaml b/tests/kuttl/tests/fernet_rotation/02-rotate_keys.yaml
new file mode 100644
index 00000000..178c4880
--- /dev/null
+++ b/tests/kuttl/tests/fernet_rotation/02-rotate_keys.yaml
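Review bot: The `image:` line pins the openstackclient only by the floating tag `current-podified`, so the client under test changes whenever that tag is re-pushed and a failure in this test cannot be reproduced against a known build; pin a digest (`image: quay.io/podified-antelope-centos9/openstack-openstackclient@sha256:<DIGEST>`, placeholder) or add a comment stating that the tag is intentionally floating. The `openshift.io/scc: anyuid` annotation under `metadata.annotations` is normally written by SCC admission rather than by the manifest author, and the pod already runs as uid/gid 42401 with `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and all capabilities dropped, so it is probably redundant — confirm whether the `restricted` SCC admits this pod and drop the annotation if so. `resources: {}` leaves the long-lived `sleep infinity` pod unbounded; a small `limits:` block is cheap insurance in a shared test cluster.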
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: keystone
+ annotations:
+ keystone.openstack.org/rotatedat: "2009-11-10T23:00:00Z"
diff --git a/tests/kuttl/tests/fernet_rotation/03-cleanup-openstackclient.yaml b/tests/kuttl/tests/fernet_rotation/03-cleanup-openstackclient.yaml
new file mode 100644
index 00000000..ae84ba1c
--- /dev/null
+++ b/tests/kuttl/tests/fernet_rotation/03-cleanup-openstackclient.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: v1
+ kind: Pod
+ name: openstackclient
diff --git a/tests/kuttl/tests/fernet_rotation/04-cleanup-keystone.yaml b/tests/kuttl/tests/fernet_rotation/04-cleanup-keystone.yaml
new file mode 120000
index 00000000..995da707
--- /dev/null
+++ b/tests/kuttl/tests/fernet_rotation/04-cleanup-keystone.yaml
@@ -0,0 +1 @@
+../../common/cleanup-keystone.yaml
\ No newline at end of file
diff --git a/tests/kuttl/tests/fernet_rotation/04-errors.yaml b/tests/kuttl/tests/fernet_rotation/04-errors.yaml
new file mode 120000
index 00000000..82b31f18
--- /dev/null
+++ b/tests/kuttl/tests/fernet_rotation/04-errors.yaml
@@ -0,0 +1 @@
+../../common/errors_cleanup_keystone.yaml
\ No newline at end of file
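Review bot: 02-rotate_keys.yaml re-applies the operator-owned `keystone` Secret with only an annotation and no `data:`, so the outcome depends on kuttl merging into the existing object rather than replacing it; if it were ever applied as a whole object the fernet keys in that Secret would be dropped, which is worth stating in a comment, e.g. `# patch only the rotatedat annotation; the operator owns data: and is expected to rotate the fernet keys when it sees this stale timestamp`. The sentinel `"2009-11-10T23:00:00Z"` is duplicated verbatim in validate_test_token.sh, so changing it here silently desynchronises the wait loop there; a comment on each side naming the other file would help until the value can be shared.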