Fernet rotation kuttl tests

tests/kuttl/common/scripts/create_test_token.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+set -euxo pipefail
+
+alias openstack="oc exec -tn $NAMESPACE openstackclient -- openstack"
+
+export OS_TOKEN=$(openstack token issue -f value -c id)
+
+echo $OS_TOKEN > /tmp/temporary_test_token

tests/kuttl/common/scripts/validate_test_token.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+set -euxo pipefail
+
+export OS_TOKEN=$(cat /tmp/temporary_test_token)
+
+alias openstack="oc exec -tn $NAMESPACE openstackclient -- env OS_TOKEN=$OS_TOKEN openstack --os-auth-type token "
+
+openstack endpoint list > /dev/null

tests/kuttl/tests/fernet_rotation/00-assert.yaml

@@ -0,0 +1 @@
+../../common/assert_sample_deployment.yaml

tests/kuttl/tests/fernet_rotation/00-deploy_keystone.yaml

@@ -0,0 +1 @@
+../../common/keystoneapi_deploy.yaml

tests/kuttl/tests/fernet_rotation/01-assert.yaml

@@ -0,0 +1,5 @@
+# create a test token, save it in /tmp/
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+commands:
+  - script: $KEYSTONE_KUTTL_DIR/../common/scripts/create_test_token.sh

tests/kuttl/tests/fernet_rotation/01-deploy_openstackclient.yaml

@@ -0,0 +1,54 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    openshift.io/scc: anyuid
+  labels:
+    app: openstackclient
+  name: openstackclient
+spec:
+  containers:
+  - args:
+    - --single-child
+    - --
+    - /bin/bash
+    - -c
+    - /bin/sleep infinity
+    command:
+    - /bin/dumb-init
+    env:
+    - name: OS_CLOUD
+      value: default
+    imagePullPolicy: IfNotPresent
+    name: openstackclient
+    resources: {}
+    securityContext:
+       capabilities:
+         drop:
+         - ALL
+       runAsGroup: 42401
+       runAsNonRoot: true
+       runAsUser: 42401
+       allowPrivilegeEscalation: false
+       seccompProfile:
+         type: RuntimeDefault
+    terminationMessagePath: /dev/termination-log
+    terminationMessagePolicy: File
+    volumeMounts:
+    - mountPath: /etc/openstack/clouds.yaml
+      name: openstack-config
+      subPath: clouds.yaml
+    - mountPath: /etc/openstack/secure.yaml
+      name: openstack-config-secret
+      subPath: secure.yaml
+  dnsPolicy: ClusterFirst
+  enableServiceLinks: true
+  volumes:
+  - configMap:
+      defaultMode: 420
+      name: openstack-config
+    name: openstack-config
+  - name: openstack-config-secret
+    secret:
+      defaultMode: 420
+      secretName: openstack-config-secret

tests/kuttl/tests/fernet_rotation/02-assert.yaml

@@ -0,0 +1,6 @@
+# validate that token saved in previous step works
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+namespaced: true
+commands:
+  - script: $KEYSTONE_KUTTL_DIR/../common/scripts/validate_test_token.sh

tests/kuttl/tests/fernet_rotation/02-rotate_keys.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |
+      oc create -n $NAMESPACE job --from cronjob/keystone-fernet-cronjob rotation-job-test1

tests/kuttl/tests/fernet_rotation/03-assert.yaml

@@ -0,0 +1,7 @@
+# check job executed successfully
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+namespaced: true
+commands:
+  - script: |
+      oc wait -n $NAMESPACE --for=condition=complete --timeout=30s job/rotation-job-test1

tests/kuttl/tests/fernet_rotation/04-cleanup-keystone.yaml

@@ -0,0 +1 @@
+../../common/cleanup-keystone.yaml

tests/kuttl/tests/fernet_rotation/04-errors.yaml

@@ -0,0 +1 @@
+../../common/errors_cleanup_keystone.yaml