Merge pull request #977 from GabyCT/topic/k8scredentials

chavafg · web-flow · commit ffa5ce0c8b73 · 2018-12-14T09:43:24.000-06:00
test: K8s test to distribute credentials using secrets
diff --git a/integration/kubernetes/k8s-credentials-secrets.bats b/integration/kubernetes/k8s-credentials-secrets.bats
@@ -0,0 +1,56 @@
+#!/usr/bin/env bats
+#
+# Copyright (c) 2018 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+load "${BATS_TEST_DIRNAME}/../../.ci/lib.sh"
+
+setup() {
+	export KUBECONFIG=/etc/kubernetes/admin.conf
+	if sudo -E kubectl get runtimeclass | grep kata; then
+		pod_config_dir="${BATS_TEST_DIRNAME}/runtimeclass_workloads"
+	else
+		pod_config_dir="${BATS_TEST_DIRNAME}/untrusted_workloads"
+	fi
+}
+
+@test "Credentials using secrets" {
+	secret_name="test-secret"
+	pod_name="secret-test-pod"
+	second_pod_name="secret-envars-test-pod"
+
+	# Create the secret
+	sudo -E kubectl create -f "${pod_config_dir}/inject_secret.yaml"
+
+	# View information about the secret
+	sudo -E kubectl get secret "${secret_name}" -o yaml | grep "type: Opaque"
+
+	# Create a pod that has access to the secret through a volume
+	sudo -E kubectl create -f "${pod_config_dir}/pod-secret.yaml"
+
+	# Check pod creation
+	sudo -E kubectl wait --for=condition=Ready pod "$pod_name"
+
+	# List the files
+	cmd="ls /tmp/secret-volume"
+	sudo -E kubectl exec $pod_name -- sh -c "$cmd" | grep -w "password"
+	sudo -E kubectl exec $pod_name -- sh -c "$cmd" | grep -w "username"
+
+	# Create a pod that has access to the secret data through environment variables
+	sudo -E kubectl create -f "${pod_config_dir}/pod-secret-env.yaml"
+
+	# Check pod creation
+	sudo -E kubectl wait --for=condition=Ready pod "$second_pod_name"
+
+	# Display environment variables
+	second_cmd="printenv"
+	sudo -E kubectl exec $second_pod_name -- sh -c "$second_cmd" | grep -w "SECRET_USERNAME"
+	sudo -E kubectl exec $second_pod_name -- sh -c "$second_cmd" | grep -w "SECRET_PASSWORD"
+}
+
+teardown() {
+	sudo -E kubectl delete pod "$pod_name" "$second_pod_name"
+	sudo -E kubectl delete secret "$secret_name"
+}
diff --git a/integration/kubernetes/run_kubernetes_tests.sh b/integration/kubernetes/run_kubernetes_tests.sh
@@ -27,6 +27,7 @@ pushd "$kubernetes_dir"
 bats nginx.bats
 bats k8s-uts+ipc-ns.bats
 bats k8s-env.bats
+bats k8s-credentials-secrets.bats
 bats k8s-pid-ns.bats
 bats k8s-cpu-ns.bats
 bats k8s-parallel.bats
diff --git a/integration/kubernetes/runtimeclass_workloads/inject_secret.yaml b/integration/kubernetes/runtimeclass_workloads/inject_secret.yaml
@@ -0,0 +1,12 @@
+#
+# Copyright (c) 2018 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test-secret
+data:
+  username: bXktYXBw
+  password: Mzk1MjgkdmRnN0pi
diff --git a/integration/kubernetes/runtimeclass_workloads/pod-secret-env.yaml b/integration/kubernetes/runtimeclass_workloads/pod-secret-env.yaml
@@ -0,0 +1,26 @@
+#
+# Copyright (c) 2018 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: Pod
+metadata:
+  name: secret-envars-test-pod
+spec:
+  runtimeClassName: kata
+  containers:
+  - name: envars-test-container
+    image: busybox
+    command: ["/bin/sh", "-c", "tail -f /dev/null"]
+    env:
+    - name: SECRET_USERNAME
+      valueFrom:
+        secretKeyRef:
+          name: test-secret
+          key: username
+    - name: SECRET_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: test-secret
+          key: password
diff --git a/integration/kubernetes/runtimeclass_workloads/pod-secret.yaml b/integration/kubernetes/runtimeclass_workloads/pod-secret.yaml
@@ -0,0 +1,24 @@
+#
+# Copyright (c) 2018 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: Pod
+metadata:
+  name: secret-test-pod
+spec:
+  runtimeClassName: kata
+  containers:
+    - name: test-container
+      image: busybox
+      command: ["/bin/sh", "-c", "tail -f /dev/null"]
+      volumeMounts:
+          # name must match the volume name below
+          - name: secret-volume
+            mountPath: /tmp/secret-volume
+  # The secret data is exposed to Containers in the Pod through a Volume.
+  volumes:
+    - name: secret-volume
+      secret:
+        secretName: test-secret
diff --git a/integration/kubernetes/untrusted_workloads/inject_secret.yaml b/integration/kubernetes/untrusted_workloads/inject_secret.yaml
@@ -0,0 +1,12 @@
+#
+# Copyright (c) 2018 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: Secret
+metadata:
+  name: test-secret
+data:
+  username: bXktYXBw
+  password: Mzk1MjgkdmRnN0pi
diff --git a/integration/kubernetes/untrusted_workloads/pod-secret-env.yaml b/integration/kubernetes/untrusted_workloads/pod-secret-env.yaml
@@ -0,0 +1,28 @@
+#
+# Copyright (c) 2018 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: Pod
+metadata:
+  name: secret-envars-test-pod
+  annotations:
+    io.kubernetes.cri-o.TrustedSandbox: "false"
+    io.kubernetes.cri.untrusted-workload: "true"
+spec:
+  containers:
+  - name: envars-test-container
+    image: busybox
+    command: ["/bin/sh", "-c", "tail -f /dev/null"]
+    env:
+    - name: SECRET_USERNAME
+      valueFrom:
+        secretKeyRef:
+          name: test-secret
+          key: username
+    - name: SECRET_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: test-secret
+          key: password
diff --git a/integration/kubernetes/untrusted_workloads/pod-secret.yaml b/integration/kubernetes/untrusted_workloads/pod-secret.yaml
@@ -0,0 +1,26 @@
+#
+# Copyright (c) 2018 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: Pod
+metadata:
+  name: secret-test-pod
+  annotations:
+    io.kubernetes.cri-o.TrustedSandbox: "false"
+    io.kubernetes.cri.untrusted-workload: "true"
+spec:
+  containers:
+    - name: test-container
+      image: busybox
+      command: ["/bin/sh", "-c", "tail -f /dev/null"]
+      volumeMounts:
+          # name must match the volume name below
+          - name: secret-volume
+            mountPath: /tmp/secret-volume
+  # The secret data is exposed to Containers in the Pod through a Volume.
+  volumes:
+    - name: secret-volume
+      secret:
+        secretName: test-secret
