add bats tests for alibabacloud secret store csi provider

kubernetes-sigs · May 19, 2023 · 32fe448 · 32fe448
1 parent 45588e2
commit 32fe448
Show file tree

Hide file tree

Showing 4 changed files with 108 additions and 0 deletions.
diff --git a/Makefile b/Makefile
@@ -97,6 +97,7 @@ KUBECTL := kubectl
 ENVSUBST := envsubst
 EKSCTL := eksctl
 YQ := yq
+ALIYUNCLI := aliyun
 
 # Test variables
 KIND_VERSION ?= 0.18.0
@@ -221,6 +222,9 @@ $(PROTOC): ## Install protoc
 $(YQ): ## Install yq for running the tests
 	curl -LO https://github.com/mikefarah/yq/releases/download/$(YQ_VERSION)/yq_linux_amd64 && chmod +x ./yq_linux_amd64 && mv yq_linux_amd64 /usr/local/bin/yq
 
+$(ALIYUNCLI): ## Install aliyun for running the tests
+	curl -LO https://github.com/aliyun/aliyun-cli/releases/download/v3.0.161/aliyun-cli-linux-3.0.161-amd64.tgz && tar xzvf aliyun-cli-linux-3.0.161-amd64.tgz && chmod +x ./aliyun && cp aliyun /usr/local/bin
+
 SHELLCHECK := $(TOOLS_BIN_DIR)/shellcheck-$(SHELLCHECK_VER)
 $(SHELLCHECK): OS := $(shell uname | tr '[:upper:]' '[:lower:]')
 $(SHELLCHECK): ARCH := $(shell uname -m)
@@ -489,6 +493,10 @@ e2e-akeyless:
 e2e-gcp:
 	bats -t test/bats/gcp.bats
 
+.PHONY: e2e-alibabacloud
+e2e-alibabacloud: $(ALIYUNCLI)
+	bats -t test/bats/alibabacloud.bats
+
 .PHONY: e2e-aws
 e2e-aws:
 	bats -t test/bats/aws.bats

diff --git a/test/bats/alibabacloud.bats b/test/bats/alibabacloud.bats
@@ -0,0 +1,66 @@
+#!/usr/bin/env bats
+
+load helpers
+
+WAIT_TIME=120
+SLEEP_TIME=1
+NAMESPACE=kube-system
+POD_NAME=alibabacloud-basic-test-mount
+BATS_TEST_DIR=test/bats/tests/alibabacloud
+
+setup() {
+  if [[ -z "${ALIBABACLOUD_ACCESS_KEY}" ]] || [[ -z "${ALIBABACLOUD_ACCESS_SECRET}" ]]; then
+    echo "Error: ram ak/sk is not provided" >&2
+    return 1
+  fi
+}
+
+setup_file() {
+    #Configure aliyun cli profile
+    aliyun configure set --profile akProfile --mode AK --region us-west-1 --access-key-id ${ALIBABACLOUD_ACCESS_KEY} --access-key-secret ${ALIBABACLOUD_ACCESS_SECRET}
+
+    #Create test secrets
+    aliyun kms CreateSecret --SecretName testBasic --SecretData testValue --VersionId v1
+}
+
+teardown_file() {
+    aliyun kms DeleteSecret --SecretName testBasic --ForceDeleteWithoutRecovery true
+}
+
+@test "secretproviderclasses crd is established" {
+    cmd="kubectl wait --namespace $NAMESPACE --for condition=established --timeout=60s crd/secretproviderclasses.secrets-store.csi.x-k8s.io"
+    wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
+
+    run kubectl get crd/secretproviderclasses.secrets-store.csi.x-k8s.io
+    assert_success
+}
+
+@test "create alibabacloud k8s secret" {
+    run kubectl create secret generic secrets-store-creds --from-literal access_key=${ALIBABACLOUD_ACCESS_KEY} --from-literal access_secret=${ALIBABACLOUD_ACCESS_SECRET} --namespace=$NAMESPACE
+    assert_success
+
+    # label the node publish secret ref secret
+    run kubectl label secret secrets-store-creds secrets-store.csi.k8s.io/used=true --namespace=$NAMESPACE
+    assert_success
+}
+
+@test "deploy alibabacloud secretproviderclass crd" {
+    envsubst < $BATS_TEST_DIR/secretproviderclass.yaml | kubectl --namespace $NAMESPACE apply -f -
+
+    cmd="kubectl --namespace $NAMESPACE get secretproviderclasses.secrets-store.csi.x-k8s.io/alibabacloud-basic-test-mount-spc -o yaml | grep alibabacloud"
+    wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
+}
+
+@test "CSI inline volume test with pod portability" {
+   kubectl --namespace $NAMESPACE  apply -f $BATS_TEST_DIR/pod-inline-volume-secretproviderclass.yaml
+   cmd="kubectl --namespace $NAMESPACE  wait --for=condition=Ready --timeout=60s pod/alibabacloud-basic-test-mount"
+   wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
+
+   run kubectl --namespace $NAMESPACE  get pod/$POD_NAME
+   assert_success
+}
+
+@test "CSI inline volume test with pod portability - read secrets manager secrets from pod" {
+    result=$(kubectl --namespace $NAMESPACE exec $POD_NAME -- cat /mnt/secrets-store/testBasic)
+    [[ "${result//$'\r'}" == "testValue" ]]
+}
diff --git a/test/bats/tests/alibabacloud/pod-inline-volume-secretproviderclass.yaml b/test/bats/tests/alibabacloud/pod-inline-volume-secretproviderclass.yaml
@@ -0,0 +1,25 @@
+kind: Pod
+apiVersion: v1
+metadata:
+  name: alibabacloud-basic-test-mount
+spec:
+  containers:
+    - image: registry.k8s.io/e2e-test-images/busybox:1.29-4
+      name: busybox
+      imagePullPolicy: IfNotPresent
+      command:
+        - "/bin/sleep"
+        - "10000"
+      volumeMounts:
+        - name: secrets-store-inline
+          mountPath: "/mnt/secrets-store"
+          readOnly: true
+  volumes:
+    - name: secrets-store-inline
+      csi:
+        driver: secrets-store.csi.k8s.io
+        readOnly: true
+        volumeAttributes:
+          secretProviderClass: "alibabacloud-basic-test-mount-spc"
+        nodePublishSecretRef:
+          name: secrets-store-creds
diff --git a/test/bats/tests/alibabacloud/secretproviderclass.yaml b/test/bats/tests/alibabacloud/secretproviderclass.yaml
@@ -0,0 +1,9 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: alibabacloud-basic-test-mount-spc
+spec:
+  provider: alibabacloud
+  parameters:
+    objects: |
+      - objectName: testBasic