diff --git a/Makefile b/Makefile
index 39e189b71..f4e8a582d 100644
--- a/Makefile
+++ b/Makefile
@@ -97,6 +97,7 @@ KUBECTL := kubectl
 ENVSUBST := envsubst
 EKSCTL := eksctl
 YQ := yq
+ALIYUNCLI := aliyun
 # Test variables
 KIND_VERSION ?= 0.18.0
@@ -221,6 +222,9 @@ $(PROTOC): ## Install protoc
 $(YQ): ## Install yq for running the tests
 curl -LO https://github.com/mikefarah/yq/releases/download/$(YQ_VERSION)/yq_linux_amd64 && chmod +x ./yq_linux_amd64 && mv yq_linux_amd64 /usr/local/bin/yq
+$(ALIYUNCLI): ## Install aliyun for running the tests
+ curl -LO https://github.com/aliyun/aliyun-cli/releases/download/v3.0.161/aliyun-cli-linux-3.0.161-amd64.tgz && tar xzvf aliyun-cli-linux-3.0.161-amd64.tgz && chmod +x ./aliyun && cp aliyun /usr/local/bin
+
 SHELLCHECK := $(TOOLS_BIN_DIR)/shellcheck-$(SHELLCHECK_VER)
 $(SHELLCHECK): OS := $(shell uname | tr '[:upper:]' '[:lower:]')
 $(SHELLCHECK): ARCH := $(shell uname -m)
@@ -489,6 +493,10 @@ e2e-akeyless:
 e2e-gcp:
 bats -t test/bats/gcp.bats
+.PHONY: e2e-alibabacloud
+e2e-alibabacloud: $(ALIYUNCLI)
+ bats -t test/bats/alibabacloud.bats
+
 .PHONY: e2e-aws
 e2e-aws:
 bats -t test/bats/aws.bats
diff --git a/test/bats/alibabacloud.bats b/test/bats/alibabacloud.bats
new file mode 100644
index 000000000..94dda6993
--- /dev/null
+++ b/test/bats/alibabacloud.bats
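Review bot: The `$(ALIYUNCLI)` recipe unpacks a downloaded release tarball and copies the binary into /usr/local/bin without any integrity check, and the e2e tests then hand that binary the cloud access key pair. Record a digest alongside the version and verify it before `tar` runs, e.g. insert `echo "$(ALIYUNCLI_SHA256)  aliyun-cli-linux-$(ALIYUNCLI_VERSION)-amd64.tgz" | sha256sum -c -` between the `curl` and `tar` steps, where `ALIYUNCLI_SHA256` is a new variable holding the digest captured when the release was vetted (placeholder; no digest appears on this page). Using `curl -fLO` would also make an HTTP error fail the recipe rather than saving the error body to disk. The version `3.0.161` is hard-coded twice in the recipe, whereas the `$(YQ)` rule just above takes it from `$(YQ_VERSION)`; an `ALIYUNCLI_VERSION ?= 3.0.161` variable would keep the two rules consistent.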
@@ -0,0 +1,66 @@
+#!/usr/bin/env bats
+
+load helpers
+
+WAIT_TIME=120
+SLEEP_TIME=1
+NAMESPACE=kube-system
+POD_NAME=alibabacloud-basic-test-mount
+BATS_TEST_DIR=test/bats/tests/alibabacloud
+
+setup() {
+ if [[ -z "${ALIBABACLOUD_ACCESS_KEY}" ]] || [[ -z "${ALIBABACLOUD_ACCESS_SECRET}" ]]; then
+ echo "Error: ram ak/sk is not provided" >&2
+ return 1
+ fi
+}
+
+setup_file() {
+ #Configure aliyun cli profile
+ aliyun configure set --profile akProfile --mode AK --region us-west-1 --access-key-id ${ALIBABACLOUD_ACCESS_KEY} --access-key-secret ${ALIBABACLOUD_ACCESS_SECRET}
+
+ #Create test secrets
+ aliyun kms CreateSecret --SecretName testBasic --SecretData testValue --VersionId v1
+}
+
+teardown_file() {
+ aliyun kms DeleteSecret --SecretName testBasic --ForceDeleteWithoutRecovery true
+}
+
+@test "secretproviderclasses crd is established" {
+ cmd="kubectl wait --namespace $NAMESPACE --for condition=established --timeout=60s crd/secretproviderclasses.secrets-store.csi.x-k8s.io"
+ wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
+
+ run kubectl get crd/secretproviderclasses.secrets-store.csi.x-k8s.io
+ assert_success
+}
+
+@test "create alibabacloud k8s secret" {
+ run kubectl create secret generic secrets-store-creds --from-literal access_key=${ALIBABACLOUD_ACCESS_KEY} --from-literal access_secret=${ALIBABACLOUD_ACCESS_SECRET} --namespace=$NAMESPACE
+ assert_success
+
+ # label the node publish secret ref secret
+ run kubectl label secret secrets-store-creds secrets-store.csi.k8s.io/used=true --namespace=$NAMESPACE
+ assert_success
+}
+
+@test "deploy alibabacloud secretproviderclass crd" {
+ envsubst < $BATS_TEST_DIR/secretproviderclass.yaml | kubectl --namespace $NAMESPACE apply -f -
+
+ cmd="kubectl --namespace $NAMESPACE get secretproviderclasses.secrets-store.csi.x-k8s.io/alibabacloud-basic-test-mount-spc -o yaml | grep alibabacloud"
+ wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
+}
+
+@test "CSI inline volume test with pod portability" {
+ kubectl --namespace $NAMESPACE apply -f $BATS_TEST_DIR/pod-inline-volume-secretproviderclass.yaml
+ cmd="kubectl --namespace $NAMESPACE wait --for=condition=Ready --timeout=60s pod/alibabacloud-basic-test-mount"
+ wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
+
+ run kubectl --namespace $NAMESPACE get pod/$POD_NAME
+ assert_success
+}
+
+@test "CSI inline volume test with pod portability - read secrets manager secrets from pod" {
+ result=$(kubectl --namespace $NAMESPACE exec $POD_NAME -- cat /mnt/secrets-store/testBasic)
+ [[ "${result//$'\r'}" == "testValue" ]]
+}
diff --git a/test/bats/tests/alibabacloud/pod-inline-volume-secretproviderclass.yaml b/test/bats/tests/alibabacloud/pod-inline-volume-secretproviderclass.yaml
new file mode 100644
index 000000000..0398701bd
--- /dev/null
+++ b/test/bats/tests/alibabacloud/pod-inline-volume-secretproviderclass.yaml
@@ -0,0 +1,25 @@
+kind: Pod
+apiVersion: v1
+metadata:
+ name: alibabacloud-basic-test-mount
+spec:
+ containers:
+ - image: registry.k8s.io/e2e-test-images/busybox:1.29-4
+ name: busybox
+ imagePullPolicy: IfNotPresent
+ command:
+ - "/bin/sleep"
+ - "10000"
+ volumeMounts:
+ - name: secrets-store-inline
+ mountPath: "/mnt/secrets-store"
+ readOnly: true
+ volumes:
+ - name: secrets-store-inline
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: "alibabacloud-basic-test-mount-spc"
+ nodePublishSecretRef:
+ name: secrets-store-creds
diff --git a/test/bats/tests/alibabacloud/secretproviderclass.yaml b/test/bats/tests/alibabacloud/secretproviderclass.yaml
new file mode 100644
index 000000000..1b23b209d
--- /dev/null
+++ b/test/bats/tests/alibabacloud/secretproviderclass.yaml
@@ -0,0 +1,9 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: alibabacloud-basic-test-mount-spc
+spec:
+ provider: alibabacloud
+ parameters:
+ objects: |
+ - objectName: testBasic
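Review bot: In test/bats/alibabacloud.bats the access key pair is passed as unquoted command-line arguments to `aliyun configure set` and to `kubectl create secret ... --from-literal`, and nothing removes it afterwards: `teardown_file` deletes only the KMS secret, so the `secrets-store-creds` Secret in kube-system and the `akProfile` CLI profile outlive the run. Quote the expansions (`"${ALIBABACLOUD_ACCESS_SECRET}"`) and extend `teardown_file` with cleanup such as `kubectl delete secret secrets-store-creds --namespace=$NAMESPACE --ignore-not-found`, plus removal of the stored CLI profile. The empty-credential guard is also in the wrong hook: bats runs `setup()` before each test, but `setup_file()` has already called `aliyun configure set` and `aliyun kms CreateSecret` by then, so the check belongs at the top of `setup_file()`. On a shared CI runner, arguments are readable by other local users while the command runs, so feeding the key material from a file or stdin is preferable where the tools allow it; that needs confirming for the aliyun CLI.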