diff --git a/Makefile b/Makefile index 4af7c157c..6fd39d63d 100644 --- a/Makefile +++ b/Makefile @@ -97,6 +97,7 @@ KUBECTL := kubectl ENVSUBST := envsubst EKSCTL := eksctl YQ := yq +ALIYUNCLI := aliyun # Test variables KIND_VERSION ?= 0.18.0 @@ -221,6 +222,9 @@ $(PROTOC): ## Install protoc $(YQ): ## Install yq for running the tests curl -LO https://github.com/mikefarah/yq/releases/download/$(YQ_VERSION)/yq_linux_amd64 && chmod +x ./yq_linux_amd64 && mv yq_linux_amd64 /usr/local/bin/yq +$(ALIYUNCLI): ## Install aliyun for running the tests + curl -LO https://github.com/aliyun/aliyun-cli/releases/download/v3.0.161/aliyun-cli-linux-3.0.161-amd64.tgz && tar xzvf aliyun-cli-linux-3.0.161-amd64.tgz && chmod +x ./aliyun && cp aliyun /usr/local/bin + SHELLCHECK := $(TOOLS_BIN_DIR)/shellcheck-$(SHELLCHECK_VER) $(SHELLCHECK): OS := $(shell uname | tr '[:upper:]' '[:lower:]') $(SHELLCHECK): ARCH := $(shell uname -m) @@ -490,6 +494,10 @@ e2e-akeyless: e2e-gcp: bats -t test/bats/gcp.bats +.PHONY: e2e-alibabacloud +e2e-alibabacloud: $(ALIYUNCLI) + bats -t test/bats/alibabacloud.bats + .PHONY: e2e-aws e2e-aws: bats -t test/bats/aws.bats diff --git a/test/bats/alibabacloud.bats b/test/bats/alibabacloud.bats new file mode 100644 index 000000000..27e05f994 --- /dev/null +++ b/test/bats/alibabacloud.bats 
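Review bot: The new `$(ALIYUNCLI)` recipe extracts a tarball fetched from a release URL and copies the binary into /usr/local/bin without any integrity check, and the bats file added in this commit then hands that binary the Alibaba Cloud access keys. Pin the expected digest and verify it before extracting, for example by inserting `echo "<expected-sha256>  aliyun-cli-linux-3.0.161-amd64.tgz" | sha256sum -c -` between the `curl` and `tar` steps, and use `curl -fLO` so an HTTP error fails the recipe instead of saving an error page. The release number 3.0.161 is also written twice in the URL; a variable alongside the existing version knobs (for example `ALIYUNCLI_VERSION ?= 3.0.161`) would keep bumps in one place. The `$(YQ)` context line just above uses the same unverified-download pattern, which this commit does not change.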
@@ -0,0 +1,70 @@
+#!/usr/bin/env bats
+
+load helpers
+
+WAIT_TIME=120
+SLEEP_TIME=1
+NAMESPACE=kube-system
+POD_NAME=alibabacloud-basic-test-mount
+BATS_TEST_DIR=test/bats/tests/alibabacloud
+PROVIDER_YAML=https://raw.githubusercontent.com/AliyunContainerService/secrets-store-csi-driver-provider-alibaba-cloud/main/deployment/provider-alibabacloud-installer.yaml
+
+setup() {
+ if [[ -z "${ALIBABACLOUD_ACCESS_KEY}" ]] || [[ -z "${ALIBABACLOUD_ACCESS_SECRET}" ]]; then
+ echo "Error: ram ak/sk is not provided" >&2
+ return 1
+ fi
+}
+
+setup_file() {
+ #Configure aliyun cli profile
+ aliyun configure set --profile akProfile --mode AK --region us-west-1 --access-key-id ${ALIBABACLOUD_ACCESS_KEY} --access-key-secret ${ALIBABACLOUD_ACCESS_SECRET}
+
+ #Create test secrets
+ aliyun kms CreateSecret --SecretName testBasic --SecretData testValue --VersionId v1
+}
+
+teardown_file() {
+ aliyun kms DeleteSecret --SecretName testBasic --ForceDeleteWithoutRecovery true
+}
+
+@test "install alibabacloud provider" {
+ run kubectl apply -f $PROVIDER_YAML --namespace $NAMESPACE
+ assert_success
+
+ kubectl wait --for=condition=Ready --timeout=120s pod -l app=csi-secrets-store-provider-alibabacloud --namespace $NAMESPACE
+
+ ALIBABACLOUD_PROVIDER_POD=$(kubectl get pod --namespace $NAMESPACE -l app=csi-secrets-store-provider-alibabacloud -o jsonpath="{.items[0].metadata.name}")
+
+ run kubectl get pod/$ALIBABACLOUD_PROVIDER_POD --namespace $NAMESPACE
+ assert_success
+}
+
+@test "secretproviderclasses crd is established" {
+ cmd="kubectl wait --namespace $NAMESPACE --for condition=established --timeout=60s crd/secretproviderclasses.secrets-store.csi.x-k8s.io"
+ wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
+
+ run kubectl get crd/secretproviderclasses.secrets-store.csi.x-k8s.io
+ assert_success
+}
+
+@test "deploy alibabacloud secretproviderclass crd" {
+ envsubst < $BATS_TEST_DIR/secretproviderclass.yaml | kubectl --namespace $NAMESPACE apply -f -
+
+ cmd="kubectl --namespace 
$NAMESPACE get secretproviderclasses.secrets-store.csi.x-k8s.io/alibabacloud-basic-test-mount-spc -o yaml | grep alibabacloud"
+ wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
+}
+
+@test "CSI inline volume test with pod portability" {
+ kubectl --namespace $NAMESPACE apply -f $BATS_TEST_DIR/pod-inline-volume-secretproviderclass.yaml
+ cmd="kubectl --namespace $NAMESPACE wait --for=condition=Ready --timeout=60s pod/alibabacloud-basic-test-mount"
+ wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
+
+ run kubectl --namespace $NAMESPACE get pod/$POD_NAME
+ assert_success
+}
+
+@test "CSI inline volume test with pod portability - read secrets manager secrets from pod" {
+ result=$(kubectl --namespace $NAMESPACE exec $POD_NAME -- cat /mnt/secrets-store/testBasic)
+ [[ "${result//$'\r'}" == "testValue" ]]
+}
diff --git a/test/bats/tests/alibabacloud/pod-inline-volume-secretproviderclass.yaml b/test/bats/tests/alibabacloud/pod-inline-volume-secretproviderclass.yaml
new file mode 100644
index 000000000..0398701bd
--- /dev/null
+++ b/test/bats/tests/alibabacloud/pod-inline-volume-secretproviderclass.yaml
@@ -0,0 +1,25 @@
+kind: Pod
+apiVersion: v1
+metadata:
+ name: alibabacloud-basic-test-mount
+spec:
+ containers:
+ - image: registry.k8s.io/e2e-test-images/busybox:1.29-4
+ name: busybox
+ imagePullPolicy: IfNotPresent
+ command:
+ - "/bin/sleep"
+ - "10000"
+ volumeMounts:
+ - name: secrets-store-inline
+ mountPath: "/mnt/secrets-store"
+ readOnly: true
+ volumes:
+ - name: secrets-store-inline
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: "alibabacloud-basic-test-mount-spc"
+ nodePublishSecretRef:
+ name: secrets-store-creds
diff --git a/test/bats/tests/alibabacloud/secretproviderclass.yaml b/test/bats/tests/alibabacloud/secretproviderclass.yaml
new file mode 100644
index 000000000..1b23b209d
--- /dev/null
+++ b/test/bats/tests/alibabacloud/secretproviderclass.yaml
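Review bot: The empty-credential guard sits in `setup()`, but the keys are first used in `setup_file()`, which bats runs once before any per-test `setup()`, so with unset variables `aliyun configure set` and `aliyun kms CreateSecret` are attempted before the guard can stop the run; move the `[[ -z ... ]]` check to the top of `setup_file()`. In that same `aliyun configure set` call the expansions are unquoted and the secret is passed as a command-line argument; at minimum write `--access-key-secret "${ALIBABACLOUD_ACCESS_SECRET}"`, and consider removing the `akProfile` profile in `teardown_file()`, since the CLI presumably persists it on the runner after the test ends. Separately, `PROVIDER_YAML` points at the `main` branch of the provider repository, so every run applies whatever manifest is current there into `kube-system`; pinning the URL to a release tag or commit (`.../<pinned-tag-or-commit>/deployment/provider-alibabacloud-installer.yaml`) keeps the applied manifest fixed and reviewable.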
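Review bot: `nodePublishSecretRef` names a Secret `secrets-store-creds`, but nothing visible in this commit's alibabacloud.bats creates a Secret of that name in `kube-system`; the access keys are only given to the local `aliyun` CLI. If the provider is meant to authenticate through that Secret, the test should create it from `ALIBABACLOUD_ACCESS_KEY`/`ALIBABACLOUD_ACCESS_SECRET` before applying this pod and delete it in `teardown_file()`. If the credentials reach the provider some other way (the installer manifest or the shared helpers, neither shown here), dropping the reference would keep the fixture from implying a credential path the test does not exercise.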
@@ -0,0 +1,9 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: alibabacloud-basic-test-mount-spc
+spec:
+ provider: alibabacloud
+ parameters:
+ objects: |
+ - objectName: testBasic