test: add green ldap + opa integration test

Squashed commit of the following: commit 5ba0132 Author: Razvan-Daniel Mihai <[email protected]> Date: Fri Nov 18 17:33:47 2022 +0100 Updates and cleanups. commit 2e7cd7a Author: Razvan-Daniel Mihai <[email protected]> Date: Fri Nov 18 16:58:10 2022 +0100 Remove OPA and update autocheck.py. commit 5f3aa96 Author: Razvan-Daniel Mihai <[email protected]> Date: Fri Nov 18 14:33:06 2022 +0100 Add leftover from previous comit and experiment with autocheck.py commit 71b9c43 Author: Razvan-Daniel Mihai <[email protected]> Date: Fri Nov 18 11:59:11 2022 +0100 Install openldap in the kuttl test namespace. commit 5e0e594 Author: Razvan-Daniel Mihai <[email protected]> Date: Thu Nov 17 17:47:39 2022 +0100 Almost working kuttl test (missing ldap users).
stackabletech · Nov 28, 2022 · c467de4 · c467de4
1 parent d50eeb4
commit c467de4
Show file tree

Hide file tree

Showing 20 changed files with 783 additions and 42 deletions.
diff --git a/05-install-druid.yaml b/05-install-druid.yaml
@@ -0,0 +1,158 @@
+---
+apiVersion: druid.stackable.tech/v1alpha1
+kind: DruidCluster
+metadata:
+  name: derby-druid
+spec:
+  version: 24.0.0-stackable0.2.0
+  clusterConfig:
+    authorization:
+      opa:
+        configMapName: test-opa
+        package: druid
+    deepStorage:
+      hdfs:
+        configMapName: druid-hdfs
+        directory: /druid
+    metadataStorageDatabase:
+      dbType: derby
+      connString: jdbc:derby://localhost:1527/var/druid/metadata.db;create=true
+      host: localhost
+      port: 1527
+    tls: null
+    zookeeperConfigMapName: druid-znode
+  brokers:
+    configOverrides:
+      runtime.properties:    
+        druid.auth.authenticatorChain: "[\"ldap\"]"
+        druid.auth.authenticator.ldap.type: basic
+        druid.auth.authenticator.ldap.enableCacheNotifications: 'true'
+        druid.auth.authenticator.ldap.credentialsValidator.type: ldap
+        druid.auth.authenticator.ldap.credentialsValidator.url: ldap://openldap:1389
+        druid.auth.authenticator.ldap.credentialsValidator.bindUser: uid=admin,ou=Users,dc=example,dc=org
+        druid.auth.authenticator.ldap.credentialsValidator.bindPassword: admin
+        druid.auth.authenticator.ldap.initialAdminPassword: admin
+        druid.auth.authenticator.ldap.initialInternalClientPassword: druidsystem
+        druid.auth.authenticator.ldap.credentialsValidator.baseDn: ou=Users,dc=example,dc=org
+        druid.auth.authenticator.ldap.credentialsValidator.userSearch: (&(uid=%s)(objectClass=inetOrgPerson))
+        druid.auth.authenticator.ldap.credentialsValidator.userAttribute: uid
+        druid.auth.authenticator.ldap.authorizeQueryContextParams: 'true'
+        # use the opa authorizer instead of ldap groups
+        #druid.auth.authenticator.ldap.authorizerName: OpaAuthorizer
+
+        # Escalator
+        druid.escalator.type: basic
+        druid.escalator.internalClientUsername: druid_system
+        druid.escalator.internalClientPassword: druidsystem
+        #druid.escalator.authorizerName: OpaAuthorizer
+    roleGroups:
+      default:
+        replicas: 1
+  coordinators:
+    configOverrides:
+      runtime.properties:
+        druid.auth.authenticatorChain: "[\"ldap\"]"
+        druid.auth.authenticator.ldap.type: basic
+        druid.auth.authenticator.ldap.enableCacheNotifications: 'true'
+        druid.auth.authenticator.ldap.credentialsValidator.type: ldap
+        druid.auth.authenticator.ldap.credentialsValidator.url: ldap://openldap:1389
+        druid.auth.authenticator.ldap.credentialsValidator.bindUser: uid=admin,ou=Users,dc=example,dc=org
+        druid.auth.authenticator.ldap.credentialsValidator.bindPassword: admin
+        druid.auth.authenticator.ldap.initialAdminPassword: admin
+        druid.auth.authenticator.ldap.initialInternalClientPassword: druidsystem
+        druid.auth.authenticator.ldap.credentialsValidator.baseDn: ou=Users,dc=example,dc=org
+        druid.auth.authenticator.ldap.credentialsValidator.userSearch: (&(uid=%s)(objectClass=inetOrgPerson))
+        druid.auth.authenticator.ldap.credentialsValidator.userAttribute: uid
+        druid.auth.authenticator.ldap.authorizeQueryContextParams: 'true'
+        # use the opa authorizer instead of ldap groups
+        #druid.auth.authenticator.ldap.authorizerName: OpaAuthorizer
+
+        # Escalator
+        druid.escalator.type: basic
+        druid.escalator.internalClientUsername: druid_system
+        druid.escalator.internalClientPassword: druidsystem
+        druid.escalator.authorizerName: OpaAuthorizer
+    roleGroups:
+      default:
+        replicas: 1
+  historicals:
+    configOverrides:
+      runtime.properties:
+        druid.auth.authenticatorChain: "[\"ldap\"]"
+        druid.auth.authenticator.ldap.type: basic
+        druid.auth.authenticator.ldap.enableCacheNotifications: 'true'
+        druid.auth.authenticator.ldap.credentialsValidator.type: ldap
+        druid.auth.authenticator.ldap.credentialsValidator.url: ldap://openldap:1389
+        druid.auth.authenticator.ldap.credentialsValidator.bindUser: uid=admin,ou=Users,dc=example,dc=org
+        druid.auth.authenticator.ldap.credentialsValidator.bindPassword: admin
+        druid.auth.authenticator.ldap.initialAdminPassword: admin
+        druid.auth.authenticator.ldap.initialInternalClientPassword: druidsystem
+        druid.auth.authenticator.ldap.credentialsValidator.baseDn: ou=Users,dc=example,dc=org
+        druid.auth.authenticator.ldap.credentialsValidator.userSearch: (&(uid=%s)(objectClass=inetOrgPerson))
+        druid.auth.authenticator.ldap.credentialsValidator.userAttribute: uid
+        druid.auth.authenticator.ldap.authorizeQueryContextParams: 'true'
+        # use the opa authorizer instead of ldap groups
+        #druid.auth.authenticator.ldap.authorizerName: OpaAuthorizer
+
+        # Escalator
+        druid.escalator.type: basic
+        druid.escalator.internalClientUsername: druid_system
+        druid.escalator.internalClientPassword: druidsystem
+        druid.escalator.authorizerName: OpaAuthorizer
+    roleGroups:
+      default:
+        replicas: 1
+  middleManagers:
+    configOverrides:
+      runtime.properties:
+        druid.auth.authenticatorChain: "[\"ldap\"]"
+        druid.auth.authenticator.ldap.type: basic
+        druid.auth.authenticator.ldap.enableCacheNotifications: 'true'
+        druid.auth.authenticator.ldap.credentialsValidator.type: ldap
+        druid.auth.authenticator.ldap.credentialsValidator.url: ldap://openldap:1389
+        druid.auth.authenticator.ldap.credentialsValidator.bindUser: uid=admin,ou=Users,dc=example,dc=org
+        druid.auth.authenticator.ldap.credentialsValidator.bindPassword: admin
+        druid.auth.authenticator.ldap.initialAdminPassword: admin
+        druid.auth.authenticator.ldap.initialInternalClientPassword: druidsystem
+        druid.auth.authenticator.ldap.credentialsValidator.baseDn: ou=Users,dc=example,dc=org
+        druid.auth.authenticator.ldap.credentialsValidator.userSearch: (&(uid=%s)(objectClass=inetOrgPerson))
+        druid.auth.authenticator.ldap.credentialsValidator.userAttribute: uid
+        druid.auth.authenticator.ldap.authorizeQueryContextParams: 'true'
+        # use the opa authorizer instead of ldap groups
+        #druid.auth.authenticator.ldap.authorizerName: OpaAuthorizer
+
+        # Escalator
+        druid.escalator.type: basic
+        druid.escalator.internalClientUsername: druid_system
+        druid.escalator.internalClientPassword: druidsystem
+        #druid.escalator.authorizerName: OpaAuthorizer
+    roleGroups:
+      default:
+        replicas: 1
+  routers:
+    configOverrides:
+      runtime.properties:    
+        druid.auth.authenticatorChain: "[\"ldap\"]"
+        druid.auth.authenticator.ldap.type: basic
+        druid.auth.authenticator.ldap.enableCacheNotifications: 'true'
+        druid.auth.authenticator.ldap.credentialsValidator.type: ldap
+        druid.auth.authenticator.ldap.credentialsValidator.url: ldap://openldap:1389
+        druid.auth.authenticator.ldap.credentialsValidator.bindUser: uid=admin,ou=Users,dc=example,dc=org
+        druid.auth.authenticator.ldap.credentialsValidator.bindPassword: admin
+        druid.auth.authenticator.ldap.initialAdminPassword: admin
+        druid.auth.authenticator.ldap.initialInternalClientPassword: druidsystem
+        druid.auth.authenticator.ldap.credentialsValidator.baseDn: ou=Users,dc=example,dc=org
+        druid.auth.authenticator.ldap.credentialsValidator.userSearch: (&(uid=%s)(objectClass=inetOrgPerson))
+        druid.auth.authenticator.ldap.credentialsValidator.userAttribute: uid
+        druid.auth.authenticator.ldap.authorizeQueryContextParams: 'true'
+        # use the opa authorizer instead of ldap groups
+        #druid.auth.authenticator.ldap.authorizerName: OpaAuthorizer
+
+        # Escalator
+        druid.escalator.type: basic
+        druid.escalator.internalClientUsername: druid_system
+        druid.escalator.internalClientPassword: druidsystem
+        #druid.escalator.authorizerName: OpaAuthorizer
+    roleGroups:
+      default:
+        replicas: 1
diff --git a/tests/templates/kuttl/ldap-authentication/00-assert.yaml b/tests/templates/kuttl/ldap-authentication/00-assert.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 300
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: druid-zk-server-default
+status:
+  readyReplicas: 1
+  replicas: 1
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: hdfs-znode
diff --git a/tests/templates/kuttl/ldap-authentication/00-install-zk.yaml.j2 b/tests/templates/kuttl/ldap-authentication/00-install-zk.yaml.j2
@@ -0,0 +1,27 @@
+---
+apiVersion: zookeeper.stackable.tech/v1alpha1
+kind: ZookeeperCluster
+metadata:
+  name: druid-zk
+spec:
+  version: {{ test_scenario['values']['zookeeper-latest'] }}
+  servers:
+    roleGroups:
+      default:
+        replicas: 1
+---
+apiVersion: zookeeper.stackable.tech/v1alpha1
+kind: ZookeeperZnode
+metadata:
+  name: druid-znode
+spec:
+  clusterRef:
+    name: druid-zk
+---
+apiVersion: zookeeper.stackable.tech/v1alpha1
+kind: ZookeeperZnode
+metadata:
+  name: hdfs-znode
+spec:
+  clusterRef:
+    name: druid-zk
diff --git a/tests/templates/kuttl/ldap-authentication/02-assert.yaml b/tests/templates/kuttl/ldap-authentication/02-assert.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 600
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: druid-hdfs-namenode-default
+status:
+  readyReplicas: 2
+  replicas: 2
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: druid-hdfs-journalnode-default
+status:
+  readyReplicas: 1
+  replicas: 1
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: druid-hdfs-datanode-default
+status:
+  readyReplicas: 1
+  replicas: 1
diff --git a/tests/templates/kuttl/ldap-authentication/02-install-hdfs.yaml.j2 b/tests/templates/kuttl/ldap-authentication/02-install-hdfs.yaml.j2
@@ -0,0 +1,27 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+metadata:
+  name: druid-hdfs
+timeout: 600
+---
+apiVersion: hdfs.stackable.tech/v1alpha1
+kind: HdfsCluster
+metadata:
+  name: druid-hdfs
+spec:
+  version: {{ test_scenario['values']['hadoop'] }}
+  zookeeperConfigMapName: hdfs-znode
+  dfsReplication: 1
+  nameNodes:
+    roleGroups:
+      default:
+        replicas: 2
+  dataNodes:
+    roleGroups:
+      default:
+        replicas: 1
+  journalNodes:
+    roleGroups:
+      default:
+        replicas: 1
diff --git a/tests/templates/kuttl/ldap-authentication/03-assert-openldap.yaml b/tests/templates/kuttl/ldap-authentication/03-assert-openldap.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 300
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: openldap
+status:
+  readyReplicas: 1
+  replicas: 1
diff --git a/tests/templates/kuttl/ldap-authentication/03-install-openldap.yaml b/tests/templates/kuttl/ldap-authentication/03-install-openldap.yaml
@@ -0,0 +1,73 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: openldap
+  labels:
+    app.kubernetes.io/name: openldap
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: openldap
+  serviceName: openldap
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: openldap
+    spec:
+      containers:
+        - name: openldap
+          image: docker.io/bitnami/openldap:2.5
+          env:
+            - name: LDAP_ADMIN_USERNAME
+              value: admin
+            - name: LDAP_ADMIN_PASSWORD
+              value: admin
+            - name: LDAP_ENABLE_TLS
+              value: "yes"
+            - name: LDAP_TLS_CERT_FILE
+              value: /tls/tls.crt
+            - name: LDAP_TLS_KEY_FILE
+              value: /tls/tls.key
+            - name: LDAP_TLS_CA_FILE
+              value: /tls/ca.crt
+          ports:
+            - name: ldap
+              containerPort: 1389
+            - name: tls-ldap
+              containerPort: 1636
+          volumeMounts:
+            - name: tls
+              mountPath: /tls
+          startupProbe:
+            tcpSocket:
+              port: 1389
+          readinessProbe:
+            tcpSocket:
+              port: 1389
+      volumes:
+        - name: tls
+          csi:
+            driver: secrets.stackable.tech
+            volumeAttributes:
+              secrets.stackable.tech/class: openldap-tls
+              secrets.stackable.tech/scope: pod
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openldap
+  labels:
+    app.kubernetes.io/name: openldap
+spec:
+  type: ClusterIP
+  ports:
+    - name: ldap
+      port: 1389
+      targetPort: ldap
+    - name: tls-ldap
+      port: 1636
+      targetPort: tls-ldap
+  selector:
+    app.kubernetes.io/name: openldap
diff --git a/tests/templates/kuttl/ldap-authentication/03-openldap-secret-class.yaml b/tests/templates/kuttl/ldap-authentication/03-openldap-secret-class.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+metadata:
+  name: openldap
+commands:
+  # SecretClass requires an explicit namespace to work
+  - script: |
+      kubectl apply -n $NAMESPACE -f - <<EOF
+      ---
+      apiVersion: secrets.stackable.tech/v1alpha1
+      kind: SecretClass
+      metadata:
+        name: openldap-tls
+      spec:
+        backend:
+          autoTls:
+            ca:
+              autoGenerate: true
+              secret:
+                name: openldap-tls-ca
+                namespace: $NAMESPACE
+      EOF
diff --git a/tests/templates/kuttl/ldap-authentication/04-assert-ldap-user.yaml b/tests/templates/kuttl/ldap-authentication/04-assert-ldap-user.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+commands:
+  - script: kubectl exec -n $NAMESPACE openldap-0 -- ldapsearch -H ldap://localhost:1389 -D uid=admin,ou=Users,dc=example,dc=org -w admin -b ou=Users,dc=example,dc=org > /dev/null
+  - script: kubectl exec -n $NAMESPACE openldap-0 -- bash -c LDAPTLS_CACERT=/tls/ca.crt ldapsearch -Z -H ldaps://localhost:1636 -D uid=admin,ou=Users,dc=example,dc=org -w admin -b ou=Users,dc=example,dc=org > /dev/null
diff --git a/tests/templates/kuttl/ldap-authentication/04-ldap-user.yaml b/tests/templates/kuttl/ldap-authentication/04-ldap-user.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+metadata:
+  name: create-ldap-user
+commands:
+  - script: kubectl cp -n $NAMESPACE ./create_ldap_user.sh openldap-0:/tmp
+  - script: kubectl exec -n $NAMESPACE openldap-0 -- sh /tmp/create_ldap_user.sh