openbao-helm/test/acceptance/server-ha-raft.bats

#!/usr/bin/env bats

load _helpers

@test "server/ha-raft: testing deployment" {
  cd `chart_dir`

  helm install "$(name_prefix)" \
    --set='server.ha.enabled=true' \
    --set='server.ha.raft.enabled=true' .
  wait_for_running $(name_prefix)-0

  # Sealed, not initialized
  wait_for_sealed_vault $(name_prefix)-0

  local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
    jq -r '.initialized')
  [ "${init_status}" == "false" ]

  # Replicas
  local replicas=$(kubectl get statefulset "$(name_prefix)" --output json |
    jq -r '.spec.replicas')
  [ "${replicas}" == "3" ]

  # Volume Mounts
  local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
    jq -r '.spec.template.spec.containers[0].volumeMounts | length')
  [ "${volumeCount}" == "3" ]

  # Volumes
  local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json |
    jq -r '.spec.template.spec.volumes | length')
  [ "${volumeCount}" == "2" ]

  local volume=$(kubectl get statefulset "$(name_prefix)" --output json |
    jq -r '.spec.template.spec.volumes[0].configMap.name')
  [ "${volume}" == "$(name_prefix)-config" ]

  # Service
  local service=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.spec.clusterIP')
  [ "${service}" != "None" ]

  local service=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.spec.type')
  [ "${service}" == "ClusterIP" ]

  local ports=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.spec.ports | length')
  [ "${ports}" == "2" ]

  local ports=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.spec.ports[0].port')
  [ "${ports}" == "8200" ]

  local ports=$(kubectl get service "$(name_prefix)" --output json |
    jq -r '.spec.ports[1].port')
  [ "${ports}" == "8201" ]

  # OpenBao Init
  local init=$(kubectl exec -ti "$(name_prefix)-0" -- \
    bao operator init -format=json -n 1 -t 1)

  local token=$(echo ${init} | jq -r '.unseal_keys_b64[0]')
  [ "${token}" != "" ]

  local root=$(echo ${init} | jq -r '.root_token')
  [ "${root}" != "" ]

  kubectl exec -ti openbao-0 -- bao operator unseal ${token}
  wait_for_ready "$(name_prefix)-0"

  sleep 5

  # OpenBao Unseal
  local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json | jq -r '.items[].metadata.name'))
  for pod in "${pods[@]}"
  do
      if [[ ${pod?} != "$(name_prefix)-0" ]]
      then
          kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200
          kubectl exec -ti ${pod} -- bao operator unseal ${token}
          wait_for_ready "${pod}"
      fi
  done

  # Sealed, not initialized
  local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
    jq -r '.sealed' )
  [ "${sealed_status}" == "false" ]

  local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json |
    jq -r '.initialized')
  [ "${init_status}" == "true" ]

  kubectl exec "$(name_prefix)-0" -- bao login ${root}

  local raft_status=$(kubectl exec "$(name_prefix)-0" -- bao operator raft list-peers -format=json |
    jq -r '.data.config.servers | length')
  [ "${raft_status}" == "3" ]
}

setup() {
  kubectl delete namespace acceptance --ignore-not-found=true
  kubectl create namespace acceptance
  kubectl config set-context --current --namespace=acceptance
}

#cleanup
teardown() {
  if [[ ${CLEANUP:-true} == "true" ]]
  then
      # If the test failed, print some debug output
      if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then
          kubectl logs -l app.kubernetes.io/name=openbao
      fi
      helm delete openbao
      kubectl delete --all pvc
      kubectl delete namespace acceptance --ignore-not-found=true
  fi
}
Add Raft HA support (#229) * Add raft support * Add acceptance test * Update templates/server-headless-service.yaml Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Add notes to raft configurables Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> 2020-03-18 19:49:14 +00:00			`#!/usr/bin/env bats`

			`load _helpers`

			`@test "server/ha-raft: testing deployment" {`
			cd `chart_dir`

			`helm install "$(name_prefix)" \`
			`--set='server.ha.enabled=true' \`
			`--set='server.ha.raft.enabled=true' .`
			`wait_for_running $(name_prefix)-0`

			`# Sealed, not initialized`
Run CI tests in github workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com> 2021-12-11 01:11:35 +00:00			`wait_for_sealed_vault $(name_prefix)-0`
Add Raft HA support (#229) * Add raft support * Add acceptance test * Update templates/server-headless-service.yaml Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Add notes to raft configurables Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> 2020-03-18 19:49:14 +00:00
replace vault command with bao and helm install/delete vault with openbao - part 1 Signed-off-by: jessebot <jessebot@linux.com> 2024-05-22 18:33:41 +00:00			`local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json \|`
Add Raft HA support (#229) * Add raft support * Add acceptance test * Update templates/server-headless-service.yaml Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Add notes to raft configurables Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> 2020-03-18 19:49:14 +00:00			`jq -r '.initialized')`
			`[ "${init_status}" == "false" ]`

			`# Replicas`
			`local replicas=$(kubectl get statefulset "$(name_prefix)" --output json \|`
			`jq -r '.spec.replicas')`
			`[ "${replicas}" == "3" ]`

			`# Volume Mounts`
			`local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json \|`
			`jq -r '.spec.template.spec.containers[0].volumeMounts \| length')`
Add OpenShift beta support (#319) * Initial commit * Added openshift flag * added self signed certificate for service annotation * added OpenShift flag * Added OpenShift flag * cleanup * Cleanup * Further cleanup * Further cleanup * reverted security context on injector * Extra corrections * cleanup * Removed Raft config for OpenShift, removed generated certs for ha and standby services * Add openshift flag to global block, route disabled by default, condition for injector in network policy * Added Unit tests for OpenShift * Fixed unit test for HA statefulset for OpenShift * Removed debug log level from stateful set * Added port 8201 to networkpolicy * Updated injector image * Add openshift beta support * Add openshift beta support * Remove comments from configs * Remove vault-k8s note from values * Change route to use active service when HA Co-authored-by: Radu Domnu <radu.domnu@sixdx.com> Co-authored-by: Radu Domnu <radu.domnu@gmail.com> 2020-06-03 02:10:41 +00:00			`[ "${volumeCount}" == "3" ]`
Add Raft HA support (#229) * Add raft support * Add acceptance test * Update templates/server-headless-service.yaml Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Add notes to raft configurables Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> 2020-03-18 19:49:14 +00:00
			`# Volumes`
			`local volumeCount=$(kubectl get statefulset "$(name_prefix)" --output json \|`
			`jq -r '.spec.template.spec.volumes \| length')`
Add OpenShift beta support (#319) * Initial commit * Added openshift flag * added self signed certificate for service annotation * added OpenShift flag * Added OpenShift flag * cleanup * Cleanup * Further cleanup * Further cleanup * reverted security context on injector * Extra corrections * cleanup * Removed Raft config for OpenShift, removed generated certs for ha and standby services * Add openshift flag to global block, route disabled by default, condition for injector in network policy * Added Unit tests for OpenShift * Fixed unit test for HA statefulset for OpenShift * Removed debug log level from stateful set * Added port 8201 to networkpolicy * Updated injector image * Add openshift beta support * Add openshift beta support * Remove comments from configs * Remove vault-k8s note from values * Change route to use active service when HA Co-authored-by: Radu Domnu <radu.domnu@sixdx.com> Co-authored-by: Radu Domnu <radu.domnu@gmail.com> 2020-06-03 02:10:41 +00:00			`[ "${volumeCount}" == "2" ]`
Add Raft HA support (#229) * Add raft support * Add acceptance test * Update templates/server-headless-service.yaml Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Add notes to raft configurables Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> 2020-03-18 19:49:14 +00:00
			`local volume=$(kubectl get statefulset "$(name_prefix)" --output json \|`
			`jq -r '.spec.template.spec.volumes[0].configMap.name')`
			`[ "${volume}" == "$(name_prefix)-config" ]`

			`# Service`
			`local service=$(kubectl get service "$(name_prefix)" --output json \|`
			`jq -r '.spec.clusterIP')`
			`[ "${service}" != "None" ]`

			`local service=$(kubectl get service "$(name_prefix)" --output json \|`
			`jq -r '.spec.type')`
			`[ "${service}" == "ClusterIP" ]`

			`local ports=$(kubectl get service "$(name_prefix)" --output json \|`
			`jq -r '.spec.ports \| length')`
			`[ "${ports}" == "2" ]`

			`local ports=$(kubectl get service "$(name_prefix)" --output json \|`
			`jq -r '.spec.ports[0].port')`
			`[ "${ports}" == "8200" ]`

			`local ports=$(kubectl get service "$(name_prefix)" --output json \|`
			`jq -r '.spec.ports[1].port')`
			`[ "${ports}" == "8201" ]`

update more vault to openbao everywhere Signed-off-by: jessebot <jessebot@linux.com> 2024-05-28 11:52:10 +00:00			`# OpenBao Init`
Add Raft HA support (#229) * Add raft support * Add acceptance test * Update templates/server-headless-service.yaml Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Add notes to raft configurables Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> 2020-03-18 19:49:14 +00:00			`local init=$(kubectl exec -ti "$(name_prefix)-0" -- \`
replace vault command with bao and helm install/delete vault with openbao - part 1 Signed-off-by: jessebot <jessebot@linux.com> 2024-05-22 18:33:41 +00:00			`bao operator init -format=json -n 1 -t 1)`
Add Raft HA support (#229) * Add raft support * Add acceptance test * Update templates/server-headless-service.yaml Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Add notes to raft configurables Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> 2020-03-18 19:49:14 +00:00
			`local token=$(echo ${init} \| jq -r '.unseal_keys_b64[0]')`
			`[ "${token}" != "" ]`
replace vault command with bao and helm install/delete vault with openbao - part 1 Signed-off-by: jessebot <jessebot@linux.com> 2024-05-22 18:33:41 +00:00
Add Raft HA support (#229) * Add raft support * Add acceptance test * Update templates/server-headless-service.yaml Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Add notes to raft configurables Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> 2020-03-18 19:49:14 +00:00			`local root=$(echo ${init} \| jq -r '.root_token')`
			`[ "${root}" != "" ]`

replace vault command with bao and helm install/delete vault with openbao - part 1 Signed-off-by: jessebot <jessebot@linux.com> 2024-05-22 18:33:41 +00:00			`kubectl exec -ti openbao-0 -- bao operator unseal ${token}`
Add Raft HA support (#229) * Add raft support * Add acceptance test * Update templates/server-headless-service.yaml Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Add notes to raft configurables Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> 2020-03-18 19:49:14 +00:00			`wait_for_ready "$(name_prefix)-0"`

			`sleep 5`

update more vault to openbao everywhere Signed-off-by: jessebot <jessebot@linux.com> 2024-05-28 11:52:10 +00:00			`# OpenBao Unseal`
replace vault command with bao and helm install/delete vault with openbao - part 1 Signed-off-by: jessebot <jessebot@linux.com> 2024-05-22 18:33:41 +00:00			`local pods=($(kubectl get pods --selector='app.kubernetes.io/name=openbao' -o json \| jq -r '.items[].metadata.name'))`
Add Raft HA support (#229) * Add raft support * Add acceptance test * Update templates/server-headless-service.yaml Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Add notes to raft configurables Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> 2020-03-18 19:49:14 +00:00			`for pod in "${pods[@]}"`
			`do`
			`if [[ ${pod?} != "$(name_prefix)-0" ]]`
			`then`
replace vault command with bao and helm install/delete vault with openbao - part 1 Signed-off-by: jessebot <jessebot@linux.com> 2024-05-22 18:33:41 +00:00			`kubectl exec -ti ${pod} -- bao operator raft join http://$(name_prefix)-0.$(name_prefix)-internal:8200`
			`kubectl exec -ti ${pod} -- bao operator unseal ${token}`
Add Raft HA support (#229) * Add raft support * Add acceptance test * Update templates/server-headless-service.yaml Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Add notes to raft configurables Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> 2020-03-18 19:49:14 +00:00			`wait_for_ready "${pod}"`
			`fi`
			`done`

			`# Sealed, not initialized`
replace vault command with bao and helm install/delete vault with openbao - part 1 Signed-off-by: jessebot <jessebot@linux.com> 2024-05-22 18:33:41 +00:00			`local sealed_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json \|`
Add Raft HA support (#229) * Add raft support * Add acceptance test * Update templates/server-headless-service.yaml Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Add notes to raft configurables Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> 2020-03-18 19:49:14 +00:00			`jq -r '.sealed' )`
			`[ "${sealed_status}" == "false" ]`

replace vault command with bao and helm install/delete vault with openbao - part 1 Signed-off-by: jessebot <jessebot@linux.com> 2024-05-22 18:33:41 +00:00			`local init_status=$(kubectl exec "$(name_prefix)-0" -- bao status -format=json \|`
Add Raft HA support (#229) * Add raft support * Add acceptance test * Update templates/server-headless-service.yaml Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Add notes to raft configurables Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> 2020-03-18 19:49:14 +00:00			`jq -r '.initialized')`
			`[ "${init_status}" == "true" ]`

replace vault command with bao and helm install/delete vault with openbao - part 1 Signed-off-by: jessebot <jessebot@linux.com> 2024-05-22 18:33:41 +00:00			`kubectl exec "$(name_prefix)-0" -- bao login ${root}`
Add Raft HA support (#229) * Add raft support * Add acceptance test * Update templates/server-headless-service.yaml Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Add notes to raft configurables Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> 2020-03-18 19:49:14 +00:00
replace vault command with bao and helm install/delete vault with openbao - part 1 Signed-off-by: jessebot <jessebot@linux.com> 2024-05-22 18:33:41 +00:00			`local raft_status=$(kubectl exec "$(name_prefix)-0" -- bao operator raft list-peers -format=json \|`
Add Raft HA support (#229) * Add raft support * Add acceptance test * Update templates/server-headless-service.yaml Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Add notes to raft configurables Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> 2020-03-18 19:49:14 +00:00			`jq -r '.data.config.servers \| length')`
			`[ "${raft_status}" == "3" ]`
			`}`

			`setup() {`
			`kubectl delete namespace acceptance --ignore-not-found=true`
			`kubectl create namespace acceptance`
			`kubectl config set-context --current --namespace=acceptance`
			`}`

			`#cleanup`
			`teardown() {`
Add Vault Helm ent support, service discovery (#250) * Add Vault Helm ent support, service discovery * Fix unit test * Update test/acceptance/server-ha-enterprise-dr.bats Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Update test/acceptance/server-ha-enterprise-dr.bats Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Update test/acceptance/server-ha-enterprise-perf.bats Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Update test/acceptance/server-ha-enterprise-perf.bats Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Update values.yaml Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> 2020-04-09 13:26:58 +00:00			`if [[ ${CLEANUP:-true} == "true" ]]`
			`then`
Run CI tests in github workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com> 2021-12-11 01:11:35 +00:00			`# If the test failed, print some debug output`
			`if [[ "$BATS_ERROR_STATUS" -ne 0 ]]; then`
replace vault command with bao and helm install/delete vault with openbao - part 1 Signed-off-by: jessebot <jessebot@linux.com> 2024-05-22 18:33:41 +00:00			`kubectl logs -l app.kubernetes.io/name=openbao`
Run CI tests in github workflows (#657) Ports the bats unit, chart-verifier, and bats acceptance tests to use github workflows and actions. The acceptance tests run using kind, and run for multiple k8s versions, on pushes to the main branch. Adds a SKIP_CSI env check in the CSI acceptance test, set in the workflow if K8s version is less than 1.16. Adds kubeAdmConfigPatches to the kind config to allow testing the CSI provider on K8s versions prior to 1.21. Updates the Secrets Store CSI driver to 1.0.0 in tests. Makes the HA Vault tests more robust by waiting for all consul client pods to be Ready, and waits with a timeout for Vault to start responding as sealed (since the tests on GitHub runners were often failing at that point). Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com> 2021-12-11 01:11:35 +00:00			`fi`
replace vault command with bao and helm install/delete vault with openbao - part 1 Signed-off-by: jessebot <jessebot@linux.com> 2024-05-22 18:33:41 +00:00			`helm delete openbao`
Add Vault Helm ent support, service discovery (#250) * Add Vault Helm ent support, service discovery * Fix unit test * Update test/acceptance/server-ha-enterprise-dr.bats Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Update test/acceptance/server-ha-enterprise-dr.bats Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Update test/acceptance/server-ha-enterprise-perf.bats Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Update test/acceptance/server-ha-enterprise-perf.bats Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Update values.yaml Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> 2020-04-09 13:26:58 +00:00			`kubectl delete --all pvc`
			`kubectl delete namespace acceptance --ignore-not-found=true`
			`fi`
Add Raft HA support (#229) * Add raft support * Add acceptance test * Update templates/server-headless-service.yaml Co-Authored-By: Theron Voran <tvoran@users.noreply.github.com> * Add notes to raft configurables Co-authored-by: Theron Voran <tvoran@users.noreply.github.com> 2020-03-18 19:49:14 +00:00			`}`