openbao-helm/test/acceptance/csi.bats

#!/usr/bin/env bats

load _helpers

@test "csi: testing deployment" {
  cd `chart_dir`

  kubectl delete namespace acceptance --ignore-not-found=true
  kubectl create namespace acceptance

  # Install Secrets Store CSI driver
  # Configure it to pass in a JWT for the provider to use, and rotate secrets rapidly
  # so we can see Agent's cache working.
  CSI_DRIVER_VERSION=1.3.2
  helm install secrets-store-csi-driver secrets-store-csi-driver \
    --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \
    --version=$CSI_DRIVER_VERSION \
    --wait --timeout=5m \
    --namespace=acceptance \
    --set linux.image.pullPolicy="IfNotPresent" \
    --set tokenRequests[0].audience="openbao" \
    --set enableSecretRotation=true \
    --set rotationPollInterval=5s
  # Install OpenBao and OpenBao provider
  helm install openbao \
    --wait --timeout=5m \
    --namespace=acceptance \
    --set="server.dev.enabled=true" \
    --set="csi.enabled=true" \
    --set="csi.debug=true" \
    --set="csi.agent.logLevel=debug" \
    --set="injector.enabled=false" \
    .
  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao
  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=openbao-csi-provider

  # Set up k8s auth and a kv secret.
  cat ../../test/acceptance/csi-test/openbao-policy.hcl | kubectl --namespace=acceptance exec -i openbao-0 -- bao policy write kv-policy -
  kubectl --namespace=acceptance exec openbao-0 -- bao auth enable kubernetes
  kubectl --namespace=acceptance exec openbao-0 -- sh -c 'bao write auth/kubernetes/config \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
  kubectl --namespace=acceptance exec openbao-0 -- bao write auth/kubernetes/role/kv-role \
    bound_service_account_names=nginx \
    bound_service_account_namespaces=acceptance \
    policies=kv-policy \
    ttl=20m
  kubectl --namespace=acceptance exec openbao-0 -- bao kv put secret/kv1 bar1=hello1

  kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/openbao-kv-secretproviderclass.yaml
  kubectl --namespace=acceptance apply -f ../../test/acceptance/csi-test/nginx.yaml
  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx

  result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar)
  [[ "$result" == "hello1" ]]

  for i in $(seq 10); do
    sleep 2
    if [ "$(kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent | grep "secret renewed: path=/v1/auth/kubernetes/login")" ]; then
        echo "Agent returned a cached login response"
        return
    fi

    echo "Waiting to confirm the Agent is renewing CSI's auth token..."
  done

  # Print the logs and fail the test
  echo "Failed to find a log for the Agent renewing CSI's auth token"
  kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-agent
  kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=openbao-csi-provider" -c openbao-csi-provider
  exit 1
}

# Clean up
teardown() {
  if [[ ${CLEANUP:-true} == "true" ]]
  then
      echo "helm/pvc teardown"
      helm --namespace=acceptance delete openbao
      helm --namespace=acceptance delete secrets-store-csi-driver
      kubectl delete --all pvc
      kubectl delete namespace acceptance
  fi
}