
* Prepare for 0.25.0 release * Update CSI acceptance test assertion Starting in 1.4.0, the CSI provider caches Vault tokens locally. The main thing we want to check is that the Agent cache is being used so that it's doing the renewal legwork for any leased secrets, so check for the renewal log message instead because CSI won't auth over and over anymore.
#!/usr/bin/env bats
# Shared bats helpers for the acceptance suite (chart_dir, used below, is
# presumably defined there — confirm against test/acceptance/_helpers.bash).
load _helpers
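@test "csi: testing deployment" {
  # End-to-end check that the Vault CSI provider serves a kv secret through the
  # Secrets Store CSI driver, and that the provider's Vault Agent sidecar cache
  # is doing the token-renewal legwork rather than the provider logging in on
  # every rotation.
  #
  # Fixes over the previous version: `cd` uses "$(chart_dir)" instead of an
  # unquoted backtick substitution, every expansion passed to helm/kubectl is
  # quoted (the `tokenRequests[0]` --set value could otherwise be globbed), the
  # policy file is redirected into `kubectl exec` instead of piped from `cat`,
  # and the renewal poll uses `grep -q` rather than testing captured output.
  cd "$(chart_dir)"

  kubectl delete namespace acceptance --ignore-not-found=true
  kubectl create namespace acceptance

  # Install Secrets Store CSI driver.
  # Configure it to pass in a JWT for the provider to use, and rotate secrets
  # rapidly so we can see Agent's cache working.
  CSI_DRIVER_VERSION=1.3.2
  helm install secrets-store-csi-driver secrets-store-csi-driver \
    --repo https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts \
    --version="$CSI_DRIVER_VERSION" \
    --wait --timeout=5m \
    --namespace=acceptance \
    --set linux.image.pullPolicy="IfNotPresent" \
    --set 'tokenRequests[0].audience=vault' \
    --set enableSecretRotation=true \
    --set rotationPollInterval=5s

  # Install Vault and the Vault CSI provider from the local chart (".").
  # csi.debug / csi.agent.logLevel=debug are test-only settings: they make the
  # provider and Agent logs dumped on failure (below) as verbose as possible.
  helm install vault \
    --wait --timeout=5m \
    --namespace=acceptance \
    --set="server.dev.enabled=true" \
    --set="csi.enabled=true" \
    --set="csi.debug=true" \
    --set="csi.agent.logLevel=debug" \
    --set="injector.enabled=false" \
    .
  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault
  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod -l app.kubernetes.io/name=vault-csi-provider

  # Set up k8s auth and a kv secret.
  kubectl --namespace=acceptance exec -i vault-0 -- vault policy write kv-policy - \
    < ./test/acceptance/csi-test/vault-policy.hcl
  kubectl --namespace=acceptance exec vault-0 -- vault auth enable kubernetes
  # Single-quoted on purpose: $KUBERNETES_PORT_443_TCP_ADDR must be expanded by
  # the shell inside the vault-0 pod, not by the test runner.
  kubectl --namespace=acceptance exec vault-0 -- sh -c 'vault write auth/kubernetes/config \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"'
  # Role is bound to the nginx service account in the acceptance namespace only.
  kubectl --namespace=acceptance exec vault-0 -- vault write auth/kubernetes/role/kv-role \
    bound_service_account_names=nginx \
    bound_service_account_namespaces=acceptance \
    policies=kv-policy \
    ttl=20m
  kubectl --namespace=acceptance exec vault-0 -- vault kv put secret/kv1 bar1=hello1

  kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/vault-kv-secretproviderclass.yaml
  kubectl --namespace=acceptance apply -f ./test/acceptance/csi-test/nginx.yaml
  kubectl --namespace=acceptance wait --for=condition=Ready --timeout=5m pod nginx

  # The secret must be mounted into the consuming pod with the expected value.
  local result
  result=$(kubectl --namespace=acceptance exec nginx -- cat /mnt/secrets-store/bar)
  [[ "$result" == "hello1" ]]

  # Starting in provider 1.4.0 the CSI provider caches Vault tokens, so it no
  # longer logs a login per rotation. Confirm instead that the Agent sidecar's
  # cache is renewing the login lease on the provider's behalf. Poll for up to
  # ~20s (10 attempts x 2s) since rotation runs every 5s.
  local renew_msg="secret renewed: path=/v1/auth/kubernetes/login"
  local attempt
  for ((attempt = 1; attempt <= 10; attempt++)); do
    sleep 2
    if kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent \
        | grep -q -F -- "$renew_msg"; then
      echo "Agent returned a cached login response"
      # bats wraps the test body in a function, so `return` ends it as a pass.
      return
    fi
    echo "Waiting to confirm the Agent is renewing CSI's auth token..."
  done

  # Print the logs and fail the test.
  echo "Failed to find a log for the Agent renewing CSI's auth token"
  kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-agent
  kubectl --namespace=acceptance logs --tail=-1 -l "app.kubernetes.io/name=vault-csi-provider" -c vault-csi-provider
  exit 1
}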
# Clean up
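teardown() {
  # Tear down everything the test installed, unless CLEANUP=false is set
  # (useful for inspecting a failed run).
  #
  # Fix: the PVC deletion is now scoped to the acceptance namespace. Without
  # --namespace it ran `delete --all pvc` against the kubeconfig's
  # current-context namespace, i.e. against resources this test never created.
  if [[ "${CLEANUP:-true}" == "true" ]]; then
    echo "helm/pvc teardown"
    helm --namespace=acceptance delete vault
    helm --namespace=acceptance delete secrets-store-csi-driver
    kubectl --namespace=acceptance delete --all pvc
    kubectl delete namespace acceptance
  fi
}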