Implement automated tests. #21
Conversation
The tests have a common initialization flow and set of tests that follows. 1. Durinig intialization flow - the repo kubernetes-conjur-deploy is being cloned and deployed. - test_app namespace is being created - conjur master is being loaded with relevant policies 2. Execution of set of tests is being invoked via run_tests.sh that run each test such that - script test_case_setup.sh run before each test - script test_case_teardown.sh run after each test - on each error, execution is being terminated immediately, leaving environment untouched. Notes: - Under time limitation there was some compromise on code refactoring and code convention. - We should consider having proper tool for manipulting yaml files.
test/test_cases/TEST_ID_2_multiple_pods_changing_pwd_inbetween.sh
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
@moticless / @doodlesbykumbi Finally got some time to review this - let e know if you have any questions.
| $cli exec $(get_conjur_cli_pod_name) -- conjur variable values add $SECRET_NAME $SECRET_VALUE | ||
| set_namespace $TEST_APP_NAMESPACE_NAME | ||
| } | ||
|
|
- Update conjur version from 5.0-stable to 5.5.0 because tests get failed on known issue : “502 Bad Gateway… nginx”
- Update conjur version from 5.0-stable to 5.5.0 because tests get failed on known issue : “502 Bad Gateway… nginx”
There was a problem hiding this comment.
@moticless Mostly non-blockers but there's a few big things that should probably addressed in this or followup PRs.
test/k8s-config/test-env.sh.yml
Outdated
| set -euo pipefail | ||
|
|
||
| source $TEST_CASES_UTILS |
There was a problem hiding this comment.
Is there a reason why we source a path from a variable? Should the util script(s) have a stable path?
There was a problem hiding this comment.
I didn't want that tests will be aware of the location of utils.sh since it is located outside of folder test_cases.
There was a problem hiding this comment.
removed it. and source it only once via run_tests.sh
| # related key-value from yaml file | ||
| SECRETS_DESTINATION_KEY_VALUE=${SECRETS_DESTINATION_KEY_VALUE:-"SECRETS_DESTINATION k8s_secrets"} | ||
| CONTAINER_MODE_KEY_VALUE=${CONTAINER_MODE_KEY_VALUE:-"CONTAINER_MODE init"} | ||
| K8S_SECRETS_KEY_VALUE=${K8S_SECRETS_KEY_VALUE:-"K8S_SECRETS test-k8s-secret"} |
There was a problem hiding this comment.
It's not a blocker for merging but this seems a bit messy of a way to specify overrides vs CLI arguments.
There was a problem hiding this comment.
This should be an issue: Improve parameterization of test scripts
| pod_name1=$(cli_get_pods_test_env | awk '{print $1}') | ||
|
|
||
| echo "Verify pod $pod_name1 has environment variable 'TEST_SECRET' with value 'supersecret'" | ||
| verify_secret_value_in_pod $pod_name1 TEST_SECRET supersecret |
There was a problem hiding this comment.
Not a blocker either but keep in mind all of these unquoted vars are liable to injection or failure when combined with spaces or special chars
test/test_cases/test_case_setup.sh
Outdated
|
|
||
| source $TEST_CASES_UTILS | ||
|
|
||
| # TODO: replace the following with `oc create secret` |
There was a problem hiding this comment.
Tiny comment: we shouldn't use any OC-specific CLIs if we can - ideally we should be able to set everything up using vanilla kubectl for portability. oc generally doesn't provide almost any additional functionality other than for account administration.
| git clone --single-branch \ | ||
| --branch $KUBERNETES_CONJUR_DEPLOY_BRANCH \ | ||
| https://github.com/cyberark/kubernetes-conjur-deploy.git \ | ||
| kubernetes-conjur-deploy-$UNIQUE_TEST_ID |
There was a problem hiding this comment.
I just realized what this code is conceptually trying to do and I missed it in my last review. Using a separate per-test branch from another repo is extremely liable to fail and would be a huge perpetual effort to maintain. I don't have much guidance on what the tests should look like but this approach should be changed asap to something sturdier (even if it means that it uses conjur-intro repo deployments).
There was a problem hiding this comment.
We are aware of this issue. This is what we have for now. :(
There was a problem hiding this comment.
This needs to be a separate issue for tech debt
| git clone --single-branch \ | ||
| --branch $KUBERNETES_CONJUR_DEPLOY_BRANCH \ | ||
| https://github.com/cyberark/kubernetes-conjur-deploy.git \ | ||
| kubernetes-conjur-deploy-$UNIQUE_TEST_ID |
There was a problem hiding this comment.
Not a blocker: lots of overlap with test_in_docker.sh
test/test_with_summon.sh
Outdated
|
|
||
| exit $exit_code | ||
| exit 0 |
There was a problem hiding this comment.
This change makes the exit call unnecessary. If you have set -e everywhere and depend on that, that probably means that cleanup isn't properly done on failures.
test/utils.sh
Outdated
| wait_for_it 600 "oc get dc/test-env -o jsonpath={.status.replicas} | grep '^${expected_num_replicas}$'|| oc rollout latest dc/test-env" | ||
|
|
||
| echo "Expecting for $expected_num_replicas deployed pods" | ||
| wait_for_it 600 "oc get pods --namespace=$TEST_APP_NAMESPACE_NAME --selector app=test-env --no-headers | wc -l | grep $expected_num_replicas" |
There was a problem hiding this comment.
these CLIs are hardcoded. Probably worthy to mention here that we should just use kubectl instead of oc everywhere.
There was a problem hiding this comment.
@moticless / @Tovli : Just 3 issues need to be opened and we ca get this approved.
| # related key-value from yaml file | ||
| SECRETS_DESTINATION_KEY_VALUE=${SECRETS_DESTINATION_KEY_VALUE:-"SECRETS_DESTINATION k8s_secrets"} | ||
| CONTAINER_MODE_KEY_VALUE=${CONTAINER_MODE_KEY_VALUE:-"CONTAINER_MODE init"} | ||
| K8S_SECRETS_KEY_VALUE=${K8S_SECRETS_KEY_VALUE:-"K8S_SECRETS test-k8s-secret"} |
There was a problem hiding this comment.
This should be an issue: Improve parameterization of test scripts
| git clone --single-branch \ | ||
| --branch $KUBERNETES_CONJUR_DEPLOY_BRANCH \ | ||
| https://github.com/cyberark/kubernetes-conjur-deploy.git \ | ||
| kubernetes-conjur-deploy-$UNIQUE_TEST_ID |
There was a problem hiding this comment.
This needs to be a separate issue for tech debt
There was a problem hiding this comment.
@moticless @Tovli Approved now that we have the following issues filed:
…grpc CNJR-3914: Remove vulnerable versions of grpc and go-sqlite3
The tests have a common initialization flow and set of tests that follows.
Notes: