Implement automated tests.

test/bootstrap.env

@@ -1,15 +1,15 @@
 export UNIQUE_TEST_ID="$(uuidgen | tr "[:upper:]" "[:lower:]" | head -c 10)"
-
 export CONJUR_VERSION=5
-export CONJUR_MINOR_VERSION=0
-export CONJUR_APPLIANCE_IMAGE=registry.tld/conjur-appliance:$CONJUR_VERSION.$CONJUR_MINOR_VERSION-stable
+export CONJUR_MINOR_VERSION=5.0
+export CONJUR_APPLIANCE_IMAGE=registry.tld/conjur-appliance:$CONJUR_VERSION.$CONJUR_MINOR_VERSION
 export CONJUR_FOLLOWER_COUNT=1
 export CONJUR_ACCOUNT=account-$UNIQUE_TEST_ID
 export AUTHENTICATOR_ID=conjur-$CONJUR_VERSION-$UNIQUE_TEST_ID-test
 export CONJUR_ADMIN_PASSWORD=adminPass$UNIQUE_TEST_ID
 export DEPLOY_MASTER_CLUSTER=true
 export CONJUR_NAMESPACE_NAME=conjur-deploy-$UNIQUE_TEST_ID
 export TEST_RUNNER_IMAGE=demo-$UNIQUE_TEST_ID
+export KUBERNETES_CONJUR_DEPLOY_BRANCH=v0.1
 
 #######
 # OpenShift
@@ -26,4 +26,3 @@ export TEST_APP_NAMESPACE_NAME=test-app-$UNIQUE_TEST_ID
 
 export MINIKUBE="${MINIKUBE:-false}"
 export MINISHIFT="${MINISHIFT:-false}"
-

test/k8s-config/secrets-access-role-binding.sh.yml

@@ -1,6 +1,6 @@
 #!/bin/bash
-
 set -euo pipefail
+
 cat << EOL
 ---
 apiVersion: v1

test/k8s-config/secrets-access-role.sh.yml

@@ -0,0 +1,17 @@
+#!/bin/bash
+set -euo pipefail
+
+# Test cases can modify following variable from outside:
+SECRET_CLUSTER_ROLE_VERBS_VALUE=${SECRET_CLUSTER_ROLE_VERBS_VALUE:-"[ \"get\", \"patch\" ]"}
+
+cat << EOL
+---
+apiVersion: v1
+kind: ClusterRole
+metadata:
+  name: secrets-access
+rules:
+  - resources: ["secrets"]
+    verbs: ${SECRET_CLUSTER_ROLE_VERBS_VALUE}
+
+EOL

test/k8s-config/test-env.sh.yml

@@ -1,6 +1,15 @@
 #!/bin/bash
-
 set -euo pipefail
+
+# Test cases can modify following variables from outside. Either by selecting
+# default valid input, by leaving it unmodified. Or setting a single key which
+# represent a key without a value. Or by setting it with invalid key or value.
+# Another option is to set it to $KEY_VALUE_NOT_EXIST which means to omit
+# related key-value from yaml file
+SECRETS_DESTINATION_KEY_VALUE=${SECRETS_DESTINATION_KEY_VALUE:-"SECRETS_DESTINATION k8s_secrets"}
+CONTAINER_MODE_KEY_VALUE=${CONTAINER_MODE_KEY_VALUE:-"CONTAINER_MODE init"}
+K8S_SECRETS_KEY_VALUE=${K8S_SECRETS_KEY_VALUE:-"K8S_SECRETS test-k8s-secret"}
+
 cat << EOL
 ---
 apiVersion: v1
@@ -22,8 +31,8 @@ spec:
       containers:
       - image: debian
         name: test-app
-        command: ["printenv"]
-        args: ["TEST_SECRET"]
+        command: ["sleep"]
+        args: ["infinity"]
         env:
           - name: TEST_SECRET
             valueFrom:
@@ -35,9 +44,6 @@ spec:
         imagePullPolicy: Always
         name: cyberark-secrets-provider
         env:
-          - name: CONTAINER_MODE
-            value: init
-
           - name: MY_POD_NAME
             valueFrom:
               fieldRef:
@@ -78,15 +84,12 @@ spec:
               configMapKeyRef:
                 name: conjur-master-ca-env
                 key: ssl-certificate
-
-          - name: K8S_SECRETS
-            value: test-k8s-secret
-
           - name: DEBUG
             value: "true"
 
-          - name: SECRETS_DESTINATION
-            value: k8s_secrets
+`yaml_print_key_name_value "          " ${K8S_SECRETS_KEY_VALUE}`
+`yaml_print_key_name_value "          " ${CONTAINER_MODE_KEY_VALUE}`
+`yaml_print_key_name_value "          " ${SECRETS_DESTINATION_KEY_VALUE}`
 
       imagePullSecrets:
         - name: dockerpullsecret

test/run_demo.sh

@@ -76,7 +76,7 @@ function enableImagePull() {
 
 function provideSecretAccessToServiceAccount() {
   $cli delete clusterrole secrets-access --ignore-not-found=true
-  $cli create -f k8s-config/secrets-access-role.yml
+  ./k8s-config/secrets-access-role.sh.yml | $cli create -f -
 
   ./k8s-config/secrets-access-role-binding.sh.yml | $cli create -f -
 }

test/stop

@@ -1,8 +1,6 @@
 #!/bin/bash
 set -euo pipefail
 
-source bootstrap.env
-
 . utils.sh
 
 set_namespace default

test/test_cases/TEST_ID_10_SECRETS_DESTINATION_not_exist.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+set -euxo pipefail
+
+create_secret_access_role
+
+create_secret_access_role_binding
+
+echo "Create test-env pod. SECRETS_DESTINATION is with invalid value 'incorrect_secrets'"
+export SECRETS_DESTINATION_KEY_VALUE=$KEY_VALUE_NOT_EXIST
+deploy_test_env
+
+pod_name=$(cli_get_pods_test_env | awk '{print $1}')
+
+echo "Expecting secrets provider to fail with error 'CSPFK004E Environment variable 'SECRETS_DESTINATION' must be provided'"
+wait_for_it 600 "$cli logs $pod_name -c cyberark-secrets-provider | grep 'CSPFK004E'"

test/test_cases/TEST_ID_1_providing_secret_successfully.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+set -euxo pipefail
+
+create_secret_access_role
+
+create_secret_access_role_binding
+
+deploy_test_env
+
+echo "Verifying pod test_env has environment variable 'TEST_SECRET' with value 'supersecret'"
+pod_name=$(cli_get_pods_test_env | awk '{print $1}')
+verify_secret_value_in_pod $pod_name TEST_SECRET supersecret

test/test_cases/TEST_ID_2_multiple_pods_changing_pwd_inbetween.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+set -euxo pipefail
+
+echo "Creating secrets access role"
+$TEST_CASES_K8S_CONFIG_DIR/secrets-access-role.sh.yml | $cli create -f -
+
+echo "Creating secrets access role binding"
+$TEST_CASES_K8S_CONFIG_DIR/secrets-access-role-binding.sh.yml | $cli create -f -
+
+deploy_test_env
+
+pod_name1=$(cli_get_pods_test_env | awk '{print $1}')
+
+echo "Verify pod $pod_name1 has environment variable 'TEST_SECRET' with value 'supersecret'"
+verify_secret_value_in_pod $pod_name1 TEST_SECRET supersecret
+
+test_app_set_secret secrets/test_secret secret2
+
+echo "Deleting pod $pod_name1"
+$cli delete pod $pod_name1
+
+pod_name2=$(cli_get_pods_test_env | awk '{print $1}')
+echo "Verify pod $pod_name2 has environment variable 'TEST_SECRET' with value 'supersecret'"
+verify_secret_value_in_pod $pod_name2 TEST_SECRET secret2
+
+test_app_set_secret secrets/test_secret secret3
+
+echo "Setting deploymentconfig test-env to replicas"
+$cli scale dc test-env --replicas=3
+
+echo "Waiting for 3 running pod test-env"
+wait_for_it 600 "$cli get pods | grep test-env | grep Running | wc -l | tr -d ' ' | grep '^3$'"
+
+echo "Iterate over new pods and verify their secret was updated"
+pod_names=$(cli_get_pods_test_env | awk '{print $1}' | grep -v $pod_name2)
+for new_pod in $pod_names
+do
+     echo "Verify pod $new_pod has environment variable 'TEST_SECRET' with value 'secret3'"
+     verify_secret_value_in_pod $new_pod TEST_SECRET secret3
+done

test/test_cases/TEST_ID_3_SECRETS_DESTINATION_with_incorrect_value.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+set -euxo pipefail
+
+create_secret_access_role
+
+create_secret_access_role_binding
+
+echo "Deploying test_env with incorrect value for SECRETS_DESTINATION envrionment variable"
+export SECRETS_DESTINATION_KEY_VALUE="SECRETS_DESTINATION SECRETS_DESTINATION_incorrect_value"
+deploy_test_env
+
+echo "Expecting secrets provider to fail with error 'CSPFK005E Provided incorrect value for environment variable SECRETS_DESTINATION'"
+pod_name=$(cli_get_pods_test_env | awk '{print $1}')
+wait_for_it 600 "$cli logs $pod_name -c cyberark-secrets-provider | grep 'CSPFK005E'"

test/test_cases/TEST_ID_4_CONTAINER_MODE_not_exist.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+set -euxo pipefail
+
+create_secret_access_role
+
+create_secret_access_role_binding
+
+echo "Deploying test_env without CONTAINER_MODE envrionment variable"
+export CONTAINER_MODE_KEY_VALUE=$KEY_VALUE_NOT_EXIST
+deploy_test_env
+
+echo "Expecting secrets provider to fail with error 'CSPFK007E Setting SECRETS_DESTINATION environment variable to 'k8s_secrets' must run as init container'"
+pod_name=$(cli_get_pods_test_env | awk '{print $1}')
+wait_for_it 600 "$cli logs $pod_name -c cyberark-secrets-provider | grep 'CSPFK007E'"

test/test_cases/TEST_ID_5_no_get_permission_to_secret.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+set -euxo pipefail
+
+echo "Creating secrets access role without 'get' permission"
+export SECRET_CLUSTER_ROLE_VERBS_VALUE="[ \"patch\" ]"
+create_secret_access_role
+
+create_secret_access_role_binding
+
+deploy_test_env
+
+echo "Expecting secrets provider to fail with error 'CSPFK004D Failed to retrieve k8s secret. Reason:...'"
+pod_name=$(cli_get_pods_test_env | awk '{print $1}')
+wait_for_it 600 "$cli logs $pod_name -c cyberark-secrets-provider | grep 'CSPFK004D'"

test/test_cases/TEST_ID_6_no_patch_permission_to_secret.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+set -euxo pipefail
+
+echo "Creating secrets access role without 'get' permission"
+export SECRET_CLUSTER_ROLE_VERBS_VALUE="[ \"get\" ]"
+create_secret_access_role
+
+create_secret_access_role_binding
+
+deploy_test_env
+
+echo "Expecting secrets provider to fail with error 'CSPFK005D Failed to patch k8s secret. Reason:...'"
+pod_name=$(cli_get_pods_test_env | awk '{print $1}')
+wait_for_it 600 "$cli logs $pod_name -c cyberark-secrets-provider | grep 'CSPFK005D'"

test/test_cases/TEST_ID_7_K8S_SECRETS_env_var_not_exist.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+set -euxo pipefail
+
+create_secret_access_role
+
+create_secret_access_role_binding
+
+echo "Deploying test_env without K8S_SECRETS environment variable"
+export K8S_SECRETS_KEY_VALUE=$KEY_VALUE_NOT_EXIST
+deploy_test_env
+
+echo "Expecting for 'CrashLoopBackOff' state of pod test-env"
+wait_for_it 600 "cli_get_pods_test_env | grep CrashLoopBackOff"
+
+echo "Expecting secrets provider to fail with error 'CSPFK004E Environment variable K8S_SECRETS must be provided'"
+pod_name=$(cli_get_pods_test_env | awk '{print $1}')
+wait_for_it 600 "$cli logs $pod_name -c cyberark-secrets-provider | grep 'CSPFK004E'"

test/test_cases/TEST_ID_8_K8S_SECRETS_env_var_empty.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+set -euxo pipefail
+
+create_secret_access_role
+
+create_secret_access_role_binding
+
+echo "Deploying test_env with empty value for K8S_SECRETS envrionment variable"
+export K8S_SECRETS_KEY_VALUE="K8S_SECRETS"
+deploy_test_env
+
+echo "Expecting for CrashLoopBackOff state of pod test-env"
+wait_for_it 600 "cli_get_pods_test_env | grep CrashLoopBackOff"
+
+echo "Expecting Secrets provider to fail with error 'CSPFK004E Environment variable K8S_SECRETS must be provided'"
+pod_name=$(cli_get_pods_test_env | awk '{print $1}')
+wait_for_it 600 "$cli logs $pod_name -c cyberark-secrets-provider | grep 'CSPFK004E'"

test/test_cases/TEST_ID_9_K8S_SECRETS_env_var_incorrect_value.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+set -euxo pipefail
+
+create_secret_access_role
+
+create_secret_access_role_binding
+
+echo "Deploying test_env with incorrect value for K8S_SECRETS envrionment variable"
+export K8S_SECRETS_KEY_VALUE="K8S_SECRETS K8S_SECRETS_invalid_value"
+deploy_test_env
+
+echo "Expecting secrets provider to fail with debug message 'CSPFK004D Failed to retrieve k8s secret. Reason: secrets K8S_SECRETS_invalid_value not found'"
+pod_name=$(cli_get_pods_test_env | awk '{print $1}')
+wait_for_it 600 "$cli logs $pod_name -c cyberark-secrets-provider | grep 'CSPFK004D'"
+
+echo "Expecting secrets provider to fail with error 'CSPFK020E Failed to retrieve k8s secret'"
+$cli logs $pod_name -c cyberark-secrets-provider | grep 'CSPFK020E'

test/test_cases/run_tests.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+set -euo pipefail
+
+# By default lookup for folders with specifics prefix of type 'test_'. Can be modified by passing argument.
+TEST_NAME_PREFIX=${1:-TEST_ID_}
+
+# Keep environment variables for debugging
+printenv > printenv.debug
+
+export TEST_CASES_K8S_CONFIG_DIR="$PWD/../k8s-config"
+
+# export all utils.sh functions to be available for all tests
+set -a
+source "../utils.sh"
+set +a
+
+./test_case_teardown.sh
+
+times=1
+
+for c in {1..$times}
+do
+  for filename in ./$TEST_NAME_PREFIX*.sh; do
+      announce "Running '$filename'."
+      ./test_case_setup.sh
+      $filename
+      ./test_case_teardown.sh
+      announce "Test '$filename' ended successfully"
+  done
+done
+
+rm printenv.debug