diff --git a/Makefile b/Makefile
index 7edf15aee..3901ea0da 100644
--- a/Makefile
+++ b/Makefile
@@ -100,8 +100,8 @@ YQ := yq
 # Test variables
 KIND_VERSION ?= 0.23.0
-KUBERNETES_VERSION ?= 1.30.2
-KUBECTL_VERSION ?= 1.30.2
+KUBERNETES_VERSION ?= 1.30.8
+KUBECTL_VERSION ?= 1.30.8
 BATS_VERSION ?= 1.4.1
 TRIVY_VERSION ?= 0.57.1
 PROTOC_VERSION ?= 3.20.1
diff --git a/docker/crd.Dockerfile b/docker/crd.Dockerfile
index b06872a05..47bd14fe7 100644
--- a/docker/crd.Dockerfile
+++ b/docker/crd.Dockerfile
@@ -13,7 +13,7 @@ # limitations under the License.
 FROM alpine as builder
-ARG KUBE_VERSION=v1.29.11
+ARG KUBE_VERSION=v1.30.8
 ARG TARGETARCH
 RUN apk add --no-cache curl && \
diff --git a/test/bats/gcp.bats b/test/bats/gcp.bats
index 240b915af..d7ba1685c 100644
--- a/test/bats/gcp.bats
+++ b/test/bats/gcp.bats
@@ -10,9 +10,8 @@ PROVIDER_NAMESPACE=kube-system
 PROVIDER_YAML=https://raw.githubusercontent.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp/main/deploy/provider-gcp-plugin.yaml
 BASE64_FLAGS="-w 0"
-export RESOURCE_NAME=${RESOURCE_NAME:-"projects/735463103342/secrets/test-secret-a/versions/latest"}
+export RESOURCE_NAME=${SECRET_URI}
 export FILE_NAME=${FILE_NAME:-"secret"}
-export SECRET_VALUE=${SECRET_VALUE:-"aHVudGVyMg=="}
 @test "install gcp provider" {
 run kubectl apply -f $PROVIDER_YAML --namespace $PROVIDER_NAMESPACE
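Review bot: `export RESOURCE_NAME=${SECRET_URI}` in the gcp.bats hunk drops the old fallback without making the new input mandatory, so running the bats file on its own (outside run-e2e-gcp.sh) leaves RESOURCE_NAME empty and the failure presumably surfaces later wherever the name is consumed rather than at this line. Use bash's `:?` check, `export RESOURCE_NAME=${SECRET_URI:?SECRET_URI must be exported by test/scripts/run-e2e-gcp.sh}`, and do the same for `SECRET_VALUE`, whose default is removed here while the test body in the next hunk still compares against `"${SECRET_VALUE}"`. Dropping the hard-coded project number and fixed base64 value is the right direction: the secret is now created per run by the runner script instead of being a shared, long-lived fixture.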
@@ -43,8 +42,21 @@ export SECRET_VALUE=${SECRET_VALUE:-"aHVudGVyMg=="}
 }
 @test "CSI inline volume test with pod portability - read gcp kv secret from pod" {
+ archive_info
 result=$(kubectl exec secrets-store-inline-crd --namespace=$NAMESPACE -- cat /mnt/secrets-store/$FILE_NAME)
 [[ "${result//$'\r'}" == "${SECRET_VALUE}" ]]
+
+}
+
+@test "CSI inline volume test with rotation - read gcp kv secret from pod" {
+ echo -n "secret-b" | gcloud secrets versions add ${SECRET_ID} --data-file=-
+
+ # wait for secret rotation
+ sleep 120
+ archive_info
+ result=$(kubectl exec secrets-store-inline-crd --namespace=$NAMESPACE -- cat /mnt/secrets-store/$FILE_NAME)
+ [[ "${result//$'\r'}" == "secret-b" ]]
+
 }
 @test "CSI inline volume test with pod portability - unmount succeeds" {
diff --git a/test/scripts/run-e2e-gcp.sh b/test/scripts/run-e2e-gcp.sh
new file mode 100755
index 000000000..df51dcda7
--- /dev/null
+++ b/test/scripts/run-e2e-gcp.sh
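Review bot: The new rotation test relies on a fixed `sleep 120` and then reads the mount exactly once, which is both slow and fragile: whether it passes presumably depends on where in the driver's rotation poll window the new version lands. Polling the mount until it shows the rotated value, bounded by the same 120 s, makes the test deterministic and usually faster, as below. The literal `secret-b` is also duplicated between the `gcloud secrets versions add` line and the assertion; a local `rotated_value` keeps the two in sync. `archive_info` is defined outside this hunk, presumably in a sourced helper; worth confirming it has no side effect on the mount, since it now runs before the read in both tests.
```shell
@test "CSI inline volume test with rotation - read gcp kv secret from pod" {
  local rotated_value="secret-b"
  echo -n "${rotated_value}" | gcloud secrets versions add "${SECRET_ID}" --data-file=-

  # poll the mount instead of a fixed sleep; 24 x 5s matches the previous 120s bound
  local result=""
  for _ in $(seq 1 24); do
    result=$(kubectl exec secrets-store-inline-crd --namespace=$NAMESPACE -- cat /mnt/secrets-store/$FILE_NAME) || result=""
    [[ "${result//$'\r'}" == "${rotated_value}" ]] && break
    sleep 5
  done
  archive_info
  [[ "${result//$'\r'}" == "${rotated_value}" ]]
}
```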
@@ -0,0 +1,97 @@
+#!/usr/bin/env bash
+
+# Copyright 2024 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+: "${GOOGLE_APPLICATION_CREDENTIALS:?Environment variable empty or not defined.}"
+
+function boskosctlwrapper() {
+ boskosctl --server-url http://"${BOSKOS_HOST}" --owner-name "secret-store-provider-gcp" "${@}"
+}
+
+cleanup() {
+ gcloud beta secrets delete ${SECRET_ID} --quiet
+ # stop boskos heartbeat
+ if [ -n "${BOSKOS_HOST:-}" ]; then
+ boskosctlwrapper release --name "${RESOURCE_NAME}" --target-state dirty
+ fi
+}
+trap cleanup EXIT
+
+
+
+main() {
+ echo "starting the secret store csi driver test for gcp provider"
+ # TODOs
+ # 1. Create a temporary secret in boskos pool once https://github.com/kubernetes/k8s.io/pull/7416 is submitted.
+ # 2. Rotate secrets created in above step
+ # 3. Clean up the secret.
+
+ #install boskosctl
+ if [[ -z "$(command -v boskosctl)" ]]; then
+ echo "installing boskosctl"
+ GO111MODULE=on go install sigs.k8s.io/boskos/cmd/boskosctl@master
+ echo "'boskosctl' has been installed to $GOPATH/bin, make sure this directory is in your \$PATH"
+ fi
+
+ echo "testing boskosctl"
+ boskosctl --help
+
+ # Aquire a project from boskos pool, test will use secret created on this
+ if [ -n "${BOSKOS_HOST:-}" ]; then
+ echo "Boskos acquire - ${BOSKOS_HOST}"
+ export BOSKOS_RESOURCE="$( boskosctlwrapper acquire --type gce-project --state free --target-state busy --timeout 1h )"
+ export RESOURCE_NAME=$(echo $BOSKOS_RESOURCE | jq -r ".name")
+ export GCP_PROJECT=$(echo $BOSKOS_RESOURCE | jq -r ".name")
+
+ # send a heartbeat in the background to keep the lease while using the resource
+ echo "Starting Boskos HeartBeat"
+ boskosctlwrapper heartbeat --resource "${BOSKOS_RESOURCE}" &
+ fi
+
+ echo "Using project ${GCP_PROJECT}"
+ gcloud config set project ${GCP_PROJECT}
+
+ # TODO remove this after testing
+ gcloud projects get-iam-policy k8s-infra-e2e-boskos-001 \
+ --flatten="bindings[].members" \
+ --format='table(bindings.role)' \
+ --filter="bindings.members:prow-build@k8s-infra-prow-build.iam.gserviceaccount.com"
+
+ # create a secret in the aquired project
+ export SECRET_ID="test-secret-$(openssl rand -hex 4)"
+ export SECRET_VALUE="secret-a"
+ echo -n ${SECRET_VALUE} | gcloud beta secrets create ${SECRET_ID} --data-file=- --ttl=1800s --quiet
+
+ export SECRET_PROJECT_ID="$(gcloud config get project)"
+ export SECRET_PROJECT_NUMBER="$(gcloud projects describe $SECRET_PROJECT_ID --format='value(projectNumber)')"
+
+ export SECRET_URI="projects/${SECRET_PROJECT_NUMBER}/secrets/${SECRET_ID}/versions/latest"
+
+ # Prow jobs are executed by `k8s-infra-prow-build.svc.id.goog` in test-pods namespace, so grant the access to the secret
+ gcloud secrets add-iam-policy-binding ${SECRET_ID} \
+ --role=roles/secretmanager.secretAccessor \
+ --member=principalSet://iam.googleapis.com/projects/773781448124/locations/global/workloadIdentityPools/k8s-infra-prow-build.svc.id.goog/namespace/test-pods
+
+ # wait for permissions to propogate
+ sleep 60
+
+ make e2e-bootstrap e2e-helm-deploy e2e-gcp
+}
+
+main
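Review bot: `cleanup()` runs `gcloud beta secrets delete ${SECRET_ID} --quiet` unconditionally, but SECRET_ID is only exported late in `main`; under `set -o nounset` any earlier failure (boskosctl install, `acquire`, `gcloud config set project`) makes the EXIT trap abort on that expansion, so the boskos `release` a few lines below never runs and the project stays leased as busy until the 1h timeout. The background `heartbeat` process is likewise never stopped, and `RESOURCE_NAME` is expanded in the trap even when the acquire branch was skipped. The rewrite below guards each step and records the heartbeat pid; the `--ttl=1800s` on the secret remains the backstop if cleanup still cannot run. Separately, the `# TODO remove this after testing` `get-iam-policy` block against a fixed project prints IAM bindings into CI logs and should be dropped before merge, and `go install sigs.k8s.io/boskos/cmd/boskosctl@master` should be pinned to a tag or commit so the CI tooling is reproducible.
```shell
cleanup() {
  # SECRET_ID, HEARTBEAT_PID and RESOURCE_NAME are only set part-way through
  # main; guard each so an early failure still reaches the boskos release.
  if [ -n "${SECRET_ID:-}" ]; then
    gcloud beta secrets delete "${SECRET_ID}" --quiet || true
  fi
  # stop boskos heartbeat
  if [ -n "${HEARTBEAT_PID:-}" ]; then
    kill "${HEARTBEAT_PID}" 2>/dev/null || true
  fi
  if [ -n "${BOSKOS_HOST:-}" ] && [ -n "${RESOURCE_NAME:-}" ]; then
    boskosctlwrapper release --name "${RESOURCE_NAME}" --target-state dirty
  fi
}
# … unchanged: trap, boskosctl install, acquire …
    boskosctlwrapper heartbeat --resource "${BOSKOS_RESOURCE}" &
    HEARTBEAT_PID=$!
# … unchanged: project setup, secret creation, IAM binding, make …
```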