HSM Functional Tests

Signed-off-by: Mauricio Harley <[email protected]>

tests/functional/barbican_controller_test.go

@@ -12,7 +12,6 @@ import (
 	. "github.com/openstack-k8s-operators/lib-common/modules/common/test/helpers"
 
 	barbicanv1beta1 "github.com/openstack-k8s-operators/barbican-operator/api/v1beta1"
-	"github.com/openstack-k8s-operators/barbican-operator/controllers"
 	"github.com/openstack-k8s-operators/barbican-operator/pkg/barbican"
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	mariadb_test "github.com/openstack-k8s-operators/mariadb-operator/api/test/helpers"
@@ -425,11 +424,13 @@ var _ = Describe("Barbican controller", func() {
 
 	When("A Barbican with HSM is created", func() {
 		BeforeEach(func() {
+			DeferCleanup(k8sClient.Delete, ctx, CreateHSMLoginSecret(barbicanTest.Instance.Namespace, HSMLoginSecret))
+			DeferCleanup(k8sClient.Delete, ctx, CreateHSMCertsSecret(barbicanTest.Instance.Namespace, HSMCertsSecret))
+
 			DeferCleanup(th.DeleteInstance, CreateBarbican(barbicanTest.Instance, GetHSMBarbicanSpec()))
 			DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanMessageBusSecret(barbicanTest.Instance.Namespace, barbicanTest.RabbitmqSecretName))
-			DeferCleanup(th.DeleteInstance, CreateBarbicanAPI(barbicanTest.Instance, GetHSMBarbicanAPISpec()))
+			infra.SimulateTransportURLReady(barbicanTest.BarbicanTransportURL)
 			DeferCleanup(k8sClient.Delete, ctx, CreateKeystoneAPISecret(barbicanTest.Instance.Namespace, SecretName))
-			// keystoneAPI := keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace)
 			DeferCleanup(
 				mariadb.DeleteDBService,
 				mariadb.CreateDBService(
@@ -440,12 +441,12 @@ var _ = Describe("Barbican controller", func() {
 					},
 				),
 			)
-			infra.SimulateTransportURLReady(barbicanTest.BarbicanTransportURL)
-			DeferCleanup(keystone.DeleteKeystoneAPI, keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace))
 			mariadb.SimulateMariaDBAccountCompleted(barbicanTest.BarbicanDatabaseAccount)
 			mariadb.SimulateMariaDBDatabaseCompleted(barbicanTest.BarbicanDatabaseName)
+			DeferCleanup(keystone.DeleteKeystoneAPI, keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace))
 			th.SimulateJobSuccess(barbicanTest.BarbicanDBSync)
-			// DeferCleanup(keystone.DeleteKeystoneAPI, keystoneAPI)
+			DeferCleanup(th.DeleteInstance, CreateBarbicanAPI(barbicanTest.Instance, GetHSMBarbicanAPISpec()))
+			th.SimulateJobSuccess(barbicanTest.BarbicanP11Prep)
 		})
 
 		It("Creates BarbicanAPI", func() {
@@ -464,7 +465,7 @@ var _ = Describe("Barbican controller", func() {
 			// Check the resulting deployment fields
 			Expect(int(*d.Spec.Replicas)).To(Equal(1))
 
-			Expect(d.Spec.Template.Spec.Volumes).To(HaveLen(3))
+			Expect(d.Spec.Template.Spec.Volumes).To(HaveLen(4))
 			Expect(d.Spec.Template.Spec.Containers).To(HaveLen(2))
 
 			container := d.Spec.Template.Spec.Containers[1]
@@ -473,28 +474,45 @@ var _ = Describe("Barbican controller", func() {
 			Expect(container.LivenessProbe.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTP))
 		})
 
-		It("Should have the right configuration contents", func() {
-			/*keystone.SimulateKeystoneEndpointReady(barbicanTest.BarbicanKeystoneEndpoint)
-			mariadb.SimulateMariaDBAccountCompleted(barbicanTest.BarbicanDatabaseAccount)
-			mariadb.SimulateMariaDBDatabaseCompleted(barbicanTest.BarbicanDatabaseName)*/
-
-			cf := th.GetSecret(barbicanTest.BarbicanConfigSecret)
-			Expect(cf).ShouldNot(BeNil())
-			confChrystoki := cf.Data["Chrystoki.conf"]
-			Expect(confChrystoki).To(
-				ContainSubstring("Luna = {\n  DefaultTimeOut = 500000;\n  PEDTimeout1 = 100000;\n  PEDTimeout2 = 200000;"))
-			confDefault := cf.Data["00-default.conf"]
-			Expect(confDefault).To(
-				ContainSubstring("[secretstore:pkcs11]"))
+		It("Verifies the PKCS11 struct is in good shape", func() {
+			Barbican := GetBarbican(barbicanTest.Instance)
+			Expect(Barbican.Spec.EnabledSecretStores).Should(Equal([]barbicanv1beta1.SecretStore{"pkcs11"}))
+			Expect(Barbican.Spec.GlobalDefaultSecretStore).Should(Equal(barbicanv1beta1.SecretStore("pkcs11")))
+
+			pkcs11 := Barbican.Spec.PKCS11
+			Expect(pkcs11.SlotId).Should(Equal(HSMSlotID))
+			Expect(pkcs11.LibraryPath).Should(Equal(HSMLibraryPath))
+			Expect(pkcs11.CertificatesMountPoint).Should(Equal(HSMCertificatesMountPoint))
+			Expect(pkcs11.LoginSecret).Should(Equal(HSMLoginSecret))
+			Expect(pkcs11.CertificatesSecret).Should(Equal(HSMCertsSecret))
+			Expect(pkcs11.MKEKLabel).Should(Equal(HSMMKEKLabel))
+			Expect(pkcs11.HMACLabel).Should(Equal(HSMHMACLabel))
+			Expect(pkcs11.ServerAddress).Should(Equal(HSMServerAddress))
+			Expect(pkcs11.ClientAddress).Should(Equal(HSMClientAddress))
+			Expect(pkcs11.Type).Should(Equal(HSMType))
 		})
 
-		It("Should have the relevant conditions in the right state", func() {
-			th.ExpectCondition(
-				barbicanTest.Instance,
-				ConditionGetterFunc(BarbicanConditionGetter),
-				controllers.P11PrepReadyCondition,
-				corev1.ConditionTrue,
-			)
+		It("Checks if the two relevant secrets have the right contents", func() {
+			hsmSecret := th.GetSecret(barbicanTest.BarbicanHSMLoginSecret)
+			Expect(hsmSecret).ShouldNot(BeNil())
+			confHSM := hsmSecret.Data["hsmLogin"]
+			Expect(confHSM).To(
+				ContainSubstring("12345678"))
+
+			certsSecret := th.GetSecret(barbicanTest.BarbicanHSMCertsSecret)
+			Expect(certsSecret).ShouldNot(BeNil())
+			confCA := certsSecret.Data["CACert.pem"]
+			Expect(confCA).To(
+				ContainSubstring("dummy-data"))
+			confServer := certsSecret.Data[HSMServerAddress+"Server.pem"]
+			Expect(confServer).To(
+				ContainSubstring("dummy-data"))
+			confClient := certsSecret.Data[HSMClientAddress+"Client.pem"]
+			Expect(confClient).To(
+				ContainSubstring("dummy-data"))
+			confKey := certsSecret.Data[HSMClientAddress+"Client.key"]
+			Expect(confKey).To(
+				ContainSubstring("dummy-data"))
 		})
 	})
 

tests/functional/barbican_test_data.go

@@ -54,6 +54,7 @@ type BarbicanTestData struct {
 	BarbicanDatabaseName     types.NamespacedName
 	BarbicanDatabaseAccount  types.NamespacedName
 	BarbicanDBSync           types.NamespacedName
+	BarbicanP11Prep          types.NamespacedName
 	BarbicanAPI              types.NamespacedName
 	BarbicanRole             types.NamespacedName
 	BarbicanRoleBinding      types.NamespacedName
@@ -64,6 +65,8 @@ type BarbicanTestData struct {
 	BarbicanServicePublic    types.NamespacedName
 	BarbicanServiceInternal  types.NamespacedName
 	BarbicanConfigSecret     types.NamespacedName
+	BarbicanHSMLoginSecret   types.NamespacedName
+	BarbicanHSMCertsSecret   types.NamespacedName
 	BarbicanConfigScripts    types.NamespacedName
 	BarbicanConfigMapData    types.NamespacedName
 	BarbicanScheduler        types.NamespacedName
@@ -96,6 +99,10 @@ func GetBarbicanTestData(barbicanName types.NamespacedName) BarbicanTestData {
 			Namespace: barbicanName.Namespace,
 			Name:      fmt.Sprintf("%s-db-sync", barbicanName.Name),
 		},
+		BarbicanP11Prep: types.NamespacedName{
+			Namespace: barbicanName.Namespace,
+			Name:      fmt.Sprintf("%s-p11-prep", barbicanName.Name),
+		},
 		BarbicanAPI: types.NamespacedName{
 			Namespace: barbicanName.Namespace,
 			Name:      fmt.Sprintf("%s-api-api", barbicanName.Name),
@@ -137,6 +144,16 @@ func GetBarbicanTestData(barbicanName types.NamespacedName) BarbicanTestData {
 			Namespace: barbicanName.Namespace,
 			Name:      fmt.Sprintf("%s-%s", barbicanName.Name, "config-data"),
 		},
+		// This secret stores the password to connect to the HSM.
+		BarbicanHSMLoginSecret: types.NamespacedName{
+			Namespace: barbicanName.Namespace,
+			Name:      "hsm-login",
+		},
+		// This secret stores the certificates used to interact with the HSM.
+		BarbicanHSMCertsSecret: types.NamespacedName{
+			Namespace: barbicanName.Namespace,
+			Name:      "hsm-certs",
+		},
 		BarbicanConfigScripts: types.NamespacedName{
 			Namespace: barbicanName.Namespace,
 			Name:      fmt.Sprintf("%s-%s", barbicanName.Name, "scripts"),

tests/functional/base_test.go

@@ -43,17 +43,6 @@ func CreateKeystoneAPISecret(namespace string, name string) *corev1.Secret {
 	)
 }
 
-func CreateHSMSecret(namespace string, name string) *corev1.Secret {
-	return th.CreateSecret(
-		types.NamespacedName{Namespace: namespace, Name: name},
-		map[string][]byte{
-			"AdminPassword":            []byte("12345678"),
-			"BarbicanPassword":         []byte("12345678"),
-			"KeystoneDatabasePassword": []byte("12345678"),
-		},
-	)
-}
-
 func GetDefaultBarbicanSpec() map[string]interface{} {
 	return map[string]interface{}{
 		"databaseInstance":          "openstack",
@@ -187,33 +176,30 @@ func GetTLSBarbicanAPISpec() map[string]interface{} {
 
 // ========== HSM Stuff ============
 func GetHSMBarbicanSpec() map[string]interface{} {
-	return map[string]interface{}{
-		"databaseInstance":          "openstack",
-		"secret":                    SecretName,
-		"simpleCryptoBackendSecret": SecretName,
-		"barbicanAPI":               GetHSMBarbicanAPISpec(),
-	}
-}
-
-func GetHSMBarbicanAPISpec() map[string]interface{} {
-	spec := GetDefaultBarbicanAPISpec()
+	spec := GetDefaultBarbicanSpec()
 	maps.Copy(spec, map[string]interface{}{
 		"enabledSecretStores":      []string{"pkcs11"},
 		"globalDefaultSecretStore": "pkcs11",
 		"pkcs11": map[string]interface{}{
-			"type":          HSMType,
-			"libraryPath":   HSMLibraryPath,
-			"slotId":        HSMSlotID,
-			"MKEKLabel":     HSMMKEKLabel,
-			"HMACLabel":     HSMHMACLabel,
-			"serverAddress": HSMServerAddress,
-			"clientAddress": HSMClientAddress,
-			"loginSecret":   HSMLoginSecret,
+			"slotId":                 HSMSlotID,
+			"libraryPath":            HSMLibraryPath,
+			"certificatesMountPoint": HSMCertificatesMountPoint,
+			"loginSecret":            HSMLoginSecret,
+			"certificatesSecret":     HSMCertsSecret,
+			"MKEKLabel":              HSMMKEKLabel,
+			"HMACLabel":              HSMHMACLabel,
+			"serverAddress":          HSMServerAddress,
+			"clientAddress":          HSMClientAddress,
+			"type":                   HSMType,
 		},
 	})
 	return spec
 }
 
+func GetHSMBarbicanAPISpec() map[string]interface{} {
+	return GetDefaultBarbicanAPISpec()
+}
+
 func CreateHSMLoginSecret(namespace string, name string) *corev1.Secret {
 	return th.CreateSecret(
 		types.NamespacedName{Namespace: namespace, Name: name},
@@ -223,6 +209,18 @@ func CreateHSMLoginSecret(namespace string, name string) *corev1.Secret {
 	)
 }
 
+func CreateHSMCertsSecret(namespace string, name string) *corev1.Secret {
+	return th.CreateSecret(
+		types.NamespacedName{Namespace: namespace, Name: name},
+		map[string][]byte{
+			"CACert.pem":                    []byte("dummy-data"),
+			HSMServerAddress + "Server.pem": []byte("dummy-data"),
+			HSMClientAddress + "Client.pem": []byte("dummy-data"),
+			HSMClientAddress + "Client.key": []byte("dummy-data"),
+		},
+	)
+}
+
 // ========== End of HSM Stuff ============
 
 func GetDefaultBarbicanAPISpec() map[string]interface{} {

tests/functional/suite_test.go

@@ -71,14 +71,16 @@ const (
 	interval = time.Millisecond * 200
 
 	// HSM Constants
-	HSMType          = "luna" // Using them Luna model without any specific selection criteria.
-	HSMLibraryPath   = "/usr/local/luna/libs/64/libCryptoki2.so"
-	HSMSlotID        = "1"
-	HSMMKEKLabel     = "MKEKLabel"
-	HSMHMACLabel     = "HMACLabel"
-	HSMServerAddress = "192.168.0.1"
-	HSMClientAddress = "192.168.0.2"
-	HSMLoginSecret   = "hsm-secret"
+	HSMType                   = "luna" // Using them Luna model without any specific selection criteria.
+	HSMLibraryPath            = "/usr/local/luna/libs/64/libCryptoki2.so"
+	HSMCertificatesMountPoint = "/usr/local/luna/config/certs"
+	HSMSlotID                 = "1"
+	HSMMKEKLabel              = "MKEKLabel"
+	HSMHMACLabel              = "HMACLabel"
+	HSMServerAddress          = "192.168.0.1"
+	HSMClientAddress          = "192.168.0.2"
+	HSMLoginSecret            = "hsm-login"
+	HSMCertsSecret            = "hsm-certs"
 )
 
 func TestAPIs(t *testing.T) {