Add integration test for GetAuthorizedEntries RPC #5356
Changes from all commits
8a8168b
bced4a6
ad69533
8c06cae
ad281c4
60cf79c
4a862bb
@@ -0,0 +1,6 @@ | ||
#!/bin/bash | ||
|
||
"${ROOTDIR}/setup/x509pop/setup.sh" conf/server conf/agent | ||
|
||
"${ROOTDIR}/setup/debugserver/build.sh" "${RUNDIR}/conf/server/debugclient" | ||
"${ROOTDIR}/setup/debugagent/build.sh" "${RUNDIR}/conf/agent/debugclient" |
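Review bot: Nothing stops this script after a failed `setup.sh` on line 32, because there is no `set -e` after the shebang; the two `build.sh` calls on lines 35-36 still run and the step can finish with status 0 unless the harness checks each command itself, which is not visible here. Add `set -e` on the line after `#!/bin/bash`, as the entry-creation script in this PR already does. The same applies to the bootstrap script in this PR.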
@@ -0,0 +1,3 @@ | ||
#!/bin/bash | ||
|
||
docker-up spire-server |
@@ -0,0 +1,5 @@ | ||
#!/bin/bash | ||
|
||
log-debug "bootstrapping agent..." | ||
docker compose exec -T spire-server \ | ||
/opt/spire/bin/spire-server bundle show > conf/agent/bootstrap.crt | ||
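Review bot: The redirect on lines 51-52 creates `conf/agent/bootstrap.crt` before `spire-server bundle show` runs, so a failed `docker compose exec` leaves an empty trust-bundle file and, with no `set -e`, the script still exits 0; the agent then starts against an empty bundle and the problem surfaces later as an attestation failure rather than here. Add `set -e` after the shebang and check the result, e.g. `[ -s conf/agent/bootstrap.crt ] || { echo "bootstrap bundle is empty" >&2; exit 1; }`.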
@@ -0,0 +1,3 @@ | ||
#!/bin/bash | ||
|
||
docker-up spire-agent |
@@ -0,0 +1,19 @@ | ||
#!/bin/bash | ||
set -e | ||
|
||
SIZE=10 | ||
|
||
# Create entries for uid 1001 | ||
for ((m=1;m<=$SIZE;m++)); do | ||
log-debug "creating registration entry: $m" | ||
docker compose exec -T spire-server \ | ||
/opt/spire/bin/spire-server entry create \ | ||
-parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" \ | ||
-spiffeID "spiffe://domain.test/workload-$m" \ | ||
-selector "unix:uid:1001" \ | ||
-ttl 0 & | ||
done | ||
|
||
for ((m=1;m<=$SIZE;m++)); do | ||
check-synced-entry "spire-agent" "spiffe://domain.test/workload-$m" | ||
done | ||
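Review bot: The `entry create` calls on lines 73-78 are backgrounded with `&` and nothing ever `wait`s for them, so `set -e` on line 64 cannot see a failed create; the script only fails later when `check-synced-entry` on line 83 times out, with no indication of which create failed. Collect the PIDs and wait on each one so a non-zero status propagates: `pids=()` before the loop, `-ttl 0 & pids+=($!)` on line 78, and `for pid in "${pids[@]}"; do wait "$pid"; done` after the `done` on line 79. The `$(fingerprint conf/agent/agent.crt.pem)` substitution on line 75 is loop-invariant and can be computed once into a variable before the loop.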
let's simplify CI and make each step distinct; checking in the agent that entries are synced is separate from their creation. However, that probably could also just be a separate integration test (if one doesn't already exist)? Do we need the agent to come up at all for us to make the later GetAuthorizedEntries call? |
@@ -0,0 +1,94 @@ | ||||||||
#!/bin/bash | ||||||||
|
||||||||
# Ensure the script exits on errors | ||||||||
set -e | ||||||||
|
||||||||
# Variables | ||||||||
SPIRE_SERVER="http://localhost:8081" | ||||||||
EXPECTED_SVID="spiffe://domain.test/workload" | ||||||||
RETRY_COUNT=10 | ||||||||
RETRY_DELAY=2 # Seconds to wait between retries | ||||||||
SIZE=10 | ||||||||
|
||||||||
# Function to list entries | ||||||||
list_entries() { | ||||||||
local response | ||||||||
|
||||||||
response=$(curl -s -X GET "$SPIRE_SERVER/v1/entries") | ||||||||
|
||||||||
echo "$response" | ||||||||
} | ||||||||
|
||||||||
# Function to call GetAuthorizedEntries | ||||||||
call_get_authorized_entries() { | ||||||||
local response | ||||||||
|
||||||||
response=$(curl -s -X POST "$SPIRE_SERVER/v1/entries/authorized" -H "Content-Type: application/json" -d '{}') | ||||||||
|
||||||||
echo "$response" | ||||||||
} | ||||||||
|
||||||||
# Function to verify the GetAuthorizedEntries response | ||||||||
verify_get_authorized_entries() { | ||||||||
local response=$1 | ||||||||
|
||||||||
for ((m=1;m<=$SIZE;m++)); do | ||||||||
|
||||||||
if echo "$response" | grep -q "$EXPECTED_SVID-$m"; then | ||||||||
echo "GetAuthorizedEntries response includes expected SVID $EXPECTED_SVID." | ||||||||
return 0 | ||||||||
else | ||||||||
echo "GetAuthorizedEntries response does not include expected SVID $EXPECTED_SVID." | ||||||||
echo "Response details:" | ||||||||
echo "$response" | ||||||||
return 1 | ||||||||
fi | ||||||||
done | ||||||||
} | ||||||||
|
||||||||
# Function to verify registration entry | ||||||||
verify_registration_entry() { | ||||||||
local response | ||||||||
|
||||||||
response=$(list_entries) | ||||||||
why do we need to verify the full list of entries to test GetAuthorizedEntries? That could be a separate integration test (if it doesn't already exist). |
||||||||
|
||||||||
if echo "$response" | grep -q "$EXPECTED_SVID"; then | ||||||||
echo "Registration entry with SVID $EXPECTED_SVID exists." | ||||||||
return 0 | ||||||||
else | ||||||||
echo "Registration entry with SVID $EXPECTED_SVID does not exist." | ||||||||
echo "Entries details:" | ||||||||
echo "$response" | ||||||||
return 1 | ||||||||
fi | ||||||||
} | ||||||||
|
||||||||
# Prepare the test data | ||||||||
echo "Setting up test data..." | ||||||||
# (Include any commands to set up test data here) | ||||||||
Comment on lines
+66
to
+68
we're not setting up test data here |
||||||||
|
||||||||
# Verify the registration entry | ||||||||
echo "Verifying registration entry..." | ||||||||
if ! verify_registration_entry; then | ||||||||
echo "Registration entry verification failed." | ||||||||
exit 1 | ||||||||
fi | ||||||||
|
||||||||
# Wait for the entries to become available | ||||||||
echo "Waiting for entries to become available..." | ||||||||
attempt=0 | ||||||||
while [ $attempt -lt $RETRY_COUNT ]; do | ||||||||
response=$(call_get_authorized_entries) | ||||||||
|
||||||||
if verify_get_authorized_entries "$response"; then | ||||||||
echo "Test passed!" | ||||||||
exit 0 | ||||||||
fi | ||||||||
|
||||||||
attempt=$((attempt + 1)) | ||||||||
echo "Entries not available yet. Waiting for $RETRY_DELAY seconds... (Attempt $attempt)" | ||||||||
sleep $RETRY_DELAY | ||||||||
done | ||||||||
|
||||||||
echo "Failed to verify entries after $RETRY_COUNT attempts." | ||||||||
exit 1 |
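Review bot: `verify_get_authorized_entries` (lines 129-146) returns from inside the loop on the first iteration, so with `SIZE=10` only `workload-1` is ever checked, and that unanchored `grep -q` substring match is also satisfied by `workload-10`; the function should only report success once every SVID has been found, as in the rewrite below. Separately, `SPIRE_SERVER` on line 97 points at `localhost:8081`, but the compose file in this PR publishes no `ports:` for `spire-server`, and 8081 is the `bind_port` in `server.conf`, i.e. the server's gRPC API, so a plain `curl` against `/v1/entries` and `/v1/entries/authorized` is unlikely to reach the server or be understood by it unless a REST proxy not shown here is in place; the other steps in this PR use `docker compose exec -T spire-server /opt/spire/bin/spire-server ...`, which is the pattern to reuse here. `curl -s` without `-f` on lines 109 and 121 also feeds an HTTP error body into the grep instead of failing the call.
```bash
verify_get_authorized_entries() {
  local response=$1
  local m
  for ((m=1; m<=SIZE; m++)); do
    # -F: literal match; the closing quote keeps workload-1 from matching
    # workload-10 (assumes the body is JSON, as the request's Content-Type implies)
    if ! grep -qF -- "\"${EXPECTED_SVID}-${m}\"" <<<"$response"; then
      echo "GetAuthorizedEntries response does not include expected SVID ${EXPECTED_SVID}-${m}."
      echo "Response details:"
      echo "$response"
      return 1
    fi
  done
  echo "GetAuthorizedEntries response includes all $SIZE expected SVIDs."
  return 0
}
# … unchanged: list_entries, call_get_authorized_entries, verify_registration_entry, retry loop …
```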
@@ -0,0 +1,38 @@ | ||||||
# Integration Test Suite: Get Authorized Entries | ||||||
|
||||||
This test suite validates the functionality of getting authorized entries from the SPIRE server. It includes setup, execution, and cleanup of the test environment. | ||||||
|
||||||
## Overview | ||||||
|
||||||
The "Get Authorized Entries" test suite ensures that the SPIRE server and agent are correctly configured to handle and authorize entries. The suite involves setting up SPIRE, creating registration entries, running the test, and cleaning up after the test. | ||||||
|
||||||
## Test Steps | ||||||
|
||||||
1. **Setup (`01-setup.sh`)** | ||||||
- Generates required certificates and keys. | ||||||
- Starts the SPIRE server and agent. | ||||||
|
||||||
2. **Create Registration (`02-create_registration.sh`)** | ||||||
- Creates necessary registration entries for testing. | ||||||
|
||||||
3. **Assert Entities Creation (`03-assert-entities-created.sh`)** | ||||||
- Creates necessary registration entries for testing. | ||||||
|
||||||
|
||||||
4. **Teardown (`teardown`)** | ||||||
- Stops the SPIRE server and agent. | ||||||
- Cleans up any remaining artifacts. | ||||||
|
||||||
## Prerequisites | ||||||
|
||||||
- Ensure you have SPIRE installed and configured. | ||||||
- The `spire-server` and `spire-agent` binaries should be in your `PATH`. | ||||||
- Ensure Docker and Rancher are installed if applicable for your environment. | ||||||
|
||||||
## Running the Tests | ||||||
|
||||||
1. **Run the Test Suite** | ||||||
|
||||||
To execute the test suite, run the following command: | ||||||
|
||||||
```bash | ||||||
./test/integration/test-one.sh ./test/integration/suites/get-authorized-entries\ |
@@ -0,0 +1,31 @@ | ||
agent { | ||
data_dir = "/opt/spire/data/agent" | ||
log_level = "DEBUG" | ||
server_address = "spire-server" | ||
server_port = "8081" | ||
socket_path = "/opt/spire/sockets/workload_api.sock" | ||
trust_bundle_path = "/opt/spire/conf/agent/bootstrap.crt" | ||
trust_domain = "domain.test" | ||
admin_socket_path = "/opt/debug.sock" | ||
experimental { | ||
x509_svid_cache_max_size = 8 | ||
} | ||
} | ||
|
||
plugins { | ||
NodeAttestor "x509pop" { | ||
plugin_data { | ||
private_key_path = "/opt/spire/conf/agent/agent.key.pem" | ||
certificate_path = "/opt/spire/conf/agent/agent.crt.pem" | ||
} | ||
} | ||
KeyManager "disk" { | ||
plugin_data { | ||
directory = "/opt/spire/data/agent" | ||
} | ||
} | ||
WorkloadAttestor "unix" { | ||
plugin_data { | ||
} | ||
} | ||
} |
@@ -0,0 +1,26 @@ | ||
server { | ||
bind_address = "0.0.0.0" | ||
bind_port = "8081" | ||
trust_domain = "domain.test" | ||
data_dir = "/opt/spire/data/server" | ||
log_level = "DEBUG" | ||
ca_ttl = "1h" | ||
default_x509_svid_ttl = "10m" | ||
} | ||
|
||
plugins { | ||
DataStore "sql" { | ||
plugin_data { | ||
database_type = "sqlite3" | ||
connection_string = "/opt/spire/data/server/datastore.sqlite3" | ||
} | ||
} | ||
NodeAttestor "x509pop" { | ||
plugin_data { | ||
ca_bundle_path = "/opt/spire/conf/server/agent-cacert.pem" | ||
} | ||
} | ||
KeyManager "memory" { | ||
plugin_data = {} | ||
} | ||
} |
@@ -0,0 +1,14 @@ | ||
services: | ||
spire-server: | ||
image: spire-server:latest-local | ||
hostname: spire-server | ||
volumes: | ||
- ./conf/server:/opt/spire/conf/server | ||
command: ["-config", "/opt/spire/conf/server/server.conf"] | ||
spire-agent: | ||
image: spire-agent:latest-local | ||
hostname: spire-agent | ||
depends_on: ["spire-server"] | ||
volumes: | ||
- ./conf/agent:/opt/spire/conf/agent | ||
command: ["-config", "/opt/spire/conf/agent/agent.conf"] |
@@ -0,0 +1,24 @@ | ||
#!/bin/bash | ||
|
||
set -e | ||
|
||
echo "Bringing down services..." | ||
|
||
## Stop the SPIRE server | ||
#if pgrep spire-server > /dev/null; then | ||
# echo "Stopping SPIRE server..." | ||
# sudo kill -9 $(pgrep spire-server) || true | ||
#fi | ||
# | ||
## Stop the SPIRE agent | ||
#if pgrep spire-agent > /dev/null; then | ||
# echo "Stopping SPIRE agent..." | ||
# sudo kill -9 $(pgrep spire-agent) || true | ||
#fi | ||
# | ||
## Remove temporary directories if needed | ||
#echo "Cleaning up..." | ||
#rm -rf /tmp/spire/data | ||
#rm -rf /tmp/spire/conf | ||
|
||
echo "Teardown complete." |
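Review bot: `teardown` prints "Bringing down services..." on line 363 but runs nothing between that and "Teardown complete." on line 384, so the compose services started by `docker-up` in the setup steps are left running unless the harness tears them down itself, which is not visible here. The commented-out block on lines 366-381 is host-level cleanup (`sudo kill -9` of every `spire-server`/`spire-agent` process on the machine and `rm -rf` of `/tmp/spire/...`) that is unrelated to the containerised suite; drop it rather than leave it to be uncommented later. If the suite does need its own teardown, `docker compose down` is the counterpart of the `docker-up` calls used in the setup steps.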
I didn't see other CI needing these setups you have here since shared creds already are checked in