diff --git a/tests/e2e/examples/secureJsonDatasource/00-assertions.yaml b/tests/e2e/examples/secureJsonDatasource/00-assertions.yaml new file mode 100644 index 000000000..21e991c5e --- /dev/null +++ b/tests/e2e/examples/secureJsonDatasource/00-assertions.yaml @@ -0,0 +1,34 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grafana-deployment + ownerReferences: + - apiVersion: grafana.integreatly.org/v1beta1 + kind: Grafana + name: grafana +status: + availableReplicas: 1 +--- +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDatasource +metadata: + name: thanos +spec: + datasource: + secureJsonData: + httpHeaderValue1: 'Bearer ${token}' + valuesFrom: + - targetPath: "secureJsonData.httpHeaderValue1" + valueFrom: + secretKeyRef: + name: grafana-instance-sa-token + key: token +status: + uid: +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: thanos-querier +status: + availableReplicas: 1 diff --git a/tests/e2e/examples/secureJsonDatasource/00-resources.yaml b/tests/e2e/examples/secureJsonDatasource/00-resources.yaml new file mode 100644 index 000000000..2952bb1f2 --- /dev/null +++ b/tests/e2e/examples/secureJsonDatasource/00-resources.yaml 
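Review bot: `status: uid:` at the end of the GrafanaDatasource assertion is a bare YAML null, so it does not verify that the operator actually populated the datasource UID that step-01 later reads via `.[0].uid`; depending on how chainsaw treats a null expected value it is either a no-op or an equality check against null, and neither proves the field was set. If the intent is "UID is present", state it with a kyverno-json expression such as `(uid != null): true`, confirming the exact form against the chainsaw version this repo pins. The `httpHeaderValue1: 'Bearer ${token}'` line only re-asserts the raw spec template and says nothing about secret resolution, which is fine as a sanity check but worth a comment pointing at step-03 as the real check.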
@@ -0,0 +1,103 @@ +apiVersion: grafana.integreatly.org/v1beta1 +kind: Grafana +metadata: + name: grafana + labels: + dashboards: "grafana" +spec: + config: + log: + mode: "console" + auth: + disable_login_form: "false" + security: + admin_user: root + admin_password: secret + deployment: + spec: + template: + spec: + containers: + - name: grafana + image: grafana/grafana:10.4.2 # Not all grafana versions support the API to test the datasource +--- +apiVersion: v1 +kind: Secret +metadata: + name: grafana-instance-sa-token +stringData: + token: "token-content" +--- +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDatasource +metadata: + name: thanos +spec: + instanceSelector: + matchLabels: + dashboards: "grafana" + datasource: + access: proxy + basicAuth: false + editable: true + isDefault: true + jsonData: + httpHeaderName1: 'Authorization' + timeInterval: 5s + tlsSkipVerify: true + secureJsonData: + httpHeaderValue1: 'Bearer ${token}' + name: Prometheus + orgId: 1 + type: prometheus + url: (join('',['http://thanos-querier.',$namespace,'.svc',':8080'])) + valuesFrom: + - targetPath: "secureJsonData.httpHeaderValue1" + valueFrom: + secretKeyRef: + name: grafana-instance-sa-token + key: token +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: thanos-querier + labels: + app: thanos-querier +spec: + selector: + matchLabels: + app: thanos-querier + template: + metadata: + labels: + app: thanos-querier + spec: + terminationGracePeriodSeconds: 3 + containers: + - name: netcat + image: alpine + command: + - sh + - -c + - | + set -eu + echo "Starting pod" + while true; do echo -e 'HTTP/1.1 200 OK\n\n{"asdf":"date"}' | nc -l -p 8080; done + ports: + - containerPort: 8080 + name: http + protocol: TCP +--- +apiVersion: v1 +kind: Service +metadata: + name: thanos-querier +spec: + selector: + app: thanos-querier + ports: + - port: 8080 + name: http + protocol: TCP + targetPort: 8080 
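Review bot: `tlsSkipVerify: true` on the thanos datasource is dead in this test (the url is plain `http://…:8080`, so no certificate is ever checked), yet it is exactly the line that gets copied from examples into real GrafanaDatasource specs, where it silently disables server verification; drop it, or keep it with `# test emulator speaks plain HTTP; do not copy tlsSkipVerify into a real datasource`. In the same spirit, `admin_password: secret` and the `token-content` Secret are fixture values and a one-line comment on each should say so. The emulator container uses the floating `image: alpine` tag, so the busybox `nc` flags (`-l -p`) and the raw-request echo that step-03 greps for can change underneath the test; pin it, e.g. `image: alpine:3.20`. Note also that this emulator writes the entire inbound request, bearer header included, to stdout — that is what step-03 reads from the pod log, which is fine here but deserves a comment on the `while true` line so it is not reused as a generic stub.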
diff --git a/tests/e2e/examples/secureJsonDatasource/01-assertions.yaml b/tests/e2e/examples/secureJsonDatasource/01-assertions.yaml new file mode 100644 index 000000000..9fc7f96d0 --- /dev/null +++ b/tests/e2e/examples/secureJsonDatasource/01-assertions.yaml @@ -0,0 +1,6 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: grafana-querier +status: + succeeded: 1 diff --git a/tests/e2e/examples/secureJsonDatasource/01-resources.yaml b/tests/e2e/examples/secureJsonDatasource/01-resources.yaml new file mode 100644 index 000000000..be8492622 --- /dev/null +++ b/tests/e2e/examples/secureJsonDatasource/01-resources.yaml @@ -0,0 +1,27 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: grafana-querier + labels: + app: grafana-querier +spec: + template: + spec: + restartPolicy: Never + containers: + - name: netcat + image: dwdraju/alpine-curl-jq #alpine + env: + - name: BASEURL + value: (join('',['http://root:secret@grafana-service.',$namespace,'.svc',':3000'])) + command: + - sh + - -c + - | + set -eu + sleep 15 + echo "The base URL for grafana: ${BASEURL}" + export DATASOURCE_UID=$(curl -v "${BASEURL}/api/datasources" -H "Accept: application/json" | jq -r '.[0].uid') + echo "Datasource UID: ${DATASOURCE_UID}" + RESULT=$(curl -s "${BASEURL}/api/datasources/uid/${DATASOURCE_UID}/health" -H "Accept: application/json" | jq -r '.') + echo "Result: ${RESULT}" diff --git a/tests/e2e/examples/secureJsonDatasource/README.md b/tests/e2e/examples/secureJsonDatasource/README.md new file mode 100644 index 000000000..c2030ba0c --- /dev/null +++ b/tests/e2e/examples/secureJsonDatasource/README.md 
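Review bot: In the grafana-querier Job both `curl -v` and the `echo "The base URL for grafana: ${BASEURL}"` line write the admin credentials to the pod log (`root:secret@…` in the URL, and the `Authorization: Basic …` request header that `-v` prints), which step-02 then reads back with `kubectl logs`; the values are fixtures, but the pattern leaks whatever BASEURL holds. Drop the echo, use `-sS` instead of `-v`, and pass the credentials with `-u` (or a `.netrc`) rather than embedding them in the URL. Separately, neither curl uses `--fail`, so an HTTP 401/500 from Grafana exits 0, `set -eu` does not trip, `jq -r '.[0].uid'` yields the string `null`, the health request goes to `/api/datasources/uid/null/health`, and the Job still reaches the asserted `succeeded: 1`; `curl -sSf` makes the Job fail at the point of error instead of leaving detection to step-02's grep. `image: dwdraju/alpine-curl-jq` is an unpinned third-party Docker Hub image that runs with the Grafana admin credentials in its environment; pin it by digest (or at least a tag) or use a project-controlled image.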
@@ -0,0 +1,28 @@ +# Testing GrafanaDatasource secureJsonData + +This test creates a GrafanaDatasource with a reference +to a secret (which is normally created by a serviceAccount) +and makes sure it's inserted correctly into +grafana. + +## Step 00 + +This step creates a number of resources: +- Grafana (to create a new grafana) +- GrafanaDatasource (with secureJsonData and a secret) +- A thanos emulator pod, using netcat, with a service + +## Step 01 + +This step starts a pod which query the grafana to test it's datasource, +which in turn forces the grafana to query thanos. + +## Step 02 + +Verify in the log that grafana is happy with the response from +the datasource. + +## Step 03 + +Verify in the log that grafana sent the authorization header with +the token. diff --git a/tests/e2e/examples/secureJsonDatasource/chainsaw-test.yaml b/tests/e2e/examples/secureJsonDatasource/chainsaw-test.yaml new file mode 100755 index 000000000..629ebce21 --- /dev/null +++ b/tests/e2e/examples/secureJsonDatasource/chainsaw-test.yaml 
@@ -0,0 +1,59 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: secure-json-datasource +spec: + concurrent: false + steps: + # This starts the grafana and the netcat simulating thanos. + - name: step-00 + try: + - apply: + template: true + file: 00-resources.yaml + - assert: + template: true + file: 00-assertions.yaml + # This queries the grafana to trigger a query to the netcat simulating thanos. + - name: step-01 + try: + - apply: + template: true + file: 01-resources.yaml + - assert: + file: 01-assertions.yaml + # This step verifies that grafana is happy with the datasource + - name: step-02 + timeouts: + assert: 5s + try: + - script: + content: 'kubectl logs -n ${namespace} -l job-name=grafana-querier | grep "Result: " -A200 | sed "s|Result:||" | jq -r "."' + env: + - name: namespace + value: ($namespace) + outputs: + - name: grafana_response + value: (json_parse($stdout)) + - assert: + resource: + ($grafana_response): + status: OK + # This step verifies that netcat/thanos got a call with a token + - name: step-03 + timeouts: + assert: 5s + try: + - script: + content: 'kubectl logs -n ${namespace} -l app=thanos-querier | grep "^Authorization:" | head -n 1' + env: + - name: namespace + value: ($namespace) + outputs: + - name: thanos_request_log + value: ($stdout) + - assert: + resource: + ($thanos_request_log): + "Authorization: Bearer token-content"
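Review bot: Both scripts run `kubectl logs` with a label selector (`-l job-name=…`, `-l app=thanos-querier`) and no `--tail`, and kubectl defaults `--tail` to 10 lines whenever a selector is given; the querier log carries curl's verbose output and the emulator log grows by one full request per Grafana probe, so the `Result:` block or the `Authorization:` line can fall outside the last 10 lines and the step fails for reasons unrelated to secureJsonData. Add `--tail=-1` to both, e.g. `kubectl logs -n ${namespace} --tail=-1 -l app=thanos-querier | grep "^Authorization:" | head -n 1`. Step-03 is the only assertion that actually proves the Secret value was resolved (it pins `Bearer token-content`, not the `${token}` template), which the `# This step verifies…` comment should state explicitly; its exact-string compare against `$stdout` also assumes chainsaw strips the trailing newline from `head` — confirm, or append `| tr -d '\n'`.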