From 9553a30c91959d38b323e312b1ed1e74b58bb89c Mon Sep 17 00:00:00 2001 From: John Allberg Date: Sun, 14 Apr 2024 21:33:02 +0200 Subject: [PATCH 1/3] chore: create test for secureJsonData. --- .../secureJsonDatasource/00-assertions.yaml | 34 ++++++ .../secureJsonDatasource/00-resources.yaml | 103 ++++++++++++++++++ .../secureJsonDatasource/01-assertions.yaml | 6 + .../secureJsonDatasource/01-resources.yaml | 27 +++++ .../examples/secureJsonDatasource/README.md | 28 +++++ .../secureJsonDatasource/chainsaw-test.yaml | 55 ++++++++++ 6 files changed, 253 insertions(+) create mode 100644 tests/e2e/examples/secureJsonDatasource/00-assertions.yaml create mode 100644 tests/e2e/examples/secureJsonDatasource/00-resources.yaml create mode 100644 tests/e2e/examples/secureJsonDatasource/01-assertions.yaml create mode 100644 tests/e2e/examples/secureJsonDatasource/01-resources.yaml create mode 100644 tests/e2e/examples/secureJsonDatasource/README.md create mode 100755 tests/e2e/examples/secureJsonDatasource/chainsaw-test.yaml diff --git a/tests/e2e/examples/secureJsonDatasource/00-assertions.yaml b/tests/e2e/examples/secureJsonDatasource/00-assertions.yaml new file mode 100644 index 000000000..21e991c5e --- /dev/null +++ b/tests/e2e/examples/secureJsonDatasource/00-assertions.yaml @@ -0,0 +1,34 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grafana-deployment + ownerReferences: + - apiVersion: grafana.integreatly.org/v1beta1 + kind: Grafana + name: grafana +status: + availableReplicas: 1 +--- +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDatasource +metadata: + name: thanos +spec: + datasource: + secureJsonData: + httpHeaderValue1: 'Bearer ${token}' + valuesFrom: + - targetPath: "secureJsonData.httpHeaderValue1" + valueFrom: + secretKeyRef: + name: grafana-instance-sa-token + key: token +status: + uid: +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: thanos-querier +status: + availableReplicas: 1 
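Review bot: The bare `uid:` under `status:` in the GrafanaDatasource assertion parses as YAML null, so it is unclear whether chainsaw will treat it as "field must exist" or as a match on a null value; if the intent is to verify that the operator populated `status.uid`, an explicit expression such as `status:` / `  (uid != null): true` states that unambiguously. The `spec.datasource`/`spec.valuesFrom` part of the same assertion only echoes what 00-resources.yaml applied, so it confirms nothing about the secret having been resolved — that evidence comes from the later steps, which is worth saying in a one-line comment above the block, e.g. `# spec is asserted only to confirm the CR was accepted; secret injection is verified in step-03`.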
diff --git a/tests/e2e/examples/secureJsonDatasource/00-resources.yaml b/tests/e2e/examples/secureJsonDatasource/00-resources.yaml new file mode 100644 index 000000000..2952bb1f2 --- /dev/null +++ b/tests/e2e/examples/secureJsonDatasource/00-resources.yaml 
@@ -0,0 +1,103 @@ +apiVersion: grafana.integreatly.org/v1beta1 +kind: Grafana +metadata: + name: grafana + labels: + dashboards: "grafana" +spec: + config: + log: + mode: "console" + auth: + disable_login_form: "false" + security: + admin_user: root + admin_password: secret + deployment: + spec: + template: + spec: + containers: + - name: grafana + image: grafana/grafana:10.4.2 # Not all grafana versions support the API to test the datasource +--- +apiVersion: v1 +kind: Secret +metadata: + name: grafana-instance-sa-token +stringData: + token: "token-content" +--- +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDatasource +metadata: + name: thanos +spec: + instanceSelector: + matchLabels: + dashboards: "grafana" + datasource: + access: proxy + basicAuth: false + editable: true + isDefault: true + jsonData: + httpHeaderName1: 'Authorization' + timeInterval: 5s + tlsSkipVerify: true + secureJsonData: + httpHeaderValue1: 'Bearer ${token}' + name: Prometheus + orgId: 1 + type: prometheus + url: (join('',['http://thanos-querier.',$namespace,'.svc',':8080'])) + valuesFrom: + - targetPath: "secureJsonData.httpHeaderValue1" + valueFrom: + secretKeyRef: + name: grafana-instance-sa-token + key: token +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: thanos-querier + labels: + app: thanos-querier +spec: + selector: + matchLabels: + app: thanos-querier + template: + metadata: + labels: + app: thanos-querier + spec: + terminationGracePeriodSeconds: 3 + containers: + - name: netcat + image: alpine + command: + - sh + - -c + - | + set -eu + echo "Starting pod" + while true; do echo -e 'HTTP/1.1 200 OK\n\n{"asdf":"date"}' | nc -l -p 8080; done + ports: + - containerPort: 8080 + name: http + protocol: TCP +--- +apiVersion: v1 +kind: Service +metadata: + name: thanos-querier +spec: + selector: + app: thanos-querier + ports: + - port: 8080 + name: http + protocol: TCP + targetPort: 8080 
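Review bot: The Grafana CR hard-codes `admin_user: root` / `admin_password: secret`, sets `tlsSkipVerify: true` and `editable: true`, and the thanos stub uses the floating `image: alpine` tag; none of this is wrong for a throwaway e2e namespace, but the file should say so explicitly so it is not copied into an example deployment, e.g. `# test-only credentials and TLS settings; never reuse outside this e2e namespace` above `security:`, and `alpine` pinned to a specific tag (or digest) the way `grafana/grafana:10.4.2` already is. It is also worth a comment on the `nc -l -p 8080` loop that the stub deliberately prints every inbound request, including the `Authorization` header, to the pod log — step-03 depends on that — so the stub must only ever be fed the dummy `token-content` value from the Secret in this file. The Secret itself holds a placeholder string, which is fine; a `# placeholder, not a real service-account token` comment would make that obvious.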
diff --git a/tests/e2e/examples/secureJsonDatasource/01-assertions.yaml b/tests/e2e/examples/secureJsonDatasource/01-assertions.yaml new file mode 100644 index 000000000..9fc7f96d0 --- /dev/null +++ b/tests/e2e/examples/secureJsonDatasource/01-assertions.yaml @@ -0,0 +1,6 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: grafana-querier +status: + succeeded: 1 diff --git a/tests/e2e/examples/secureJsonDatasource/01-resources.yaml b/tests/e2e/examples/secureJsonDatasource/01-resources.yaml new file mode 100644 index 000000000..be8492622 --- /dev/null +++ b/tests/e2e/examples/secureJsonDatasource/01-resources.yaml @@ -0,0 +1,27 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: grafana-querier + labels: + app: grafana-querier +spec: + template: + spec: + restartPolicy: Never + containers: + - name: netcat + image: dwdraju/alpine-curl-jq #alpine + env: + - name: BASEURL + value: (join('',['http://root:secret@grafana-service.',$namespace,'.svc',':3000'])) + command: + - sh + - -c + - | + set -eu + sleep 15 + echo "The base URL for grafana: ${BASEURL}" + export DATASOURCE_UID=$(curl -v "${BASEURL}/api/datasources" -H "Accept: application/json" | jq -r '.[0].uid') + echo "Datasource UID: ${DATASOURCE_UID}" + RESULT=$(curl -s "${BASEURL}/api/datasources/uid/${DATASOURCE_UID}/health" -H "Accept: application/json" | jq -r '.') + echo "Result: ${RESULT}" diff --git a/tests/e2e/examples/secureJsonDatasource/README.md b/tests/e2e/examples/secureJsonDatasource/README.md new file mode 100644 index 000000000..c2030ba0c --- /dev/null +++ b/tests/e2e/examples/secureJsonDatasource/README.md 
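Review bot: The querier job writes the Grafana admin credentials into its own pod log: `BASEURL` embeds `root:secret@` and is echoed on the line `echo "The base URL for grafana: ${BASEURL}"`, and `curl -v` additionally prints the derived `Authorization: Basic` header to stderr, all of which `kubectl logs` in step-02 collects. Passing the credentials via `curl -u` from separate env vars and dropping the echo keeps them out of logs, and `curl -sSf` plus `set -o pipefail` stops a failed request from being masked — today `set -eu` without pipefail lets `jq` turn a curl error into `null`, the health call goes to `/api/datasources/uid/null/health`, and the Job still reports `succeeded: 1`. Looking the datasource up by name (`/api/datasources/name/Prometheus`, matching `spec.datasource.name` in 00-resources.yaml) also avoids the `.[0]` ordering assumption. Whether the image's shell honours `pipefail` should be confirmed against `dwdraju/alpine-curl-jq`, which is itself an unpinned third-party Docker Hub image and deserves a digest pin or a first-party replacement.
```yaml
          env:
            - name: BASEURL
              value: (join('',['http://grafana-service.',$namespace,'.svc',':3000']))
            - name: GRAFANA_USER
              value: root      # test-only credentials, see 00-resources.yaml
            - name: GRAFANA_PASSWORD
              value: secret
          command:
            - sh
            - -c
            - |
              set -euo pipefail
              sleep 15
              AUTH="${GRAFANA_USER}:${GRAFANA_PASSWORD}"
              DATASOURCE_UID=$(curl -sSf -u "${AUTH}" "${BASEURL}/api/datasources/name/Prometheus" -H "Accept: application/json" | jq -r '.uid')
              echo "Datasource UID: ${DATASOURCE_UID}"
              RESULT=$(curl -sSf -u "${AUTH}" "${BASEURL}/api/datasources/uid/${DATASOURCE_UID}/health" -H "Accept: application/json" | jq -r '.')
              echo "Result: ${RESULT}"
```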
@@ -0,0 +1,28 @@ +# Testing GrafanaDatasource secureJsonData + +This test creates a GrafanaDatasource with a reference +to a secret (which is normally created by a serviceAccount) +and makes sure it's inserted correctly into +grafana. + +## Step 00 + +This step creates a number of resources: +- Grafana (to create a new grafana) +- GrafanaDatasource (with secureJsonData and a secret) +- A thanos emulator pod, using netcat, with a service + +## Step 01 + +This step starts a pod which query the grafana to test it's datasource, +which in turn forces the grafana to query thanos. + +## Step 02 + +Verify in the log that grafana is happy with the response from +the datasource. + +## Step 03 + +Verify in the log that grafana sent the authorization header with +the token. diff --git a/tests/e2e/examples/secureJsonDatasource/chainsaw-test.yaml b/tests/e2e/examples/secureJsonDatasource/chainsaw-test.yaml new file mode 100755 index 000000000..b2ae50b45 --- /dev/null +++ b/tests/e2e/examples/secureJsonDatasource/chainsaw-test.yaml 
@@ -0,0 +1,55 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: secure-json-datasource +spec: + concurrent: false + steps: + # This starts the grafana and the netcat simulating thanos. + - name: step-00 + try: + - apply: + template: true + file: 00-resources.yaml + - assert: + template: true + file: 00-assertions.yaml + # This queries the grafana to trigger a query to the netcat simulating thanos. + - name: step-01 + try: + - apply: + template: true + file: 01-resources.yaml + - assert: + file: 01-assertions.yaml + # This step verifies that grafana is happy with the datasource + - name: step-02 + try: + - script: + content: 'oc logs -n ${namespace} -l job-name=grafana-querier | grep "Result: " -A200 | sed "s|Result:||" | jq -r "."' + env: + - name: namespace + value: ($namespace) + outputs: + - name: grafana_response + value: (json_parse($stdout)) + - assert: + resource: + ($grafana_response): + status: OK + # This step verifies that netcat/thanos got a call with a token + - name: step-03 + try: + - script: + content: 'oc logs -n ${namespace} -l app=thanos-querier | grep "^Authorization:" | head -n 1' + env: + - name: namespace + value: ($namespace) + outputs: + - name: thanos_request_log + value: ($stdout) + - assert: + resource: + ($thanos_request_log): + "Authorization: Bearer token-content" From cf9120729506034f61c968caff33b5281d18584c Mon Sep 17 00:00:00 2001 From: John Allberg Date: Tue, 16 Apr 2024 16:25:02 +0200 Subject: [PATCH 2/3] chore: Switch from oc to kubectl. --- tests/e2e/examples/secureJsonDatasource/chainsaw-test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/e2e/examples/secureJsonDatasource/chainsaw-test.yaml b/tests/e2e/examples/secureJsonDatasource/chainsaw-test.yaml index b2ae50b45..f117d51cb 100755 
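Review bot: Step-03 proves the bearer token reached the stub, but nothing in the test checks the other half of what `secureJsonData` promises — that Grafana does not hand the plaintext value back. A step that fetches the datasource from `/api/datasources/uid/<uid>` and asserts `secureJsonFields.httpHeaderValue1` is `true` while `jsonData` carries no `httpHeaderValue1` key would catch a regression where the operator writes the resolved secret into the non-secure `jsonData` map; the querier Job in 01-resources.yaml already has the UID, so it could emit that response on its own `Result:`-style line for step-02 to parse. Separately, the step-03 assertion compares `($thanos_request_log)` against the exact string `"Authorization: Bearer token-content"`, and `head -n 1` emits a trailing newline — if chainsaw does not trim `$stdout`, the exact match will fail, so `(trim($stdout))` or a `contains()`-style assertion is safer. A comment above step-03 noting that the stub's logged header is the only place the injected secret is observable, and that it is a dummy value, would help the next reader.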
--- a/tests/e2e/examples/secureJsonDatasource/chainsaw-test.yaml +++ b/tests/e2e/examples/secureJsonDatasource/chainsaw-test.yaml @@ -27,7 +27,7 @@ spec: - name: step-02 try: - script: - content: 'oc logs -n ${namespace} -l job-name=grafana-querier | grep "Result: " -A200 | sed "s|Result:||" | jq -r "."' + content: 'kubectl logs -n ${namespace} -l job-name=grafana-querier | grep "Result: " -A200 | sed "s|Result:||" | jq -r "."' env: - name: namespace value: ($namespace) @@ -42,7 +42,7 @@ spec: - name: step-03 try: - script: - content: 'oc logs -n ${namespace} -l app=thanos-querier | grep "^Authorization:" | head -n 1' + content: 'kubectl logs -n ${namespace} -l app=thanos-querier | grep "^Authorization:" | head -n 1' env: - name: namespace value: ($namespace) From 804b118136446ecfd53aedf3683a161d0253cd24 Mon Sep 17 00:00:00 2001 From: John Allberg Date: Wed, 17 Apr 2024 07:10:14 +0200 Subject: [PATCH 3/3] chore: Add short timeout on tasks that should be very quick. --- tests/e2e/examples/secureJsonDatasource/chainsaw-test.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/e2e/examples/secureJsonDatasource/chainsaw-test.yaml b/tests/e2e/examples/secureJsonDatasource/chainsaw-test.yaml index f117d51cb..629ebce21 100755 --- a/tests/e2e/examples/secureJsonDatasource/chainsaw-test.yaml +++ b/tests/e2e/examples/secureJsonDatasource/chainsaw-test.yaml @@ -25,6 +25,8 @@ spec: file: 01-assertions.yaml # This step verifies that grafana is happy with the datasource - name: step-02 + timeouts: + assert: 5s try: - script: content: 'kubectl logs -n ${namespace} -l job-name=grafana-querier | grep "Result: " -A200 | sed "s|Result:||" | jq -r "."' @@ -40,6 +42,8 @@ spec: status: OK # This step verifies that netcat/thanos got a call with a token - name: step-03 + timeouts: + assert: 5s try: - script: content: 'kubectl logs -n ${namespace} -l app=thanos-querier | grep "^Authorization:" | head -n 1'
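Review bot: The new `timeouts: assert: 5s` on step-02 bounds only the `assert` operation; the `kubectl logs … | jq` script that precedes it runs under the default `exec` timeout, so a hung `kubectl logs` (for example against a pod still being torn down) is not covered by the intent stated in the commit message. If chainsaw's `exec` timeout is the right knob for script steps, adding `exec: 5s` alongside `assert: 5s` makes the step fail fast as described; a short comment such as `# logs are already complete after step-01, so both the script and the assert should be near-instant` would record why 5s is safe. The step-03 hunk appears to continue past the end of this page, so the same applies there but its full context is not visible.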