diff --git a/tests/integration/integration-test.sh b/tests/integration/integration-test.sh
index dbc13839b..187fd7378 100755
--- a/tests/integration/integration-test.sh
+++ b/tests/integration/integration-test.sh
@@ -21,552 +21,552 @@ COSIGN_PUBLIC_KEY="$(printf -- "${COSIGN_PUBLIC_KEY//
/\\n }")"
## Join ghcr integration yaml
if [[ -n "${IMAGE+x}" && -n "${IMAGEPULLSECRET+x}" ]]; then
- yq '. *+ load("tests/integration/var-img.yaml")' tests/integration/ghcr-values.yaml >ghcr-tmp
- envsubst ghcr-values
- envsubst ghcr-validator
- rm ghcr-tmp
+ yq '. *+ load("tests/integration/var-img.yaml")' tests/integration/ghcr-values.yaml >ghcr-tmp
+ envsubst ghcr-values
+ envsubst ghcr-validator
+ rm ghcr-tmp
else
- echo "" >ghcr-values
+ echo "" >ghcr-values
fi
### SINGLE TEST CASE ####################################
single_test() { # ID TXT TYP REF NS MSG RES
- echo -n "[$1] $2"
- i=0 # intialize iterator
- export RAND=$(head -c 5 /dev/urandom | hexdump -ve '1/1 "%.2x"') # creating a random index to label the pods and avoid name collision for repeated runs
- MSG=$(envsubst <<<"$6") # in case RAND is to be used, it needs to be added as ${RAND} to cases.yaml (and maybe deployment file)
- while :; do
- i=$((i + 1))
- if [[ "$3" == "deploy" ]]; then
- kubectl run pod-$1-${RAND} --image="$4" --namespace="$5" -luse="connaisseur-integration-test" >output.log 2>&1 || true
- elif [[ "$3" == "workload" ]]; then
- envsubst output.log 2>&1 || true
- else
- kubectl apply -f $4 >output.log 2>&1 || true
- fi
- # if the webhook couldn't be called, try again.
- [[ ("$(cat output.log)" =~ "failed calling webhook") && $i -lt $RETRY ]] || break
- done
- if [[ ! "$(cat output.log)" =~ "${MSG}" ]]; then
- echo -e ${FAILED}
- echo "::group::Output"
- cat output.log
- kubectl logs -n connaisseur -lapp.kubernetes.io/instance=connaisseur
- echo "::endgroup::"
- EXIT="1"
- else
- echo -e "${SUCCESS}"
- fi
- rm output.log
-
- if [[ $7 != "null" ]]; then
- DEPLOYMENT_RES[$7]=$((${DEPLOYMENT_RES[$7]} + 1))
- fi
-
- # 3 tries on first test, 2 tries on second, 1 try for all subsequential
- RETRY=$((RETRY - 1))
+ echo -n "[$1] $2"
+ i=0 # intialize iterator
+ export RAND=$(head -c 5 /dev/urandom | hexdump -ve '1/1 "%.2x"') # creating a random index to label the pods and avoid name collision for repeated runs
+ MSG=$(envsubst <<<"$6") # in case RAND is to be used, it needs to be added as ${RAND} to cases.yaml (and maybe deployment file)
+ while :; do
+ i=$((i + 1))
+ if [[ "$3" == "deploy" ]]; then
+ kubectl run pod-$1-${RAND} --image="$4" --namespace="$5" -luse="connaisseur-integration-test" >output.log 2>&1 || true
+ elif [[ "$3" == "workload" ]]; then
+ envsubst output.log 2>&1 || true
+ else
+ kubectl apply -f $4 >output.log 2>&1 || true
+ fi
+ # if the webhook couldn't be called, try again.
+ [[ ("$(cat output.log)" =~ "failed calling webhook") && $i -lt $RETRY ]] || break
+ done
+ if [[ ! "$(cat output.log)" =~ "${MSG}" ]]; then
+ echo -e ${FAILED}
+ echo "::group::Output"
+ cat output.log
+ kubectl logs -n connaisseur -lapp.kubernetes.io/instance=connaisseur
+ echo "::endgroup::"
+ EXIT="1"
+ else
+ echo -e "${SUCCESS}"
+ fi
+ rm output.log
+
+ if [[ $7 != "null" ]]; then
+ DEPLOYMENT_RES[$7]=$((${DEPLOYMENT_RES[$7]} + 1))
+ fi
+
+ # 3 tries on first test, 2 tries on second, 1 try for all subsequential
+ RETRY=$((RETRY - 1))
}
### MULTI TEST CASE FROM FILE ####################################
multi_test() { # TEST_CASE: key in the `test_cases` dict in the cases.yaml
- # converting to json, as yq processing is pretty slow
- test_cases=$(yq e -o=json ".test_cases.$1" tests/integration/cases.yaml)
- len=$(echo ${test_cases} | jq 'length')
- for i in $(seq 0 $(($len - 1))); do
- test_case=$(echo ${test_cases} | jq ".[$i]")
- ID=$(echo ${test_case} | jq -r ".id")
- TEST_CASE_TXT=$(echo ${test_case} | jq -r ".txt")
- TYPE=$(echo ${test_case} | jq -r ".type")
- REF=$(echo ${test_case} | jq -r ".ref")
- NAMESPACE=$(echo ${test_case} | jq -r ".namespace")
- EXP_MSG=$(echo ${test_case} | jq -r ".expected_msg")
- EXP_RES=$(echo ${test_case} | jq -r ".expected_result")
- single_test "${ID}" "${TEST_CASE_TXT}" "${TYPE}" "${REF}" "${NAMESPACE}" "${EXP_MSG}" "${EXP_RES}"
- done
+ # converting to json, as yq processing is pretty slow
+ test_cases=$(yq e -o=json ".test_cases.$1" tests/integration/cases.yaml)
+ len=$(echo ${test_cases} | jq 'length')
+ for i in $(seq 0 $(($len - 1))); do
+ test_case=$(echo ${test_cases} | jq ".[$i]")
+ ID=$(echo ${test_case} | jq -r ".id")
+ TEST_CASE_TXT=$(echo ${test_case} | jq -r ".txt")
+ TYPE=$(echo ${test_case} | jq -r ".type")
+ REF=$(echo ${test_case} | jq -r ".ref")
+ NAMESPACE=$(echo ${test_case} | jq -r ".namespace")
+ EXP_MSG=$(echo ${test_case} | jq -r ".expected_msg")
+ EXP_RES=$(echo ${test_case} | jq -r ".expected_result")
+ single_test "${ID}" "${TEST_CASE_TXT}" "${TYPE}" "${REF}" "${NAMESPACE}" "${EXP_MSG}" "${EXP_RES}"
+ done
}
### WORKLOAD TEST ####################################
workload_test() { # WORKLOAD_KIND
- export KIND=$1
- export APIVERSION=$(kubectl api-resources | awk -v KIND=${KIND} '{ if($NF == ""KIND"") print $(NF-2);}')
-
- # UNSIGNED
- export TAG=unsigned
- echo "::group::${KIND}_${APIVERSION}_${TAG}.yaml"
- envsubst output.log 2>&1 || true
- if [[ ! ("$(cat output.log)" =~ 'deployment.apps/redis-with-many-instances created' && "$(cat output.log)" =~ 'pod/pod-with-many-containers created' && "$(cat output.log)" =~ 'pod/pod-with-many-containers-and-init-containers created' && "$(cat output.log)" =~ 'pod/pod-with-some-containers-and-init-containers created' && "$(cat output.log)" =~ 'pod/pod-with-coinciding-containers-and-init-containers created') ]]; then
- echo -e ${FAILED}
- echo "::group::Output"
- cat output.log
- echo "::endgroup::"
- EXIT="1"
- else
- echo -e "${SUCCESS}"
- fi
- rm output.log
+ echo -n 'Testing Connaisseur with complex requests...'
+ kubectl apply -f tests/integration/deployments/complexity.yaml >output.log 2>&1 || true
+ if [[ ! ("$(cat output.log)" =~ 'deployment.apps/redis-with-many-instances created' && "$(cat output.log)" =~ 'pod/pod-with-many-containers created' && "$(cat output.log)" =~ 'pod/pod-with-many-containers-and-init-containers created' && "$(cat output.log)" =~ 'pod/pod-with-some-containers-and-init-containers created' && "$(cat output.log)" =~ 'pod/pod-with-coinciding-containers-and-init-containers created') ]]; then
+ echo -e ${FAILED}
+ echo "::group::Output"
+ cat output.log
+ echo "::endgroup::"
+ EXIT="1"
+ else
+ echo -e "${SUCCESS}"
+ fi
+ rm output.log
}
### LOAD TEST ####################################
load_test() { #
- NUMBER_OF_INSTANCES=100
- echo -n 'Testing Connaisseur with many requests...'
- parallel --jobs 20 ./tests/integration/cause_load.sh {1} :::: <(seq ${NUMBER_OF_INSTANCES}) >output.log 2>&1 || true
- NUMBER_CREATED=$(cat output.log | grep "deployment[.]apps/redis-[0-9]* created" | wc -l || echo "0")
- if [[ ${NUMBER_CREATED} != "${NUMBER_OF_INSTANCES}" ]]; then
- echo -e ${FAILED}
- echo "::group::Output"
- echo "Only ${NUMBER_CREATED}/${NUMBER_OF_INSTANCES} pods were created."
- cat output.log
- echo "::endgroup::"
- EXIT="1"
- else
- echo -e "${SUCCESS}"
- fi
- rm output.log
+ NUMBER_OF_INSTANCES=100
+ echo -n 'Testing Connaisseur with many requests...'
+ parallel --jobs 20 ./tests/integration/cause_load.sh {1} :::: <(seq ${NUMBER_OF_INSTANCES}) >output.log 2>&1 || true
+ NUMBER_CREATED=$(cat output.log | grep "deployment[.]apps/redis-[0-9]* created" | wc -l || echo "0")
+ if [[ ${NUMBER_CREATED} != "${NUMBER_OF_INSTANCES}" ]]; then
+ echo -e ${FAILED}
+ echo "::group::Output"
+ echo "Only ${NUMBER_CREATED}/${NUMBER_OF_INSTANCES} pods were created."
+ cat output.log
+ echo "::endgroup::"
+ EXIT="1"
+ else
+ echo -e "${SUCCESS}"
+ fi
+ rm output.log
}
### CREATE IMAGEPULLSECRET ####################################
create_imagepullsecret_in_ns() { # NAMESPACE # CREATE
- local CREATE=${2:-true}
- if $CREATE; then
- echo -n "Creating Namespace '${1}'..."
- kubectl create ns ${1} >/dev/null || {
- echo -e "${FAILED}"
- exit 1
- }
- echo -e "${SUCCESS}"
- fi
- if [[ -n "${IMAGEPULLSECRET+x}" ]]; then
- echo -n "Creating imagePullSecret '${IMAGEPULLSECRET}'..."
- kubectl create secret generic ${IMAGEPULLSECRET} \
- --from-file=.dockerconfigjson=$HOME/.docker/config.json \
- --type=kubernetes.io/dockerconfigjson \
- --namespace=${1} >/dev/null || {
- echo -e "${FAILED}"
- exit 1
- }
- echo -e "${SUCCESS}"
- fi
+ local CREATE=${2:-true}
+ if $CREATE; then
+ echo -n "Creating Namespace '${1}'..."
+ kubectl create ns ${1} >/dev/null || {
+ echo -e "${FAILED}"
+ exit 1
+ }
+ echo -e "${SUCCESS}"
+ fi
+ if [[ -n "${IMAGEPULLSECRET+x}" ]]; then
+ echo -n "Creating imagePullSecret '${IMAGEPULLSECRET}'..."
+ kubectl create secret generic ${IMAGEPULLSECRET} \
+ --from-file=.dockerconfigjson=$HOME/.docker/config.json \
+ --type=kubernetes.io/dockerconfigjson \
+ --namespace=${1} >/dev/null || {
+ echo -e "${FAILED}"
+ exit 1
+ }
+ echo -e "${SUCCESS}"
+ fi
}
### INSTALLING CONNAISSEUR ####################################
helm_install_release() { # NAMESPACE
- create_imagepullsecret_in_ns ${1}
- echo -n "Installing released Connaisseur..."
- helm repo add connaisseur https://sse-secure-systems.github.io/connaisseur/charts
- helm show values connaisseur/connaisseur >release.yaml
- yq '. *+ load("ghcr-validator")' release.yaml >release_patched.yaml
- helm install connaisseur connaisseur/connaisseur --atomic \
- --namespace ${1} --values release_patched.yaml >/dev/null || {
- echo -e "${FAILED}"
- exit 1
- }
- echo -e "${SUCCESS}"
- sleep ${TIMEOUT}
+ create_imagepullsecret_in_ns ${1}
+ echo -n "Installing released Connaisseur..."
+ helm repo add connaisseur https://sse-secure-systems.github.io/connaisseur/charts
+ helm show values connaisseur/connaisseur >release.yaml
+ yq '. *+ load("ghcr-validator")' release.yaml >release_patched.yaml
+ helm install connaisseur connaisseur/connaisseur --atomic \
+ --namespace ${1} --values release_patched.yaml >/dev/null || {
+ echo -e "${FAILED}"
+ exit 1
+ }
+ echo -e "${SUCCESS}"
+ sleep ${TIMEOUT}
}
make_install() {
- create_imagepullsecret_in_ns "connaisseur"
- echo -n "Installing Connaisseur..."
- make install >/dev/null || {
- echo -e "${FAILED}"
- exit 1
- }
- echo -e "${SUCCESS}"
- sleep ${TIMEOUT}
+ create_imagepullsecret_in_ns "connaisseur"
+ echo -n "Installing Connaisseur..."
+ make install >/dev/null || {
+ echo -e "${FAILED}"
+ exit 1
+ }
+ echo -e "${SUCCESS}"
+ sleep ${TIMEOUT}
}
helm_install_namespace() { # NAMESPACE
- create_imagepullsecret_in_ns ${1}
- echo -n "Installing Connaisseur in namespace ${1}..."
- helm install connaisseur helm --atomic --create-namespace \
- --namespace ${1} >/dev/null || {
- echo -e "${FAILED}"
- exit 1
- }
- echo -e "${SUCCESS}"
- sleep ${TIMEOUT}
+ create_imagepullsecret_in_ns ${1}
+ echo -n "Installing Connaisseur in namespace ${1}..."
+ helm install connaisseur helm --atomic --create-namespace \
+ --namespace ${1} >/dev/null || {
+ echo -e "${FAILED}"
+ exit 1
+ }
+ echo -e "${SUCCESS}"
+ sleep ${TIMEOUT}
}
helm_install_namespace_no_create() { # NAMESPACE
- create_imagepullsecret_in_ns ${1} false
- echo -n "Installing Connaisseur in namespace ${1}..."
- helm install connaisseur helm --atomic \
- --namespace ${1} >/dev/null || {
- echo -e "${FAILED}"
- exit 1
- }
- echo -e "${SUCCESS}"
- sleep ${TIMEOUT}
+ create_imagepullsecret_in_ns ${1} false
+ echo -n "Installing Connaisseur in namespace ${1}..."
+ helm install connaisseur helm --atomic \
+ --namespace ${1} >/dev/null || {
+ echo -e "${FAILED}"
+ exit 1
+ }
+ echo -e "${SUCCESS}"
+ sleep ${TIMEOUT}
}
helm_install() {
- helm_install_namespace "connaisseur"
+ helm_install_namespace "connaisseur"
}
helm_repo_install() {
- # will install unconfigured Connaisseur
- echo -n "Installing Connaisseur..."
- helm repo add connaisseur https://sse-secure-systems.github.io/connaisseur/charts >/dev/null
- helm install connaisseur connaisseur/connaisseur --atomic --create-namespace \
- --namespace connaisseur >/dev/null || {
- echo -e "${FAILED}"
- exit 1
- }
- echo -e "${SUCCESS}"
- sleep ${TIMEOUT}
+ # will install unconfigured Connaisseur
+ echo -n "Installing Connaisseur..."
+ helm repo add connaisseur https://sse-secure-systems.github.io/connaisseur/charts >/dev/null
+ helm install connaisseur connaisseur/connaisseur --atomic --create-namespace \
+ --namespace connaisseur >/dev/null || {
+ echo -e "${FAILED}"
+ exit 1
+ }
+ echo -e "${SUCCESS}"
+ sleep ${TIMEOUT}
}
### UPGRADING CONNAISSEUR ####################################
make_upgrade() {
- echo -n 'Upgrading Connaisseur...'
- make upgrade >/dev/null || {
- echo -e ${FAILED}
- exit 1
- }
- echo -e "${SUCCESS}"
+ echo -n 'Upgrading Connaisseur...'
+ make upgrade >/dev/null || {
+ echo -e ${FAILED}
+ exit 1
+ }
+ echo -e "${SUCCESS}"
}
helm_upgrade_namespace() { # NS
- echo -n 'Upgrading Connaisseur...'
- helm upgrade connaisseur helm -n ${1} --wait >/dev/null || {
- echo -e ${FAILED}
- exit 1
- }
- echo -e "${SUCCESS}"
+ echo -n 'Upgrading Connaisseur...'
+ helm upgrade connaisseur helm -n ${1} --wait >/dev/null || {
+ echo -e ${FAILED}
+ exit 1
+ }
+ echo -e "${SUCCESS}"
}
### UNINSTALLING CONNAISSEUR ####################################
make_uninstall() {
- echo -n 'Uninstalling Connaisseur...'
- make uninstall >/dev/null || {
- echo -e "${FAILED}"
- exit 1
- }
- echo -e "${SUCCESS}"
+ echo -n 'Uninstalling Connaisseur...'
+ make uninstall >/dev/null || {
+ echo -e "${FAILED}"
+ exit 1
+ }
+ echo -e "${SUCCESS}"
}
helm_uninstall() {
- echo -n 'Uninstalling Connaisseur...'
- helm uninstall connaisseur -n connaisseur >/dev/null || {
- echo -e "${FAILED}"
- exit 1
- }
- echo -e "${SUCCESS}"
+ echo -n 'Uninstalling Connaisseur...'
+ helm uninstall connaisseur -n connaisseur >/dev/null || {
+ echo -e "${FAILED}"
+ exit 1
+ }
+ echo -e "${SUCCESS}"
}
update_values() { # [EXPRESSION...]
- for update in "$@"; do
- yq e -i "${update}" helm/values.yaml
- done
+ for update in "$@"; do
+ yq e -i "${update}" helm/values.yaml
+ done
}
update_values_minimal() {
- yq '. *+ load("ghcr-values")' -i helm/values.yaml
+ yq '. *+ load("ghcr-values")' -i helm/values.yaml
}
update_via_env_vars() {
- envsubst update
- yq '. *+ load("ghcr-values")' -i update
- yq eval-all --inplace 'select(fileIndex == 0) * select(fileIndex == 1)' helm/values.yaml update
- rm update
+ envsubst update
+ yq '. *+ load("ghcr-values")' -i update
+ yq eval-all --inplace 'select(fileIndex == 0) * select(fileIndex == 1)' helm/values.yaml update
+ rm update
}
update_helm_for_workloads() {
- envsubst update
- yq '. *+ load("ghcr-values")' -i update
- yq eval-all --inplace 'select(fileIndex == 0) * select(fileIndex == 1)' helm/values.yaml update
- rm update
+ envsubst update
+ yq '. *+ load("ghcr-values")' -i update
+ yq eval-all --inplace 'select(fileIndex == 0) * select(fileIndex == 1)' helm/values.yaml update
+ rm update
}
debug_vaules() { #PATH
- echo "::group::values.yaml"
- cat "$1"
- echo "::endgroup::"
+ echo "::group::values.yaml"
+ cat "$1"
+ echo "::endgroup::"
}
### RUN REGULAR INTEGRATION TEST ####################################
regular_int_test() {
- multi_test "regular"
-
- ### EDGE CASE TAG IN RELEASES AND TARGETS ####################################
- echo -n "[edge1] Testing edge case of tag defined in both targets and release json file..."
- POD=$(kubectl get pods -o name | grep "pod-rs-")
- DEPLOYED_SHA=$(kubectl get "${POD}" -o yaml | yq e '.spec.containers[0].image' - | sed 's/.*sha256://')
- if [[ "${DEPLOYED_SHA}" != 'c5327b291d702719a26c6cf8cc93f72e7902df46547106a9930feda2c002a4a7' ]]; then
- echo -e "${FAILED}"
- EXIT="1"
- else
- echo -e "${SUCCESS}"
- fi
-
- ### ALERTING TEST ####################################
- echo -n "Checking whether alert endpoints have been called successfully..."
- ENDPOINT_HITS="$(curl -s ${ALERTING_ENDPOINT_IP}:56243 --header 'Content-Type: application/json')"
- NUMBER_OF_DEPLOYMENTS=$((${DEPLOYMENT_RES["VALID"]} + ${DEPLOYMENT_RES["INVALID"]}))
- EXPECTED_ENDPOINT_HITS=$(jq -n \
- --argjson REQUESTS_TO_SLACK_ENDPOINT ${NUMBER_OF_DEPLOYMENTS} \
- --argjson REQUESTS_TO_OPSGENIE_ENDPOINT ${DEPLOYMENT_RES["VALID"]} \
- --argjson REQUESTS_TO_KEYBASE_ENDPOINT ${DEPLOYMENT_RES["INVALID"]} \
- '{
+ multi_test "regular"
+
+ ### EDGE CASE TAG IN RELEASES AND TARGETS ####################################
+ echo -n "[edge1] Testing edge case of tag defined in both targets and release json file..."
+ POD=$(kubectl get pods -o name | grep "pod-rs-")
+ DEPLOYED_SHA=$(kubectl get "${POD}" -o yaml | yq e '.spec.containers[0].image' - | sed 's/.*sha256://')
+ if [[ "${DEPLOYED_SHA}" != 'c5327b291d702719a26c6cf8cc93f72e7902df46547106a9930feda2c002a4a7' ]]; then
+ echo -e "${FAILED}"
+ EXIT="1"
+ else
+ echo -e "${SUCCESS}"
+ fi
+
+ ### ALERTING TEST ####################################
+ echo -n "Checking whether alert endpoints have been called successfully..."
+ ENDPOINT_HITS="$(curl -s ${ALERTING_ENDPOINT_IP}:56243 --header 'Content-Type: application/json')"
+ NUMBER_OF_DEPLOYMENTS=$((${DEPLOYMENT_RES["VALID"]} + ${DEPLOYMENT_RES["INVALID"]}))
+ EXPECTED_ENDPOINT_HITS=$(jq -n \
+ --argjson REQUESTS_TO_SLACK_ENDPOINT ${NUMBER_OF_DEPLOYMENTS} \
+ --argjson REQUESTS_TO_OPSGENIE_ENDPOINT ${DEPLOYMENT_RES["VALID"]} \
+ --argjson REQUESTS_TO_KEYBASE_ENDPOINT ${DEPLOYMENT_RES["INVALID"]} \
+ '{
"successful_requests_to_slack_endpoint":$REQUESTS_TO_SLACK_ENDPOINT,
"successful_requests_to_opsgenie_endpoint": $REQUESTS_TO_OPSGENIE_ENDPOINT,
"successful_requests_to_keybase_endpoint": $REQUESTS_TO_KEYBASE_ENDPOINT
}')
- diff <(echo "$ENDPOINT_HITS" | jq -S .) <(echo "$EXPECTED_ENDPOINT_HITS" | jq -S .) >diff.log 2>&1 || true
- if [[ -s diff.log ]]; then
- echo -e "${FAILED}"
- echo "::group::Alerting endpoint diff:"
- cat diff.log
- echo "::endgroup::"
- EXIT="1"
- else
- echo -e "${SUCCESS}"
- fi
- rm diff.log
+ diff <(echo "$ENDPOINT_HITS" | jq -S .) <(echo "$EXPECTED_ENDPOINT_HITS" | jq -S .) >diff.log 2>&1 || true
+ if [[ -s diff.log ]]; then
+ echo -e "${FAILED}"
+ echo "::group::Alerting endpoint diff:"
+ cat diff.log
+ echo "::endgroup::"
+ EXIT="1"
+ else
+ echo -e "${SUCCESS}"
+ fi
+ rm diff.log
}
### COSIGN TEST ####################################
cosign_int_test() {
- multi_test "cosign"
+ multi_test "cosign"
}
### MULTI-COSIGNed TEST ####################################
multi-cosigned_int_test() {
- multi_test "multi-cosigned"
+ multi_test "multi-cosigned"
}
### REKOR-COSIGNed TEST ####################################
rekor-cosigned_int_test() {
- multi_test "rekor-cosigned"
+ multi_test "rekor-cosigned"
}
### NAMESPACE VALIDATION TEST ####################################
namespace_val_int_test() {
- echo -n "Creating namespaces..."
- kubectl create namespace ignoredns >/dev/null
- kubectl label ns ignoredns securesystemsengineering.connaisseur/webhook=ignore use=connaisseur-integration-test >/dev/null
- kubectl create namespace validatedns >/dev/null
- kubectl label ns validatedns securesystemsengineering.connaisseur/webhook=validate use=connaisseur-integration-test >/dev/null
- echo -e "${SUCCESS}"
-
- multi_test "ignore-namespace-val"
- update_values '.namespacedValidation.mode="validate"'
- make_upgrade # upgrade Connaisseur installation
- multi_test "validate-namespace-val"
+ echo -n "Creating namespaces..."
+ kubectl create namespace ignoredns >/dev/null
+ kubectl label ns ignoredns securesystemsengineering.connaisseur/webhook=ignore use=connaisseur-integration-test >/dev/null
+ kubectl create namespace validatedns >/dev/null
+ kubectl label ns validatedns securesystemsengineering.connaisseur/webhook=validate use=connaisseur-integration-test >/dev/null
+ echo -e "${SUCCESS}"
+
+ multi_test "ignore-namespace-val"
+ update_values '.namespacedValidation.mode="validate"'
+ make_upgrade # upgrade Connaisseur installation
+ multi_test "validate-namespace-val"
}
### DEPLOYMENT TEST ####################################
deployment_int_test() {
- multi_test "deployment"
+ multi_test "deployment"
}
### PRECONFIG TEST ####################################
pre_config_int_test() {
- multi_test "pre-config"
+ multi_test "pre-config"
}
### CERTIFICATE INT TEST ####################################
certificate_int_test() {
- multi_test "certificate"
+ multi_test "certificate"
}
### CERTIFICATE TEST ####################################
certificate_check() {
- DIFF=$(diff tests/integration/tls.key <(kubectl get secrets -n connaisseur connaisseur-tls -o json | jq -r '.data."tls.key"' | base64 -d) || true)
- if [[ ${DIFF} != "" ]]; then
- echo "Unexpected TLS key. Should be pre-configured one."
- EXIT=1
- else
- echo "Found expected TLS key."
- fi
- DIFF=$(diff tests/integration/tls.cert <(kubectl get secrets -n connaisseur connaisseur-tls -o json | jq -r '.data."tls.crt"' | base64 -d) || true)
- if [[ ${DIFF} != "" ]]; then
- echo "Unexpected TLS certificate. Should be pre-configured one."
- EXIT=1
- else
- echo "Found expected TLS certificate."
- fi
+ DIFF=$(diff tests/integration/tls.key <(kubectl get secrets -n connaisseur connaisseur-tls -o json | jq -r '.data."tls.key"' | base64 -d) || true)
+ if [[ ${DIFF} != "" ]]; then
+ echo "Unexpected TLS key. Should be pre-configured one."
+ EXIT=1
+ else
+ echo "Found expected TLS key."
+ fi
+ DIFF=$(diff tests/integration/tls.cert <(kubectl get secrets -n connaisseur connaisseur-tls -o json | jq -r '.data."tls.crt"' | base64 -d) || true)
+ if [[ ${DIFF} != "" ]]; then
+ echo "Unexpected TLS certificate. Should be pre-configured one."
+ EXIT=1
+ else
+ echo "Found expected TLS certificate."
+ fi
}
case $1 in
"regular")
- update_via_env_vars
- make_install
- regular_int_test
- make_uninstall
- ;;
+ update_via_env_vars
+ make_install
+ regular_int_test
+ make_uninstall
+ ;;
"cosign")
- update_via_env_vars
- make_install
- cosign_int_test
- ;;
+ update_via_env_vars
+ make_install
+ cosign_int_test
+ ;;
"multi-cosigned")
- update_via_env_vars
- make_install
- multi-cosigned_int_test
- ;;
+ update_via_env_vars
+ make_install
+ multi-cosigned_int_test
+ ;;
"rekor-cosigned")
- update_via_env_vars
- make_install
- rekor-cosigned_int_test
- ;;
+ update_via_env_vars
+ make_install
+ rekor-cosigned_int_test
+ ;;
"namespace-val")
- update_via_env_vars
- update_values '.namespacedValidation.enabled=true'
- make_install
- namespace_val_int_test
- ;;
+ update_via_env_vars
+ update_values '.namespacedValidation.enabled=true'
+ make_install
+ namespace_val_int_test
+ ;;
"other-ns")
- echo "Testing deployment of Connaisseur in a different namespace than the default. See e.g. https://github.com/sse-secure-systems/connaisseur/issues/724"
- update_via_env_vars
- CLUSTER_NAME=$(kubectl config get-contexts $(kubectl config current-context) --no-headers | awk '{print $3}')
- CTX=deployconnaisseur
- NAME=securityadmin
- NS=security
-
- kubectl create ns ${NS}
- # Create service account with all permission on one namespace and some other, but non on other namespaces
- kubectl create serviceaccount ${NAME} --namespace=${NS}
- kubectl create rolebinding ${NAME} --clusterrole=cluster-admin --serviceaccount=${NS}:${NAME} --namespace=${NS}
- kubectl create clusterrole auxillary --verb='*' --resource=clusterrole,clusterrolebinding,mutatingwebhookconfigurations
- kubectl create clusterrolebinding ${NAME} --clusterrole=auxillary --serviceaccount=${NS}:${NAME}
-
- # Use that service account's config to run the Connaisseur deployment to see no other namespace is touched
- TOKEN=$(kubectl create token ${NAME} --namespace=${NS})
- kubectl config set-credentials ${CTX} --token=${TOKEN}
- kubectl config set-context ${CTX} --cluster=${CLUSTER_NAME} --user=${CTX}
- kubectl config use-context ${CTX}
- helm_install_namespace_no_create ${NS}
- single_test "on" "Testing unsigned image..." "deploy" "securesystemsengineering/testimage:unsigned" "${NS}" "Unable to find signed digest for image docker.io/securesystemsengineering/testimage:unsigned." "INVALID"
- ;;
+ echo "Testing deployment of Connaisseur in a different namespace than the default. See e.g. https://github.com/sse-secure-systems/connaisseur/issues/724"
+ update_via_env_vars
+ CLUSTER_NAME=$(kubectl config get-contexts $(kubectl config current-context) --no-headers | awk '{print $3}')
+ CTX=deployconnaisseur
+ NAME=securityadmin
+ NS=security
+
+ kubectl create ns ${NS}
+ # Create service account with all permission on one namespace and some other, but non on other namespaces
+ kubectl create serviceaccount ${NAME} --namespace=${NS}
+ kubectl create rolebinding ${NAME} --clusterrole=cluster-admin --serviceaccount=${NS}:${NAME} --namespace=${NS}
+ kubectl create clusterrole auxillary --verb='*' --resource=clusterrole,clusterrolebinding,mutatingwebhookconfigurations
+ kubectl create clusterrolebinding ${NAME} --clusterrole=auxillary --serviceaccount=${NS}:${NAME}
+
+ # Use that service account's config to run the Connaisseur deployment to see no other namespace is touched
+ TOKEN=$(kubectl create token ${NAME} --namespace=${NS})
+ kubectl config set-credentials ${CTX} --token=${TOKEN}
+ kubectl config set-context ${CTX} --cluster=${CLUSTER_NAME} --user=${CTX}
+ kubectl config use-context ${CTX}
+ helm_install_namespace_no_create ${NS}
+ single_test "on" "Testing unsigned image..." "deploy" "securesystemsengineering/testimage:unsigned" "${NS}" "Unable to find signed digest for image docker.io/securesystemsengineering/testimage:unsigned." "INVALID"
+ ;;
"deployment")
- update_via_env_vars
- update_values '.policy += {"pattern": "docker.io/library/*:*", "validator": "dockerhub-basics", "with": {"trust_root": "docker-official"}}'
- make_install
- deployment_int_test
- ;;
+ update_via_env_vars
+ update_values '.policy += {"pattern": "docker.io/library/*:*", "validator": "dockerhub-basics", "with": {"trust_root": "docker-official"}}'
+ make_install
+ deployment_int_test
+ ;;
"pre-config")
- update_values_minimal
- helm_install
- pre_config_int_test
- helm_uninstall
- ;;
+ update_values_minimal
+ helm_install
+ pre_config_int_test
+ helm_uninstall
+ ;;
"pre-and-workload")
- update_helm_for_workloads
- make_install
- pre_config_int_test
- for wo in "${WOLIST[@]}"; do
- workload_test "${wo}"
- done
- ;;
+ update_helm_for_workloads
+ make_install
+ pre_config_int_test
+ for wo in "${WOLIST[@]}"; do
+ workload_test "${wo}"
+ done
+ ;;
"helm-repo")
- helm_repo_install
- pre_config_int_test
- ;;
+ helm_repo_install
+ pre_config_int_test
+ ;;
"complexity")
- update_values_minimal
- update_values '.deployment.replicasCount=3' '.deployment.resources= {"limits": {"cpu":"1000m", "memory":"512Mi"},"requests": {"cpu":"500m", "memory":"512Mi"}}'
- make_install
- complexity_test
- ;;
+ update_values_minimal
+ update_values '.deployment.replicasCount=3' '.deployment.resources= {"limits": {"cpu":"1000m", "memory":"512Mi"},"requests": {"cpu":"500m", "memory":"512Mi"}}'
+ make_install
+ complexity_test
+ ;;
"load")
- update_values_minimal
- make_install
- load_test
- ;;
+ update_values_minimal
+ make_install
+ load_test
+ ;;
"configured-cert")
- echo "Testing deployment of Connaisseur using a pre-configured TLS certificate. See issue https://github.com/sse-secure-systems/connaisseur/issues/225"
- update_via_env_vars
- make_install
- certificate_int_test
- yq eval-all --inplace 'select(fileIndex == 0) * select(fileIndex == 1)' helm/values.yaml tests/integration/update-cert.yaml
- make_upgrade
- certificate_check
- certificate_int_test
- ;;
+ echo "Testing deployment of Connaisseur using a pre-configured TLS certificate. See issue https://github.com/sse-secure-systems/connaisseur/issues/225"
+ update_via_env_vars
+ make_install
+ certificate_int_test
+ yq eval-all --inplace 'select(fileIndex == 0) * select(fileIndex == 1)' helm/values.yaml tests/integration/update-cert.yaml
+ make_upgrade
+ certificate_check
+ certificate_int_test
+ ;;
"upgrade")
- helm_install_release "connaisseur"
- debug_vaules "release_patched.yaml"
- pre_config_int_test
- update_values_minimal
- debug_vaules "helm/values.yaml"
- helm_upgrade_namespace "connaisseur"
- pre_config_int_test
- helm_uninstall
- ;;
+ helm_install_release "connaisseur"
+ debug_vaules "release_patched.yaml"
+ pre_config_int_test
+ update_values_minimal
+ debug_vaules "helm/values.yaml"
+ helm_upgrade_namespace "connaisseur"
+ pre_config_int_test
+ helm_uninstall
+ ;;
*)
- echo "Invalid test case. Exiting..."
- exit 1
- ;;
+ echo "Invalid test case. Exiting..."
+ exit 1
+ ;;
esac
if [[ "${EXIT}" != "0" ]]; then
- echo -e "${FAILED} Failed integration test."
+ echo -e "${FAILED} Failed integration test."
else
- echo -e "${SUCCESS} Passed integration test."
+ echo -e "${SUCCESS} Passed integration test."
fi
if [[ "${GITHUB_ACTIONS-}" == "true" ]]; then
- exit $((${EXIT}))
+ exit $((${EXIT}))
fi
echo 'Cleaning up installation and test resources...'