tests: add test for sealed file secrets
add a test for sealed file secrets. Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
This commit is contained in:
parent
fe307303c8
commit
a94024aedc
@ -24,10 +24,12 @@ setup() {
|
|||||||
setup_common
|
setup_common
|
||||||
get_pod_config_dir
|
get_pod_config_dir
|
||||||
|
|
||||||
export K8S_TEST_YAML="${pod_config_dir}/pod-sealed-secret.yaml"
|
export K8S_TEST_ENV_YAML="${pod_config_dir}/pod-sealed-secret.yaml"
|
||||||
|
export K8S_TEST_FILE_YAML="${pod_config_dir}/pod-sealed-secret-as-file.yaml"
|
||||||
# Schedule on a known node so that later it can print the system's logs for
|
# Schedule on a known node so that later it can print the system's logs for
|
||||||
# debugging.
|
# debugging.
|
||||||
set_node "$K8S_TEST_YAML" "$node"
|
set_node "$K8S_TEST_ENV_YAML" "$node"
|
||||||
|
set_node "$K8S_TEST_FILE_YAML" "$node"
|
||||||
|
|
||||||
local CC_KBS_ADDR
|
local CC_KBS_ADDR
|
||||||
export CC_KBS_ADDR=$(kbs_k8s_svc_http_addr)
|
export CC_KBS_ADDR=$(kbs_k8s_svc_http_addr)
|
||||||
@ -38,7 +40,10 @@ setup() {
|
|||||||
if [ "${AA_KBC}" = "cc_kbc" ]; then
|
if [ "${AA_KBC}" = "cc_kbc" ]; then
|
||||||
kernel_params_value+=" agent.aa_kbc_params=cc_kbc::${CC_KBS_ADDR}"
|
kernel_params_value+=" agent.aa_kbc_params=cc_kbc::${CC_KBS_ADDR}"
|
||||||
fi
|
fi
|
||||||
set_metadata_annotation "${K8S_TEST_YAML}" \
|
set_metadata_annotation "${K8S_TEST_ENV_YAML}" \
|
||||||
|
"${kernel_params_annotation}" \
|
||||||
|
"${kernel_params_value}"
|
||||||
|
set_metadata_annotation "${K8S_TEST_FILE_YAML}" \
|
||||||
"${kernel_params_annotation}" \
|
"${kernel_params_annotation}" \
|
||||||
"${kernel_params_value}"
|
"${kernel_params_value}"
|
||||||
|
|
||||||
@ -69,13 +74,7 @@ setup() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@test "Cannot Unseal Env Secrets with CDH without key" {
|
@test "Cannot Unseal Env Secrets with CDH without key" {
|
||||||
[ "${KATA_HYPERVISOR}" = "qemu-coco-dev" ] || skip "Test not ready yet for ${KATA_HYPERVISOR}"
|
k8s_create_pod "${K8S_TEST_ENV_YAML}"
|
||||||
|
|
||||||
if [ "${KBS}" = "false" ]; then
|
|
||||||
skip "Test skipped as KBS not setup"
|
|
||||||
fi
|
|
||||||
|
|
||||||
k8s_create_pod "${K8S_TEST_YAML}"
|
|
||||||
|
|
||||||
kubectl logs secret-test-pod-cc
|
kubectl logs secret-test-pod-cc
|
||||||
kubectl logs secret-test-pod-cc | grep -q "UNPROTECTED_SECRET = not_sealed_secret"
|
kubectl logs secret-test-pod-cc | grep -q "UNPROTECTED_SECRET = not_sealed_secret"
|
||||||
@ -86,14 +85,17 @@ setup() {
|
|||||||
|
|
||||||
|
|
||||||
@test "Unseal Env Secrets with CDH" {
|
@test "Unseal Env Secrets with CDH" {
|
||||||
[ "${KATA_HYPERVISOR}" = "qemu-coco-dev" ] || skip "Test not ready yet for ${KATA_HYPERVISOR}"
|
|
||||||
|
|
||||||
if [ "${KBS}" = "false" ]; then
|
|
||||||
skip "Test skipped as KBS not setup"
|
|
||||||
fi
|
|
||||||
|
|
||||||
kbs_set_resource "default" "sealed-secret" "test" "unsealed_secret"
|
kbs_set_resource "default" "sealed-secret" "test" "unsealed_secret"
|
||||||
k8s_create_pod "${K8S_TEST_YAML}"
|
k8s_create_pod "${K8S_TEST_ENV_YAML}"
|
||||||
|
|
||||||
|
kubectl logs secret-test-pod-cc
|
||||||
|
kubectl logs secret-test-pod-cc | grep -q "UNPROTECTED_SECRET = not_sealed_secret"
|
||||||
|
kubectl logs secret-test-pod-cc | grep -q "PROTECTED_SECRET = unsealed_secret"
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "Unseal File Secrets with CDH" {
|
||||||
|
kbs_set_resource "default" "sealed-secret" "test" "unsealed_secret"
|
||||||
|
k8s_create_pod "${K8S_TEST_FILE_YAML}"
|
||||||
|
|
||||||
kubectl logs secret-test-pod-cc
|
kubectl logs secret-test-pod-cc
|
||||||
kubectl logs secret-test-pod-cc | grep -q "UNPROTECTED_SECRET = not_sealed_secret"
|
kubectl logs secret-test-pod-cc | grep -q "UNPROTECTED_SECRET = not_sealed_secret"
|
||||||
|
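Review bot: The `[ "${KATA_HYPERVISOR}" = "qemu-coco-dev" ] || skip ...` and `if [ "${KBS}" = "false" ]; then skip ...; fi` guards removed from the top of "Cannot Unseal Env Secrets with CDH without key" and "Unseal Env Secrets with CDH" (hunks at -69 and -86) are not re-added in any visible hunk, and the new "Unseal File Secrets with CDH" test has no guard either, so unless they were moved into setup() in a part of the file not shown, all three tests now run on every hypervisor and without a KBS, where `kbs_set_resource` would fail rather than skip. If the guards were deliberately centralised, a one-line comment above the new test such as `# hypervisor/KBS preconditions are checked in setup()` would make that explicit; otherwise restore them at the top of "Unseal File Secrets with CDH" before the `kbs_set_resource` call. The body of the new file test continues past the end of the hunk, so its PROTECTED_SECRET assertion and closing brace are not visible here.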
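--- /dev/null
+++ b/pod-sealed-secret-as-file.yaml
@@ -0,0 +1,35 @@
+# Copyright (c) 2023 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: Pod
+metadata:
+  name: secret-test-pod-cc
+spec:
+  runtimeClassName: kata
+  containers:
+  - name: busybox
+    image: quay.io/prometheus/busybox:latest
+    imagePullPolicy: Always
+    command:
+    - sh
+    - -c
+    - |
+      unseal_data=$(cat /sealed/secret-value/secret)
+      not_sealed_data=$(cat /sealed/not-sealed-secret-value/secret)
+      echo "PROTECTED_SECRET = $unseal_data"
+      echo "UNPROTECTED_SECRET = $not_sealed_data"
+      sleep 1000
+    volumeMounts:
+    - name: sealed-secret-volume
+      mountPath: "/sealed/secret-value"
+    - name: not-sealed-secret-volume
+      mountPath: "/sealed/not-sealed-secret-value"
+  volumes:
+  - name: sealed-secret-volume
+    secret:
+      secretName: sealed-secret
+  - name: not-sealed-secret-volume
+    secret:
+      secretName: not-sealed-secret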
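Review bot: `image: quay.io/prometheus/busybox:latest` together with `imagePullPolicy: Always` re-pulls an unpinned tag on every run, so the workload this test relies on changes silently whenever the tag moves, and a test that checks secret unsealing inside the pod should not depend on a mutable image; pin it by digest (`image: quay.io/prometheus/busybox@sha256:<digest>`) or at least a fixed tag, matching whatever the sibling workload manifests do. The two `cat /sealed/.../secret` lines assume both Secrets expose a data key named `secret`, and the `sealed-secret` / `not-sealed-secret` objects are created somewhere outside this commit, presumably by the test harness; a short comment above `volumes:` naming where they come from would save the next reader a search. Unlike the env-based manifest, this pod prints both secret values to stdout, which the bats test then reads via `kubectl logs`; a comment stating that this is intentional for the test would make clear it is not a leak to copy elsewhere.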