tests: add test for sealed file secrets

add a test for sealed file secrets. Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
2025-07-19 09:51:29 +00:00 · 2024-09-30 11:45:14 +08:00 · 2024-09-30 11:45:14 +08:00 · a94024aedc
commit a94024aedc
parent fe307303c8
2 changed files with 54 additions and 17 deletions
--- a/tests/integration/kubernetes/k8s-sealed-secret.bats
+++ b/tests/integration/kubernetes/k8s-sealed-secret.bats
@ -24,10 +24,12 @@ setup() {
 	setup_common
 	get_pod_config_dir

-	export K8S_TEST_YAML="${pod_config_dir}/pod-sealed-secret.yaml"
+	export K8S_TEST_ENV_YAML="${pod_config_dir}/pod-sealed-secret.yaml"
+	export K8S_TEST_FILE_YAML="${pod_config_dir}/pod-sealed-secret-as-file.yaml"
 	# Schedule on a known node so that later it can print the system's logs for
 	# debugging.
-	set_node "$K8S_TEST_YAML" "$node"
+	set_node "$K8S_TEST_ENV_YAML" "$node"
+	set_node "$K8S_TEST_FILE_YAML" "$node"

 	local CC_KBS_ADDR
 	export CC_KBS_ADDR=$(kbs_k8s_svc_http_addr)
@ -38,7 +40,10 @@ setup() {
 	if [ "${AA_KBC}" = "cc_kbc" ]; then
 		kernel_params_value+=" agent.aa_kbc_params=cc_kbc::${CC_KBS_ADDR}"
 	fi
-	set_metadata_annotation "${K8S_TEST_YAML}" \
+	set_metadata_annotation "${K8S_TEST_ENV_YAML}" \
+		"${kernel_params_annotation}" \
+		"${kernel_params_value}"
+	set_metadata_annotation "${K8S_TEST_FILE_YAML}" \
 		"${kernel_params_annotation}" \
 		"${kernel_params_value}"

@ -69,13 +74,7 @@ setup() {
 }

@test "Cannot Unseal Env Secrets with CDH without key" {
-	[ "${KATA_HYPERVISOR}" = "qemu-coco-dev" ] || skip "Test not ready yet for ${KATA_HYPERVISOR}"
-
-	if [ "${KBS}" = "false" ]; then
-		skip "Test skipped as KBS not setup"
-	fi
-
-	k8s_create_pod "${K8S_TEST_YAML}"
+	k8s_create_pod "${K8S_TEST_ENV_YAML}"

 	kubectl logs secret-test-pod-cc
 	kubectl logs secret-test-pod-cc | grep -q "UNPROTECTED_SECRET = not_sealed_secret"
@ -86,14 +85,17 @@ setup() {


@test "Unseal Env Secrets with CDH" {
-	[ "${KATA_HYPERVISOR}" = "qemu-coco-dev" ] || skip "Test not ready yet for ${KATA_HYPERVISOR}"
-
-	if [ "${KBS}" = "false" ]; then
-		skip "Test skipped as KBS not setup"
-	fi
-
 	kbs_set_resource "default" "sealed-secret" "test" "unsealed_secret"
-	k8s_create_pod "${K8S_TEST_YAML}"
+	k8s_create_pod "${K8S_TEST_ENV_YAML}"
+
+	kubectl logs secret-test-pod-cc
+	kubectl logs secret-test-pod-cc | grep -q "UNPROTECTED_SECRET = not_sealed_secret"
+	kubectl logs secret-test-pod-cc | grep -q "PROTECTED_SECRET = unsealed_secret"
+}
+
+@test "Unseal File Secrets with CDH" {
+	kbs_set_resource "default" "sealed-secret" "test" "unsealed_secret"
+	k8s_create_pod "${K8S_TEST_FILE_YAML}"

 	kubectl logs secret-test-pod-cc
 	kubectl logs secret-test-pod-cc | grep -q "UNPROTECTED_SECRET = not_sealed_secret"
--- a/tests/integration/kubernetes/runtimeclass_workloads/pod-sealed-secret-as-file.yaml
+++ b/tests/integration/kubernetes/runtimeclass_workloads/pod-sealed-secret-as-file.yaml
@ -0,0 +1,35 @@
+# Copyright (c) 2023 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: Pod
+metadata:
+  name: secret-test-pod-cc
+spec:
+  runtimeClassName: kata
+  containers:
+  - name: busybox
+    image: quay.io/prometheus/busybox:latest
+    imagePullPolicy: Always
+    command:
+    - sh
+    - -c
+    - |
+      unseal_data=$(cat /sealed/secret-value/secret)
+      not_sealed_data=$(cat /sealed/not-sealed-secret-value/secret)
+      echo "PROTECTED_SECRET = $unseal_data"
+      echo "UNPROTECTED_SECRET = $not_sealed_data"
+      sleep 1000
+    volumeMounts:
+        - name: sealed-secret-volume
+          mountPath: "/sealed/secret-value"
+        - name: not-sealed-secret-volume
+          mountPath: "/sealed/not-sealed-secret-value"
+  volumes:
+    - name: sealed-secret-volume
+      secret:
+        secretName: sealed-secret
+    - name: not-sealed-secret-volume
+      secret:
+        secretName: not-sealed-secret