e2e: update PodVM with Authenticated Registry cases

- add ImagePullSecret to default ServiceAccount - make these two test cases can be reused by other cloud providers - support given Authenticated Registry Fixes #1680 Signed-off-by: Da Li Liu <liudali@cn.ibm.com>
confidential-containers · Jan 29, 2024 · a0ae962 · a0ae962
1 parent 59e5bc6
commit a0ae962
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 5 deletions.
diff --git a/test/e2e/assessment_helpers.go b/test/e2e/assessment_helpers.go
@@ -548,3 +548,31 @@ func DeleteAndWaitForNamespace(ctx context.Context, client klient.Client, namesp
 	log.Infof("Namespace '%s' has been successfully deleted within 60s", nsObj.Name)
 	return nil
 }
+
+func AddImagePullSecretToDefaultServiceAccount(ctx context.Context, client klient.Client, secretName string) error {
+	clientSet, err := kubernetes.NewForConfig(client.RESTConfig())
+	if err != nil {
+		return err
+	}
+	serviceAccount, err := clientSet.CoreV1().ServiceAccounts(E2eNamespace).Get(context.TODO(), "default", metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+	secretExists := false
+	for _, secret := range serviceAccount.ImagePullSecrets {
+		if secret.Name == secretName {
+			secretExists = true
+			break
+		}
+	}
+	if !secretExists {
+		// Update the ServiceAccount to add the imagePullSecret
+		serviceAccount.ImagePullSecrets = append(serviceAccount.ImagePullSecrets, v1.LocalObjectReference{Name: secretName})
+		_, err := clientSet.CoreV1().ServiceAccounts(E2eNamespace).Update(context.TODO(), serviceAccount, metav1.UpdateOptions{})
+		if err != nil {
+			return err
+		}
+		log.Infof("ServiceAccount %s updated successfully.", "default")
+	}
+	return nil
+}
diff --git a/test/e2e/assessment_runner.go b/test/e2e/assessment_runner.go
@@ -198,6 +198,12 @@ func (tc *TestCase) Run() {
 				}
 			}
 
+			if os.Getenv("REGISTRY_CREDENTIAL_ENCODED") != "" {
+				if err = AddImagePullSecretToDefaultServiceAccount(ctx, client, "auth-json-secret"); err != nil {
+					t.Fatal(err)
+				}
+			}
+
 			if tc.pvc != nil {
 				if err = client.Resources().Create(ctx, tc.pvc); err != nil {
 					t.Fatal(err)

diff --git a/test/e2e/common_suite.go b/test/e2e/common_suite.go
@@ -244,7 +244,8 @@ func DoTestCreatePeerPodWithAuthenticatedImagewithValidCredentials(t *testing.T,
 	randseed := rand.New(rand.NewSource(time.Now().UnixNano()))
 	podName := "authenticated-image-valid-" + strconv.Itoa(int(randseed.Uint32())) + "-pod"
 	secretName := "auth-json-secret"
-	authfile, err := os.ReadFile("../../install/overlays/ibmcloud/auth.json")
+	providerName := os.Getenv("CLOUD_PROVIDER")
+	authfile, err := os.ReadFile("../../install/overlays/" + providerName + "/auth.json")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -257,12 +258,16 @@ func DoTestCreatePeerPodWithAuthenticatedImagewithValidCredentials(t *testing.T,
 }
 
 func DoTestCreatePeerPodWithAuthenticatedImageWithInvalidCredentials(t *testing.T, e env.Environment, assert CloudAssert) {
+	registryName := "quay.io"
+	if os.Getenv("AUTHENTICATED_REGISTRY_IMAGE") != "" {
+		registryName = strings.Split(os.Getenv("AUTHENTICATED_REGISTRY_IMAGE"), "/")[0]
+	}
 	randseed := rand.New(rand.NewSource(time.Now().UnixNano()))
 	podName := "authenticated-image-invalid-" + strconv.Itoa(int(randseed.Uint32())) + "-pod"
 	secretName := "auth-json-secret"
 	data := map[string]interface{}{
 		"auths": map[string]interface{}{
-			"quay.io": map[string]interface{}{
+			registryName: map[string]interface{}{
 				"auth": "aW52YWxpZHVzZXJuYW1lOmludmFsaWRwYXNzd29yZAo=",
 			},
 		},
@@ -288,7 +293,7 @@ func DoTestCreatePeerPodWithAuthenticatedImageWithoutCredentials(t *testing.T, e
 	expectedAuthStatus := "WithoutCredentials"
 	imageName := os.Getenv("AUTHENTICATED_REGISTRY_IMAGE")
 	pod := NewPod(E2eNamespace, podName, podName, imageName, WithRestartPolicy(v1.RestartPolicyNever))
-	NewTestCase(t, e, "InvalidAuthImagePeerPod", assert, "Peer pod with Authenticated Image with Invalid Credentials has been created").WithPod(pod).WithAuthenticatedImage().WithAuthImageStatus(expectedAuthStatus).WithCustomPodState(v1.PodPending).Run()
+	NewTestCase(t, e, "InvalidAuthImagePeerPod", assert, "Peer pod with Authenticated Image without Credentials has been created").WithPod(pod).WithAuthenticatedImage().WithAuthImageStatus(expectedAuthStatus).WithCustomPodState(v1.PodPending).Run()
 }
 
 func DoTestPodVMwithNoAnnotations(t *testing.T, e env.Environment, assert CloudAssert, expectedType string) {

diff --git a/test/provisioner/ibmcloud/provision_kustomize.go b/test/provisioner/ibmcloud/provision_kustomize.go
@@ -168,6 +168,7 @@ func (lio *IBMCloudInstallOverlay) Edit(ctx context.Context, cfg *envconf.Config
 		}
 	}
 	if os.Getenv("REGISTRY_CREDENTIAL_ENCODED") != "" {
+		registryName := "quay.io"
 		client, err := cfg.NewClient()
 		if err != nil {
 			return err
@@ -184,11 +185,13 @@ func (lio *IBMCloudInstallOverlay) Edit(ctx context.Context, cfg *envconf.Config
 				return err
 			}
 		}
-
+		if os.Getenv("AUTHENTICATED_REGISTRY_IMAGE") != "" {
+			registryName = strings.Split(os.Getenv("AUTHENTICATED_REGISTRY_IMAGE"), "/")[0]
+		}
 		log.Info("Setting up auth.json")
 		data := map[string]interface{}{
 			"auths": map[string]interface{}{
-				"quay.io": map[string]interface{}{
+				registryName: map[string]interface{}{
 					"auth": os.Getenv("REGISTRY_CREDENTIAL_ENCODED"),
 				},
 			},