From 9ceabf440d30320a5eed3c11d1bb6606ad9c4c3c Mon Sep 17 00:00:00 2001 
From: Ramiro Algozino Date: Wed, 20 Nov 2024 13:02:41 +0100 Subject: [PATCH] feat(e2e): add minimal e2e to the module - Add minimal e2e tests that check that the packages can be deployed and come up properly, using Kapp. - There's still work to do for the tests to be useful, for example you can see that pomerium is logging some errors because it can't talk to dex because we don't set up anything regarding ingresses, but at least we get a very first check that the stuff comes up. --- .drone.yml | 431 +++++++++++++----- katalog/tests/dex/kustomization.yaml | 15 + katalog/tests/dex/secrets/config.yml | 53 +++ katalog/tests/gangplank/kustomization.yaml | 15 + katalog/tests/gangplank/secrets/gangplank.yml | 15 + katalog/tests/install-kapp.sh | 47 ++ katalog/tests/ldap-server/kustomization.yaml | 16 + katalog/tests/ldap-server/ldap-server.yaml | 83 ++++ katalog/tests/ldap-server/ns.yaml | 8 + .../tests/ldap-server/sighup.io-groups.ldif | 43 ++ katalog/tests/pomerium/kustomization.yaml | 25 + .../pomerium/resources/pomerium-config.env | 15 + .../pomerium/resources/pomerium-policy.yml | 21 + katalog/tests/pomerium/secrets/pomerium.env | 12 + katalog/tests/tests.sh | 36 ++ 15 files changed, 723 insertions(+), 112 deletions(-) create mode 100644 katalog/tests/dex/kustomization.yaml create mode 100644 katalog/tests/dex/secrets/config.yml create mode 100644 katalog/tests/gangplank/kustomization.yaml create mode 100644 katalog/tests/gangplank/secrets/gangplank.yml create mode 100755 katalog/tests/install-kapp.sh create mode 100644 katalog/tests/ldap-server/kustomization.yaml create mode 100644 katalog/tests/ldap-server/ldap-server.yaml create mode 100644 katalog/tests/ldap-server/ns.yaml create mode 100644 katalog/tests/ldap-server/sighup.io-groups.ldif create mode 100644 katalog/tests/pomerium/kustomization.yaml create mode 100644 katalog/tests/pomerium/resources/pomerium-config.env create mode 100644 katalog/tests/pomerium/resources/pomerium-policy.yml create mode 100644 
katalog/tests/pomerium/secrets/pomerium.env create mode 100755 katalog/tests/tests.sh diff --git a/.drone.yml b/.drone.yml index 9a29b8c..13068c7 100644 --- a/.drone.yml +++ b/.drone.yml @@ -2,7 +2,7 @@ # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file. -name: license +name: Check for license presence kind: pipeline type: docker @@ -15,19 +15,19 @@ steps: - addlicense -c "SIGHUP s.r.l" -v -l bsd -y "2017-present" --check . --- -name: policeman +name: Linting kind: pipeline type: docker depends_on: - - license + - Check for license presence platform: os: linux arch: amd64 steps: - - name: lint + - name: Linting with Policeman image: quay.io/sighup/policeman pull: always environment: @@ -47,7 +47,7 @@ steps: depends_on: - clone - - name: render + - name: Render Manifests image: quay.io/sighup/e2e-testing:1.1.0_0.11.0_3.12.0_1.9.4_1.27.1_3.5.3_4.33.3 pull: always depends_on: 
@@ -57,124 +57,331 @@ steps: - kustomize build katalog/dex > dex.yml - kustomize build katalog/gangplank > gangplank.yml - - name: check-deprecated-apis + - name: Check for usage of deprecated APIs image: us-docker.pkg.dev/fairwinds-ops/oss/pluto:v5 pull: always depends_on: - - render + - Render Manifests commands: # we use --ignore-deprecations because we don't want the CI to fail when the API has not been removed yet. - - /pluto detect pomerium.yml --ignore-deprecations --target-versions=k8s=v1.29.0 - - /pluto detect dex.yml --ignore-deprecations --target-versions=k8s=v1.29.0 - - /pluto detect gangplank.yml --ignore-deprecations --target-versions=k8s=v1.29.0 - -# --- -# name: e2e-kubernetes-1.20 -# kind: pipeline -# type: docker - -# depends_on: -# - policeman - -# node: -# runner: internal - -# platform: -# os: linux -# arch: amd64 - -# trigger: -# ref: -# include: -# - refs/heads/master -# - refs/tags/** - -# steps: -# - name: init -# image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 -# pull: always -# volumes: -# - name: shared -# path: /shared -# depends_on: [clone] -# settings: -# action: custom-cluster-120 -# pipeline_id: cluster-120 -# local_kind_config_path: katalog/tests/kind/config.yml -# cluster_version: "1.20.1" -# instance_path: /shared -# aws_default_region: -# from_secret: aws_region -# aws_access_key_id: -# from_secret: aws_access_key_id -# aws_secret_access_key: -# from_secret: aws_secret_access_key -# terraform_tf_states_bucket_name: -# from_secret: terraform_tf_states_bucket_name -# vsphere_server: -# from_secret: vsphere_server -# vsphere_password: -# from_secret: vsphere_password -# vsphere_user: -# from_secret: vsphere_user -# dockerhub_username: -# from_secret: dockerhub_username -# dockerhub_password: -# from_secret: dockerhub_password - -# - name: e2e -# image: quay.io/sighup/e2e-testing:1.1.0_0.2.2_2.16.1_1.9.4_1.21.1_3.8.7_2.4.1 # FIXME: Still uses image for 1.21 -# pull: always -# volumes: -# - name: shared -# path: /shared -# 
depends_on: [init] -# commands: -# - export KUBECONFIG=/shared/kube/kubeconfig-120 -# - bats -t katalog/tests/gatekeeper.sh - -# - name: destroy -# image: quay.io/sighup/e2e-testing-drone-plugin:v1.24.0 -# pull: always -# depends_on: [e2e] -# settings: -# action: destroy -# pipeline_id: cluster-120 -# aws_default_region: -# from_secret: aws_region -# aws_access_key_id: -# from_secret: aws_access_key_id -# aws_secret_access_key: -# from_secret: aws_secret_access_key -# terraform_tf_states_bucket_name: -# from_secret: terraform_tf_states_bucket_name -# vsphere_server: -# from_secret: vsphere_server -# vsphere_password: -# from_secret: vsphere_password -# vsphere_user: -# from_secret: vsphere_user -# dockerhub_username: -# from_secret: dockerhub_username -# dockerhub_password: -# from_secret: dockerhub_password -# when: -# status: -# - success -# - failure - -# volumes: -# - name: shared -# temp: {} + - /pluto detect pomerium.yml --ignore-deprecations --target-versions=k8s=v1.31.0 + - /pluto detect dex.yml --ignore-deprecations --target-versions=k8s=v1.31.0 + - /pluto detect gangplank.yml --ignore-deprecations --target-versions=k8s=v1.31.0 + +--- +name: E2E Tests Kubernetes v1.28.13 +kind: pipeline +type: docker + +depends_on: + - Linting + +clone: + depth: 1 + +platform: + os: linux + arch: amd64 + +trigger: + ref: + include: + - refs/tags/** + +volumes: + - name: dockersock + host: + path: /var/run/docker.sock + +steps: + - name: Create Kind Cluster + image: quay.io/sighup/dind-kind-kubectl-kustomize:0.24.0_1.31.1_3.10.0 + pull: always + depends_on: + - clone + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + # KIND_CONFIG: ./katalog/tests/kind/config.yml + CLUSTER_VERSION: v1.28.13 + KUBECONFIG: kubeconfig-v1.28.13 + CLUSTER_NAME: ${DRONE_REPO_NAME}-${DRONE_BUILD_NUMBER}-v1.28.13 + commands: + # NOTE: kind's `--wait` flag that waits for the control-plane to be ready + # does not work when disabling the default CNI. 
It will always go in timeout. + - kind create cluster --name $${CLUSTER_NAME} --image registry.sighup.io/fury/kindest/node:$${CLUSTER_VERSION} # --config $${KIND_CONFIG} + # save the kubeconfig so we can use it from other steps. + - kind get kubeconfig --name $${CLUSTER_NAME} > $${KUBECONFIG} + + - name: End-to-End Tests + image: quay.io/sighup/e2e-testing:1.1.0_1.31.1_3.10.0_4.33.3 + pull: always + network_mode: host + environment: + KUBECONFIG: kubeconfig-v1.28.13 + depends_on: + - Create Kind Cluster + commands: + # wait for Kind cluster to be ready + - until kubectl get serviceaccount default > /dev/null 2>&1; do echo "waiting for control-plane" && sleep 1; done + - bats -t katalog/tests/tests.sh + + - name: Destroy Kind Cluster + image: quay.io/sighup/dind-kind-kubectl-kustomize:0.24.0_1.31.1_3.10.0 + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + CLUSTER_NAME: ${DRONE_REPO_NAME}-${DRONE_BUILD_NUMBER}-v1.28.13 + commands: + # does not matter if the command fails + - kind delete cluster --name $${CLUSTER_NAME} || true + depends_on: + - End-to-End Tests + when: + status: + - success + - failure + +--- +name: E2E Tests Kubernetes v1.29.8 +kind: pipeline +type: docker + +depends_on: + - Linting + +clone: + depth: 1 + +platform: + os: linux + arch: amd64 + +trigger: + ref: + include: + - refs/tags/** + +volumes: + - name: dockersock + host: + path: /var/run/docker.sock + +steps: + - name: Create Kind Cluster + image: quay.io/sighup/dind-kind-kubectl-kustomize:0.24.0_1.31.1_3.10.0 + pull: always + depends_on: + - clone + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + # KIND_CONFIG: ./katalog/tests/kind/config.yml + CLUSTER_VERSION: v1.29.8 + KUBECONFIG: kubeconfig-v1.29.8 + CLUSTER_NAME: ${DRONE_REPO_NAME}-${DRONE_BUILD_NUMBER}-v1.29.8 + commands: + # NOTE: kind's `--wait` flag that waits for the control-plane to be ready + # does not work when disabling the default CNI. It will always go in timeout. 
+ - kind create cluster --name $${CLUSTER_NAME} --image registry.sighup.io/fury/kindest/node:$${CLUSTER_VERSION} # --config $${KIND_CONFIG} + # save the kubeconfig so we can use it from other steps. + - kind get kubeconfig --name $${CLUSTER_NAME} > $${KUBECONFIG} + + - name: End-to-End Tests + image: quay.io/sighup/e2e-testing:1.1.0_1.31.1_3.10.0_4.33.3 + pull: always + network_mode: host + environment: + KUBECONFIG: kubeconfig-v1.29.8 + depends_on: + - Create Kind Cluster + commands: + # wait for Kind cluster to be ready + - until kubectl get serviceaccount default > /dev/null 2>&1; do echo "waiting for control-plane" && sleep 1; done + - bats -t katalog/tests/tests.sh + + - name: Destroy Kind Cluster + image: quay.io/sighup/dind-kind-kubectl-kustomize:0.24.0_1.31.1_3.10.0 + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + CLUSTER_NAME: ${DRONE_REPO_NAME}-${DRONE_BUILD_NUMBER}-v1.29.8 + commands: + # does not matter if the command fails + - kind delete cluster --name $${CLUSTER_NAME} || true + depends_on: + - End-to-End Tests + when: + status: + - success + - failure + +--- +name: E2E Tests Kubernetes v1.30.4 +kind: pipeline +type: docker + +depends_on: + - Linting + +clone: + depth: 1 + +platform: + os: linux + arch: amd64 + +trigger: + ref: + include: + - refs/tags/** + +volumes: + - name: dockersock + host: + path: /var/run/docker.sock + +steps: + - name: Create Kind Cluster + image: quay.io/sighup/dind-kind-kubectl-kustomize:0.24.0_1.31.1_3.10.0 + pull: always + depends_on: + - clone + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + # KIND_CONFIG: ./katalog/tests/kind/config.yml + CLUSTER_VERSION: v1.30.4 + KUBECONFIG: kubeconfig-v1.30.4 + CLUSTER_NAME: ${DRONE_REPO_NAME}-${DRONE_BUILD_NUMBER}-v1.30.4 + commands: + # NOTE: kind's `--wait` flag that waits for the control-plane to be ready + # does not work when disabling the default CNI. It will always go in timeout. 
+ - kind create cluster --name $${CLUSTER_NAME} --image registry.sighup.io/fury/kindest/node:$${CLUSTER_VERSION} # --config $${KIND_CONFIG} + # save the kubeconfig so we can use it from other steps. + - kind get kubeconfig --name $${CLUSTER_NAME} > $${KUBECONFIG} + + - name: End-to-End Tests + image: quay.io/sighup/e2e-testing:1.1.0_1.31.1_3.10.0_4.33.3 + pull: always + network_mode: host + environment: + KUBECONFIG: kubeconfig-v1.30.4 + depends_on: + - Create Kind Cluster + commands: + # wait for Kind cluster to be ready + - until kubectl get serviceaccount default > /dev/null 2>&1; do echo "waiting for control-plane" && sleep 1; done + - bats -t katalog/tests/tests.sh + + - name: Destroy Kind Cluster + image: quay.io/sighup/dind-kind-kubectl-kustomize:0.24.0_1.31.1_3.10.0 + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + CLUSTER_NAME: ${DRONE_REPO_NAME}-${DRONE_BUILD_NUMBER}-v1.30.4 + commands: + # does not matter if the command fails + - kind delete cluster --name $${CLUSTER_NAME} || true + depends_on: + - End-to-End Tests + when: + status: + - success + - failure + +--- +name: E2E Tests Kubernetes v1.31.0 +kind: pipeline +type: docker + +depends_on: + - Linting + +clone: + depth: 1 + +platform: + os: linux + arch: amd64 + +trigger: + ref: + include: + - refs/tags/** + +volumes: + - name: dockersock + host: + path: /var/run/docker.sock + +steps: + - name: Create Kind Cluster + image: quay.io/sighup/dind-kind-kubectl-kustomize:0.24.0_1.31.1_3.10.0 + pull: always + depends_on: + - clone + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + # KIND_CONFIG: ./katalog/tests/kind/config.yml + CLUSTER_VERSION: v1.31.0 + KUBECONFIG: kubeconfig-v1.31.0 + CLUSTER_NAME: ${DRONE_REPO_NAME}-${DRONE_BUILD_NUMBER}-v1.31.0 + commands: + # NOTE: kind's `--wait` flag that waits for the control-plane to be ready + # does not work when disabling the default CNI. It will always go in timeout. 
+ - kind create cluster --name $${CLUSTER_NAME} --image registry.sighup.io/fury/kindest/node:$${CLUSTER_VERSION} # --config $${KIND_CONFIG} + # save the kubeconfig so we can use it from other steps. + - kind get kubeconfig --name $${CLUSTER_NAME} > $${KUBECONFIG} + + - name: End-to-End Tests + image: quay.io/sighup/e2e-testing:1.1.0_1.31.1_3.10.0_4.33.3 + pull: always + network_mode: host + environment: + KUBECONFIG: kubeconfig-v1.31.0 + depends_on: + - Create Kind Cluster + commands: + # wait for Kind cluster to be ready + - until kubectl get serviceaccount default > /dev/null 2>&1; do echo "waiting for control-plane" && sleep 1; done + - bats -t katalog/tests/tests.sh + + - name: Destroy Kind Cluster + image: quay.io/sighup/dind-kind-kubectl-kustomize:0.24.0_1.31.1_3.10.0 + volumes: + - name: dockersock + path: /var/run/docker.sock + environment: + CLUSTER_NAME: ${DRONE_REPO_NAME}-${DRONE_BUILD_NUMBER}-v1.31.0 + commands: + # does not matter if the command fails + - kind delete cluster --name $${CLUSTER_NAME} || true + depends_on: + - End-to-End Tests + when: + status: + - success + - failure --- name: release kind: pipeline type: docker -# Uncomment once we have e2e tests -# depends_on: -# - e2e-kubernetes-1.20 +depends_on: + - E2E Tests Kubernetes v1.28.13 + - E2E Tests Kubernetes v1.29.8 + - E2E Tests Kubernetes v1.30.4 + - E2E Tests Kubernetes v1.31.0 platform: os: linux diff --git a/katalog/tests/dex/kustomization.yaml b/katalog/tests/dex/kustomization.yaml new file mode 100644 index 0000000..a9d5421 --- /dev/null +++ b/katalog/tests/dex/kustomization.yaml @@ -0,0 +1,15 @@ +# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved. +# Use of this source code is governed by a BSD-style +# license that can be found in the LICENSE file. + +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../dex + +secretGenerator: + - name: dex + namespace: kube-system + files: + - config.yml=secrets/config.yml 
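Review bot: The readiness wait `until kubectl get serviceaccount default > /dev/null 2>&1; do echo "waiting for control-plane" && sleep 1; done` in the `End-to-End Tests` step has no upper bound, so a cluster that never becomes reachable (wrong kubeconfig path, node image pull failure) hangs the pipeline until the runner's global timeout instead of failing fast with a message. The same line is repeated in the v1.29.8, v1.30.4 and v1.31.0 pipelines, so it needs fixing in all four. A bounded form such as `- timeout 300 sh -c 'until kubectl get serviceaccount default >/dev/null 2>&1; do echo "waiting for control-plane"; sleep 1; done'` fails the step once the budget is spent, assuming `timeout` is present in the e2e-testing image. Separately, `Create Kind Cluster` and `Destroy Kind Cluster` mount the host `/var/run/docker.sock`, which gives those containers root-equivalent control of the runner host; that is inherent to running kind on Drone, but it deserves a comment next to the `volumes:` entry, and the `refs/tags/**` trigger is what keeps untrusted pull requests away from it, so that restriction should not be loosened casually.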
diff --git a/katalog/tests/dex/secrets/config.yml b/katalog/tests/dex/secrets/config.yml
new file mode 100644
index 0000000..eb23134
--- /dev/null
+++ b/katalog/tests/dex/secrets/config.yml
@@ -0,0 +1,53 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+issuer: https://dex.sighup.io
+frontend:
+ dir: /app/web
+ theme: dark
+storage:
+ type: kubernetes
+ config:
+ inCluster: true
+web:
+ http: 0.0.0.0:5556
+telemetry:
+ http: 0.0.0.0:5558
+connectors:
+ - type: ldap
+ id: ldap
+ name: LDAP
+ config:
+ host: server.ldap.svc:389
+ insecureNoSSL: true
+ bindDN: CN=admin,DC=sighup,DC=io
+ bindPW: HatFriday
+ userSearch:
+ baseDN: ou=people,DC=sighup,DC=io
+ filter: "(objectClass=person)"
+ username: cn
+ idAttr: cn
+ emailAttr: mail
+ nameAttr: displayName
+ groupSearch:
+ baseDN: DC=sighup,DC=io
+ filter: "(objectClass=groupOfNames)"
+ userMatchers:
+ - userAttr: DN
+ groupAttr: member
+ nameAttr: cn
+oauth2:
+ skipApprovalScreen: true
+staticClients:
+ - id: pomerium
+ redirectURIs:
+ - http://pomerium.127.0.0.1.nip.io
+ name: "Pomerium in-cluster SSO"
+ secret: pomerium
+ - id: gangplank
+ redirectURIs:
+ - http://gangplank.127.0.0.1.nip.io/callback
+ name: "In cluster LOGIN"
+ secret: gangplank
+enablePasswordDB: false
diff --git a/katalog/tests/gangplank/kustomization.yaml b/katalog/tests/gangplank/kustomization.yaml
new file mode 100644
index 0000000..aa8b31d
--- /dev/null
+++ b/katalog/tests/gangplank/kustomization.yaml
@@ -0,0 +1,15 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../gangplank
+
+secretGenerator:
+ - name: gangplank
+ namespace: kube-system
+ files:
+ - gangplank.yml=secrets/gangplank.yml
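Review bot: `issuer: https://dex.sighup.io` does not match the URL the two clients are configured with: gangplank's `authorizeURL`/`tokenURL` and Pomerium's `IDP_PROVIDER_URL` both use `https://dex.127.0.0.1.nip.io`. OIDC discovery requires the `issuer` in the provider metadata to equal the URL the client was given, so both clients would reject Dex even after ingress is wired up; `issuer: https://dex.127.0.0.1.nip.io` keeps this fixture consistent with the nip.io placeholders the other files use. The Pomerium static client registers `http://pomerium.127.0.0.1.nip.io` as its redirect URI while pomerium-config.env sets `AUTHENTICATE_SERVICE_URL=https://...`; the scheme and the callback path should be checked against what Pomerium actually sends before the SSO test is written. `bindPW: HatFriday` and the two `secret:` values are plaintext test credentials shared with ldap-server.yaml and pomerium.env; a top comment `# e2e fixture only: credentials are deliberately weak and must not be reused` records that intent for whoever copies this directory.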
diff --git a/katalog/tests/gangplank/secrets/gangplank.yml b/katalog/tests/gangplank/secrets/gangplank.yml
new file mode 100644
index 0000000..58dd9f1
--- /dev/null
+++ b/katalog/tests/gangplank/secrets/gangplank.yml
@@ -0,0 +1,15 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+clusterName: auth-e2e
+apiServerURL: "api-e2e.127.0.0.1.nip.io"
+authorizeURL: "https://dex.127.0.0.1.nip.io/auth"
+tokenURL: "https://dex.127.0.0.1.nip.io/token"
+clientID: "gangplank"
+clientSecret: "gangplank"
+redirectURL: "https://gangplank.127.0.0.1.nip.io/callback"
+scopes: ["openid", "profile", "email", "offline_access", "groups"]
+usernameClaim: "email"
+emailClaim: "email"
+sessionSecurityKey: "fakey"
diff --git a/katalog/tests/install-kapp.sh b/katalog/tests/install-kapp.sh
new file mode 100755
index 0000000..c7c5a0b
--- /dev/null
+++ b/katalog/tests/install-kapp.sh
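Review bot: `redirectURL: "https://gangplank.127.0.0.1.nip.io/callback"` uses https while the Dex static client for gangplank in dex/secrets/config.yml registers `http://gangplank.127.0.0.1.nip.io/callback`; Dex compares redirect_uri exactly, so the login step of the planned e2e would be refused with a redirect_uri mismatch. Pick one scheme and use it in both files. `apiServerURL: "api-e2e.127.0.0.1.nip.io"` carries no scheme, which presumably ends up verbatim in the `server` field of the generated kubeconfig — confirm what gangplank expects there. `sessionSecurityKey: "fakey"` and `clientSecret: "gangplank"` are acceptable as fixtures but deserve a comment marking them as e2e-only, e.g. `# e2e fixture values - not for real deployments`.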
@@ -0,0 +1,47 @@
+#!/bin/bash
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+set -e
+
+echo "> Checking for Kapp and installing if missing"
+
+# Check if kapp is already installed
+if command -v kapp &> /dev/null; then
+ echo "Nothing to do. Kapp is already installed."
+ exit 0
+fi
+
+# Define the kapp version
+KAPP_VERSION="v0.63.3"
+# Determine OS and architecture
+OS=$(uname -s)
+ARCH=$(uname -m)
+echo "Detected operating system: ${OS}"
+echo "Detected architecture: ${ARCH}"
+
+# Prepare the download URL based on OS and architecture
+URL=""
+case "${OS}" in
+ Linux|Darwin)
+ case "${ARCH}" in
+ x86_64|amd64) SUFFIX="amd64" ;;
+ arm|arm64) SUFFIX="arm64" ;;
+ *) echo "Architecture ${ARCH} is not supported."; exit 1 ;;
+ esac
+ URL="https://github.com/carvel-dev/kapp/releases/download/${KAPP_VERSION}/kapp-${OS}-${SUFFIX}"
+ ;;
+ *)
+ echo "Operating system ${OS} is not supported."; exit 1 ;;
+esac
+
+# Download and setup kapp
+echo "Downloading kapp from ${URL}..."
+curl -LO "${URL}"
+
+# Move the binary in to your PATH
+mv "kapp-${OS}-${SUFFIX}" /usr/local/bin/kapp
+
+# Make the binary executable
+chmod +x /usr/local/bin/kapp
diff --git a/katalog/tests/ldap-server/kustomization.yaml b/katalog/tests/ldap-server/kustomization.yaml
new file mode 100644
index 0000000..d162980
--- /dev/null
+++ b/katalog/tests/ldap-server/kustomization.yaml
@@ -0,0 +1,16 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: ldap
+resources:
+ - ns.yaml
+ - ldap-server.yaml
+
+configMapGenerator:
+ - files:
+ - ./sighup.io-groups.ldif
+ name: ldap-ldif
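Review bot: `curl -LO "${URL}"` has no `-f`, so an HTTP 404 or any other error page is saved as `kapp-${OS}-${SUFFIX}` with exit status 0, and the following `mv` and `chmod` install a non-binary into /usr/local/bin while `set -e` never fires. That failure is likely rather than theoretical: `uname -s` yields `Linux`/`Darwin` whereas the kapp release assets are named with lowercase OS (`kapp-linux-amd64`), and `aarch64`, which `uname -m` reports on 64-bit ARM Linux, is not matched at all while 32-bit `arm` is mapped to `arm64`. The download is also installed without any integrity check; pinning a per-version SHA-256 next to `KAPP_VERSION` and verifying it before `install` protects the CI image from a truncated or tampered artifact (use `shasum -a 256` where `sha256sum` is absent, e.g. macOS). The detection and download section rewritten with those fixes is below.
```shell
# … unchanged: header, "already installed" check, KAPP_VERSION …
# Pinned digest of the release asset for KAPP_VERSION (placeholder: take the value from the release page).
KAPP_SHA256="<SHA256-OF-KAPP-ASSET-FOR-${KAPP_VERSION}>"
# Release assets use lowercase OS names (kapp-linux-amd64, kapp-darwin-arm64).
OS=$(uname -s | tr '[:upper:]' '[:lower:]')
ARCH=$(uname -m)
# … unchanged: "Detected ..." echoes …
case "${OS}" in
  linux|darwin)
    case "${ARCH}" in
      x86_64|amd64) SUFFIX="amd64" ;;
      aarch64|arm64) SUFFIX="arm64" ;;
      *) echo "Architecture ${ARCH} is not supported."; exit 1 ;;
    esac
    URL="https://github.com/carvel-dev/kapp/releases/download/${KAPP_VERSION}/kapp-${OS}-${SUFFIX}"
    ;;
  *)
    echo "Operating system ${OS} is not supported."; exit 1 ;;
esac

tmp=$(mktemp)
trap 'rm -f -- "${tmp}"' EXIT
echo "Downloading kapp from ${URL}..."
# -f turns an HTTP error into a non-zero exit instead of saving the error page as the binary.
curl -fsSL -o "${tmp}" "${URL}"
# Refuse to install anything that does not match the pinned digest.
echo "${KAPP_SHA256}  ${tmp}" | sha256sum -c - >/dev/null
install -m 0755 "${tmp}" /usr/local/bin/kapp
```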
diff --git a/katalog/tests/ldap-server/ldap-server.yaml b/katalog/tests/ldap-server/ldap-server.yaml
new file mode 100644
index 0000000..06af958
--- /dev/null
+++ b/katalog/tests/ldap-server/ldap-server.yaml
@@ -0,0 +1,83 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ app: ldap-server
+ name: ldap
+stringData:
+ LDAP_ADMIN_PASSWORD: HatFriday
+---
+kind: ConfigMap
+metadata:
+ labels:
+ app: ldap-server
+ name: ldap
+apiVersion: v1
+data:
+ LDAP_ORGANISATION: SIGHUP
+ LDAP_DOMAIN: sighup.io
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: server
+spec:
+ ports:
+ - name: "tcp-389"
+ port: 389
+ protocol: TCP
+ targetPort: 389
+ - name: "tcp-363"
+ port: 636
+ protocol: TCP
+ targetPort: 636
+ selector:
+ app: ldap-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: ldap-server
+ name: ldap-server
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ldap-server
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: ldap-server
+ spec:
+ volumes:
+ - name: ldap-ldif
+ configMap:
+ name: ldap-ldif
+ containers:
+ - name: ldap-server
+ image: registry.sighup.io/fury/osixia/openldap:1.5.0
+ command:
+ - "sh"
+ - "-c"
+ - "cp -R /tmp/ldif /container/service/slapd/assets/config/bootstrap/ldif/custom && /container/tool/run"
+ envFrom:
+ - configMapRef:
+ name: ldap
+ - secretRef:
+ name: ldap
+ ports:
+ - containerPort: 389
+ name: "tcp-389"
+ - containerPort: 636
+ name: "tcp-636"
+ resources: {}
+ volumeMounts:
+ - name: ldap-ldif
+ mountPath: /tmp/ldif
diff --git a/katalog/tests/ldap-server/ns.yaml b/katalog/tests/ldap-server/ns.yaml
new file mode 100644
index 0000000..3019227
--- /dev/null
+++ b/katalog/tests/ldap-server/ns.yaml
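Review bot: The Service port for 636 is named `"tcp-363"` while the matching container port is `"tcp-636"`; the Service targets the port number so nothing breaks, but the names look unrelated and the typo will confuse anyone wiring LDAPS later, `- name: "tcp-636"`. The ConfigMap document puts `apiVersion` after `metadata`, which is valid but inconsistent with the other three documents in the file. `LDAP_ADMIN_PASSWORD: HatFriday` in `stringData` is the same value Dex's connector uses as `bindPW` in dex/secrets/config.yml; since one cannot change without the other, a comment such as `# must match bindPW in katalog/tests/dex/secrets/config.yml (e2e fixture only)` next to it would prevent a silent drift.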
@@ -0,0 +1,8 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ldap
diff --git a/katalog/tests/ldap-server/sighup.io-groups.ldif b/katalog/tests/ldap-server/sighup.io-groups.ldif
new file mode 100644
index 0000000..2a28160
--- /dev/null
+++ b/katalog/tests/ldap-server/sighup.io-groups.ldif
@@ -0,0 +1,43 @@
+version: 1
+
+dn: ou=groups,dc=sighup,dc=io
+objectClass: top
+objectClass: organizationalUnit
+ou: groups
+
+dn: ou=people,dc=sighup,dc=io
+objectClass: top
+objectClass: organizationalUnit
+ou: people
+
+dn: cn=user1,ou=people,dc=sighup,dc=io
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+cn: user
+sn: one
+mail: user.one@sighup.io
+displayName: "Player One"
+userPassword: userone
+
+dn: cn=user2,ou=people,dc=sighup,dc=io
+objectClass: top
+objectClass: person
+objectClass: inetOrgPerson
+cn: user
+sn: two
+mail: user.two@sighup.io
+displayName: "Player Two"
+userPassword: usertwo
+
+dn: cn=engineering,ou=groups,dc=sighup,dc=io
+objectClass: top
+objectClass: groupOfNames
+cn: engineering
+member: cn=user1,ou=people,dc=sighup,dc=io
+
+dn: cn=operations,ou=groups,dc=sighup,dc=io
+objectClass: top
+objectClass: groupOfNames
+cn: amministrazione
+member: cn=user2,ou=people,dc=sighup,dc=io
diff --git a/katalog/tests/pomerium/kustomization.yaml b/katalog/tests/pomerium/kustomization.yaml
new file mode 100644
index 0000000..d5b1a24
--- /dev/null
+++ b/katalog/tests/pomerium/kustomization.yaml
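Review bot: The entries `cn=user1` and `cn=user2` both carry `cn: user`, and `cn=operations` carries `cn: amministrazione`, so in each case the RDN value is missing from the entry's own attributes. OpenLDAP should reject such an add with a naming violation (`naming attribute 'cn' is not present in entry`), which would make the bootstrap of this LDIF fail inside the container's startup where nobody is looking; and even where it is accepted, Dex's connector uses `username: cn` and `idAttr: cn`, so both users would authenticate as the same identity `user`. Use `cn: user1`, `cn: user2` and `cn: operations` (or rename the DNs to match the attribute values). The `userPassword` values are plaintext e2e fixtures; a first-line comment `# e2e fixture only - weak credentials by design` makes that explicit.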
@@ -0,0 +1,25 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../pomerium
+
+configMapGenerator:
+ - name: pomerium
+ behavior: replace
+ envs:
+ - resources/pomerium-config.env
+ - name: pomerium-policy
+ behavior: replace
+ files:
+ - policy.yml=resources/pomerium-policy.yml
+
+secretGenerator:
+ - name: pomerium-env
+ behavior: replace
+ envs:
+ - secrets/pomerium.env
diff --git a/katalog/tests/pomerium/resources/pomerium-config.env b/katalog/tests/pomerium/resources/pomerium-config.env
new file mode 100644
index 0000000..7cc2e1c
--- /dev/null
+++ b/katalog/tests/pomerium/resources/pomerium-config.env
@@ -0,0 +1,15 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+AUTHENTICATE_SERVICE_HOST=pomerium.127.0.0.1.nip.io
+AUTHENTICATE_SERVICE_URL=https://$(AUTHENTICATE_SERVICE_HOST)
+AUTOCERT=false
+FORWARD_AUTH_HOST=pomerium.127.0.0.1.nip.io
+FORWARD_AUTH_URL=https://$(FORWARD_AUTH_HOST)
+IDP_CLIENT_ID=pomerium
+IDP_PROVIDER=oidc
+IDP_PROVIDER_URL=https://dex.127.0.0.1.nip.io
+IDP_SCOPES="openid profile email groups"
+LOG_LEVEL=info
+POMERIUM_DEBUG=false
diff --git a/katalog/tests/pomerium/resources/pomerium-policy.yml b/katalog/tests/pomerium/resources/pomerium-policy.yml
new file mode 100644
index 0000000..a6d77ac
--- /dev/null
+++ b/katalog/tests/pomerium/resources/pomerium-policy.yml
@@ -0,0 +1,21 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+address: ":8080"
+metrics_address: ":9090"
+
+insecure_server: true
+autocert: false
+
+routes:
+ - from: https://grafana.127.0.0.1.nip.io
+ to: http://grafana.monitoring.svc.cluster.local:3000
+ allow_websockets: true
+ host_rewrite_header: true
+ preserve_host_header: true
+ pass_identity_headers: true
+ policy:
+ - allow:
+ and:
+ - authenticated_user: true
diff --git a/katalog/tests/pomerium/secrets/pomerium.env b/katalog/tests/pomerium/secrets/pomerium.env
new file mode 100644
index 0000000..80a1636
--- /dev/null
+++ b/katalog/tests/pomerium/secrets/pomerium.env
@@ -0,0 +1,12 @@
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+# COOKIE_SECRET is obtained with `head -c32 /dev/urandom | base64` see https://www.pomerium.io/reference/#cookie-secret
+COOKIE_SECRET=WmSD9CPtXLYWLs8kJgS8wDcOD5wv5KHsaOMXjougu/k=
+#IDP_CLIENT_SECRET is the secret configured in the pomerium Dex static client
+IDP_CLIENT_SECRET=pomerium
+# SHARED_SECRET is obtained with `head -c32 /dev/urandom | base64` see https://www.pomerium.io/reference/#shared-secret
+SHARED_SECRET=2R6D4hroMwnxhDPwn03q+l7uImShSMK0KqQdQC5SrlU=
+# SIGNING_KEY is obtained with `openssl ecparam -genkey -name prime256v1 -noout -out ec_private.pem` then `cat ec_private.pem | base64` see https://www.pomerium.com/docs/reference/signing-key
+SIGNING_KEY=LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUdyTjhwRmNKNWFSTXhZZDR5WVVaK1RPaHdramdLMC9Kb3kreWhpK1M1dDFvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFN3ZuNk5Ibjd2alRVTU84aFhLckZTWHRvdXpyaENTU2NyS1plb2F1TjRzN1FHcEJqY0RpTgo4aGlGQ2FITEdWbEZpRnZXczd2RUd3YWxObWlLaTgxWEVnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
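Review bot: `COOKIE_SECRET`, `SHARED_SECRET` and `SIGNING_KEY` in pomerium.env are committed as literal values, and `SIGNING_KEY` is a base64-encoded EC private key. They only feed the e2e `secretGenerator`, but once in a public history they are permanently known, and this directory is the obvious template for anyone bringing up Pomerium from the module; since the comments already give the generation commands, tests.sh could generate them at run time (`COOKIE_SECRET=$(head -c32 /dev/urandom | base64)` and so on, written to the file before `kustomize build`), leaving only `IDP_CLIENT_SECRET` in git. Until then a header line `# e2e fixture values only - never reuse outside the test cluster` should sit above them, and the `cat ec_private.pem | base64` in the comment can simply be `base64 ec_private.pem`. In pomerium-policy.yml, `insecure_server: true` disables TLS on the proxy, which is fine for kind but worth a one-line comment saying so, so it is not copied into a real policy file.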
diff --git a/katalog/tests/tests.sh b/katalog/tests/tests.sh
new file mode 100755
index 0000000..bbdc91e
--- /dev/null
+++ b/katalog/tests/tests.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+# Copyright (c) 2017-present SIGHUP s.r.l All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
+
+
+# ---------------------------------------------------
+# THIS IS WIP
+# ---------------------------------------------------
+# Right now we only check that the components are correctly deployed and come up.
+# Here's some to do:
+# - [ ] check that Dex talks to the LDAP server.
+# - [ ] check that Gangplank redirects to Dex, login works and the you get the kubeconfig.
+# - [ ] deploy Grafana or some other ingess, add the route to Pomerium and check that SSO is working.
+#
+# Note:
+# There are some placeholders like .127.0.0.1.nip.io that need to be replaced when working on the more advanced tests.
+
+set -e
+
+bash katalog/tests/install-kapp.sh
+
+echo "> Deploying pre-requistes"
+kapp deploy --app prerequisites --file https://raw.githubusercontent.com/sighupio/fury-kubernetes-monitoring/refs/tags/v3.3.0-rc.1/katalog/prometheus-operator/crds/0servicemonitorCustomResourceDefinition.yaml --yes
+
+echo "> Deploying LDAP server"
+kapp deploy --app ldap --file <(kustomize build katalog/tests/ldap-server) --yes
+
+echo "> Deploying Dex"
+kapp deploy --app dex --file <(kustomize build katalog/tests/dex) --yes
+
+echo "> Deploying Gangplank"
+kapp deploy --app gangplank --file <(kustomize build katalog/tests/gangplank) --yes
+
+echo "> Deploying Pomerium"
+kapp deploy --app pomerium --file <(kustomize build katalog/tests/pomerium) --yes
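Review bot: `kapp deploy --app ldap --file <(kustomize build katalog/tests/ldap-server) --yes` hides any `kustomize build` failure: the exit status of a process substitution is invisible to `set -e`, and kapp is then handed an empty stream, which it may treat as "no resources in this app" and reconcile by deleting rather than as an error. Build into a temporary file and let the status propagate, e.g. `kustomize build katalog/tests/ldap-server > "${tmp}/ldap.yml"` followed by `kapp deploy --app ldap --file "${tmp}/ldap.yml" --yes`; the dex, gangplank and pomerium lines have the same shape. The Drone pipelines run this file with `bats -t`, yet it contains no `@test` blocks; how bats treats top-level code in a file with zero tests should be confirmed, and wrapping each deployment in `@test "deploy ldap" { ... }` would turn every step into a reported test case with its own pass/fail. `set -e` alone does not catch failures inside pipelines or references to unset variables, so `set -euo pipefail` is the safer strict mode here, and the paths are relative to the repository root, which the header comment should state. The echo text `pre-requistes` has a typo.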