diff --git a/tests/functional/barbican_controller_test.go b/tests/functional/barbican_controller_test.go index 7609f41..4ae32eb 100644 --- a/tests/functional/barbican_controller_test.go +++ b/tests/functional/barbican_controller_test.go @@ -12,7 +12,7 @@ import ( . "github.com/openstack-k8s-operators/lib-common/modules/common/test/helpers" barbicanv1beta1 "github.com/openstack-k8s-operators/barbican-operator/api/v1beta1" - "github.com/openstack-k8s-operators/barbican-operator/controllers" + controllers "github.com/openstack-k8s-operators/barbican-operator/controllers" "github.com/openstack-k8s-operators/barbican-operator/pkg/barbican" condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition" mariadb_test "github.com/openstack-k8s-operators/mariadb-operator/api/test/helpers" @@ -434,11 +434,13 @@ var _ = Describe("Barbican controller", func() { When("A Barbican with HSM is created", func() { BeforeEach(func() { + DeferCleanup(k8sClient.Delete, ctx, CreateHSMLoginSecret(barbicanTest.Instance.Namespace, HSMLoginSecret)) + DeferCleanup(k8sClient.Delete, ctx, CreateHSMCertsSecret(barbicanTest.Instance.Namespace, HSMCertsSecret)) + DeferCleanup(th.DeleteInstance, CreateBarbican(barbicanTest.Instance, GetHSMBarbicanSpec())) DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanMessageBusSecret(barbicanTest.Instance.Namespace, barbicanTest.RabbitmqSecretName)) - DeferCleanup(th.DeleteInstance, CreateBarbicanAPI(barbicanTest.Instance, GetHSMBarbicanAPISpec())) + infra.SimulateTransportURLReady(barbicanTest.BarbicanTransportURL) DeferCleanup(k8sClient.Delete, ctx, CreateKeystoneAPISecret(barbicanTest.Instance.Namespace, SecretName)) - // keystoneAPI := keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace) DeferCleanup( mariadb.DeleteDBService, mariadb.CreateDBService( @@ -449,12 +451,12 @@ var _ = Describe("Barbican controller", func() { }, ), ) - infra.SimulateTransportURLReady(barbicanTest.BarbicanTransportURL) - DeferCleanup(keystone.DeleteKeystoneAPI, keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace)) mariadb.SimulateMariaDBAccountCompleted(barbicanTest.BarbicanDatabaseAccount) mariadb.SimulateMariaDBDatabaseCompleted(barbicanTest.BarbicanDatabaseName) + DeferCleanup(keystone.DeleteKeystoneAPI, keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace)) th.SimulateJobSuccess(barbicanTest.BarbicanDBSync) - // DeferCleanup(keystone.DeleteKeystoneAPI, keystoneAPI) + DeferCleanup(th.DeleteInstance, CreateBarbicanAPI(barbicanTest.Instance, GetHSMBarbicanAPISpec())) + th.SimulateJobSuccess(barbicanTest.BarbicanP11Prep) }) It("Creates BarbicanAPI", func() { @@ -473,7 +475,7 @@ var _ = Describe("Barbican controller", func() { // Check the resulting deployment fields Expect(int(*d.Spec.Replicas)).To(Equal(1)) - Expect(d.Spec.Template.Spec.Volumes).To(HaveLen(3)) + Expect(d.Spec.Template.Spec.Volumes).To(HaveLen(4)) Expect(d.Spec.Template.Spec.Containers).To(HaveLen(2)) container := d.Spec.Template.Spec.Containers[1] @@ -482,28 +484,95 @@ var _ = Describe("Barbican controller", func() { Expect(container.LivenessProbe.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTP)) }) - It("Should have the right configuration contents", func() { - /*keystone.SimulateKeystoneEndpointReady(barbicanTest.BarbicanKeystoneEndpoint) - mariadb.SimulateMariaDBAccountCompleted(barbicanTest.BarbicanDatabaseAccount) - mariadb.SimulateMariaDBDatabaseCompleted(barbicanTest.BarbicanDatabaseName)*/ + It("Verifies the PKCS11 struct is in good shape", func() { + Barbican := GetBarbican(barbicanTest.Instance) + Expect(Barbican.Spec.EnabledSecretStores).Should(Equal([]barbicanv1beta1.SecretStore{"pkcs11"})) + Expect(Barbican.Spec.GlobalDefaultSecretStore).Should(Equal(barbicanv1beta1.SecretStore("pkcs11"))) + + pkcs11 := Barbican.Spec.PKCS11 + Expect(pkcs11.SlotId).Should(Equal(HSMSlotID)) + Expect(pkcs11.LibraryPath).Should(Equal(HSMLibraryPath)) + Expect(pkcs11.CertificatesMountPoint).Should(Equal(HSMCertificatesMountPoint)) + Expect(pkcs11.LoginSecret).Should(Equal(HSMLoginSecret)) + Expect(pkcs11.CertificatesSecret).Should(Equal(HSMCertsSecret)) + Expect(pkcs11.MKEKLabel).Should(Equal(HSMMKEKLabel)) + Expect(pkcs11.HMACLabel).Should(Equal(HSMHMACLabel)) + Expect(pkcs11.ServerAddress).Should(Equal(HSMServerAddress)) + Expect(pkcs11.ClientAddress).Should(Equal(HSMClientAddress)) + Expect(pkcs11.Type).Should(Equal(HSMType)) + }) - cf := th.GetSecret(barbicanTest.BarbicanConfigSecret) - Expect(cf).ShouldNot(BeNil()) - confChrystoki := cf.Data["Chrystoki.conf"] - Expect(confChrystoki).To( - ContainSubstring("Luna = {\n DefaultTimeOut = 500000;\n PEDTimeout1 = 100000;\n PEDTimeout2 = 200000;")) - confDefault := cf.Data["00-default.conf"] - Expect(confDefault).To( + It("Checks if the two relevant secrets have the right contents", func() { + hsmSecret := th.GetSecret(barbicanTest.BarbicanHSMLoginSecret) + Expect(hsmSecret).ShouldNot(BeNil()) + confHSM := hsmSecret.Data["hsmLogin"] + Expect(confHSM).To( + ContainSubstring("12345678")) + + certsSecret := th.GetSecret(barbicanTest.BarbicanHSMCertsSecret) + Expect(certsSecret).ShouldNot(BeNil()) + confCA := certsSecret.Data["CACert.pem"] + Expect(confCA).To( + ContainSubstring("dummy-data")) + confServer := certsSecret.Data[HSMServerAddress+"Server.pem"] + Expect(confServer).To( + ContainSubstring("dummy-data")) + confClient := certsSecret.Data[HSMClientAddress+"Client.pem"] + Expect(confClient).To( + ContainSubstring("dummy-data")) + confKey := certsSecret.Data[HSMClientAddress+"Client.key"] + Expect(confKey).To( + ContainSubstring("dummy-data")) + }) + + It("Verifies if Chrystoki.conf and 00-default.conf have the right contents.", func() { + confSecret := th.GetSecret(barbicanTest.BarbicanConfigSecret) + Expect(confSecret).ShouldNot(BeNil()) + + conf := confSecret.Data["Chrystoki.conf"] + Expect(conf).To( + ContainSubstring("Chrystoki2")) + Expect(conf).To( + ContainSubstring("LunaSA Client")) + Expect(conf).To( + ContainSubstring("ProtectedAuthenticationPathFlagStatus = 0")) + + conf = confSecret.Data["00-default.conf"] + Expect(conf).To( ContainSubstring("[secretstore:pkcs11]")) + Expect(conf).To( + ContainSubstring("plugin_name = PKCS11")) + Expect(conf).To( + ContainSubstring("slot_id = " + HSMSlotID)) }) - It("Should have the relevant conditions in the right state", func() { + It("Checks if the P11PreJob successfully executed", func() { + BarbicanExists(barbicanTest.Instance) + th.ExpectCondition( barbicanTest.Instance, ConditionGetterFunc(BarbicanConditionGetter), controllers.P11PrepReadyCondition, corev1.ConditionTrue, ) + + // Checking if both, the volume mount name and its mount path match the specified values. + volumeMounts := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts + elemNum := 0 + for index, mount := range volumeMounts { + if mount.Name == barbican.LunaVolume { + elemNum = index + break + } + } + + volume := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts[elemNum].Name + mountPath := th.GetJob(barbicanTest.BarbicanP11Prep).Spec.Template.Spec.Containers[0].VolumeMounts[elemNum].MountPath + + Eventually(func(g Gomega) { + g.Expect(volume).To(Equal(barbican.LunaVolume)) + g.Expect(mountPath).To(Equal(HSMCertificatesMountPoint)) + }, timeout, interval).Should(Succeed()) }) }) diff --git a/tests/functional/barbican_test_data.go b/tests/functional/barbican_test_data.go index 0557877..83b1794 100644 --- a/tests/functional/barbican_test_data.go +++ b/tests/functional/barbican_test_data.go @@ -54,6 +54,7 @@ type BarbicanTestData struct { BarbicanDatabaseName types.NamespacedName BarbicanDatabaseAccount types.NamespacedName BarbicanDBSync types.NamespacedName + BarbicanP11Prep types.NamespacedName BarbicanAPI types.NamespacedName BarbicanRole types.NamespacedName BarbicanRoleBinding types.NamespacedName @@ -65,6 +66,8 @@ type BarbicanTestData struct { BarbicanServiceInternal types.NamespacedName BarbicanConfigSecret types.NamespacedName BarbicanAPIConfigSecret types.NamespacedName + BarbicanHSMLoginSecret types.NamespacedName + BarbicanHSMCertsSecret types.NamespacedName BarbicanConfigScripts types.NamespacedName BarbicanConfigMapData types.NamespacedName BarbicanScheduler types.NamespacedName @@ -97,6 +100,10 @@ func GetBarbicanTestData(barbicanName types.NamespacedName) BarbicanTestData { Namespace: barbicanName.Namespace, Name: fmt.Sprintf("%s-db-sync", barbicanName.Name), }, + BarbicanP11Prep: types.NamespacedName{ + Namespace: barbicanName.Namespace, + Name: fmt.Sprintf("%s-p11-prep", barbicanName.Name), + }, BarbicanAPI: types.NamespacedName{ Namespace: barbicanName.Namespace, Name: fmt.Sprintf("%s-api-api", barbicanName.Name), @@ -141,6 +148,15 @@ func GetBarbicanTestData(barbicanName types.NamespacedName) BarbicanTestData { BarbicanAPIConfigSecret: types.NamespacedName{ Namespace: barbicanName.Namespace, Name: fmt.Sprintf("%s-%s", barbicanName.Name, "api-config-data"), + // This secret stores the password to connect to the HSM. + BarbicanHSMLoginSecret: types.NamespacedName{ + Namespace: barbicanName.Namespace, + Name: "hsm-login", + }, + // This secret stores the certificates used to interact with the HSM. + BarbicanHSMCertsSecret: types.NamespacedName{ + Namespace: barbicanName.Namespace, + Name: "hsm-certs", }, BarbicanConfigScripts: types.NamespacedName{ Namespace: barbicanName.Namespace, diff --git a/tests/functional/base_test.go b/tests/functional/base_test.go index fff85fb..c0930f8 100644 --- a/tests/functional/base_test.go +++ b/tests/functional/base_test.go @@ -43,17 +43,6 @@ func CreateKeystoneAPISecret(namespace string, name string) *corev1.Secret { ) } -func CreateHSMSecret(namespace string, name string) *corev1.Secret { - return th.CreateSecret( - types.NamespacedName{Namespace: namespace, Name: name}, - map[string][]byte{ - "AdminPassword": []byte("12345678"), - "BarbicanPassword": []byte("12345678"), - "KeystoneDatabasePassword": []byte("12345678"), - }, - ) -} - func GetDefaultBarbicanSpec() map[string]interface{} { return map[string]interface{}{ "databaseInstance": "openstack", @@ -134,6 +123,14 @@ func BarbicanKeystoneListenerNotExists(name types.NamespacedName) { }, timeout, interval).Should(Succeed()) } +func BarbicanExists(name types.NamespacedName) { + Consistently(func(g Gomega) { + instance := &barbicanv1.Barbican{} + err := k8sClient.Get(ctx, name, instance) + g.Expect(k8s_errors.IsNotFound(err)).To(BeFalse()) + }, timeout, interval).Should(Succeed()) +} + func BarbicanAPIConditionGetter(name types.NamespacedName) condition.Conditions { instance := GetBarbicanAPI(name) return instance.Status.Conditions @@ -187,33 +184,30 @@ func GetTLSBarbicanAPISpec() map[string]interface{} { // ========== HSM Stuff ============ func GetHSMBarbicanSpec() map[string]interface{} { - return map[string]interface{}{ - "databaseInstance": "openstack", - "secret": SecretName, - "simpleCryptoBackendSecret": SecretName, - "barbicanAPI": GetHSMBarbicanAPISpec(), - } -} - -func GetHSMBarbicanAPISpec() map[string]interface{} { - spec := GetDefaultBarbicanAPISpec() + spec := GetDefaultBarbicanSpec() maps.Copy(spec, map[string]interface{}{ "enabledSecretStores": []string{"pkcs11"}, "globalDefaultSecretStore": "pkcs11", "pkcs11": map[string]interface{}{ - "type": HSMType, - "libraryPath": HSMLibraryPath, - "slotId": HSMSlotID, - "MKEKLabel": HSMMKEKLabel, - "HMACLabel": HSMHMACLabel, - "serverAddress": HSMServerAddress, - "clientAddress": HSMClientAddress, - "loginSecret": HSMLoginSecret, + "slotId": HSMSlotID, + "libraryPath": HSMLibraryPath, + "certificatesMountPoint": HSMCertificatesMountPoint, + "loginSecret": HSMLoginSecret, + "certificatesSecret": HSMCertsSecret, + "MKEKLabel": HSMMKEKLabel, + "HMACLabel": HSMHMACLabel, + "serverAddress": HSMServerAddress, + "clientAddress": HSMClientAddress, + "type": HSMType, }, }) return spec } +func GetHSMBarbicanAPISpec() map[string]interface{} { + return GetDefaultBarbicanAPISpec() +} + func CreateHSMLoginSecret(namespace string, name string) *corev1.Secret { return th.CreateSecret( types.NamespacedName{Namespace: namespace, Name: name}, @@ -223,6 +217,18 @@ func CreateHSMLoginSecret(namespace string, name string) *corev1.Secret { ) } +func CreateHSMCertsSecret(namespace string, name string) *corev1.Secret { + return th.CreateSecret( + types.NamespacedName{Namespace: namespace, Name: name}, + map[string][]byte{ + "CACert.pem": []byte("dummy-data"), + HSMServerAddress + "Server.pem": []byte("dummy-data"), + HSMClientAddress + "Client.pem": []byte("dummy-data"), + HSMClientAddress + "Client.key": []byte("dummy-data"), + }, + ) +} + // ========== End of HSM Stuff ============ func GetDefaultBarbicanAPISpec() map[string]interface{} { diff --git a/tests/functional/suite_test.go b/tests/functional/suite_test.go index 073b828..7f5d38a 100644 --- a/tests/functional/suite_test.go +++ b/tests/functional/suite_test.go @@ -71,14 +71,16 @@ const ( interval = time.Millisecond * 200 // HSM Constants - HSMType = "luna" // Using them Luna model without any specific selection criteria. - HSMLibraryPath = "/usr/local/luna/libs/64/libCryptoki2.so" - HSMSlotID = "1" - HSMMKEKLabel = "MKEKLabel" - HSMHMACLabel = "HMACLabel" - HSMServerAddress = "192.168.0.1" - HSMClientAddress = "192.168.0.2" - HSMLoginSecret = "hsm-secret" + HSMType = "luna" // Using them Luna model without any specific selection criteria. + HSMLibraryPath = "/usr/local/luna/libs/64/libCryptoki2.so" + HSMCertificatesMountPoint = "/usr/local/luna/config/certs" + HSMSlotID = "1" + HSMMKEKLabel = "MKEKLabel" + HSMHMACLabel = "HMACLabel" + HSMServerAddress = "192.168.0.1" + HSMClientAddress = "192.168.0.2" + HSMLoginSecret = "hsm-login" + HSMCertsSecret = "hsm-certs" ) func TestAPIs(t *testing.T) {