Testing: sealed secrets

Signed-off-by: Leonardo Milleri <[email protected]>

Author: lmilleri

tests/scripts/config-trustee.sh

@@ -97,6 +97,5 @@ spec:
   kbsRvpsRefValuesConfigMapName: rvps-reference-values
   kbsSecretResources: ["kbsres1"]
   kbsResourcePolicyConfigMapName: resource-policy
-  kbsServiceType: LoadBalancer
 EOF
 

tests/tee/sealed-secrets/01-assert.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vault-secret
+  namespace: trustee-operator-system
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: sealed-secret
+  namespace: default

tests/tee/sealed-secrets/01-vault-secret.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  # create vault secret pointing to kbs default/vault-secret/secret
+  - script: export BASE64=$(cat secret.json | basenc --base64url -w0) && kubectl create secret generic sealed-secret --from-literal="secret=sealed.fakejwsheader.${BASE64}.fakesignature"
+  - script: kubectl create secret generic -n trustee-operator-system vault-secret --from-literal='secret=hello!'

tests/tee/sealed-secrets/02-patch-kbsconfig.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: export CR_NAME=$(kubectl get kbsconfig -n trustee-operator-system -o=jsonpath='{.items[0].metadata.name}') && kubectl patch KbsConfig -n trustee-operator-system $CR_NAME --type=json -p='[{"op":"add", "path":"/spec/kbsSecretResources/-", "value":"vault-secret"}]'

tests/tee/sealed-secrets/03-assert.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sealed-pod
+  namespace: default
+status:
+  containerStatuses:
+  - ready: true

tests/tee/sealed-secrets/03-sealed-pod.yaml

@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: export KATA_RUNTIME=${KATA_RUNTIME:-kata-snp} && envsubst < "pod-sealed.yaml.in" > "pod-sealed.yaml"
+  - script: kubectl apply -f pod-sealed.yaml
+  - script: rm pod-sealed.yaml

tests/tee/sealed-secrets/04-assert.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+commands:
+  - script: test "$(kubectl exec sealed-pod -- cat /sealed/mysecret/secret)" = "hello!"

tests/tee/sealed-secrets/05-teardown.yaml

@@ -0,0 +1,8 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: kubectl delete secret -n default sealed-secret
+  - script: kubectl delete secret -n trustee-operator-system vault-secret
+  - script: kubectl delete pod sealed-pod
+  - script: export CR_NAME=$(kubectl get kbsconfig -n trustee-operator-system -o=jsonpath='{.items[0].metadata.name}') &&
+            kubectl get KbsConfig -n trustee-operator-system $CR_NAME -o json | jq ".spec.kbsSecretResources -= [\"vault-secret\"]" | kubectl apply -f -

tests/tee/sealed-secrets/pod-sealed.yaml.in

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sealed-pod
+  annotations:
+    io.containerd.cri.runtime-handler: ${KATA_RUNTIME}
+    io.katacontainers.config.hypervisor.kernel_params: " agent.aa_kbc_params=cc_kbc::http://kbs-service.trustee-operator-system:8080"
+spec:
+  runtimeClassName: ${KATA_RUNTIME}
+  containers:
+    - name: sealed-pod
+      volumeMounts:
+        - name: secret-volume
+          mountPath: "/sealed/mysecret"
+      env:
+      - name: PROTECTED_SECRET
+        valueFrom:
+          secretKeyRef:
+            name: sealed-secret
+            key: secret
+      image: quay.io/prometheus/busybox:latest
+      imagePullPolicy: Always
+      command:
+        - sh
+        - -c
+        - |
+          env
+          sleep "36000"
+      securityContext:
+        privileged: false
+        seccompProfile:
+          type: RuntimeDefault
+  volumes:
+    - name: secret-volume
+      secret:
+        secretName: sealed-secret

tests/tee/sealed-secrets/secret.json

@@ -0,0 +1,8 @@
+{
+    "version": "0.1.0",
+    "type": "vault",
+    "name": "kbs:///default/vault-secret/secret",
+    "provider": "kbs",
+    "provider_settings": {},
+    "annotations": {}
+}