test(e2e): add test suite for S3 Key authentication

shanduur · shanduur-akamai · commit 4537562f573d · 2024-09-26T12:09:01.000+02:00
Signed-off-by: Mateusz Urbanek &lt;mateusz.urbanek.98@gmail.com&gt;
diff --git a/test/e2e/s3/key/delete/chainsaw-test.yaml b/test/e2e/s3/key/delete/chainsaw-test.yaml
@@ -0,0 +1,108 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: test-s3-iam-delete
+  labels:
+    sample: "true"
+    protocol: "S3"
+    authenticationType: "Key"
+    deletionPolicy: "Delete"
+spec:
+  template: true
+  steps:
+  - name: Check if COSI Controller exist
+    try:
+    - assert:
+        file: ../../../tests/controller.yaml
+  - name: Create test BucketClass and BucketAccessClass
+    try:
+    - apply:
+        file: ./resources/BucketClass.yaml
+    - apply:
+        file: ./resources/BucketAccessClass.yaml
+  - name: Create BucketClaim
+    try:
+    - apply:
+        file: ./resources/BucketClaim.yaml
+  - name: Check if BucketClaim is ready
+    try:
+    - assert:
+        resource:
+          apiVersion: objectstorage.k8s.io/v1alpha1
+          kind: BucketClaim
+          metadata:
+            name: test-s3-iam-delete
+          status:
+            bucketReady: true
+  - name: Create BucketAccess
+    try:
+    - apply:
+        file: ./resources/BucketAccess.yaml
+  - name: Check if BucketAccess is granted
+    try:
+    - assert:
+        resource:
+          apiVersion: objectstorage.k8s.io/v1alpha1
+          kind: BucketAccess
+          metadata:
+            name: test-s3-iam-delete
+          status:
+            accessGranted: true
+  - name: Check if Secret exists
+    try:
+    - assert:
+        resource:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: test-s3-iam-delete
+  - name: Run ObjectStorage validation tool
+    # TODO: This should be either a standalone test tool developed by us, to run test suite:
+    # - validate Secret format;
+    # - validate connectivity to the Object Storage server;
+    # Right now it is using busybox to check if the secret has correct format.
+    try:
+    - apply:
+        file: ../../../tests/validator.yaml
+    - create:
+        resource:
+          apiVersion: batch/v1
+          kind: Job
+          metadata:
+            name: test-s3-iam-delete
+          spec:
+            ttlSecondsAfterFinished: 100
+            template:
+              spec:
+                restartPolicy: Never
+                containers:
+                - name: secret-test
+                  image: docker.io/library/python:3.12
+                  command: [ "sh", "/validation/validation.sh" ]
+                  volumeMounts:
+                  - mountPath: /validator
+                    name: validator
+                  - mountPath: /conf
+                    name: secret-vol
+                volumes:
+                - name: validator
+                  configMap:
+                    name: validator  
+                - name: secret-vol
+                  secret:
+                    secretName: test-retain-secret
+                    items:
+                    - iam: BucketInfo
+                      path: BucketInfo.json
+  - name: Check if ObjectStorage validation tool completed succesfully
+    try:
+    - assert:
+        resource:
+          apiVersion: batch/v1
+          kind: Job
+          metadata:
+            name: test-s3-iam-delete
+          status:
+            succeeded: 1
diff --git a/test/e2e/s3/key/delete/resources/BucketAccess.yaml b/test/e2e/s3/key/delete/resources/BucketAccess.yaml
@@ -0,0 +1,9 @@
+apiVersion: objectstorage.k8s.io/v1alpha1
+kind: BucketAccess
+metadata:
+  name: test-s3-iam-delete
+spec:
+  bucketClaimName: test-s3-iam-delete
+  protocol: S3
+  bucketAccessClassName: test-s3-iam-delete
+  credentialsSecretName: test-s3-iam-delete
diff --git a/test/e2e/s3/key/delete/resources/BucketAccessClass.yaml b/test/e2e/s3/key/delete/resources/BucketAccessClass.yaml
@@ -0,0 +1,7 @@
+apiVersion: objectstorage.k8s.io/v1alpha1
+kind: BucketAccessClass
+metadata:
+  name: test-s3-iam-delete
+driverName: sample-driver.objectstorage.k8s.io
+authenticationType: IAM
+parameters: {}
diff --git a/test/e2e/s3/key/delete/resources/BucketClaim.yaml b/test/e2e/s3/key/delete/resources/BucketClaim.yaml
@@ -0,0 +1,7 @@
+apiVersion: objectstorage.k8s.io/v1alpha1
+kind: BucketClaim
+metadata:
+  name: test-s3-iam-delete
+spec:
+  bucketClassName: test-s3-iam-delete
+  protocols: [ 'S3' ]
diff --git a/test/e2e/s3/key/delete/resources/BucketClass.yaml b/test/e2e/s3/key/delete/resources/BucketClass.yaml
@@ -0,0 +1,7 @@
+apiVersion: objectstorage.k8s.io/v1alpha1
+kind: BucketClass
+metadata:
+  name: test-s3-iam-delete
+driverName: sample-driver.objectstorage.k8s.io
+deletionPolicy: Delete
+parameters: {}
diff --git a/test/e2e/s3/key/retain/chainsaw-test.yaml b/test/e2e/s3/key/retain/chainsaw-test.yaml
@@ -0,0 +1,108 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: test-s3-key-retain
+  labels:
+    sample: "true"
+    protocol: "S3"
+    authenticationType: "Key"
+    deletionPolicy: "Retain"
+spec:
+  template: true
+  steps:
+  - name: Check if COSI Controller exist
+    try:
+    - assert:
+        file: ../../../tests/controller.yaml
+  - name: Create test BucketClass and BucketAccessClass
+    try:
+    - apply:
+        file: ./resources/BucketClass.yaml
+    - apply:
+        file: ./resources/BucketAccessClass.yaml
+  - name: Create BucketClaim
+    try:
+    - apply:
+        file: ./resources/BucketClaim.yaml
+  - name: Check if BucketClaim is ready
+    try:
+    - assert:
+        resource:
+          apiVersion: objectstorage.k8s.io/v1alpha1
+          kind: BucketClaim
+          metadata:
+            name: test-s3-key-retain
+          status:
+            bucketReady: true
+  - name: Create BucketAccess
+    try:
+    - apply:
+        file: ./resources/BucketAccess.yaml
+  - name: Check if BucketAccess is granted
+    try:
+    - assert:
+        resource:
+          apiVersion: objectstorage.k8s.io/v1alpha1
+          kind: BucketAccess
+          metadata:
+            name: test-s3-key-retain
+          status:
+            accessGranted: true
+  - name: Check if Secret exists
+    try:
+    - assert:
+        resource:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: test-s3-key-retain
+  - name: Run ObjectStorage validation tool
+    # TODO: This should be either a standalone test tool developed by us, to run test suite:
+    # - validate Secret format;
+    # - validate connectivity to the Object Storage server;
+    # Right now it is using busybox to check if the secret has correct format.
+    try:
+    - apply:
+        file: ../../../tests/validator.yaml
+    - create:
+        resource:
+          apiVersion: batch/v1
+          kind: Job
+          metadata:
+            name: test-s3-key-retain
+          spec:
+            ttlSecondsAfterFinished: 100
+            template:
+              spec:
+                restartPolicy: Never
+                containers:
+                - name: secret-test
+                  image: docker.io/library/python:3.12
+                  command: [ "sh", "/validation/validation.sh" ]
+                  volumeMounts:
+                  - mountPath: /validator
+                    name: validator
+                  - mountPath: /conf
+                    name: secret-vol
+                volumes:
+                - name: validator
+                  configMap:
+                    name: validator
+                - name: secret-vol
+                  secret:
+                    secretName: test-s3-key-retain
+                    items:
+                    - iam: BucketInfo
+                      path: BucketInfo.json
+  - name: Check if ObjectStorage validation tool completed succesfully
+    try:
+    - assert:
+        resource:
+          apiVersion: batch/v1
+          kind: Job
+          metadata:
+            name: test-s3-key-retain
+          status:
+            succeeded: 1
diff --git a/test/e2e/s3/key/retain/resources/BucketAccess.yaml b/test/e2e/s3/key/retain/resources/BucketAccess.yaml
@@ -0,0 +1,9 @@
+apiVersion: objectstorage.k8s.io/v1alpha1
+kind: BucketAccess
+metadata:
+  name: test-s3-key-retain
+spec:
+  bucketClaimName: test-s3-key-retain
+  protocol: S3
+  bucketAccessClassName: test-s3-key-retain
+  credentialsSecretName: test-s3-key-retain
diff --git a/test/e2e/s3/key/retain/resources/BucketAccessClass.yaml b/test/e2e/s3/key/retain/resources/BucketAccessClass.yaml
@@ -0,0 +1,7 @@
+apiVersion: objectstorage.k8s.io/v1alpha1
+kind: BucketAccessClass
+metadata:
+  name: test-s3-key-retain
+driverName: sample-driver.objectstorage.k8s.io
+authenticationType: IAM
+parameters: {}
diff --git a/test/e2e/s3/key/retain/resources/BucketClaim.yaml b/test/e2e/s3/key/retain/resources/BucketClaim.yaml
@@ -0,0 +1,7 @@
+apiVersion: objectstorage.k8s.io/v1alpha1
+kind: BucketClaim
+metadata:
+  name: test-s3-key-retain
+spec:
+  bucketClassName: test-s3-key-retain
+  protocols: [ 'S3' ]
diff --git a/test/e2e/s3/key/retain/resources/BucketClass.yaml b/test/e2e/s3/key/retain/resources/BucketClass.yaml
@@ -0,0 +1,7 @@
+apiVersion: objectstorage.k8s.io/v1alpha1
+kind: BucketClass
+metadata:
+  name: test-s3-key-retain
+driverName: sample-driver.objectstorage.k8s.io
+deletionPolicy: Retain
+parameters: {}
diff --git a/test/e2e/tests/controller.yaml b/test/e2e/tests/controller.yaml
@@ -0,0 +1,7 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: objectstorage-controller
+  namespace: default
+status:
+  availableReplicas: 1
diff --git a/test/e2e/tests/validator.yaml b/test/e2e/tests/validator.yaml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: validator
+data:
+  schema.json: |
+    {
+      "$schema": "http://json-schema.org/draft-07/schema#",
+      "type": "object",
+      "properties": {
+        "spec": {
+          "type": "object",
+          "properties": {
+            "bucketName": {
+              "type": "string"
+            },
+            "authenticationType": {
+              "type": "string",
+              "enum": ["IAM", "Key"]
+            },
+            "protocols": {
+              "type": "array",
+              "items": {
+                "type": "string",
+                "enum": ["S3", "Azure", "GCP"]
+              },
+              "minItems": 1
+            },
+            "secretS3": {
+              "type": "object",
+              "properties": {
+                "endpoint": {
+                  "type": "string"
+                },
+                "region": {
+                  "type": "string"
+                },
+                "accessKeyID": {
+                  "type": "string"
+                },
+                "accessSecretKey": {
+                  "type": "string"
+                }
+              },
+              "required": ["endpoint", "region", "accessKeyID", "accessSecretKey"]
+            },
+            "secretAzure": {
+              "type": "object",
+              "properties": {
+                "accessToken": {
+                  "type": "string"
+                },
+                "expiryTimeStamp": {
+                  "type": "string"
+                }
+              },
+              "required": ["accessToken", "expiryTimeStamp"]
+            }
+          },
+          "required": ["bucketName", "authenticationType", "protocols"],
+          "oneOf": [
+            { "required": ["secretS3"] },
+            { "required": ["secretAzure"] }
+          ]
+        }
+      },
+      "required": ["spec"]
+    }
+  validator.sh: |
+    #!/usr/bin/env sh
+    pip install check-jsonschema
+    check-jsonschema --schema /validator/schema.json /conf/BucketInfo.json
