|
| 1 | +#!/usr/bin/env bats |
| 2 | + |
| 3 | +load helpers |
| 4 | + |
| 5 | +BATS_TESTS_DIR=test/bats/tests/gcp |
| 6 | +WAIT_TIME=60 |
| 7 | +SLEEP_TIME=1 |
| 8 | +NAMESPACE=default |
| 9 | +PROVIDER_NAMESPACE=kube-system |
| 10 | +PROVIDER_YAML=https://raw.githubusercontent.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp/main/deploy/provider-gcp-plugin.yaml |
| 11 | +CONTAINER_IMAGE=nginx |
| 12 | +EXEC_COMMAND="cat" |
| 13 | +BASE64_FLAGS="-w 0" |
| 14 | + |
| 15 | +export CONTAINER_IMAGE=$CONTAINER_IMAGE |
| 16 | +export RESOURCE_NAME=${RESOURCE_NAME:-"projects/735463103342/secrets/test-secret-a/versions/latest"} |
| 17 | +export FILE_NAME=${FILE_NAME:-"secret"} |
| 18 | +export SECRET_VALUE=${SECRET_VALUE:-"aHVudGVyMg=="} |
| 19 | + |
| 20 | +setup() { |
| 21 | + if [[ -z "${GCP_SA_JSON}" ]]; then |
| 22 | + echo "Error: GCP Service Account (GCP_SA_JSON) is not provided" >&2 |
| 23 | + return 1 |
| 24 | + fi |
| 25 | +} |
| 26 | + |
| 27 | +@test "install gcp provider" { |
| 28 | + run kubectl apply -f $PROVIDER_YAML --namespace $PROVIDER_NAMESPACE |
| 29 | + assert_success |
| 30 | + |
| 31 | + cmd="kubectl wait --for=condition=Ready --timeout=60s pod -l app=csi-secrets-store-provider-gcp --namespace $PROVIDER_NAMESPACE" |
| 32 | + wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd" |
| 33 | + |
| 34 | + GCP_PROVIDER_POD=$(kubectl get pod --namespace $PROVIDER_NAMESPACE -l app=csi-secrets-store-provider-gcp -o jsonpath="{.items[0].metadata.name}") |
| 35 | + |
| 36 | + run kubectl get pod/$GCP_PROVIDER_POD --namespace $PROVIDER_NAMESPACE |
| 37 | + assert_success |
| 38 | +} |
| 39 | + |
| 40 | +@test "create gcp k8s secret for provider auth" { |
| 41 | + run kubectl create secret generic secrets-store-creds --namespace $NAMESPACE --from-literal=key.json="${GCP_SA_JSON}" |
| 42 | + assert_success |
| 43 | +} |
| 44 | + |
| 45 | +@test "secretproviderclasses crd is established" { |
| 46 | + cmd="kubectl wait --for condition=established --timeout=60s crd/secretproviderclasses.secrets-store.csi.x-k8s.io" |
| 47 | + wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd" |
| 48 | + |
| 49 | + run kubectl get crd/secretproviderclasses.secrets-store.csi.x-k8s.io |
| 50 | + assert_success |
| 51 | +} |
| 52 | + |
| 53 | +@test "deploy gcp secretproviderclass crd" { |
| 54 | + envsubst < $BATS_TESTS_DIR/gcp_v1alpha1_secretproviderclass.yaml | kubectl apply -f - |
| 55 | + |
| 56 | + cmd="kubectl get secretproviderclasses.secrets-store.csi.x-k8s.io/gcp -o yaml | grep gcp" |
| 57 | + wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd" |
| 58 | +} |
| 59 | + |
| 60 | +@test "CSI inline volume test with pod portability" { |
| 61 | + envsubst < $BATS_TESTS_DIR/nginx-pod-secrets-store-inline-volume-crd.yaml | kubectl apply -f - |
| 62 | + |
| 63 | + cmd="kubectl wait --for=condition=Ready --timeout=60s pod/nginx-secrets-store-inline-crd" |
| 64 | + wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd" |
| 65 | + |
| 66 | + run kubectl get pod/nginx-secrets-store-inline-crd |
| 67 | + assert_success |
| 68 | +} |
| 69 | + |
| 70 | +@test "CSI inline volume test with pod portability - read gcp kv secret from pod" { |
| 71 | + result=$(kubectl exec nginx-secrets-store-inline-crd -- $EXEC_COMMAND /mnt/secrets-store/$FILE_NAME) |
| 72 | + [[ "${result//$'\r'}" == "${SECRET_VALUE}" ]] |
| 73 | +} |
0 commit comments