add negative e2e tests

Author: aramase

pkg/secrets-store/nodeserver.go

@@ -154,9 +154,6 @@ func (ns *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 	parameters[csipodnamespace] = attrib[csipodnamespace]
 	parameters[csipoduid] = attrib[csipoduid]
 	parameters[csipodsa] = attrib[csipodsa]
-	podName = parameters[csipodname]
-	podNamespace = parameters[csipodnamespace]
-	podUID = parameters[csipoduid]
 
 	// ensure it's read-only
 	if !req.GetReadonly() {

pkg/secrets-store/nodeserver_test.go

@@ -51,31 +51,35 @@ func getTestTargetPath(t *testing.T) string {
 
 func TestNodePublishVolume(t *testing.T) {
 	tests := []struct {
-		name              string
-		nodePublishVolReq csi.NodePublishVolumeRequest
-		mountPoints       []mount.MountPoint
-		initObjects       []runtime.Object
-		expectedErr       bool
+		name               string
+		nodePublishVolReq  csi.NodePublishVolumeRequest
+		mountPoints        []mount.MountPoint
+		initObjects        []runtime.Object
+		expectedErr        bool
+		shouldRetryRemount bool
 	}{
 		{
-			name:              "volume capabilities nil",
-			nodePublishVolReq: csi.NodePublishVolumeRequest{},
-			expectedErr:       true,
+			name:               "volume capabilities nil",
+			nodePublishVolReq:  csi.NodePublishVolumeRequest{},
+			expectedErr:        true,
+			shouldRetryRemount: true,
 		},
 		{
 			name: "volume id is empty",
 			nodePublishVolReq: csi.NodePublishVolumeRequest{
 				VolumeCapability: &csi.VolumeCapability{},
 			},
-			expectedErr: true,
+			expectedErr:        true,
+			shouldRetryRemount: true,
 		},
 		{
 			name: "target path is empty",
 			nodePublishVolReq: csi.NodePublishVolumeRequest{
 				VolumeCapability: &csi.VolumeCapability{},
 				VolumeId:         "testvolid1",
 			},
-			expectedErr: true,
+			expectedErr:        true,
+			shouldRetryRemount: true,
 		},
 		{
 			name: "volume context is not set",
@@ -84,7 +88,8 @@ func TestNodePublishVolume(t *testing.T) {
 				VolumeId:         "testvolid1",
 				TargetPath:       getTestTargetPath(t),
 			},
-			expectedErr: true,
+			expectedErr:        true,
+			shouldRetryRemount: true,
 		},
 		{
 			name: "secret provider class not found",
@@ -94,7 +99,8 @@ func TestNodePublishVolume(t *testing.T) {
 				TargetPath:       getTestTargetPath(t),
 				VolumeContext:    map[string]string{"secretProviderClass": "provider1"},
 			},
-			expectedErr: true,
+			expectedErr:        true,
+			shouldRetryRemount: true,
 		},
 		{
 			name: "secret provider class in pod namespace not found",
@@ -112,7 +118,8 @@ func TestNodePublishVolume(t *testing.T) {
 					},
 				},
 			},
-			expectedErr: true,
+			expectedErr:        true,
+			shouldRetryRemount: true,
 		},
 		{
 			name: "provider not set in secret provider class",
@@ -130,7 +137,8 @@ func TestNodePublishVolume(t *testing.T) {
 					},
 				},
 			},
-			expectedErr: true,
+			expectedErr:        true,
+			shouldRetryRemount: true,
 		},
 		{
 			name: "parameters not set in secret provider class",
@@ -151,7 +159,8 @@ func TestNodePublishVolume(t *testing.T) {
 					},
 				},
 			},
-			expectedErr: true,
+			expectedErr:        true,
+			shouldRetryRemount: true,
 		},
 		{
 			name: "read only is not set to true",
@@ -173,7 +182,8 @@ func TestNodePublishVolume(t *testing.T) {
 					},
 				},
 			},
-			expectedErr: true,
+			expectedErr:        true,
+			shouldRetryRemount: true,
 		},
 		{
 			name: "failed to invoke provider, unmounted to force retry",
@@ -196,7 +206,8 @@ func TestNodePublishVolume(t *testing.T) {
 					},
 				},
 			},
-			expectedErr: true,
+			expectedErr:        true,
+			shouldRetryRemount: true,
 		},
 		{
 			name: "volume already mounted, no remount",
@@ -219,8 +230,9 @@ func TestNodePublishVolume(t *testing.T) {
 					},
 				},
 			},
-			mountPoints: []mount.MountPoint{},
-			expectedErr: false,
+			mountPoints:        []mount.MountPoint{},
+			expectedErr:        false,
+			shouldRetryRemount: true,
 		},
 	}
 
@@ -248,16 +260,25 @@ func TestNodePublishVolume(t *testing.T) {
 				t.Fatalf("expected error to be nil, got: %+v", err)
 			}
 
-			_, err = ns.NodePublishVolume(context.TODO(), &test.nodePublishVolReq)
-			if test.expectedErr && err == nil || !test.expectedErr && err != nil {
-				t.Fatalf("expected err: %v, got: %+v", test.expectedErr, err)
+			numberOfAttempts := 1
+			// to ensure the remount is tried after previous failure and still fails
+			if test.shouldRetryRemount {
+				numberOfAttempts = 2
 			}
-			mnts, err := ns.mounter.List()
-			if err != nil {
-				t.Fatalf("expected err to be nil, got: %v", err)
-			}
-			if test.expectedErr && len(test.mountPoints) == 0 && len(mnts) != 0 {
-				t.Fatalf("expected mount points to be 0")
+
+			for numberOfAttempts > 0 {
+				_, err = ns.NodePublishVolume(context.TODO(), &test.nodePublishVolReq)
+				if test.expectedErr && err == nil || !test.expectedErr && err != nil {
+					t.Fatalf("expected err: %v, got: %+v", test.expectedErr, err)
+				}
+				mnts, err := ns.mounter.List()
+				if err != nil {
+					t.Fatalf("expected err to be nil, got: %v", err)
+				}
+				if test.expectedErr && len(test.mountPoints) == 0 && len(mnts) != 0 {
+					t.Fatalf("expected mount points to be 0")
+				}
+				numberOfAttempts--
 			}
 		})
 	}

test/bats/azure.bats

@@ -86,7 +86,7 @@ setup() {
 
 @test "CSI inline volume test with pod portability - read azure kv secret from pod" {
   result=$(kubectl exec nginx-secrets-store-inline-crd -- $EXEC_COMMAND/$SECRET_NAME)
-  [[ "${result//$'\r'}" -eq "${SECRET_VALUE}" ]]
+  [[ "${result//$'\r'}" == "${SECRET_VALUE}" ]]
 }
 
 @test "CSI inline volume test with pod portability - read azure kv key from pod" {
@@ -114,20 +114,20 @@ setup() {
   POD=$(kubectl get pod -l app=nginx -o jsonpath="{.items[0].metadata.name}")
 
   result=$(kubectl exec $POD -- $EXEC_COMMAND/secretalias)
-  [[ "${result//$'\r'}" -eq "${SECRET_VALUE}" ]]
+  [[ "${result//$'\r'}" == "${SECRET_VALUE}" ]]
 
   result=$(kubectl exec $POD -- $EXEC_COMMAND/$KEY_NAME)
   result_base64_encoded=$(echo "${result//$'\r'}" | base64 ${BASE64_FLAGS})
   [[ "${result_base64_encoded}" == *"${KEY_VALUE_CONTAINS}"* ]]
 
   result=$(kubectl get secret foosecret -o jsonpath="{.data.username}" | base64 -d)
-  [[ "${result//$'\r'}" -eq "${SECRET_VALUE}" ]]
+  [[ "${result//$'\r'}" == "${SECRET_VALUE}" ]]
 
   result=$(kubectl exec -it $POD printenv | grep SECRET_USERNAME) | awk -F"=" '{ print $2}'
-  [[ "${result//$'\r'}" -eq "${SECRET_VALUE}" ]]
+  [[ "${result//$'\r'}" == "${SECRET_VALUE}" ]]
 
   result=$(kubectl get secret foosecret -o json | jq '.metadata.ownerReferences | length')
-  [[ "$result" == "2" ]]
+  [[ "$result" -eq 2 ]]
 }
 
 @test "Sync with K8s secrets - delete deployment, check secret deleted" {
@@ -139,7 +139,7 @@ setup() {
 
   sleep 20
   result=$(kubectl get secret | grep foosecret | wc -l)
-  [[ "$result" -eq "0" ]]
+  [[ "$result" -eq 0 ]]
 }
 
 @test "Test Namespaced scope SecretProviderClass - create deployment" {
@@ -170,20 +170,20 @@ setup() {
   POD=$(kubectl get pod -l app=nginx -n test-ns -o jsonpath="{.items[0].metadata.name}")
 
   result=$(kubectl exec -n test-ns $POD -- $EXEC_COMMAND/secretalias)
-  [[ "${result//$'\r'}" -eq "${SECRET_VALUE}" ]]
+  [[ "${result//$'\r'}" == "${SECRET_VALUE}" ]]
 
   result=$(kubectl exec -n test-ns $POD -- $EXEC_COMMAND/$KEY_NAME)
   result_base64_encoded=$(echo "${result//$'\r'}" | base64 ${BASE64_FLAGS})
   [[ "${result_base64_encoded}" == *"${KEY_VALUE_CONTAINS}"* ]]
 
   result=$(kubectl get secret foosecret -n test-ns -o jsonpath="{.data.username}" | base64 -d)
-  [[ "${result//$'\r'}" -eq "${SECRET_VALUE}" ]]
+  [[ "${result//$'\r'}" == "${SECRET_VALUE}" ]]
 
   result=$(kubectl exec -n test-ns $POD -- printenv | grep SECRET_USERNAME) | awk -F"=" '{ print $2}'
-  [[ "${result//$'\r'}" -eq "${SECRET_VALUE}" ]]
+  [[ "${result//$'\r'}" == "${SECRET_VALUE}" ]]
 
   result=$(kubectl get secret foosecret -n test-ns -o json | jq '.metadata.ownerReferences | length')
-  [[ "$result" -eq "2" ]]
+  [[ "$result" -eq 2 ]]
 }
 
 @test "Test Namespaced scope SecretProviderClass - Sync with K8s secrets - delete deployment, check secret deleted" {
@@ -192,5 +192,26 @@ setup() {
   sleep 20
 
   result=$(kubectl get secret -n test-ns | grep foosecret | wc -l)
-  [[ "$result" -eq "0" ]]
+  [[ "$result" -eq 0 ]]
+}
+
+@test "Test Namespaced scope SecretProviderClass - Should fail when no secret provider class in same namespace" {
+  run kubectl create ns negative-test-ns
+  assert_success
+
+  run kubectl create secret generic secrets-store-creds --from-literal clientid=${AZURE_CLIENT_ID} --from-literal clientsecret=${AZURE_CLIENT_SECRET} -n negative-test-ns
+  assert_success
+
+  envsubst < $BATS_TESTS_DIR/nginx-deployment-synck8s-azure.yaml | kubectl apply -n negative-test-ns -f -
+  sleep 5
+
+  POD=$(kubectl get pod -l app=nginx -n negative-test-ns -o jsonpath="{.items[0].metadata.name}")
+  cmd="kubectl describe pod $POD -n negative-test-ns | grep 'FailedMount.*failed to get secretproviderclass negative-test-ns/azure-sync.*not found'"
+  wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
+
+  run kubectl delete -f $BATS_TESTS_DIR/nginx-deployment-synck8s-azure.yaml -n negative-test-ns
+  assert_success
+
+  run kubectl delete ns negative-test-ns
+  assert_success
 }

test/bats/vault.bats

@@ -185,7 +185,7 @@ EOF
   [[ "$result" == "hello1" ]]
 
   result=$(kubectl get secret foosecret -o json | jq '.metadata.ownerReferences | length')
-  [[ "$result" == "2" ]]
+  [[ "$result" -eq 2 ]]
 }
 
 @test "Sync with K8s secrets - delete deployment, check secret is deleted" {
@@ -197,7 +197,7 @@ EOF
 
   sleep 20
   result=$(kubectl get secret | grep foosecret | wc -l)
-  [[ "$result" == "0" ]]
+  [[ "$result" -eq 0 ]]
 }
 
 @test "Test Namespaced scope SecretProviderClass - create deployment" {
@@ -238,7 +238,7 @@ EOF
   [[ "$result" == "hello1" ]]
 
   result=$(kubectl get secret -n test-ns foosecret -o json | jq '.metadata.ownerReferences | length')
-  [[ "$result" == "2" ]]
+  [[ "$result" -eq 2 ]]
 }
 
 @test "Test Namespaced scope SecretProviderClass - Sync with K8s secrets - delete deployment, check secret deleted" {
@@ -247,5 +247,23 @@ EOF
   sleep 20
 
   result=$(kubectl get secret -n test-ns | grep foosecret | wc -l)
-  [[ "$result" -eq "0" ]]
+  [[ "$result" -eq 0 ]]
+}
+
+@test "Test Namespaced scope SecretProviderClass - Should fail when no secret provider class in same namespace" {
+  run kubectl create ns negative-test-ns
+  assert_success
+
+  envsubst < $BATS_TESTS_DIR/nginx-deployment-synck8s.yaml | kubectl apply -n negative-test-ns -f -
+  sleep 5
+
+  POD=$(kubectl get pod -l app=nginx -n negative-test-ns -o jsonpath="{.items[0].metadata.name}")
+  cmd="kubectl describe pod $POD -n negative-test-ns | grep 'FailedMount.*failed to get secretproviderclass negative-test-ns/vault-foo-sync.*not found'"
+  wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
+
+  run kubectl delete -f $BATS_TESTS_DIR/nginx-deployment-synck8s.yaml -n negative-test-ns
+  assert_success
+
+  run kubectl delete ns negative-test-ns
+  assert_success
 }