From 9897db87f4daa67dac14f804a0efa7810508cbb4 Mon Sep 17 00:00:00 2001 From: Rajashekhar Gundeti Date: Thu, 20 Apr 2023 19:23:26 +0530 Subject: [PATCH] Oke 23021 - End to end test cases (#14) * added e2e test cases workflow * refactored github action workflows --- .github/workflows/build-n-push.yaml | 49 +++ .github/workflows/e2e-tests.yaml | 292 ++++++++++++++++++ .github/workflows/release.yaml | 56 +++- .../workflows/{build.yml => unit-tests.yaml} | 14 +- GettingStarted.md | 52 ++++ Makefile | 3 + .../Chart.yaml | 4 +- e2e/example/app.deployment.yaml | 46 +++ e2e/example/secret-provider-class.yaml | 31 ++ e2e/example/user-auth-config-example.yaml | 13 + 10 files changed, 536 insertions(+), 24 deletions(-) create mode 100644 .github/workflows/build-n-push.yaml create mode 100644 .github/workflows/e2e-tests.yaml rename .github/workflows/{build.yml => unit-tests.yaml} (77%) create mode 100644 e2e/example/app.deployment.yaml create mode 100644 e2e/example/secret-provider-class.yaml create mode 100644 e2e/example/user-auth-config-example.yaml diff --git a/.github/workflows/build-n-push.yaml b/.github/workflows/build-n-push.yaml new file mode 100644 index 00000000..f2369973 --- /dev/null +++ b/.github/workflows/build-n-push.yaml 
@@ -0,0 +1,49 @@
+name: BuildnPush
+
+on:
+ workflow_call:
+ inputs:
+ IMAGE_REGISTRY:
+ required: true
+ type: string
+ outputs:
+ IMAGE_PATH:
+ description: "Image Path"
+ value: ${{ jobs.image-build-n-push.outputs.IMAGE_PATH }}
+
+jobs:
+ unit-tests:
+ uses: ./.github/workflows/unit-tests.yaml
+ image-build-n-push:
+ needs: [unit-tests]
+ runs-on: ubuntu-latest
+ name: Builds container image and pushes to registry
+ env:
+ IMAGE_REGISTRY: ${{ inputs.IMAGE_REGISTRY }}
+ outputs:
+ IMAGE_PATH: ${{ steps.print-docker-image-path.outputs.IMAGE_PATH }}
+ steps:
+
+ - name: Checkout
+ uses: actions/checkout@v3.3.0
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v2
+ with:
+ platforms: amd64
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: Log into GitHub Container Registry
+ run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${GITHUB_ACTOR,,} --password-stdin
+
+ - name: Build Image
+ run: IMAGE_REGISTRY="${{ env.IMAGE_REGISTRY }}" make docker-build
+
+ - name: Push Image
+ run: IMAGE_REGISTRY="${{ env.IMAGE_REGISTRY }}" make docker-push
+
+ - name: Print Image Path
+ id: print-docker-image-path
+ run: echo IMAGE_PATH=`IMAGE_REGISTRY="${{ env.IMAGE_REGISTRY }}" make print-docker-image-path` >> $GITHUB_OUTPUT
\ No newline at end of file
diff --git a/.github/workflows/e2e-tests.yaml b/.github/workflows/e2e-tests.yaml
new file mode 100644
index 00000000..b7b56b0f
--- /dev/null
+++ b/.github/workflows/e2e-tests.yaml
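Review bot: The `Log into GitHub Container Registry` step pushes with `secrets.GITHUB_TOKEN`, but the reusable workflow declares no `permissions:` block, so whether the push succeeds — and how much the token can do — depends on the caller repository's default token scope; declare the minimum on the `image-build-n-push` job: `permissions:` / `  contents: read` / `  packages: write`. The three `make` steps re-expand `${{ env.IMAGE_REGISTRY }}` inside `run:` although the job already exports `IMAGE_REGISTRY` via `env:`; a plain `make docker-build` (or `IMAGE_REGISTRY="$IMAGE_REGISTRY"`) avoids splicing expression values into shell text, and the same applies to `${{ secrets.GITHUB_TOKEN }}`, which is better passed through `env:` or `docker/login-action`. `docker/setup-qemu-action@v2` and `docker/setup-buildx-action@v2` are pinned to floating major tags rather than commit SHAs, in a job that holds a package-write token. In `Print Image Path`, `$(...)` is the conventional form of the backtick substitution.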
@@ -0,0 +1,292 @@
+name: E2E Tests
+
+on:
+ pull_request: {}
+ # workflow_run:
+ # workflows: ["BuildnPush"]
+ # types:
+ # - completed
+concurrency: dev_environment
+
+env:
+ OCI_CLI_USER: ${{ secrets.OCI_CLI_USER }}
+ OCI_CLI_TENANCY: ${{ secrets.OCI_CLI_TENANCY }}
+ OCI_CLI_FINGERPRINT: ${{ secrets.OCI_CLI_FINGERPRINT }}
+ OCI_CLI_KEY_CONTENT: ${{ secrets.OCI_CLI_KEY_CONTENT }}
+ OCI_CLI_REGION: ${{ secrets.OCI_CLI_REGION }}
+
+ # OCI_CLUSTER_ID: ${{ vars.CLUSTER_ID }}
+ # OCI_VAULT_ID: ${{ vars.VAULT_ID }}
+ OCI_VAULT_SECRET_VALUE: ${{ vars.VAULT_SECRET_VALUE }}
+# OCI_DEBUG: "--debug"
+
+jobs:
+ build:
+ uses: ./.github/workflows/build-n-push.yaml
+ with:
+ IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY }}
+ secrets: inherit
+ setup-vault:
+ runs-on: ubuntu-latest
+ name: Setup Vault and secrets
+ needs: [ build ]
+ env:
+ OCI_VAULT_ID: ${{ vars.VAULT_ID }}
+ OCI_VAULT_KEY_ID: ${{ vars.VAULT_KEY_ID }}
+ outputs:
+ OCI_VAULT_ID: ${{ env.OCI_VAULT_ID }}
+ OCI_VAULT_KEY_ID: ${{ env.OCI_VAULT_KEY_ID }}
+ VAULT_SECRET_NAME: ${{ vars.SECRET_NAME_PREFIX }}-${{ env.OCI_RANDOM }}
+ VAULT_SECRET_OCID: ${{ steps.extract-secret-ocid.outputs.VAULT_SECRET_OCID }}
+ steps:
+ - name: create env with random
+ id: gen-random
+ run: echo "OCI_RANDOM=${RANDOM}" >> $GITHUB_ENV
+
+ - name: Create vault if doesn't exist
+ if: ${{ vars.USE_EXISTING_VAULT != 'true' }}
+ uses: oracle-actions/run-oci-cli-command@v1.1
+ id: create-vault
+ with:
+ silent: false
+ command: "kms management vault create --compartment-id ${{ vars.COMPARTMENT_ID }} --display-name ${{ vars.VAULT_NAME_PREFIX }}-${{ env.OCI_RANDOM }} --vault-type default"
+ query: "data.id"
+
+ - name: get vault from previous output
+ if: ${{ vars.USE_EXISTING_VAULT != 'true' }}
+ run: echo "OCI_VAULT_ID=${{ steps.create-vault.outputs.raw_output }}" >> $GITHUB_ENV
+
+ - name: create key if doesn't exist
+ if: ${{ vars.USE_EXISTING_VAULT != 'true' }}
+ uses: oracle-actions/run-oci-cli-command@v1.1
+ id: create-vault-key
+ with:
+ silent: false
+ command: "kms management key create --endpoint ${{ vars.VAULT_MGMT_ENDPOINT }} --compartment-id ${{ vars.COMPARTMENT_ID }} --display-name key-${RANDOM} --key-shape '{ \"algorithm\" : \"AES\", \"length\" : 32 }'"
+ query: "data.id"
+
+ - name: create env for key id from create-vault-key output
+ if: ${{ vars.USE_EXISTING_VAULT != 'true' }}
+ run: echo "OCI_VAULT_KEY_ID=${{ steps.create-vault-key.outputs.raw_output }}" >> $GITHUB_ENV
+
+ - name: create secret in vault
+ uses: oracle-actions/run-oci-cli-command@v1.1
+ id: create-secret
+ with:
+ silent: false
+ command: vault secret create-base64 --compartment-id ${{ vars.COMPARTMENT_ID }} --vault-id ${{ env.OCI_VAULT_ID }} --key-id ${{ env.OCI_VAULT_KEY_ID }} --secret-name ${{ vars.SECRET_NAME_PREFIX }}-${{ env.OCI_RANDOM }} --secret-content-content ${{ env.OCI_VAULT_SECRET_VALUE }}"
+# query: "data.id"
+
+ - name: extract secret id
+ id: extract-secret-ocid
+ run: echo VAULT_SECRET_OCID=`echo ${{ steps.create-secret.outputs.output }} | jq -r ".data.id"` >> $GITHUB_OUTPUT
+
+ setup-cluster:
+ runs-on: ubuntu-latest
+ name: Setup Cluster
+ needs: [ build ]
+ env:
+ OCI_CLUSTER_ID: ${{ vars.CLUSTER_ID }}
+ outputs:
+ OCI_CLUSTER_ID: ${{ steps.print-cluster-id.outputs.clusterId }}
+ steps:
+ # - name: create vcn if doesn't exist
+ # - name: get vcn id from previous output or existing var
+ # - name: create cluster
+ # if: ${{ vars.USE_EXISTING_CLUSTER != 'true' }}
+ # uses: oracle-actions/run-oci-cli-command@v1.1
+ # id: create-cluster
+ # with:
+ # silent: false
+ # command: "ce cluster create --compartment-id ${{ vars.COMPARTMENT_ID }}
+ # --vcn-id ${{ vars.VCN_ID }} --kubernetes-version ${{ vars.K8S_VERSION }}
+ # --wait-for-state succeeded"
+ # query: "data.secret-name"
+
+ # - name: create env for key id from create-vault-key output
+ # if: ${{ vars.USE_EXISTING_CLUSTER != 'true' }}
+ # run: echo "OCI_CLUSTER_ID=${{ steps.create-cluster.outputs.raw_output }}" >> $GITHUB_ENV
+
+ # - name: create nodepool
+ # if: ${{ vars.USE_EXISTING_CLUSTER != 'true' }}
+
+ # - name: get kubeconfig
+ # uses: oracle-actions/run-oci-cli-command@v1.1
+ # id: get-kube-config
+ # with:
+ # silent: false
+ # command: "ce cluster create-kubeconfig --cluster-id ${{ env.OCI_CLUSTER_ID }} --file $HOME/.kube/config --region ${{ env.OCI_CLI_REGION }} --token-version 2.0.0 --kube-endpoint PUBLIC_ENDPOINT"
+
+ - name: print cluster id from vars
+ id: print-cluster-id
+ run: echo "clusterId=${{ env.OCI_CLUSTER_ID }}" >> $GITHUB_OUTPUT
+
+ deploy-provider:
+ runs-on: ubuntu-latest
+ name: Deploy Provider
+ needs: [ setup-vault , setup-cluster , build ]
+ env:
+ OCI_VAULT_ID: ${{ needs.setup-vault.outputs.OCI_VAULT_ID }}
+ OCI_VAULT_SECRET_NAME: ${{ needs.setup-vault.outputs.VAULT_SECRET_NAME }}
+ OCI_VAULT_SECRET_OCID: ${{ needs.setup-vault.outputs.VAULT_SECRET_OCID }}
+ OCI_VAULT_SECRET_OCID_1: ${{ needs.setup-vault.outputs.VAULT_SECRET_OCID_1 }}
+ OCI_CLUSTER_ID: ${{ needs.setup-cluster.outputs.OCI_CLUSTER_ID }}
+ PROVIDER_NAMESPACE: ${{ vars.PROVIDER_NAMESPACE }}
+ IMAGE_PATH : ${{ needs.build.outputs.IMAGE_PATH }}
+ outputs:
+ OCI_VAULT_SECRET_NAME: ${{ needs.setup-vault.outputs.VAULT_SECRET_NAME }}
+ OCI_VAULT_SECRET_OCID: ${{ needs.setup-vault.outputs.VAULT_SECRET_OCID }}
+ OCI_CLUSTER_ID: ${{ needs.setup-cluster.outputs.OCI_CLUSTER_ID }}
+ steps:
+ - name: Configure Kubectl
+ uses: oracle-actions/configure-kubectl-oke@v1.3.1
+ id: test-configure-kubectl-oke-action
+ with:
+ cluster: ${{ env.OCI_CLUSTER_ID }}
+
+ - name: test cluster access
+ run: kubectl get nodes -A
+
+ - name: create namespace in the cluster
+ continue-on-error: true
+ run: kubectl create namespace ${{ env.PROVIDER_NAMESPACE }}
+
+ # - name: Install Helm
+ # uses: azure/setup-helm@v3
+
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: split image path into repo and tag
+ id: split-image-path
+ run: |
+ echo PROVIDER_IMAGE_REPO=`echo ${{ env.IMAGE_PATH }} | sed -e "s/:.*$//"` >> $GITHUB_OUTPUT
+ echo PROVIDER_IMAGE_TAG=`echo ${{ env.IMAGE_PATH }} | sed -e "s/.*://"` >> $GITHUB_OUTPUT
+
+ - name: print image values
+ run: |
+ echo ${{ steps.split-image-path.outputs.PROVIDER_IMAGE_REPO }}
+ echo ${{ steps.split-image-path.outputs.PROVIDER_IMAGE_TAG }}
+
+ - name: Deploy Helm chart
+ run: |
+ helm upgrade --install oci-provider charts/oci-secrets-store-csi-driver-provider \
+ --namespace ${{ env.PROVIDER_NAMESPACE }} \
+ --set "provider.image.repository=${{ steps.split-image-path.outputs.PROVIDER_IMAGE_REPO }},provider.image.tag=${{ steps.split-image-path.outputs.PROVIDER_IMAGE_TAG }}"
+
+ - name: list pods
+ run: |
+ kubectl get daemonset --namespace oci-provider \
+ --selector='app.kubernetes.io/name in (oci-secrets-store-csi-driver-provider, secrets-store-csi-driver)'
+
+ - name: update auth file with correct values
+ run: |
+ sed -e 's/region:.*/region: ${{ env.OCI_CLI_REGION }}/' \
+ -e 's/tenancy:.*/tenancy: ${{ env.OCI_CLI_TENANCY }}/' \
+ -e 's/user:.*/user: ${{ env.OCI_CLI_USER }}/' \
+ -e 's/fingerprint:.*/fingerprint: ${{ env.OCI_CLI_FINGERPRINT }}/' e2e/example/user-auth-config-example.yaml > e2e/example/user-auth-config-example.yaml.tmp
+
+ # - name: print updated yaml file
+ # run: cat e2e/example/user-auth-config-example.yaml.tmp
+
+ - name: delete secret if exists
+ continue-on-error: true
+ run: kubectl delete secret oci-config
+
+ - name: create kubernetes secret for user auth config
+ run: |
+ kubectl create secret generic oci-config \
+ --from-file=config=e2e/example/user-auth-config-example.yaml.tmp \
+ --from-literal=private-key="${{ env.OCI_CLI_KEY_CONTENT }}"
+
+ - name: update spc file with correct values
+ run: |
+ sed -e 's/vaultId:.*/vaultId: ${{ env.OCI_VAULT_ID }}/' \
+ -e 's/authType:.*/authType: user/' \
+ -e 's/- name:.*/- name: ${{ env.OCI_VAULT_SECRET_NAME }}/' e2e/example/secret-provider-class.yaml > e2e/example/secret-provider-class.yaml.tmp
+
+ - name: update deployment file with secret name
+ run: |
+ sed -e 's/testingSecretName:.*/testingSecretName: ${{ env.OCI_VAULT_SECRET_NAME }}/' \
+ e2e/example/app.deployment.yaml > e2e/example/app.deployment.yaml.tmp
+
+ - name: print updated yaml file
+ run: cat e2e/example/secret-provider-class.yaml.tmp
+
+ - name: deploy spc
+ run: kubectl apply -f e2e/example/secret-provider-class.yaml.tmp
+
+ - name: deploy workload
+ run: kubectl apply -f e2e/example/app.deployment.yaml.tmp
+
+ - name: Wait for pod to run
+ id: wait-on-pod
+ # run: kubectl wait --for=jsonpath='{.status.phase}'=Running pods/${{ env.POD_NAME }} --timeout=90s
+ run: sleep 90
+
+ - name: Verify pods are running
+ id: pod-names
+ run: kubectl get pods -l testingSecretName=${{ env.OCI_VAULT_SECRET_NAME }} -o='custom-columns=PodName:.metadata.name' --no-headers
+
+ - name: capture pod name into env
+ run: echo "POD_NAME=`kubectl get pods -l testingSecretName=${{ env.OCI_VAULT_SECRET_NAME }} -o='custom-columns=PodName:.metadata.name' --no-headers`" >> $GITHUB_ENV
+
+ - name: print secret value
+ id: print-secret-content
+ run: echo "SECRET_CONTENT=`kubectl exec -it ${{ env.POD_NAME }} -- cat /mnt/secrets-store/${{ env.OCI_VAULT_SECRET_NAME }} 2> /dev/null | base64`" >> $GITHUB_ENV
+
+ # - name: convert to base64
+ # id: convert-to-base64
+ # run: echo -n ${{ steps.print-secret-content.outputs.output }} | base64
+
+ - name: print values
+ run: echo "${{ env.SECRET_CONTENT }} == ${{ env.OCI_VAULT_SECRET_VALUE}}"
+
+ - name: verify value
+ run: if [ "${{ env.SECRET_CONTENT }}" == "${{ env.OCI_VAULT_SECRET_VALUE}}" ]; then exit 0; else exit 1; fi
+
+ # cleanup
+ - name: remove deployment
+ if: ${{ always() }}
+ run: |
+ kubectl delete -f e2e/example/app.deployment.yaml.tmp \
+ -f e2e/example/secret-provider-class.yaml.tmp
+
+ - name: delete secret
+ if: ${{ always() }}
+ run: kubectl delete secret oci-config
+
+ - name: uninstall provider
+ if: ${{ always() }}
+ run: helm uninstall oci-provider -n ${{ env.PROVIDER_NAMESPACE }}
+
+ cleanup:
+ runs-on: ubuntu-latest
+ needs: [deploy-provider]
+ name: Cleanup resources
+ env:
+ OCI_VAULT_SECRET_NAME: ${{ needs.deploy-provider.outputs.OCI_VAULT_SECRET_NAME }}
+ OCI_VAULT_SECRET_OCID: ${{ needs.deploy-provider.outputs.OCI_VAULT_SECRET_OCID }}
+ OCI_CLUSTER_ID: ${{ needs.deploy-provider.outputs.OCI_CLUSTER_ID }}
+ steps:
+ - name: delete cluster
+ if: ${{ vars.USE_EXISTING_CLUSTER != 'true' }}
+ uses: oracle-actions/run-oci-cli-command@v1.1
+ with:
+ command: "ce cluster delete --cluster-id ${{ env.OCI_CLUSTER_ID }} --wait-for-state SUCCEEDED"
+
+ # - name: get secret id
+ # id: get-secret-ocid
+ # uses: oracle-actions/run-oci-cli-command@v1.1
+ # with:
+ # command: "vault secret list --name ${{ env.OCI_VAULT_SECRET_NAME }} --compartment-id ${{ vars.COMPARTMENT_ID }}"
+ # query: data[0].id
+
+ - name: delete secrets
+ uses: oracle-actions/run-oci-cli-command@v1.1
+ with:
+ command: "vault secret schedule-secret-deletion --secret-id ${{ env.OCI_VAULT_SECRET_OCID }}"
+ # - name: delete vcn if created
+ # - name: delete vault if created
\ No newline at end of file
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index ad07f74b..311f04bb 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
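Review bot: The `delete cluster` step in the `cleanup` job runs `ce cluster delete --cluster-id ${{ env.OCI_CLUSTER_ID }}` whenever `vars.USE_EXISTING_CLUSTER` is not exactly `'true'`, yet the only cluster ID this workflow ever carries is `vars.CLUSTER_ID` (the `ce cluster create` path is commented out), so an unset or mistyped variable deletes the shared cluster; gate deletion on a job output that is set only when a cluster was actually created, and note that the vault and key created in `setup-vault` are never cleaned up at all (`# - name: delete vault if created`). The `update auth file` and `create kubernetes secret for user auth config` steps splice `${{ env.OCI_CLI_KEY_CONTENT }}`, `${{ env.OCI_CLI_TENANCY }}` and friends into the shell text by expression expansion, which writes the OCI API private key verbatim into the generated step script on the runner; these values are already exported in the workflow `env`, so reference them as shell variables (rewritten below), and the same applies to every other `${{ env.* }}`/`${{ vars.* }}` inside `run:`. The `print values` step echoes the mounted secret content and the expected value into the job log — drop it and keep only the pass/fail check. The `command:` of `create secret in vault` ends in a `"` with no opening quote, which looks like a typo worth verifying against the action's argument handling. Actions are referenced by floating tags (`@v1.1`, `@v3`, `@v1.3.1`) and no `permissions:` block is declared for a workflow that runs on `pull_request` with `secrets: inherit`.
```yaml
# … unchanged: Deploy Helm chart, list pods …
- name: update auth file with correct values
  run: |
    sed -e "s/region:.*/region: ${OCI_CLI_REGION}/" \
        -e "s/tenancy:.*/tenancy: ${OCI_CLI_TENANCY}/" \
        -e "s/user:.*/user: ${OCI_CLI_USER}/" \
        -e "s/fingerprint:.*/fingerprint: ${OCI_CLI_FINGERPRINT}/" \
        e2e/example/user-auth-config-example.yaml > e2e/example/user-auth-config-example.yaml.tmp
# … unchanged: delete secret if exists …
- name: create kubernetes secret for user auth config
  run: |
    kubectl create secret generic oci-config \
      --from-file=config=e2e/example/user-auth-config-example.yaml.tmp \
      --from-literal=private-key="${OCI_CLI_KEY_CONTENT}"
# … unchanged: spc/deployment templating, apply, wait, pod lookup, secret read …
- name: verify value
  run: |
    if [ "${SECRET_CONTENT}" != "${OCI_VAULT_SECRET_VALUE}" ]; then
      echo "mounted secret content does not match the expected value" >&2
      exit 1
    fi
```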
@@ -8,27 +8,51 @@ on: jobs: build: + uses: ./.github/workflows/build-n-push.yaml + with: + IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY }} + secrets: inherit + image-publish: runs-on: ubuntu-latest + needs: ["build"] env: - IMAGE_REGISTRY: ${{ vars.IMAGE_REGISTRY }} + IMAGE_PATH : ${{ needs.build.outputs.IMAGE_PATH }} steps: - - name: Checkout - uses: actions/checkout@v3.3.0 - - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 - with: - platforms: amd64 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - - name: Log into GitHub Container Registry run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${GITHUB_ACTOR,,} --password-stdin - - name: Build Image - run: IMAGE_REGISTRY="${{ env.IMAGE_REGISTRY }}" make docker-build + - name: split image path into repo and tag + id: split-image-path + run: | + echo PROVIDER_IMAGE_REPO=`echo ${{ env.IMAGE_PATH }} | sed -e "s/:.*$//"` >> $GITHUB_ENV + echo PROVIDER_IMAGE_NEW_TAG=${{ github.ref_name }} >> $GITHUB_ENV + + - name: tag Image with release name + run: | + docker pull ${{ env.IMAGE_PATH }} + docker tag ${{ env.IMAGE_PATH }} ${{ env.PROVIDER_IMAGE_REPO }}:${{ env.PROVIDER_IMAGE_NEW_TAG }} + docker push ${{ env.PROVIDER_IMAGE_REPO }}:${{ env.PROVIDER_IMAGE_NEW_TAG }} - - name: Push Image - run: IMAGE_REGISTRY="${{ env.IMAGE_REGISTRY }}" make docker-push \ No newline at end of file + - name: Checkout + uses: actions/checkout@v3.3.0 + with: + fetch-depth: 0 + + - name: Configure Git + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + + - name: helm release + run: | + git checkout gh-pages + git checkout origin/main charts + sed -i -e 's|repository:.*|repository: ${{ env.PROVIDER_IMAGE_REPO }}|' \ + -e 's|tag:.*|tag: ${{ env.PROVIDER_IMAGE_NEW_TAG }}|' \ + charts/oci-secrets-store-csi-driver-provider/values.yaml + helm package charts/oci-secrets-store-csi-driver-provider -d charts + helm repo index --url 
https://${GITHUB_ACTOR,,}.github.io/oci-secrets-store-csi-driver-provider/charts --merge charts/index.yaml charts + git add charts + git commit -m "Releasing chart version: ${{ github.ref_name }}" + git push -u origin gh-pages \ No newline at end of file diff --git a/.github/workflows/build.yml b/.github/workflows/unit-tests.yaml similarity index 77% rename from .github/workflows/build.yml rename to .github/workflows/unit-tests.yaml index 68f0b883..b8ed7c20 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/unit-tests.yaml @@ -1,22 +1,24 @@ name: Unit Tests on: - pull_request: {} - push: {} + workflow_call: {} + push: + branches-ignore: + - gh-pages jobs: - build: - name: Build + build-binary-n-test: + name: Build Binary locally and run unit tests runs-on: ubuntu-latest steps: - name: Set up Go 1.x uses: actions/setup-go@v2 with: - go-version: 1.17.5 + go-version: 1.19 id: go - name: Check out code into the Go module directory - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: build the binary run: | diff --git a/GettingStarted.md b/GettingStarted.md index e77fbcc7..3b566621 100644 --- a/GettingStarted.md +++ b/GettingStarted.md @@ -28,6 +28,7 @@ The provider is a gRPC server accessible via the Unix domain socket. It's interf * [How to introduce new modules or upgrade existing ones?](#dep-management-vendoring) * [Versioning](#versioning) * [Linter](#linter) + * [CI Setup](#ci-setup) * [Known Issues](#known-issues) * [FAQ](#faq) 
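Review bot: The `helm release` step packages `charts` from `origin/main` (`git checkout origin/main charts`) rather than from the tagged commit the image was built from, so the chart published for a release tag can contain whatever landed on `main` after the tag; `fetch-depth: 0` already fetches the tag, so use `git checkout "$GITHUB_SHA" -- charts`. `helm repo index --url https://${GITHUB_ACTOR,,}.github.io/...` derives the chart repository URL from whoever triggered the release, so a release cut by a different maintainer writes download URLs under that person's Pages domain; use `--url "https://${GITHUB_REPOSITORY_OWNER,,}.github.io/oci-secrets-store-csi-driver-provider/charts"`. The job pushes to `gh-pages` with the checkout token and logs into ghcr.io with `${{ secrets.GITHUB_TOKEN }}`, yet declares no `permissions:` block (`contents: write` and `packages: write` are what these steps need). The promotion step re-tags by pulling `${{ env.IMAGE_PATH }}` by tag rather than by digest, so what is published as the release is whatever that tag points to at the time of the job.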
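Review bot: `go-version: 1.19` is an unquoted YAML float; it survives for 1.19, but the same pattern turns a future `1.20` into `1.2`, so quote it: `go-version: "1.19"`. `actions/setup-go@v2` is left at v2 while `actions/checkout` is bumped to v3 in the same hunk, which reads as an oversight rather than a choice. The `build the binary` step's `run: |` body continues outside the hunk.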
@@ -354,6 +355,57 @@ Here is the tool's [documentation](https://golangci-lint.run/). Since this tool is standalone, the developers have to control the version themselves. > **_NOTE:_** Current version is 1.46.2 + +## CI Setup +GitHub Actions is used to implement Continuous integration pipeline. +Location in the code base: .github/workflows +Github workflows: +1. unit-tests.yaml – Runs unit test cases + * Functionality: + * builds binary + * run unit tests and test coverage reports + * send report to coveralls + + * triggers: + * On pushing a commit + * dependencies: + * None +2. build-n-push.yaml – builds and pushes to image registry + * Functionality: + * builds docker image + * pushes to registry + * triggers: + * on workflow_call from e2e tests and release workflows + * dependencies: + * unit-tests.yaml +3. e2e-tests.yaml – Runs end to end test cases + * Functionality: + * Creates cluster + * Creates Vault and Secrets + * Deploys the provider and sample workload + * Tests mounted contents with in a workload pod + * Cleans up created resources + * triggers: + * on pull request + * dependencies: + * unit-tests.yaml + * build-n-push.yaml + * flow: + E2E Pipeline + +4. release.yaml – Release + * Functionality: + * Tags the docker image with release version + * Releases helm charts + * triggers: + * on creating a release tag + * dependencies: + * unit-tests.yaml + * build-n-push.yaml + * flow: + Release Pipeline + + ## Known Issues diff --git a/Makefile b/Makefile index 0d9ce1c9..d2dddfb4 100644 --- a/Makefile +++ b/Makefile @@ -55,6 +55,9 @@ docker-push: docker-build-push: docker-build docker push ${IMAGE_PATH} +print-docker-image-path: + @echo ${IMAGE_PATH} + test-coverage: go test -coverprofile=cover.out ./… go tool cover -html=cover.out \ No newline at end of file diff --git a/charts/oci-secrets-store-csi-driver-provider/Chart.yaml b/charts/oci-secrets-store-csi-driver-provider/Chart.yaml index 5e106c6c..9cd365a6 100644 
--- a/charts/oci-secrets-store-csi-driver-provider/Chart.yaml
+++ b/charts/oci-secrets-store-csi-driver-provider/Chart.yaml
@@ -7,10 +7,10 @@ apiVersion: v2 name: oci-secrets-store-csi-driver-provider description: OCI Vault provider for the Secrets Store CSI driver. -version: 0.2.5 +version: 0.2.8 type: application -appVersion: "0.9.2" +appVersion: "0.9.4" kubeVersion: ">=1.19.0-0" # CSI Driver 1.2.0 is compatible with K8S 1.19+ dependencies:
diff --git a/e2e/example/app.deployment.yaml b/e2e/example/app.deployment.yaml
new file mode 100644
index 00000000..453e9050
--- /dev/null
+++ b/e2e/example/app.deployment.yaml
@@ -0,0 +1,46 @@
+#
+# OCI Secrets Store CSI Driver Provider
+#
+# Copyright (c) 2022 Oracle America, Inc. and its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+#
+
+# This Deployment is used as a reference example of how to mount secrets into the pod
+# via Secrets Store CSI Driver and OCI Vault Provider.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx
+ labels:
+ app: nginx
+spec:
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ testingSecretName: abc
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:1.21.4-alpine
+ ports:
+ - containerPort: 80
+ resources:
+ limits:
+ memory: 128Mi
+ cpu: 200m
+ volumeMounts:
+ - name: 'some-creds'
+ mountPath: '/mnt/secrets-store' # here are mounted secrets
+ readOnly: true
+ volumes:
+ - name: some-creds
+ csi:
+ driver: 'secrets-store.csi.k8s.io'
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: 'test-oci-provider-class' # here we reference particular SecretProviderClass
\ No newline at end of file
diff --git a/e2e/example/secret-provider-class.yaml b/e2e/example/secret-provider-class.yaml
new file mode 100644
index 00000000..4bd29aa2
--- /dev/null
+++ b/e2e/example/secret-provider-class.yaml
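Review bot: The `nginx` container in the example Deployment has no `securityContext`, so the reference workload that mounts vault secrets runs with privilege escalation allowed and the runtime's default seccomp profile; the settings below can be added without changing the image (they do not require a non-root image, which `nginx:1.21.4-alpine` is not). `testingSecretName: abc` is a placeholder that `e2e-tests.yaml` rewrites with `sed 's/testingSecretName:.*/…/'`, so an inline `# placeholder; e2e-tests.yaml replaces this with the vault secret name` would stop readers treating `abc` as meaningful. The image is pinned by tag only; pinning by digest (`nginx:1.21.4-alpine@sha256:…`) makes the e2e run reproducible.
```yaml
# … unchanged: metadata, selector, template labels …
      containers:
      - name: nginx
        image: nginx:1.21.4-alpine
        securityContext:
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
# … unchanged: ports, resources, volumeMounts, volumes …
```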
@@ -0,0 +1,31 @@
+#
+# OCI Secrets Store CSI Driver Provider
+#
+# Copyright (c) 2022 Oracle America, Inc. and its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+#
+
+# SecretProviderClass is a custom resource to provide driver configurations and
+# provider-specific parameters to the CSI driver.
+#
+# On pod start and restart, the driver will communicate with the provider to retrieve the secret content
+# from the external Secrets Store you have specified in the SecretProviderClass resource.
+#
+# For more information check: https://secrets-store-csi-driver.sigs.k8s.io/getting-started/usage.html
+#
+# This SecretProviderClass is used as a reference example of how to configure the OCI Vault provider.
+# Each SecretProviderClass enumerates secrets to mount into the pod.
+# So, multiple SecretProviderClass resources could exist in a single Kubernetes cluster.
+
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: test-oci-provider-class # SecretProviderClass name is referenced from pod definition
+spec:
+ parameters:
+ authSecretName: oci-config
+ authType: user
+ secrets: |
+ - name: test-secret-12813
+ vaultId: ocid1.vault.oc1..aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+ provider: oci
\ No newline at end of file
diff --git a/e2e/example/user-auth-config-example.yaml b/e2e/example/user-auth-config-example.yaml
new file mode 100644
index 00000000..476914f8
--- /dev/null
+++ b/e2e/example/user-auth-config-example.yaml
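Review bot: The `secrets: |` block is a literal string the provider parses, and `e2e-tests.yaml` rewrites it with `sed 's/- name:.*/…/'` and `s/vaultId:.*/…/`, so any second entry added to this example would be silently renamed to the same secret; a comment on the block should say so: `# e2e-tests.yaml rewrites the single '- name:' and 'vaultId:' lines below; keep exactly one entry here`. `vaultId` is an all-`a` placeholder OCID and `test-secret-12813` a placeholder name, neither marked as such. `authType: user` means the provider authenticates with a long-lived API key held in the `oci-config` Kubernetes Secret named by `authSecretName`; the header should state that this is the e2e/test configuration and that a principal-based auth type, if the provider offers one (this hunk does not show the supported `authType` values), is preferable outside tests.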
@@ -0,0 +1,13 @@
+#
+# OCI Secrets Store CSI Driver Provider
+#
+# Copyright (c) 2022 Oracle America, Inc. and its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+#
+auth:
+ region: us-phoenix-1
+ tenancy: ocid1.tenancy.oc1..aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+ user: ocid1.user.oc1..aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+ # Omit if there is not a password for the key
+ # passphrase: supersecretpassword
+ fingerprint: 12:bf:17:7b:5f:e0:7d:13:75:11:d6:39:0d:e2:84:74
\ No newline at end of file
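Review bot: Nothing marks these values as placeholders, yet `e2e-tests.yaml` overwrites `region:`, `tenancy:`, `user:` and `fingerprint:` with `sed` at run time and supplies the private key separately as the `private-key` entry of the `oci-config` Secret; a header comment should say so: `# Placeholder values: e2e-tests.yaml rewrites region/tenancy/user/fingerprint via sed. The API private key is NOT stored here; it is the 'private-key' entry of the oci-config Secret.` The commented `# passphrase: supersecretpassword` invites someone to uncomment it with a real passphrase in a file that is committed and then packed into a Secret; state explicitly that a real passphrase must never be committed to this file. Because the workflow's `sed` patterns match `user:.*` and the other three keys anywhere on a line, comments added to this file should avoid those four tokens.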