Skip to content

Commit

Permalink
test: error handling for arc conformance (#799)
Browse files Browse the repository at this point in the history 
* feat: implements outbound proxy support for arc extension (#695)

* feat: implements outbound proxy support for arc extension

Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>

* chore: adds additional error handling

Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>

* feat: setup Kubeconfig

Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>

* chore: updates file path

Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>

* chore: fixes shell check errors

Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>

* chore: adds log statement

Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>

* chore: fixes typo

Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>

* fix: updates plugin name to start with azure-arc to prevent early cleanup.

Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>

* chore: adds logs

Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>

* chore: addresess review comments

Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>

* chore: fix typo

Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>

* chore: upadates plugin image

Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
  • Loading branch information
@nilekhc
nilekhc authored Feb 24, 2022
1 parent d0be43d commit 20ddcf7
Show file tree
Hide file tree
Showing 2 changed files with 50 additions and 4 deletions.
50 changes: 48 additions & 2 deletions arc/conformance/plugin/arc_conformance.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,11 +48,13 @@ setEnviornmentVariables() {
# initialize keyvault for conformance test
setupKeyVault() {
# create resource group
echo "INFO: Creating resource group $keyvault_resource_group"
az group create \
--name "$keyvault_resource_group" \
--location "$keyvault_location" 2> "${results_dir}"/error || python3 /arc/setup_failure_handler.py

# create keyvault
echo "INFO: Creating key vault $keyvault_name"
az keyvault create \
--name "$keyvault_name" \
--resource-group "$keyvault_resource_group" \
Expand All @@ -61,6 +63,7 @@ setupKeyVault() {
export KEYVAULT_NAME=$keyvault_name

# set access policy for keyvault
echo "INFO: Setting up key vault access policies"
az keyvault set-policy \
--name "$keyvault_name" \
--resource-group "$keyvault_resource_group" \
Expand All @@ -70,6 +73,7 @@ setupKeyVault() {
--certificate-permissions get create import 2> "${results_dir}"/error || python3 /arc/setup_failure_handler.py

# create keyvault secret
echo "INFO: Creating secret in key vault"
secret_value=$(openssl rand -hex 6)
az keyvault secret set \
--vault-name "$keyvault_name" \
Expand All @@ -79,6 +83,7 @@ setupKeyVault() {
export SECRET_VALUE=$secret_value

# create keyvault key
echo "INFO: Creating keys in key vault"
# RSA key
key_name=key1
az keyvault key create \
Expand Down Expand Up @@ -115,6 +120,7 @@ setupKeyVault() {


# create keyvault certificate
echo "INFO: Importing certificates in key vault"
# PEM and PKCS12 certificates
step certificate create test.domain.com test.crt test.key \
--profile self-signed \
Expand Down Expand Up @@ -155,6 +161,33 @@ setupKeyVault() {
--file testec.pfx 2> "${results_dir}"/error || python3 /arc/setup_failure_handler.py
}

# setup kubeconfig for conformance test
setupKubeConfig() {
KUBECTL_CONTEXT=azure-arc-akv-test
APISERVER=https://kubernetes.default.svc/
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt > ca.crt

kubectl config set-cluster ${KUBECTL_CONTEXT} \
--embed-certs=true \
--server=${APISERVER} \
--certificate-authority=./ca.crt 2> "${results_dir}"/error || python3 /arc/setup_failure_handler.py

kubectl config set-credentials ${KUBECTL_CONTEXT} --token="${TOKEN}" 2> "${results_dir}"/error || python3 /arc/setup_failure_handler.py

# Delete previous rolebinding if exists. And ignore the error if not found.
kubectl delete clusterrolebinding clusterconnect-binding --ignore-not-found
kubectl create clusterrolebinding clusterconnect-binding --clusterrole=cluster-admin --user="${OBJECT_ID}" 2> "${results_dir}"/error || python3 /arc/setup_failure_handler.py

kubectl config set-context ${KUBECTL_CONTEXT} \
--cluster=${KUBECTL_CONTEXT} \
--user=${KUBECTL_CONTEXT} \
--namespace=default 2> "${results_dir}"/error || python3 /arc/setup_failure_handler.py

kubectl config use-context ${KUBECTL_CONTEXT} 2> "${results_dir}"/error || python3 /arc/setup_failure_handler.py
echo "INFO: KubeConfig setup complete"
}

# validate enviorment variables
if [ -z "${TENANT_ID}" ]; then
echo "ERROR: parameter TENANT_ID is required." > "${results_dir}"/error
Expand Down Expand Up @@ -186,6 +219,12 @@ if [ -z "${ARC_CLUSTER_RG}" ]; then
python3 /arc/setup_failure_handler.py
fi

# OBJECT_ID is an id of the Service Principal created in conformance test subscription.
if [ -z "${OBJECT_ID}" ]; then
echo "ERROR: parameter OBJECT_ID is required." > "${results_dir}"/error
python3 /arc/setup_failure_handler.py
fi

# add az cli extensions
az extension add --name aks-preview
az extension add --name k8s-extension
Expand All @@ -204,14 +243,20 @@ setEnviornmentVariables
# setup keyvault
setupKeyVault

# setup Kubeconfig
setupKubeConfig

# wait for resources in ARC namespace
waitSuccessArc="$(waitForResources deployment azure-arc)"
if [ "${waitSuccessArc}" == false ]; then
echo "ERROR: deployment is not avilable in namespace - azure-arc" > "${results_dir}"/error
echo "ERROR: deployment is not available in namespace - azure-arc" > "${results_dir}"/error
python3 /arc/setup_failure_handler.py
exit 1
else
echo "INFO: resources are available in namespace - azure-arc"
fi

echo "INFO: Creating extension"
az k8s-extension create \
--name arc-akv-conformance \
--extension-type Microsoft.AzureKeyVaultSecretsProvider \
Expand All @@ -223,7 +268,7 @@ az k8s-extension create \
--release-namespace kube-system \
--configuration-settings 'secrets-store-csi-driver.enableSecretRotation=true' \
'secrets-store-csi-driver.rotationPollInterval=30s' \
'secrets-store-csi-driver.syncSecret.enabled=true'
'secrets-store-csi-driver.syncSecret.enabled=true' 2> "${results_dir}"/error || python3 /arc/setup_failure_handler.py

# wait for secrets store csi driver and provider pods
kubectl wait pod -n kube-system --for=condition=Ready -l app=secrets-store-csi-driver
Expand All @@ -232,6 +277,7 @@ kubectl wait pod -n kube-system --for=condition=Ready -l app=csi-secrets-store-p
/arc/e2e -ginkgo.v -ginkgo.skip="${GINKGO_SKIP}" -ginkgo.focus="${GINKGO_FOCUS}"

# clean up test resources
echo "INFO: cleaning up test resources"
az k8s-extension delete \
--name arc-akv-conformance \
--resource-group "${ARC_CLUSTER_RG}" \
Expand Down
4 changes: 2 additions & 2 deletions arc/conformance/plugin/conformance.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
sonobuoy-config:
driver: Job
plugin-name: akv-secrets-provider-arc-conformance
plugin-name: azure-arc-akv-secrets-provider
result-format: junit
spec:
image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure-arc-conformance:v1.0.0
image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure-arc-conformance:v1.0.1
imagePullPolicy: IfNotPresent
name: plugin
resources: {}
Expand Down

0 comments on commit 20ddcf7

Please sign in to comment.