test: error handling for arc conformance

arc/conformance/plugin/arc_conformance.sh

@@ -48,11 +48,13 @@ setEnviornmentVariables() {
 # initialize keyvault for conformance test
 setupKeyVault() {
   # create resource group
+  echo "INFO: Creating resource group $keyvault_resource_group"
   az group create \
   --name "$keyvault_resource_group" \
   --location "$keyvault_location" 2> "${results_dir}"/error || python3 /arc/setup_failure_handler.py
 
   # create keyvault
+  echo "INFO: Creating key vault $keyvault_name"
   az keyvault create \
   --name "$keyvault_name" \
   --resource-group "$keyvault_resource_group" \
@@ -61,6 +63,7 @@ setupKeyVault() {
   export KEYVAULT_NAME=$keyvault_name
 
   # set access policy for keyvault
+  echo "INFO: Setting up key vault access policies"
   az keyvault set-policy \
   --name "$keyvault_name" \
   --resource-group "$keyvault_resource_group" \
@@ -70,6 +73,7 @@ setupKeyVault() {
   --certificate-permissions get create import 2> "${results_dir}"/error || python3 /arc/setup_failure_handler.py
 
   # create keyvault secret
+  echo "INFO: Creating secret in key vault"
   secret_value=$(openssl rand -hex 6)
   az keyvault secret set \
   --vault-name "$keyvault_name" \
@@ -79,6 +83,7 @@ setupKeyVault() {
   export SECRET_VALUE=$secret_value
 
   # create keyvault key
+  echo "INFO: Creating keys in key vault"
   # RSA key
   key_name=key1
   az keyvault key create \
@@ -115,6 +120,7 @@ setupKeyVault() {
 
 
   # create keyvault certificate
+  echo "INFO: Importing certificates in key vault"
   # PEM and PKCS12 certificates
   step certificate create test.domain.com test.crt test.key \
   --profile self-signed \
@@ -155,6 +161,33 @@ setupKeyVault() {
   --file testec.pfx 2> "${results_dir}"/error || python3 /arc/setup_failure_handler.py
 }
 
+# setup kubeconfig for conformance test
+setupKubeConfig() {
+  KUBECTL_CONTEXT=azure-arc-akv-test
+  APISERVER=https://kubernetes.default.svc/
+  TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+  cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt > ca.crt
+
+  kubectl config set-cluster ${KUBECTL_CONTEXT} \
+    --embed-certs=true \
+    --server=${APISERVER} \
+    --certificate-authority=./ca.crt 2> "${results_dir}"/error || python3 /arc/setup_failure_handler.py
+
+  kubectl config set-credentials ${KUBECTL_CONTEXT} --token="${TOKEN}" 2> "${results_dir}"/error || python3 /arc/setup_failure_handler.py
+
+  # Delete previous rolebinding if exists. And ignore the error if not found.
+  kubectl delete clusterrolebinding clusterconnect-binding --ignore-not-found
+  kubectl create clusterrolebinding clusterconnect-binding --clusterrole=cluster-admin --user="${OBJECT_ID}" 2> "${results_dir}"/error || python3 /arc/setup_failure_handler.py
+
+  kubectl config set-context ${KUBECTL_CONTEXT} \
+    --cluster=${KUBECTL_CONTEXT} \
+    --user=${KUBECTL_CONTEXT} \
+    --namespace=default 2> "${results_dir}"/error || python3 /arc/setup_failure_handler.py
+
+  kubectl config use-context ${KUBECTL_CONTEXT} 2> "${results_dir}"/error || python3 /arc/setup_failure_handler.py
+  echo "INFO: KubeConfig setup complete"
+}
+
 # validate enviorment variables
 if [ -z "${TENANT_ID}" ]; then
   echo "ERROR: parameter TENANT_ID is required." > "${results_dir}"/error
@@ -186,6 +219,12 @@ if [ -z "${ARC_CLUSTER_RG}" ]; then
   python3 /arc/setup_failure_handler.py
 fi
 
+# OBJECT_ID is an id of the Service Principal created in conformance test subscription.
+if [ -z "${OBJECT_ID}" ]; then
+  echo "ERROR: parameter OBJECT_ID is required." > "${results_dir}"/error
+  python3 /arc/setup_failure_handler.py
+fi
+
 # add az cli extensions 
 az extension add --name aks-preview
 az extension add --name k8s-extension
@@ -204,14 +243,20 @@ setEnviornmentVariables
 # setup keyvault
 setupKeyVault
 
+# setup Kubeconfig
+setupKubeConfig
+
 # wait for resources in ARC namespace
 waitSuccessArc="$(waitForResources deployment azure-arc)"
 if [ "${waitSuccessArc}" == false ]; then
-    echo "ERROR: deployment is not avilable in namespace - azure-arc" > "${results_dir}"/error
+    echo "ERROR: deployment is not available in namespace - azure-arc" > "${results_dir}"/error
     python3 /arc/setup_failure_handler.py
     exit 1
+else
+    echo "INFO: resources are available in namespace - azure-arc"
 fi
 
+echo "INFO: Creating extension"
 az k8s-extension create \
       --name arc-akv-conformance \
       --extension-type Microsoft.AzureKeyVaultSecretsProvider \
@@ -223,7 +268,7 @@ az k8s-extension create \
       --release-namespace kube-system \
       --configuration-settings 'secrets-store-csi-driver.enableSecretRotation=true' \
         'secrets-store-csi-driver.rotationPollInterval=30s' \
-        'secrets-store-csi-driver.syncSecret.enabled=true'
+        'secrets-store-csi-driver.syncSecret.enabled=true' 2> "${results_dir}"/error || python3 /arc/setup_failure_handler.py
 
 # wait for secrets store csi driver and provider pods
 kubectl wait pod -n kube-system --for=condition=Ready -l app=secrets-store-csi-driver
@@ -232,6 +277,7 @@ kubectl wait pod -n kube-system --for=condition=Ready -l app=csi-secrets-store-p
 /arc/e2e -ginkgo.v -ginkgo.skip="${GINKGO_SKIP}" -ginkgo.focus="${GINKGO_FOCUS}"
 
 # clean up test resources
+echo "INFO: cleaning up test resources" 
 az k8s-extension delete \
   --name arc-akv-conformance \
   --resource-group "${ARC_CLUSTER_RG}" \

arc/conformance/plugin/conformance.yaml

@@ -1,9 +1,9 @@
 sonobuoy-config:
   driver: Job
-  plugin-name: akv-secrets-provider-arc-conformance
+  plugin-name: azure-arc-akv-secrets-provider
   result-format: junit
 spec:
-  image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure-arc-conformance:v1.0.0
+  image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure-arc-conformance:v1.0.1
   imagePullPolicy: IfNotPresent
   name: plugin
   resources: {}