Added E2E Tests Scenarios for Authorization upgrade (#559)

dell · Oct 15, 2024 · fdf6e36 · fdf6e36
1 parent 25ebf1e
commit fdf6e36
Show file tree

Hide file tree

Showing 5 changed files with 350 additions and 8 deletions.
diff --git a/tests/e2e/steps/steps_def.go b/tests/e2e/steps/steps_def.go
@@ -1125,6 +1125,16 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string,
 		return fmt.Errorf("failed to write admin token: %v\nErrMessage:\n%s", err, string(b))
 	}
 
+	address := proxyHost
+	// For v1.9.1 and earlier, use the old address
+	configVersion := cr.GetModule(csmv1.AuthorizationServer).ConfigVersion
+	isOldVersion, _ := utils.MinVersionCheck(configVersion, "v1.9.1")
+	if isOldVersion {
+		address = "authorization-ingress-nginx-controller.authorization.svc.cluster.local"
+	}
+
+	fmt.Printf("Address: %s\n", address)
+
 	fmt.Println("=== Creating Storage ===\n ")
 	cmd := exec.Command("karavictl",
 		"--admin-token", "/tmp/adminToken.yaml",
@@ -1135,11 +1145,11 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string,
 		"--user", user,
 		"--password", password,
 		"--array-insecure",
-		"--insecure", "--addr", fmt.Sprintf("%s:%s", proxyHost, port),
+		"--insecure", "--addr", fmt.Sprintf("%s:%s", address, port),
 	)
 	fmt.Println("=== Storage === \n", cmd.String())
 	b, err = cmd.CombinedOutput()
-	if err != nil {
+	if err != nil && !strings.Contains(string(b), "is already registered") {
 		return fmt.Errorf("failed to create storage %s: %v\nErrMessage:\n%s", storageType, err, string(b))
 	}
 
@@ -1148,7 +1158,7 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string,
 	cmd = exec.Command("karavictl",
 		"--admin-token", "/tmp/adminToken.yaml",
 		"tenant", "create",
-		"-n", tenantName, "--insecure", "--addr", fmt.Sprintf("%s:%s", proxyHost, port),
+		"-n", tenantName, "--insecure", "--addr", fmt.Sprintf("%s:%s", address, port),
 	)
 	b, err = cmd.CombinedOutput()
 	fmt.Println("=== Tenant === \n", cmd.String())
@@ -1167,7 +1177,7 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string,
 		"role", "create",
 		fmt.Sprintf("--role=%s=%s=%s=%s=%s",
 			roleName, storageType, sysID, pool, quotaLimit),
-		"--insecure", "--addr", fmt.Sprintf("%s:%s", proxyHost, port),
+		"--insecure", "--addr", fmt.Sprintf("%s:%s", address, port),
 	)
 
 	fmt.Println("=== Role === \n", cmd.String())
@@ -1185,7 +1195,7 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string,
 		"rolebinding", "create",
 		"--tenant", tenantName,
 		"--role", roleName,
-		"--insecure", "--addr", fmt.Sprintf("%s:%s", proxyHost, port),
+		"--insecure", "--addr", fmt.Sprintf("%s:%s", address, port),
 	)
 	fmt.Println("=== Binding Role ===\n", cmd.String())
 	b, err = cmd.CombinedOutput()
@@ -1199,7 +1209,7 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string,
 		"--admin-token", "/tmp/adminToken.yaml",
 		"generate", "token",
 		"--tenant", tenantName,
-		"--insecure", "--addr", fmt.Sprintf("%s:%s", proxyHost, port),
+		"--insecure", "--addr", fmt.Sprintf("%s:%s", address, port),
 		"--access-token-expiration", fmt.Sprint(10*time.Minute),
 	)
 	fmt.Println("=== Token ===\n", cmd.String())

diff --git a/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_n_minus_1.yaml b/tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_n_minus_1.yaml
@@ -0,0 +1,73 @@
+apiVersion: storage.dell.com/v1
+kind: ContainerStorageModule
+metadata:
+  name: authorization
+  namespace: authorization
+spec:
+  modules:
+    # Authorization: enable csm-authorization proxy server for RBAC
+    - name: authorization-proxy-server
+      # enable: Enable/Disable csm-authorization
+      enabled: true
+      configVersion: v1.9.1
+      forceRemoveModule: true
+      components:
+      - name: karavi-authorization-proxy-server
+        # enable: Enable/Disable csm-authorization proxy server
+        enabled: true
+        proxyService: dellemc/csm-authorization-proxy:v1.9.1
+        tenantService: dellemc/csm-authorization-tenant:v1.9.1
+        roleService: dellemc/csm-authorization-role:v1.9.1
+        storageService: dellemc/csm-authorization-storage:v1.9.1
+        redis: redis:6.0.8-alpine
+        commander: rediscommander/redis-commander:latest
+        opa: openpolicyagent/opa
+        opaKubeMgmt: openpolicyagent/kube-mgmt:0.11
+        envs:
+          # base hostname for the ingress rules that expose the services
+          # the proxy-server ingress will use this hostname
+          # Allowed values: string
+          # Default value: csm-authorization.com
+          - name: "PROXY_HOST"
+            value: "csm-authorization.com"
+
+          # Proxy-service ingress configuration
+          # Default value: nginx
+          - name: "PROXY_INGRESS_CLASSNAME"
+            value: "nginx"
+          # An additional host rule for the proxy-server ingress
+          # Default value: authorization-ingress-nginx-controller.namespace.svc.cluster.local
+          - name: "PROXY_INGRESS_HOST"
+            value: "authorization-ingress-nginx-controller.authorization.svc.cluster.local"
+
+          # Specify storage class for redis. Otherwise, default storage class is used.
+          # Default value: None
+          - name: "REDIS_STORAGE_CLASS"
+            value: "local-storage"
+
+      # enabled: Enable/Disable nginx ingress
+      # Allowed values:
+      #   true: enable deployment of nginx ingress controller
+      #   false: disable deployment of nginx ingress only if you have your own ingress controller
+      # Default value: true
+      - name: ingress-nginx
+        enabled: true
+
+      # enabled: Enable/Disable cert-manager
+      # Allowed values:
+      #   true: enable deployment of cert-manager
+      #   false: disable deployment of cert-manager only if it's already deployed
+      # Default value: true
+      - name: cert-manager
+        enabled: true
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: csm-config-params
+  namespace: authorization
+data:
+  csm-config-params.yaml: |
+    CONCURRENT_POWERFLEX_REQUESTS: 10
+    LOG_LEVEL: debug
diff --git a/tests/e2e/testfiles/powerflex-templates/powerflex-secret-template.yaml b/tests/e2e/testfiles/powerflex-templates/powerflex-secret-template.yaml
@@ -5,3 +5,5 @@
   skipCertificateValidation: true
   isDefault: true 
   mdm: REPLACE_MDM
+  nasName: "none"
+
diff --git a/tests/e2e/testfiles/storage_csm_powerflex_auth_driver_only_upgrade.yaml b/tests/e2e/testfiles/storage_csm_powerflex_auth_driver_only_upgrade.yaml
@@ -0,0 +1,151 @@
+apiVersion: storage.dell.com/v1
+kind: ContainerStorageModule
+metadata:
+  name: test-vxflexos
+  namespace: test-vxflexos
+spec:
+  driver:
+    csiDriverType: "powerflex"
+    csiDriverSpec:
+      # fsGroupPolicy: Defines if the underlying volume supports changing ownership and permission of the volume before being mounted.
+      # Allowed values: ReadWriteOnceWithFSType, File , None
+      # Default value: ReadWriteOnceWithFSType
+      fSGroupPolicy: "File"
+    configVersion: v2.10.0
+    replicas: 1
+    dnsPolicy: ClusterFirstWithHostNet
+    forceUpdate: false
+    forceRemoveDriver: true
+    common:
+      image: "dellemc/csi-vxflexos:nightly"
+      imagePullPolicy: Always
+      envs:
+        - name: X_CSI_VXFLEXOS_ENABLELISTVOLUMESNAPSHOT
+          value: "false"
+        - name: X_CSI_VXFLEXOS_ENABLESNAPSHOTCGDELETE
+          value: "false"
+        - name: X_CSI_DEBUG
+          value: "true"
+        - name: X_CSI_ALLOW_RWO_MULTI_POD_ACCESS
+          value: "false"
+        # Specify kubelet config dir path.
+        # Ensure that the config.yaml file is present at this path.
+        # Default value: None
+        - name: KUBELET_CONFIG_DIR
+          value: "/var/lib/kubelet"
+        - name: "CERT_SECRET_COUNT"
+          value: "0"
+
+
+    sideCars:
+    # sdc-monitor is disabled by default, due to high CPU usage
+      - name: sdc-monitor
+        enabled: false
+        image: dellemc/sdc:4.5.1
+        envs:
+        - name: HOST_PID
+          value: "1"
+        - name: MDM
+          value: "10.225.109.64,10.225.109.65" #provide MDM value
+
+    # health monitor is disabled by default, refer to driver documentation before enabling it
+    # Also set the env variable controller.envs.X_CSI_HEALTH_MONITOR_ENABLED  to "true".
+      - name: csi-external-health-monitor-controller
+        enabled: false
+        args: ["--monitor-interval=60s"]
+
+    controller:
+      envs:
+        # X_CSI_HEALTH_MONITOR_ENABLED: Enable/Disable health monitor of CSI volumes from Controller plugin - volume condition.
+        # Install the 'external-health-monitor' sidecar accordingly.
+        # Allowed values:
+        #   true: enable checking of health condition of CSI volumes
+        #   false: disable checking of health condition of CSI volumes
+        # Default value: false
+        - name: X_CSI_HEALTH_MONITOR_ENABLED
+          value: "false"
+
+      #"controller.nodeSelector" defines what nodes would be selected for pods of controller deployment
+      # Leave as blank to use all nodes
+      # Allowed values: map of key-value pairs
+      # Default value: None
+      # Examples:
+      #  node-role.kubernetes.io/control-plane: ""
+      nodeSelector:
+      # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint
+      #  node-role.kubernetes.io/master: ""
+      # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint
+      #  node-role.kubernetes.io/control-plane: ""
+
+      # "controller.tolerations" defines tolerations that would be applied to controller deployment
+      # Leave as blank to install controller on worker nodes
+      # Default value: None
+      tolerations:
+      # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint
+      # - key: "node-role.kubernetes.io/master"
+      #   operator: "Exists"
+      #   effect: "NoSchedule"
+      # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint
+      # - key: "node-role.kubernetes.io/control-plane"
+      #   operator: "Exists"
+      #   effect: "NoSchedule"
+
+    node:
+      envs:
+        # X_CSI_HEALTH_MONITOR_ENABLED: Enable/Disable health monitor of CSI volumes from node plugin - volume usage
+        # Allowed values:
+        #   true: enable checking of health condition of CSI volumes
+        #   false: disable checking of health condition of CSI volumes
+        # Default value: false
+        - name: X_CSI_HEALTH_MONITOR_ENABLED
+          value: "false"
+
+      # "node.nodeSelector" defines what nodes would be selected for pods of node daemonset
+      # Leave as blank to use all nodes
+      # Allowed values: map of key-value pairs
+      # Default value: None
+      # Examples:
+      #  node-role.kubernetes.io/control-plane: ""
+      nodeSelector:
+      # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint
+      #  node-role.kubernetes.io/master: ""
+      # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint
+      #  node-role.kubernetes.io/control-plane: ""
+
+      # "node.tolerations" defines tolerations that would be applied to node daemonset
+      # Leave as blank to install node driver only on worker nodes
+      # Default value: None
+      tolerations:
+      # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint
+      # - key: "node-role.kubernetes.io/master"
+      #   operator: "Exists"
+      #   effect: "NoSchedule"
+      # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint
+      # - key: "node-role.kubernetes.io/control-plane"
+      #   operator: "Exists"
+      #   effect: "NoSchedule"
+
+    initContainers:
+      - image: dellemc/sdc:4.5.1
+        imagePullPolicy: IfNotPresent
+        name: sdc
+        envs:
+          - name: MDM
+            value: "10.x.x.x,10.x.x.x"  #provide MDM value
+  modules:
+    # Authorization: enable csm-authorization for RBAC
+    - name: authorization
+      # enable: Enable/Disable csm-authorization
+      enabled: true
+      configVersion: v1.9.1
+      components:
+      - name: karavi-authorization-proxy
+        image: dellemc/csm-authorization-sidecar:v1.9.1
+        envs:
+          # proxyHost: hostname of the csm-authorization server
+          - name: "PROXY_HOST"
+            value: "authorization-ingress-nginx-controller.authorization.svc.cluster.local"
+
+          # skipCertificateValidation: Enable/Disable certificate validation of the csm-authorization server
+          - name: "SKIP_CERTIFICATE_VALIDATION"
+            value: "true"