[KRV-24554] Auth proxy e2e

tests/e2e/go.sum

@@ -139,6 +139,7 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA=
 github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To=
 github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=

tests/e2e/run-e2e-test.sh

@@ -36,7 +36,7 @@ fi
 cp $CERT_CSI .
 
 # Uncomment for authorization proxy server
-#cp $KARAVICTL /usr/local/bin/
+# cp $DELLCTL /usr/local/bin/
 
 PATH=$PATH:$(go env GOPATH)/bin
 
@@ -54,7 +54,7 @@ ginkgo -mod=mod "${OPTS[@]}"
 rm -f cert-csi
 
 # Uncomment for authorization proxy server
-#rm -f /usr/local/bin/karavictl
+# rm -f /usr/local/bin/dellctl
 
 # Checking for test status
 TEST_PASS=$?

tests/e2e/steps/steps_def.go

@@ -1007,31 +1007,14 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string,
 	var err error
 
 	var (
-		endpoint        = ""
-		sysID           = ""
-		user            = ""
-		password        = ""
 		storageType     = ""
-		pool            = ""
 		driverNamespace = ""
 		proxyHost       = ""
 	)
 
-	//by default, use set defined in env file
-	endpointvar := "END_POINT"
-	systemIdvar := "SYSTEM_ID"
-	uservar := "STORAGE_USER"
-	passvar := "STORAGE_PASSWORD"
-	poolvar := "STORAGE_POOL"
-
 	// if tests are running multiple scenarios that require differently configured auth servers, we will not be able to use one set of vars
 	// this section is for powerflex, other drivers can add their sections as required.
 	if driver == "powerflex" {
-		endpointvar = "PFLEX_ENDPOINT"
-		systemIdvar = "PFLEX_SYSTEMID"
-		uservar = "PFLEX_USER"
-		passvar = "PFLEX_PASS"
-		poolvar = "PFLEX_POOL"
 		os.Setenv("STORAGE_TYPE", "powerflex")
 		os.Setenv("DRIVER_NAMESPACE", "test-vxflexos")
 	}
@@ -1041,21 +1024,6 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string,
 		os.Setenv("DRIVER_NAMESPACE", "isilon")
 	}
 	// get env variables
-	if os.Getenv(endpointvar) != "" {
-		endpoint = os.Getenv(endpointvar)
-	}
-	if os.Getenv(systemIdvar) != "" {
-		sysID = os.Getenv(systemIdvar)
-	}
-	if os.Getenv(uservar) != "" {
-		user = os.Getenv(uservar)
-	}
-	if os.Getenv(passvar) != "" {
-		password = os.Getenv(passvar)
-	}
-	if os.Getenv(poolvar) != "" {
-		pool = os.Getenv(poolvar)
-	}
 	if os.Getenv("STORAGE_TYPE") != "" {
 		storageType = os.Getenv("STORAGE_TYPE")
 	}
@@ -1071,7 +1039,7 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string,
 	}
 
 	fmt.Printf("=== Generating Admin Token ===\n")
-	adminTkn := exec.Command("karavictl",
+	adminTkn := exec.Command("dellctl",
 		"admin", "token",
 		"--name", "Admin",
 		"--jwt-signing-secret", "secret",
@@ -1090,16 +1058,8 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string,
 	}
 
 	fmt.Println("=== Creating Storage ===\n ")
-	cmd := exec.Command("karavictl",
-		"--admin-token", "/tmp/adminToken.yaml",
-		"storage", "create",
-		"--type", storageType,
-		"--endpoint", fmt.Sprintf("https://%s", endpoint),
-		"--system-id", sysID,
-		"--user", user,
-		"--password", password,
-		"--array-insecure",
-		"--insecure", "--addr", fmt.Sprintf("%s:%s", proxyHost, port),
+	cmd := exec.Command("kubectl", "apply",
+		"-f", "testfiles/authorization-templates/csm-authorization_v1_storage.yaml",
 	)
 	fmt.Println("=== Storage === \n", cmd.String())
 	b, err = cmd.CombinedOutput()
@@ -1110,10 +1070,8 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string,
 
 	// Create Tenant
 	fmt.Println("=== Creating Tenant ===\n ")
-	cmd = exec.Command("karavictl",
-		"--admin-token", "/tmp/adminToken.yaml",
-		"tenant", "create",
-		"-n", tenantName, "--insecure", "--addr", fmt.Sprintf("%s:%s", proxyHost, port),
+	cmd = exec.Command("kubectl", "apply",
+		"-f", "testfiles/authorization-templates/csm-authorization_v1_csmtenant.yaml",
 	)
 	b, err = cmd.CombinedOutput()
 	fmt.Println("=== Tenant === \n", cmd.String())
@@ -1127,12 +1085,8 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string,
 	if storageType == "powerscale" {
 		quotaLimit = "0"
 	}
-	cmd = exec.Command("karavictl",
-		"--admin-token", "/tmp/adminToken.yaml",
-		"role", "create",
-		fmt.Sprintf("--role=%s=%s=%s=%s=%s",
-			roleName, storageType, sysID, pool, quotaLimit),
-		"--insecure", "--addr", fmt.Sprintf("%s:%s", proxyHost, port),
+	cmd = exec.Command("kubectl", "apply",
+		"-f", "testfiles/authorization-templates/csm-authorization_v1_csmrole.yaml",
 	)
 
 	fmt.Println("=== Role === \n", cmd.String())
@@ -1144,29 +1098,15 @@ func (step *Step) configureAuthorizationProxyServer(res Resource, driver string,
 	// role creation take few seconds
 	time.Sleep(5 * time.Second)
 
-	// Bind role
-	cmd = exec.Command("karavictl",
-		"--admin-token", "/tmp/adminToken.yaml",
-		"rolebinding", "create",
-		"--tenant", tenantName,
-		"--role", roleName,
-		"--insecure", "--addr", fmt.Sprintf("%s:%s", proxyHost, port),
-	)
-	fmt.Println("=== Binding Role ===\n", cmd.String())
-	b, err = cmd.CombinedOutput()
-
-	if err != nil {
-		return fmt.Errorf("failed to create rolebinding %s: %v\nErrMessage:\n%s", roleName, err, string(b))
-	}
-
 	// Generate token
 	fmt.Println("=== Generating token ===\n ")
-	cmd = exec.Command("karavictl",
-		"--admin-token", "/tmp/adminToken.yaml",
+	cmd = exec.Command("dellctl",
 		"generate", "token",
-		"--tenant", tenantName,
-		"--insecure", "--addr", fmt.Sprintf("%s:%s", proxyHost, port),
+		"--admin-token", "/tmp/adminToken.yaml",
 		"--access-token-expiration", fmt.Sprint(10*time.Minute),
+		"--refresh-token-expiration", "48h",
+		"--tenant", "csmtenant-sample",
+		"--insecure", "--addr", fmt.Sprintf("%s:%s", proxyHost, port),
 	)
 	fmt.Println("=== Token ===\n", cmd.String())
 	b, err = cmd.CombinedOutput()

tests/e2e/testfiles/authorization-templates/csm-authorization_v1_csmrole.yaml

@@ -0,0 +1,15 @@
+apiVersion: csm-authorization.storage.dell.com/v1alpha1
+kind: CSMRole
+metadata:
+  labels:
+    app.kubernetes.io/name: role
+    app.kubernetes.io/instance: role-sample
+    app.kubernetes.io/part-of: csm-authorization
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/created-by: csm-authorization
+  name: csmrole-sample
+spec:
+  quota: 0GB
+  systemID: pscale-xyz
+  systemType: powerscale
+  pool: /ifs/data/csi

tests/e2e/testfiles/authorization-templates/csm-authorization_v1_csmtenant.yaml

@@ -0,0 +1,18 @@
+apiVersion: csm-authorization.storage.dell.com/v1alpha1
+kind: CSMTenant
+metadata:
+  labels:
+    app.kubernetes.io/name: csmtenant
+    app.kubernetes.io/instance: csmtenant-sample
+    app.kubernetes.io/part-of: csm-authorization
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/created-by: csm-authorization
+  name: csmtenant-sample
+spec:
+  # TODO(user): Add fields here
+  roles: role1,role2
+  approveSdc: false
+  revoke: false
+  # This prefix is added for each new volume provisioned by the tenant. 
+  # It should not exceed 3 characters. Example: tn1
+  volumePrefix: tn1

tests/e2e/testfiles/authorization-templates/csm-authorization_v1_storage.yaml

@@ -0,0 +1,12 @@
+apiVersion: csm-authorization.storage.dell.com/v1alpha1
+kind: Storage
+metadata:
+  name: powerflex
+spec:
+  type: powerflex
+  endpoint: https://127.0.0.1
+  systemID: 1a99aa999999aa9a
+  credentialStore: vault
+  credentialPath: storage/powerflex
+  skipCertificateValidation: true
+  pollInterval: 30s

tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server.yaml

@@ -42,11 +42,18 @@ spec:
           # enable: Enable/Disable csm-authorization proxy server
           enabled: true
           proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha
+          proxyServiceReplicas: 1
           tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha
+          tenantServiceReplicas: 1
           roleService: dellemc/csm-authorization-role:v2.0.0-alpha
+          roleServiceReplicas: 1
           storageService: dellemc/csm-authorization-storage:v2.0.0-alpha
+          storageServiceReplicas: 1
           opa: openpolicyagent/opa
           opaKubeMgmt: openpolicyagent/kube-mgmt:0.11
+          authorizationController: dellemc/csm-authorization-controller:v2.0.0-alpha
+          authorizationControllerReplicas: 1
+          leaderElection: true
 
           # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates
           # for self-signed certs, leave empty string
@@ -92,6 +99,18 @@ spec:
           vaultRole: csm-authorization
           skipCertificateValidation: true
           kvEnginePath: secret
+          # certificate: base64-encoded certificate for cert/private-key pair -- add cert here to use custom certificates
+          #  for self-signed certs, leave empty string
+          # Allowed values: string
+          certificate: ""
+          # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates
+          #  for self-signed certs, leave empty string
+          # Allowed values: string
+          privateKey: ""
+          # certificateAuthority: base64-encoded certificate authority for validating vault server certificate -- add certificate authority here to use custom certificates
+          #  for self-signed certs, leave empty string
+          # Allowed values: string
+          certificateAuthority: ""
 
 ---
 apiVersion: v1

tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_alt_ns.yaml

@@ -42,11 +42,18 @@ spec:
           # enable: Enable/Disable csm-authorization proxy server
           enabled: true
           proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha
+          proxyServiceReplicas: 1
           tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha
+          tenantServiceReplicas: 1
           roleService: dellemc/csm-authorization-role:v2.0.0-alpha
+          roleServiceReplicas: 1
           storageService: dellemc/csm-authorization-storage:v2.0.0-alpha
+          storageServiceReplicas: 1
           opa: openpolicyagent/opa
           opaKubeMgmt: openpolicyagent/kube-mgmt:0.11
+          authorizationController: dellemc/csm-authorization-controller:v2.0.0-alpha
+          authorizationControllerReplicas: 1
+          leaderElection: true
 
           # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates
           # for self-signed certs, leave empty string
@@ -75,14 +82,36 @@ spec:
               annotations: {}
 
         - name: redis
-          redis: redis:6.0.8-alpine
+          redis: redis:7.2.4-alpine
           commander: rediscommander/redis-commander:latest
           # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis
           # to use a different storage class for redis, specify the name of the storage class
           # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization
           # Default value: None
+          redisName: redis-csm
+          redisCommander: redicommander
+          sentinel: sentinel
+          redisReplicas: 5
           storageclass: ""
 
+        - name: vault
+          vaultAddress: https://10.247.100.22:8400
+          vaultRole: csm-authorization
+          skipCertificateValidation: true
+          kvEnginePath: secret
+          # certificate: base64-encoded certificate for cert/private-key pair -- add cert here to use custom certificates
+          #  for self-signed certs, leave empty string
+          # Allowed values: string
+          certificate: ""
+          # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates
+          #  for self-signed certs, leave empty string
+          # Allowed values: string
+          privateKey: ""
+          # certificateAuthority: base64-encoded certificate authority for validating vault server certificate -- add certificate authority here to use custom certificates
+          #  for self-signed certs, leave empty string
+          # Allowed values: string
+          certificateAuthority: ""
+
 ---
 apiVersion: v1
 kind: ConfigMap

tests/e2e/testfiles/authorization-templates/csm_authorization_proxy_server_default_redis.yaml

@@ -42,11 +42,18 @@ spec:
           # enable: Enable/Disable csm-authorization proxy server
           enabled: true
           proxyService: dellemc/csm-authorization-proxy:v2.0.0-alpha
+          proxyServiceReplicas: 1
           tenantService: dellemc/csm-authorization-tenant:v2.0.0-alpha
+          tenantServiceReplicas: 1
           roleService: dellemc/csm-authorization-role:v2.0.0-alpha
+          roleServiceReplicas: 1
           storageService: dellemc/csm-authorization-storage:v2.0.0-alpha
+          storageServiceReplicas: 1
           opa: openpolicyagent/opa
           opaKubeMgmt: openpolicyagent/kube-mgmt:0.11
+          authorizationController: dellemc/csm-authorization-controller:v2.0.0-alpha
+          authorizationControllerReplicas: 1
+          leaderElection: true
 
           # certificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates
           # for self-signed certs, leave empty string
@@ -75,14 +82,36 @@ spec:
               annotations: {}
 
         - name: redis
-          redis: redis:6.0.8-alpine
+          redis: redis:7.2.4-alpine
           commander: rediscommander/redis-commander:latest
+          redisName: redis-csm
+          redisCommander: redicommander
+          sentinel: sentinel
+          redisReplicas: 5
           # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis
           # to use a different storage class for redis, specify the name of the storage class
           # NOTE: the storage class must NOT be a storage class provisioned by a CSI driver using this installation of CSM Authorization
           # Default value: None
           storageclass: ""
 
+        - name: vault
+          vaultAddress: https://10.0.0.1:8400
+          vaultRole: csm-authorization
+          skipCertificateValidation: true
+          kvEnginePath: secret
+          # certificate: base64-encoded certificate for cert/private-key pair -- add cert here to use custom certificates
+          #  for self-signed certs, leave empty string
+          # Allowed values: string
+          certificate: ""
+          # privateKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates
+          #  for self-signed certs, leave empty string
+          # Allowed values: string
+          privateKey: ""
+          # certificateAuthority: base64-encoded certificate authority for validating vault server certificate -- add certificate authority here to use custom certificates
+          #  for self-signed certs, leave empty string
+          # Allowed values: string
+          certificateAuthority: ""
+
 ---
 apiVersion: v1
 kind: ConfigMap