[TEP-0089] SPIRE for non-falsifiable provenance. Setup the test envir…

…onment. This PR is part of a set of PRs to enable non-falsifiable provenance using SPIRE. This PR sets up the environment needed to enable this feature in E2E tests. Note that the SPRIRE flag itself is not enabled, i.e. the feature itself is not enabled. This PR is to test if adding the SPIRE environment does not break anything in E2E tests. Signed-off-by: jagathprakash <31057312+jagathprakash@users.noreply.github.com>
tektoncd · May 3, 2023 · 6844752 · 6844752
1 parent 09d422c
commit 6844752
Show file tree

Hide file tree

Showing 7 changed files with 579 additions and 0 deletions.
diff --git a/test/e2e-common.sh b/test/e2e-common.sh
@@ -48,6 +48,65 @@ function install_pipeline_crd_version() {
   verify_pipeline_installation
 }
 
+function spire_apply() {
+  if [ $# -lt 2 -o "$1" != "-spiffeID" ]; then
+    echo "spire_apply requires a spiffeID as the first arg" >&2
+    exit 1
+  fi
+  show=$(kubectl exec -n spire deployment/spire-server -- \
+    /opt/spire/bin/spire-server entry show $1 $2)
+  if [ "$show" != "Found 0 entries" ]; then
+    # delete to recreate
+    entryid=$(echo "$show" | grep "^Entry ID" | cut -f2 -d:)
+    kubectl exec -n spire deployment/spire-server -- \
+      /opt/spire/bin/spire-server entry delete -entryID $entryid
+  fi
+  kubectl exec -n spire deployment/spire-server -- \
+    /opt/spire/bin/spire-server entry create "$@"
+}
+
+function install_spire() {
+  echo ">> Deploying Spire"
+  DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+
+  echo "Creating SPIRE namespace..."
+  kubectl create ns spire
+
+  echo "Applying SPIFFE CSI Driver configuration..."
+  kubectl apply -f "$DIR"/testdata/spire/spiffe-csi-driver.yaml
+
+  echo "Deploying SPIRE server"
+  kubectl apply -f "$DIR"/testdata/spire/spire-server.yaml
+
+  echo "Deploying SPIRE agent"
+  kubectl apply -f "$DIR"/testdata/spire/spire-agent.yaml
+
+  wait_until_pods_running spire || fail_test "SPIRE did not come up"
+
+  spire_apply \
+    -spiffeID spiffe://example.org/ns/spire/node/example \
+    -selector k8s_psat:cluster:example-cluster \
+    -selector k8s_psat:agent_ns:spire \
+    -selector k8s_psat:agent_sa:spire-agent \
+    -node
+  spire_apply \
+    -spiffeID spiffe://example.org/ns/tekton-pipelines/sa/tekton-pipelines-controller \
+    -parentID spiffe://example.org/ns/spire/node/example \
+    -selector k8s:ns:tekton-pipelines \
+    -selector k8s:pod-label:app:tekton-pipelines-controller \
+    -selector k8s:sa:tekton-pipelines-controller \
+    -admin
+}
+
+function patch_pipline_spire() {
+  kubectl patch \
+      deployment tekton-pipelines-controller \
+      -n tekton-pipelines \
+      --patch-file "$DIR"/testdata/patch/pipeline-controller-spire.json
+
+  verify_pipeline_installation
+}
+
 function verify_pipeline_installation() {
   # Make sure that everything is cleaned up in the current namespace.
   delete_pipeline_resources

diff --git a/test/e2e-tests.sh b/test/e2e-tests.sh
@@ -41,6 +41,22 @@ install_pipeline_crd
 
 failed=0
 
+function add_spire() {
+  local gate="$1"
+  if [ "$gate" != "alpha" ] && [ "$gate" != "stable" ] && [ "$gate" != "beta" ] ; then
+    printf "Invalid gate %s\n" ${gate}
+    exit 255
+  fi
+  if [ "$gate" == "alpha" ] ; then
+    DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+    printf "Setting up environment for alpha features"
+    install_spire
+    patch_pipline_spire
+    kubectl apply -n tekton-pipelines -f "$DIR"/testdata/spire/config-spire.yaml
+    failed=0
+  fi
+}
+
 function set_feature_gate() {
   local gate="$1"
   local resolver="false"
@@ -91,6 +107,7 @@ function run_e2e() {
   fi
 }
 
+add_spire "$PIPELINE_FEATURE_GATE"
 set_feature_gate "$PIPELINE_FEATURE_GATE"
 set_result_extraction_method "$RESULTS_FROM"
 run_e2e

diff --git a/test/testdata/patch/pipeline-controller-spire.json b/test/testdata/patch/pipeline-controller-spire.json
@@ -0,0 +1,57 @@
+{
+    "spec":{
+       "template":{
+          "spec":{
+             "$setElementOrder/containers":[
+                {
+                   "name":"tekton-pipelines-controller"
+                }
+             ],
+             "$setElementOrder/volumes":[
+                {
+                   "name":"config-logging"
+                },
+                {
+                   "name":"config-registry-cert"
+                },
+                {
+                   "name":"spiffe-workload-api"
+                }
+             ],
+             "containers":[
+                {
+                   "$setElementOrder/volumeMounts":[
+                      {
+                         "mountPath":"/etc/config-logging"
+                      },
+                      {
+                         "mountPath":"/etc/config-registry-cert"
+                      },
+                      {
+                         "mountPath":"/spiffe-workload-api"
+                      }
+                   ],
+                   "name":"tekton-pipelines-controller",
+                   "volumeMounts":[
+                      {
+                         "mountPath":"/spiffe-workload-api",
+                         "name":"spiffe-workload-api",
+                         "readOnly":true
+                      }
+                   ]
+                }
+             ],
+             "volumes":[
+                {
+                   "csi":{
+                      "driver":"csi.spiffe.io",
+                      "readOnly":true
+                   },
+                   "name":"spiffe-workload-api"
+                }
+             ]
+          }
+       }
+    }
+ }
+
diff --git a/test/testdata/spire/config-spire.yaml b/test/testdata/spire/config-spire.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-spire
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-pipelines
+data:
+  # spire-trust-domain specifies the SPIRE trust domain to use.
+  spire-trust-domain: "example.org"
+  # spire-socket-path specifies the SPIRE agent socket for SPIFFE workload API.
+  spire-socket-path: "unix:///spiffe-workload-api/spire-agent.sock"
+  # spire-server-addr specifies the SPIRE server address for workload/node registration.
+  spire-server-addr: "spire-server.spire.svc.cluster.local:8081"
+  # spire-node-alias-prefix specifies the SPIRE node alias prefix to use.
+  spire-node-alias-prefix: "/tekton-node/"
diff --git a/test/testdata/spire/spiffe-csi-driver.yaml b/test/testdata/spire/spiffe-csi-driver.yaml
@@ -0,0 +1,20 @@
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+  name: "csi.spiffe.io"
+spec:
+  # Only ephemeral, inline volumes are supported. There is no need for a
+  # controller to provision and attach volumes.
+  attachRequired: false
+
+  # Request the pod information which the CSI driver uses to verify that an
+  # ephemeral mount was requested.
+  podInfoOnMount: true
+
+  # Don't change ownership on the contents of the mount since the Workload API
+  # Unix Domain Socket is typically open to all (i.e. 0777).
+  fsGroupPolicy: None
+
+  # Declare support for ephemeral volumes only.
+  volumeLifecycleModes:
+    - Ephemeral