chore: create e2e test for secureJsonData. (#1496)
Showing
6 changed files
with
257 additions
and
0 deletions.
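--- a/tests/e2e/examples/secureJsonDatasource/00-assertions.yaml
+++ b/tests/e2e/examples/secureJsonDatasource/00-assertions.yaml
@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: grafana-deployment
+ownerReferences:
+- apiVersion: grafana.integreatly.org/v1beta1
+kind: Grafana
+name: grafana
+status:
+availableReplicas: 1
+---
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDatasource
+metadata:
+name: thanos
+spec:
+datasource:
+secureJsonData:
+httpHeaderValue1: 'Bearer ${token}'
+valuesFrom:
+- targetPath: "secureJsonData.httpHeaderValue1"
+valueFrom:
+secretKeyRef:
+name: grafana-instance-sa-token
+key: token
+status:
+uid:
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: thanos-querier
+status:
+availableReplicas: 1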
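Review bot: The `uid:` key under `status:` in the GrafanaDatasource assertion has no value, which YAML parses as null, so from this file alone it is unclear whether the step checks that the operator assigned a UID or checks nothing useful. If the intent is "the datasource has been synced", state it with a comment above the key such as `# uid is expected to be populated once the datasource is synced` and confirm how the assertion engine treats a null expectation; otherwise drop the key. The `httpHeaderValue1: 'Bearer ${token}'` assertion only mirrors the spec that was just applied, so the evidence that the secret value was actually substituted appears to come from the later log check in step-03 rather than from this file.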
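--- a/tests/e2e/examples/secureJsonDatasource/00-resources.yaml
+++ b/tests/e2e/examples/secureJsonDatasource/00-resources.yaml
@@ -0,0 +1,103 @@
+apiVersion: grafana.integreatly.org/v1beta1
+kind: Grafana
+metadata:
+name: grafana
+labels:
+dashboards: "grafana"
+spec:
+config:
+log:
+mode: "console"
+auth:
+disable_login_form: "false"
+security:
+admin_user: root
+admin_password: secret
+deployment:
+spec:
+template:
+spec:
+containers:
+- name: grafana
+image: grafana/grafana:10.4.2 # Not all grafana versions support the API to test the datasource
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: grafana-instance-sa-token
+stringData:
+token: "token-content"
+---
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDatasource
+metadata:
+name: thanos
+spec:
+instanceSelector:
+matchLabels:
+dashboards: "grafana"
+datasource:
+access: proxy
+basicAuth: false
+editable: true
+isDefault: true
+jsonData:
+httpHeaderName1: 'Authorization'
+timeInterval: 5s
+tlsSkipVerify: true
+secureJsonData:
+httpHeaderValue1: 'Bearer ${token}'
+name: Prometheus
+orgId: 1
+type: prometheus
+url: (join('',['http://thanos-querier.',$namespace,'.svc',':8080']))
+valuesFrom:
+- targetPath: "secureJsonData.httpHeaderValue1"
+valueFrom:
+secretKeyRef:
+name: grafana-instance-sa-token
+key: token
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: thanos-querier
+labels:
+app: thanos-querier
+spec:
+selector:
+matchLabels:
+app: thanos-querier
+template:
+metadata:
+labels:
+app: thanos-querier
+spec:
+terminationGracePeriodSeconds: 3
+containers:
+- name: netcat
+image: alpine
+command:
+- sh
+- -c
+- |
+set -eu
+echo "Starting pod"
+while true; do echo -e 'HTTP/1.1 200 OK\n\n{"asdf":"date"}' | nc -l -p 8080; done
+ports:
+- containerPort: 8080
+name: http
+protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: thanos-querier
+spec:
+selector:
+app: thanos-querier
+ports:
+- port: 8080
+name: http
+protocol: TCP
+targetPort: 8080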
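Review bot: The `thanos-querier` container uses `image: alpine` with no tag or digest, so the fixture runs whatever `latest` resolves to at test time, while the Grafana image in the same file is pinned to `10.4.2`; pin it the same way, e.g. `image: alpine:<pinned-tag>`. `tlsSkipVerify: true` has no effect on the plain `http://` URL built on the `url:` line, and because this file sits under `examples/` it is likely to be copied into real datasources, so I would drop it. A comment above `admin_password: secret` and the `token: "token-content"` Secret, such as `# throwaway value for the e2e test only`, would make it clear to readers that these are fixture values.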
@@ -0,0 +1,6 @@ | ||
apiVersion: batch/v1 | ||
kind: Job | ||
metadata: | ||
name: grafana-querier | ||
status: | ||
succeeded: 1 |
@@ -0,0 +1,27 @@ | ||
apiVersion: batch/v1 | ||
kind: Job | ||
metadata: | ||
name: grafana-querier | ||
labels: | ||
app: grafana-querier | ||
spec: | ||
template: | ||
spec: | ||
restartPolicy: Never | ||
containers: | ||
- name: netcat | ||
image: dwdraju/alpine-curl-jq #alpine | ||
env: | ||
- name: BASEURL | ||
value: (join('',['http://root:secret@grafana-service.',$namespace,'.svc',':3000'])) | ||
command: | ||
- sh | ||
- -c | ||
- | | ||
set -eu | ||
sleep 15 | ||
echo "The base URL for grafana: ${BASEURL}" | ||
export DATASOURCE_UID=$(curl -v "${BASEURL}/api/datasources" -H "Accept: application/json" | jq -r '.[0].uid') | ||
echo "Datasource UID: ${DATASOURCE_UID}" | ||
RESULT=$(curl -s "${BASEURL}/api/datasources/uid/${DATASOURCE_UID}/health" -H "Accept: application/json" | jq -r '.') | ||
echo "Result: ${RESULT}" |
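Review bot: The Grafana admin credentials end up in the Job's log: `BASEURL` embeds `root:secret@`, the script prints it with `echo "The base URL for grafana: ${BASEURL}"`, and the first request uses `curl -v`, which writes the request headers, including the Basic `Authorization` header, to stderr. Dropping the echo and replacing `curl -v` with `curl -sf` keeps the output useful without the secret, and passing user and password through separate env vars with `curl -u` would keep them out of the URL as well. The image `dwdraju/alpine-curl-jq` is an untagged third-party image that is handed those credentials, so it should be pinned by tag or digest. Separately, `set -eu` does not cover the left side of a pipeline, so a failed `curl` is masked by `jq` and `DATASOURCE_UID` can silently become `null`.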
@@ -0,0 +1,28 @@ | ||
# Testing GrafanaDatasource secureJsonData | ||
|
||
This test creates a GrafanaDatasource with a reference | ||
to a secret (which is normally created by a serviceAccount) | ||
and makes sure it's inserted correctly into | ||
grafana. | ||
|
||
## Step 00 | ||
|
||
This step creates a number of resources: | ||
- Grafana (to create a new grafana) | ||
- GrafanaDatasource (with secureJsonData and a secret) | ||
- A thanos emulator pod, using netcat, with a service | ||
|
||
## Step 01 | ||
|
||
This step starts a pod which query the grafana to test it's datasource, | ||
which in turn forces the grafana to query thanos. | ||
|
||
## Step 02 | ||
|
||
Verify in the log that grafana is happy with the response from | ||
the datasource. | ||
|
||
## Step 03 | ||
|
||
Verify in the log that grafana sent the authorization header with | ||
the token. |
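--- a/tests/e2e/examples/secureJsonDatasource/chainsaw-test.yaml
+++ b/tests/e2e/examples/secureJsonDatasource/chainsaw-test.yaml
@@ -0,0 +1,59 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+name: secure-json-datasource
+spec:
+concurrent: false
+steps:
+# This starts the grafana and the netcat simulating thanos.
+- name: step-00
+try:
+- apply:
+template: true
+file: 00-resources.yaml
+- assert:
+template: true
+file: 00-assertions.yaml
+# This queries the grafana to trigger a query to the netcat simulating thanos.
+- name: step-01
+try:
+- apply:
+template: true
+file: 01-resources.yaml
+- assert:
+file: 01-assertions.yaml
+# This step verifies that grafana is happy with the datasource
+- name: step-02
+timeouts:
+assert: 5s
+try:
+- script:
+content: 'kubectl logs -n ${namespace} -l job-name=grafana-querier | grep "Result: " -A200 | sed "s|Result:||" | jq -r "."'
+env:
+- name: namespace
+value: ($namespace)
+outputs:
+- name: grafana_response
+value: (json_parse($stdout))
+- assert:
+resource:
+($grafana_response):
+status: OK
+# This step verifies that netcat/thanos got a call with a token
+- name: step-03
+timeouts:
+assert: 5s
+try:
+- script:
+content: 'kubectl logs -n ${namespace} -l app=thanos-querier | grep "^Authorization:" | head -n 1'
+env:
+- name: namespace
+value: ($namespace)
+outputs:
+- name: thanos_request_log
+value: ($stdout)
+- assert:
+resource:
+($thanos_request_log):
+"Authorization: Bearer token-content"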