Use Vault NewTestServer in suite_test.go
Signed-off-by: Somtochi Onyekwere <[email protected]>
somtochiama committed May 23, 2022
1 parent d49d7ca commit 22cb2b8
Showing 3 changed files with 53 additions and 60 deletions.
10 changes: 9 additions & 1 deletion controllers/kustomization_decryptor_test.go
Expand Up @@ -60,9 +60,17 @@ func TestKustomizationReconciler_Decryptor(t *testing.T) {

cli, err := api.NewClient(api.DefaultConfig())
g.Expect(err).NotTo(HaveOccurred(), "failed to create vault client")
cli.SetToken(os.Getenv("VAULT_TOKEN"))

enginePath := "sops"
err = cli.Sys().Mount(enginePath, &api.MountInput{
Type: "transit",
Description: "backend transit used by SOPS",
})
g.Expect(err).NotTo(HaveOccurred(), "failed to mount transit on engine path")
// create a master key on the vault transit engine
path, data := "sops/keys/firstkey", map[string]interface{}{"type": "rsa-4096"}

_, err = cli.Logical().Write(path, data)
g.Expect(err).NotTo(HaveOccurred(), "failed to write key")

Expand Down Expand Up @@ -127,7 +135,7 @@ func TestKustomizationReconciler_Decryptor(t *testing.T) {
StringData: map[string]string{
"pgp.asc": string(pgpKey),
"age.agekey": string(ageKey),
"sops.vault-token": "secret",
"sops.vault-token": os.Getenv("VAULT_TOKEN"),
},
}

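Review bot: The client setup at the top of the first hunk authenticates with `os.Getenv("VAULT_TOKEN")` and the `sops.vault-token` entry in the second hunk embeds the same value, but nothing in this test checks that the variable is actually set; if the suite did not export it, the failure would most likely surface later as a permission error from the `Mount` call rather than as a clear message. A guard before `cli.SetToken`, `g.Expect(os.Getenv("VAULT_TOKEN")).NotTo(BeEmpty(), "VAULT_TOKEN not exported by the test suite")`, names the real cause. The token now reaches the test through the process environment rather than a package variable, presumably because `createVaultTestInstance` in suite_test.go sets it, so a one-line comment above `cli.SetToken` saying where the value comes from would spare the next reader the cross-file search. TestKustomizationReconciler_Decryptor starts before the first hunk and continues past the second.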
71 changes: 34 additions & 37 deletions controllers/suite_test.go
Expand Up @@ -37,8 +37,10 @@ import (
"github.com/fluxcd/pkg/runtime/testenv"
"github.com/fluxcd/pkg/testserver"
sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
"github.com/hashicorp/vault/api"
"github.com/ory/dockertest"
vaulttransit "github.com/hashicorp/vault/builtin/logical/transit"
vaulthttp "github.com/hashicorp/vault/http"
"github.com/hashicorp/vault/sdk/logical"
"github.com/hashicorp/vault/vault"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
Expand Down Expand Up @@ -121,12 +123,12 @@ func runInContext(registerControllers func(*testenv.Environment), run func() err
}

// Create a Vault test instance.
pool, resource, err := createVaultTestInstance()
cluster, err := createVaultTestInstance()
if err != nil {
panic(fmt.Sprintf("Failed to create Vault instance: %v", err))
}
defer func() {
pool.Purge(resource)
cluster.Cleanup()
}()

runErr := run()
Expand Down Expand Up @@ -374,44 +376,39 @@ func createArtifact(artifactServer *testserver.ArtifactServer, fixture, path str
return fmt.Sprintf("%x", h.Sum(nil)), nil
}

func createVaultTestInstance() (*dockertest.Pool, *dockertest.Resource, error) {
// uses a sensible default on windows (tcp/http) and linux/osx (socket)
pool, err := dockertest.NewPool("")
if err != nil {
return nil, nil, fmt.Errorf("Could not connect to docker: %s", err)
func createVaultTestInstance() (*vault.TestCluster, error) {
// this is set to prevent "certificate signed by unknown authority" errors
os.Setenv("VAULT_SKIP_VERIFY", "true")
os.Setenv("VAULT_INSECURE", "true")
t := &testing.T{}
coreConfig := &vault.CoreConfig{
LogicalBackends: map[string]logical.Factory{
"transit": vaulttransit.Factory,
},
}
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
HandlerFunc: vaulthttp.Handler,
NumCores: 1,
})
cluster.Start()

if err := vault.TestWaitActiveWithError(cluster.Cores[0].Core); err != nil {
return nil, fmt.Errorf("test core not active: %s", err)
}

testClient := cluster.Cores[0].Client

// pulls an image, creates a container based on it and runs it
resource, err := pool.Run("vault", vaultVersion, []string{"VAULT_DEV_ROOT_TOKEN_ID=secret"})
status, err := testClient.Sys().InitStatus()
if err != nil {
return nil, nil, fmt.Errorf("Could not start resource: %s", err)
return nil, fmt.Errorf("cannot checking Vault client status: %s", err)
}
if status != true {
return nil, fmt.Errorf("waiting on Vault server to become ready")
}

os.Setenv("VAULT_ADDR", fmt.Sprintf("http://127.0.0.1:%v", resource.GetPort("8200/tcp")))
os.Setenv("VAULT_TOKEN", "secret")
os.Setenv("VAULT_ADDR", testClient.Address())
os.Setenv("VAULT_TOKEN", testClient.Token())
// exponential backoff-retry, because the application in the container might not be ready to accept connections yet
if err := pool.Retry(func() error {
cli, err := api.NewClient(api.DefaultConfig())
if err != nil {
return fmt.Errorf("Cannot create Vault Client: %w", err)
}
status, err := cli.Sys().InitStatus()
if err != nil {
return err
}
if status != true {
return fmt.Errorf("Vault not ready yet")
}
if err := cli.Sys().Mount("sops", &api.MountInput{
Type: "transit",
}); err != nil {
return fmt.Errorf("Cannot create Vault Transit Engine: %w", err)
}

return nil
}); err != nil {
return nil, nil, fmt.Errorf("Could not connect to docker: %w", err)
}

return pool, resource, nil
return cluster, nil
}
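Review bot: `t := &testing.T{}` in createVaultTestInstance hands a zero-value stdlib testing.T to `vault.NewTestCluster`, so a failure inside the helper would be reported through t.Fatal rather than the function's `error` result, and on a bare testing.T that ends in runtime.Goexit — runInContext would never reach its `panic(fmt.Sprintf("Failed to create Vault instance: %v", err))`; I am inferring how the helper reports failure, so confirm against the vendored version, and the same pattern already exists in keysource_test.go's TestMain. Since that cannot be turned into a returned error cheaply, at least state it: `// a zero-value testing.T cannot report back as an error: a t.Fatal inside NewTestCluster ends this goroutine instead of reaching the caller`. Two messages in the new lines also read wrong: `cannot checking Vault client status` (here and again in keysource_test.go) and `waiting on Vault server to become ready`, which now describes a wait that no longer happens because the retry loop was removed; `return nil, fmt.Errorf("checking Vault init status: %w", err)` and `return nil, fmt.Errorf("Vault test cluster reports not initialized")` say what actually failed, and `status != true` is simply `!status`. Setting `VAULT_SKIP_VERIFY` turns off certificate verification for every Vault client in the test binary; if the cluster exposes its CA bundle (the TestCluster type has a `CACertPEMFile` field in the versions I know), exporting `VAULT_CACERT` pointed at it keeps verification on.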
32 changes: 10 additions & 22 deletions internal/sops/hcvault/keysource_test.go
Expand Up @@ -39,6 +39,7 @@ var (
// make use of the various `test*` variables.
func TestMain(m *testing.M) {
// this is set to prevent "certificate signed by unknown authority" errors
os.Setenv("VAULT_SKIP_VERIFY", "true")
os.Setenv("VAULT_INSECURE", "true")
t := &testing.T{}
coreConfig := &vault.CoreConfig{
Expand All @@ -56,32 +57,19 @@ func TestMain(m *testing.M) {
logger.Fatalf("test core not active: %s", err)
}

api.DefaultConfig()
testClient := cluster.Cores[0].Client
testVaultToken = testClient.Token()
testVaultAddress = testClient.Address()

// Wait until Vault is ready to serve requests
if err := func() error {
cfg := api.DefaultConfig()
cfg.Address = testVaultAddress
cli, err := api.NewClient(cfg)
cli.SetToken(testClient.Token())
if err != nil {
return fmt.Errorf("cannot create Vault client: %w", err)
}
status, err := cli.Sys().InitStatus()
if err != nil {
return err
}
if status != true {
return fmt.Errorf("waiting on Vault server to become ready")
}
return nil
}(); err != nil {
logger.Fatalf("could not connect to local vault server: %s", err)
status, err := testClient.Sys().InitStatus()
if err != nil {
logger.Fatalf("cannot checking Vault client status: %s", err)
}
if status != true {
logger.Fatal("waiting on Vault server to become ready")
}

testVaultToken = testClient.Token()
testVaultAddress = testClient.Address()

if err := enableVaultTransit(testVaultAddress, testVaultToken, testEnginePath); err != nil {
logger.Fatalf("could not enable Vault transit: %s", err)
}
