Tests for create-webhook task

khrm · Sep 5, 2019 · 31a03e8 · 31a03e8
1 parent 0a1c86d
commit 31a03e8
Show file tree

Hide file tree

Showing 7 changed files with 192 additions and 6 deletions.
diff --git a/docs/create-webhook-run.yaml b/docs/create-webhook-run.yaml
@@ -8,13 +8,13 @@ spec:
   inputs:
     params:
     - name: CreateCertificate
-      value: "false"
+      value: "true"
     - name: CreateIngress
-      value: "false"
+      value: "true"
     - name: CreateWebhook
       value: "false"
     - name: CreateEventListener
-      value: "false"
+      value: "true"
     - name: EventListenerName
       value: listener
     - name: CertificateKeyPassphrase
@@ -28,12 +28,12 @@ spec:
     - name: GithubRepo
       value: trigger
     - name: GithubSecretName
-      value: ghe-secret
+      value: githubsecret
     - name: GithubUrl
       value: github.com
     - name: TriggerBinding
       value: pipeline-binding
     - name: TriggerTemplate
       value: pipeline-template
   timeout: 1000s
-  serviceAccount: tekton-pipelines-controller
+  serviceAccount: default
diff --git a/docs/create-webhook.yaml b/docs/create-webhook.yaml
@@ -69,7 +69,7 @@ spec:
       openssl genrsa -des3 -out /var/tmp/ingress/key.pem -passout pass:$(inputs.params.CertificateKeyPassphrase) 2048
       openssl req -x509 -new -nodes -key /var/tmp/ingress/key.pem -sha256 -days 1825 -out /var/tmp/ingress/certificate.pem -passin pass:$(inputs.params.CertificateKeyPassphrase) -subj /CN=$(inputs.params.ExternalUrl)
       openssl rsa -in /var/tmp/ingress/key.pem -out /var/tmp/ingress/key.pem -passin pass:$(inputs.params.CertificateKeyPassphrase)
-      kubectl create secret tls $(inputs.params.CertificateSecretName) --cert=/var/tmp/ingress/certificate.pem --key=/var/tmp/ingress/key.pem -n tekton-pipelines
+      kubectl create secret tls $(inputs.params.CertificateSecretName) --cert=/var/tmp/ingress/certificate.pem --key=/var/tmp/ingress/key.pem 
       EOF
   - name: create-ingress
     image: lachlanevenson/k8s-kubectl:latest

diff --git a/docs/createwebhook.md b/docs/createwebhook.md
@@ -43,6 +43,9 @@ This task requires the following permissions to execute.  The clusterrole with t
   - update
 ```
 
+This task always mounts the secret specified in `GithubSecretName`.  It must be created before the task is run.  The contents can be dummy values if the webhook does not need to be created.  
+
+
 ## Task params
 
 These are the task parms to manage the task execution

diff --git a/test/e2e-tests-ingress.sh b/test/e2e-tests-ingress.sh
@@ -0,0 +1,133 @@
+#!/usr/bin/env bash
+
+# Copyright 2019 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+source $(dirname $0)/e2e-common.sh
+
+# Waits until taskrun completed.
+# Parameters: $1 - taskrun name
+function wait_until_taskrun_completed() {
+  echo -e "Waiting until taskrun $1 completed\n"
+  for i in {1..150}; do  # timeout after 5 minutes
+    taskrun_status="$(kubectl get taskrun $1 -o=jsonpath='{.status.conditions[0]}')"
+    match=$(echo $taskrun_status | grep "message:All Steps have completed executing reason:Succeeded status:True type:Succeeded")  || true
+    l=${#match}
+    if [ 0 -ne $l ];
+    then
+      return 0
+    fi
+    sleep 2
+  done
+  echo -e "\n\nERROR: timeout waiting for taskrun successful completion\n"
+  return 1
+}
+
+# Waits until pod started.
+# Parameters: $1 - pod name prefix
+function wait_until_pod_started() {
+  echo -e "Waiting until pod started\n"
+  for i in {1..150}; do  # timeout after 5 minutes
+    pod_status=$(kubectl get pod | grep $1 | grep "Running") || true
+    l=${#pod_status}
+    if [ 0 -ne $l ];
+    then
+      return 0
+    fi
+    sleep 2
+  done
+  echo -e "\n\nERROR: timeout waiting for pod successful start\n"
+  return 1
+}
+
+set -o errexit
+set -o pipefail
+
+# verify if the yaml file is valid
+for op in apply delete;do 
+  kubectl ${op} -f ${REPO_ROOT_DIR}/docs/create-webhook.yaml
+done
+
+# make sure no remaining resources from the previous run
+echo "clean up before start. Ignore (NotFound) errors"
+kubectl delete secret secret1 || true
+kubectl delete eventlistener listener || true
+kubectl delete taskrun create-webhook || true
+kubectl delete secret githubsecret || true
+
+# setup
+kubectl apply -f ${REPO_ROOT_DIR}/test/ingress/ingress-clusterrole.yaml
+kubectl apply -f ${REPO_ROOT_DIR}/test/ingress/ingress-clusterrolebinding.yaml
+kubectl apply -f ${REPO_ROOT_DIR}/docs/create-webhook.yaml
+kubectl create secret generic githubsecret --from-literal=accessToken=ff7d2c2949844f68cb18a68f4febad4454df2336 --from-literal=userName=tektonuser
+
+
+# test
+kubectl apply -f ${REPO_ROOT_DIR}/docs/create-webhook-run.yaml
+wait_until_taskrun_completed create-webhook 
+
+# check certificate
+echo -e "Testing certificate"
+crt=$(kubectl get secret secret1 -o=jsonpath='{.data.tls\.crt}')
+echo $crt | base64 --decode | grep "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-"
+echo $crt | base64 --decode | grep "\-\-\-\-\-END CERTIFICATE\-\-\-\-\-"
+
+key=$(kubectl get secret secret1 -o=jsonpath='{.data.tls\.key}')
+echo $key | base64 --decode | grep "\-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-"
+echo $key | base64 --decode | grep "\-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-"
+echo -e "Certificate is OK"
+
+# check ingress
+svc=$(kubectl get ingress listener -o=jsonpath='{.spec.rules[0].http.paths[0].backend.serviceName}')
+host=$(kubectl get ingress listener -o=jsonpath='{.spec.rules[0].host}')
+tlshost=$(kubectl get ingress listener -o=jsonpath='{.spec.tls[0].hosts[0]}')
+secret=$(kubectl get ingress listener -o=jsonpath='{.spec.tls[0].secretName}')
+if [ $svc != "listener" ] || [ $host != "listener.192.168.0.1.nip.io" ] || [ $tlshost != "listener.192.168.0.1.nip.io" ] || [ $secret != "secret1" ]; then
+  echo -e "unexpected values " "wanted: listener; got:" $svc", wanted: listener.192.168.0.1.nip.io; got:" $host", wanted: listener.192.168.0.1.nip.io; got:" $tlshost", wanted: secret1; got:" $secret
+  exit 1
+fi
+
+# check event listener
+listenername=$(kubectl get eventlistener listener -o=jsonpath='{.metadata.name}')
+bindingname=$(kubectl get eventlistener listener -o=jsonpath='{.spec.triggers[0].binding.name}')
+templatename=$(kubectl get eventlistener listener -o=jsonpath='{.spec.triggers[0].template.name}')
+if [ $listenername != "listener" ] || [ $bindingname != "pipeline-binding" ] || [ $templatename != "pipeline-template" ]; then
+  echo -e "unexpected values " "wanted: listener; got:" $listenername", wanted: pipeline-binding; got:" $bindingname", wanted: pipeline-template; got:" $templatename
+  exit 1
+fi
+
+# Checking EventListener log
+wait_until_pod_started listener
+log=$(kubectl logs $(kubectl get pod | grep listener | cut -f 1 -d " "))
+entry=$(echo $log | grep "Listen and serve on port 8082")  || true
+ll=${#entry}
+if [ 0 -eq $ll ];
+then
+  echo "Event Listener POD didn't start expectedly"
+  echo "POD dump:"
+  kubectl get pod listener -o yaml
+  exit 1
+fi
+
+
+# clean up
+kubectl delete -f ${REPO_ROOT_DIR}/test/ingress/ingress-clusterrole.yaml
+kubectl delete -f ${REPO_ROOT_DIR}/test/ingress/ingress-clusterrolebinding.yaml
+kubectl delete -f ${REPO_ROOT_DIR}/docs/create-webhook.yaml
+kubectl delete -f ${REPO_ROOT_DIR}/docs/create-webhook-run.yaml
+kubectl delete secret secret1
+kubectl delete eventlistener listener
+kubectl delete secret githubsecret
+
+
diff --git a/test/e2e-tests.sh b/test/e2e-tests.sh
@@ -30,6 +30,9 @@ install_pipeline_crd
 header "Running yaml tests"
 $(dirname $0)/e2e-tests-yaml.sh || failed=1
 
+header "Running ingress tests"
+$(dirname $0)/e2e-tests-ingress.sh || failed=1
+
 # Run the integration tests
 header "Running Go e2e tests"
 go_test_e2e -timeout=20m ./test || failed=1

diff --git a/test/ingress/ingress-clusterrole.yaml b/test/ingress/ingress-clusterrole.yaml
@@ -0,0 +1,35 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ingress
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+- apiGroups:
+  - tekton.dev
+  resources:
+  - eventlisteners
+  verbs:
+  - get
+  - list
+  - create
+  - update
+  - delete
+- apiGroups:
+  - extensions
+  resources:
+  - ingresses
+  verbs:
+  - create
+  - get
+  - list
+  - delete
+  - update
diff --git a/test/ingress/ingress-clusterrolebinding.yaml b/test/ingress/ingress-clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: ingress
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: default
+roleRef:
+  kind: ClusterRole
+  name: ingress 
+  apiGroup: rbac.authorization.k8s.io
-Original file line number
+Diff line change
@@ Expand Up @@
       - update
     ```
+    This task always mounts the secret specified in `GithubSecretName`.  It must be created before the task is run.  The contents can be dummy values if the webhook does not need to be created.
     ## Task params
     These are the task parms to manage the task execution
@@ Expand Down @@