Update fernet keys rotation scripts
Signed-off-by: Veronika Fisarova <vfisarov@redhat.com>
Co-authored-by: Andre Aranha <afariasa@redhat.com>
Deydra71 and afaranha committed Dec 2, 2024
1 parent 80d688a commit 3919df6
Showing 9 changed files with 71 additions and 5 deletions.
2 changes: 1 addition & 1 deletion kuttl-test.yaml
Expand Up @@ -16,7 +16,7 @@ apiVersion: kuttl.dev/v1beta1
kind: TestSuite
reportFormat: JSON
reportName: kuttl-test-keystone
timeout: 180
timeout: 800
namespace: keystone-kuttl-tests
parallel: 1
suppress:
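--- a/tests/kuttl/common/scripts/rotate_token.sh
+++ b/tests/kuttl/common/scripts/rotate_token.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+set -x
+
+TMP_SECRET_FILE="/tmp/keystone-secret.yaml"
+
+generate_secret_yaml() {
+cat <<EOF > $TMP_SECRET_FILE
+apiVersion: v1
+kind: Secret
+metadata:
+name: keystone
+namespace: keystone-kuttl-tests
+annotations:
+keystone.openstack.org/rotatedat: "2009-11-10T23:00:00Z"
+EOF
+}
+
+for rotation in {1..5}; do
+echo "Starting rotation $rotation..."
+
+# Apply new secret to trigger rotation
+generate_secret_yaml
+if ! oc apply -f $TMP_SECRET_FILE; then
+echo "Failed to apply the secret!"
+rm -f $TMP_SECRET_FILE
+exit 1
+fi
+
+sleep 100
+
+# Wait for rollout to complete
+if ! oc rollout status deployment/keystone -n $NAMESPACE --timeout=60s; then
+echo "Rollout status check failed for rotation $rotation."
+continue
+fi
+
+echo "Rotation $rotation completed successfully."
+done
+
+rm -f $TMP_SECRET_FILE
+echo "All rotations completed successfully."
+exit 0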
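Review bot: A rotation whose rollout never completes still ends this script with `exit 0`: the `continue` after the failed `oc rollout status` only moves to the next iteration, and the loop falls through to "All rotations completed successfully." regardless, so a kuttl step running this script cannot detect a stuck or failed rollout. Replace that `continue` with `rm -f -- "$TMP_SECRET_FILE"; exit 1` (or count the failures and exit non-zero after the loop). Note also that `oc apply` relies on the namespace hard-coded in the manifest while `oc rollout status` uses `$NAMESPACE`, so the two can diverge if the variable is ever set differently; passing `-n "$NAMESPACE"` to both keeps them consistent. Finally, the fixed `/tmp/keystone-secret.yaml` path and the unquoted `$TMP_SECRET_FILE`/`$NAMESPACE` expansions are what ShellCheck would flag first; `TMP_SECRET_FILE=$(mktemp)` plus quoting costs nothing.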
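--- a/tests/kuttl/common/scripts/test_invalid_token.sh
+++ b/tests/kuttl/common/scripts/test_invalid_token.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -x
+
+export OS_TOKEN=$(cat /tmp/temporary_test_token)
+
+output=$(oc exec -tn $NAMESPACE openstackclient -- env -u OS_CLOUD - OS_AUTH_URL=http://keystone-public.keystone-kuttl-tests.svc:5000 OS_AUTH_TYPE=token OS_TOKEN=$OS_TOKEN openstack endpoint list 2>&1)
+
+filtered_output=$(echo "$output" | grep -i "Could not recognize Fernet token")
+
+if echo "$filtered_output" | grep -q "Could not recognize Fernet token"; then
+exit 0
+else
+exit 1
+fi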
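Review bot: The token under test ends up in the trace and in the remote command line: `set -x` on the second line echoes the expanded `OS_TOKEN=...` argument of the `oc exec` call, and the value is also handed to `env` inside the openstackclient pod as an argv entry. It is the same token that `validate_test_token.sh` exercised while it was still valid, so CI logs of this step retain a once-valid Keystone credential; bracketing the `oc exec` line with `set +x` / `set -x` (or dropping `set -x` in this script) keeps it out of the log. Separately, `filtered_output` is a redundant intermediate — `if grep -qi "Could not recognize Fernet token" <<<"$output"; then` performs the same check in one step — and quoting `"$NAMESPACE"` avoids an empty expansion silently shifting the `-tn` arguments, which would likely make `openstackclient` the namespace value.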
8 changes: 4 additions & 4 deletions tests/kuttl/common/scripts/validate_test_token.sh
Expand Up @@ -4,11 +4,11 @@ set -euxo pipefail
seconds=1
while [ $seconds -le 30 ]; do
rotatedat=$(oc get secret keystone -n $NAMESPACE -o jsonpath="{.metadata.annotations['keystone\.openstack\.org/rotatedat']}")
if [ $rotatedat != "2009-11-10T23:00:00Z" ]; then
if [ "$rotatedat" != "2009-11-10T23:00:00Z" ]; then
break
fi
sleep 1
seconds=$(( $seconds + 1 ))
seconds=$(( seconds + 1 ))
done

sleep 20 # make sure a rollout started
Expand All @@ -17,9 +17,9 @@ oc rollout status deployment/keystone -n $NAMESPACE

export OS_TOKEN=$(cat /tmp/temporary_test_token)

alias openstack="oc exec -tn $NAMESPACE openstackclient -- env -u OS_CLOUD - OS_AUTH_URL=http://keystone-public.keystone-kuttl-tests.svc:5000 OS_AUTH_TYPE=token OS_TOKEN=$OS_TOKEN openstack"
output=$(oc exec -tn $NAMESPACE openstackclient -- env -u OS_CLOUD - OS_AUTH_URL=http://keystone-public.keystone-kuttl-tests.svc:5000 OS_AUTH_TYPE=token OS_TOKEN=$OS_TOKEN openstack endpoint list 2>&1 || true)

if openstack endpoint list 2>&1 | grep "Failed to validate token"; then
if echo "$output" | grep -qi "Could not recognize Fernet token"; then
exit 1
else
exit 0
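Review bot: The new `|| true` on the `output=$(oc exec … 2>&1 || true)` line in the second hunk swallows every failure of the command, and the script then exits 0 unless the specific "Could not recognize Fernet token" text appears, so a missing openstackclient pod, an unreachable Keystone endpoint or any other `oc exec` error now makes this validation pass without the token ever being checked. Keep the status instead of discarding it: `rc=0; output=$(oc exec … 2>&1) || rc=$?`, then `grep -qi "Could not recognize Fernet token" <<<"$output" && exit 1`, and finally `exit "$rc"` so only a genuinely accepted token yields success. The quoting of `$rotatedat` and the `seconds` arithmetic in the first hunk are fine; the unquoted `$NAMESPACE` on the surrounding context lines is pre-existing. The script's lines before the first hunk and after `exit 0` are outside this view.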
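--- a/tests/kuttl/tests/fernet_rotation/03-assert.yaml
+++ b/tests/kuttl/tests/fernet_rotation/03-assert.yaml
@@ -0,0 +1,6 @@
+# validate that token saved in previous step works
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+namespaced: true
+commands:
+- script: ../../common/scripts/test_invalid_token.sh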
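Review bot: The header comment states the opposite of what this assert checks: `test_invalid_token.sh` returns 0 only when Keystone answers "Could not recognize Fernet token", so the step verifies that the saved token no longer works after the key rotation. Replace the first line with `# validate that the token saved in a previous step is rejected after the key rotation` so the intent is not misread as a positive validation.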
@@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- script: ../../common/scripts/rotate_token.sh
