#!/usr/bin/env bash
# shellcheck disable=SC1091
set -euo pipefail
# Runs all e2e tests. Derived from the workload of CircleCI gke-api-nongroovy-tests.
#
# Entry point: test_e2e, invoked only when this file is executed directly
# (see the BASH_SOURCE guard at the bottom); sourcing it just defines the
# functions. Failures are fatal: -e/-u/pipefail are on for the whole run and
# the helpers below use `die` to abort.
# Repository root, two directories above this script.
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")"/../.. && pwd)"
# The sourced files provide the helpers used throughout (info, die,
# wait_for_api, deploy_stackrox, the cert setup, ...); which file defines
# which is not visible here.
# shellcheck source=../../scripts/lib.sh
source "$ROOT/scripts/lib.sh"
# shellcheck source=../../scripts/ci/sensor-wait.sh
source "$ROOT/scripts/ci/sensor-wait.sh"
# shellcheck source=../../tests/scripts/setup-certs.sh
source "$ROOT/tests/scripts/setup-certs.sh"
# shellcheck source=../../tests/e2e/lib.sh
source "$ROOT/tests/e2e/lib.sh"
#######################################
# Runs the whole e2e suite, in this order: cluster setup, roxctl tests
# (script + Bats), the `make -C tests` suite, the proxy tests (skipped on
# OpenShift), the destructive tests and the external-backup tests.
# Globals:   KUBECONFIG (required), ORCHESTRATOR_FLAVOR (read, optional),
#            ROOT (read); exports SENSOR_HELM_DEPLOY,
#            ROX_ACTIVE_VULN_REFRESH_INTERVAL, ROX_NETPOL_FIELDS and, on
#            PRs labelled ci-release-build, GOTAGS=release.
# Arguments: none are used (the entry-point guard passes "$*", which is
#            ignored here).
# Outputs:   progress via info/echo; results handed to store_test_results.
# Returns:   0 on success; on any failed suite `die` aborts the script.
#######################################
test_e2e() {
    info "Starting e2e tests"
    require_environment "KUBECONFIG"
    export_test_environment
    export SENSOR_HELM_DEPLOY=true
    export ROX_ACTIVE_VULN_REFRESH_INTERVAL=1m
    export ROX_NETPOL_FIELDS=true
    test_preamble
    setup_deployment_env false false
    remove_existing_stackrox_resources
    setup_default_TLS_certs
    info "Creating mocked compliance operator data for compliance v1 tests"
    "$ROOT/tests/complianceoperator/create.sh"
    kubectl get compliancecheckresults.compliance.openshift.io -n openshift-compliance
    image_prefetcher_prebuilt_await
    # If deploy_optional_e2e_components is called after deploy_stackrox it causes an unnecessary Sensor restart
    deploy_optional_e2e_components
    deploy_stackrox
    # FAIL is a marker file in the current directory: a failing suite touches
    # it so that its results are still stored before `die` aborts the run.
    rm -f FAIL
    prepare_for_endpoints_test
    run_roxctl_tests
    run_roxctl_bats_tests "roxctl-test-output" "cluster" || touch FAIL
    store_test_results "roxctl-test-output" "roxctl-test-output"
    [[ ! -f FAIL ]] || die "roxctl e2e tests failed"
    # Give some time for previous tests to finish up
    wait_for_api
    info "E2E API tests"
    if pr_has_label "ci-release-build"; then
        echo "Running e2e tests in release mode"
        export GOTAGS=release
    fi
    make -C tests || touch FAIL
    store_test_results "tests/all-tests-results" "all-tests-results"
    [[ ! -f FAIL ]] || die "e2e API tests failed"
    if [[ ${ORCHESTRATOR_FLAVOR:-} == "openshift" ]]; then
        info "Temporarily skipping proxy test on OCP. TODO(ROX-25172)"
    else
        # Give some time for previous tests to finish up
        wait_for_api
        setup_proxy_tests "localhost"
        run_proxy_tests "localhost"
    fi
    # run_proxy_tests cd's into per-proxy work dirs under /tmp; return to the
    # repo root before collecting logs and running the remaining suites.
    cd "$ROOT"
    collect_and_check_stackrox_logs "/tmp/e2e-test-logs" "initial_tests"
    # Give some time for previous tests to finish up
    wait_for_api
    info "E2E destructive tests"
    make -C tests destructive-tests || touch FAIL
    store_test_results "tests/destructive-tests-results" "destructive-tests-results"
    [[ ! -f FAIL ]] || die "destructive e2e tests failed"
    # Give some time for previous tests to finish up
    wait_for_api
    # The backup tests run against a restored 4.6 Postgres backup.
    restore_4_6_postgres_backup
    wait_for_api
    info "E2E external backup tests"
    make -C tests external-backup-tests || touch FAIL
    store_test_results "tests/external-backup-tests-results" "external-backup-tests-results"
    [[ ! -f FAIL ]] || die "external backup e2e tests failed"
}
#######################################
# Checks that roxctl is available and exports the variables the test
# binaries and deploy scripts read.
# Globals:   ROOT (read); exports MAIN_TAG, ROX_PLAINTEXT_ENDPOINTS,
#            ROXDEPLOY_CONFIG_FILE_MAP, TRUSTED_CA_FILE.
# Arguments: none
# Returns:   non-zero (and, under set -e, aborts) if `make tag` fails.
#######################################
test_preamble() {
    require_executable "roxctl"
    # Assign and export separately so a failing `make tag` is not masked
    # by the export's own exit status.
    MAIN_TAG=$(make --quiet --no-print-directory tag)
    ROX_PLAINTEXT_ENDPOINTS="8080,grpc@8081"
    ROXDEPLOY_CONFIG_FILE_MAP="$ROOT/scripts/ci/endpoints/endpoints.yaml"
    TRUSTED_CA_FILE="$ROOT/tests/bad-ca/root.crt"
    export MAIN_TAG ROX_PLAINTEXT_ENDPOINTS ROXDEPLOY_CONFIG_FILE_MAP TRUSTED_CA_FILE
}
#######################################
# Generates the certificates endpoints_test.go needs and exports their
# paths. Resource patching is skipped on OpenShift (ROX-24688).
# Globals:   ORCHESTRATOR_FLAVOR (read, optional); exports SERVICE_CA_FILE,
#            SERVICE_CERT_FILE, SERVICE_KEY_FILE.
# Arguments: none
# Outputs:   the generated certs live in a fresh mktemp directory that is
#            deliberately left in place for the later tests.
#######################################
prepare_for_endpoints_test() {
    info "Preparation for endpoints_test.go"
    local gencerts_dir
    gencerts_dir="$(mktemp -d)"
    setup_client_CA_auth_provider
    setup_generated_certs_for_test "$gencerts_dir"
    case "${ORCHESTRATOR_FLAVOR:-}" in
        openshift)
            info "Skipping resource patching for skipped endpoints_test.go. TODO(ROX-24688)"
            ;;
        *)
            patch_resources_for_test
            ;;
    esac
    SERVICE_CA_FILE="$gencerts_dir/ca.pem"
    SERVICE_CERT_FILE="$gencerts_dir/sensor-cert.pem"
    SERVICE_KEY_FILE="$gencerts_dir/sensor-key.pem"
    export SERVICE_CA_FILE SERVICE_CERT_FILE SERVICE_KEY_FILE
}
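#######################################
# Runs one Bats suite against the development roxctl via bats-runner.sh.
# Globals:   ROOT (read)
# Arguments: $1 - output directory for the test results
#            $2 - suite name (a directory under tests/roxctl/bats-tests/)
# Returns:   the runner's exit status; `die` aborts on bad arguments or a
#            missing suite directory.
#######################################
run_roxctl_bats_tests() {
    # Check the arity before reading $2: with `set -u` an unset $2 aborted
    # with "unbound variable" before the usage message could be printed.
    if (( $# != 2 )); then
        die "Error: run_roxctl_bats_tests requires 2 arguments: run_roxctl_bats_tests <test_output> <suite>"
    fi
    local output="$1"
    local suite="$2"
    local suite_dir="$ROOT/tests/roxctl/bats-tests/$suite"
    [[ -d "$suite_dir" ]] || die "Cannot find directory: $suite_dir"
    info "Running Bats e2e tests on development roxctl"
    "$ROOT/tests/roxctl/bats-runner.sh" "$output" "$suite_dir"
}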
#######################################
# Runs the script-based roxctl e2e tests, each wrapped in a JUnit record.
# Globals:   ROOT (read), SERVICE_CA_FILE (read, passed as CA to the yaml
#            verification test only)
# Arguments: none
# Returns:   the status of the first failing junit_wrap (under set -e the
#            script aborts there).
#######################################
run_roxctl_tests() {
    info "Run roxctl tests"
    # "<junit id>|<description>|<script relative to tests/>", run in this order.
    local -a cases=(
        "roxctl-token-file|roxctl token-file test|roxctl/token-file.sh"
        "roxctl-authz-trace|roxctl authz-trace test|roxctl/authz-trace.sh"
        "roxctl-istio-support|roxctl istio-support test|roxctl/istio-support.sh"
        "roxctl-k8s-context|roxctl --use-current-k8s-context test|roxctl/roxctl-k8s-context.sh"
        "roxctl-helm-chart-generation|roxctl helm-chart-generation test|roxctl/helm-chart-generation.sh"
    )
    local entry id desc script
    for entry in "${cases[@]}"; do
        IFS='|' read -r id desc script <<<"$entry"
        junit_wrap "$id" "$desc" "" "$ROOT/tests/$script"
    done
    # The yaml verification test additionally needs the service CA, exported
    # as CA for the duration of this one call.
    CA="$SERVICE_CA_FILE" junit_wrap "roxctl-yaml-verification" "roxctl yaml-verification test" "" \
        "$ROOT/tests/yamls/roxctl_verification.sh"
}
#######################################
# Deploys the nginx proxy fixtures and starts one background
# `kubectl port-forward` per proxy service on the local ports the proxy
# tests expect.
# Globals:   ROOT (read); exports PROXY_CERTS_DIR (a fresh mktemp dir).
# Arguments: $1 - server name handed to scripts/ci/proxy/deploy.sh
# Outputs:   the port-forwards keep running after return; their output is
#            discarded and their PIDs are not recorded.
#######################################
setup_proxy_tests() {
    info "Setup for proxy tests"
    (( $# == 1 )) || die "missing args. usage: setup_proxy_tests <server_name>"
    local server_name="$1"
    PROXY_CERTS_DIR="$(mktemp -d)"
    export PROXY_CERTS_DIR
    "$ROOT/scripts/ci/proxy/deploy.sh" "${server_name}"
    # Try preventing kubectl port-forward from hitting the FD limit, see
    # https://github.com/kubernetes/kubernetes/issues/74551#issuecomment-910520361
    # Note: this might fail if we don't have the correct privileges. Unfortunately,
    # we cannot `sudo ulimit` because it is a shell builtin.
    ulimit -n 65535 || true
    # "<service>:<local port>:<service port>", forwarded in this order.
    local -a forwards=(
        "nginx-proxy-plain-http:10080:80"
        "nginx-proxy-tls-multiplexed:10443:443"
        "nginx-proxy-tls-multiplexed-tls-be:11443:443"
        "nginx-proxy-tls-http1:12443:443"
        "nginx-proxy-tls-http1-plain:13443:443"
        "nginx-proxy-tls-http2:14443:443"
        "nginx-proxy-tls-http2-plain:15443:443"
    )
    local fwd svc local_port svc_port
    for fwd in "${forwards[@]}"; do
        IFS=: read -r svc local_port svc_port <<<"$fwd"
        nohup kubectl -n proxies port-forward "svc/${svc}" "${local_port}:${svc_port}" </dev/null &>/dev/null &
    done
    # Fixed grace period for the forwards to come up; the tests themselves retry.
    sleep 1
}
#######################################
# Deletes the proxies namespace if it exists; a no-op otherwise.
# Arguments: none
# Returns:   0 when the namespace is absent, else the status of
#            `kubectl delete`.
#######################################
cleanup_proxy_tests() {
    if ! kubectl get ns proxies; then
        return 0
    fi
    kubectl delete ns proxies --wait
}
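#######################################
# Exercises Central access through each proxy fixture: a curl ping through
# the plain and the TLS proxy, then roxctl through every proxy variant with
# the scheme/plaintext/direct-gRPC combinations listed in `proxies`.
# Globals:   PROXY_CERTS_DIR (read; set by setup_proxy_tests);
#            exports ROX_CA_CERT_FILE="" and ROX_SERVER_NAME="".
# Arguments: $1 - server name the proxies are reachable under
# Outputs:   a "Failures:" running count per endpoint and a final summary.
# Returns:   0 when every roxctl check passed; exits 1 otherwise. The curl
#            pings abort via `die` on an unexpected status.
# Side effects: cd's into /tmp/proxy-test-<port>-<opt> for each proxy and
#            returns to the starting directory before removing it.
#######################################
run_proxy_tests() {
    info "Running proxy tests"
    if (( $# != 1 )); then
        die "missing args. usage: run_proxy_tests <server_name>"
    fi
    local server_name="$1"
    local ping_endpoint="v1/ping"
    # Each proxy case cd's into its own work dir; return here before deleting
    # it so the working directory never dangles.
    local start_dir="$PWD"
    # --retry-connrefused only works when forcing IPv4, see https://github.com/appropriate/docker-curl/issues/5
    local -a curl_retry=(--retry 5 --retry-connrefused -4 --retry-delay 1 --retry-max-time 10 -f)

    info "Test HTTP access to plain HTTP proxy"
    local ping_response_http
    ping_response_http="$(curl "${curl_retry[@]}" \
        "http://${server_name}:10080/${ping_endpoint}" | jq -r '.status')"
    echo "Got ping response '${ping_response_http}' from '${ping_endpoint}'"
    [[ "${ping_response_http}" == "ok" ]] || die "unexpected ping status '${ping_response_http}' via plain HTTP proxy"

    info "Test HTTPS access to multiplexed TLS proxy"
    local ping_response_https
    ping_response_https="$(curl --cacert "${PROXY_CERTS_DIR:?setup_proxy_tests must run first}/ca.crt" \
        "${curl_retry[@]}" \
        "https://${server_name}:10443/${ping_endpoint}" | jq -r '.status')"
    echo "Got ping response '${ping_response_https}' from '${ping_endpoint}'"
    [[ "${ping_response_https}" == "ok" ]] || die "unexpected ping status '${ping_response_https}' via TLS proxy"

    info "Test roxctl access to proxies"
    # "<description>:<local port>[:<option>]"; option is "plaintext",
    # "direct" (direct gRPC) or absent.
    local -a proxies=(
        "Plaintext proxy:10080:plaintext"
        "Multiplexed TLS proxy with plain backends:10443"
        "Multiplexed TLS proxy with TLS backends:11443"
        "Multiplexed TLS proxy with plain backends (direct gRPC):10443:direct"
        "Multiplexed TLS proxy with TLS backends (direct gRPC):11443:direct"
        "HTTP/1 proxy with TLS backends:12443"
        "HTTP/1 proxy with plain backends:13443"
        "HTTP/2 proxy with TLS backends:14443"
        "HTTP/2 proxy with plain backends:15443"
    )
    # Make sure no ambient roxctl TLS settings leak into the checks below.
    export ROX_CA_CERT_FILE=""
    export ROX_SERVER_NAME=""
    local -a failures=()
    local p name port opt
    for p in "${proxies[@]}"; do
        IFS=: read -r name port opt <<<"$p"
        # Per-case scratch dir (roxctl writes its generated bundle into cwd).
        local work_dir="/tmp/proxy-test-${port}-${opt}"
        mkdir -p "$work_dir"
        cd "$work_dir"
        # NOTE: empty-array expansion of extra_args below needs bash >= 4.4
        # under set -u (older bash reports "unbound variable").
        local -a extra_args=()
        local scheme="https"
        local plaintext="false"
        local plaintext_neg="true"
        local direct=0
        case "$opt" in
            plaintext)
                extra_args=(--insecure)
                plaintext="true"
                plaintext_neg="false"
                scheme="http"
                ;;
            direct)
                extra_args=(--direct-grpc)
                direct=1
                ;;
        esac
        info "Testing roxctl access through ${name}..."
        local endpoint="${server_name}:${port}"
        if [[ "$plaintext" == "false" ]]; then
            # Keep the fetched cert in the work dir so it is removed with it
            # (previously a separate mktemp dir per case was never cleaned).
            local central_cert="${work_dir}/central_cert.pem"
            info "Fetching central certificate for ${name}..."
            roxctl "${extra_args[@]}" -e "$endpoint" \
                central cert --insecure-skip-tls-verify 1>"$central_cert" || \
                failures+=("$p,fetch-CA")
            extra_args+=(--ca "$central_cert")
        fi
        local endpoint_tgt
        for endpoint_tgt in "${scheme}://${endpoint}" "${scheme}://${endpoint}/" "$endpoint"; do
            roxctl "${extra_args[@]}" --plaintext="$plaintext" -e "${endpoint_tgt}" central debug log >/dev/null || \
                failures+=("$p")
            if (( direct )); then
                info "Direct gRPC to ${endpoint_tgt} with ${extra_args[*]}"
                roxctl "${extra_args[@]}" -e "${endpoint_tgt}" central debug log >/dev/null || \
                    failures+=("${p},direct-grpc")
            else
                info "Force HTTP1 to ${endpoint_tgt} with ${extra_args[*]} and --plaintext=${plaintext}"
                roxctl "${extra_args[@]}" --plaintext="$plaintext" --force-http1 -e "${endpoint_tgt}" central debug log >/dev/null || \
                    failures+=("${p},force-http1")
            fi
            if [[ "$endpoint_tgt" == *://* ]]; then
                info "Auto-sense plaintext or TLS when specifying a scheme (${endpoint_tgt})"
                roxctl "${extra_args[@]}" -e "${endpoint_tgt}" central debug log >/dev/null || \
                    failures+=("${p},tls-autosense")
                # Negative check: the wrong --plaintext value must be rejected,
                # so a *successful* call is recorded as a failure here.
                info "Incompatible plaintext configuration should fail with --plaintext=${plaintext_neg}"
                roxctl "${extra_args[@]}" --plaintext="$plaintext_neg" -e "${endpoint_tgt}" central debug log &>/dev/null && \
                    failures+=("${p},incompatible-tls")
            fi
            echo "Failures: ${#failures[@]}"
        done
        info "Test sensor generate k8s with ${server_name}:${port}, ${extra_args[*]} and --plaintext=${plaintext}"
        roxctl "${extra_args[@]}" --plaintext="$plaintext" -e "${server_name}:${port}" \
            sensor generate k8s --name remote --continue-if-exists 1>/dev/null || \
            failures+=("${p},sensor-generate")
        echo "Done."
        # Leave the work dir before deleting it. The previous cleanup removed
        # "/tmp/proxy-test-${port}", which never matched the "-${opt}" suffixed
        # directory actually created, so every work dir was left behind.
        cd "$start_dir"
        rm -rf -- "$work_dir"
    done
    echo "Total: ${#failures[@]} failures."
    if (( ${#failures[@]} > 0 )); then
        printf " - %s\n" "${failures[@]}"
        # Kept as exit (not return) to preserve the caller-visible behaviour:
        # the whole e2e run stops here.
        exit 1
    fi
}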
# Run the suite only when this file is executed directly; sourcing it just
# defines the functions. "$*" joins all CLI arguments into one word, which
# test_e2e does not use.
[[ "${BASH_SOURCE[0]}" != "$0" ]] || test_e2e "$*"