[ADD] Add integration test for TLS and Mutual TLS options

Signed-off-by: poyaz <[email protected]> Signed-off-by: eunames <[email protected]>
k8up-io · Apr 24, 2024 · 0f7e073 · 0f7e073
1 parent 6eebda5
commit 0f7e073
Show file tree

Hide file tree

Showing 4 changed files with 360 additions and 0 deletions.
diff --git a/operator/backupcontroller/controller_integration_test.go b/operator/backupcontroller/controller_integration_test.go
@@ -138,6 +138,37 @@ func (ts *BackupTestSuite) Test_GivenBackupWithSecurityContext_ExpectBackupJobWi
 	ts.Assert().Equal(int64(500), *backupJob.Spec.ActiveDeadlineSeconds)
 }
 
+func (ts *BackupTestSuite) Test_GivenBackupWithTlsOptions_ExpectBackupJobWithTlsOptions() {
+	ts.BackupResource = ts.newBackupTls()
+	pvc := ts.newPvc("test-pvc", corev1.ReadWriteMany)
+	ts.EnsureResources(ts.BackupResource, pvc)
+
+	pvc.Status.Phase = corev1.ClaimBound
+	ts.UpdateStatus(pvc)
+
+	result := ts.whenReconciling(ts.BackupResource)
+	ts.Require().GreaterOrEqual(result.RequeueAfter, 30*time.Second)
+
+	backupJob := ts.expectABackupJob()
+	ts.Assert().NotNil(backupJob.Spec.Template.Spec.Volumes)
+	ts.assertBackupTlsVolumeAndTlsOptions(backupJob)
+}
+
+func (ts *BackupTestSuite) Test_GivenBackupWithMutualTlsOptions_ExpectBackupJobWithMutualTlsOptions() {
+	ts.BackupResource = ts.newBackupMutualTls()
+	pvc := ts.newPvc("test-pvc", corev1.ReadWriteMany)
+	ts.EnsureResources(ts.BackupResource, pvc)
+
+	pvc.Status.Phase = corev1.ClaimBound
+	ts.UpdateStatus(pvc)
+
+	result := ts.whenReconciling(ts.BackupResource)
+	ts.Require().GreaterOrEqual(result.RequeueAfter, 30*time.Second)
+
+	backupJob := ts.expectABackupJob()
+	ts.assertBackupMutualTlsVolumeAndMutualTlsOptions(backupJob)
+}
+
 func (ts *BackupTestSuite) Test_GivenPreBackupPods_ExpectPreBackupDeployment() {
 	ts.EnsureResources(ts.BackupResource, ts.newPreBackupPod())
 

diff --git a/operator/backupcontroller/controller_utils_integration_test.go b/operator/backupcontroller/controller_utils_integration_test.go
@@ -4,6 +4,8 @@ package backupcontroller
 
 import (
 	"context"
+	"github.com/k8up-io/k8up/v2/operator/cfg"
+	"k8s.io/utils/ptr"
 
 	appsv1 "k8s.io/api/apps/v1"
 	batchv1 "k8s.io/api/batch/v1"
@@ -23,6 +25,18 @@ import (
 
 const (
 	backupTag = "integrationTag"
+
+	backupTlsVolumeName       = "minio-client-tls"
+	backupTlsVolumeSecretName = "minio-client-tls"
+	backupTlsVolumeMount      = "/mnt/tls"
+	backupTlsCaCertPath       = backupTlsVolumeMount + "/ca.cert"
+
+	backupMutualTlsVolumeName       = "minio-client-mtls"
+	backupMutualTlsVolumeSecretName = "minio-client-mtls"
+	backupMutualTlsVolumeMount      = "/mnt/mtls"
+	backupMutualTlsCaCertPath       = backupMutualTlsVolumeMount + "/ca.cert"
+	backupMutualTlsClientCertPath   = backupMutualTlsVolumeMount + "/client.cert"
+	backupMutualTlsKeyCertPath      = backupMutualTlsVolumeMount + "/client.key"
 )
 
 func (ts *BackupTestSuite) newPvc(name string, accessMode corev1.PersistentVolumeAccessMode) *corev1.PersistentVolumeClaim {
@@ -134,6 +148,125 @@ func (ts *BackupTestSuite) newBackup() *k8upv1.Backup {
 	}
 }
 
+func (ts *BackupTestSuite) newBackupTls() *k8upv1.Backup {
+	return &k8upv1.Backup{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "backup",
+			Namespace: ts.NS,
+			UID:       uuid.NewUUID(),
+		},
+		Spec: k8upv1.BackupSpec{
+			RunnableSpec: k8upv1.RunnableSpec{
+				Backend: &k8upv1.Backend{
+					TLSOptions: &k8upv1.TLSOptions{CACert: backupTlsCaCertPath},
+					VolumeMounts: &[]corev1.VolumeMount{
+						{
+							Name:      backupTlsVolumeName,
+							MountPath: backupTlsVolumeMount,
+						},
+					},
+				},
+				Volumes: &[]k8upv1.RunnableVolumeSpec{
+					{
+						Name: backupTlsVolumeName,
+						Secret: &corev1.SecretVolumeSource{
+							SecretName:  backupTlsVolumeSecretName,
+							DefaultMode: ptr.To(corev1.SecretVolumeSourceDefaultMode),
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func (ts *BackupTestSuite) assertBackupTlsVolumeAndTlsOptions(job *batchv1.Job) {
+	expectArgs := []string{"-varDir", cfg.Config.PodVarDir, "-caCert", backupTlsCaCertPath}
+	expectVolumeMount := corev1.VolumeMount{Name: backupTlsVolumeName, MountPath: backupTlsVolumeMount}
+	expectVolume := corev1.Volume{
+		Name: backupTlsVolumeName,
+		VolumeSource: corev1.VolumeSource{
+			Secret: &corev1.SecretVolumeSource{
+				SecretName:  backupTlsVolumeSecretName,
+				DefaultMode: ptr.To(corev1.SecretVolumeSourceDefaultMode),
+			},
+		},
+	}
+
+	jobArguments := job.Spec.Template.Spec.Containers[0].Args
+	ts.Assert().Equal(jobArguments, expectArgs, "backup tls contains caCert path in job args")
+	jobVolumeMounts := job.Spec.Template.Spec.Containers[0].VolumeMounts
+	ts.Assert().NotNil(jobVolumeMounts)
+	ts.Assert().Contains(jobVolumeMounts, expectVolumeMount, "backup ca cert in job volume mount")
+	jobVolumes := job.Spec.Template.Spec.Volumes
+	ts.Assert().NotNil(jobVolumes)
+	ts.Assert().Contains(jobVolumes, expectVolume, "backup ca cert in job volume mount")
+}
+
+func (ts *BackupTestSuite) newBackupMutualTls() *k8upv1.Backup {
+	return &k8upv1.Backup{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "backup",
+			Namespace: ts.NS,
+			UID:       uuid.NewUUID(),
+		},
+		Spec: k8upv1.BackupSpec{
+			RunnableSpec: k8upv1.RunnableSpec{
+				Backend: &k8upv1.Backend{
+					TLSOptions: &k8upv1.TLSOptions{
+						CACert:     backupMutualTlsCaCertPath,
+						ClientCert: backupMutualTlsClientCertPath,
+						ClientKey:  backupMutualTlsKeyCertPath,
+					},
+					VolumeMounts: &[]corev1.VolumeMount{
+						{
+							Name:      backupMutualTlsVolumeName,
+							MountPath: backupMutualTlsVolumeMount,
+						},
+					},
+				},
+				Volumes: &[]k8upv1.RunnableVolumeSpec{
+					{
+						Name: backupMutualTlsVolumeName,
+						Secret: &corev1.SecretVolumeSource{
+							SecretName:  backupMutualTlsVolumeSecretName,
+							DefaultMode: ptr.To(corev1.SecretVolumeSourceDefaultMode),
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func (ts *BackupTestSuite) assertBackupMutualTlsVolumeAndMutualTlsOptions(job *batchv1.Job) {
+	expectArgs := []string{
+		"-varDir", cfg.Config.PodVarDir,
+		"-caCert", backupMutualTlsCaCertPath,
+		"-clientCert", backupMutualTlsClientCertPath,
+		"-clientKey", backupMutualTlsKeyCertPath,
+	}
+	expectVolumeMount := corev1.VolumeMount{Name: backupMutualTlsVolumeName, MountPath: backupMutualTlsVolumeMount}
+	expectVolume := corev1.Volume{
+		Name: backupMutualTlsVolumeName,
+		VolumeSource: corev1.VolumeSource{
+			Secret: &corev1.SecretVolumeSource{
+				SecretName:  backupMutualTlsVolumeSecretName,
+				DefaultMode: ptr.To(corev1.SecretVolumeSourceDefaultMode),
+			},
+		},
+	}
+
+	jobArguments := job.Spec.Template.Spec.Containers[0].Args
+	ts.Assert().Equal(jobArguments, expectArgs, "backup tls contains caCert path in job args")
+	jobVolumeMounts := job.Spec.Template.Spec.Containers[0].VolumeMounts
+	ts.Assert().NotNil(jobVolumeMounts)
+	ts.Assert().Contains(jobVolumeMounts, expectVolumeMount, "backup ca cert in job volume mount")
+	jobVolumes := job.Spec.Template.Spec.Volumes
+	ts.Assert().NotNil(jobVolumes)
+	ts.Assert().Contains(jobVolumes, expectVolume, "backup ca cert in job volume mount")
+}
+
 func (ts *BackupTestSuite) newBackupWithSecurityContext() *k8upv1.Backup {
 	runAsNonRoot := true
 	sc := &corev1.PodSecurityContext{

diff --git a/operator/checkcontroller/controller_integration_test.go b/operator/checkcontroller/controller_integration_test.go
@@ -26,6 +26,8 @@ type CheckTestSuite struct {
 	GivenChecks    []*k8upv1.Check
 	KeepSuccessful int
 	KeepFailed     int
+
+	BackupResource *k8upv1.Backup
 }
 
 func Test_Check(t *testing.T) {
@@ -136,3 +138,25 @@ func (ts *CheckTestSuite) expectNumberOfJobs(jobAmount int) {
 
 	ts.Assert().GreaterOrEqual(jobsLen, jobAmount)
 }
+
+func (ts *CheckTestSuite) Test_GivenCheckWithTlsOptions_ExpectCheckJobWithTlsOptions() {
+	checkResource := ts.newCheckTls()
+	ts.EnsureResources(checkResource)
+
+	result := ts.whenReconciling(checkResource)
+	ts.Require().GreaterOrEqual(result.RequeueAfter, 30*time.Second)
+
+	checkJob := ts.expectACheckJob()
+	ts.assertCheckTlsVolumeAndTlsOptions(checkJob)
+}
+
+func (ts *CheckTestSuite) Test_GivenCheckWithMutualTlsOptions_ExpectCheckJobWithMutualTlsOptions() {
+	checkResource := ts.newCheckMutualTls()
+	ts.EnsureResources(checkResource)
+
+	result := ts.whenReconciling(checkResource)
+	ts.Require().GreaterOrEqual(result.RequeueAfter, 30*time.Second)
+
+	checkJob := ts.expectACheckJob()
+	ts.assertCheckMutualTlsVolumeAndMutualTlsOptions(checkJob)
+}
diff --git a/operator/checkcontroller/controller_utils_integration_test.go b/operator/checkcontroller/controller_utils_integration_test.go
@@ -0,0 +1,172 @@
+//go:build integration
+
+package checkcontroller
+
+import (
+	"github.com/k8up-io/k8up/v2/operator/cfg"
+	batchv1 "k8s.io/api/batch/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/uuid"
+	"k8s.io/utils/ptr"
+	controllerruntime "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	k8upv1 "github.com/k8up-io/k8up/v2/api/v1"
+)
+
+const (
+	checkTlsVolumeName       = "minio-client-tls"
+	checkTlsVolumeSecretName = "minio-client-tls"
+	checkTlsVolumeMount      = "/mnt/tls"
+	checkTlsCaCertPath       = checkTlsVolumeMount + "/ca.cert"
+
+	checkMutualTlsVolumeName       = "minio-client-mtls"
+	checkMutualTlsVolumeSecretName = "minio-client-mtls"
+	checkMutualTlsVolumeMount      = "/mnt/mtls"
+	checkMutualTlsCaCertPath       = checkMutualTlsVolumeMount + "/ca.cert"
+	checkMutualTlsClientCertPath   = checkMutualTlsVolumeMount + "/client.cert"
+	checkMutualTlsKeyCertPath      = checkMutualTlsVolumeMount + "/client.key"
+)
+
+func (ts *CheckTestSuite) expectACheckJob() (foundJob *batchv1.Job) {
+	jobs := new(batchv1.JobList)
+	err := ts.Client.List(ts.Ctx, jobs, client.InNamespace(ts.NS))
+	ts.Require().NoError(err)
+
+	jobsLen := len(jobs.Items)
+	ts.T().Logf("%d Jobs found", jobsLen)
+	ts.Require().Len(jobs.Items, 1, "job exists")
+	return &jobs.Items[0]
+}
+
+func (ts *CheckTestSuite) whenReconciling(object *k8upv1.Check) controllerruntime.Result {
+	controller := CheckReconciler{
+		Kube: ts.Client,
+	}
+
+	result, err := controller.Provision(ts.Ctx, object)
+	ts.Require().NoError(err)
+
+	return result
+}
+
+func (ts *CheckTestSuite) newCheckTls() *k8upv1.Check {
+	return &k8upv1.Check{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "check",
+			Namespace: ts.NS,
+			UID:       uuid.NewUUID(),
+		},
+		Spec: k8upv1.CheckSpec{
+			RunnableSpec: k8upv1.RunnableSpec{
+				Backend: &k8upv1.Backend{
+					TLSOptions: &k8upv1.TLSOptions{CACert: checkTlsCaCertPath},
+					VolumeMounts: &[]corev1.VolumeMount{
+						{
+							Name:      checkTlsVolumeName,
+							MountPath: checkTlsVolumeMount,
+						},
+					},
+				},
+				Volumes: &[]k8upv1.RunnableVolumeSpec{
+					{
+						Name: checkTlsVolumeName,
+						Secret: &corev1.SecretVolumeSource{
+							SecretName:  checkTlsVolumeSecretName,
+							DefaultMode: ptr.To(corev1.SecretVolumeSourceDefaultMode),
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func (ts *CheckTestSuite) assertCheckTlsVolumeAndTlsOptions(job *batchv1.Job) {
+	expectArgs := []string{"-varDir", cfg.Config.PodVarDir, "-check", "-caCert", checkTlsCaCertPath}
+	expectVolumeMount := corev1.VolumeMount{Name: checkTlsVolumeName, MountPath: checkTlsVolumeMount}
+	expectVolume := corev1.Volume{
+		Name: checkTlsVolumeName,
+		VolumeSource: corev1.VolumeSource{
+			Secret: &corev1.SecretVolumeSource{
+				SecretName:  checkTlsVolumeSecretName,
+				DefaultMode: ptr.To(corev1.SecretVolumeSourceDefaultMode),
+			},
+		},
+	}
+
+	jobArguments := job.Spec.Template.Spec.Containers[0].Args
+	ts.Assert().Equal(jobArguments, expectArgs, "check tls contains caCert path in job args")
+	jobVolumeMounts := job.Spec.Template.Spec.Containers[0].VolumeMounts
+	ts.Assert().NotNil(jobVolumeMounts)
+	ts.Assert().Contains(jobVolumeMounts, expectVolumeMount, "check ca cert in job volume mount")
+	jobVolumes := job.Spec.Template.Spec.Volumes
+	ts.Assert().NotNil(jobVolumes)
+	ts.Assert().Contains(jobVolumes, expectVolume, "check ca cert in job volume mount")
+}
+
+func (ts *CheckTestSuite) newCheckMutualTls() *k8upv1.Check {
+	return &k8upv1.Check{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "backup",
+			Namespace: ts.NS,
+			UID:       uuid.NewUUID(),
+		},
+		Spec: k8upv1.CheckSpec{
+			RunnableSpec: k8upv1.RunnableSpec{
+				Backend: &k8upv1.Backend{
+					TLSOptions: &k8upv1.TLSOptions{
+						CACert:     checkMutualTlsCaCertPath,
+						ClientCert: checkMutualTlsClientCertPath,
+						ClientKey:  checkMutualTlsKeyCertPath,
+					},
+					VolumeMounts: &[]corev1.VolumeMount{
+						{
+							Name:      checkMutualTlsVolumeName,
+							MountPath: checkMutualTlsVolumeMount,
+						},
+					},
+				},
+				Volumes: &[]k8upv1.RunnableVolumeSpec{
+					{
+						Name: checkMutualTlsVolumeName,
+						Secret: &corev1.SecretVolumeSource{
+							SecretName:  checkMutualTlsVolumeSecretName,
+							DefaultMode: ptr.To(corev1.SecretVolumeSourceDefaultMode),
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func (ts *CheckTestSuite) assertCheckMutualTlsVolumeAndMutualTlsOptions(job *batchv1.Job) {
+	expectArgs := []string{
+		"-varDir", cfg.Config.PodVarDir,
+		"-check",
+		"-caCert", checkMutualTlsCaCertPath,
+		"-clientCert", checkMutualTlsClientCertPath,
+		"-clientKey", checkMutualTlsKeyCertPath,
+	}
+	expectVolumeMount := corev1.VolumeMount{Name: checkMutualTlsVolumeName, MountPath: checkMutualTlsVolumeMount}
+	expectVolume := corev1.Volume{
+		Name: checkMutualTlsVolumeName,
+		VolumeSource: corev1.VolumeSource{
+			Secret: &corev1.SecretVolumeSource{
+				SecretName:  checkMutualTlsVolumeSecretName,
+				DefaultMode: ptr.To(corev1.SecretVolumeSourceDefaultMode),
+			},
+		},
+	}
+
+	jobArguments := job.Spec.Template.Spec.Containers[0].Args
+	ts.Assert().Equal(jobArguments, expectArgs, "check tls contains caCert path in job args")
+	jobVolumeMounts := job.Spec.Template.Spec.Containers[0].VolumeMounts
+	ts.Assert().NotNil(jobVolumeMounts)
+	ts.Assert().Contains(jobVolumeMounts, expectVolumeMount, "check ca cert in job volume mount")
+	jobVolumes := job.Spec.Template.Spec.Volumes
+	ts.Assert().NotNil(jobVolumes)
+	ts.Assert().Contains(jobVolumes, expectVolume, "check ca cert in job volume mount")
+}