Add integration test for Batchx509SVID RPC
Thiago Valverde de Souza
authored and
Thiago Valverde de Souza
committed
Aug 18, 2024
1 parent
fbe0fed
commit 1d27256
Showing
8 changed files
with
240 additions
and
0 deletions.
@@ -0,0 +1,51 @@ | ||
#!/bin/bash | ||
|
||
# Exit on error | ||
set -e | ||
|
||
# Define directories | ||
BASE_DIR="/opt/spire/conf" | ||
SERVER_DIR="${BASE_DIR}/server" | ||
AGENT_DIR="${BASE_DIR}/agent" | ||
|
||
# Create necessary directories | ||
mkdir -p "${SERVER_DIR}" | ||
mkdir -p "${AGENT_DIR}" | ||
|
||
# Generate Root CA Certificate and Key | ||
echo "Generating Root CA certificate and key..." | ||
openssl genrsa -out root-ca.key 2048 | ||
openssl req -new -x509 -key root-ca.key -out root-ca.crt -days 3650 -subj "/CN=SPIRE Root CA" | ||
|
||
# Generate Server Certificate and Key | ||
echo "Generating Server certificate and key..." | ||
openssl genrsa -out server.key 2048 | ||
openssl req -new -key server.key -out server.csr -subj "/CN=SPIRE Server" | ||
openssl x509 -req -in server.csr -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -out server.crt -days 365 | ||
|
||
# Generate Agent Certificate and Key | ||
echo "Generating Agent certificate and key..." | ||
openssl genrsa -out agent.key 2048 | ||
openssl req -new -key agent.key -out agent.csr -subj "/CN=SPIRE Agent" | ||
openssl x509 -req -in agent.csr -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -out agent.crt -days 365 | ||
|
||
# Create Trust Bundles | ||
echo "Creating trust bundles..." | ||
cat root-ca.crt server.crt > "${SERVER_DIR}/agent-cacert.pem" | ||
cat root-ca.crt agent.crt > "${AGENT_DIR}/bootstrap.crt" | ||
|
||
# Combine Certificates and Keys | ||
echo "Creating combined certificate files..." | ||
cat agent.crt agent.key > "${AGENT_DIR}/agent.crt.pem" | ||
cat server.crt server.key > "${SERVER_DIR}/server.crt.pem" | ||
|
||
# Create Combined Key and Certificate Files | ||
echo "Creating combined key and certificate files..." | ||
cat agent.key agent.crt > "${AGENT_DIR}/agent.key.pem" | ||
cat server.key server.crt > "${SERVER_DIR}/server.key.pem" | ||
|
||
# Clean up intermediate files | ||
echo "Cleaning up..." | ||
rm server.key server.csr server.crt agent.key agent.csr agent.crt | ||
|
||
echo "Certificate files generated and placed in ${BASE_DIR}." |
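Review bot: The private-key bundles written on the `agent.key.pem` and `server.key.pem` lines (and the `.crt.pem` files, which also embed a key) are created by shell redirection, so their mode follows the caller's umask and they are typically world-readable regardless of how openssl protected the original `.key` files; add `umask 077` directly after `set -e` so everything this script writes is owner-only. The cleanup on the `rm server.key ...` line leaves `root-ca.key`, the CA signing key, in the working directory along with `root-ca.crt` and the serial file from `-CAcreateserial`; delete the key once signing is finished or move it under `${BASE_DIR}` with the same restrictive mode. The bundles on the `agent-cacert.pem` and `bootstrap.crt` lines append a leaf certificate to the root; a trust-anchor file should hold CA certificates only, so `cat root-ca.crt > ...` suffices for both.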
@@ -0,0 +1,21 @@ | ||
#!/bin/bash | ||
|
||
set -e | ||
|
||
echo "RUNDIR: ${RUNDIR}" | ||
|
||
"${ROOTDIR}/setup/x509pop/setup.sh" conf/server conf/agent | ||
|
||
"${ROOTDIR}/setup/debugserver/build.sh" "${RUNDIR}/conf/server/debugclient" | ||
"${ROOTDIR}/setup/debugagent/build.sh" "${RUNDIR}/conf/agent/debugclient" | ||
|
||
|
||
echo "Starting SPIRE server..." | ||
spire-server run -config conf/server/server.conf > ${RUNDIR}/spire-server.log 2>&1 & | ||
SERVER_PID=$! | ||
sleep 5 | ||
|
||
echo "Starting SPIRE agent..." | ||
spire-agent run -config conf/agent/agent.conf & | ||
AGENT_PID=$! | ||
sleep 5 |
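Review bot: The log redirection on the `spire-server run` line leaves `${RUNDIR}` unquoted, and neither `ROOTDIR` nor `RUNDIR` is checked before use, so an empty value silently turns the paths into `/setup/x509pop/setup.sh` and `/spire-server.log`; add `: "${ROOTDIR:?}" "${RUNDIR:?}"` after `set -e` and quote the redirect as `> "${RUNDIR}/spire-server.log" 2>&1 &`. `SERVER_PID` and `AGENT_PID` are captured but never exported or written to disk, so later steps cannot stop exactly these processes and the teardown in this commit falls back to `pgrep` by name; writing them to a pid file under `${RUNDIR}` would fix that. The fixed `sleep 5` after each start does not confirm the process survived startup, and the agent's output is not captured at all; `kill -0 "$SERVER_PID"` after the sleep and a log redirect for the agent matching the server's would make failures visible.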
@@ -0,0 +1,40 @@ | ||
#!/bin/bash | ||
set -e | ||
|
||
# Function to check if the entry exists | ||
check_entry_exists() { | ||
local entry_id=$1 | ||
local retries=10 | ||
local delay=5 | ||
|
||
for ((i=1; i<=retries; i++)); do | ||
echo "Checking if entry with SPIFFE ID $entry_id exists (attempt $i)..." | ||
|
||
# Check if the entry exists using `spire-server entry show` | ||
response=$(spire-server entry show -spiffeID "$entry_id" 2>&1) | ||
|
||
# Check if the response contains the expected entry | ||
if echo "$response" | grep -q "SPIFFE ID"; then | ||
echo "Entry with SPIFFE ID $entry_id found." | ||
return 0 | ||
fi | ||
|
||
echo "Entry with SPIFFE ID $entry_id not found yet. Retrying in $delay seconds..." | ||
sleep "$delay" | ||
done | ||
|
||
echo "Failed to create entry within the timeout period." | ||
return 1 | ||
} | ||
|
||
# Create the registration entry | ||
echo "Creating registration entry..." | ||
spire-server entry create -parentID spiffe://example.org/spire/agent/x509pop/agent1 \ | ||
-spiffeID spiffe://example.org/workload \ | ||
-selector unix:uid:1000 \ | ||
-x509SVIDTTL 3600 \ | ||
-jwtSVIDTTL 3600 \ | ||
-downstream | ||
|
||
# Check if the entry exists | ||
check_entry_exists "spiffe://example.org/workload" |
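Review bot: The retry loop in `check_entry_exists` cannot retry under `set -e`: if `spire-server entry show` exits non-zero (the likely outcome while the server is still starting) the `response=$(...)` assignment fails and the whole script aborts on the first attempt. Change it to `response=$(spire-server entry show -spiffeID "$entry_id" 2>&1) || true` and add `local response` next to the other locals so the loop gets to sleep and try again. Matching `grep -q "SPIFFE ID"` against merged stdout and stderr can also be satisfied by an error message that mentions the field; `grep -Fq -- "$entry_id"` checks for the specific entry. The entry is created with `-downstream`, which grants the workload a privilege beyond fetching its own SVID; if the test only needs Batchx509SVID, confirm the flag is required and drop it otherwise.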
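--- a/test/integration/suites/batchx509SVID/03-test-batchx509svid.sh
+++ b/test/integration/suites/batchx509SVID/03-test-batchx509svid.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Define the SPIRE server address
+SPIRE_SERVER_ADDRESS="localhost:8081"
+
+# Define the correct API endpoint for Batchx509SVID
+API_ENDPOINT="${SPIRE_SERVER_ADDRESS}/v1/batchx509svid"
+
+# Wait for SPIRE server to be ready
+echo "Waiting for SPIRE server to be ready..."
+for i in {1..10}; do
+response=$(curl -s -o /dev/null -w "%{http_code}" "${SPIRE_SERVER_ADDRESS}")
+if [ "$response" -eq 200 ]; then
+echo "SPIRE server is ready."
+break
+fi
+sleep 2
+done
+
+# Make a request to the Batchx509SVID endpoint
+echo "Testing Batchx509SVID RPC..."
+response=$(curl -s -o /dev/null -w "%{http_code}" "${API_ENDPOINT}")
+
+# Check if the response code is 200 (OK)
+if [ "$response" -ne 200 ]; then
+echo "Error: Expected HTTP 200 OK but received HTTP $response"
+exit 1
+else
+echo "Batchx509SVID RPC is working as expected."
+fi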
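Review bot: A non-numeric or empty `$response` makes the final `[ "$response" -ne 200 ]` test error out, which counts as false, so the script prints "Batchx509SVID RPC is working as expected." and exits 0 precisely when curl could not produce a status at all; test for success instead, `if [ "$response" = "200" ]; then echo "Batchx509SVID RPC is working as expected."; else echo "Error: Expected HTTP 200 OK but received HTTP $response" >&2; exit 1; fi`, and add `set -e` at the top as the sibling scripts do. The readiness loop on the `for i in {1..10}` line falls through after ten failures and continues into the RPC request; add `[ "$response" = "200" ] || { echo "SPIRE server not ready" >&2; exit 1; }` after `done`. Beyond that, the check does not exercise the RPC: as far as I know the SPIRE server's bind port serves gRPC over TLS, so a plain-HTTP GET of `/v1/batchx509svid` with no CSR and no authenticated caller never reaches `BatchNewX509SVID`, and any listener answering 200 on that port would pass this test. A real check needs a gRPC client that submits a CSR and verifies the returned certificate (the `debugclient` built in the setup step may be the intended vehicle); otherwise the README's statement that this ensures the RPC's continued operation is not backed by the script.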
@@ -0,0 +1,17 @@ | ||
# Batchx509SVID RPC Integration Test | ||
|
||
## Overview | ||
|
||
This test ensures the continued operation of the `Batchx509SVID` RPC in Open Source SPIRE. | ||
|
||
## Test Steps | ||
|
||
1. **Setup** | ||
|
||
- Starts SPIRE server and agent. | ||
- Configures necessary registration entries. | ||
|
||
Run the setup script: | ||
|
||
```bash | ||
sudo ./test/integration/suites/batchx509svid/01-setup.sh |
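--- a/test/integration/suites/batchx509SVID/conf/agent/agent.conf
+++ b/test/integration/suites/batchx509SVID/conf/agent/agent.conf
@@ -0,0 +1,31 @@
+agent {
+data_dir = "/opt/spire/data/agent"
+log_level = "DEBUG"
+server_address = "spire-server"
+server_port = "8081"
+socket_path = "/tmp/spire-agent/public/api.sock"
+trust_bundle_path = "/opt/spire/conf/agent/bootstrap.crt"
+trust_domain = "example.org"
+admin_socket_path = "/opt/debug.sock"
+experimental {
+x509_svid_cache_max_size = 8
+}
+}
+
+plugins {
+NodeAttestor "x509pop" {
+plugin_data {
+private_key_path = "/opt/spire/conf/agent/agent.key.pem"
+certificate_path = "/opt/spire/conf/agent/agent.crt.pem"
+}
+}
+KeyManager "disk" {
+plugin_data {
+directory = "/opt/spire/data/agent"
+}
+}
+WorkloadAttestor "unix" {
+plugin_data {
+}
+}
+}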
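Review bot: `trust_bundle_path` points at `bootstrap.crt`, which the certificate script in this commit builds from `root-ca.crt` plus the agent's own leaf certificate, while `server.conf` configures `KeyManager "memory"` and no UpstreamAuthority, so the CA the agent must trust is generated by the server at startup and cannot be in that file. Unless something outside this commit provisions the server's bundle to the agent, node attestation should fail and the later entry and RPC steps would never run against an attested agent; worth confirming from the agent log, which the setup step currently does not capture. A leaf certificate has no place in a trust bundle in any case; the file should contain CA certificates only. `private_key_path` is the `agent.key.pem` file assembled with `cat`, so its mode follows the umask of whoever ran setup; confirm it is not world-readable.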
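--- a/test/integration/suites/batchx509SVID/conf/server/server.conf
+++ b/test/integration/suites/batchx509SVID/conf/server/server.conf
@@ -0,0 +1,26 @@
+server {
+bind_address = "0.0.0.0"
+bind_port = "8081"
+trust_domain = "example.org"
+data_dir = "/opt/spire/data/server"
+log_level = "DEBUG"
+ca_ttl = "1h"
+default_x509_svid_ttl = "10m"
+}
+
+plugins {
+DataStore "sql" {
+plugin_data {
+database_type = "sqlite3"
+connection_string = "/opt/spire/data/server/datastore.sqlite3"
+}
+}
+NodeAttestor "x509pop" {
+plugin_data {
+ca_bundle_path = "/opt/spire/conf/server/agent-cacert.pem"
+}
+}
+KeyManager "memory" {
+plugin_data = {}
+}
+}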
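Review bot: `ca_bundle_path` for `NodeAttestor "x509pop"` names `agent-cacert.pem`, which the certificate script assembles as `root-ca.crt` followed by `server.crt`; the server's leaf certificate is not a CA and does not belong in the set of anchors used to validate agent certificates, so the bundle should be `root-ca.crt` alone. `KeyManager "memory"` with no UpstreamAuthority means the signing CA is created fresh on every server start, which is fine for a throwaway suite but means the agent's static `trust_bundle_path` cannot contain it — see `agent.conf`. `bind_address = "0.0.0.0"` exposes the server API on every interface of the host; acceptable if the suite runs in an isolated network, otherwise bind only to the address the agent reaches via `server_address`.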
@@ -0,0 +1,24 @@ | ||
#!/bin/bash | ||
|
||
set -e | ||
|
||
echo "Bringing down services..." | ||
|
||
# Stop the SPIRE server | ||
if pgrep spire-server > /dev/null; then | ||
echo "Stopping SPIRE server..." | ||
sudo kill -9 $(pgrep spire-server) || true | ||
fi | ||
|
||
# Stop the SPIRE agent | ||
if pgrep spire-agent > /dev/null; then | ||
echo "Stopping SPIRE agent..." | ||
sudo kill -9 $(pgrep spire-agent) || true | ||
fi | ||
|
||
# Remove temporary directories if needed | ||
echo "Cleaning up..." | ||
rm -rf /opt/spire/data | ||
rm -rf /opt/spire/conf | ||
|
||
echo "Teardown complete." |
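Review bot: The `sudo kill -9 $(pgrep spire-server)` and `sudo kill -9 $(pgrep spire-agent)` lines use SIGKILL as the first and only signal and match process names by substring, so they also hit any unrelated process whose name contains that string and give the server no chance to close its datastore cleanly; match exactly with `pgrep -x`, send TERM first and escalate to KILL only after a short wait, as sketched below. Persisting the `SERVER_PID`/`AGENT_PID` the setup step already captures and killing exactly those PIDs would be safer still. The `rm -rf /opt/spire/data` and `rm -rf /opt/spire/conf` lines run without `sudo` although the kills use it; if setup created those directories as root (the README runs it under `sudo`), the removal fails and `set -e` aborts the script before "Teardown complete." is printed.
```shell
stop_service() {
  local name=$1
  if pgrep -x -- "$name" > /dev/null; then
    echo "Stopping ${name}..."
    pgrep -x -- "$name" | xargs -r sudo kill -TERM
    sleep 2
    pgrep -x -- "$name" | xargs -r sudo kill -KILL
  fi
}

stop_service spire-server
stop_service spire-agent
# … unchanged: cleanup of /opt/spire/data and /opt/spire/conf …
```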