e2e: add test for Vault with ServiceAccount per Tenant

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2025-06-13 10:33:35 +00:00 · 2021-07-08 10:33:17 +02:00
parent b700fa43e6
commit e3c7dea7d6
4 changed files with 136 additions and 5 deletions
--- a/e2e/deploy-vault.go
+++ b/e2e/deploy-vault.go
@ -2,6 +2,7 @@ package e2e

 import (
 	"context"
+	"fmt"
 	"strings"

 	. "github.com/onsi/gomega" // nolint
@ -12,11 +13,13 @@ import (
 )

 var (
-	vaultExamplePath = "../examples/kms/vault/"
-	vaultServicePath = "vault.yaml"
-	vaultPSPPath     = "vault-psp.yaml"
-	vaultRBACPath    = "csi-vaulttokenreview-rbac.yaml"
-	vaultConfigPath  = "kms-config.yaml"
+	vaultExamplePath     = "../examples/kms/vault/"
+	vaultServicePath     = "vault.yaml"
+	vaultPSPPath         = "vault-psp.yaml"
+	vaultRBACPath        = "csi-vaulttokenreview-rbac.yaml"
+	vaultConfigPath      = "kms-config.yaml"
+	vaultTenantPath      = "tenant-sa.yaml"
+	vaultTenantAdminPath = "tenant-sa-admin.yaml"
 )

 func deployVault(c kubernetes.Interface, deployTimeout int) {
@ -91,3 +94,58 @@ func createORDeleteVault(action string) {
 		e2elog.Failf("failed to %s vault psp %v", action, err)
 	}
 }
+
+// createTenantServiceAccount uses the tenant-sa.yaml example file to create
+// the ServiceAccount for the tenant and configured Hashicorp Vault with a
+// kv-store that the ServiceAccount has access to.
+func createTenantServiceAccount(c kubernetes.Interface, ns string) error {
+	err := createORDeleteTenantServiceAccount("create", ns)
+	if err != nil {
+		return fmt.Errorf("failed to create ServiceAccount: %w", err)
+	}
+
+	// wait for the Job to finish
+	const jobName = "vault-tenant-sa"
+	err = waitForJobCompletion(c, cephCSINamespace, jobName, deployTimeout)
+	if err != nil {
+		return fmt.Errorf("job %s/%s did not succeed: %w", cephCSINamespace, jobName, err)
+	}
+
+	return nil
+}
+
+// deleteTenantServiceAccount removed the ServiceAccount and other objects that
+// were created with createTenantServiceAccount.
+func deleteTenantServiceAccount(ns string) {
+	err := createORDeleteTenantServiceAccount("delete", ns)
+	Expect(err).Should(BeNil())
+}
+
+// createORDeleteTenantServiceAccount is a helper that reads the tenant-sa.yaml
+// example file and replaces the default namespaces with the current deployment
+// configuration.
+func createORDeleteTenantServiceAccount(action, ns string) error {
+	_, err := framework.RunKubectl(ns, action, "-f", vaultExamplePath+vaultTenantPath)
+	if err != nil {
+		return fmt.Errorf("failed to %s tenant ServiceAccount: %w", action, err)
+	}
+
+	// the ServiceAccount needs permissions in Vault, the admin job sets that up
+	data, err := replaceNamespaceInTemplate(vaultExamplePath + vaultTenantAdminPath)
+	if err != nil {
+		return fmt.Errorf("failed to read content from %q: %w", vaultExamplePath+vaultTenantAdminPath, err)
+	}
+
+	// replace the value for TENANT_NAMESPACE
+	data = strings.ReplaceAll(data, "value: tenant", "value: "+ns)
+
+	// replace "default" in the URL to the Vault service
+	data = strings.ReplaceAll(data, "vault.default", "vault."+cephCSINamespace)
+
+	_, err = framework.RunKubectlInput(cephCSINamespace, data, action, "-f", "-")
+	if err != nil {
+		return fmt.Errorf("failed to %s ServiceAccount: %w", action, err)
+	}
+
+	return nil
+}