From 48f1ea5f1131a6c316d39a3c5a60db68dbbcf912 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Tue, 17 May 2022 17:30:45 -0400
Subject: [PATCH 1/3] tests/kola/ignition: update comment
---
 tests/kola/ignition/resource/remote/test.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/kola/ignition/resource/remote/test.sh b/tests/kola/ignition/resource/remote/test.sh
index 72e15b7555..4fbb1aaf28 100755
--- a/tests/kola/ignition/resource/remote/test.sh
+++ b/tests/kola/ignition/resource/remote/test.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # kola: { "tags": "needs-internet" }
 # - tags: needs-internet
-# - We fetch resources from S3.
+# - We fetch resources from S3 and GCS.
 set -xeuo pipefail
From 0bcec5c698096e7a75cf544ac8429f4acf0fd3d5 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Fri, 6 May 2022 06:42:41 -0400
Subject: [PATCH 2/3] tests/kola/ignition: add S3 ARN tests
Test the new ARN support in Ignition 2.14.0. S3 access points can't be accessed anonymously, so even the public objects need to be tested from inside an EC2 instance.
---
 .../resource/authenticated-s3/config.bu | 19 ++++++++++++++++++-
 .../data/expected/arn-ap-anon | 1 +
 .../data/expected/arn-ap-auth | 1 +
 .../data/expected/arn-ap-versioned-latest | 1 +
 .../data/expected/arn-ap-versioned-original | 1 +
 .../authenticated-s3/data/expected/arn-auth | 1 +
 tests/kola/ignition/resource/remote/config.bu | 11 ++++++++++-
 .../resource/remote/data/expected/arn-anon | 1 +
 .../remote/data/expected/arn-versioned-latest | 1 +
 .../data/expected/arn-versioned-original | 1 +
 10 files changed, 36 insertions(+), 2 deletions(-)
 create mode 100644 tests/kola/ignition/resource/authenticated-s3/data/expected/arn-ap-anon
 create mode 100644 tests/kola/ignition/resource/authenticated-s3/data/expected/arn-ap-auth
 create mode 100644 tests/kola/ignition/resource/authenticated-s3/data/expected/arn-ap-versioned-latest
 create mode 100644 tests/kola/ignition/resource/authenticated-s3/data/expected/arn-ap-versioned-original
 create mode 100644 tests/kola/ignition/resource/authenticated-s3/data/expected/arn-auth
 create mode 100644 tests/kola/ignition/resource/remote/data/expected/arn-anon
 create mode 100644 tests/kola/ignition/resource/remote/data/expected/arn-versioned-latest
 create mode 100644 tests/kola/ignition/resource/remote/data/expected/arn-versioned-original
diff --git a/tests/kola/ignition/resource/authenticated-s3/config.bu b/tests/kola/ignition/resource/authenticated-s3/config.bu
index d55b1f1d2a..85305476cd 100644
--- a/tests/kola/ignition/resource/authenticated-s3/config.bu
+++ b/tests/kola/ignition/resource/authenticated-s3/config.bu
@@ -2,7 +2,7 @@
 # associated with the instance
 variant: fcos
-version: 1.0.0
+version: 1.5.0-experimental
 ignition:
 config:
 merge:
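Review bot: The `version: 1.5.0-experimental` line pins this config to an experimental Butane spec, and nothing in the file says why or when to move off it; the same bump is made in `tests/kola/ignition/resource/remote/config.bu`. Experimental spec versions carry no stability guarantee and are normally dropped once the spec is finalized, so these tests may stop transpiling after a Butane update. I would add a comment above the line such as `# TODO: switch to 1.5.0 once stable; experimental presumably required for arn: sources`. The "presumably" is there because the spec requirement is inferred from the commit message rather than shown in the hunk.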
@@ -12,3 +12,20 @@ storage:
 - path: /var/resource/s3-auth
 contents:
 source: "s3://ignition-test-fixtures/resources/authenticated"
+ - path: /var/resource/arn-auth
+ contents:
+ source: "arn:aws:s3:::ignition-test-fixtures/resources/authenticated"
+ # Publicly-readable object, fetched via an access point. Access points
+ # don't allow anonymous access.
+ - path: /var/resource/arn-ap-anon
+ contents:
+ source: "arn:aws:s3:us-east-1:460538899914:accesspoint/ignition-test-fixtures-ap/object/resources/anonymous"
+ - path: /var/resource/arn-ap-auth
+ contents:
+ source: "arn:aws:s3:us-east-1:460538899914:accesspoint/ignition-test-fixtures-ap/object/resources/authenticated"
+ - path: /var/resource/arn-ap-versioned-original
+ contents:
+ source: "arn:aws:s3:us-east-1:460538899914:accesspoint/ignition-test-fixtures-ap/object/resources/versioned?versionId=Y9YqVujoLyHHSHJ4DslyXoaLvcilQJnU"
+ - path: /var/resource/arn-ap-versioned-latest
+ contents:
+ source: "arn:aws:s3:us-east-1:460538899914:accesspoint/ignition-test-fixtures-ap/object/resources/versioned"
diff --git a/tests/kola/ignition/resource/authenticated-s3/data/expected/arn-ap-anon b/tests/kola/ignition/resource/authenticated-s3/data/expected/arn-ap-anon
new file mode 100644
index 0000000000..bfebec6131
--- /dev/null
+++ b/tests/kola/ignition/resource/authenticated-s3/data/expected/arn-ap-anon
@@ -0,0 +1 @@
+kola-anonymous
\ No newline at end of file
diff --git a/tests/kola/ignition/resource/authenticated-s3/data/expected/arn-ap-auth b/tests/kola/ignition/resource/authenticated-s3/data/expected/arn-ap-auth
new file mode 100644
index 0000000000..f4253bde46
--- /dev/null
+++ b/tests/kola/ignition/resource/authenticated-s3/data/expected/arn-ap-auth
@@ -0,0 +1 @@
+kola-authenticated
\ No newline at end of file
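Review bot: The four `arn-ap-*` entries repeat the region, the account ID `460538899914`, the access-point name and a `versionId` with no comment saying what they identify or that they must change together with the files under `data/expected/`. Since these identifiers are now public in the repository, the protection of `resources/authenticated` rests entirely on the bucket and access-point policy, which is worth stating so nobody treats the ARN as a secret. I would add above the first access-point entry: `# Account ID, access point and versionId identify the shared test fixtures (not secrets); keep in sync with data/expected/ and remote/config.bu.` The same `versionId` is also hard-coded in the `arn-versioned-original` entry of `remote/config.bu`.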
diff --git a/tests/kola/ignition/resource/authenticated-s3/data/expected/arn-ap-versioned-latest b/tests/kola/ignition/resource/authenticated-s3/data/expected/arn-ap-versioned-latest
new file mode 100644
index 0000000000..f55556eed1
--- /dev/null
+++ b/tests/kola/ignition/resource/authenticated-s3/data/expected/arn-ap-versioned-latest
@@ -0,0 +1 @@
+updated
\ No newline at end of file
diff --git a/tests/kola/ignition/resource/authenticated-s3/data/expected/arn-ap-versioned-original b/tests/kola/ignition/resource/authenticated-s3/data/expected/arn-ap-versioned-original
new file mode 100644
index 0000000000..94f3610c08
--- /dev/null
+++ b/tests/kola/ignition/resource/authenticated-s3/data/expected/arn-ap-versioned-original
@@ -0,0 +1 @@
+original
\ No newline at end of file
diff --git a/tests/kola/ignition/resource/authenticated-s3/data/expected/arn-auth b/tests/kola/ignition/resource/authenticated-s3/data/expected/arn-auth
new file mode 100644
index 0000000000..f4253bde46
--- /dev/null
+++ b/tests/kola/ignition/resource/authenticated-s3/data/expected/arn-auth
@@ -0,0 +1 @@
+kola-authenticated
\ No newline at end of file
diff --git a/tests/kola/ignition/resource/remote/config.bu b/tests/kola/ignition/resource/remote/config.bu
index d36eaf8482..b9e0b15f1e 100644
--- a/tests/kola/ignition/resource/remote/config.bu
+++ b/tests/kola/ignition/resource/remote/config.bu
@@ -1,5 +1,5 @@
 variant: fcos
-version: 1.2.0
+version: 1.5.0-experimental
 storage:
 files:
 - path: /var/resource/http
@@ -26,3 +26,12 @@ storage:
 - path: /var/resource/s3-versioned-https-latest
 contents:
 source: "https://ignition-test-fixtures.s3.amazonaws.com/resources/versioned"
+ - path: /var/resource/arn-anon
+ contents:
+ source: "arn:aws:s3:::ignition-test-fixtures/resources/anonymous"
+ - path: /var/resource/arn-versioned-original
+ contents:
+ source: "arn:aws:s3:::ignition-test-fixtures/resources/versioned?versionId=Y9YqVujoLyHHSHJ4DslyXoaLvcilQJnU"
+ - path: /var/resource/arn-versioned-latest
+ contents:
+ source: "arn:aws:s3:::ignition-test-fixtures/resources/versioned"
diff --git a/tests/kola/ignition/resource/remote/data/expected/arn-anon b/tests/kola/ignition/resource/remote/data/expected/arn-anon
new file mode 100644
index 0000000000..bfebec6131
--- /dev/null
+++ b/tests/kola/ignition/resource/remote/data/expected/arn-anon
@@ -0,0 +1 @@
+kola-anonymous
\ No newline at end of file
diff --git a/tests/kola/ignition/resource/remote/data/expected/arn-versioned-latest b/tests/kola/ignition/resource/remote/data/expected/arn-versioned-latest
new file mode 100644
index 0000000000..f55556eed1
--- /dev/null
+++ b/tests/kola/ignition/resource/remote/data/expected/arn-versioned-latest
@@ -0,0 +1 @@
+updated
\ No newline at end of file
diff --git a/tests/kola/ignition/resource/remote/data/expected/arn-versioned-original b/tests/kola/ignition/resource/remote/data/expected/arn-versioned-original
new file mode 100644
index 0000000000..94f3610c08
--- /dev/null
+++ b/tests/kola/ignition/resource/remote/data/expected/arn-versioned-original
@@ -0,0 +1 @@
+original
\ No newline at end of file
From 6fa3b80a18da3ecdad66156bb40c9a4664305977 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Mon, 9 May 2022 21:05:14 -0400
Subject: [PATCH 3/3] tests/kola/ignition: test intra-cloud anonymous S3/GCS object fetching
Have ext.config.ignition.resource.remote use the new noInstanceCreds flag to disable instance credentials in EC2 and GCE instances, so the test fetches resources anonymously. Move the checks for authenticated access of public objects into the authenticated-* tests.
---
 tests/kola/ignition/resource/authenticated-gs/config.bu | 4 ++++
 .../resource/authenticated-gs/data/expected/gs-anon | 1 +
 tests/kola/ignition/resource/authenticated-s3/config.bu | 4 ++++
 .../resource/authenticated-s3/data/expected/s3-anon | 1 +
 tests/kola/ignition/resource/remote/test.sh | 6 +++++-
 5 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 tests/kola/ignition/resource/authenticated-gs/data/expected/gs-anon
 create mode 100644 tests/kola/ignition/resource/authenticated-s3/data/expected/s3-anon
diff --git a/tests/kola/ignition/resource/authenticated-gs/config.bu b/tests/kola/ignition/resource/authenticated-gs/config.bu
index cd7e032062..7453a016fb 100644
--- a/tests/kola/ignition/resource/authenticated-gs/config.bu
+++ b/tests/kola/ignition/resource/authenticated-gs/config.bu
@@ -9,6 +9,10 @@ ignition:
 - source: "gs://ignition-test-fixtures/resources/authenticated-var.ign"
 storage:
 files:
+ # Check that anonymous access works with credentials
+ - path: /var/resource/gs-anon
+ contents:
+ source: "gs://ignition-test-fixtures/resources/anonymous"
 - path: /var/resource/gs-auth
 contents:
 source: "gs://ignition-test-fixtures/resources/authenticated"
diff --git a/tests/kola/ignition/resource/authenticated-gs/data/expected/gs-anon b/tests/kola/ignition/resource/authenticated-gs/data/expected/gs-anon
new file mode 100644
index 0000000000..bfebec6131
--- /dev/null
+++ b/tests/kola/ignition/resource/authenticated-gs/data/expected/gs-anon
@@ -0,0 +1 @@
+kola-anonymous
\ No newline at end of file
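Review bot: The added comment `# Check that anonymous access works with credentials` is ambiguous, since it can be read as anonymous requests that carry credentials; the same wording is added in `authenticated-s3/config.bu`. What the entry appears to check is that a publicly-readable object is still fetchable when instance credentials are present. I would word it like the access-point comment in the previous patch: `# Publicly-readable object, fetched while instance credentials are present`.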
diff --git a/tests/kola/ignition/resource/authenticated-s3/config.bu b/tests/kola/ignition/resource/authenticated-s3/config.bu
index 85305476cd..73921033ec 100644
--- a/tests/kola/ignition/resource/authenticated-s3/config.bu
+++ b/tests/kola/ignition/resource/authenticated-s3/config.bu
@@ -9,6 +9,10 @@ ignition:
 - source: "s3://ignition-test-fixtures/resources/authenticated-var-v3.ign"
 storage:
 files:
+ # Check that anonymous access works with credentials
+ - path: /var/resource/s3-anon
+ contents:
+ source: "s3://ignition-test-fixtures/resources/anonymous"
 - path: /var/resource/s3-auth
 contents:
 source: "s3://ignition-test-fixtures/resources/authenticated"
diff --git a/tests/kola/ignition/resource/authenticated-s3/data/expected/s3-anon b/tests/kola/ignition/resource/authenticated-s3/data/expected/s3-anon
new file mode 100644
index 0000000000..bfebec6131
--- /dev/null
+++ b/tests/kola/ignition/resource/authenticated-s3/data/expected/s3-anon
@@ -0,0 +1 @@
+kola-anonymous
\ No newline at end of file
diff --git a/tests/kola/ignition/resource/remote/test.sh b/tests/kola/ignition/resource/remote/test.sh
index 4fbb1aaf28..44d1ab2ee1 100755
--- a/tests/kola/ignition/resource/remote/test.sh
+++ b/tests/kola/ignition/resource/remote/test.sh
@@ -1,7 +1,11 @@
 #!/bin/bash
-# kola: { "tags": "needs-internet" }
+# kola: { "tags": "needs-internet", "noInstanceCreds": true }
 # - tags: needs-internet
 # - We fetch resources from S3 and GCS.
+# - noInstanceCreds: don't pass AWS or GCP credentials to instance
+# - This test verifies that Ignition can fetch anonymous resources within
+# a cloud platform (S3 -> EC2, GCS -> GCE) when no credentials are
+# supplied
 set -xeuo pipefail
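Review bot: Nothing in the visible part of `test.sh` confirms that `"noInstanceCreds": true` actually took effect, so if the harness ignores the key the fetches would run with instance credentials and the test would still pass without proving anonymous access. The authenticated-* configs in this same patch rely on public objects being readable with credentials, which is exactly why a silent fallback would go unnoticed. I would add a guard early in the script, only on the cloud platforms concerned, that fails when the platform metadata service reports an attached role or service account, introduced by a comment such as `# Fail if the instance unexpectedly has cloud credentials; otherwise this test proves nothing about anonymous fetches`. The script body after `set -xeuo pipefail` is outside the hunk, so such a check may already exist there.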