This repository has been archived by the owner on Nov 1, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
e2e: test git gpg commit and tag signing #2567
Merged
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| #!/usr/bin/env bats | ||
|
|
||
| load lib/defer | ||
| load lib/env | ||
| load lib/gpg | ||
| load lib/install | ||
| load lib/poll | ||
|
|
||
| git_port_forward_pid="" | ||
|
|
||
| function setup() { | ||
| kubectl create namespace "${FLUX_NAMESPACE}" &> /dev/null | ||
|
|
||
| # Install the git server, allowing external access | ||
| install_git_srv flux-git-deploy git_srv_result | ||
| # shellcheck disable=SC2154 | ||
| git_ssh_cmd="${git_srv_result[0]}" | ||
| export GIT_SSH_COMMAND="$git_ssh_cmd" | ||
| # shellcheck disable=SC2154 | ||
| git_port_forward_pid="${git_srv_result[1]}" | ||
|
|
||
| # Create a temporary GNUPGHOME | ||
| tmp_gnupghome=$(mktemp -d) | ||
| export GNUPGHOME="$tmp_gnupghome" | ||
| defer rm -rf "$tmp_gnupghome" | ||
|
|
||
| # Install Flux, with a new GPG key and signing enabled | ||
| gpg_key=$(create_gpg_key) | ||
| create_secret_from_gpg_key "$gpg_key" | ||
| install_flux_gpg "$gpg_key" | ||
| } | ||
|
|
||
| @test "Git sync tag is signed" { | ||
| # Test that a resource from https://github.com/fluxcd/flux-get-started is deployed | ||
| # This means the Flux instance _should_ have pushed a signed high-watermark tag | ||
| poll_until_true 'namespace demo' 'kubectl describe ns/demo' | ||
|
|
||
| # Clone the repo | ||
| local clone_dir | ||
| clone_dir="$(mktemp -d)" | ||
| defer rm -rf "$clone_dir" | ||
| git clone -b master ssh://git@localhost/git-server/repos/cluster.git "$clone_dir" | ||
| cd "$clone_dir" | ||
|
|
||
| # Test that the tag has been signed, this errors if this isn't the case | ||
| git pull -f --tags | ||
| git verify-tag --raw flux-sync >&3 | ||
| } | ||
|
|
||
| @test "Git commits are signed" { | ||
| # Ensure the resource we are going to lock is deployed | ||
| poll_until_true 'workload podinfo' 'kubectl -n demo describe deployment/podinfo' | ||
|
|
||
| # Let Flux push a commit | ||
| fluxctl --k8s-fwd-ns "${FLUX_NAMESPACE}" lock --workload demo:deployment/podinfo >&3 | ||
|
|
||
| # Clone the repo | ||
| local clone_dir | ||
| clone_dir="$(mktemp -d)" | ||
| defer rm -rf "$clone_dir" | ||
| git clone -b master ssh://git@localhost/git-server/repos/cluster.git "$clone_dir" | ||
| cd "$clone_dir" | ||
|
|
||
| # Test that the commit has been signed, this errors if this isn't the case | ||
| git verify-commit --raw HEAD >&3 | ||
| } | ||
|
|
||
| function teardown() { | ||
| kill "$git_port_forward_pid" | ||
| unset GIT_SSH_COMMAND | ||
| # Removing the namespace also takes care of removing Flux and gitsrv. | ||
| kubectl delete namespace "$FLUX_NAMESPACE" | ||
| # Only remove the demo workloads after Flux, so that they cannot be recreated. | ||
| kubectl delete namespace "$DEMO_NAMESPACE" | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| #!/usr/bin/env bash | ||
|
|
||
| function create_gpg_key() { | ||
| local name=${1:-Flux} | ||
| local email=${2:-support@weave.works} | ||
|
|
||
| # https://www.gnupg.org/documentation/manuals/gnupg-devel/Unattended-GPG-key-generation.html | ||
| local batchcfg | ||
| batchcfg=$(mktemp) | ||
|
|
||
| cat >"$batchcfg" <<EOF | ||
| %echo Generating a throwaway OpenPGP key for "$name <$email>" | ||
| Key-Type: 1 | ||
| Key-Length: 2048 | ||
| Subkey-Type: 1 | ||
| Subkey-Length: 2048 | ||
| Name-Real: $name | ||
| Name-Email: $email | ||
| Expire-Date: 0 | ||
| %no-protection | ||
| %commit | ||
| %echo Done | ||
| EOF | ||
|
|
||
| # Generate the key with the written config | ||
| gpg --batch --gen-key "$batchcfg" | ||
| rm "$batchcfg" | ||
|
|
||
| # Find the ID of the key we just generated | ||
| local key_id | ||
| key_id=$(gpg --no-tty --list-secret-keys --with-colons "$name" 2>/dev/null \ | ||
| | awk -F: '/^sec:/ { print $5 }' | tail -1) | ||
| echo "$key_id" | ||
| } | ||
|
|
||
| function create_secret_from_gpg_key() { | ||
| local key_id="${1}" | ||
| local secret_name="${2:-flux-gpg-signing-key}" | ||
|
|
||
| if [ -z "$key_id" ]; then | ||
| echo "no key ID provided" >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Export key to secret | ||
| gpg --export-secret-keys "$key_id" | | ||
| kubectl --namespace "${FLUX_NAMESPACE}" \ | ||
| create secret generic "$secret_name" \ | ||
| --from-file=flux.asc=/dev/stdin | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just FYI (sorry I missed it before), I don't think this is necessary because each test is run in its own process, see https://github.com/bats-core/bats-core#writing-tests
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Was aware of this but still added it for some reason :-S. Will remove it in an upcoming PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, no worries!!