e2e: add test case for credentials helper in podman

hashicorp · Jul 5, 2023 · 026129e · 026129e
1 parent bbe48bb
commit 026129e
Show file tree

Hide file tree

Showing 6 changed files with 120 additions and 18 deletions.
diff --git a/e2e/podman/input/auth_basic.hcl b/e2e/podman/input/auth_basic.hcl
@@ -55,22 +55,10 @@ job "auth_basic" {
     task "echo" {
       driver = "podman"
 
-      #       template {
-      #         data        = <<EOH
-      # {
-      #   "auths": {
-      #     "${var.registry_address}:${var.registry_port}": {
-      #       "auth": "${local.registry_auth}"
-      #     }
-      #   }
-      # }
-      #         EOH
-      #         destination = "local/auth.json"
-      #       }
-
       config {
         image = "${var.registry_address}:${var.registry_port}/docker.io/library/bash_auth_basic:private"
         args  = ["echo", "The auth basic test is OK!"]
+        auth_soft_fail = true
 
         auth {
           username   = "${var.registry_username}"

diff --git a/e2e/podman/input/auth_helper.hcl b/e2e/podman/input/auth_helper.hcl
@@ -0,0 +1,77 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# This job runs a podman task using a container stored in a private registry
+# configured with credentials helper authentication. The registry.hcl job should
+# be running and healthy before running this job.
+
+variable "registry_address" {
+  type        = string
+  description = "The HTTP address of the local registry"
+  default     = "localhost"
+}
+
+variable "registry_port" {
+  type        = number
+  description = "The HTTP port of the local registry"
+  default = "7511"
+}
+
+job "auth_static" {
+  type = "batch"
+
+  constraint {
+    attribute = "${attr.kernel.name}"
+    value     = "linux"
+  }
+
+  group "helper" {
+    reschedule {
+      attempts  = 0
+      unlimited = false
+    }
+
+    network {
+      mode = "host"
+    }
+
+    task "echo" {
+      driver = "podman"
+
+      config {
+        image = "${var.registry_address}:${var.registry_port}/docker.io/library/bash_auth_helper:private"
+        args  = ["echo", "The credentials helper auth test is OK!"]
+
+        auth {
+          # usename and password come from [docker-credential-]test.sh found on
+          # $PATH as specified by "helper=test.sh" in plugin config
+          tls_verify = false
+        }
+      }
+
+      resources {
+        cpu    = 100
+        memory = 64
+      }
+    }
+  }
+}
+
+# test.sh (must be in $PATH)
+#
+# #!/usr/bin/env bash
+# set -euo pipefail
+# value=$(cat /dev/stdin)
+# username="auth_helper_user"
+# password="auth_helper_pass"
+# case "${value}" in
+#   docker.io/*)
+#     echo "must use local registry"
+#     exit 3
+#     ;;
+#   *)
+#     echo "{\"Username\": \"$username\", \"Secret\": \"$password\"}"
+#     exit 0
+#     ;;
+# esac
+
diff --git a/e2e/podman/input/auth_static.hcl b/e2e/podman/input/auth_static.hcl
@@ -55,3 +55,14 @@ job "auth_static" {
     }
   }
 }
+
+# auth.json (must be pointed to by config=<path>/auth.json)
+#
+# {
+#   "auths": {
+#     "127.0.0.1:7511/docker.io/library/bash_auth_static": {
+#       "auth": "YXV0aF9zdGF0aWNfdXNlcjphdXRoX3N0YXRpY19wYXNz"
+#     }
+#   }
+# }
+
diff --git a/e2e/podman/input/redis.hcl b/e2e/podman/input/redis.hcl
@@ -23,6 +23,7 @@ job "redis" {
       config {
         image = "docker.io/library/redis:7"
         ports = ["db"]
+        auth_soft_fail = true
       }
 
       resources {

diff --git a/e2e/podman/input/registry.hcl b/e2e/podman/input/registry.hcl
@@ -59,12 +59,14 @@ job "registry" {
 e2euser:$2y$05$QpRvGkM/CMG.AG/G7Uh6guULMIlv1ZvjwfPa6dNjdkH.fhTzcpLDC
 auth_basic_user:$2y$05$b/lpKjGJhVMdgbpu1hxe0eAGegeHFrsWXH9g0JEO2gcWzPNgvesby
 auth_static_user:$2y$05$ZDOhbzsNe9pCcR0NslV72.gTrRLwI.05tq5yJMtFkD2LSS.G0wAYe
+auth_helper_user:$2y$05$sY4qctfzsjIhNyPD.zBEVumP0l6V5gU1f6GEThvHQ1cwupS8rogtu
         EOH
         destination = "local/auth.txt"
       }
 
       config {
         image        = "docker.io/library/registry:2"
+        auth_soft_fail = true
         ports        = ["registryhttp"]
         network_mode = "host"
       }
@@ -111,6 +113,7 @@ set -euo pipefail
 podman pull docker.io/library/bash:5
 podman push --tls-verify=false --authfile=local/auth.json docker.io/library/bash:5 localhost:{{- env "NOMAD_PORT_registryhttp" -}}/docker.io/library/bash_auth_basic:private
 podman push --tls-verify=false --authfile=local/auth.json docker.io/library/bash:5 localhost:{{- env "NOMAD_PORT_registryhttp" -}}/docker.io/library/bash_auth_static:private
+podman push --tls-verify=false --authfile=local/auth.json docker.io/library/bash:5 localhost:{{- env "NOMAD_PORT_registryhttp" -}}/docker.io/library/bash_auth_helper:private
         EOH
         destination = "local/script.sh"
       }

diff --git a/e2e/podman/podman_test.go b/e2e/podman/podman_test.go
@@ -23,6 +23,7 @@ func TestPodman(t *testing.T) {
 	t.Run("testRedis", testRedis)
 	t.Run("testAuthBasic", testAuthBasic)
 	t.Run("testAuthFileStatic", testAuthFileStatic)
+	t.Run("testAuthHelper", testAuthHelper)
 }
 
 func testRedis(t *testing.T) {
@@ -41,8 +42,8 @@ func findService(t *testing.T, name string) (string, int) {
 }
 
 func testAuthBasic(t *testing.T) {
-	// start the private registry
-	_, regCleanup := jobs3.Submit(t, "./input/registry.hcl",
+	_, regCleanup := jobs3.Submit(t,
+		"./input/registry.hcl",
 		jobs3.Timeout(40*time.Second), // pulls an image
 	)
 	t.Cleanup(regCleanup)
@@ -62,16 +63,16 @@ func testAuthBasic(t *testing.T) {
 }
 
 func testAuthFileStatic(t *testing.T) {
-	// start the private registry
-	_, regCleanup := jobs3.Submit(t, "./input/registry.hcl",
+	_, regCleanup := jobs3.Submit(t,
+		"./input/registry.hcl",
 		jobs3.Timeout(40*time.Second), // pulls an image
 	)
 	t.Cleanup(regCleanup)
 
 	// find the private registry service
 	regAddr, regPort := findService(t, "registry")
 
-	// run the private bash image
+	// run the private _static bash image
 	bashJob, bashCleanup := jobs3.Submit(t, "./input/auth_static.hcl",
 		jobs3.Var("registry_address", regAddr),
 		jobs3.Var("registry_port", strconv.Itoa(regPort)),
@@ -81,3 +82,24 @@ func testAuthFileStatic(t *testing.T) {
 	logs := bashJob.TaskLogs("static", "echo")
 	must.StrContains(t, logs.Stdout, "The static auth test is OK!")
 }
+
+func testAuthHelper(t *testing.T) {
+	_, regCleanup := jobs3.Submit(t,
+		"./input/registry.hcl",
+		jobs3.Timeout(40*time.Second), // pulls an image
+	)
+	t.Cleanup(regCleanup)
+
+	// find the private registry service
+	regAddr, regPort := findService(t, "registry")
+
+	// run the private _helper bash image
+	bashJob, bashCleanup := jobs3.Submit(t, "./input/auth_helper.hcl",
+		jobs3.Var("registry_address", regAddr),
+		jobs3.Var("registry_port", strconv.Itoa(regPort)),
+		jobs3.WaitComplete("static"),
+	)
+	t.Cleanup(bashCleanup)
+	logs := bashJob.TaskLogs("helper", "echo")
+	must.StrContains(t, logs.Stdout, "The credentials helper auth test is OK!")
+}