e2e for workload identity

.github/workflows/e2e-tests.yaml

@@ -201,58 +201,106 @@ jobs:
  --from-file=config=e2e/example/user-auth-config-example.yaml.tmp \
  --from-literal=private-key="${{ env.OCI_CLI_KEY_CONTENT }}"
 
- - name: update spc file with correct values
+ - name: user principal authentication - update spc file with correct values
  run: | 
  sed -e 's/vaultId:.*/vaultId: ${{ env.OCI_VAULT_ID }}/' \
  -e 's/authType:.*/authType: user/' \
  -e 's/- name:.*/- name: ${{ env.OCI_VAULT_SECRET_NAME }}/' e2e/example/secret-provider-class.yaml > e2e/example/secret-provider-class.yaml.tmp
 
- - name: update deployment file with secret name
+ - name: user principal authentication - update deployment file with secret name
  run: | 
  sed -e 's/testingSecretName:.*/testingSecretName: ${{ env.OCI_VAULT_SECRET_NAME }}/' \
  e2e/example/app.deployment.yaml > e2e/example/app.deployment.yaml.tmp
 
- - name: print updated yaml file
+ - name: user principal authentication - print updated yaml file
  run: cat e2e/example/secret-provider-class.yaml.tmp
 
- - name: deploy spc
+ - name: user principal authentication - deploy spc
  run: kubectl apply -f e2e/example/secret-provider-class.yaml.tmp 
 
- - name: deploy workload
+ - name: user principal authentication - deploy workload
  run: kubectl apply -f e2e/example/app.deployment.yaml.tmp
 
- - name: Wait for pod to run
+ - name: user principal authentication - Wait for pod to run
  id: wait-on-pod
  # run: kubectl wait --for=jsonpath='{.status.phase}'=Running pods/${{ env.POD_NAME }} --timeout=90s
  run: sleep 90
 
- - name: Verify pods are running
+ - name: user principal authentication - Verify pods are running
  id: pod-names
  run: kubectl get pods -l testingSecretName=${{ env.OCI_VAULT_SECRET_NAME }} -o='custom-columns=PodName:.metadata.name' --no-headers
 
- - name: capture pod name into env
+ - name: user principal authentication - capture pod name into env
  run: echo "POD_NAME=`kubectl get pods -l testingSecretName=${{ env.OCI_VAULT_SECRET_NAME }} -o='custom-columns=PodName:.metadata.name' --no-headers`" >> $GITHUB_ENV
 
- - name: print secret value
+ - name: user principal authentication - print secret value
  id: print-secret-content
  run: echo "SECRET_CONTENT=`kubectl exec -it ${{ env.POD_NAME }} -- cat /mnt/secrets-store/${{ env.OCI_VAULT_SECRET_NAME }} 2> /dev/null | base64`" >> $GITHUB_ENV
 
  # - name: convert to base64
  # id: convert-to-base64
  # run: echo -n ${{ steps.print-secret-content.outputs.output }} | base64
 
- - name: print values
+ - name: user principal authentication - print values
  run: echo "${{ env.SECRET_CONTENT }} == ${{ env.OCI_VAULT_SECRET_VALUE}}"
 
- - name: verify value
+ - name: user principal authentication - verify value
  run: if [ "${{ env.SECRET_CONTENT }}" == "${{ env.OCI_VAULT_SECRET_VALUE}}" ]; then exit 0; else exit 1; fi
 
+ - name: workload identity principal authentication - update spc file with correct values
+ run: | 
+ sed -e 's/vaultId:.*/vaultId: ${{ env.OCI_VAULT_ID }}/' \
+ -e 's/authType:.*/authType: workload/' \
+ -e 's/- name:.*/- name: ${{ env.OCI_VAULT_SECRET_NAME }}/' e2e/example/workload-identity/secret-provider-class.yaml > e2e/example/workload-identity/secret-provider-class.yaml.tmp
+
+ - name: workload identity principal authentication - update deployment file with secret name
+ run: | 
+ sed -e 's/testingSecretName:.*/testingSecretName: workload-${{ env.OCI_VAULT_SECRET_NAME }}/' \
+ e2e/example/app.deployment.yaml > e2e/example/workload-identity/app.deployment.yaml.tmp
+
+ - name: workload identity principal authentication - print updated yaml file
+ run: cat e2e/example/workload-identity/secret-provider-class.yaml.tmp
+
+ - name: workload identity principal authentication - deploy namespace and service account
+ run: kubectl apply -f e2e/example/workload-identity/service-account.yaml
+
+ - name: workload identity principal authentication - deploy spc
+ run: kubectl apply -f e2e/example/workload-identity/secret-provider-class.yaml.tmp 
+
+ - name: workload identity principal authentication - deploy workload
+ run: kubectl apply -f e2e/example/workload-identity/app.deployment.yaml.tmp
+
+ - name: workload identity principal authentication - Wait for pod to run
+ id: wait-on-pod
+ # run: kubectl wait --for=jsonpath='{.status.phase}'=Running pods/${{ env.POD_NAME }} --timeout=90s
+ run: sleep 90
+
+ - name: workload identity principal authentication - Verify pods are running
+ id: pod-names
+ run: kubectl get pods -l testingSecretName=workload-${{ env.OCI_VAULT_SECRET_NAME }} -o='custom-columns=PodName:.metadata.name' --no-headers
+
+ - name: workload identity principal authentication - capture pod name into env
+ run: echo "POD_NAME=`kubectl get pods -l testingSecretName=workload-${{ env.OCI_VAULT_SECRET_NAME }} -o='custom-columns=PodName:.metadata.name' --no-headers`" >> $GITHUB_ENV
+
+ - name: workload identity principal authentication - print secret value
+ id: print-secret-content
+ run: echo "SECRET_CONTENT=`kubectl exec -it ${{ env.POD_NAME }} -- cat /mnt/secrets-store/${{ env.OCI_VAULT_SECRET_NAME }} 2> /dev/null | base64`" >> $GITHUB_ENV
+
+ - name: workload identity principal authentication - print values
+ run: echo "${{ env.SECRET_CONTENT }} == ${{ env.OCI_VAULT_SECRET_VALUE}}"
+
+ - name: workload identity principal authentication - verify value
+ run: if [ "${{ env.SECRET_CONTENT }}" == "${{ env.OCI_VAULT_SECRET_VALUE}}" ]; then exit 0; else exit 1; fi 
+
  # cleanup
  - name: remove deployment
  if: ${{ always() }} 
  run: |
  kubectl delete -f e2e/example/app.deployment.yaml.tmp \
- -f e2e/example/secret-provider-class.yaml.tmp
+ -f e2e/example/secret-provider-class.yaml.tmp \
+ -f e2e/example/workload-identity/secret-provider-class.yaml.tmp \
+ -f e2e/example/workload-identity/app.deployment.yaml.tmp \
+ -f e2e/example/workload-identity/service-account.yaml
 
  - name: delete secret
  if: ${{ always() }} 

e2e/example/workload-identity/app.deployment.yaml

@@ -0,0 +1,49 @@
+#
+# OCI Secrets Store CSI Driver Provider
+#
+# Copyright (c) 2022 Oracle America, Inc. and its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+#
+
+# This Deployment is used as a reference example of how to mount secrets into the pod
+# via Secrets Store CSI Driver and OCI Vault Provider.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx
+ namespace: app-workload
+ labels:
+ app: nginx
+spec:
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ testingSecretName: abc
+ spec:
+ serviceAccountName: workload-sa
+ automountServiceAccountToken: true
+ containers:
+ - name: nginx
+ image: nginx:1.21.4-alpine
+ ports:
+ - containerPort: 80
+ resources:
+ limits:
+ memory: 128Mi
+ cpu: 200m
+ volumeMounts:
+ - name: 'some-creds'
+ mountPath: '/mnt/secrets-store' # here are mounted secrets
+ readOnly: true
+ volumes:
+ - name: some-creds
+ csi:
+ driver: 'secrets-store.csi.k8s.io'
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: 'test-oci-provider-class' # here we reference particular SecretProviderClass

e2e/example/workload-identity/secret-provider-class.yaml

@@ -0,0 +1,35 @@
+#
+# OCI Secrets Store CSI Driver Provider
+#
+# Copyright (c) 2022 Oracle America, Inc. and its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+#
+
+# SecretProviderClass is a custom resource to provide driver configurations and
+# provider-specific parameters to the CSI driver.
+#
+# On pod start and restart, the driver will communicate with the provider to retrieve the secret content
+# from the external Secrets Store you have specified in the SecretProviderClass resource.
+#
+# For more information check: https://secrets-store-csi-driver.sigs.k8s.io/getting-started/usage.html
+#
+# This SecretProviderClass is used as a reference example of how to configure the OCI Vault provider.
+# Each SecretProviderClass enumerates secrets to mount into the pod.
+# So, multiple SecretProviderClass resources could exist in a single Kubernetes cluster.
+
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: test-oci-provider-class # SecretProviderClass name is referenced from pod definition
+ namespace: app-workload
+spec:
+ provider: oci # `provider` value is used as the provider socket name, must be constant
+ parameters:
+ # Each secret could be identified with `name` and either `stage` or `versionNumber`.
+ # If both `stage` and `versionNumber` are omitted, default stage CURRENT is used.
+ # Secret names could not be duplicated, since `name` field is used as a file name during the mounting.
+ secrets: |
+ - name: test-secret-12813
+ vaultId: ocid1.vault.oc1.iad.abcd.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+ authType: workload # possible values are: user, instance, workload
+ authSecretName: oci-config # required if authType is user and this value refers secret name contains user credentials for auth against vault

e2e/example/workload-identity/service-account.yaml

@@ -0,0 +1,17 @@
+#
+# OCI Secrets Store CSI Driver Provider
+#
+# Copyright (c) 2022 Oracle America, Inc. and its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+#
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: app-workload
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: workload-sa
+ namespace: app-workload