... | ... |
@@ -5,7 +5,6 @@ import ( |
5 | 5 |
|
6 | 6 |
g "github.com/onsi/ginkgo" |
7 | 7 |
o "github.com/onsi/gomega" |
8 |
- |
|
9 | 8 |
exutil "github.com/openshift/origin/test/extended/util" |
10 | 9 |
kapi "k8s.io/kubernetes/pkg/api" |
11 | 10 |
) |
... | ... |
@@ -13,39 +12,38 @@ import ( |
13 | 13 |
var _ = g.Describe("[builds][Slow] can use build secrets", func() { |
14 | 14 |
defer g.GinkgoRecover() |
15 | 15 |
var ( |
16 |
- buildSecretBaseDir = exutil.FixturePath("testdata", "build-secrets") |
|
17 |
- secretsFixture = filepath.Join(buildSecretBaseDir, "test-secret.json") |
|
18 |
- secondSecretsFixture = filepath.Join(buildSecretBaseDir, "test-secret-2.json") |
|
19 |
- isFixture = filepath.Join(buildSecretBaseDir, "test-is.json") |
|
20 |
- dockerBuildFixture = filepath.Join(buildSecretBaseDir, "test-docker-build.json") |
|
21 |
- sourceBuildFixture = filepath.Join(buildSecretBaseDir, "test-s2i-build.json") |
|
22 |
- oc = exutil.NewCLI("build-secrets", exutil.KubeConfigPath()) |
|
16 |
+ buildSecretBaseDir = exutil.FixturePath("testdata", "build-secrets") |
|
17 |
+ secretsFixture = filepath.Join(buildSecretBaseDir, "test-secret.json") |
|
18 |
+ secondSecretsFixture = filepath.Join(buildSecretBaseDir, "test-secret-2.json") |
|
19 |
+ isFixture = filepath.Join(buildSecretBaseDir, "test-is.json") |
|
20 |
+ dockerBuildFixture = filepath.Join(buildSecretBaseDir, "test-docker-build.json") |
|
21 |
+ dockerBuildDockerfile = filepath.Join(buildSecretBaseDir, "Dockerfile") |
|
22 |
+ sourceBuildFixture = filepath.Join(buildSecretBaseDir, "test-s2i-build.json") |
|
23 |
+ sourceBuildBinDir = filepath.Join(buildSecretBaseDir, "s2i-binary-dir") |
|
24 |
+ oc = exutil.NewCLI("build-secrets", exutil.KubeConfigPath()) |
|
23 | 25 |
) |
24 | 26 |
|
25 | 27 |
g.Describe("build with secrets", func() { |
26 | 28 |
oc.SetOutputDir(exutil.TestContext.OutputDir) |
27 | 29 |
|
28 |
- g.It("should print the secrets during the source strategy build", func() { |
|
29 |
- g.By("creating the sample secret files") |
|
30 |
+ g.It("should contain secrets during the source strategy build", func() { |
|
31 |
+ g.By("creating secret fixtures") |
|
30 | 32 |
err := oc.Run("create").Args("-f", secretsFixture).Execute() |
31 | 33 |
o.Expect(err).NotTo(o.HaveOccurred()) |
32 | 34 |
err = oc.Run("create").Args("-f", secondSecretsFixture).Execute() |
33 | 35 |
o.Expect(err).NotTo(o.HaveOccurred()) |
34 | 36 |
|
35 |
- g.By("creating the sample source build config and image stream") |
|
37 |
+ g.By("creating test image stream") |
|
36 | 38 |
err = oc.Run("create").Args("-f", isFixture).Execute() |
37 | 39 |
o.Expect(err).NotTo(o.HaveOccurred()) |
38 | 40 |
|
41 |
+ g.By("creating test build config") |
|
39 | 42 |
err = oc.Run("create").Args("-f", sourceBuildFixture).Execute() |
40 | 43 |
o.Expect(err).NotTo(o.HaveOccurred()) |
41 | 44 |
|
42 |
- g.By("starting the sample source build") |
|
43 |
- out, err := oc.Run("start-build").Args("test", "--follow", "--wait").Output() |
|
45 |
+ g.By("starting the test source build") |
|
46 |
+ err = oc.Run("start-build").Args("test", "--from-dir", sourceBuildBinDir).Execute() |
|
44 | 47 |
o.Expect(err).NotTo(o.HaveOccurred()) |
45 |
- o.Expect(out).To(o.ContainSubstring("secret1=secret1")) |
|
46 |
- o.Expect(out).To(o.ContainSubstring("secret3=secret3")) |
|
47 |
- o.Expect(out).To(o.ContainSubstring("relative-secret1=secret1")) |
|
48 |
- o.Expect(out).To(o.ContainSubstring("relative-secret3=secret3")) |
|
49 | 48 |
|
50 | 49 |
g.By("checking the status of the build") |
51 | 50 |
err = exutil.WaitForABuild(oc.REST().Builds(oc.Namespace()), "test-1", exutil.CheckBuildSuccessFn, exutil.CheckBuildFailedFn) |
... | ... |
@@ -58,33 +56,36 @@ var _ = g.Describe("[builds][Slow] can use build secrets", func() { |
58 | 58 |
image, err := exutil.GetDockerImageReference(oc.REST().ImageStreams(oc.Namespace()), "test", "latest") |
59 | 59 |
o.Expect(err).NotTo(o.HaveOccurred()) |
60 | 60 |
|
61 |
- g.By("verifying the build secrets are not present in the output image") |
|
61 |
+ g.By("verifying the build secrets were available during build and not present in the output image") |
|
62 | 62 |
pod := exutil.GetPodForContainer(kapi.Container{Name: "test", Image: image}) |
63 | 63 |
oc.KubeFramework().TestContainerOutput("test-build-secret-source", pod, 0, []string{ |
64 |
- "relative-secret1=empty", |
|
65 |
- "secret3=empty", |
|
64 |
+ "testsecret/secret1=secret1", |
|
65 |
+ "testsecret/secret2=secret2", |
|
66 |
+ "testsecret/secret3=secret3", |
|
67 |
+ "testsecret2/secret1=secret1", |
|
68 |
+ "testsecret2/secret2=secret2", |
|
69 |
+ "testsecret2/secret3=secret3", |
|
66 | 70 |
}) |
67 | 71 |
}) |
68 | 72 |
|
69 |
- g.It("should print the secrets during the docker strategy build", func() { |
|
70 |
- g.By("creating the sample secret files") |
|
73 |
+ g.It("should contain secrets during the docker strategy build", func() { |
|
74 |
+ g.By("creating secret fixtures") |
|
71 | 75 |
err := oc.Run("create").Args("-f", secretsFixture).Execute() |
72 | 76 |
o.Expect(err).NotTo(o.HaveOccurred()) |
73 | 77 |
err = oc.Run("create").Args("-f", secondSecretsFixture).Execute() |
74 | 78 |
o.Expect(err).NotTo(o.HaveOccurred()) |
75 | 79 |
|
76 |
- g.By("creating the sample source build config and image stream") |
|
80 |
+ g.By("creating test image stream") |
|
77 | 81 |
err = oc.Run("create").Args("-f", isFixture).Execute() |
78 | 82 |
o.Expect(err).NotTo(o.HaveOccurred()) |
79 | 83 |
|
84 |
+ g.By("creating test build config") |
|
80 | 85 |
err = oc.Run("create").Args("-f", dockerBuildFixture).Execute() |
81 | 86 |
o.Expect(err).NotTo(o.HaveOccurred()) |
82 | 87 |
|
83 |
- g.By("starting the sample source build") |
|
84 |
- out, err := oc.Run("start-build").Args("test", "--follow", "--wait").Output() |
|
88 |
+ g.By("starting the test docker build") |
|
89 |
+ err = oc.Run("start-build").Args("test", "--from-file", dockerBuildDockerfile).Execute() |
|
85 | 90 |
o.Expect(err).NotTo(o.HaveOccurred()) |
86 |
- o.Expect(out).To(o.ContainSubstring("secret1=secret1")) |
|
87 |
- o.Expect(out).To(o.ContainSubstring("relative-secret2=secret2")) |
|
88 | 91 |
|
89 | 92 |
g.By("checking the status of the build") |
90 | 93 |
err = exutil.WaitForABuild(oc.REST().Builds(oc.Namespace()), "test-1", exutil.CheckBuildSuccessFn, exutil.CheckBuildFailedFn) |
... | ... |
@@ -92,6 +93,18 @@ var _ = g.Describe("[builds][Slow] can use build secrets", func() { |
92 | 92 |
exutil.DumpBuildLogs("test", oc) |
93 | 93 |
} |
94 | 94 |
o.Expect(err).NotTo(o.HaveOccurred()) |
95 |
+ |
|
96 |
+ g.By("getting the image name") |
|
97 |
+ image, err := exutil.GetDockerImageReference(oc.REST().ImageStreams(oc.Namespace()), "test", "latest") |
|
98 |
+ o.Expect(err).NotTo(o.HaveOccurred()) |
|
99 |
+ |
|
100 |
+ g.By("verifying the secrets are present in container output") |
|
101 |
+ pod := exutil.GetPodForContainer(kapi.Container{Name: "test", Image: image}) |
|
102 |
+ oc.KubeFramework().TestContainerOutput("test-build-secret-docker", pod, 0, []string{ |
|
103 |
+ "secret1=secret1", |
|
104 |
+ "relative-secret2=secret2", |
|
105 |
+ }) |
|
106 |
+ |
|
95 | 107 |
}) |
96 | 108 |
|
97 | 109 |
}) |
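Review bot: The "not present in the output image" half of the step `g.By("verifying the build secrets were available during build and not present in the output image")` is not asserted by anything in the source-strategy test itself, because every string passed to `TestContainerOutput` is a positive match. The absence check presumably lives in the image's run script, which exits before printing when an injected secret file is still non-empty, so a leak would surface only as missing output. A comment above the call would record that, e.g. `// leak check is in the image's run script: it exits non-zero before printing if an injected secret file is non-empty`. The docker-strategy test added in the last hunk has no negative check at all; its `secret1=secret1` and `relative-secret2=secret2` expectations show only that the secrets are in the final image, which deserves a one-line comment there as well. Parts of both test bodies lie between the hunks and are not shown.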
... | ... |
@@ -4,8 +4,10 @@ USER root |
4 | 4 |
ADD ./secret-dir /secrets |
5 | 5 |
COPY ./secret2 / |
6 | 6 |
|
7 |
-RUN test -f /secrets/secret1 && echo -n "secret1=" && cat /secrets/secret1 |
|
8 |
-RUN test -f /secret2 && echo -n "relative-secret2=" && cat /secret2 |
|
9 |
-RUN rm -rf /secrets && rm -rf /secret2 |
|
7 |
+# Create a shell script that will output secrets when the image is run |
|
8 |
+RUN echo '#!/bin/sh' > /secret_report.sh |
|
9 |
+RUN echo '(test -f /secrets/secret1 && echo -n "secret1=" && cat /secrets/secret1)' >> /secret_report.sh |
|
10 |
+RUN echo '(test -f /secret2 && echo -n "relative-secret2=" && cat /secret2)' >> /secret_report.sh |
|
11 |
+RUN chmod 755 /secret_report.sh |
|
10 | 12 |
|
11 |
-CMD ["true"] |
|
13 |
+CMD ["/bin/sh", "-c", "/secret_report.sh"] |
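Review bot: Dropping `RUN rm -rf /secrets && rm -rf /secret2` means the built image now ships `/secrets` and `/secret2` and prints them from its default `CMD`, and the only comment added describes the script, not that keeping the secrets is deliberate. A comment such as `# Test fixture: secrets stay in the image on purpose so the test can read them back; files brought in with ADD/COPY persist in image layers even if a later RUN deletes them` would stop the pattern being read as a recommended way to consume build secrets. The two lines written to `/secret_report.sh` are independent subshells, so the script's exit status reflects only the `/secret2` check; adding `RUN echo 'set -e' >> /secret_report.sh` right after the shebang line would make a missing file fail the container instead of relying on the output comparison alone. The `FROM` line is outside the hunk.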
12 | 14 |
new file mode 100755 |
... | ... |
@@ -0,0 +1,21 @@ |
0 |
+#!/bin/bash |
|
1 |
+ |
|
2 |
+# Copy secrets into a location they can be output during image run |
|
3 |
+ |
|
4 |
+mkdir -p "${HOME}/testsecret" |
|
5 |
+if [[ -f /tmp/secret1 ]]; then |
|
6 |
+ # Copy three secrets defined in testsecret fixture to directory |
|
7 |
+ cp /tmp/secret? "${HOME}/testsecret" |
|
8 |
+else |
|
9 |
+ echo "Unable to locate testsecret fixture files" |
|
10 |
+ exit 1 |
|
11 |
+fi |
|
12 |
+ |
|
13 |
+mkdir -p "${HOME}/testsecret2" |
|
14 |
+if [[ -f secret1 ]]; then |
|
15 |
+ # Copy three secrets defined in testsecret2 fixture to directory |
|
16 |
+ cp secret? "${HOME}/testsecret2" |
|
17 |
+else |
|
18 |
+ echo "Unable to locate testsecret2 fixture files" |
|
19 |
+ exit 2 |
|
20 |
+fi |
|
0 | 21 |
\ No newline at end of file |
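Review bot: A failed `cp /tmp/secret? "${HOME}/testsecret"` goes unnoticed here, because the script has no `set -e` and only the exit status of the final `if` block reaches the builder. The `-f` guards also test `secret1` alone, so a missing `secret2` or `secret3` is not caught at build time either. Adding `set -o errexit` after the shebang (or `|| exit 1` on each `cp` and `mkdir`) would fail the build at the point of the problem instead of leaving it to the output comparison in the test. The header comment could also state that copying secrets into `${HOME}` is done only so the test can read them back, and is the opposite of what a real build script should do with injected secrets.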
1 | 22 |
new file mode 100755 |
... | ... |
@@ -0,0 +1,15 @@ |
0 |
+#!/bin/bash |
|
1 |
+ |
|
2 |
+# Ensure none of the build config inject secrets still exist in the file system |
|
3 |
+for s in /tmp/secret? secret?; do |
|
4 |
+ if [[ -s "${s}" ]]; then |
|
5 |
+ echo "Found secret file which should have been removed: ${s}" |
|
6 |
+ exit 1 |
|
7 |
+ fi |
|
8 |
+done |
|
9 |
+ |
|
10 |
+# Print out the secrets copied into the image during assemble |
|
11 |
+cd "${HOME}" |
|
12 |
+for s in testsecret/* testsecret2/*; do |
|
13 |
+ echo -n "${s}=" && cat "${s}" |
|
14 |
+done |
|
0 | 15 |
\ No newline at end of file |
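Review bot: The leak check uses `[[ -s "${s}" ]]`, which is true only for a non-empty file, so an injected secret file that still exists but is empty passes, while the message says it "should have been removed". If empty leftovers are the expected state after the build, a comment such as `# injected secret files may remain as empty files; only non-empty ones count as a leak` would make that explicit; otherwise `-e` is the stricter test. The relative `secret?` pattern is also evaluated in whatever directory the container starts in, before the `cd "${HOME}"`, so it covers the testsecret2 files only if that directory is the one they were injected into. That assumption is worth a comment or an explicit path.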
0 | 1 |
deleted file mode 100755 |
... | ... |
@@ -1,9 +0,0 @@ |
1 |
-#!/bin/bash |
|
2 |
- |
|
3 |
-[[ -f secret1 ]] && echo "relative-secret1=$(cat secret1)" |
|
4 |
-[[ -f secret2 ]] && echo "relative-secret2=$(cat secret2)" |
|
5 |
-[[ -f secret3 ]] && echo "relative-secret3=$(cat secret3)" |
|
6 |
- |
|
7 |
-[[ -f /tmp/secret1 ]] && echo "secret1=$(cat /tmp/secret1)" |
|
8 |
-[[ -f /tmp/secret2 ]] && echo "secret2=$(cat /tmp/secret2)" |
|
9 |
-[[ -f /tmp/secret3 ]] && echo "secret3=$(cat /tmp/secret3)" |
... | ... |
@@ -10,12 +10,9 @@ |
10 | 10 |
"spec":{ |
11 | 11 |
"triggers":[], |
12 | 12 |
"source":{ |
13 |
- "type":"Git", |
|
14 |
- "git":{ |
|
15 |
- "uri":"https://github.com/openshift/origin", |
|
16 |
- "ref": "secrets" |
|
13 |
+ "type":"Binary", |
|
14 |
+ "binary": { |
|
17 | 15 |
}, |
18 |
- "contextDir":"test/extended/testdata/build-secrets", |
|
19 | 16 |
"secrets": [ |
20 | 17 |
{ |
21 | 18 |
"secret": { "name": "testsecret" }, |
... | ... |
@@ -1,52 +1,52 @@ |
1 | 1 |
{ |
2 |
- "kind":"BuildConfig", |
|
3 |
- "apiVersion":"v1", |
|
4 |
- "metadata":{ |
|
5 |
- "name":"test", |
|
6 |
- "labels":{ |
|
7 |
- "name":"test" |
|
2 |
+ "kind": "BuildConfig", |
|
3 |
+ "apiVersion": "v1", |
|
4 |
+ "metadata": { |
|
5 |
+ "name": "test", |
|
6 |
+ "labels": { |
|
7 |
+ "name": "test" |
|
8 | 8 |
} |
9 | 9 |
}, |
10 |
- "spec":{ |
|
11 |
- "triggers":[], |
|
12 |
- "source":{ |
|
13 |
- "type":"Git", |
|
14 |
- "git":{ |
|
15 |
- "uri":"https://github.com/openshift/origin", |
|
16 |
- "ref": "secrets" |
|
10 |
+ "spec": { |
|
11 |
+ "triggers": [], |
|
12 |
+ "source": { |
|
13 |
+ "type": "Binary", |
|
14 |
+ "binary": { |
|
17 | 15 |
}, |
18 |
- "contextDir":"test/extended/testdata/test-build-app", |
|
19 | 16 |
"secrets": [ |
20 | 17 |
{ |
21 |
- "secret": { "name": "testsecret" }, |
|
18 |
+ "secret": { |
|
19 |
+ "name": "testsecret" |
|
20 |
+ }, |
|
22 | 21 |
"destinationDir": "/tmp" |
23 | 22 |
}, |
24 | 23 |
{ |
25 |
- "secret": { "name": "testsecret2" } |
|
24 |
+ "secret": { |
|
25 |
+ "name": "testsecret2" |
|
26 |
+ } |
|
26 | 27 |
} |
27 | 28 |
] |
28 | 29 |
}, |
29 |
- "strategy":{ |
|
30 |
- "type":"Source", |
|
30 |
+ "strategy": { |
|
31 |
+ "type": "Source", |
|
31 | 32 |
"env": [ |
32 | 33 |
{ |
33 | 34 |
"name": "BUILD_LOGLEVEL", |
34 | 35 |
"value": "5" |
35 | 36 |
} |
36 | 37 |
], |
37 |
- "sourceStrategy":{ |
|
38 |
- "from":{ |
|
39 |
- "kind":"DockerImage", |
|
40 |
- "name":"centos/ruby-22-centos7" |
|
41 |
- }, |
|
42 |
- "scripts":"https://raw.githubusercontent.com/openshift/origin/secrets/test/extended/testdata/build-secrets/s2i" |
|
38 |
+ "sourceStrategy": { |
|
39 |
+ "from": { |
|
40 |
+ "kind": "DockerImage", |
|
41 |
+ "name": "centos/ruby-22-centos7" |
|
42 |
+ } |
|
43 | 43 |
} |
44 | 44 |
}, |
45 |
- "output":{ |
|
46 |
- "to":{ |
|
47 |
- "kind":"ImageStreamTag", |
|
48 |
- "name":"test:latest" |
|
45 |
+ "output": { |
|
46 |
+ "to": { |
|
47 |
+ "kind": "ImageStreamTag", |
|
48 |
+ "name": "test:latest" |
|
49 | 49 |
} |
50 | 50 |
} |
51 | 51 |
} |
52 |
-} |
|
52 |
+} |
|
53 | 53 |
\ No newline at end of file |
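Review bot: The builder image on the new side is still referenced as `"name": "centos/ruby-22-centos7"`, with no tag or digest, so each run builds on whatever the registry currently serves under the default tag, and that image is the one that receives the injected secrets. Pinning the reference, e.g. `"name": "centos/ruby-22-centos7@sha256:<digest-placeholder>"`, would make the test reproducible and remove the dependency on a mutable tag. Separately, this hunk mixes a whitespace reformat of the whole file with the functional change from `Git` to `Binary` source and the removal of `scripts`, which makes the real change hard to spot; splitting the reformat into its own commit would help.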