#!/bin/bash
# Strict mode for the whole test run:
#   errexit  - stop at the first command that fails
#   verbose  - echo every script line as the shell reads it
#   pipefail - a pipeline fails when any of its stages fails
# Verbose mode copies the script text itself to stderr, so literal values
# written on later lines (such as the test password handed to helm) land in
# whatever log captures this run.
set -o errexit -o verbose -o pipefail
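#######################################
# Assert that a value taken from a YAML document on stdin matches a pattern.
# Ruby parses the document; $1 is appended verbatim to the parsed object as
# Ruby code, so it must only ever be a literal written in this script.
# Arguments:
#   $1 - Ruby expression suffix applied to the parsed document,
#        e.g. "['data'].keys"
#   $2 - grep pattern the printed result has to match
# Outputs:
#   "FAIL: ..." on stderr when the pattern does not match
# Returns:
#   0 when the pattern matches, 1 otherwise (so errexit stops the run
#   instead of letting a failed assertion scroll past)
#######################################
check() {
  local cmd=$1
  local cond=$2
  # NOTE(review): YAML.load is fed cluster output; YAML.safe_load would refuse
  # arbitrary object tags should that output ever be less than fully trusted.
  # The Ruby program is one quoted word, so brackets and spaces in $cmd are
  # neither glob-expanded nor split by the shell.
  if ! ruby -ryaml -e "puts YAML.load(STDIN.read)${cmd}" | grep -qe "$cond"; then
    echo "FAIL: condition '$cond' for command '$cmd'" >&2
    return 1
  fi
}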
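#######################################
# Block until the nats pod stops reporting a transitional status.
# Polls `k get pods nats:nats` once per second for as long as its output
# contains "Terminating" or "Restarting". `k` is not defined in this part of
# the script; presumably a kubectl wrapper — confirm.
# NOTE(review): the wait has no upper bound, so a pod stuck in one of these
# states hangs the run; consider a timeout when this executes in CI.
#######################################
wait_for_restart() {
  # -E is required here: under plain -e the pattern is a basic regex, where
  # "|" is an ordinary character, so the alternation never matched and the
  # loop returned immediately without waiting.
  while k get pods nats:nats | grep -qE 'Terminating|Restarting'; do
    sleep 1
  done
}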
# Use cases #3 and #4: installing generates the secrets and the roles wait
# for them.
./deploy.sh

# The generated secret has to carry a "cacert-key" entry ...
kubectl -n my-nats get secrets secrets-1-1 -o yaml \
  | check "['data'].keys" 'cacert-key'
# ... and a NATS password with at least one non-blank character.
kubectl -n my-nats get secrets secrets-1-1 -o yaml \
  | check "['data']['nats-password']" '\S'
# Use cases #2 and #5: override the generated secret with a manual value.
# The value travels on helm's command line, so it is visible in the process
# list and in this script's verbose trace; acceptable only because it is a
# throwaway test password.
helm upgrade \
  --values vars.yml \
  --set secrets.NATS_PASSWORD=newpassword \
  my-nats nats-chart
wait_for_restart

# The pod must be running again with an age still measured in seconds,
# i.e. it was just restarted.
k get pods nats:nats \
  | grep -e 'Running.*[0-9]s$'
# The manual password must have reached the container environment.
k exec -it nats:nats env \
  | grep -q -e 'NATS_PASSWORD=newpassword'
# Use case #6: clearing the manual value must bring back a generated secret.
helm upgrade \
  --values vars.yml \
  --set secrets.NATS_PASSWORD= \
  my-nats nats-chart
wait_for_restart

# Negative assertion: the run fails (via errexit) only when the old manual
# password is still present in the container environment.
# NOTE(review): a failing `k exec` also produces no match, so this check
# passes when the command itself breaks.
if k exec -it nats:nats env | grep -q -e 'NATS_PASSWORD=newpassword'; then
  false
fi
# Use case #7: changing a plain value must not restart the nats pod.
# The pod's start time is recorded before and after the upgrade and the two
# readings have to be identical.
# NOTE(review): the pod is addressed as my-nats:nats here but as nats:nats in
# the other checks — confirm which form `k` expects.
# NOTE(review): the second reading is taken as soon as helm returns; a
# restart that begins later would presumably go unnoticed.
started_before=$(k get pods my-nats:nats -o json | jq '.status.startTime')
helm upgrade \
  --values vars.yml \
  --set env.myvalue="newvalue" \
  my-nats nats-chart
started_after=$(k get pods my-nats:nats -o json | jq '.status.startTime')

[[ "$started_after" == "$started_before" ]] || {
  echo "nats pod should not restart"
  exit 1
}
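# Use case #8: upgrade to a new version; new secrets must be created and the
# roles must wait for them. This step adds a NATS_DEBUG password variable to
# the role manifest.
# The delimiter is quoted so the patch text reaches patch literally: with a
# bare EOF the shell would execute the backtick span on the nats.user line as
# a command substitution before patch ever read it.
# NOTE(review): the one-column diff marker on context lines is restored from
# the hunk line counts; the YAML indentation after the marker is not preserved
# in this listing and has to be taken from the real role-manifest.yml, or
# patch will reject the hunks.
patch -p1 <<'EOF'
diff --git a/role-manifest.yml b/role-manifest.yml
index 9676f56..a44c566 100644
--- a/role-manifest.yml
+++ b/role-manifest.yml
@@ -55,6 +55,7 @@ configuration:
 properties.fissile.monit.password: '"((MONIT_PASSWORD))"'
 properties.nats.password: '"((NATS_PASSWORD))"'
 properties.nats.user: '"((NATS_USER))"' # In BOSH templates, `p('nats.user')`
+ properties.nats.debug: '"((NATS_DEBUG))"'
 # we just need a BOSH release variable to use those
 properties.diego.rep.cell_id: '"((#MY_CERT))((/MY_CERT))"((cacert))((cacert_KEY)) ((MY_CERT_KEY))'
 auth:
@@ -140,6 +141,12 @@ variables:
 options:
 type: environment
 secret: true
+- name: NATS_DEBUG
+ type: password
+ options:
+ description: New Password
+ secret: true
+ required: true
 - name: NATS_PASSWORD
 type: password
 options:
EOF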
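# Rebuild the images and the chart from the patched manifest, then upgrade.
./containerize.sh
# Point this shell's docker client at minikube's daemon. Quoting the
# substitution hands eval the generated text with its line breaks intact,
# rather than a re-split and glob-expanded word list.
eval "$(minikube docker-env)"
fissile build images --force
fissile build helm --auth-type rbac --defaults-file defaults.txt
# Bump the chart version; presumably this is what yields the secrets-10-*
# names checked below — confirm against the chart templates.
sed -i -e 's/version: .*/version: 10/' nats-chart/Chart.yaml
helm upgrade my-nats nats-chart
wait_for_restart

# The new version must have created its own secret ...
k get secrets nats: | grep -q secrets-10-1
# ... and the container must see a non-blank NATS_DEBUG value.
k exec -it nats:nats env | grep -qe 'NATS_DEBUG=\S'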
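# Use case #9: bumping the generation counter must rotate every generated
# secret. The encoded nats password is read from the secret of generation 1
# and again from generation 2 after the upgrade.
old_password=$(k get secrets :secrets-10-1 -o json | jq '.data."nats-password"')
helm upgrade --values vars.yml --set kube.secrets_generation_counter=2 my-nats nats-chart
wait_for_restart
new_password=$(k get secrets :secrets-10-2 -o json | jq '.data."nats-password"')

# Fail when the value is unchanged. The original compared with "!=", which
# aborted the run exactly when rotation had worked and passed when it had not
# (including the case where both lookups yield the same empty result).
if [ "$new_password" = "$old_password" ]; then
  echo "nats password should have rotated"
  exit 1
fi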