
Untitled

a guest
Sep 6th, 2018
  1. #!/bin/bash
  2.  
  3. set -ev -o pipefail
  4.  
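#######################################
# Parse the YAML document on stdin with Ruby, apply an expression to it and
# grep the printed result.
# Arguments:
#   $1 - Ruby code appended verbatim to the parsed document, e.g. "['data'].keys".
#        It is executed as Ruby source, so only pass literals written in this
#        script, never text taken from the cluster or from a user.
#   $2 - grep pattern the printed result must match.
# Outputs: a FAIL line on stdout when the pattern does not match.
# Returns: 0 on a match, 1 otherwise (under `set -e` this aborts the run).
#######################################
check() {
  local cmd=$1
  local cond=$2
  # The expression is passed inside one quoted word: left unquoted, the shell
  # would word-split it and treat "['data']" as a glob pattern.
  # NOTE(review): YAML.load can instantiate arbitrary objects on older Psych
  # versions. The input here is kubectl output from the test cluster;
  # YAML.safe_load is the stricter call but may reject some node types, so
  # verify against real output before switching.
  if ! ruby -ryaml -e "puts YAML.load(STDIN.read)${cmd}" | grep -q -e "$cond"; then
    echo "FAIL: condition '$cond' for command '$cmd'"
    # Report the failure to the caller instead of letting the run continue.
    return 1
  fi
}
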
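#######################################
# Block until the pod listing for nats:nats no longer shows a pod that is
# Terminating or Restarting, polling once per second.
# NOTE(review): there is no timeout; a pod stuck in one of these states keeps
# the loop running forever.
#######################################
wait_for_restart() {
  # -E is required: in grep's default basic syntax '|' is a literal
  # character, so the alternation would never match and the loop would
  # return immediately without waiting.
  while k get pods nats:nats | grep -qE 'Terminating|Restarting'; do
    sleep 1
  done
}
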
  19. # Install and test usecase #3 and #4 - secrets are generated and roles wait
  20. ./deploy.sh
  21. kubectl -n my-nats get secrets secrets-1-1 -o yaml | check "['data'].keys" "cacert-key"
  22. kubectl -n my-nats get secrets secrets-1-1 -o yaml | check "['data']['nats-password']" "\S"
  23.  
  24. # Test usecase #2 and #5 - set a manual secret
  25. helm upgrade --values vars.yml --set secrets.NATS_PASSWORD=newpassword my-nats nats-chart
  26. wait_for_restart
  27. k get pods nats:nats | grep -e 'Running.*[0-9]s$'
  28. k exec -it nats:nats env | grep -qe 'NATS_PASSWORD=newpassword'
  29.  
  30. # Test usecase #6 - go back to a generated secret
  31. helm upgrade --values vars.yml --set secrets.NATS_PASSWORD= my-nats nats-chart
  32. wait_for_restart
  33. k exec -it nats:nats env | grep -qe 'NATS_PASSWORD=newpassword' && false
  34.  
# Use case #7: set a value and notice only the value container is restarted;
# the nats pod itself must keep its start time.
# NOTE(review): this block addresses the pod as my-nats:nats while the rest of
# the script uses nats:nats; confirm which form `k` expects.
# NOTE(review): if `k get pods` returns a list, .status.startTime is null both
# times and the comparison below is vacuous; confirm the JSON shape.
old_time=$(k get pods my-nats:nats -o json | jq '.status.startTime')
helm upgrade \
  --values vars.yml \
  --set env.myvalue="newvalue" \
  my-nats nats-chart
new_time=$(k get pods my-nats:nats -o json | jq '.status.startTime')

# A changed start time means the pod was recreated.
[[ "$new_time" == "$old_time" ]] || {
  echo "nats pod should not restart"
  exit 1
}

  44. # test usecase #8 - upgrade to a new version and see new secrets being created and roles waiting for them
  45. patch -p1 <<EOF
  46. diff --git a/role-manifest.yml b/role-manifest.yml
  47. index 9676f56..a44c566 100644
  48. --- a/role-manifest.yml
  49. +++ b/role-manifest.yml
  50. @@ -55,6 +55,7 @@ configuration:
  51. properties.fissile.monit.password: '"((MONIT_PASSWORD))"'
  52. properties.nats.password: '"((NATS_PASSWORD))"'
  53. properties.nats.user: '"((NATS_USER))"' # In BOSH templates, `p('nats.user')`
  54. + properties.nats.debug: '"((NATS_DEBUG))"'
  55. # we just need a BOSH release variable to use those
  56. properties.diego.rep.cell_id: '"((#MY_CERT))((/MY_CERT))"((cacert))((cacert_KEY)) ((MY_CERT_KEY))'
  57. auth:
  58. @@ -140,6 +141,12 @@ variables:
  59. options:
  60. type: environment
  61. secret: true
  62. +- name: NATS_DEBUG
  63. + type: password
  64. + options:
  65. + description: New Password
  66. + secret: true
  67. + required: true
  68. - name: NATS_PASSWORD
  69. type: password
  70. options:
  71. EOF
  72. ./containerize.sh
  73. eval $(minikube docker-env)
  74. fissile build images --force
  75. fissile build helm --auth-type rbac --defaults-file defaults.txt
  76. sed -i -e 's/version: .*/version: 10/' nats-chart/Chart.yaml
  77.  
  78. helm upgrade my-nats nats-chart
  79. wait_for_restart
  80. k get secrets nats: | grep -q secrets-10-1
  81. k exec -it nats:nats env | grep -qe 'NATS_DEBUG=\S'
  82.  
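# Use case #9: bumping the generation counter rotates all generated secrets.
old_password=$(k get secrets :secrets-10-1 -o json | jq '.data."nats-password"')
helm upgrade --values vars.yml --set kube.secrets_generation_counter=2 my-nats nats-chart
wait_for_restart
new_password=$(k get secrets :secrets-10-2 -o json | jq '.data."nats-password"')

# Fail when the value is unchanged. The comparison used to be inverted and
# aborted exactly when rotation had worked. Two missing entries both read as
# "null" from jq and are reported as a failure as well.
if [ "$new_password" = "$old_password" ]; then
  echo "nats password should have rotated"
  exit 1
fi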