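#!/bin/bash
# Integration test for the nats helm chart's secret handling (usecases #2-#9):
# generated vs. manual secrets, pod restarts on secret change, chart upgrades
# and secret rotation. Relies on ./deploy.sh, ./containerize.sh, vars.yml,
# defaults.txt and a `k` kubectl wrapper (namespace:name addressing) that are
# not part of this file.
#
# -e / -o pipefail: any failing command or pipeline stage aborts the run.
# -u: referencing an unset variable is an error.
# -v: echo script lines as they are read. Do NOT switch this to -x: later
#     steps hold secret material (pod env, base64 secret data) in shell
#     variables and -x would expand it into the trace.
set -euv -o pipefail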
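#######################################
# Assert that a Ruby expression applied to the YAML document on stdin prints
# something matching a grep pattern; used as `kubectl ... -o yaml | check`.
# Arguments: $1 - Ruby suffix appended to the parsed document, e.g. "['data'].keys"
#            $2 - grep basic-regex pattern that must match the printed output
# Outputs:   "FAIL: ..." on stderr when the pattern does not match
# Returns:   0 when matched, 1 otherwise, so that under `set -e -o pipefail`
#            a failed check aborts the run like the script's other steps do.
#######################################
check() {
  local cmd="$1"
  local cond="$2"
  # The Ruby source is a single double-quoted word so brackets in $cmd are
  # never subject to globbing. YAML.load (not safe_load) is used: acceptable
  # for the output of a trusted dev cluster, but it can instantiate arbitrary
  # Ruby objects from tagged YAML — switch to YAML.safe_load if this ever
  # reads untrusted input.
  if ! ruby -ryaml -e "puts YAML.load(STDIN.read)${cmd}" | grep -q -e "$cond"; then
    printf "FAIL: condition '%s' for command '%s'\n" "$cond" "$cmd" >&2
    return 1
  fi
}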
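#######################################
# Poll `k get pods nats:nats` once a second until the pod is no longer
# Terminating/Restarting.
# Arguments: $1 - optional bound in polls (~seconds), default 600
# Outputs:   a timeout message on stderr when the bound is exceeded
# Returns:   0 once the pod has settled, 1 on timeout
#######################################
wait_for_restart() {
  local timeout="${1:-600}"
  local waited=0
  # -E is required: in a basic regex '|' is a literal character, so the
  # pattern would match nothing and the loop would never wait.
  while k get pods nats:nats | grep -qE 'Terminating|Restarting'; do
    if [ "$waited" -ge "$timeout" ]; then
      printf 'wait_for_restart: pod still restarting after %s polls\n' "$timeout" >&2
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
  done
  return 0
}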
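# Install and test usecase #3 and #4 - secrets are generated and roles wait
./deploy.sh
# The generated secret object shows up some time after deploy.sh returns.
# Poll for it (bounded) rather than sleeping a fixed 10s, which is too short
# on a slow cluster and wasteful on a fast one. Assumes the secret is created
# with its data in one shot — TODO confirm against the generator; if data is
# patched in later, a short settle delay after the loop would be needed.
for ((i = 0; i < 60; i++)); do
  kubectl -n my-nats get secrets secrets-1-1 >/dev/null 2>&1 && break
  sleep 1
done
# The generated secret must carry a CA key entry and a non-empty nats password.
kubectl -n my-nats get secrets secrets-1-1 -o yaml | check "['data'].keys" "cacert-key"
kubectl -n my-nats get secrets secrets-1-1 -o yaml | check "['data']['nats-password']" "\S"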
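# Test usecase #2 and #5 - set a manual secret
# "newpassword" is a throwaway test fixture. Note that a value passed via
# --set is visible in `ps` and shell history; anything sensitive should come
# from a values file instead.
helm upgrade --values vars.yml --set secrets.NATS_PASSWORD=newpassword my-nats nats-chart
wait_for_restart
# The pod must be Running and young: an AGE column ending in seconds. (kubectl
# may also print ages like "2m5s", so this is a heuristic, not a strict bound.)
k get pods nats:nats | grep -e 'Running.*[0-9]s$'
# No -i/-t: inside a pipeline there is no TTY (kubectl warns when -t is given
# without one) and `env` reads no stdin. Assumes `k` forwards exec args as-is.
k exec nats:nats env | grep -qe 'NATS_PASSWORD=newpassword'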
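# Test usecase #6 - go back to a generated secret
helm upgrade --values vars.yml --set secrets.NATS_PASSWORD= my-nats nats-chart
wait_for_restart
# One exec, both assertions against the same snapshot of the pod environment.
# The captured env contains secret values: never echo it and keep -x off.
pod_env=$(k exec nats:nats env)
if grep -qe 'NATS_PASSWORD=newpassword' <<<"$pod_env"; then
  echo "nats password should have been regenerated, but the manual value is still set" >&2
  exit 1
fi
# "Not the manual value" is not enough: a generated value must actually be present.
if ! grep -qe 'NATS_PASSWORD=\S' <<<"$pod_env"; then
  echo "nats password should have been regenerated, but NATS_PASSWORD is empty or missing" >&2
  exit 1
fi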
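# Test usecase #7 - set a value and notice only the value container is restarted
# .status.startTime only changes when the pod object itself is recreated, so
# this verifies the nats pod was not replaced; it says nothing about individual
# container restarts (those would show in .status.containerStatuses[].restartCount).
# NOTE(review): the pod is addressed as my-nats:nats here but nats:nats in the
# other steps — confirm which form the `k` wrapper expects.
old_time=$(k get pods my-nats:nats -o json | jq '.status.startTime')
# jq prints null for a missing field; two nulls would compare equal and pass vacuously.
if [ -z "$old_time" ] || [ "$old_time" = null ]; then
  echo "could not read the nats pod startTime" >&2
  exit 1
fi
helm upgrade --values vars.yml --set env.myvalue="newvalue" my-nats nats-chart
# helm upgrade returns before the controller acts on the new spec; without a
# settle delay an unwanted replacement would not be visible yet and the
# comparison below would pass anyway.
sleep 10
new_time=$(k get pods my-nats:nats -o json | jq '.status.startTime')
if [ "$new_time" != "$old_time" ]; then
  echo "nats pod should not restart" >&2
  exit 1
fi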
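# test usecase #8 - upgrade to a new version and see new secrets being created and roles waiting for them
# The delimiter is quoted so the patch body is taken literally. With a bare
# EOF, bash performs command substitution inside the here-doc: the backticked
# `p('nats.user')` on a context line would be executed (a syntax error,
# substituted by nothing), corrupting that line so the hunk no longer applies.
# Context lines must match role-manifest.yml byte for byte, leading whitespace
# included.
patch -p1 <<'EOF'
diff --git a/role-manifest.yml b/role-manifest.yml
index 9676f56..a44c566 100644
--- a/role-manifest.yml
+++ b/role-manifest.yml
@@ -55,6 +55,7 @@ configuration:
properties.fissile.monit.password: '"((MONIT_PASSWORD))"'
properties.nats.password: '"((NATS_PASSWORD))"'
properties.nats.user: '"((NATS_USER))"' # In BOSH templates, `p('nats.user')`
+ properties.nats.debug: '"((NATS_DEBUG))"'
# we just need a BOSH release variable to use those
properties.diego.rep.cell_id: '"((#MY_CERT))((/MY_CERT))"((cacert))((cacert_KEY)) ((MY_CERT_KEY))'
auth:
@@ -140,6 +141,12 @@ variables:
options:
type: environment
secret: true
+- name: NATS_DEBUG
+ type: password
+ options:
+ description: New Password
+ secret: true
+ required: true
- name: NATS_PASSWORD
type: password
options:
EOF
./containerize.sh
# Point docker at minikube's daemon so the freshly built images are visible
# to the cluster without a registry. Quoted: the emitted export lines are
# evaluated as a single string, not word-split first.
eval "$(minikube docker-env)"
fissile build images --force
fissile build helm --auth-type rbac --defaults-file defaults.txt
# GNU sed -i (no backup suffix); BSD/macOS sed would need `-i ''`.
sed -i -e 's/version: .*/version: 10/' nats-chart/Chart.yaml
helm upgrade my-nats nats-chart
wait_for_restart
# Chart version 10 must yield a fresh secrets-10-1 object, and the new
# required NATS_DEBUG variable must be populated in the pod.
k get secrets nats: | grep -q secrets-10-1
# No -i/-t: no TTY in a pipeline and `env` reads no stdin.
k exec nats:nats env | grep -qe 'NATS_DEBUG=\S'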
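# Test usecase #9 - rotate all generated secrets
# Both values below are base64 secret material: they must not be echoed, and
# this script must stay on -v rather than -x.
old_password=$(k get secrets :secrets-10-1 -o json | jq '.data."nats-password"')
helm upgrade --values vars.yml --set kube.secrets_generation_counter=2 my-nats nats-chart
wait_for_restart
new_password=$(k get secrets :secrets-10-2 -o json | jq '.data."nats-password"')
# jq prints null for a missing key; comparing null against null (or an empty
# read) would say nothing about rotation, so require both values to be present.
if [ -z "$old_password" ] || [ "$old_password" = null ] \
   || [ -z "$new_password" ] || [ "$new_password" = null ]; then
  echo "could not read nats-password from secrets-10-1 / secrets-10-2" >&2
  exit 1
fi
# Rotation means the new generation holds a different value than the old one;
# the failure case is the two being equal.
if [ "$new_password" = "$old_password" ]; then
  echo "nats password should have rotated" >&2
  exit 1
fi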