2022-09-05 03:06:08 -04:00
|
|
|
/*
|
|
|
|
|
Copyright (c) Edgeless Systems GmbH
|
|
|
|
|
|
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
|
*/
|
|
|
|
|
|
2022-03-22 11:03:15 -04:00
|
|
|
package cmd
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"bytes"
|
|
|
|
|
"context"
|
2023-09-29 08:01:40 -04:00
|
|
|
"fmt"
|
2022-03-22 11:03:15 -04:00
|
|
|
"strings"
|
|
|
|
|
"testing"
|
|
|
|
|
"time"
|
|
|
|
|
|
2022-09-21 07:47:57 -04:00
|
|
|
"github.com/edgelesssys/constellation/v2/bootstrapper/initproto"
|
2023-08-08 09:42:06 -04:00
|
|
|
"github.com/edgelesssys/constellation/v2/cli/internal/cmd/pathprefix"
|
2022-11-15 09:40:49 -05:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
|
2022-09-21 07:47:57 -04:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
2022-11-09 08:43:48 -05:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/cloud/gcpshared"
|
2022-09-21 07:47:57 -04:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/config"
|
|
|
|
|
"github.com/edgelesssys/constellation/v2/internal/constants"
|
2023-12-04 07:40:24 -05:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/constellation"
|
2023-12-06 04:01:39 -05:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/constellation/helm"
|
2023-12-08 10:27:04 -05:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/constellation/state"
|
2022-09-21 07:47:57 -04:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/file"
|
2023-03-02 09:08:31 -05:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/kms/uri"
|
2023-01-04 04:46:29 -05:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/logger"
|
2023-09-19 07:50:00 -04:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/semver"
|
2023-03-02 09:08:31 -05:00
|
|
|
"github.com/edgelesssys/constellation/v2/internal/versions"
|
2022-03-22 11:03:15 -04:00
|
|
|
"github.com/spf13/afero"
|
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
|
"github.com/stretchr/testify/require"
|
2023-10-24 09:39:18 -04:00
|
|
|
k8serrors "k8s.io/apimachinery/pkg/api/errors"
|
|
|
|
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
2023-09-29 08:01:40 -04:00
|
|
|
"k8s.io/client-go/tools/clientcmd"
|
|
|
|
|
k8sclientapi "k8s.io/client-go/tools/clientcmd/api"
|
2022-03-22 11:03:15 -04:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func TestInitArgumentValidation(t *testing.T) {
|
|
|
|
|
assert := assert.New(t)
|
|
|
|
|
|
2022-06-08 02:14:28 -04:00
|
|
|
cmd := NewInitCmd()
|
2022-03-22 11:03:15 -04:00
|
|
|
assert.NoError(cmd.ValidateArgs(nil))
|
|
|
|
|
assert.Error(cmd.ValidateArgs([]string{"something"}))
|
|
|
|
|
assert.Error(cmd.ValidateArgs([]string{"sth", "sth"}))
|
|
|
|
|
}
|
|
|
|
|
|
2023-11-03 10:47:03 -04:00
|
|
|
// preInitStateFile returns a state file satisfying the pre-init state file
|
|
|
|
|
// constraints.
|
2023-11-20 05:17:16 -05:00
|
|
|
func preInitStateFile(csp cloudprovider.Provider) *state.State {
|
|
|
|
|
s := defaultStateFile(csp)
|
2023-11-03 10:47:03 -04:00
|
|
|
s.ClusterValues = state.ClusterValues{}
|
|
|
|
|
return s
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-22 11:03:15 -04:00
|
|
|
func TestInitialize(t *testing.T) {
|
2023-09-29 08:01:40 -04:00
|
|
|
respKubeconfig := k8sclientapi.Config{
|
|
|
|
|
Clusters: map[string]*k8sclientapi.Cluster{
|
|
|
|
|
"cluster": {
|
|
|
|
|
Server: "https://192.0.2.1:6443",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
respKubeconfigBytes, err := clientcmd.Write(respKubeconfig)
|
2023-10-24 09:39:18 -04:00
|
|
|
require.NoError(t, err)
|
2023-09-29 08:01:40 -04:00
|
|
|
|
2022-08-23 11:49:55 -04:00
|
|
|
gcpServiceAccKey := &gcpshared.ServiceAccountKey{
|
2023-08-03 07:54:48 -04:00
|
|
|
Type: "service_account",
|
|
|
|
|
ProjectID: "project_id",
|
|
|
|
|
PrivateKeyID: "key_id",
|
|
|
|
|
PrivateKey: "key",
|
|
|
|
|
ClientEmail: "client_email",
|
|
|
|
|
ClientID: "client_id",
|
|
|
|
|
AuthURI: "auth_uri",
|
|
|
|
|
TokenURI: "token_uri",
|
|
|
|
|
AuthProviderX509CertURL: "cert",
|
|
|
|
|
ClientX509CertURL: "client_cert",
|
2022-08-23 11:49:55 -04:00
|
|
|
}
|
2023-12-11 09:55:44 -05:00
|
|
|
testInitOutput := constellation.InitOutput{
|
2023-09-29 08:01:40 -04:00
|
|
|
Kubeconfig: respKubeconfigBytes,
|
2023-12-11 09:55:44 -05:00
|
|
|
OwnerID: "ownerID",
|
|
|
|
|
ClusterID: "clusterID",
|
2022-03-22 11:03:15 -04:00
|
|
|
}
|
2022-08-23 11:49:55 -04:00
|
|
|
serviceAccPath := "/test/service-account.json"
|
2022-03-22 11:03:15 -04:00
|
|
|
|
|
|
|
|
testCases := map[string]struct {
|
2022-10-11 06:24:33 -04:00
|
|
|
provider cloudprovider.Provider
|
2023-10-09 07:04:29 -04:00
|
|
|
stateFile *state.State
|
2022-08-31 07:57:59 -04:00
|
|
|
configMutator func(*config.Config)
|
|
|
|
|
serviceAccKey *gcpshared.ServiceAccountKey
|
2023-12-11 09:55:44 -05:00
|
|
|
initOutput constellation.InitOutput
|
2023-12-05 10:23:31 -05:00
|
|
|
initErr error
|
2022-11-25 04:02:12 -05:00
|
|
|
retriable bool
|
2022-08-31 07:57:59 -04:00
|
|
|
masterSecretShouldExist bool
|
|
|
|
|
wantErr bool
|
2022-03-22 11:03:15 -04:00
|
|
|
}{
|
|
|
|
|
"initialize some gcp instances": {
|
2022-10-11 06:24:33 -04:00
|
|
|
provider: cloudprovider.GCP,
|
2023-11-20 05:17:16 -05:00
|
|
|
stateFile: preInitStateFile(cloudprovider.GCP),
|
2022-08-25 09:12:08 -04:00
|
|
|
configMutator: func(c *config.Config) { c.Provider.GCP.ServiceAccountKeyPath = serviceAccPath },
|
|
|
|
|
serviceAccKey: gcpServiceAccKey,
|
2023-12-11 09:55:44 -05:00
|
|
|
initOutput: testInitOutput,
|
2022-03-22 11:03:15 -04:00
|
|
|
},
|
|
|
|
|
"initialize some azure instances": {
|
2023-12-11 09:55:44 -05:00
|
|
|
provider: cloudprovider.Azure,
|
|
|
|
|
stateFile: preInitStateFile(cloudprovider.Azure),
|
|
|
|
|
initOutput: testInitOutput,
|
2022-04-12 08:20:46 -04:00
|
|
|
},
|
2022-05-02 04:54:54 -04:00
|
|
|
"initialize some qemu instances": {
|
2023-12-11 09:55:44 -05:00
|
|
|
provider: cloudprovider.QEMU,
|
|
|
|
|
stateFile: preInitStateFile(cloudprovider.QEMU),
|
|
|
|
|
initOutput: testInitOutput,
|
2022-06-21 11:59:12 -04:00
|
|
|
},
|
2022-11-25 04:02:12 -05:00
|
|
|
"non retriable error": {
|
|
|
|
|
provider: cloudprovider.QEMU,
|
2023-11-20 05:17:16 -05:00
|
|
|
stateFile: preInitStateFile(cloudprovider.QEMU),
|
2023-12-05 10:23:31 -05:00
|
|
|
initErr: &constellation.NonRetriableInitError{Err: assert.AnError},
|
2023-09-25 06:10:07 -04:00
|
|
|
retriable: false,
|
|
|
|
|
masterSecretShouldExist: true,
|
|
|
|
|
wantErr: true,
|
|
|
|
|
},
|
|
|
|
|
"non retriable error with failed log collection": {
|
2023-12-05 10:23:31 -05:00
|
|
|
provider: cloudprovider.QEMU,
|
|
|
|
|
stateFile: preInitStateFile(cloudprovider.QEMU),
|
|
|
|
|
initErr: &constellation.NonRetriableInitError{Err: assert.AnError, LogCollectionErr: assert.AnError},
|
2022-11-25 04:02:12 -05:00
|
|
|
retriable: false,
|
|
|
|
|
masterSecretShouldExist: true,
|
|
|
|
|
wantErr: true,
|
|
|
|
|
},
|
2023-11-03 10:47:03 -04:00
|
|
|
"invalid state file": {
|
|
|
|
|
provider: cloudprovider.GCP,
|
|
|
|
|
stateFile: &state.State{Version: "invalid"},
|
|
|
|
|
configMutator: func(c *config.Config) { c.Provider.GCP.ServiceAccountKeyPath = serviceAccPath },
|
|
|
|
|
serviceAccKey: gcpServiceAccKey,
|
2023-12-11 09:55:44 -05:00
|
|
|
initOutput: testInitOutput,
|
2023-11-03 10:47:03 -04:00
|
|
|
retriable: true,
|
|
|
|
|
wantErr: true,
|
|
|
|
|
},
|
|
|
|
|
"empty state file": {
|
|
|
|
|
provider: cloudprovider.GCP,
|
|
|
|
|
stateFile: &state.State{},
|
|
|
|
|
configMutator: func(c *config.Config) { c.Provider.GCP.ServiceAccountKeyPath = serviceAccPath },
|
|
|
|
|
serviceAccKey: gcpServiceAccKey,
|
2023-12-11 09:55:44 -05:00
|
|
|
initOutput: testInitOutput,
|
2023-11-03 10:47:03 -04:00
|
|
|
retriable: true,
|
|
|
|
|
wantErr: true,
|
|
|
|
|
},
|
2023-10-24 09:39:18 -04:00
|
|
|
"no state file": {
|
2023-10-09 07:04:29 -04:00
|
|
|
provider: cloudprovider.GCP,
|
2023-10-24 09:39:18 -04:00
|
|
|
configMutator: func(c *config.Config) { c.Provider.GCP.ServiceAccountKeyPath = serviceAccPath },
|
|
|
|
|
serviceAccKey: gcpServiceAccKey,
|
2023-12-11 09:55:44 -05:00
|
|
|
initOutput: testInitOutput,
|
2023-10-09 07:04:29 -04:00
|
|
|
retriable: true,
|
|
|
|
|
wantErr: true,
|
|
|
|
|
},
|
2022-07-05 08:14:11 -04:00
|
|
|
"init call fails": {
|
2023-10-24 09:39:18 -04:00
|
|
|
provider: cloudprovider.GCP,
|
|
|
|
|
configMutator: func(c *config.Config) { c.Provider.GCP.ServiceAccountKeyPath = serviceAccPath },
|
2023-11-20 05:17:16 -05:00
|
|
|
stateFile: preInitStateFile(cloudprovider.GCP),
|
2023-10-24 09:39:18 -04:00
|
|
|
serviceAccKey: gcpServiceAccKey,
|
2023-12-05 10:23:31 -05:00
|
|
|
initErr: &constellation.NonRetriableInitError{Err: assert.AnError},
|
2023-10-24 09:39:18 -04:00
|
|
|
retriable: false,
|
|
|
|
|
masterSecretShouldExist: true,
|
|
|
|
|
wantErr: true,
|
2022-07-05 08:14:11 -04:00
|
|
|
},
|
2023-02-13 05:54:38 -05:00
|
|
|
"k8s version without v works": {
|
2023-12-11 09:55:44 -05:00
|
|
|
provider: cloudprovider.Azure,
|
|
|
|
|
stateFile: preInitStateFile(cloudprovider.Azure),
|
|
|
|
|
initOutput: testInitOutput,
|
2023-09-19 07:50:00 -04:00
|
|
|
configMutator: func(c *config.Config) {
|
|
|
|
|
res, err := versions.NewValidK8sVersion(strings.TrimPrefix(string(versions.Default), "v"), true)
|
2023-10-24 09:39:18 -04:00
|
|
|
require.NoError(t, err)
|
2023-09-19 07:50:00 -04:00
|
|
|
c.KubernetesVersion = res
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
"outdated k8s patch version doesn't work": {
|
2023-12-11 09:55:44 -05:00
|
|
|
provider: cloudprovider.Azure,
|
|
|
|
|
stateFile: preInitStateFile(cloudprovider.Azure),
|
|
|
|
|
initOutput: testInitOutput,
|
2023-09-19 07:50:00 -04:00
|
|
|
configMutator: func(c *config.Config) {
|
|
|
|
|
v, err := semver.New(versions.SupportedK8sVersions()[0])
|
2023-10-24 09:39:18 -04:00
|
|
|
require.NoError(t, err)
|
2023-09-19 07:50:00 -04:00
|
|
|
outdatedPatchVer := semver.NewFromInt(v.Major(), v.Minor(), v.Patch()-1, "").String()
|
|
|
|
|
c.KubernetesVersion = versions.ValidK8sVersion(outdatedPatchVer)
|
|
|
|
|
},
|
|
|
|
|
wantErr: true,
|
|
|
|
|
retriable: true, // doesn't need to show retriable error message
|
2023-02-13 05:54:38 -05:00
|
|
|
},
|
2022-03-22 11:03:15 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for name, tc := range testCases {
|
|
|
|
|
t.Run(name, func(t *testing.T) {
|
|
|
|
|
assert := assert.New(t)
|
2023-10-24 09:39:18 -04:00
|
|
|
require := require.New(t)
|
2022-06-21 11:59:12 -04:00
|
|
|
|
2022-08-23 11:49:55 -04:00
|
|
|
// Command
|
2022-06-08 02:14:28 -04:00
|
|
|
cmd := NewInitCmd()
|
2022-03-22 11:03:15 -04:00
|
|
|
var out bytes.Buffer
|
|
|
|
|
cmd.SetOut(&out)
|
|
|
|
|
var errOut bytes.Buffer
|
|
|
|
|
cmd.SetErr(&errOut)
|
2022-08-12 09:59:45 -04:00
|
|
|
|
2022-08-23 11:49:55 -04:00
|
|
|
// File system preparation
|
|
|
|
|
fs := afero.NewMemMapFs()
|
|
|
|
|
fileHandler := file.NewHandler(fs)
|
2022-10-11 06:24:33 -04:00
|
|
|
config := defaultConfigWithExpectedMeasurements(t, config.Default(), tc.provider)
|
2022-08-23 11:49:55 -04:00
|
|
|
if tc.configMutator != nil {
|
|
|
|
|
tc.configMutator(config)
|
|
|
|
|
}
|
|
|
|
|
require.NoError(fileHandler.WriteYAML(constants.ConfigFilename, config, file.OptNone))
|
2023-10-09 07:04:29 -04:00
|
|
|
if tc.stateFile != nil {
|
|
|
|
|
require.NoError(tc.stateFile.WriteToFile(fileHandler, constants.StateFilename))
|
2022-08-23 11:49:55 -04:00
|
|
|
}
|
|
|
|
|
if tc.serviceAccKey != nil {
|
|
|
|
|
require.NoError(fileHandler.WriteJSON(serviceAccPath, tc.serviceAccKey, file.OptNone))
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-22 11:03:15 -04:00
|
|
|
ctx := context.Background()
|
|
|
|
|
ctx, cancel := context.WithTimeout(ctx, 4*time.Second)
|
|
|
|
|
defer cancel()
|
2022-06-28 05:19:03 -04:00
|
|
|
cmd.SetContext(ctx)
|
2023-10-24 09:39:18 -04:00
|
|
|
|
|
|
|
|
i := &applyCmd{
|
2023-11-20 05:17:16 -05:00
|
|
|
fileHandler: fileHandler,
|
|
|
|
|
flags: applyFlags{
|
|
|
|
|
rootFlags: rootFlags{force: true},
|
|
|
|
|
skipPhases: newPhases(skipInfrastructurePhase),
|
|
|
|
|
},
|
|
|
|
|
log: logger.NewTest(t),
|
|
|
|
|
spinner: &nopSpinner{},
|
|
|
|
|
merger: &stubMerger{},
|
2023-12-05 10:23:31 -05:00
|
|
|
applier: &stubConstellApplier{
|
|
|
|
|
masterSecret: uri.MasterSecret{
|
|
|
|
|
Key: bytes.Repeat([]byte{0x01}, 32),
|
|
|
|
|
Salt: bytes.Repeat([]byte{0x02}, 32),
|
|
|
|
|
},
|
|
|
|
|
measurementSalt: bytes.Repeat([]byte{0x03}, 32),
|
|
|
|
|
initErr: tc.initErr,
|
2023-12-11 09:55:44 -05:00
|
|
|
initOutput: tc.initOutput,
|
2023-12-05 10:23:31 -05:00
|
|
|
stubKubernetesUpgrader: &stubKubernetesUpgrader{
|
2023-10-24 09:39:18 -04:00
|
|
|
// On init, no attestation config exists yet
|
|
|
|
|
getClusterAttestationConfigErr: k8serrors.NewNotFound(schema.GroupResource{}, ""),
|
2023-12-05 10:23:31 -05:00
|
|
|
},
|
2023-12-06 04:01:39 -05:00
|
|
|
helmApplier: &stubHelmApplier{},
|
2023-10-24 09:39:18 -04:00
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2023-12-01 02:37:52 -05:00
|
|
|
err := i.apply(cmd, stubAttestationFetcher{}, "test")
|
2022-03-22 11:03:15 -04:00
|
|
|
|
2022-04-26 10:54:05 -04:00
|
|
|
if tc.wantErr {
|
2022-03-22 11:03:15 -04:00
|
|
|
assert.Error(err)
|
2023-11-20 05:17:16 -05:00
|
|
|
fmt.Println(err)
|
2022-11-25 04:02:12 -05:00
|
|
|
if !tc.retriable {
|
|
|
|
|
assert.Contains(errOut.String(), "This error is not recoverable")
|
|
|
|
|
} else {
|
|
|
|
|
assert.Empty(errOut.String())
|
|
|
|
|
}
|
2022-08-31 07:57:59 -04:00
|
|
|
if !tc.masterSecretShouldExist {
|
|
|
|
|
_, err = fileHandler.Stat(constants.MasterSecretFilename)
|
|
|
|
|
assert.Error(err)
|
|
|
|
|
}
|
2022-06-21 11:59:12 -04:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
require.NoError(err)
|
2022-07-26 04:58:39 -04:00
|
|
|
// assert.Contains(out.String(), base64.StdEncoding.EncodeToString([]byte("ownerID")))
|
2023-12-11 09:55:44 -05:00
|
|
|
assert.Contains(out.String(), "clusterID")
|
2023-03-02 09:08:31 -05:00
|
|
|
var secret uri.MasterSecret
|
2022-08-31 07:57:59 -04:00
|
|
|
assert.NoError(fileHandler.ReadJSON(constants.MasterSecretFilename, &secret))
|
|
|
|
|
assert.NotEmpty(secret.Key)
|
|
|
|
|
assert.NotEmpty(secret.Salt)
|
2022-03-22 11:03:15 -04:00
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-12-05 10:23:31 -05:00
|
|
|
type stubHelmApplier struct {
|
2023-08-24 10:40:47 -04:00
|
|
|
err error
|
|
|
|
|
}
|
|
|
|
|
|
2023-12-06 04:01:39 -05:00
|
|
|
func (s stubHelmApplier) PrepareHelmCharts(
|
2024-03-06 14:48:40 -05:00
|
|
|
_ helm.Options, _ *state.State, _ string, _ uri.MasterSecret,
|
2023-12-05 10:23:31 -05:00
|
|
|
) (helm.Applier, bool, error) {
|
2023-08-24 10:40:47 -04:00
|
|
|
return stubRunner{}, false, s.err
|
|
|
|
|
}
|
|
|
|
|
|
2023-10-24 09:39:18 -04:00
|
|
|
type stubRunner struct {
|
|
|
|
|
applyErr error
|
|
|
|
|
saveChartsErr error
|
|
|
|
|
}
|
2023-08-24 10:40:47 -04:00
|
|
|
|
|
|
|
|
func (s stubRunner) Apply(_ context.Context) error {
|
2023-10-24 09:39:18 -04:00
|
|
|
return s.applyErr
|
2023-08-24 10:40:47 -04:00
|
|
|
}
|
|
|
|
|
|
2023-09-08 06:02:16 -04:00
|
|
|
func (s stubRunner) SaveCharts(_ string, _ file.Handler) error {
|
2023-10-24 09:39:18 -04:00
|
|
|
return s.saveChartsErr
|
2023-09-08 06:02:16 -04:00
|
|
|
}
|
|
|
|
|
|
2022-03-22 11:03:15 -04:00
|
|
|
func TestWriteOutput(t *testing.T) {
|
|
|
|
|
assert := assert.New(t)
|
2023-02-10 08:59:44 -05:00
|
|
|
require := require.New(t)
|
2022-03-22 11:03:15 -04:00
|
|
|
|
2023-09-29 08:01:40 -04:00
|
|
|
clusterEndpoint := "cluster-endpoint"
|
|
|
|
|
|
|
|
|
|
expectedKubeconfig := k8sclientapi.Config{
|
|
|
|
|
Clusters: map[string]*k8sclientapi.Cluster{
|
|
|
|
|
"cluster": {
|
|
|
|
|
Server: fmt.Sprintf("https://%s:6443", clusterEndpoint),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
expectedKubeconfigBytes, err := clientcmd.Write(expectedKubeconfig)
|
|
|
|
|
require.NoError(err)
|
|
|
|
|
|
|
|
|
|
respKubeconfig := k8sclientapi.Config{
|
|
|
|
|
Clusters: map[string]*k8sclientapi.Cluster{
|
|
|
|
|
"cluster": {
|
2023-12-11 09:55:44 -05:00
|
|
|
Server: "https://cluster-endpoint:6443",
|
2023-09-29 08:01:40 -04:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
respKubeconfigBytes, err := clientcmd.Write(respKubeconfig)
|
|
|
|
|
require.NoError(err)
|
|
|
|
|
|
2022-06-21 11:59:12 -04:00
|
|
|
resp := &initproto.InitResponse{
|
2023-05-30 07:47:36 -04:00
|
|
|
Kind: &initproto.InitResponse_InitSuccess{
|
|
|
|
|
InitSuccess: &initproto.InitSuccessResponse{
|
|
|
|
|
OwnerId: []byte("ownerID"),
|
|
|
|
|
ClusterId: []byte("clusterID"),
|
2023-09-29 08:01:40 -04:00
|
|
|
Kubeconfig: respKubeconfigBytes,
|
2023-05-30 07:47:36 -04:00
|
|
|
},
|
|
|
|
|
},
|
2022-03-22 11:03:15 -04:00
|
|
|
}
|
2023-12-11 09:55:44 -05:00
|
|
|
ownerID := string(resp.GetInitSuccess().GetOwnerId())
|
|
|
|
|
clusterID := string(resp.GetInitSuccess().GetClusterId())
|
|
|
|
|
initOutput := constellation.InitOutput{
|
|
|
|
|
OwnerID: "ownerID",
|
|
|
|
|
ClusterID: "clusterID",
|
|
|
|
|
Kubeconfig: respKubeconfigBytes,
|
|
|
|
|
}
|
2022-07-01 04:57:29 -04:00
|
|
|
|
2023-10-09 07:04:29 -04:00
|
|
|
measurementSalt := []byte{0x41}
|
|
|
|
|
|
|
|
|
|
expectedStateFile := &state.State{
|
|
|
|
|
Version: state.Version1,
|
|
|
|
|
ClusterValues: state.ClusterValues{
|
|
|
|
|
ClusterID: clusterID,
|
|
|
|
|
OwnerID: ownerID,
|
2023-12-11 09:55:44 -05:00
|
|
|
MeasurementSalt: measurementSalt,
|
2023-10-09 07:04:29 -04:00
|
|
|
},
|
|
|
|
|
Infrastructure: state.Infrastructure{
|
|
|
|
|
APIServerCertSANs: []string{},
|
|
|
|
|
InitSecret: []byte{},
|
|
|
|
|
ClusterEndpoint: clusterEndpoint,
|
|
|
|
|
},
|
2022-07-01 04:57:29 -04:00
|
|
|
}
|
|
|
|
|
|
2022-03-22 11:03:15 -04:00
|
|
|
var out bytes.Buffer
|
|
|
|
|
testFs := afero.NewMemMapFs()
|
|
|
|
|
fileHandler := file.NewHandler(testFs)
|
|
|
|
|
|
2023-10-09 07:04:29 -04:00
|
|
|
stateFile := state.New().SetInfrastructure(state.Infrastructure{
|
|
|
|
|
ClusterEndpoint: clusterEndpoint,
|
|
|
|
|
})
|
|
|
|
|
|
2023-10-24 09:39:18 -04:00
|
|
|
i := &applyCmd{
|
|
|
|
|
fileHandler: fileHandler,
|
|
|
|
|
spinner: &nopSpinner{},
|
|
|
|
|
merger: &stubMerger{},
|
|
|
|
|
log: logger.NewTest(t),
|
2023-12-22 04:16:36 -05:00
|
|
|
applier: constellation.NewApplier(logger.NewTest(t), &nopSpinner{}, constellation.ApplyContextCLI, nil),
|
2023-10-24 09:39:18 -04:00
|
|
|
}
|
2023-12-11 09:55:44 -05:00
|
|
|
err = i.writeInitOutput(stateFile, initOutput, false, &out, measurementSalt)
|
2023-02-10 08:59:44 -05:00
|
|
|
require.NoError(err)
|
2022-07-05 08:14:11 -04:00
|
|
|
assert.Contains(out.String(), clusterID)
|
2022-06-21 11:59:12 -04:00
|
|
|
assert.Contains(out.String(), constants.AdminConfFilename)
|
2022-03-22 11:03:15 -04:00
|
|
|
|
|
|
|
|
afs := afero.Afero{Fs: testFs}
|
2022-04-06 04:36:58 -04:00
|
|
|
adminConf, err := afs.ReadFile(constants.AdminConfFilename)
|
2022-03-22 11:03:15 -04:00
|
|
|
assert.NoError(err)
|
2023-09-29 08:01:40 -04:00
|
|
|
assert.Contains(string(adminConf), clusterEndpoint)
|
|
|
|
|
assert.Equal(string(expectedKubeconfigBytes), string(adminConf))
|
2022-07-01 04:57:29 -04:00
|
|
|
|
2023-10-09 07:04:29 -04:00
|
|
|
fh := file.NewHandler(afs)
|
|
|
|
|
readStateFile, err := state.ReadFromFile(fh, constants.StateFilename)
|
2022-07-01 04:57:29 -04:00
|
|
|
assert.NoError(err)
|
2023-10-09 07:04:29 -04:00
|
|
|
assert.Equal(expectedStateFile, readStateFile)
|
2023-08-04 07:53:51 -04:00
|
|
|
out.Reset()
|
|
|
|
|
require.NoError(afs.Remove(constants.AdminConfFilename))
|
2023-02-10 08:59:44 -05:00
|
|
|
|
2023-08-04 07:53:51 -04:00
|
|
|
// test custom workspace
|
2023-10-16 09:05:29 -04:00
|
|
|
i.flags.pathPrefixer = pathprefix.New("/some/path")
|
2023-12-11 09:55:44 -05:00
|
|
|
err = i.writeInitOutput(stateFile, initOutput, true, &out, measurementSalt)
|
2023-08-04 07:53:51 -04:00
|
|
|
require.NoError(err)
|
|
|
|
|
assert.Contains(out.String(), clusterID)
|
2023-10-16 09:05:29 -04:00
|
|
|
assert.Contains(out.String(), i.flags.pathPrefixer.PrefixPrintablePath(constants.AdminConfFilename))
|
2023-02-10 08:59:44 -05:00
|
|
|
out.Reset()
|
2023-08-04 07:53:51 -04:00
|
|
|
// File is written to current working dir, we simply pass the workspace for generating readable user output
|
2023-02-10 08:59:44 -05:00
|
|
|
require.NoError(afs.Remove(constants.AdminConfFilename))
|
2023-10-16 09:05:29 -04:00
|
|
|
i.flags.pathPrefixer = pathprefix.PathPrefixer{}
|
2023-08-04 07:53:51 -04:00
|
|
|
|
|
|
|
|
// test config merging
|
2023-12-11 09:55:44 -05:00
|
|
|
err = i.writeInitOutput(stateFile, initOutput, true, &out, measurementSalt)
|
2023-02-10 08:59:44 -05:00
|
|
|
require.NoError(err)
|
|
|
|
|
assert.Contains(out.String(), clusterID)
|
|
|
|
|
assert.Contains(out.String(), constants.AdminConfFilename)
|
|
|
|
|
assert.Contains(out.String(), "Constellation kubeconfig merged with default config")
|
|
|
|
|
assert.Contains(out.String(), "You can now connect to your cluster")
|
2023-08-04 07:53:51 -04:00
|
|
|
out.Reset()
|
|
|
|
|
require.NoError(afs.Remove(constants.AdminConfFilename))
|
2023-02-10 08:59:44 -05:00
|
|
|
|
|
|
|
|
// test config merging with env vars set
|
|
|
|
|
i.merger = &stubMerger{envVar: "/some/path/to/kubeconfig"}
|
2023-12-11 09:55:44 -05:00
|
|
|
err = i.writeInitOutput(stateFile, initOutput, true, &out, measurementSalt)
|
2023-02-10 08:59:44 -05:00
|
|
|
require.NoError(err)
|
|
|
|
|
assert.Contains(out.String(), clusterID)
|
|
|
|
|
assert.Contains(out.String(), constants.AdminConfFilename)
|
|
|
|
|
assert.Contains(out.String(), "Constellation kubeconfig merged with default config")
|
|
|
|
|
assert.Contains(out.String(), "Warning: KUBECONFIG environment variable is set")
|
2022-03-22 11:03:15 -04:00
|
|
|
}
|
|
|
|
|
|
2023-08-04 07:53:51 -04:00
|
|
|
func TestGenerateMasterSecret(t *testing.T) {
|
2022-03-22 11:03:15 -04:00
|
|
|
testCases := map[string]struct {
|
2022-07-29 03:52:47 -04:00
|
|
|
createFileFunc func(handler file.Handler) error
|
|
|
|
|
fs func() afero.Fs
|
|
|
|
|
wantErr bool
|
2022-03-22 11:03:15 -04:00
|
|
|
}{
|
2023-08-04 07:53:51 -04:00
|
|
|
"file already exists": {
|
|
|
|
|
fs: afero.NewMemMapFs,
|
2022-07-29 03:52:47 -04:00
|
|
|
createFileFunc: func(handler file.Handler) error {
|
|
|
|
|
return handler.WriteJSON(
|
2023-08-04 07:53:51 -04:00
|
|
|
constants.MasterSecretFilename,
|
2023-03-02 09:08:31 -05:00
|
|
|
uri.MasterSecret{Key: []byte("constellation-master-secret"), Salt: []byte("constellation-32Byte-length-salt")},
|
2022-07-29 03:52:47 -04:00
|
|
|
file.OptNone,
|
|
|
|
|
)
|
|
|
|
|
},
|
2023-08-04 07:53:51 -04:00
|
|
|
wantErr: true,
|
2022-03-22 11:03:15 -04:00
|
|
|
},
|
|
|
|
|
"file does not exist": {
|
2024-02-21 07:30:31 -05:00
|
|
|
createFileFunc: func(_ file.Handler) error { return nil },
|
2022-07-29 03:52:47 -04:00
|
|
|
fs: afero.NewMemMapFs,
|
2023-08-04 07:53:51 -04:00
|
|
|
wantErr: false,
|
2022-03-22 11:03:15 -04:00
|
|
|
},
|
|
|
|
|
"file not writeable": {
|
2024-02-21 07:30:31 -05:00
|
|
|
createFileFunc: func(_ file.Handler) error { return nil },
|
2022-07-29 03:52:47 -04:00
|
|
|
fs: func() afero.Fs { return afero.NewReadOnlyFs(afero.NewMemMapFs()) },
|
|
|
|
|
wantErr: true,
|
2022-03-22 11:03:15 -04:00
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for name, tc := range testCases {
|
|
|
|
|
t.Run(name, func(t *testing.T) {
|
|
|
|
|
assert := assert.New(t)
|
|
|
|
|
require := require.New(t)
|
|
|
|
|
|
|
|
|
|
fileHandler := file.NewHandler(tc.fs())
|
2022-07-29 03:52:47 -04:00
|
|
|
require.NoError(tc.createFileFunc(fileHandler))
|
2022-03-22 11:03:15 -04:00
|
|
|
|
|
|
|
|
var out bytes.Buffer
|
2023-10-24 09:39:18 -04:00
|
|
|
i := &applyCmd{
|
|
|
|
|
fileHandler: fileHandler,
|
|
|
|
|
log: logger.NewTest(t),
|
2023-12-22 04:16:36 -05:00
|
|
|
applier: constellation.NewApplier(logger.NewTest(t), &nopSpinner{}, constellation.ApplyContextCLI, nil),
|
2023-10-24 09:39:18 -04:00
|
|
|
}
|
|
|
|
|
secret, err := i.generateAndPersistMasterSecret(&out)
|
2022-03-22 11:03:15 -04:00
|
|
|
|
2022-04-26 10:54:05 -04:00
|
|
|
if tc.wantErr {
|
2022-03-22 11:03:15 -04:00
|
|
|
assert.Error(err)
|
|
|
|
|
} else {
|
|
|
|
|
assert.NoError(err)
|
|
|
|
|
|
2023-08-04 07:53:51 -04:00
|
|
|
require.Contains(out.String(), constants.MasterSecretFilename)
|
2022-03-22 11:03:15 -04:00
|
|
|
|
2023-03-02 09:08:31 -05:00
|
|
|
var masterSecret uri.MasterSecret
|
2023-08-04 07:53:51 -04:00
|
|
|
require.NoError(fileHandler.ReadJSON(constants.MasterSecretFilename, &masterSecret))
|
2022-07-29 03:52:47 -04:00
|
|
|
assert.Equal(masterSecret.Key, secret.Key)
|
|
|
|
|
assert.Equal(masterSecret.Salt, secret.Salt)
|
2022-03-22 11:03:15 -04:00
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-10 08:59:44 -05:00
|
|
|
type stubMerger struct {
|
|
|
|
|
envVar string
|
|
|
|
|
mergeErr error
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (m *stubMerger) mergeConfigs(string, file.Handler) error {
|
|
|
|
|
return m.mergeErr
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (m *stubMerger) kubeconfigEnvVar() string {
|
|
|
|
|
return m.envVar
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-23 11:49:55 -04:00
|
|
|
func defaultConfigWithExpectedMeasurements(t *testing.T, conf *config.Config, csp cloudprovider.Provider) *config.Config {
|
2022-08-12 09:59:45 -04:00
|
|
|
t.Helper()
|
2022-08-23 11:49:55 -04:00
|
|
|
|
2023-08-02 04:27:43 -04:00
|
|
|
conf.RemoveProviderAndAttestationExcept(csp)
|
|
|
|
|
|
2023-07-25 08:20:25 -04:00
|
|
|
conf.Image = constants.BinaryVersion().String()
|
2023-02-10 07:27:22 -05:00
|
|
|
conf.Name = "kubernetes"
|
2022-11-22 12:47:08 -05:00
|
|
|
|
2023-08-02 04:43:25 -04:00
|
|
|
var zone, instanceType, diskType string
|
2022-08-23 11:49:55 -04:00
|
|
|
switch csp {
|
2023-11-20 05:17:16 -05:00
|
|
|
case cloudprovider.AWS:
|
|
|
|
|
conf.Provider.AWS.Region = "test-region-2"
|
|
|
|
|
conf.Provider.AWS.Zone = "test-zone-2c"
|
|
|
|
|
conf.Provider.AWS.IAMProfileControlPlane = "test-iam-profile"
|
|
|
|
|
conf.Provider.AWS.IAMProfileWorkerNodes = "test-iam-profile"
|
|
|
|
|
conf.Attestation.AWSSEVSNP.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength)
|
|
|
|
|
conf.Attestation.AWSSEVSNP.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength)
|
|
|
|
|
conf.Attestation.AWSSEVSNP.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength)
|
|
|
|
|
zone = "test-zone-2c"
|
|
|
|
|
instanceType = "c6a.xlarge"
|
|
|
|
|
diskType = "gp3"
|
2022-08-23 11:49:55 -04:00
|
|
|
case cloudprovider.Azure:
|
|
|
|
|
conf.Provider.Azure.SubscriptionID = "01234567-0123-0123-0123-0123456789ab"
|
|
|
|
|
conf.Provider.Azure.TenantID = "01234567-0123-0123-0123-0123456789ab"
|
|
|
|
|
conf.Provider.Azure.Location = "test-location"
|
|
|
|
|
conf.Provider.Azure.UserAssignedIdentity = "test-identity"
|
2022-08-25 09:12:08 -04:00
|
|
|
conf.Provider.Azure.ResourceGroup = "test-resource-group"
|
2023-03-10 05:33:06 -05:00
|
|
|
conf.Attestation.AzureSEVSNP.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength)
|
|
|
|
|
conf.Attestation.AzureSEVSNP.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength)
|
|
|
|
|
conf.Attestation.AzureSEVSNP.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength)
|
2023-08-02 04:43:25 -04:00
|
|
|
instanceType = "Standard_DC4as_v5"
|
|
|
|
|
diskType = "StandardSSD_LRS"
|
2022-08-23 11:49:55 -04:00
|
|
|
case cloudprovider.GCP:
|
|
|
|
|
conf.Provider.GCP.Region = "test-region"
|
|
|
|
|
conf.Provider.GCP.Project = "test-project"
|
|
|
|
|
conf.Provider.GCP.Zone = "test-zone"
|
2022-09-11 10:09:05 -04:00
|
|
|
conf.Provider.GCP.ServiceAccountKeyPath = "test-key-path"
|
2023-03-10 05:33:06 -05:00
|
|
|
conf.Attestation.GCPSEVES.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength)
|
|
|
|
|
conf.Attestation.GCPSEVES.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength)
|
|
|
|
|
conf.Attestation.GCPSEVES.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength)
|
2023-08-02 04:43:25 -04:00
|
|
|
zone = "europe-west3-b"
|
|
|
|
|
instanceType = "n2d-standard-4"
|
|
|
|
|
diskType = "pd-ssd"
|
2022-08-23 11:49:55 -04:00
|
|
|
case cloudprovider.QEMU:
|
2023-03-10 05:33:06 -05:00
|
|
|
conf.Attestation.QEMUVTPM.Measurements[4] = measurements.WithAllBytes(0x44, measurements.Enforce, measurements.PCRMeasurementLength)
|
|
|
|
|
conf.Attestation.QEMUVTPM.Measurements[9] = measurements.WithAllBytes(0x11, measurements.Enforce, measurements.PCRMeasurementLength)
|
|
|
|
|
conf.Attestation.QEMUVTPM.Measurements[12] = measurements.WithAllBytes(0xcc, measurements.Enforce, measurements.PCRMeasurementLength)
|
2022-08-23 11:49:55 -04:00
|
|
|
}
|
|
|
|
|
|
2023-08-02 04:43:25 -04:00
|
|
|
for groupName, group := range conf.NodeGroups {
|
|
|
|
|
group.Zone = zone
|
|
|
|
|
group.InstanceType = instanceType
|
|
|
|
|
group.StateDiskType = diskType
|
|
|
|
|
conf.NodeGroups[groupName] = group
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-23 11:49:55 -04:00
|
|
|
return conf
|
2022-08-12 09:59:45 -04:00
|
|
|
}
|
