Add token renewal test (spiffe#4330)

Signed-off-by: Tomoya Usami <[email protected]> Co-authored-by: Evan Gilman <[email protected]> Signed-off-by: Neniel <[email protected]>
Neniel · Aug 24, 2023 · c820922 · c820922
1 parent 734214b
commit c820922
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 3 deletions.
diff --git a/test/integration/suites/upstream-authority-vault/02-deploy-spire-and-verify-auth b/test/integration/suites/upstream-authority-vault/02-deploy-spire-and-verify-auth
@@ -39,7 +39,7 @@ log-info "verifying cert auth..."
 
 # Verify Token Auth
 log-info "verifying token auth..."
-TOKEN=$(./bin/kubectl exec -n vault vault-0 -- vault token create -policy=spire -field=token)
+TOKEN=$(./bin/kubectl exec -n vault vault-0 -- vault token create -policy=spire -ttl=1m -field=token)
 ./bin/kubectl create secret -n spire generic vault-credential \
  --from-literal=token=$TOKEN
 ./bin/kubectl apply -k ./conf/server/token-auth

diff --git a/test/integration/suites/upstream-authority-vault/04-verify-token-renewal.sh b/test/integration/suites/upstream-authority-vault/04-verify-token-renewal.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -eo pipefail
+
+log-debug "verifying token renewal..."
+
+timeout=$(date -ud "1 minute 30 second" +%s)
+count=0
+
+while [ $(date -u +%s) -lt $timeout ]; do
+ count=`./bin/kubectl logs -n spire $(./bin/kubectl get pod -n spire -o name) | echo "$(grep "Successfully renew auth token" || [[ $? == 1 ]])" | wc -l`
+ if [ $count -ge 2 ]; then
+ log-info "token renewal is verified"
+ exit 0
+ fi
+ sleep 10
+done
+
+fail-now "expected number of token renewal log not found"
diff --git a/test/integration/suites/upstream-authority-vault/conf/configure-auth-method.sh b/test/integration/suites/upstream-authority-vault/conf/configure-auth-method.sh
@@ -9,8 +9,7 @@ vault policy write spire /tmp/spire.hcl
 vault auth enable approle
 vault write auth/approle/role/spire \
  secret_id_ttl=120m \
- token_ttl=60m \
- token_max_tll=120m \
+ token_ttl=1m \
  policies="spire"
 
 # Configure K8s Auth Method
@@ -19,11 +18,13 @@ vault write auth/kubernetes/config kubernetes_host=https://$KUBERNETES_SERVICE_H
 vault write auth/kubernetes/role/my-role \
  bound_service_account_names=spire-server \
  bound_service_account_namespaces=spire \
+ token_ttl=1m \
  policies=spire
 
 # Configure Cert Auth Method
 vault auth enable cert
 vault write auth/cert/certs/my-role \
  display_name=spire \
+ token_ttl=1m \
  policies=spire \
  certificate=@/tmp/cert_auth_ca.pem