tests/e2e: Various authentication related refactors

- Add new expectedPodDescribe check for general purpose pod describe message checking - Remove `GetAuthenticatedImageStatus` - Use the pod describe message as a better way to check for general errors, rather than bespoke auth image approach Signed-off-by: stevenhorsman <[email protected]>
confidential-containers · Jul 25, 2024 · 72da0f7 · 72da0f7
1 parent 9e6516f
commit 72da0f7
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 67 deletions.
diff --git a/src/cloud-api-adaptor/test/e2e/assessment_helpers.go b/src/cloud-api-adaptor/test/e2e/assessment_helpers.go
@@ -59,7 +59,6 @@ func NewTestCase(t *testing.T, e env.Environment, testName string, assert CloudA
  assessMessage: assessMessage,
  podState: v1.PodRunning,
  imagePullTimer: false,
- isAuth: false,
  deletionWithin: assert.DefaultTimeout(),
  }
 
@@ -298,47 +297,6 @@ func GetSuccessfulAndErroredPods(ctx context.Context, t *testing.T, client klien
  return successPod, errorPod, podLogString, nil
 }
 
-func GetAuthenticatedImageStatus(ctx context.Context, client klient.Client, expectedStatus string, authpod v1.Pod) error {
- clientset, err := kubernetes.NewForConfig(client.RESTConfig())
- if err != nil {
- return err
- }
- watcher, err := clientset.CoreV1().Events(authpod.ObjectMeta.Namespace).Watch(ctx, metav1.ListOptions{})
- if err != nil {
- return err
- }
- defer watcher.Stop()
- for event := range watcher.ResultChan() {
- if event.Object.(*v1.Event).InvolvedObject.Name == authpod.ObjectMeta.Name {
- if event.Object.(*v1.Event).Type == "Normal" && event.Object.(*v1.Event).Reason == "Started" {
- return nil
- }
- if event.Object.(*v1.Event).Type == "Warning" && (strings.Contains(event.Object.(*v1.Event).Message, "failed to authorize") || strings.Contains(event.Object.(*v1.Event).Message, "illegal base64 data at input byte") || strings.Contains(event.Object.(*v1.Event).Message, "401 UNAUTHORIZED")) {
- if expectedStatus == "Completed" {
- return errors.New("Invalid Credentials: " + event.Object.(*v1.Event).Message)
- } else {
- return nil
- }
- }
-
- if event.Object.(*v1.Event).Type == "Warning" && strings.Contains(event.Object.(*v1.Event).Message, "not found") {
- return errors.New("Invalid Image Name: " + event.Object.(*v1.Event).Message)
- }
-
- if event.Object.(*v1.Event).Type == "Warning" && strings.Contains(event.Object.(*v1.Event).Message, "failed to pull manifest Not authorized") {
- if expectedStatus == "Completed" {
- return errors.New("Invalid auth-json-secret: " + event.Object.(*v1.Event).Message)
- } else {
- return nil
- }
- }
-
- }
- }
-
- return errors.New("PodVM Start Error")
-}
-
 // SkipTestOnCI skips the test if running on CI
 func SkipTestOnCI(t *testing.T) {
  ci := os.Getenv("CI")

diff --git a/src/cloud-api-adaptor/test/e2e/assessment_runner.go b/src/cloud-api-adaptor/test/e2e/assessment_runner.go
@@ -44,7 +44,6 @@ type ExtraPod struct {
  pod *v1.Pod
  imagePullTimer bool
  expectedPodLogString string
- isAuth bool
  testInstanceTypes InstanceValidatorFunctions
  podState v1.PodPhase
  testCommands []TestCommand
@@ -71,10 +70,10 @@ type TestCase struct {
  service *v1.Service
  testCommands []TestCommand
  expectedPodLogString string
+ expectedPodDescribe string
  podState v1.PodPhase
  imagePullTimer bool
- isAuth bool
- AuthImageStatus string
+ noAuthJson bool
  deletionWithin time.Duration
  testInstanceTypes InstanceValidatorFunctions
  isNydusSnapshotter bool
@@ -146,6 +145,11 @@ func (tc *TestCase) WithExpectedPodLogString(expectedPodLogString string) *TestC
  return tc
 }
 
+func (tc *TestCase) WithExpectedPodDescribe(expectedPodDescribe string) *TestCase {
+ tc.expectedPodDescribe = expectedPodDescribe
+ return tc
+}
+
 func (tc *TestCase) WithCustomPodState(customPodState v1.PodPhase) *TestCase {
  tc.podState = customPodState
  return tc
@@ -156,13 +160,8 @@ func (tc *TestCase) WithPodWatcher() *TestCase {
  return tc
 }
 
-func (tc *TestCase) WithAuthenticatedImage() *TestCase {
- tc.isAuth = true
- return tc
-}
-
-func (tc *TestCase) WithAuthImageStatus(status string) *TestCase {
- tc.AuthImageStatus = status
+func (tc *TestCase) WithNoAuthJson() *TestCase {
+ tc.noAuthJson = true
  return tc
 }
 
@@ -236,7 +235,7 @@ func (tc *TestCase) Run() {
  }
  }
 
- if tc.AuthImageStatus == "WithoutCredentials" {
+ if tc.noAuthJson {
  clientSet, err := kubernetes.NewForConfig(client.RESTConfig())
  if err != nil {
  t.Fatal(err)
@@ -362,12 +361,28 @@ func (tc *TestCase) Run() {
  t.Logf("Log output of peer pod:%s", LogString)
  }
 
- if tc.isAuth {
- if err := GetAuthenticatedImageStatus(ctx, client, tc.AuthImageStatus, *tc.pod); err != nil {
+ if tc.expectedPodDescribe != "" {
+ t.Logf("Assess expected pod describe message string: %s\n", tc.expectedPodDescribe)
+ if err := client.Resources(tc.pod.Namespace).List(ctx, &podlist); err != nil {
  t.Fatal(err)
  }
-
- t.Logf("PodVM has successfully reached %v state with authenticated Image - %v", tc.AuthImageStatus, os.Getenv("AUTHENTICATED_REGISTRY_IMAGE"))
+ for _, podItem := range podlist.Items {
+ if podItem.ObjectMeta.Name == tc.pod.Name {
+ podEvent, err := PodEventExtractor(ctx, client, *tc.pod)
+ if err != nil {
+ t.Fatal(err)
+ }
+ t.Logf("podEvent: %+v\n", podEvent)
+ if strings.Contains(podEvent.EventDescription, tc.expectedPodDescribe) {
+ log.Printf("Output Log from Pod: %s", podEvent)
+ } else {
+ t.Errorf("Job Created pod with Invalid log")
+ }
+ break
+ } else {
+ t.Fatal("Pod Not Found...")
+ }
+ }
  }
 
  if tc.testInstanceTypes.testSuccessfn != nil && tc.testInstanceTypes.testFailurefn != nil {
@@ -502,10 +517,6 @@ func (tc *TestCase) Run() {
  }
  t.Logf("Log output of peer pod:%s", LogString)
  }
- if extraPod.isAuth {
- // TBD
- t.Fatal("Error: isAuth hasn't been implemented in extraPods. Please implement assess function for isAuth")
- }
  if extraPod.testInstanceTypes.testSuccessfn != nil && extraPod.testInstanceTypes.testFailurefn != nil {
  // TBD
  t.Fatal("Error: testInstanceTypes hasn't been implemented in extraPods. Please implement assess for function testInstanceTypes.")

diff --git a/src/cloud-api-adaptor/test/e2e/common_suite.go b/src/cloud-api-adaptor/test/e2e/common_suite.go
@@ -238,10 +238,9 @@ func DoTestCreatePeerPodWithPVCAndCSIWrapper(t *testing.T, e env.Environment, as
 func DoTestCreatePeerPodWithAuthenticatedImageWithValidCredentials(t *testing.T, e env.Environment, assert CloudAssert) {
  randseed := rand.New(rand.NewSource(time.Now().UnixNano()))
  podName := "authenticated-image-valid-" + strconv.Itoa(int(randseed.Uint32())) + "-pod"
- expectedAuthStatus := "Completed"
  imageName := os.Getenv("AUTHENTICATED_REGISTRY_IMAGE")
  pod := NewPod(E2eNamespace, podName, podName, imageName, WithRestartPolicy(v1.RestartPolicyNever))
- NewTestCase(t, e, "ValidAuthImagePeerPod", assert, "Peer pod with Authenticated Image with Valid Credentials(Default service account) has been created").WithPod(pod).WithAuthenticatedImage().WithAuthImageStatus(expectedAuthStatus).WithCustomPodState(v1.PodPending).Run()
+ NewTestCase(t, e, "ValidAuthImagePeerPod", assert, "Peer pod with Authenticated Image with Valid Credentials(Default service account) has been created").WithPod(pod).WithCustomPodState(v1.PodRunning).Run()
 }
 
 func DoTestCreatePeerPodWithAuthenticatedImageWithInvalidCredentials(t *testing.T, e env.Environment, assert CloudAssert) {
@@ -266,21 +265,21 @@ func DoTestCreatePeerPodWithAuthenticatedImageWithInvalidCredentials(t *testing.
  if err != nil {
  t.Fatal(err)
  }
- expectedAuthStatus := "ImagePullBackOff"
+ expectedErrorMessage := "invalid username/password: unauthorized: Invalid Username or Password"
  secretData := map[string][]byte{v1.DockerConfigJsonKey: jsondata}
  secret := NewSecret(E2eNamespace, secretName, secretData, v1.SecretTypeDockerConfigJson)
  imageName := os.Getenv("AUTHENTICATED_REGISTRY_IMAGE")
  pod := NewPod(E2eNamespace, podName, podName, imageName, WithRestartPolicy(v1.RestartPolicyNever), WithImagePullSecrets(secretName))
- NewTestCase(t, e, "InvalidAuthImagePeerPod", assert, "Peer pod with Authenticated Image with Invalid Credentials has been created").WithSecret(secret).WithPod(pod).WithAuthenticatedImage().WithAuthImageStatus(expectedAuthStatus).WithCustomPodState(v1.PodPending).Run()
+ NewTestCase(t, e, "InvalidAuthImagePeerPod", assert, "Peer pod with Authenticated Image with Invalid Credentials has been created").WithSecret(secret).WithPod(pod).WithExpectedPodDescribe(expectedErrorMessage).WithCustomPodState(v1.PodPending).Run()
 }
 
 func DoTestCreatePeerPodWithAuthenticatedImageWithoutCredentials(t *testing.T, e env.Environment, assert CloudAssert) {
  randseed := rand.New(rand.NewSource(time.Now().UnixNano()))
  podName := "authenticated-image-without-creds-" + strconv.Itoa(int(randseed.Uint32())) + "-pod"
- expectedAuthStatus := "WithoutCredentials"
  imageName := os.Getenv("AUTHENTICATED_REGISTRY_IMAGE")
  pod := NewPod(E2eNamespace, podName, podName, imageName, WithRestartPolicy(v1.RestartPolicyNever))
- NewTestCase(t, e, "InvalidAuthImagePeerPod", assert, "Peer pod with Authenticated Image without Credentials has been created").WithPod(pod).WithAuthenticatedImage().WithAuthImageStatus(expectedAuthStatus).WithCustomPodState(v1.PodPending).Run()
+ expectedErrorString := "unauthorized: access to the requested resource is not authorized"
+ NewTestCase(t, e, "InvalidAuthImagePeerPod", assert, "Peer pod with Authenticated Image without Credentials has been created").WithPod(pod).WithNoAuthJson().WithExpectedPodDescribe(expectedErrorString).WithCustomPodState(v1.PodPending).Run()
 }
 
 func DoTestPodVMwithNoAnnotations(t *testing.T, e env.Environment, assert CloudAssert, expectedType string) {