convert spire to imagetest, add functional tests (#2178)

Signed-off-by: Josh Wolf <[email protected]>
chainguard-images · Feb 8, 2024 · 12f6db7 · 12f6db7
1 parent f3ec497
commit 12f6db7
Show file tree

Hide file tree

Showing 4 changed files with 86 additions and 76 deletions.
diff --git a/images/spire/config/main.tf b/images/spire/config/main.tf
@@ -30,6 +30,7 @@ variable "cmd" {
   description = "The command followed by entrypoint"
   default     = ""
 }
+
 module "accts" {
   source = "../../../tflib/accts"
   run-as = var.run-as
@@ -46,4 +47,5 @@ output "config" {
     }
     cmd = var.cmd
   })
-}
+}
+
diff --git a/images/spire/main.tf b/images/spire/main.tf
@@ -27,7 +27,10 @@ locals {
     },
 
     "oidc-discovery-provider" = {
-      run-as         = 65532
+      # NOTE: The sidecar `ghcr.io/spiffe/spiffe-helper` runs as root
+      # and creates the cert with root ownership. Therefore, the image itself
+      # needs root to read the cert. This seems like an upstream bug.
+      run-as         = 0
       entrypoint-cmd = "/usr/bin/oidc-discovery-provider"
       extra_packages = []
       cmd            = "--help"

diff --git a/images/spire/tests/helm.sh b/images/spire/tests/helm.sh
diff --git a/images/spire/tests/main.tf b/images/spire/tests/main.tf
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
-    oci  = { source = "chainguard-dev/oci" }
-    helm = { source = "hashicorp/helm" }
+    oci       = { source = "chainguard-dev/oci" }
+    imagetest = { source = "chainguard-dev/imagetest" }
   }
 }
 
@@ -19,51 +19,87 @@ data "oci_string" "ref" {
   input    = each.value
 }
 
-resource "random_id" "hex" { byte_length = 4 }
+data "imagetest_inventory" "this" {}
 
-data "oci_exec_test" "helm" {
-  digest      = var.digests["server"] // Not used, but required by the resource.
-  script      = <<EOF
-set -e
+resource "imagetest_harness_k3s" "this" {
+  name      = "spire"
+  inventory = data.imagetest_inventory.this
+}
+
+module "spire_crds" {
+  source = "../../../tflib/imagetest/helm"
+
+  namespace = "spire-system"
+  chart     = "spire-crds"
+  repo      = "https://spiffe.github.io/helm-charts-hardened/"
+}
 
-rand=${random_id.hex.hex}
+module "spire" {
+  source = "../../../tflib/imagetest/helm"
 
-if ! command -v flock; then
-  echo "flock not installed; use \`brew install flock\`"
-  exit 1
-fi
+  name      = "spire"
+  namespace = "spire-system"
+  chart     = "spire"
+  repo      = "https://spiffe.github.io/helm-charts-hardened/"
 
-cat > /tmp/crd-values-$${rand}.yaml <<EOV
-annotations:
-  "helm.sh/resource-policy": "delete"
-EOV
+  values = {
+    spire-server = {
+      enabled = true
+      image = {
+        registry   = data.oci_string.ref["server"].registry
+        repository = data.oci_string.ref["server"].repo
+        tag        = data.oci_string.ref["server"].pseudo_tag
+      }
+    }
+    spire-agent = {
+      enabled = true
+      image = {
+        registry   = data.oci_string.ref["agent"].registry
+        repository = data.oci_string.ref["agent"].repo
+        tag        = data.oci_string.ref["agent"].pseudo_tag
+      }
+    }
+    spiffe-oidc-discovery-provider = {
+      enabled = true
+      image = {
+        registry   = data.oci_string.ref["oidc-discovery-provider"].registry
+        repository = data.oci_string.ref["oidc-discovery-provider"].repo
+        tag        = data.oci_string.ref["oidc-discovery-provider"].pseudo_tag
+      }
+      config = {
+        acme = {
+          tosAccepted = true
+        }
+      }
+    }
+  }
+}
 
-cat > /tmp/values-$${rand}.yaml <<EOV
-spire-server:
-  enabled: true
-  image:
-    registry: ${data.oci_string.ref["server"].registry}
-    repository: ${data.oci_string.ref["server"].repo}
-    tag: ${data.oci_string.ref["server"].pseudo_tag}
-spire-agent:
-  enabled: true
-  image:
-    registry: ${data.oci_string.ref["agent"].registry}
-    repository: ${data.oci_string.ref["agent"].repo}
-    tag: ${data.oci_string.ref["agent"].pseudo_tag}
-spiffe-oidc-discovery-provider:
-  enabled: true
-  image:
-    registry: ${data.oci_string.ref["oidc-discovery-provider"].registry}
-    repository: ${data.oci_string.ref["oidc-discovery-provider"].repo}
-    tag: ${data.oci_string.ref["oidc-discovery-provider"].pseudo_tag}
-  config:
-    acme:
-      tosAccepted: true
-EOV
+resource "imagetest_feature" "basic" {
+  harness     = imagetest_harness_k3s.this
+  name        = "Basic"
+  description = "Basic functionality of the spire helm chart."
 
-# Run with `flock` to ensure that only one test runs at a time.
-flock -e -w 600 /tmp/spire ./helm.sh $${rand}
-EOF
-  working_dir = path.module
+  steps = [
+    {
+      name = "spire CRDs helm install"
+      cmd  = module.spire_crds.install_cmd
+    },
+    {
+      name = "spire helm install"
+      cmd  = module.spire.install_cmd
+    },
+    {
+      # shoutout to the spire chart maintainers, these tests are actually
+      # pretty good!
+      name = "spire helm tests"
+      cmd  = <<EOF
+        helm test -n spire-system spire
+      EOF
+    },
+  ]
+
+  labels = {
+    type = "k8s"
+  }
 }