From fe01f237c60375a5c51ce7f5a342345d01f52730 Mon Sep 17 00:00:00 2001 From: Daniel Del Rio Figueira Date: Wed, 13 Nov 2024 09:36:38 +0100 Subject: [PATCH 1/5] PB-36900: Rootless working --- templates/tests/integration-tests-runner.yaml | 4 +- .../fixtures/create-cluster-with-passbolt.sh | 119 +++++++++--------- tests/integration/fixtures/passbolt.sh | 107 +++++++++------- tests/integration/run_integration_tests.sh | 48 +++---- .../tests/create_and_decrypt_test.sh | 26 ++-- 5 files changed, 162 insertions(+), 142 deletions(-) diff --git a/templates/tests/integration-tests-runner.yaml b/templates/tests/integration-tests-runner.yaml index c938844..a47ab4f 100644 --- a/templates/tests/integration-tests-runner.yaml +++ b/templates/tests/integration-tests-runner.yaml @@ -20,7 +20,9 @@ spec: bash /tests/run_tests.sh env: - name: TESTS_DEBUG - value: {{ quote .Values.integrationTests.debug }} + value: {{ quote .Values.integrationTests.debug | default false }} + - name: ROOTLESS + value: {{ quote .Values.integrationTests.rootless | default false }} volumeMounts: - name: integration-tests-runner mountPath: "/tests/run_tests.sh" diff --git a/tests/integration/fixtures/create-cluster-with-passbolt.sh b/tests/integration/fixtures/create-cluster-with-passbolt.sh index dc8cac5..2f1349c 100644 --- a/tests/integration/fixtures/create-cluster-with-passbolt.sh +++ b/tests/integration/fixtures/create-cluster-with-passbolt.sh 
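Review bot: In both new `value:` lines the pipeline order is wrong — `quote` runs before `default false`. When the value is unset, `quote` yields an empty string (sprig's quote skips nil), so `default` then emits a bare `false`, a YAML boolean that the container `env` `value` field (a string) will reject; when the value is set, `default` is a no-op. Put `quote` last: `value: {{ .Values.integrationTests.rootless | default false | quote }}` and the same for `debug`. That renders `"false"`/`"true"`, which is what the shell-side `[ "$ROOTLESS" == true ]` check later in this series compares against.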
@@ -12,82 +12,83 @@ SSL_KEY_PATH="/tmp/ssl.key" SSL_CERT_PATH="/tmp/ssl.crt" function createKindCluster { - echo "Creating kind cluster: $KIND_CLUSTER_NAME" - "$KIND_BINARY" create cluster --config "$KIND_CLUSTER_CONFIG_FILE" --name "$KIND_CLUSTER_NAME" + echo "Creating kind cluster: $KIND_CLUSTER_NAME" + "$KIND_BINARY" create cluster --config "$KIND_CLUSTER_CONFIG_FILE" --name "$KIND_CLUSTER_NAME" } function installNginxIngress { - "$KUBECTL_BINARY" apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml - "$KUBECTL_BINARY" rollout status deployment ingress-nginx-controller --timeout=120s -n ingress-nginx + "$KUBECTL_BINARY" apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml + "$KUBECTL_BINARY" rollout status deployment ingress-nginx-controller --timeout=120s -n ingress-nginx } function upgradePassboltChart { - local private_key="" - local public_key="" - local fingerprint="" - local jwt_private_key="" - local jwt_public_key="" - private_key=$(kubectl get secret passbolt-sec-gpg --namespace default -o jsonpath="{.data.serverkey_private\.asc}")  ✔ │ 56m 0s  - public_key=$(kubectl get secret passbolt-sec-gpg --namespace default -o jsonpath="{.data.serverkey\.asc}") - fingerprint=$(kubectl exec deploy/passbolt-depl-srv -c passbolt-depl-srv -- grep PASSBOLT_GPG_SERVER_KEY_FINGERPRINT /etc/environment | awk -F= '{gsub(/"/, ""); print $2}') - jwt_private_key=$(kubectl get secret passbolt-sec-jwt --namespace default -o jsonpath="{.data.jwt\.key}") - jwt_public_key=$(kubectl get secret passbolt-sec-jwt --namespace default -o jsonpath="{.data.jwt\.pem}") - "$HELM_BINARY" upgrade -i passbolt . 
\ - -f $HELM_TESTING_VALUES \ - -n default \ - --set integrationTests.debug="$DEBUG" \ - --set gpgServerKeyPrivate="$private_key" \ - --set gpgServerKeyPublic="$public_key" \ - --set passboltEnv.secret.PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="$fingerprint" \ - --set jwtServerPrivate="$jwt_private_key" \ - --set jwtServerPublic="$jwt_public_key" + local private_key="" + local public_key="" + local fingerprint="" + local jwt_private_key="" + local jwt_public_key="" + private_key=$(kubectl get secret passbolt-sec-gpg --namespace default -o jsonpath="{.data.serverkey_private\.asc}")  ✔ │ 56m 0s  + public_key=$(kubectl get secret passbolt-sec-gpg --namespace default -o jsonpath="{.data.serverkey\.asc}") + fingerprint=$(kubectl exec deploy/passbolt-depl-srv -c passbolt-depl-srv -- grep PASSBOLT_GPG_SERVER_KEY_FINGERPRINT /etc/environment | awk -F= '{gsub(/"/, ""); print $2}') + jwt_private_key=$(kubectl get secret passbolt-sec-jwt --namespace default -o jsonpath="{.data.jwt\.key}") + jwt_public_key=$(kubectl get secret passbolt-sec-jwt --namespace default -o jsonpath="{.data.jwt\.pem}") + "$HELM_BINARY" upgrade -i passbolt . \ + -f $HELM_TESTING_VALUES \ + -n default \ + --set integrationTests.debug="$DEBUG" \ + --set integrationTests.rootless="$ROOTLESS" \ + --set gpgServerKeyPrivate="$private_key" \ + --set gpgServerKeyPublic="$public_key" \ + --set passboltEnv.secret.PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="$fingerprint" \ + --set jwtServerPrivate="$jwt_private_key" \ + --set jwtServerPublic="$jwt_public_key" } function installPassboltChart { - if [[ ! -z "$GITLAB_CI" || ! -z "$GITHUB_WORKFLOW" ]]; then - "$HELM_BINARY" repo add bitnami https://charts.bitnami.com/bitnami - "$HELM_BINARY" repo add passbolt-library https://download.passbolt.com/charts/passbolt-library - "$HELM_BINARY" dependency build - fi - if "$HELM_BINARY" status passbolt; then - upgradePassboltChart - else - "$HELM_BINARY" install passbolt . 
-f $HELM_TESTING_VALUES -n default --set integrationTests.debug="$DEBUG" - fi - "$KUBECTL_BINARY" rollout status deployment passbolt-depl-srv --timeout=120s -n default + if [[ ! -z "$GITLAB_CI" || ! -z "$GITHUB_WORKFLOW" ]]; then + "$HELM_BINARY" repo add bitnami https://charts.bitnami.com/bitnami + "$HELM_BINARY" repo add passbolt-library https://download.passbolt.com/charts/passbolt-library + "$HELM_BINARY" dependency build + fi + if "$HELM_BINARY" status passbolt; then + upgradePassboltChart + else + "$HELM_BINARY" install passbolt . -f $HELM_TESTING_VALUES -n default --set integrationTests.debug="$DEBUG" --set integrationTests.rootless="$ROOTLESS" + fi + "$KUBECTL_BINARY" rollout status deployment passbolt-depl-srv --timeout=120s -n default } function createAndInstallSSLCertificates { - local domain="${1-passbolt.local}" - local ssl_key_path="$SSL_KEY_PATH" - local ssl_cert_path="$SSL_CERT_PATH" - "$MKCERT_BINARY" -install - "$MKCERT_BINARY" -cert-file "$ssl_cert_path" -key-file "$ssl_key_path" "$domain" - "$KUBECTL_BINARY" create secret generic mkcert-ca \ - --from-file=rootCA-key.pem=$("$MKCERT_BINARY" -CAROOT)/rootCA-key.pem \ - --from-file=rootCA.pem=$("$MKCERT_BINARY" -CAROOT)/rootCA.pem \ - -n default + local domain="${1-passbolt.local}" + local ssl_key_path="$SSL_KEY_PATH" + local ssl_cert_path="$SSL_CERT_PATH" + "$MKCERT_BINARY" -install + "$MKCERT_BINARY" -cert-file "$ssl_cert_path" -key-file "$ssl_key_path" "$domain" + "$KUBECTL_BINARY" create secret generic mkcert-ca \ + --from-file=rootCA-key.pem=$("$MKCERT_BINARY" -CAROOT)/rootCA-key.pem \ + --from-file=rootCA.pem=$("$MKCERT_BINARY" -CAROOT)/rootCA.pem \ + -n default } function createSecretWithTLS { - local secret_name="$K8S_LOCAL_TLS_SECRET" - local ssl_key_path="$SSL_KEY_PATH" - local ssl_cert_path="$SSL_CERT_PATH" - if "$KUBECTL_BINARY" get secret $secret_name -n default &>/dev/null; then - "$KUBECTL_BINARY" delete secret $secret_name -n default - fi - "$KUBECTL_BINARY" create secret tls 
$secret_name --cert="$ssl_cert_path" --key="$ssl_key_path" -n default + local secret_name="$K8S_LOCAL_TLS_SECRET" + local ssl_key_path="$SSL_KEY_PATH" + local ssl_cert_path="$SSL_CERT_PATH" + if "$KUBECTL_BINARY" get secret $secret_name -n default &>/dev/null; then + "$KUBECTL_BINARY" delete secret $secret_name -n default + fi + "$KUBECTL_BINARY" create secret tls $secret_name --cert="$ssl_cert_path" --key="$ssl_key_path" -n default } function createInfraAndInstallPassboltChart { - if ! "$KUBECTL_BINARY" config view -o jsonpath='{.contexts[*].name}' | grep -q "$KIND_CLUSTER_NAME"; then - createKindCluster - createAndInstallSSLCertificates - createSecretWithTLS - installNginxIngress - installPassboltChart - else - echo "Cluster $KIND_CLUSTER_NAME already exists" - fi + if ! "$KUBECTL_BINARY" config view -o jsonpath='{.contexts[*].name}' | grep -q "$KIND_CLUSTER_NAME"; then + createKindCluster + createAndInstallSSLCertificates + createSecretWithTLS + installNginxIngress + installPassboltChart + else + echo "Cluster $KIND_CLUSTER_NAME already exists" + fi } createInfraAndInstallPassboltChart diff --git a/tests/integration/fixtures/passbolt.sh b/tests/integration/fixtures/passbolt.sh index 91a6611..831c77b 100644 --- a/tests/integration/fixtures/passbolt.sh +++ b/tests/integration/fixtures/passbolt.sh 
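Review bot: The new-side `private_key=$(kubectl get secret passbolt-sec-gpg ...)` line in upgradePassboltChart still carries the trailing `✔ │ 56m 0s` text — if those characters are really in the file and not a rendering artifact of this page, bash parses the assignment as a per-command environment prefix for a command named `✔`, so `private_key` stays empty when the helm upgrade runs; the line should end at the closing parenthesis. The same function calls a bare `kubectl` while the rest of the file goes through `"$KUBECTL_BINARY"`, and `-f $HELM_TESTING_VALUES` is unquoted in both the upgrade and the install branch. Also worth knowing for anyone running this with tracing: the GPG and JWT private keys are passed as `--set` arguments, so they appear in the process table and in any `set -x` output; `--set-file` pointing at a `mktemp` file would keep them off argv. The rest of the hunk is re-indentation.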
@@ -1,73 +1,88 @@ #!/bin/bash function registerPassboltUser { - local firstname=$1 - local lastname=$2 - local email=$3 - registration=$("$KUBECTL_BINARY" exec -it deployment/passbolt-depl-srv -n default -- su -c "bin/cake passbolt register_user -u $email -f $firstname -l $lastname -r admin" -s /bin/bash www-data 2>/dev/null) - _log "$registration" - user_uuid=$(echo "${registration}" | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*" | cut -d/ -f6) - user_token=$(echo "${registration}" | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*" | cut -d/ -f7) + local firstname=$1 + local lastname=$2 + local email=$3 + local register_command="bin/cake passbolt register_user -u $email -f $firstname -l $lastname -r admin" + local command_as_root="su -c \"$register_command\" -s /bin/bash www-data" + if [ "$ROOTLESS" == true ]; then + command=$register_command + else + command=$command_as_root + fi + _log "$KUBECTL_BINARY" exec -it deployment/passbolt-depl-srv -n default -- ${command} >/dev/null + registration=$("$KUBECTL_BINARY" exec -it deployment/passbolt-depl-srv -n default -- ${command}) + _log "$registration" + regex='(https?)://[-[:alnum:]\+&@#/%?=~_|!:,.;]*[-[:alnum:]\+&@#/%=~_|]' + if [[ $registration =~ $regex ]]; then + _log User created on database + else + _log User creation failed + return 1 + fi + user_uuid=$(echo "${registration}" | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*" | cut -d/ -f6) + user_token=$(echo "${registration}" | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*" | cut -d/ -f7) - createGPGKey "$email" + createGPGKey "$email" - _log Registering user on passbolt api... 
- curl -s "https://${PASSBOLT_FQDN}/setup/complete/${user_uuid}" \ - -H "authority: ${PASSBOLT_FQDN}" \ - -H "accept: application/json" \ - -H "content-type: application/json" \ - --data-raw "{\"authenticationtoken\":{\"token\":\"${user_token}\"},\"gpgkey\":{\"armored_key\":\"$(awk '{printf "%s\\n", $0}' public-${email}.asc)\"}}" \ - --compressed >/dev/null - _log User "$email" succesfully registered - # Fixes an issue on the CI, where user with this key isn't found. - sleep 10 + _log Registering user on passbolt api... + curl -s "https://${PASSBOLT_FQDN}/setup/complete/${user_uuid}" \ + -H "authority: ${PASSBOLT_FQDN}" \ + -H "accept: application/json" \ + -H "content-type: application/json" \ + --data-raw "{\"authenticationtoken\":{\"token\":\"${user_token}\"},\"gpgkey\":{\"armored_key\":\"$(awk '{printf "%s\\n", $0}' public-${email}.asc)\"}}" \ + --compressed >/dev/null + _log User "$email" succesfully registered + # Fixes an issue on the CI, where user with this key isn't found. + sleep 10 } function configurePassbolt { - local id=$1 - _log Configuring passbolt cli... - _log $PASSBOLT_CLI_BINARY configure --serverAddress "https://${PASSBOLT_FQDN}" --userPassword "$PASSPHRASE" --userPrivateKeyFile "secret-${id}.asc" - $PASSBOLT_CLI_BINARY configure --serverAddress "https://${PASSBOLT_FQDN}" --userPassword "$PASSPHRASE" --userPrivateKeyFile "secret-${id}.asc" - _log passbolt cli configured + local id=$1 + _log Configuring passbolt cli... 
+ _log $PASSBOLT_CLI_BINARY configure --serverAddress "https://${PASSBOLT_FQDN}" --userPassword "$PASSPHRASE" --userPrivateKeyFile "secret-${id}.asc" + $PASSBOLT_CLI_BINARY configure --serverAddress "https://${PASSBOLT_FQDN}" --userPassword "$PASSPHRASE" --userPrivateKeyFile "secret-${id}.asc" + _log passbolt cli configured } function createPassword { - local name="$1" - local secret="$2" - _log $PASSBOLT_CLI_BINARY create resource --name "${name}" --password "$secret" -j - $PASSBOLT_CLI_BINARY create resource --name "${name}" --password "$secret" -j + local name="$1" + local secret="$2" + _log $PASSBOLT_CLI_BINARY create resource --name "${name}" --password "$secret" -j + $PASSBOLT_CLI_BINARY create resource --name "${name}" --password "$secret" -j } function createPasswordInFolder { - local name="$1" - local secret="$2" - local folder="$3" - _log $PASSBOLT_CLI_BINARY create resource --name "${name}" --password "$secret" -f "$folder" -j - $PASSBOLT_CLI_BINARY create resource --name "${name}" --password "$secret" -f "$folder" -j + local name="$1" + local secret="$2" + local folder="$3" + _log $PASSBOLT_CLI_BINARY create resource --name "${name}" --password "$secret" -f "$folder" -j + $PASSBOLT_CLI_BINARY create resource --name "${name}" --password "$secret" -f "$folder" -j } function createFolder { - local name="$1" - _log $PASSBOLT_CLI_BINARY create folder --name "${name}" -j - $PASSBOLT_CLI_BINARY create folder --name "${name}" -j + local name="$1" + _log $PASSBOLT_CLI_BINARY create folder --name "${name}" -j + $PASSBOLT_CLI_BINARY create folder --name "${name}" -j } function sharePassword { - local id=$1 - local user_id=$2 - local type="$3" - _log $PASSBOLT_CLI_BINARY share resource --id "$id" --user "$user_id" --type "$type" - $PASSBOLT_CLI_BINARY share resource --id "$id" --user "$user_id" --type "$type" + local id=$1 + local user_id=$2 + local type="$3" + _log $PASSBOLT_CLI_BINARY share resource --id "$id" --user "$user_id" --type "$type" + 
$PASSBOLT_CLI_BINARY share resource --id "$id" --user "$user_id" --type "$type" } function getUserIdByUsername { - local username="$1" - _log $PASSBOLT_CLI_BINARY list user --filter "Username == \"$username\"" -j | jq -r .[0].id - $PASSBOLT_CLI_BINARY list user --filter "Username == \"$username\"" -j | jq -r .[0].id + local username="$1" + _log $PASSBOLT_CLI_BINARY list user --filter "Username == \"$username\"" -j | jq -r .[0].id + $PASSBOLT_CLI_BINARY list user --filter "Username == \"$username\"" -j | jq -r .[0].id } function getPasswordSecretById { - local id="$1" - _log "$PASSBOLT_CLI_BINARY" get resource --id "$id" -j | jq -r .password - "$PASSBOLT_CLI_BINARY" get resource --id "$id" -j | jq -r .password + local id="$1" + _log "$PASSBOLT_CLI_BINARY" get resource --id "$id" -j | jq -r .password + "$PASSBOLT_CLI_BINARY" get resource --id "$id" -j | jq -r .password } diff --git a/tests/integration/run_integration_tests.sh b/tests/integration/run_integration_tests.sh index 0076e32..e7880b7 100644 --- a/tests/integration/run_integration_tests.sh +++ b/tests/integration/run_integration_tests.sh 
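Review bot: The `su` branch in registerPassboltUser cannot work as written: `${command}` is expanded unquoted, so `su -c "bin/cake ..."` is word-split and the embedded double quotes become literal characters in the arguments instead of grouping the command (the second patch in this series reworks these lines). Independently of that, the registration URL is matched three times with two different patterns — the `=~` check and two `grep -Eo ... | cut` pipelines; since `[[ =~ ]]` has already captured it, derive both fields from one match, e.g. `user_uuid=$(cut -d/ -f6 <<<"${BASH_REMATCH[0]}")` and `user_token=$(cut -d/ -f7 <<<"${BASH_REMATCH[0]}")`. `registration`, `user_uuid` and `user_token` are assigned without `local` and so leak into the caller's scope; confirm nothing outside the function reads them before adding `local`.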
@@ -19,41 +19,43 @@ LASTNAME="Doe" declare -a DEBUG_MESSAGES function testRunner { - name="$(echo $* | cut -d : -f 1)" - description="$(echo $* | cut -d : -f 2)" - green_text="\033[0;32m" - red_text="\033[0;31m" - reset="\033[0m" - log_file="/tmp/$name-integration-tests.log" - if $name &>${log_file}; then - _echo - echo -e "${green_text}[PASS] $description${reset}" - else - _echo - echo -e "${red_text}[FAIL] $description${reset}" - cat "$log_file" - return 1 - fi + name="$(echo $* | cut -d : -f 1)" + description="$(echo $* | cut -d : -f 2)" + green_text="\033[0;32m" + red_text="\033[0;31m" + reset="\033[0m" + log_file="/tmp/$name-integration-tests.log" + if $name &>${log_file}; then + _echo + echo -e "${green_text}[PASS] $description${reset}" + else + _echo + echo -e "${red_text}[FAIL] $description${reset}" + cat "$log_file" + return 1 + fi } installDependencies +echo Waiting for redis to be ready... +"$KUBECTL_BINARY" wait pod -l app.kubernetes.io/name=redis --for=condition=Ready # install CA from secret values CAROOT=/mkcert "$MKCERT_BINARY" -install addHostsEntry list=( - "testCreateAndDecryptPassword:It_should_create_and_decrypt_a_password" - "testCreateAndRemovePassword:It_should_create_and_remove_a_password" - "testCreateShareAndDecryptPassword:It_should_create_share_and_decrypt_a_password" - "testCreateAndFillFolder:It_should_create_and_fill_a_folder_with_passwords" + "testCreateAndDecryptPassword:It_should_create_and_decrypt_a_password" + "testCreateAndRemovePassword:It_should_create_and_remove_a_password" + "testCreateShareAndDecryptPassword:It_should_create_share_and_decrypt_a_password" + "testCreateAndFillFolder:It_should_create_and_fill_a_folder_with_passwords" ) failed=false for name in "${list[@]}"; do - if ! testRunner "$name"; then - failed=true - fi + if ! testRunner "$name"; then + failed=true + fi done if [ ${failed} == true ]; then - exit 1 + exit 1 fi 
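Review bot: The new `"$KUBECTL_BINARY" wait pod -l app.kubernetes.io/name=redis --for=condition=Ready` has no `--timeout` and no namespace, so it uses kubectl's 30 s default and the current context's namespace, while every other readiness check in this series uses `--timeout=120s -n default`. Its exit status is also not checked, so on a cold cluster (or when no pod matches the selector, which `kubectl wait` reports as an error) the script continues into `addHostsEntry` and the tests anyway; whether the file runs under `set -e` is not visible in the hunk. Suggest `"$KUBECTL_BINARY" wait pod -l app.kubernetes.io/name=redis --for=condition=Ready --timeout=120s -n default || exit 1`. The rest of the hunk is re-indentation.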
diff --git a/tests/integration/tests/create_and_decrypt_test.sh b/tests/integration/tests/create_and_decrypt_test.sh index 3ae7f45..d7eebbd 100644 --- a/tests/integration/tests/create_and_decrypt_test.sh +++ b/tests/integration/tests/create_and_decrypt_test.sh @@ -1,17 +1,17 @@ #!/bin/bash function testCreateAndDecryptPassword { - local value="password-example" - local test_id="$(date +'%s')" - local username="email${test_id}@domain.tld" - _log Running "$test_id" test - registerPassboltUser $FIRSTNAME $LASTNAME "${username}" "$test_id" - configurePassbolt "${username}" - password=$(createPassword "${test_id}" "${value}" "$test_id") - result=$("$PASSBOLT_CLI_BINARY" get resource --id $(echo $password | jq -r .id) -j | jq -r .password) - if [[ "$value" != "$result" ]]; then - >&2 echo "Expected \"$value\", got \"$result\"" - return 1 - fi - _log Test "$test_id" ran succesfully + local value="password-example" + local test_id="$(date +'%s')" + local username="email${test_id}@domain.tld" + _log Running "$test_id" test + registerPassboltUser $FIRSTNAME $LASTNAME "${username}" "$test_id" + configurePassbolt "${username}" + password=$(createPassword "${test_id}" "${value}" "$test_id") + result=$("$PASSBOLT_CLI_BINARY" get resource --id $(echo $password | jq -r .id) -j | jq -r .password) + if [[ "$value" != "$result" ]]; then + >&2 echo "Expected \"$value\", got \"$result\"" + return 1 + fi + _log Test "$test_id" ran succesfully } From b3796928f349db2c756bae208e2197555f32a8bf Mon Sep 17 00:00:00 2001 From: Daniel Del Rio Figueira Date: Wed, 13 Nov 2024 11:33:43 +0100 Subject: [PATCH 2/5] PB-36900: Reworked kubectl exec command to add support for rootless execution --- .../fixtures/create-cluster-with-passbolt.sh | 4 +++- tests/integration/fixtures/passbolt.sh | 11 +++++------ 2 files changed, 8 insertions(+), 7 deletions(-) 
diff --git a/tests/integration/fixtures/create-cluster-with-passbolt.sh b/tests/integration/fixtures/create-cluster-with-passbolt.sh index 2f1349c..1a8a337 100644 --- a/tests/integration/fixtures/create-cluster-with-passbolt.sh +++ b/tests/integration/fixtures/create-cluster-with-passbolt.sh @@ -53,7 +53,9 @@ function installPassboltChart { if "$HELM_BINARY" status passbolt; then upgradePassboltChart else - "$HELM_BINARY" install passbolt . -f $HELM_TESTING_VALUES -n default --set integrationTests.debug="$DEBUG" --set integrationTests.rootless="$ROOTLESS" + "$HELM_BINARY" install passbolt . -f $HELM_TESTING_VALUES -n default \ + --set integrationTests.debug="$DEBUG" \ + --set integrationTests.rootless="$ROOTLESS" fi "$KUBECTL_BINARY" rollout status deployment passbolt-depl-srv --timeout=120s -n default } diff --git a/tests/integration/fixtures/passbolt.sh b/tests/integration/fixtures/passbolt.sh index 831c77b..464fa21 100644 --- a/tests/integration/fixtures/passbolt.sh +++ b/tests/integration/fixtures/passbolt.sh 
@@ -4,15 +4,14 @@ function registerPassboltUser {
 local firstname=$1
 local lastname=$2
 local email=$3
- local register_command="bin/cake passbolt register_user -u $email -f $firstname -l $lastname -r admin"
- local command_as_root="su -c \"$register_command\" -s /bin/bash www-data"
+ local register_command='bin/cake passbolt register_user -u $0 -f $1 -l $2 -r admin'
+ #local command_as_root="su -c "$register_command" -- $email $firstname $lastname -s /bin/bash www-data"
+ #local command_as_www="bash -c "$register_command" -- $email $firstname $lastname"
 if [ "$ROOTLESS" == true ]; then
- command=$register_command
+ registration=$("$KUBECTL_BINARY" exec -it deployment/passbolt-depl-srv -n default -- bash -c "$register_command" $email $firstname $lastname 2>/dev/null)
 else
- command=$command_as_root
+ registration=$("$KUBECTL_BINARY" exec -it deployment/passbolt-depl-srv -n default -- su www-data -c "$register_command" $email $firstname $lastname -s /bin/bash 2>/dev/null)
 fi
- _log "$KUBECTL_BINARY" exec -it deployment/passbolt-depl-srv -n default -- ${command} >/dev/null
- registration=$("$KUBECTL_BINARY" exec -it deployment/passbolt-depl-srv -n default -- ${command})
 _log "$registration"
 regex='(https?)://[-[:alnum:]\+&@#/%?=~_|!:,.;]*[-[:alnum:]\+&@#/%=~_|]'
 if [[ $registration =~ $regex ]]; then
From 2eff75175c98bbf6f4dd82b6f1288b5e775db445 Mon Sep 17 00:00:00 2001
From: Daniel Del Rio Figueira
Date: Wed, 13 Nov 2024 11:45:51 +0100
Subject: [PATCH 3/5] PB-36900: Automate rootless values
---
 .../fixtures/create-cluster-with-passbolt.sh | 33 +++++++++++++++++--
 1 file changed, 31 insertions(+), 2 deletions(-)
diff --git a/tests/integration/fixtures/create-cluster-with-passbolt.sh b/tests/integration/fixtures/create-cluster-with-passbolt.sh
index 1a8a337..3293666 100644
--- a/tests/integration/fixtures/create-cluster-with-passbolt.sh
+++ b/tests/integration/fixtures/create-cluster-with-passbolt.sh
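Review bot: `$email $firstname $lastname` are passed unquoted on both new `kubectl exec` lines, so they are word-split and glob-expanded before reaching `bash -c`/`su -c`, and a value containing a space or `*` shifts the `$0 $1 $2` positions that `register_command` relies on — quote them as `"$email" "$firstname" "$lastname"`. Moving the values out of the command string into positional parameters is the right direction, since they are no longer re-parsed as shell inside the container. The two commented-out `#local command_as_...` lines are dead code and should be removed rather than kept. `2>/dev/null` on both lines discards the only diagnostics when registration fails, which the later `User creation failed` branch then cannot report; consider capturing stderr into the log instead. su's handling of `-s /bin/bash` placed after the user name, and of trailing arguments, differs between implementations (util-linux permutes options, busybox does not), so confirm against the su in the passbolt image.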
@@ -21,6 +21,31 @@ function installNginxIngress { "$KUBECTL_BINARY" rollout status deployment ingress-nginx-controller --timeout=120s -n ingress-nginx } +function http_port { + if [ "$ROOTLESS" == true ]; then + echo 8080 + else + echo 80 + fi +} + +function https_port { + if [ "$ROOTLESS" == true ]; then + echo 4433 + else + echo 443 + fi +} + +function image_tag { + tag="$(awk -F ' ' '/^ tag:/ {print $2}' values.yaml)" + if [ "$ROOTLESS" == true ]; then + echo "$tag"-non-root + else + echo "$tag" + fi +} + function upgradePassboltChart { local private_key="" local public_key="" @@ -33,7 +58,7 @@ function upgradePassboltChart { jwt_private_key=$(kubectl get secret passbolt-sec-jwt --namespace default -o jsonpath="{.data.jwt\.key}") jwt_public_key=$(kubectl get secret passbolt-sec-jwt --namespace default -o jsonpath="{.data.jwt\.pem}") "$HELM_BINARY" upgrade -i passbolt . \ - -f $HELM_TESTING_VALUES \ + -f "$HELM_TESTING_VALUES" \ -n default \ --set integrationTests.debug="$DEBUG" \ --set integrationTests.rootless="$ROOTLESS" \ @@ -41,7 +66,9 @@ function upgradePassboltChart { --set gpgServerKeyPublic="$public_key" \ --set passboltEnv.secret.PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="$fingerprint" \ --set jwtServerPrivate="$jwt_private_key" \ - --set jwtServerPublic="$jwt_public_key" + --set jwtServerPublic="$jwt_public_key" \ + --set service.ports.https.targetPort="$(https_port)" \ + --set service.ports.http.targetPort="$(http_port)" } function installPassboltChart { @@ -54,6 +81,8 @@ function installPassboltChart { upgradePassboltChart else "$HELM_BINARY" install passbolt . -f $HELM_TESTING_VALUES -n default \ + --set service.ports.https.targetPort="$(https_port)" \ + --set service.ports.http.targetPort="$(http_port)" \ --set integrationTests.debug="$DEBUG" \ --set integrationTests.rootless="$ROOTLESS" fi From f55adf3b8a93ee5aa097adca415a19932b260bc6 Mon Sep 17 00:00:00 2001 
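Review bot: In the new `image_tag`, `tag` is assigned without `local`, so it leaks into the caller as a global, and the awk pattern prints `$2` for every line of values.yaml that matches `tag:` at that indent — if the file has more than one such line (another image block, say), `$tag` contains a newline and the `--set app.image.tag` value built from it is garbled. Change to `local tag` and stop at the first hit: `tag="$(awk -F ' ' '/^ tag:/ {print $2; exit}' values.yaml)"`. The `values.yaml` path is also relative to the caller's working directory, which nothing in this hunk establishes. In the last hunk, the install branch still has `-f $HELM_TESTING_VALUES` unquoted while the upgrade branch was just quoted.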
From: Daniel Del Rio Figueira Date: Wed, 13 Nov 2024 12:21:09 +0100 Subject: [PATCH 4/5] PB-36900: Added cicd jobs --- .github/workflows/push_pr_main.yaml | 20 +++++++++++++++++++ .gitlab-ci.yml | 14 +++++++++++++ .../fixtures/create-cluster-with-passbolt.sh | 2 ++ 3 files changed, 36 insertions(+) diff --git a/.github/workflows/push_pr_main.yaml b/.github/workflows/push_pr_main.yaml index 1512599..a741799 100644 --- a/.github/workflows/push_pr_main.yaml +++ b/.github/workflows/push_pr_main.yaml @@ -49,6 +49,16 @@ jobs: - name: Run integration tests run: bash run_tests.sh --integration + integration-tests-mariadb-rootless: + name: Integration Tests Mariadb + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Run integration tests + run: ROOTLESS=true bash run_tests.sh --integration + integration-tests-postgresql: name: Integration Tests Postgresql runs-on: ubuntu-latest @@ -58,3 +68,13 @@ jobs: - name: Run integration tests run: bash run_tests.sh --integration -d postgresql + + integration-tests-postgresql-rootless: + name: Integration Tests Postgresql + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Run integration tests + run: ROOTLESS=true bash run_tests.sh --integration -d postgresql diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index d8cf583..3cf0194 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -32,6 +32,8 @@ test Helm Charts: - bash run_tests.sh --unit integration Tests Helm Charts Mariadb: + variables: + ROOTLESS: false image: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/docker:dind script: - | 
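Review bot: Both new workflow jobs reuse the display name of the job they duplicate — `name: Integration Tests Mariadb` for `integration-tests-mariadb-rootless` and `name: Integration Tests Postgresql` for `integration-tests-postgresql-rootless` — so the two runs are indistinguishable in the checks list and in any branch-protection rule keyed on the check name. Rename them to `name: Integration Tests Mariadb Rootless` and `name: Integration Tests Postgresql Rootless`. The second workflow hunk has the same issue.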
@@ -39,7 +41,14 @@ integration Tests Helm Charts Mariadb: sleep 10 # Wait for docker service bash run_tests.sh --integration +integration Tests Helm Charts Mariadb Rootless: + variables: + ROOTLESS: true + extends: integration Tests Helm Charts Mariadb + integration Tests Helm Charts Postgresql: + variables: + ROOTLESS: false image: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/docker:dind script: - | @@ -47,6 +56,11 @@ integration Tests Helm Charts Postgresql: sleep 10 # Wait for docker service bash run_tests.sh --integration -d postgresql +integration Tests Helm Charts Postgresql Rootless: + variables: + ROOTLESS: true + extends: integration Tests Helm Charts Postgresql + publish: stage: publish image: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/alpine/helm diff --git a/tests/integration/fixtures/create-cluster-with-passbolt.sh b/tests/integration/fixtures/create-cluster-with-passbolt.sh index 3293666..7a0a54f 100644 --- a/tests/integration/fixtures/create-cluster-with-passbolt.sh +++ b/tests/integration/fixtures/create-cluster-with-passbolt.sh @@ -62,6 +62,7 @@ function upgradePassboltChart { -n default \ --set integrationTests.debug="$DEBUG" \ --set integrationTests.rootless="$ROOTLESS" \ + --set app.image.tag="$(image_tag)" \ --set gpgServerKeyPrivate="$private_key" \ --set gpgServerKeyPublic="$public_key" \ --set passboltEnv.secret.PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="$fingerprint" \ @@ -83,6 +84,7 @@ function installPassboltChart { "$HELM_BINARY" install passbolt . -f $HELM_TESTING_VALUES -n default \ --set service.ports.https.targetPort="$(https_port)" \ --set service.ports.http.targetPort="$(http_port)" \ + --set app.image.tag="$(image_tag)" \ --set integrationTests.debug="$DEBUG" \ --set integrationTests.rootless="$ROOTLESS" fi From fe5a5f0f73e0499e78731b524b2c60dab9a4e28a Mon Sep 17 00:00:00 2001 
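Review bot: `ROOTLESS: true` / `ROOTLESS: false` under `variables:` are YAML booleans, and GitLab's documentation says variable values must be strings; if the linter rejects them the whole pipeline fails to parse, so quote them, `ROOTLESS: "true"` and `ROOTLESS: "false"`, which is also exactly what the script's `[ "$ROOTLESS" == true ]` compares against. If your GitLab version accepts booleans this is style only. Using `extends:` with only `variables` overridden is fine, since the merge keeps the base job's image and script.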
From: Daniel Del Rio Figueira Date: Wed, 13 Nov 2024 14:49:42 +0100 Subject: [PATCH 5/5] Bump version to 1.3.0 --- CHANGELOG.md | 8 +++++++- Chart.yaml | 2 +- README.md | 21 ++++++++++++++++++++- README.md.gotmpl | 19 +++++++++++++++++++ 4 files changed, 47 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 79cb1bc..d6248ab 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,7 +3,13 @@ All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org/). -## [Unreleased](https://github.com/passbolt/charts-passbolt/compare/1.2.0...HEAD) +## [Unreleased](https://github.com/passbolt/charts-passbolt/compare/1.3.0...HEAD) + +## [1.3.0] - 2024-11-13 + +### Added + +- Added non-root image support ## [1.2.0] - 2024-10-30 diff --git a/Chart.yaml b/Chart.yaml index f9b29df..37255f6 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.2.0 +version: 1.3.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/README.md b/README.md index e75911d..db4bb4e 100644 --- a/README.md +++ b/README.md 
@@ -4,7 +4,7 @@ passbolt sails kubernetes -![Version: 1.2.0](https://img.shields.io/badge/Version-1.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.9.1-1-ce](https://img.shields.io/badge/AppVersion-4.9.1--1--ce-informational?style=flat-square) +![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.9.1-1-ce](https://img.shields.io/badge/AppVersion-4.9.1--1--ce-informational?style=flat-square) Passbolt is an open source, security first password manager with strong focus on collaboration. @@ -74,6 +74,25 @@ helm install my-release my-repo The above command deploys passbolt with default settings on your kubernetes cluster. Check the [configuration](#Configuration) section to check which parameters you can fine tune. +## Use passbolt non-root image + +In case you want to use the non-root passbolt image, there are a few changes that you have to introduce on your values file: + +```bash +app: + image: + tag: + +service: + ports: + https: + targetPort: 4433 + http: + targetPort: 8080 +``` + +With these changes you should be able to run passbolt on a container executed by www-data user. + ## Creating first user Once the chart is deployed, you can create your first user by running the following command: diff --git a/README.md.gotmpl b/README.md.gotmpl index a59b221..7a33da8 100644 --- a/README.md.gotmpl +++ b/README.md.gotmpl 
@@ -74,6 +74,25 @@ helm install my-release my-repo The above command deploys passbolt with default settings on your kubernetes cluster. Check the [configuration](#Configuration) section to check which parameters you can fine tune. +## Use passbolt non-root image + +In case you want to use the non-root passbolt image, there are a few changes that you have to introduce on your values file: + +```bash +app: + image: + tag: + +service: + ports: + https: + targetPort: 4433 + http: + targetPort: 8080 +``` + +With these changes you should be able to run passbolt on a container executed by www-data user. + ## Creating first user Once the chart is deployed, you can create your first user by running the following command: