-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TestCore with KV v2 doesn't generate metadata #8440
Comments
Hello -
Lines 125 to 133 in 6c45080
There, a Lines 881 to 888 in 17361f2
Contrast that with something like Lines 83 to 97 in 17361f2
That setups an unsealed vault cluster configured with a normal KV backend defined here: Lines 41 to 47 in 17361f2
That core config eventually gets used in Line 1100 in 6c45080
Granted that vault/builtin/logical/pki/ca_test.go Lines 28 to 42 in 6c45080
The factory function is defined inline there, but for KV you'd want to reference the KV factory defined in that plugin: Unfortunately in the end Hopefully this addresses your questions! |
@catsby Thank you for the really thorough answer! I've successfully refactored my tests to use I assume you might want to keep the issue around to maybe get some documentation about the limitation in |
Thanks for following up, @glindstedt. I'll leave this open as you suggest, I'm not honestly sure why |
I figure since I just ran headlong into this issue myself that I’d like to thank you both for documenting and explaining this issue, and that I should stand up and be counted as another person this affects. I was writing tests to verify that I was working appropriately with versioned KV v2 data when I found that the responses from the TestCoreUnsealed server contained my data, but were structurally unlike the documented responses. In terms of alternatives to TestCoreUnsealed, upon discovering testVaultServerUnseal in the code, I was excited when I saw how straightforward it was to use testVaultServerUnseal in the command tests and then immediately crestfallen when I realized it was only defined in the test file and not exported. I think it would be very cool if that could become accessible to folks writing tests since it so elegantly provides the needed test server. I thought I’d be able to get by with TestCoreUnsealed, but with this limitation that’s definitely not the case. +1 to encouraging that its limitations should be better documented. For my part, I’ll also transition my tests over to NewTestCluster along the lines you’ve described. Thanks again! |
Thanks for the input @mwodrich , I'm sorry for your troubles. This and other comments have been taken to heart and internally we're discussing and working on improvements to our current tests and tools/methods to improve future testing. I don't have a timeline so please bear with us, but we are working on it 😄 |
@glindstedt can you please provide a sample code, im having a hard time figuring this out |
@innovia Here's the helper function we're using to start the test cluster and add a KV v2 mount: import (
kv "github.com/hashicorp/vault-plugin-secrets-kv"
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/sdk/logical"
vaulthttp "github.com/hashicorp/vault/http"
hashivault "github.com/hashicorp/vault/vault"
)
func createVaultTestCluster(t *testing.T) *hashivault.TestCluster {
t.Helper()
coreConfig := &hashivault.CoreConfig{
LogicalBackends: map[string]logical.Factory{
"kv": kv.Factory,
},
}
cluster := hashivault.NewTestCluster(t, coreConfig, &hashivault.TestClusterOptions{
HandlerFunc: vaulthttp.Handler,
})
cluster.Start()
// Create KV V2 mount
if err := cluster.Cores[0].Client.Sys().Mount("kv", &api.MountInput{
Type: "kv",
Options: map[string]string{
"version": "2",
},
}); err != nil {
t.Fatal(err)
}
return cluster
}
func TestSomething(t *testing.T) {
cluster := createVaultTestCluster(t)
defer cluster.Cleanup()
rootVaultClient := cluster.Cores[0].Client
// do your testing
} Hope it helps! |
Thanks a lot! @glindstedt this is extremely helpful! Its working fine, my mistake for misplacing defer and closing the connection right before i vene started tests. |
Wanted to add the proper way of setting up a v2 secret KV version 2 expects the values to be in a Data map: https://www.vaultproject.io/api/secret/kv/kv-v2.html#data secret["data"] = map[string]interface{}{
"value": pass,
}```
and the path to write the secret must have the `/data` prefix after the secret kv name
`secrets/v2/data/plain/secrets/path/app` |
Prefer NeseTestCluster over TestCoreUnsealed for v2. hashicorp/vault#8440
Hi folks, |
@glindstedt any further updates here? - is issue still applicable or anything further pending? |
Due to issue age and quiescence, I'm going to go ahead and close this now. Please feel free to re-open as needed. Thanks! |
Describe the bug
While using the
TestCore
in the testing module to write integration tests, and mounting a KV v2 key-value store, it seems like it does not behave the same as a proper vault deployment, unless I'm missing some fundamental part of the setup process. Normally when creating a secret through the HTTP api underkv/data/test
a matching metadata entry would get created underkv/metadata/test
, however this does not seem to happen when usingTestCore
.To Reproduce
This test displays the issue:
Expected behavior
That the appropriate metadata entry would be created with the new secret.
Environment:
The text was updated successfully, but these errors were encountered: