Functional tests for HSM Support

Signed-off-by: Mauricio Harley <[email protected]>

tests/functional/barbican_controller_test.go

@@ -422,6 +422,77 @@ var _ = Describe("Barbican controller", func() {
 		})
 	})
 
+	When("A Barbican with HSM is created", func() {
+		BeforeEach(func() {
+			DeferCleanup(th.DeleteInstance, CreateBarbican(barbicanTest.Instance, GetHSMBarbicanSpec()))
+			DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanMessageBusSecret(barbicanTest.Instance.Namespace, barbicanTest.RabbitmqSecretName))
+			DeferCleanup(th.DeleteInstance, CreateBarbicanAPI(barbicanTest.Instance, GetHSMBarbicanAPISpec()))
+			DeferCleanup(k8sClient.Delete, ctx, CreateKeystoneAPISecret(barbicanTest.Instance.Namespace, SecretName))
+			DeferCleanup(
+				mariadb.DeleteDBService,
+				mariadb.CreateDBService(
+					barbicanTest.Instance.Namespace,
+					GetBarbican(barbicanTest.Instance).Spec.DatabaseInstance,
+					corev1.ServiceSpec{
+						Ports: []corev1.ServicePort{{Port: 3306}},
+					},
+				),
+			)
+			infra.SimulateTransportURLReady(barbicanTest.BarbicanTransportURL)
+			DeferCleanup(keystone.DeleteKeystoneAPI, keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace))
+			mariadb.SimulateMariaDBAccountCompleted(barbicanTest.BarbicanDatabaseAccount)
+			//mariadb.SimulateMariaDBTLSDatabaseCompleted(barbicanTest.BarbicanDatabaseName)
+			th.SimulateJobSuccess(barbicanTest.BarbicanDBSync)
+		})
+
+		It("Creates BarbicanAPI", func() {
+			/*DeferCleanup(k8sClient.Delete, ctx, th.CreateCABundleSecret(barbicanTest.CABundleSecret))
+			DeferCleanup(k8sClient.Delete, ctx, th.CreateCertSecret(barbicanTest.InternalCertSecret))
+			DeferCleanup(k8sClient.Delete, ctx, th.CreateCertSecret(barbicanTest.PublicCertSecret))*/
+			keystone.SimulateKeystoneEndpointReady(barbicanTest.BarbicanKeystoneEndpoint)
+
+			th.ExpectCondition(
+				barbicanTest.Instance,
+				ConditionGetterFunc(BarbicanAPIConditionGetter),
+				condition.TLSInputReadyCondition,
+				corev1.ConditionTrue,
+			)
+
+			BarbicanAPIExists(barbicanTest.Instance)
+
+			d := th.GetDeployment(barbicanTest.BarbicanAPI)
+			// Check the resulting deployment fields
+			Expect(int(*d.Spec.Replicas)).To(Equal(1))
+
+			Expect(d.Spec.Template.Spec.Volumes).To(HaveLen(6))
+			Expect(d.Spec.Template.Spec.Containers).To(HaveLen(2))
+
+			// cert deployment volumes
+			/*th.AssertVolumeExists(barbicanTest.CABundleSecret.Name, d.Spec.Template.Spec.Volumes)
+			th.AssertVolumeExists(barbicanTest.InternalCertSecret.Name, d.Spec.Template.Spec.Volumes)
+			th.AssertVolumeExists(barbicanTest.PublicCertSecret.Name, d.Spec.Template.Spec.Volumes)
+
+			// cert volumeMounts
+			container := d.Spec.Template.Spec.Containers[1]
+			th.AssertVolumeMountExists(barbicanTest.InternalCertSecret.Name, "tls.key", container.VolumeMounts)
+			th.AssertVolumeMountExists(barbicanTest.InternalCertSecret.Name, "tls.crt", container.VolumeMounts)
+			th.AssertVolumeMountExists(barbicanTest.PublicCertSecret.Name, "tls.key", container.VolumeMounts)
+			th.AssertVolumeMountExists(barbicanTest.PublicCertSecret.Name, "tls.crt", container.VolumeMounts)
+			th.AssertVolumeMountExists(barbicanTest.CABundleSecret.Name, "tls-ca-bundle.pem", container.VolumeMounts)
+
+			Expect(container.ReadinessProbe.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTPS))
+			Expect(container.LivenessProbe.HTTPGet.Scheme).To(Equal(corev1.URISchemeHTTPS))*/
+		})
+
+		It("should create config-data and scripts ConfigMaps", func() {
+			cf := th.GetSecret(barbicanTest.BarbicanConfigSecret)
+			Expect(cf).ShouldNot(BeNil())
+			conf := cf.Data["my.cnf"]
+			Expect(conf).To(
+				ContainSubstring("[client]\nssl-ca=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem\nssl=1"))
+		})
+	})
+
 	// Run MariaDBAccount suite tests.  these are pre-packaged ginkgo tests
 	// that exercise standard account create / update patterns that should be
 	// common to all controllers that ensure MariaDBAccount CRs.

tests/functional/base_test.go

@@ -123,7 +123,6 @@ func BarbicanKeystoneListenerNotExists(name types.NamespacedName) {
 	}, timeout, interval).Should(Succeed())
 }
 
-// ========== TLS Stuff ==============
 func BarbicanAPIConditionGetter(name types.NamespacedName) condition.Conditions {
 	instance := GetBarbicanAPI(name)
 	return instance.Status.Conditions
@@ -145,6 +144,7 @@ func GetBarbicanAPI(name types.NamespacedName) *barbicanv1.BarbicanAPI {
 	return instance
 }
 
+// ========== TLS Stuff ==============
 func GetTLSBarbicanSpec() map[string]interface{} {
 	return map[string]interface{}{
 		"databaseInstance":          "openstack",
@@ -172,6 +172,39 @@ func GetTLSBarbicanAPISpec() map[string]interface{} {
 	return spec
 }
 
+// ========== End of TLS Stuff ============
+
+// ========== HSM Stuff ============
+func GetHSMBarbicanSpec() map[string]interface{} {
+	return map[string]interface{}{
+		"databaseInstance":          "openstack",
+		"secret":                    SecretName,
+		"simpleCryptoBackendSecret": SecretName,
+		"barbicanAPI":               GetHSMBarbicanAPISpec(),
+	}
+}
+
+func GetHSMBarbicanAPISpec() map[string]interface{} {
+	spec := GetDefaultBarbicanAPISpec()
+	maps.Copy(spec, map[string]interface{}{
+		"enabledSecretStores":      []string{"pkcs11"},
+		"globalDefaultSecretStore": "pkcs11",
+		"pkcs11": map[string]interface{}{
+			"type":          "luna", // Using them Luna model without any specific selection criteria.
+			"libraryPath":   "/usr/local/luna/libs/64/libCryptoki2.so",
+			"slotId":        "1",
+			"MKEKLabel":     "MKEKLabel",
+			"HMACLabel":     "HMACLabel",
+			"serverAddress": "192.168.0.1",
+			"clientAddress": "192.168.0.2",
+			"loginSecret":   "dummy-secret",
+		},
+	})
+	return spec
+}
+
+// ========== End of HSM Stuff ============
+
 func GetDefaultBarbicanAPISpec() map[string]interface{} {
 	return map[string]interface{}{
 		"secret":                    SecretName,