e2e.workloadsecret: add test to check for equality of set workload se…

…crets
edgelesssys · Dec 23, 2024 · 379e448 · 379e448
1 parent f5bf718
commit 379e448
Showing 1 changed file with 41 additions and 0 deletions.
diff --git a/e2e/workloadsecret/workloadsecret_test.go b/e2e/workloadsecret/workloadsecret_test.go
@@ -130,6 +130,47 @@ func TestWorkloadSecrets(t *testing.T) {
 		require.Len(emojiWorkloadSecretBytes, constants.SecretSeedSize)
 		require.NotEqual(webWorkloadSecretBytes, emojiWorkloadSecretBytes)
 	})
+
+	t.Run("workload secrets seeds can be set to be equal for different deployments", func(t *testing.T) {
+		require := require.New(t)
+		ctx, cancel := context.WithTimeout(context.Background(), ct.FactorPlatformTimeout(60*time.Second))
+		defer cancel()
+
+		ct.PatchManifest(t, ct.Platform, patchWorkloadSecretID, "web", "emoji")
+
+		t.Run("set", ct.Set)
+		require.NoError(ct.Kubeclient.Restart(ctx, kubeclient.Deployment{}, ct.Namespace, "web"))
+		require.NoError(ct.Kubeclient.WaitFor(ctx, kubeclient.Ready, kubeclient.Deployment{}, ct.Namespace, "web"))
+
+		webPods, err = ct.Kubeclient.PodsFromDeployment(ctx, ct.Namespace, "web")
+		require.NoError(err)
+		require.Len(webPods, 2, "pod not found: %s/%s", ct.Namespace, "web")
+
+		stdout, stderr, err := ct.Kubeclient.Exec(ctx, ct.Namespace, webPods[0].Name, []string{"/bin/sh", "-c", "cat /contrast/secrets/workload-secret-seed"})
+		require.NoError(err, "stderr: %q", stderr)
+		require.NotEmpty(stdout)
+		webWorkloadSecretBytes, err = hex.DecodeString(stdout)
+		require.NoError(err)
+		require.Len(webWorkloadSecretBytes, constants.SecretSeedSize)
+		require.Equal(webWorkloadSecretBytes, emojiWorkloadSecretBytes)
+	})
+}
+
+// patchWorkloadSecretID allows to overwrite the workload secret specified in string args[0] with args[1]
+// in the current manifest.
+func patchWorkloadSecretID(m *manifest.Manifest, _ platforms.Platform, args ...interface{}) {
+	if len(args) > 0 {
+		if expectedWorkloadSecretID, ok := args[0].(string); ok {
+			if patchWorkloadSecretID, ok := args[1].(string); ok {
+				for key, policy := range m.Policies {
+					if policy.WorkloadSecretID == expectedWorkloadSecretID {
+						policy.WorkloadSecretID = patchWorkloadSecretID
+						m.Policies[key] = policy
+					}
+				}
+			}
+		}
+	}
 }
 
 func TestMain(m *testing.M) {