automated testing

additionally patching fixes for clientserver downloads not available
securesign · Dec 16, 2023 · c04eb3a · c04eb3a
1 parent a2d866d
commit c04eb3a
Show file tree

Hide file tree

Showing 2 changed files with 145 additions and 0 deletions.
diff --git a/automated-testing.sh b/automated-testing.sh
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+## Enablement, script meant for linux and OSX
+
+## Self-signed cert check, fix in place for mac, thank you @sabre1041, need one for linux
+### Deps: oc, curl
+oc_console_route=$(oc get route console -n openshift-console | grep "console-openshift-console" | awk '{print $2}')
+https_curl_response=$(curl -X GET https://$oc_console_route &> /dev/null)
+https_curl_status=$(echo $?)
+
+if [[ $https_curl_status == "60" ]]; then
+    echo "self-signed cert for cluster"
+    if [[ $(uname) == "Darwin" ]]; then
+        ./configure-local-env.sh
+        echo "certificate should be imported to OSX keychain, trying again"
+        https_curl_response=$(curl -X GET https://$oc_console_route &> /dev/null)
+        https_curl_status=$(echo $?)
+        if [[ $https_curl_status != "0" ]]; then
+            echo "Error: \`curl -X GET https://$oc_console_route produced status code $https_curl_status \`"
+            exit 1
+        fi
+    else 
+        echo  "currently no option scripted for linux, please add the certificate for your cluster to your trusted store and continue"
+        exit 1
+    fi
+fi
+
+source ./tas-env-variables.sh
+
+## Binary testing
+### Deps: jq, yq, 
+clientserver_namespace=$(cat charts/trusted-artifact-signer/values.yaml | yq .configs.clientserver.namespace)
+OS_FAMILY=$(uname | tr '[:upper:]' '[:lower:]')
+ARCH=$(uname -m)
+
+#### Cosign
+binary="cosign"
+cosign_download_link=""
+if [[ $OS_FAMILY == "linux" && $ARCH == "amd64" ]]; then
+    cosign_download_link="https://$clientserver_namespace.$BASE_HOSTNAME/clients/$OS_FAMILY/$binary.gz"
+else
+    cosign_download_options=($(oc get -n $clientserver_namespace consoleclidownloads.console.openshift.io cosign -o json | jq ".spec.links[].href"))
+    for cosign_download_option in "${cosign_download_options[@]}"; do
+        if [[ $cosign_download_option == "https://$clientserver_namespace.$BASE_HOSTNAME/clients/$OS_FAMILY/$binary-$ARCH.gz" ]]; then
+            cosign_download_link=$cosign_download_option
+        fi
+    done
+fi
+
+if [[ -z $cosign_download_link ]]; then
+    echo  "error getting cosign download link"
+    exit 1 #THIS IS A TEMPORARY PLACEHOLDER
+fi
+
+cosign_download=$(curl -sL $cosign_download_link -o /tmp/cosign-$OS_FAMIL-$ARCH.gz)
+not_found_html_string="<head>
+<title>404 Not Found</title>
+</head>"
+if [[ $(cat $cosign_download | grep )]]
+
+
+# 2 options for testing cosign, could test by downloading the binary from console-cli-downloads, or we could use the cosign pod with kubectl exec
+# 1. download the binary from cluster
+
+
+# for binary in "${!binaries[@]}"; do
+#     oc get consoleclidownloads.console.openshift.io cosign -n openshift-console -o json | jq ".spec.links[].href"
+
+# cosign_options=$(oc get consoleclidownloads.console.openshift.io cosign -n openshift-console -o json | jq ".spec.links")
+# 2. kubectl exec (in progress)
+    # cosign_pod=$(oc get pods -n cosign | tail -n 1 | awk '{print $1}')1
+    # kubectl exec -n cosign $cosign_pod 
+    # oc rsh $cosign_pod
+
+# cosign --help
diff --git a/configure-local-env.sh b/configure-local-env.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+CERT_FILE_PREFIX="tmp-cert"
+KUBECTL_TOOL="kubectl"
+CERT_ACTION="add"
+TEMPDIR=$(mktemp -d -t rhtas-certs -p /tmp)
+trap 'rm -r "${TEMPDIR}"' EXIT
+
+function display_help {
+  echo "./$(basename "$0") [ -a | --apps-domain APPS_DOMAIN ] [ -gr | --gitops-namespace NAMESPACE ] [ -h | --help ] [ -hr | --helm-revision REVISION ] [ -hr | --helm-repository REPOSITORY ] [ -t | --tool TOOL ]
+
+Deployment of Argo CD Applications to support the managment of SPIFFE/SPIRE on OpenShift
+
+Where:
+  -d  | --delete            Delete certificates from OSX Keychain
+  -h  | --help              Display this help text
+  -t  | --tool              Tool for communicating with OpenShift cluster. Defaults to '${KUBECTL_TOOL}'
+
+"
+}
+
+
+for i in "${@}"
+do
+case $i in
+    -d | --delete )
+    CERT_ACTION="delete"
+    shift
+    ;;
+    -t | --tool )
+    KUBECTL_TOOL="${1}"
+    shift
+    ;;
+    -h | --help )
+    display_help
+    exit 0
+    ;;
+    -*) echo >&2 "Invalid option: " "${@}"
+    exit 1
+    ;;
+esac
+done
+
+# Check if split is installed
+command -v split >/dev/null 2>&1 || { echo >&2 "split is required but not installed.  Aborting."; exit 1; }
+
+# Check if kubectl or compatible is installed
+command -v ${KUBECTL_TOOL} >/dev/null 2>&1 || { echo >&2 "kubectl tool is required but not installed.  Aborting."; exit 1; } 
+
+# Grab the Kube Root Certificates
+${KUBECTL_TOOL} get -n default cm kube-root-ca.crt -o jsonpath='{.data.ca\.crt}' > ${TEMPDIR}/ca.crt
+
+# Split Certificates from bundle
+split -p "-----BEGIN CERTIFICATE-----" "${TEMPDIR}/ca.crt" ${TEMPDIR}/cert-
+
+# Find the ingress-operator certificte and add/remove it to/from the OSX keystore
+for f in ${TEMPDIR}/cert-*; do
+    COMMON_NAME=$(openssl x509 -subject -noout -nameopt multiline -in $f | grep commonName | awk '{ print $3 }')
+    if echo "${COMMON_NAME}" | grep -q "^ingress-operator"; then
+      if [ "${CERT_ACTION}" == "delete" ]; then
+        security find-certificate -c "${COMMON_NAME}" -a -Z | sudo awk '/SHA-1/{system("security delete-certificate -Z "$NF)}'
+        echo "'${COMMON_NAME}' removed from keychain"
+      else
+        sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "${f}"
+        echo "'${COMMON_NAME}' added to keychain"
+      fi
+    fi
+done