[bitnami/oauth2-proxy] Add tests and publishing using VIB (#13349)

* [bitnami/oauth2-proxy] Add tests Signed-off-by: Jose Antonio Carmona <jcarmona@vmware.com> * Publish using VIB Signed-off-by: Jose Antonio Carmona <jcarmona@vmware.com> * Remove redis arch from runtime_params Signed-off-by: Jose Antonio Carmona <jcarmona@vmware.com> * Add explanations on Cypress tests Signed-off-by: Jose Antonio Carmona <jcarmona@vmware.com> * Improve tests by adding DEX support Signed-off-by: Jose Antonio Carmona <jcarmona@vmware.com> Signed-off-by: Jose Antonio Carmona <jcarmona@vmware.com>
2026-04-02 07:17:26 +08:00 · 2022-11-30 11:56:38 +01:00
parent 3e104e7f58
commit 5e6a037c94
9 changed files with 155 additions and 2 deletions
--- a/.vib/oauth2-proxy/cypress/cypress.json
+++ b/.vib/oauth2-proxy/cypress/cypress.json
@@ -0,0 +1,11 @@
+{
+  "chromeWebSecurity": false,
+  "hosts": {
+    "vmware-oauth2-proxy.my": "{{TARGET_IP}}"
+  },
+  "env": {
+    "upstreamURL": "/bitnami/oauth2-proxy/conf/",
+    "upstreamContent": "oauth2_proxy.cfg",
+    "dexPort": "5556"
+  }
+}
--- a/.vib/oauth2-proxy/cypress/cypress/integration/oauth2-proxy_spec.js
+++ b/.vib/oauth2-proxy/cypress/cypress/integration/oauth2-proxy_spec.js
@@ -0,0 +1,18 @@
+/// <reference types="cypress" />
+
+it('allows to access auth-protected resource', () => {
+  // DEX is deployed at localhost:5556, which is not exposed. In order to prevent failed redirections
+  // to this port, direct interaction (e.g. clicking) is generally avoided.
+
+  // OAuth2
+  cy.safeRedirectVisit(`/oauth2/start?rd=${Cypress.env('upstreamURL')}`);
+
+  // DEX UI
+  cy.contains('a', 'Log in with Example').invoke('attr', 'href').then((url) => {
+    cy.safeRedirectVisit(url);
+  })
+  cy.contains('button', 'Grant Access').click();
+
+  // Back to OAuth2: Auth-protected resource
+  cy.contains(Cypress.env('upstreamContent'));
+});
--- a/.vib/oauth2-proxy/cypress/cypress/support/commands.js
+++ b/.vib/oauth2-proxy/cypress/cypress/support/commands.js
@@ -0,0 +1,21 @@
+const BASE_URL = 'http://vmware-oauth2-proxy.my';
+
+// DEX is deployed at localhost:5556/dex/, which is not exposed (only port 80 is).
+// A proxy pass in localhost/dex/ is configured to allow communication with it, but
+// the UI keeps referring to the original 5556 port. This command allows to access
+// DEX using the proxy path instead of the port.
+Cypress.Commands.add(
+  'safeRedirectVisit',
+  (initialUrl, dexPort = Cypress.env('dexPort')) => {
+    cy.request({
+      url: `${BASE_URL}${initialUrl}`,
+      followRedirect: false,
+    }).then((req) => {
+      const scopedRedirectedUrl = req.redirectedToUrl.replace(
+        `:${dexPort}`,
+        ''
+      );
+      cy.visit(scopedRedirectedUrl);
+    });
+  }
+);
--- a/.vib/oauth2-proxy/cypress/cypress/support/index.js
+++ b/.vib/oauth2-proxy/cypress/cypress/support/index.js
@@ -0,0 +1,20 @@
+// ***********************************************************
+// This example support/index.js is processed and
+// loaded automatically before your test files.
+//
+// This is a great place to put global configuration and
+// behavior that modifies Cypress.
+//
+// You can change the location of this file or turn off
+// automatically serving support files with the
+// 'supportFile' configuration option.
+//
+// You can read more here:
+// https://on.cypress.io/configuration
+// ***********************************************************
+
+// Import commands.js using ES2015 syntax:
+import './commands'
+
+// Alternatively you can use CommonJS syntax:
+// require('./commands')
--- a/.vib/oauth2-proxy/goss/goss.yaml
+++ b/.vib/oauth2-proxy/goss/goss.yaml
@@ -0,0 +1,18 @@
+http:
+  http://localhost:{{ .Vars.containerPort }}:
+    status: 403
+file:
+  /var/run/secrets/kubernetes.io/serviceaccount:
+    exists: {{ .Vars.serviceAccount.automountServiceAccountToken }}
+    filetype: directory
+    mode: "3777"
+command:
+  check-redis-auth:
+    exec: \[ $OAUTH2_PROXY_REDIS_PASSWORD = {{ .Vars.redis.auth.password }} ]
+    exit-status: 0
+  check-user-info:
+    exec: id
+    exit-status: 0
+    stdout:
+    - uid={{ .Vars.containerSecurityContext.runAsUser }}
+    - /groups=.*{{ .Vars.podSecurityContext.fsGroup }}/
--- a/.vib/oauth2-proxy/goss/vars.yaml
+++ b/.vib/oauth2-proxy/goss/vars.yaml
@@ -0,0 +1,10 @@
+containerPort: 4181
+podSecurityContext:
+  fsGroup: 1002
+containerSecurityContext:
+  runAsUser: 1002
+serviceAccount:
+  automountServiceAccountToken: true
+redis:
+  auth:
+    password: oauth2-vib-password
--- a/.vib/oauth2-proxy/vib-publish.json
+++ b/.vib/oauth2-proxy/vib-publish.json
@@ -22,7 +22,7 @@
          "url": "{SHA_ARCHIVE}",
          "path": "/bitnami/oauth2-proxy"
        },
-        "runtime_parameters": "InJlZGlzIjoKICAiYXV0aCI6CiAgICAicGFzc3dvcmQiOiAiam5kZkRGZiIKInNlcnZpY2UiOgogICJwb3J0IjogODAKICAidHlwZSI6ICJMb2FkQmFsYW5jZXIi",
+        "runtime_parameters": "c2VydmljZToKICB0eXBlOiBMb2FkQmFsYW5jZXIKICBwb3J0OiA4MApjb25maWd1cmF0aW9uOgogIGNsaWVudElEOiB2aWItZGV4LWNsaWVudAogIGNsaWVudFNlY3JldDogWlhoaGJYQnNaUzFoY0hBdGMyVmpjbVYwCiAgY29va2llU2VjcmV0OiB2aWItdGVzdHMtY29va2llCiAgY29udGVudDogfAogICAgZW1haWxfZG9tYWlucyA9IFsgIioiIF0KICAgIHByb3ZpZGVyID0gIm9pZGMiCiAgICBvaWRjX2lzc3Vlcl91cmwgPSAiaHR0cDovL3Ztd2FyZS1vYXV0aDItcHJveHkubXk6NTU1Ni9kZXgiCiAgICByZWRpcmVjdF91cmwgPSAiaHR0cDovL3Ztd2FyZS1vYXV0aDItcHJveHkubXkvb2F1dGgyL2NhbGxiYWNrIgogICAgY29va2llX3NlY3VyZSA9IGZhbHNlCiAgICBza2lwX2F1dGhfcm91dGVzID0gWyAiXlwvZGV4XC8uKiIgXQogICAgdXBzdHJlYW1zID0gWyAiZmlsZTovLy9iaXRuYW1pL29hdXRoMi1wcm94eS9jb25mLyIsICJodHRwOi8vdm13YXJlLW9hdXRoMi1wcm94eS5teTo1NTU2L2RleC8iIF0KY29udGFpbmVyUG9ydDogNDE4MQpob3N0QWxpYXNlczoKICAtIGlwOiAiMTI3LjAuMC4xIgogICAgaG9zdG5hbWVzOgogICAgICAtICJ2bXdhcmUtb2F1dGgyLXByb3h5Lm15Igpwb2RTZWN1cml0eUNvbnRleHQ6CiAgZW5hYmxlZDogdHJ1ZQogIGZzR3JvdXA6IDEwMDIKY29udGFpbmVyU2VjdXJpdHlDb250ZXh0OgogIGVuYWJsZWQ6IHRydWUKICBydW5Bc1VzZXI6IDEwMDIKc2VydmljZUFjY291bnQ6CiAgY3JlYXRlOiB0cnVlCiAgYXV0b21vdW50U2VydmljZUFjY291bnRUb2tlbjogdHJ1ZQpyZWRpczoKICBlbmFibGVkOiB0cnVlCiAgYXV0aDoKICAgIGVuYWJsZWQ6IHRydWUKICAgIHBhc3N3b3JkOiBvYXV0aDItdmliLXBhc3N3b3JkCnNpZGVjYXJzOgogIC0gbmFtZTogZGV4CiAgICBpbWFnZTogYml0bmFtaS9kZXgKICAgIGFyZ3M6IFsic2VydmUiLCAiL2NvbmZpZy9jb25maWcueWFtbCJdCiAgICBwb3J0czoKICAgICAgLSBuYW1lOiBodHRwCiAgICAgICAgY29udGFpbmVyUG9ydDogNTU1NgogICAgdm9sdW1lTW91bnRzOgogICAgICAtIG5hbWU6IGRleC12aWItY29uZmlnCiAgICAgICAgbW91bnRQYXRoOiAvY29uZmlnCmV4dHJhVm9sdW1lczoKICAtIG5hbWU6IGRleC12aWItY29uZmlnCiAgICBjb25maWdNYXA6CiAgICAgIG5hbWU6IGRleC12aWItY29uZmlnCmV4dHJhRGVwbG95OgogIC0gYXBpVmVyc2lvbjogdjEKICAgIGtpbmQ6IENvbmZpZ01hcAogICAgbWV0YWRhdGE6CiAgICAgIG5hbWU6IGRleC12aWItY29uZmlnCiAgICBkYXRhOgogICAgICBjb25maWcueWFtbDogfC0KICAgICAgICBpc3N1ZXI6IGh0dHA6Ly92bXdhcmUtb2F1dGgyLXByb3h5Lm15OjU1NTYvZGV4CiAgICAgICAgc3RvcmFnZToKICAgICAgICAgIHR5cGU6IHNxbGl0ZTMKICAgICAgICAgIGNvbmZpZzoKICAgICAgICAgICAgZmlsZTogL3RtcC9kZXguZGIKICAgICAgICB3ZWI6CiAgICAgICAgICBodHRwOiAwLjAuMC4wOjU1NTYKICAgICAgICBmcm9udGVuZDoKICAgICAgICAgIGRpcjogL29wdC9iaXRuYW1pL2RleC93ZWIKICAgICAgICBzdGF0aWNDbGllbnRzOgogICAgICAgICAgLSBpZDogdmliLWRleC1jbGllbnQKICAgICAgICAgICAgcmVkaXJlY3RVUklzOgogICAgICAgICAgICAgIC0gImh0dHA6Ly92bXdhcmUtb2F1dGgyLXByb3h5Lm15L29hdXRoMi9jYWxsYmFjayIKICAgICAgICAgICAgbmFtZTogJ1ZJQi1EZXgnCiAgICAgICAgICAgIHNlY3JldDogWlhoaGJYQnNaUzFoY0hBdGMyVmpjbVYwCiAgICAgICAgY29ubmVjdG9yczoKICAgICAgICAgIC0gdHlwZTogbW9ja0NhbGxiYWNrCiAgICAgICAgICAgIGlkOiBtb2NrCiAgICAgICAgICAgIG5hbWU6IEV4YW1wbGUKICAgICAgICBlbmFibGVQYXNzd29yZERCOiB0cnVlCiAgICAgICAgc3RhdGljUGFzc3dvcmRzOgogICAgICAgICAgLSBlbWFpbDogImFkbWluQGV4YW1wbGUuY29tIgogICAgICAgICAgICBoYXNoOiAiJDJhJDEwJDJiMmNVOENQaE9UYUdyczFIUlF1QXVlUzdKVFQ1WkhzSFN6WWlGUG0xbGVaY2s3TWM4VDRXIgogICAgICAgICAgICB1c2VybmFtZTogImFkbWluIgogICAgICAgICAgICB1c2VySUQ6ICIwOGE4Njg0Yi1kYjg4LTRiNzMtOTBhOS0zY2QxNjYxZjU0NjYi",
        "target_platform": {
          "target_platform_id": "{VIB_ENV_TARGET_PLATFORM}",
          "size": {
@@ -37,6 +37,33 @@
            "endpoint": "lb-oauth2-proxy-http",
            "app_protocol": "HTTP"
          }
+        },
+        {
+          "action_id": "goss",
+          "params": {
+            "resources": {
+              "path": "/.vib/oauth2-proxy/goss"
+            },
+            "remote": {
+              "workload": "deploy-oauth2-proxy"
+            },
+            "vars_file": "vars.yaml"
+          }
+        },
+        {
+          "action_id": "cypress",
+          "params": {
+            "resources": {
+              "path": "/.vib/oauth2-proxy/cypress"
+            },
+            "endpoint": "lb-oauth2-proxy-http",
+            "app_protocol": "HTTP",
+            "env": {
+              "upstreamURL": "/bitnami/oauth2-proxy/conf/",
+              "upstreamContent": "oauth2_proxy.cfg",
+              "dexPort": "5556"
+            }
+          }
        }
      ]
    },
--- a/.vib/oauth2-proxy/vib-verify.json
+++ b/.vib/oauth2-proxy/vib-verify.json
@@ -22,7 +22,7 @@
          "url": "{SHA_ARCHIVE}",
          "path": "/bitnami/oauth2-proxy"
        },
-        "runtime_parameters": "InJlZGlzIjoKICAiYXV0aCI6CiAgICAicGFzc3dvcmQiOiAiam5kZkRGZiIKInNlcnZpY2UiOgogICJwb3J0IjogODAKICAidHlwZSI6ICJMb2FkQmFsYW5jZXIi",
+        "runtime_parameters": "c2VydmljZToKICB0eXBlOiBMb2FkQmFsYW5jZXIKICBwb3J0OiA4MApjb25maWd1cmF0aW9uOgogIGNsaWVudElEOiB2aWItZGV4LWNsaWVudAogIGNsaWVudFNlY3JldDogWlhoaGJYQnNaUzFoY0hBdGMyVmpjbVYwCiAgY29va2llU2VjcmV0OiB2aWItdGVzdHMtY29va2llCiAgY29udGVudDogfAogICAgZW1haWxfZG9tYWlucyA9IFsgIioiIF0KICAgIHByb3ZpZGVyID0gIm9pZGMiCiAgICBvaWRjX2lzc3Vlcl91cmwgPSAiaHR0cDovL3Ztd2FyZS1vYXV0aDItcHJveHkubXk6NTU1Ni9kZXgiCiAgICByZWRpcmVjdF91cmwgPSAiaHR0cDovL3Ztd2FyZS1vYXV0aDItcHJveHkubXkvb2F1dGgyL2NhbGxiYWNrIgogICAgY29va2llX3NlY3VyZSA9IGZhbHNlCiAgICBza2lwX2F1dGhfcm91dGVzID0gWyAiXlwvZGV4XC8uKiIgXQogICAgdXBzdHJlYW1zID0gWyAiZmlsZTovLy9iaXRuYW1pL29hdXRoMi1wcm94eS9jb25mLyIsICJodHRwOi8vdm13YXJlLW9hdXRoMi1wcm94eS5teTo1NTU2L2RleC8iIF0KY29udGFpbmVyUG9ydDogNDE4MQpob3N0QWxpYXNlczoKICAtIGlwOiAiMTI3LjAuMC4xIgogICAgaG9zdG5hbWVzOgogICAgICAtICJ2bXdhcmUtb2F1dGgyLXByb3h5Lm15Igpwb2RTZWN1cml0eUNvbnRleHQ6CiAgZW5hYmxlZDogdHJ1ZQogIGZzR3JvdXA6IDEwMDIKY29udGFpbmVyU2VjdXJpdHlDb250ZXh0OgogIGVuYWJsZWQ6IHRydWUKICBydW5Bc1VzZXI6IDEwMDIKc2VydmljZUFjY291bnQ6CiAgY3JlYXRlOiB0cnVlCiAgYXV0b21vdW50U2VydmljZUFjY291bnRUb2tlbjogdHJ1ZQpyZWRpczoKICBlbmFibGVkOiB0cnVlCiAgYXV0aDoKICAgIGVuYWJsZWQ6IHRydWUKICAgIHBhc3N3b3JkOiBvYXV0aDItdmliLXBhc3N3b3JkCnNpZGVjYXJzOgogIC0gbmFtZTogZGV4CiAgICBpbWFnZTogYml0bmFtaS9kZXgKICAgIGFyZ3M6IFsic2VydmUiLCAiL2NvbmZpZy9jb25maWcueWFtbCJdCiAgICBwb3J0czoKICAgICAgLSBuYW1lOiBodHRwCiAgICAgICAgY29udGFpbmVyUG9ydDogNTU1NgogICAgdm9sdW1lTW91bnRzOgogICAgICAtIG5hbWU6IGRleC12aWItY29uZmlnCiAgICAgICAgbW91bnRQYXRoOiAvY29uZmlnCmV4dHJhVm9sdW1lczoKICAtIG5hbWU6IGRleC12aWItY29uZmlnCiAgICBjb25maWdNYXA6CiAgICAgIG5hbWU6IGRleC12aWItY29uZmlnCmV4dHJhRGVwbG95OgogIC0gYXBpVmVyc2lvbjogdjEKICAgIGtpbmQ6IENvbmZpZ01hcAogICAgbWV0YWRhdGE6CiAgICAgIG5hbWU6IGRleC12aWItY29uZmlnCiAgICBkYXRhOgogICAgICBjb25maWcueWFtbDogfC0KICAgICAgICBpc3N1ZXI6IGh0dHA6Ly92bXdhcmUtb2F1dGgyLXByb3h5Lm15OjU1NTYvZGV4CiAgICAgICAgc3RvcmFnZToKICAgICAgICAgIHR5cGU6IHNxbGl0ZTMKICAgICAgICAgIGNvbmZpZzoKICAgICAgICAgICAgZmlsZTogL3RtcC9kZXguZGIKICAgICAgICB3ZWI6CiAgICAgICAgICBodHRwOiAwLjAuMC4wOjU1NTYKICAgICAgICBmcm9udGVuZDoKICAgICAgICAgIGRpcjogL29wdC9iaXRuYW1pL2RleC93ZWIKICAgICAgICBzdGF0aWNDbGllbnRzOgogICAgICAgICAgLSBpZDogdmliLWRleC1jbGllbnQKICAgICAgICAgICAgcmVkaXJlY3RVUklzOgogICAgICAgICAgICAgIC0gImh0dHA6Ly92bXdhcmUtb2F1dGgyLXByb3h5Lm15L29hdXRoMi9jYWxsYmFjayIKICAgICAgICAgICAgbmFtZTogJ1ZJQi1EZXgnCiAgICAgICAgICAgIHNlY3JldDogWlhoaGJYQnNaUzFoY0hBdGMyVmpjbVYwCiAgICAgICAgY29ubmVjdG9yczoKICAgICAgICAgIC0gdHlwZTogbW9ja0NhbGxiYWNrCiAgICAgICAgICAgIGlkOiBtb2NrCiAgICAgICAgICAgIG5hbWU6IEV4YW1wbGUKICAgICAgICBlbmFibGVQYXNzd29yZERCOiB0cnVlCiAgICAgICAgc3RhdGljUGFzc3dvcmRzOgogICAgICAgICAgLSBlbWFpbDogImFkbWluQGV4YW1wbGUuY29tIgogICAgICAgICAgICBoYXNoOiAiJDJhJDEwJDJiMmNVOENQaE9UYUdyczFIUlF1QXVlUzdKVFQ1WkhzSFN6WWlGUG0xbGVaY2s3TWM4VDRXIgogICAgICAgICAgICB1c2VybmFtZTogImFkbWluIgogICAgICAgICAgICB1c2VySUQ6ICIwOGE4Njg0Yi1kYjg4LTRiNzMtOTBhOS0zY2QxNjYxZjU0NjYi",
        "target_platform": {
          "target_platform_id": "{VIB_ENV_TARGET_PLATFORM}",
          "size": {
@@ -37,6 +37,33 @@
            "endpoint": "lb-oauth2-proxy-http",
            "app_protocol": "HTTP"
          }
+        },
+        {
+          "action_id": "goss",
+          "params": {
+            "resources": {
+              "path": "/.vib/oauth2-proxy/goss"
+            },
+            "remote": {
+              "workload": "deploy-oauth2-proxy"
+            },
+            "vars_file": "vars.yaml"
+          }
+        },
+        {
+          "action_id": "cypress",
+          "params": {
+            "resources": {
+              "path": "/.vib/oauth2-proxy/cypress"
+            },
+            "endpoint": "lb-oauth2-proxy-http",
+            "app_protocol": "HTTP",
+            "env": {
+              "upstreamURL": "/bitnami/oauth2-proxy/conf/",
+              "upstreamContent": "oauth2_proxy.cfg",
+              "dexPort": "5556"
+            }
+          }
        }
      ]
    }