diff --git a/tests/templates/kuttl/authorizer/03-install-druid.yaml.j2 b/tests/templates/kuttl/authorizer/03-install-druid.yaml.j2 index 7eaa8279..b4fcc71a 100644 --- a/tests/templates/kuttl/authorizer/03-install-druid.yaml.j2 +++ b/tests/templates/kuttl/authorizer/03-install-druid.yaml.j2 @@ -27,12 +27,10 @@ spec: connString: jdbc:derby://localhost:1527/var/druid/metadata.db;create=true host: localhost port: 1527 - tls: - serverAndInternalSecretClass: null zookeeperConfigMapName: druid-znode brokers: configOverrides: - runtime.properties: + runtime.properties: &runtime-properties druid.auth.authenticatorChain: "[\"MyBasicMetadataAuthenticator\"]" druid.auth.authenticator.MyBasicMetadataAuthenticator.type: basic 
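Review bot: Dropping the explicit `tls:` / `serverAndInternalSecretClass: null` block (the two removed lines after `port: 1527`) makes this cluster depend on the operator's default, which the rest of the commit suggests is now TLS-enabled (the check scripts move to https on 8281/8282 and resources/20-assert.yaml expects a `tls-mount` volume of SecretClass `tls`), but nothing in the template records that reliance. A one-line comment where the block was, `# tls: intentionally omitted - this test runs against the operator's default TLS setting`, would stop the next reader from re-adding the null override when the https checks fail. The same removal appears in the ingestion-no-s3-ext, ingestion-s3-ext, orphaned-resources and resources/20-install-druid templates.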
@@ -59,109 +57,25 @@ spec: replicas: 1 coordinators: configOverrides: - runtime.properties: - druid.auth.authenticatorChain: "[\"MyBasicMetadataAuthenticator\"]" - druid.auth.authenticator.MyBasicMetadataAuthenticator.type: basic - - # Default password for 'admin' user, should be changed for production. - druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword: password1 - - # Default password for internal 'druid_system' user, should be changed for production. - druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword: password2 - - # Uses the metadata store for storing users, you can use authentication API to create new users and grant permissions - druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type: metadata - - # If true and the request credential doesn't exists in this credentials store, the request will proceed to next Authenticator in the chain. - druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure: "false" - druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName: OpaAuthorizer - - # Escalator - druid.escalator.type: basic - druid.escalator.internalClientUsername: druid_system - druid.escalator.internalClientPassword: password2 - druid.escalator.authorizerName: OpaAuthorizer + runtime.properties: *runtime-properties roleGroups: default: replicas: 1 historicals: configOverrides: - runtime.properties: - druid.auth.authenticatorChain: "[\"MyBasicMetadataAuthenticator\"]" - druid.auth.authenticator.MyBasicMetadataAuthenticator.type: basic - - # Default password for 'admin' user, should be changed for production. - druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword: password1 - - # Default password for internal 'druid_system' user, should be changed for production. 
- druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword: password2 - - # Uses the metadata store for storing users, you can use authentication API to create new users and grant permissions - druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type: metadata - - # If true and the request credential doesn't exists in this credentials store, the request will proceed to next Authenticator in the chain. - druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure: "false" - druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName: OpaAuthorizer - - # Escalator - druid.escalator.type: basic - druid.escalator.internalClientUsername: druid_system - druid.escalator.internalClientPassword: password2 - druid.escalator.authorizerName: OpaAuthorizer + runtime.properties: *runtime-properties roleGroups: default: replicas: 1 middleManagers: configOverrides: - runtime.properties: - druid.auth.authenticatorChain: "[\"MyBasicMetadataAuthenticator\"]" - druid.auth.authenticator.MyBasicMetadataAuthenticator.type: basic - - # Default password for 'admin' user, should be changed for production. - druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword: password1 - - # Default password for internal 'druid_system' user, should be changed for production. - druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword: password2 - - # Uses the metadata store for storing users, you can use authentication API to create new users and grant permissions - druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type: metadata - - # If true and the request credential doesn't exists in this credentials store, the request will proceed to next Authenticator in the chain. 
- druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure: "false" - druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName: OpaAuthorizer - - # Escalator - druid.escalator.type: basic - druid.escalator.internalClientUsername: druid_system - druid.escalator.internalClientPassword: password2 - druid.escalator.authorizerName: OpaAuthorizer + runtime.properties: *runtime-properties roleGroups: default: replicas: 1 routers: configOverrides: - runtime.properties: - druid.auth.authenticatorChain: "[\"MyBasicMetadataAuthenticator\"]" - druid.auth.authenticator.MyBasicMetadataAuthenticator.type: basic - - # Default password for 'admin' user, should be changed for production. - druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword: password1 - - # Default password for internal 'druid_system' user, should be changed for production. - druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword: password2 - - # Uses the metadata store for storing users, you can use authentication API to create new users and grant permissions - druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type: metadata - - # If true and the request credential doesn't exists in this credentials store, the request will proceed to next Authenticator in the chain. - druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure: "false" - druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName: OpaAuthorizer - - # Escalator - druid.escalator.type: basic - druid.escalator.internalClientUsername: druid_system - druid.escalator.internalClientPassword: password2 - druid.escalator.authorizerName: OpaAuthorizer + runtime.properties: *runtime-properties roleGroups: default: replicas: 1 diff --git a/tests/templates/kuttl/authorizer/05-assert.yaml b/tests/templates/kuttl/authorizer/05-assert.yaml index a3cc6c3f..1f6e20c9 100644 --- a/tests/templates/kuttl/authorizer/05-assert.yaml 
+++ b/tests/templates/kuttl/authorizer/05-assert.yaml @@ -2,5 +2,5 @@ apiVersion: kuttl.dev/v1beta1 kind: TestAssert commands: - - script: kubectl exec -n $NAMESPACE checks-0 -- python /tmp/authcheck.py + - script: kubectl exec -n $NAMESPACE checks-0 -- python /tmp/authcheck.py derby-druid timeout: 600 diff --git a/tests/templates/kuttl/authorizer/authcheck.py b/tests/templates/kuttl/authorizer/authcheck.py index d6cab56b..ae62af80 100755 --- a/tests/templates/kuttl/authorizer/authcheck.py +++ b/tests/templates/kuttl/authorizer/authcheck.py @@ -3,20 +3,27 @@ import logging coordinator_host = "derby-druid-coordinator-default" -coordinator_port = "8081" +coordinator_port = "8281" authenticator_name = "MyBasicMetadataAuthenticator" def create_user(user_name): requests.post( - f"http://{coordinator_host}:{coordinator_port}/druid-ext/basic-security/authentication/db/{authenticator_name}/users/{user_name}", - auth=("admin", "password1") + f"https://{coordinator_host}:{coordinator_port}/druid-ext/basic-security/authentication/db/{authenticator_name}/users/{user_name}", + auth=("admin", "password1"), + verify=False, ) data = f"{{\"password\": \"{user_name}\"}}" headers = { 'Content-Type': 'application/json', } - requests.post(f"http://{coordinator_host}:{coordinator_port}/druid-ext/basic-security/authentication/db/{authenticator_name}/users/{user_name}/credentials", headers=headers, data=data, auth=('admin', 'password1')) + requests.post( + f"https://{coordinator_host}:{coordinator_port}/druid-ext/basic-security/authentication/db/{authenticator_name}/users/{user_name}/credentials", + headers=headers, + data=data, + auth=('admin', 'password1'), + verify=False, + ) if __name__ == "__main__": 
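Review bot: Both `requests.post` calls in `create_user` now pass `verify=False`, so the check accepts whatever certificate the coordinator presents and each call emits an InsecureRequestWarning; the test exercises encryption but not trust. If the checks pod mounts the operator CA the way the tls suite does (check-tls.sh reads `/tmp/druid-tls/ca.crt`), passing that path instead, `verify="/tmp/druid-tls/ca.crt"`, validates the chain at no extra cost; whether this pod has such a mount is not visible in this diff. At minimum the choice belongs in one module-level constant (e.g. `CA_BUNDLE = False` with a comment naming the CA path to switch to) rather than repeated on every call. The same `verify=False` pattern appears in the healthcheck.py and ingestioncheck.py hunks of both ingestion suites.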
@@ -30,39 +37,33 @@ def create_user(user_name): create_user("eve") print("USERS CREATED!") - druid_cluster_name = "derby-druid" - druid_roles = [ - "broker", - "coordinator", - "middlemanager", - "historical", - "router" - ] - druid_ports = { - "broker": 8082, - "coordinator": 8081, - "middlemanager": 8091, - "historical": 8083, - "router": 8888 + druid_cluster_name = sys.argv[1] + + druid_role_ports = { + "broker": 8282, + "coordinator": 8281, + "middlemanager": 8291, + "historical": 8283, + "router": 9088, } - for role in druid_roles: - url = f"http://{druid_cluster_name}-{role}-default:{druid_ports[role]}/status" + for role, port in druid_role_ports.items(): + url = f"https://{druid_cluster_name}-{role}-default:{port}/status" # make an authorized request -> return 401 expected print("Checking Unauthorized") - res = requests.get(url) + res = requests.get(url, verify=False) if res.status_code != 401: result = 1 break # make an authorized request -> return 200 expected print("Checking Alice") - res = requests.get(url, auth=("alice", "alice")) + res = requests.get(url, auth=("alice", "alice"), verify=False) if res.status_code != 200: result = 1 break # make an unauthorized request -> return 403 expected print("Checking Eve") - res = requests.get(url, auth=("eve", "eve")) + res = requests.get(url, auth=("eve", "eve"), verify=False) if res.status_code != 403: result = 1 break diff --git a/tests/templates/kuttl/ingestion-no-s3-ext/02-install-druid.yaml.j2 b/tests/templates/kuttl/ingestion-no-s3-ext/02-install-druid.yaml.j2 index 0a8d578d..1de84747 100644 --- a/tests/templates/kuttl/ingestion-no-s3-ext/02-install-druid.yaml.j2 +++ b/tests/templates/kuttl/ingestion-no-s3-ext/02-install-druid.yaml.j2 @@ -23,8 +23,6 @@ spec: connString: jdbc:derby://localhost:1527/var/druid/metadata.db;create=true host: localhost port: 1527 - tls: - serverAndInternalSecretClass: null zookeeperConfigMapName: druid-znode brokers: roleGroups: 
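Review bot: `druid_cluster_name = sys.argv[1]` raises IndexError when the script is run without the argument that 05-assert.yaml now passes, and the first hunk's `import logging` context does not show whether `import sys` exists in this file, so please confirm it does. A guarded read, `druid_cluster_name = sys.argv[1] if len(sys.argv) > 1 else "derby-druid"`, keeps the previous hard-coded value as a fallback, and a one-line usage message is friendlier than a traceback inside kubectl exec. The healthcheck.py hunks in both ingestion suites read `sys.argv[1]` the same way.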
diff --git a/tests/templates/kuttl/ingestion-no-s3-ext/04-assert.yaml b/tests/templates/kuttl/ingestion-no-s3-ext/04-assert.yaml index bf22ffe7..07a25600 100644 --- a/tests/templates/kuttl/ingestion-no-s3-ext/04-assert.yaml +++ b/tests/templates/kuttl/ingestion-no-s3-ext/04-assert.yaml @@ -2,5 +2,5 @@ apiVersion: kuttl.dev/v1beta1 kind: TestAssert commands: - - script: kubectl exec -n $NAMESPACE checks-0 -- python /tmp/healthcheck.py + - script: kubectl exec -n $NAMESPACE checks-0 -- python /tmp/healthcheck.py derby-druid timeout: 300 diff --git a/tests/templates/kuttl/ingestion-no-s3-ext/healthcheck.py b/tests/templates/kuttl/ingestion-no-s3-ext/healthcheck.py index 4bf19cfc..96815fd8 100755 --- a/tests/templates/kuttl/ingestion-no-s3-ext/healthcheck.py +++ b/tests/templates/kuttl/ingestion-no-s3-ext/healthcheck.py @@ -9,24 +9,18 @@ log_level = 'DEBUG' # if args.debug else 'INFO' logging.basicConfig(level=log_level, format='%(asctime)s %(levelname)s: %(message)s', stream=sys.stdout) - druid_cluster_name = "derby-druid" - druid_roles = [ - "broker", - "coordinator", - "middlemanager", - "historical", - "router" - ] - druid_ports = { - "broker": 8082, - "coordinator": 8081, - "middlemanager": 8091, - "historical": 8083, - "router": 8888 + druid_cluster_name = sys.argv[1] + + druid_role_ports = { + "broker": 8282, + "coordinator": 8281, + "middlemanager": 8291, + "historical": 8283, + "router": 9088, } - for role in druid_roles: - url = f"http://{druid_cluster_name}-{role}-default:{druid_ports[role]}/status/health" + for role, port in druid_role_ports.items(): + url = f"https://{druid_cluster_name}-{role}-default:{port}/status/health" count = 1 # As this script is intended to be executed by Kuttl which is in charge of overall test timeouts it is ok 
@@ -43,7 +37,7 @@ try: count = count + 1 print(f"Checking role [{role}] on url [{url}]") - res = requests.get(url, timeout=5) + res = requests.get(url, verify=False, timeout=5) code = res.status_code if res.status_code == 200 and res.text.lower() == "true": break @@ -60,5 +54,4 @@ # Wait a little bit before retrying time.sleep(1) - sys.exit(0) diff --git a/tests/templates/kuttl/ingestion-no-s3-ext/ingestioncheck.py b/tests/templates/kuttl/ingestion-no-s3-ext/ingestioncheck.py index dd0c1b9e..2269b5d6 100755 --- a/tests/templates/kuttl/ingestion-no-s3-ext/ingestioncheck.py +++ b/tests/templates/kuttl/ingestion-no-s3-ext/ingestioncheck.py @@ -11,6 +11,7 @@ class DruidClient: def __init__(self): self.session = requests.Session() self.session.headers.update({'Accept': 'application/json', 'Content-Type': 'application/json'}) + self.session.verify = False http.client.HTTPConnection.debuglevel = 1 def get(self, url): @@ -52,7 +53,7 @@ def query_datasource(self, url, sql, expected, iterations): Query tasks ===========''') tasks = druid.get_tasks( - url=f"http://{druid_cluster_name}-coordinator-default:8081/druid/indexer/v1/tasks", + url=f"https://{druid_cluster_name}-coordinator-default:8281/druid/indexer/v1/tasks", ) task_count = len(json.loads(tasks)) print(f'existing tasks: {task_count}') @@ -61,7 +62,7 @@ def query_datasource(self, url, sql, expected, iterations): Start ingestion task ====================''') ingestion = druid.post_task( - url=f"http://{druid_cluster_name}-coordinator-default:8081/druid/indexer/v1/task", + url=f"https://{druid_cluster_name}-coordinator-default:8281/druid/indexer/v1/task", input='/tmp/druid-quickstartimport.json' ) task_id = json.loads(ingestion)["task"] 
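Review bot: The coordinator base `https://{druid_cluster_name}-coordinator-default:8281` is now spelled out four times and the broker base twice across the hunks of ingestioncheck.py, so the http-to-https/port change had to be repeated at every call site and the next port change will be too. Defining `coordinator_url = f"https://{druid_cluster_name}-coordinator-default:8281"` and `broker_url = f"https://{druid_cluster_name}-broker-default:8282"` once, next to where `druid_cluster_name` is read (outside these hunks), and writing `url=f"{coordinator_url}/druid/indexer/v1/tasks"` keeps scheme and port in one place. `self.session.verify = False` in `DruidClient.__init__` disables certificate validation for every request on the session; a CA bundle path in `verify` is the stricter option if the checks pod has one mounted, which this diff does not show. The ingestion-s3-ext copy of the file has identical hunks.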
@@ -71,7 +72,7 @@ def query_datasource(self, url, sql, expected, iterations): Re-query tasks ==============''') tasks = druid.get_tasks( - url=f"http://{druid_cluster_name}-coordinator-default:8081/druid/indexer/v1/tasks", + url=f"https://{druid_cluster_name}-coordinator-default:8281/druid/indexer/v1/tasks", ) new_task_count = len(json.loads(tasks)) print(f'new tasks: {new_task_count}') @@ -85,7 +86,7 @@ def query_datasource(self, url, sql, expected, iterations): while not job_finished: time.sleep(5) task = druid.get( - url=f"http://{druid_cluster_name}-coordinator-default:8081/druid/indexer/v1/task/{url_encoded_taskid}/status", + url=f"https://{druid_cluster_name}-coordinator-default:8281/druid/indexer/v1/task/{url_encoded_taskid}/status", ) task_status = json.loads(task)["status"]["statusCode"] print(f"Current task status: [{task_status}]") @@ -98,7 +99,7 @@ def query_datasource(self, url, sql, expected, iterations): broker_ready = False while not broker_ready: time.sleep(2) - broker_ready_rc = druid.check_rc(f"http://{druid_cluster_name}-broker-default:8082/druid/broker/v1/readiness") + broker_ready_rc = druid.check_rc(f"https://{druid_cluster_name}-broker-default:8282/druid/broker/v1/readiness") broker_ready = broker_ready_rc == 200 print(f"Broker respondend with [{broker_ready_rc}] to readiness check") @@ -107,7 +108,7 @@ def query_datasource(self, url, sql, expected, iterations): ==============''') sample_data_size = 39244 result = druid.query_datasource( - url=f"http://{druid_cluster_name}-broker-default:8082/druid/v2/sql", + url=f"https://{druid_cluster_name}-broker-default:8282/druid/v2/sql", sql={"query": "select count(*) as c from \"wikipedia-2015-09-12\""}, expected=sample_data_size, iterations=12 diff --git a/tests/templates/kuttl/ingestion-s3-ext/02-install-druid.yaml.j2 b/tests/templates/kuttl/ingestion-s3-ext/02-install-druid.yaml.j2 index 2c14e48d..4e6ba1da 100644 --- a/tests/templates/kuttl/ingestion-s3-ext/02-install-druid.yaml.j2 
+++ b/tests/templates/kuttl/ingestion-s3-ext/02-install-druid.yaml.j2 @@ -29,8 +29,6 @@ spec: connString: jdbc:derby://localhost:1527/var/druid/metadata.db;create=true host: localhost port: 1527 - tls: - serverAndInternalSecretClass: null zookeeperConfigMapName: druid-znode brokers: roleGroups: diff --git a/tests/templates/kuttl/ingestion-s3-ext/04-assert.yaml b/tests/templates/kuttl/ingestion-s3-ext/04-assert.yaml index bf22ffe7..07a25600 100644 --- a/tests/templates/kuttl/ingestion-s3-ext/04-assert.yaml +++ b/tests/templates/kuttl/ingestion-s3-ext/04-assert.yaml @@ -2,5 +2,5 @@ apiVersion: kuttl.dev/v1beta1 kind: TestAssert commands: - - script: kubectl exec -n $NAMESPACE checks-0 -- python /tmp/healthcheck.py + - script: kubectl exec -n $NAMESPACE checks-0 -- python /tmp/healthcheck.py derby-druid timeout: 300 diff --git a/tests/templates/kuttl/ingestion-s3-ext/healthcheck.py b/tests/templates/kuttl/ingestion-s3-ext/healthcheck.py index 3136b8a5..96815fd8 100755 --- a/tests/templates/kuttl/ingestion-s3-ext/healthcheck.py +++ b/tests/templates/kuttl/ingestion-s3-ext/healthcheck.py 
@@ -9,24 +9,18 @@ log_level = 'DEBUG' # if args.debug else 'INFO' logging.basicConfig(level=log_level, format='%(asctime)s %(levelname)s: %(message)s', stream=sys.stdout) - druid_cluster_name = "derby-druid" - druid_roles = [ - "broker", - "coordinator", - "middlemanager", - "historical", - "router" - ] - druid_ports = { - "broker": 8082, - "coordinator": 8081, - "middlemanager": 8091, - "historical": 8083, - "router": 8888 + druid_cluster_name = sys.argv[1] + + druid_role_ports = { + "broker": 8282, + "coordinator": 8281, + "middlemanager": 8291, + "historical": 8283, + "router": 9088, } - for role in druid_roles: - url = f"http://{druid_cluster_name}-{role}-default:{druid_ports[role]}/status/health" + for role, port in druid_role_ports.items(): + url = f"https://{druid_cluster_name}-{role}-default:{port}/status/health" count = 1 # As this script is intended to be executed by Kuttl which is in charge of overall test timeouts it is ok @@ -43,7 +37,7 @@ try: count = count + 1 print(f"Checking role [{role}] on url [{url}]") - res = requests.get(url, timeout=5) + res = requests.get(url, verify=False, timeout=5) code = res.status_code if res.status_code == 200 and res.text.lower() == "true": break diff --git a/tests/templates/kuttl/ingestion-s3-ext/ingestioncheck.py b/tests/templates/kuttl/ingestion-s3-ext/ingestioncheck.py index dd0c1b9e..2269b5d6 100755 --- a/tests/templates/kuttl/ingestion-s3-ext/ingestioncheck.py +++ b/tests/templates/kuttl/ingestion-s3-ext/ingestioncheck.py @@ -11,6 +11,7 @@ class DruidClient: def __init__(self): self.session = requests.Session() self.session.headers.update({'Accept': 'application/json', 'Content-Type': 'application/json'}) + self.session.verify = False http.client.HTTPConnection.debuglevel = 1 def get(self, url): 
@@ -52,7 +53,7 @@ def query_datasource(self, url, sql, expected, iterations): Query tasks ===========''') tasks = druid.get_tasks( - url=f"http://{druid_cluster_name}-coordinator-default:8081/druid/indexer/v1/tasks", + url=f"https://{druid_cluster_name}-coordinator-default:8281/druid/indexer/v1/tasks", ) task_count = len(json.loads(tasks)) print(f'existing tasks: {task_count}') @@ -61,7 +62,7 @@ def query_datasource(self, url, sql, expected, iterations): Start ingestion task ====================''') ingestion = druid.post_task( - url=f"http://{druid_cluster_name}-coordinator-default:8081/druid/indexer/v1/task", + url=f"https://{druid_cluster_name}-coordinator-default:8281/druid/indexer/v1/task", input='/tmp/druid-quickstartimport.json' ) task_id = json.loads(ingestion)["task"] @@ -71,7 +72,7 @@ def query_datasource(self, url, sql, expected, iterations): Re-query tasks ==============''') tasks = druid.get_tasks( - url=f"http://{druid_cluster_name}-coordinator-default:8081/druid/indexer/v1/tasks", + url=f"https://{druid_cluster_name}-coordinator-default:8281/druid/indexer/v1/tasks", ) new_task_count = len(json.loads(tasks)) print(f'new tasks: {new_task_count}') @@ -85,7 +86,7 @@ def query_datasource(self, url, sql, expected, iterations): while not job_finished: time.sleep(5) task = druid.get( - url=f"http://{druid_cluster_name}-coordinator-default:8081/druid/indexer/v1/task/{url_encoded_taskid}/status", + url=f"https://{druid_cluster_name}-coordinator-default:8281/druid/indexer/v1/task/{url_encoded_taskid}/status", ) task_status = json.loads(task)["status"]["statusCode"] print(f"Current task status: [{task_status}]") 
@@ -98,7 +99,7 @@ def query_datasource(self, url, sql, expected, iterations): broker_ready = False while not broker_ready: time.sleep(2) - broker_ready_rc = druid.check_rc(f"http://{druid_cluster_name}-broker-default:8082/druid/broker/v1/readiness") + broker_ready_rc = druid.check_rc(f"https://{druid_cluster_name}-broker-default:8282/druid/broker/v1/readiness") broker_ready = broker_ready_rc == 200 print(f"Broker respondend with [{broker_ready_rc}] to readiness check") @@ -107,7 +108,7 @@ def query_datasource(self, url, sql, expected, iterations): ==============''') sample_data_size = 39244 result = druid.query_datasource( - url=f"http://{druid_cluster_name}-broker-default:8082/druid/v2/sql", + url=f"https://{druid_cluster_name}-broker-default:8282/druid/v2/sql", sql={"query": "select count(*) as c from \"wikipedia-2015-09-12\""}, expected=sample_data_size, iterations=12 diff --git a/tests/templates/kuttl/orphaned-resources/02-install-druid.yaml.j2 b/tests/templates/kuttl/orphaned-resources/02-install-druid.yaml.j2 index 0a8d578d..1de84747 100644 --- a/tests/templates/kuttl/orphaned-resources/02-install-druid.yaml.j2 +++ b/tests/templates/kuttl/orphaned-resources/02-install-druid.yaml.j2 @@ -23,8 +23,6 @@ spec: connString: jdbc:derby://localhost:1527/var/druid/metadata.db;create=true host: localhost port: 1527 - tls: - serverAndInternalSecretClass: null zookeeperConfigMapName: druid-znode brokers: roleGroups: diff --git a/tests/templates/kuttl/resources/20-assert.yaml b/tests/templates/kuttl/resources/20-assert.yaml index 65d0b244..dff64083 100644 --- a/tests/templates/kuttl/resources/20-assert.yaml +++ b/tests/templates/kuttl/resources/20-assert.yaml 
@@ -60,14 +60,26 @@ spec: cpu: "4" memory: 2Gi volumes: - - configMap: + - name: tls-mount + ephemeral: + volumeClaimTemplate: + metadata: + annotations: + secrets.stackable.tech/class: tls + secrets.stackable.tech/scope: pod,node + creationTimestamp: null + spec: + storageClassName: secrets.stackable.tech + - name: tls + emptyDir: {} + - name: config + configMap: name: druid-resources-historical-default - name: config - - emptyDir: {} - name: rwconfig - - emptyDir: + - name: rwconfig + emptyDir: {} + - name: segment-cache + emptyDir: sizeLimit: 2G - name: segment-cache status: readyReplicas: 1 replicas: 1 diff --git a/tests/templates/kuttl/resources/20-install-druid.yaml.j2 b/tests/templates/kuttl/resources/20-install-druid.yaml.j2 index da4d177e..dce0a12f 100644 --- a/tests/templates/kuttl/resources/20-install-druid.yaml.j2 +++ b/tests/templates/kuttl/resources/20-install-druid.yaml.j2 @@ -27,8 +27,6 @@ spec: connString: jdbc:derby://localhost:1527/var/druid/metadata.db;create=true host: localhost port: 1527 - tls: - serverAndInternalSecretClass: null zookeeperConfigMapName: druid-znode brokers: roleGroups: diff --git a/tests/templates/kuttl/smoke/03-assert.yaml b/tests/templates/kuttl/smoke/03-assert.yaml index 7db399d9..a37d231d 100644 --- a/tests/templates/kuttl/smoke/03-assert.yaml +++ b/tests/templates/kuttl/smoke/03-assert.yaml 
@@ -30,29 +30,29 @@ spec: template: spec: volumes: - - name: tls-mount - ephemeral: - volumeClaimTemplate: - metadata: - annotations: - secrets.stackable.tech/class: tls - secrets.stackable.tech/scope: pod,node - creationTimestamp: null - spec: - storageClassName: secrets.stackable.tech - - name: tls - emptyDir: {} - - name: config - configMap: - name: druid-historical-default - - name: rwconfig - emptyDir: {} - - name: hdfs - configMap: - name: druid-hdfs - - name: segment-cache - emptyDir: - sizeLimit: 1G + - name: tls-mount + ephemeral: + volumeClaimTemplate: + metadata: + annotations: + secrets.stackable.tech/class: tls + secrets.stackable.tech/scope: pod,node + creationTimestamp: null + spec: + storageClassName: secrets.stackable.tech + - name: tls + emptyDir: {} + - name: config + configMap: + name: druid-historical-default + - name: rwconfig + emptyDir: {} + - name: hdfs + configMap: + name: druid-hdfs + - name: segment-cache + emptyDir: + sizeLimit: 1G --- apiVersion: apps/v1 kind: StatefulSet diff --git a/tests/templates/kuttl/tls/03-assert.yaml.j2 b/tests/templates/kuttl/tls/03-assert.yaml.j2 index cb7954a4..871f7d28 100644 --- a/tests/templates/kuttl/tls/03-assert.yaml.j2 +++ b/tests/templates/kuttl/tls/03-assert.yaml.j2 @@ -53,16 +53,16 @@ spec: port: 9090 protocol: TCP targetPort: 9090 -{% if test_scenario['values']['use-tls'] == 'false' %} - - name: http - port: 8081 - protocol: TCP - targetPort: 8081 -{% else %} +{% if test_scenario['values']['tls-mode'] == 'internal-tls' or test_scenario['values']['tls-mode'] == 'internal-tls-and-tls-client-auth' %} - name: https port: 8281 protocol: TCP targetPort: 8281 +{% else %} + - name: http + port: 8081 + protocol: TCP + targetPort: 8081 {% endif %} --- apiVersion: v1 
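Review bot: The new condition `{% if test_scenario['values']['tls-mode'] == 'internal-tls' or test_scenario['values']['tls-mode'] == 'internal-tls-and-tls-client-auth' %}` is repeated verbatim in all five Service hunks of tls/03-assert.yaml.j2 and again in 03-install-druid.yaml.j2 and 04-install-checks.yaml.j2, which makes adding a fourth mode error-prone. Jinja's membership test, `{% if test_scenario['values']['tls-mode'] in ['internal-tls', 'internal-tls-and-tls-client-auth'] %}`, states the same thing in one readable expression, and `!= 'no-tls'` would be shorter still if the accepted values are exactly the three check-tls.sh lists. Whichever form is chosen should be used consistently across these templates.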
@@ -75,16 +75,16 @@ spec: port: 9090 protocol: TCP targetPort: 9090 -{% if test_scenario['values']['use-tls'] == 'false' %} - - name: http - port: 8091 - protocol: TCP - targetPort: 8091 -{% else %} +{% if test_scenario['values']['tls-mode'] == 'internal-tls' or test_scenario['values']['tls-mode'] == 'internal-tls-and-tls-client-auth' %} - name: https port: 8291 protocol: TCP targetPort: 8291 +{% else %} + - name: http + port: 8091 + protocol: TCP + targetPort: 8091 {% endif %} --- apiVersion: v1 @@ -97,16 +97,16 @@ spec: port: 9090 protocol: TCP targetPort: 9090 -{% if test_scenario['values']['use-tls'] == 'false' %} - - name: http - port: 8083 - protocol: TCP - targetPort: 8083 -{% else %} +{% if test_scenario['values']['tls-mode'] == 'internal-tls' or test_scenario['values']['tls-mode'] == 'internal-tls-and-tls-client-auth' %} - name: https port: 8283 protocol: TCP targetPort: 8283 +{% else %} + - name: http + port: 8083 + protocol: TCP + targetPort: 8083 {% endif %} --- apiVersion: v1 @@ -119,16 +119,16 @@ spec: port: 9090 protocol: TCP targetPort: 9090 -{% if test_scenario['values']['use-tls'] == 'false' %} - - name: http - port: 8888 - protocol: TCP - targetPort: 8888 -{% else %} +{% if test_scenario['values']['tls-mode'] == 'internal-tls' or test_scenario['values']['tls-mode'] == 'internal-tls-and-tls-client-auth' %} - name: https port: 9088 protocol: TCP targetPort: 9088 +{% else %} + - name: http + port: 8888 + protocol: TCP + targetPort: 8888 {% endif %} --- apiVersion: v1 @@ -141,14 +141,14 @@ spec: port: 9090 protocol: TCP targetPort: 9090 -{% if test_scenario['values']['use-tls'] == 'false' %} - - name: http - port: 8082 - protocol: TCP - targetPort: 8082 -{% else %} +{% if test_scenario['values']['tls-mode'] == 'internal-tls' or test_scenario['values']['tls-mode'] == 'internal-tls-and-tls-client-auth' %} - name: https port: 8282 protocol: TCP targetPort: 8282 +{% else %} + - name: http + port: 8082 + protocol: TCP + targetPort: 8082 {% endif %} 
diff --git a/tests/templates/kuttl/tls/03-install-druid.yaml.j2 b/tests/templates/kuttl/tls/03-install-druid.yaml.j2 index 5c32036b..7d859856 100644 --- a/tests/templates/kuttl/tls/03-install-druid.yaml.j2 +++ b/tests/templates/kuttl/tls/03-install-druid.yaml.j2 @@ -24,18 +24,17 @@ metadata: stringData: accessKey: druid secretKey: druiddruid -{% if test_scenario['values']['use-tls'] == 'true' and test_scenario['values']['use-tls-auth'] == 'true' %} --- apiVersion: secrets.stackable.tech/v1alpha1 kind: SecretClass metadata: - name: druid-tls-auth + name: druid-tls spec: backend: autoTls: ca: secret: - name: secret-provisioner-druid-tls-auth-ca + name: secret-provisioner-druid-tls-ca namespace: default autoGenerate: true --- @@ -46,8 +45,7 @@ metadata: spec: provider: tls: - clientCertSecretClass: druid-tls-auth -{% endif %} + clientCertSecretClass: druid-tls # This SecretClass must match the SecretClass used for internal Druid communication --- apiVersion: druid.stackable.tech/v1alpha1 kind: DruidCluster @@ -58,7 +56,7 @@ spec: productVersion: "{{ test_scenario['values']['druid-latest'].split('-stackable')[0] }}" stackableVersion: "{{ test_scenario['values']['druid-latest'].split('-stackable')[1] }}" clusterConfig: -{% if test_scenario['values']['use-tls'] == 'true' and test_scenario['values']['use-tls-auth'] == 'true' %} +{% if test_scenario['values']['tls-mode'] == 'internal-tls-and-tls-client-auth' %} authentication: - authenticationClass: druid-tls-auth-class {% endif %} @@ -85,9 +83,9 @@ spec: connString: jdbc:derby://localhost:1527/var/druid/metadata.db;create=true host: localhost port: 1527 -{% if test_scenario['values']['use-tls'] == 'true' %} +{% if test_scenario['values']['tls-mode'] == 'internal-tls' or test_scenario['values']['tls-mode'] == 'internal-tls-and-tls-client-auth' %} tls: - serverAndInternalSecretClass: tls + serverAndInternalSecretClass: druid-tls {% else %} tls: serverAndInternalSecretClass: null 
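Review bot: The inline comment on `clientCertSecretClass: druid-tls` says it must match `serverAndInternalSecretClass: druid-tls`, yet the two values are set independently roughly forty lines apart, the second inside a conditional, so a future edit can break client-certificate authentication without any template error. A Jinja variable near the top of the file, `{% set druid_tls_secret_class = 'druid-tls' %}`, referenced from the SecretClass `name`, the AuthenticationClass and the `tls:` block turns the invariant the comment only describes into something the template enforces. The SecretClass and AuthenticationClass are also created unconditionally now, so in `no-tls` mode they exist unused; harmless, but worth a short comment if that is intentional.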
diff --git a/tests/templates/kuttl/tls/04-install-checks.yaml.j2 b/tests/templates/kuttl/tls/04-install-checks.yaml.j2 index 76fefe76..baafd198 100644 --- a/tests/templates/kuttl/tls/04-install-checks.yaml.j2 +++ b/tests/templates/kuttl/tls/04-install-checks.yaml.j2 @@ -23,45 +23,38 @@ spec: image: docker.stackable.tech/stackable/testing-tools:0.1.0-stackable0.1.0 command: ["sleep", "infinity"] volumeMounts: - - mountPath: /tmp/tls - name: tls -{% if test_scenario['values']['use-tls'] == 'true' and test_scenario['values']['use-tls-auth'] == 'true' %} - - mountPath: /tmp/tls_auth - name: tls-auth -{% endif %} +{% if test_scenario['values']['tls-mode'] == 'internal-tls' or test_scenario['values']['tls-mode'] == 'internal-tls-and-tls-client-auth' %} + - name: druid-tls + mountPath: /tmp/druid-tls + - name: tls + mountPath: /tmp/tls volumes: - - ephemeral: + - name: druid-tls + ephemeral: volumeClaimTemplate: metadata: annotations: - secrets.stackable.tech/class: tls + secrets.stackable.tech/class: druid-tls secrets.stackable.tech/scope: pod,node - creationTimestamp: null spec: + storageClassName: secrets.stackable.tech accessModes: - ReadWriteOnce resources: requests: storage: "1" - storageClassName: secrets.stackable.tech - volumeMode: Filesystem - name: tls -{% if test_scenario['values']['use-tls'] == 'true' and test_scenario['values']['use-tls-auth'] == 'true' %} - - ephemeral: + - name: tls + ephemeral: volumeClaimTemplate: metadata: annotations: - secrets.stackable.tech/class: druid-tls-auth + secrets.stackable.tech/class: tls secrets.stackable.tech/scope: pod,node - creationTimestamp: null spec: + storageClassName: secrets.stackable.tech accessModes: - ReadWriteOnce resources: requests: storage: "1" - storageClassName: secrets.stackable.tech - volumeMode: Filesystem - name: tls-auth {% endif %} - diff --git a/tests/templates/kuttl/tls/10-assert.yaml.j2 b/tests/templates/kuttl/tls/10-assert.yaml.j2 index db6032ef..d2bb2146 100644 
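Review bot: The `volumeMounts:` key stays outside the new `{% if ... tls-mode ... %}` block while every item under it moved inside, so in `no-tls` mode the template renders `volumeMounts:` with no value (YAML null) immediately before `volumes:`; Kubernetes tolerates a null list, but the rendered manifest is misleading and a stricter validator may reject it. Moving the `volumeMounts:` line inside the conditional, next to `volumes:` which already is, keeps both keys present only when they have content. Whether the `tls` SecretClass mount is needed in plain `internal-tls` mode (check-tls.sh only reads `/tmp/tls/tls.crt` in the client-auth branch) is not clear from this hunk and could be narrowed to that mode.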
--- a/tests/templates/kuttl/tls/10-assert.yaml.j2 +++ b/tests/templates/kuttl/tls/10-assert.yaml.j2 @@ -3,12 +3,4 @@ apiVersion: kuttl.dev/v1beta1 kind: TestAssert timeout: 300 commands: -{% if test_scenario['values']['use-tls-auth'] == 'true' and test_scenario['values']['use-tls'] == 'true' %} - - script: kubectl exec -n $NAMESPACE druid-checks-0 -- /tmp/check-tls.sh $NAMESPACE secure_auth -{% endif %} -{% if test_scenario['values']['use-tls-auth'] == 'false' and test_scenario['values']['use-tls'] == 'true' %} - - script: kubectl exec -n $NAMESPACE druid-checks-0 -- /tmp/check-tls.sh $NAMESPACE secure -{% endif %} -{% if test_scenario['values']['use-tls-auth'] == 'false' and test_scenario['values']['use-tls'] == 'false' %} - - script: kubectl exec -n $NAMESPACE druid-checks-0 -- /tmp/check-tls.sh $NAMESPACE insecure -{% endif %} + - script: kubectl exec -n $NAMESPACE druid-checks-0 -- /tmp/check-tls.sh $NAMESPACE {{ test_scenario['values']['tls-mode'] }} diff --git a/tests/templates/kuttl/tls/10-tls-checks.yaml b/tests/templates/kuttl/tls/10-tls-checks.yaml index f48a57d8..9ff950a9 100644 --- a/tests/templates/kuttl/tls/10-tls-checks.yaml +++ b/tests/templates/kuttl/tls/10-tls-checks.yaml @@ -4,4 +4,4 @@ kind: TestStep timeout: 600 commands: - script: kubectl cp -n $NAMESPACE ./check-tls.sh druid-checks-0:/tmp/check-tls.sh - - script: kubectl cp -n $NAMESPACE ./untrusted-ca.crt druid-checks-0:/tmp/tls/untrusted-ca.crt + - script: kubectl cp -n $NAMESPACE ./untrusted-ca.crt druid-checks-0:/tmp/untrusted-ca.crt diff --git a/tests/templates/kuttl/tls/11-assert.yaml.j2 b/tests/templates/kuttl/tls/11-assert.yaml.j2 index 8f02e3ac..b9419eff 100644 --- a/tests/templates/kuttl/tls/11-assert.yaml.j2 +++ b/tests/templates/kuttl/tls/11-assert.yaml.j2 
@@ -3,12 +3,4 @@ apiVersion: kuttl.dev/v1beta1 kind: TestAssert timeout: 300 commands: -{% if test_scenario['values']['use-tls-auth'] == 'true' and test_scenario['values']['use-tls'] == 'true' %} - - script: kubectl exec -n $NAMESPACE druid-checks-0 -- python /tmp/ingestioncheck.py $NAMESPACE derby-druid secure_auth -{% endif %} -{% if test_scenario['values']['use-tls-auth'] == 'false' and test_scenario['values']['use-tls'] == 'true' %} - - script: kubectl exec -n $NAMESPACE druid-checks-0 -- python /tmp/ingestioncheck.py $NAMESPACE derby-druid secure -{% endif %} -{% if test_scenario['values']['use-tls-auth'] == 'false' and test_scenario['values']['use-tls'] == 'false' %} - - script: kubectl exec -n $NAMESPACE druid-checks-0 -- python /tmp/ingestioncheck.py $NAMESPACE derby-druid insecure -{% endif %} + - script: kubectl exec -n $NAMESPACE druid-checks-0 -- python /tmp/ingestioncheck.py $NAMESPACE derby-druid {{ test_scenario['values']['tls-mode'] }} diff --git a/tests/templates/kuttl/tls/check-tls.sh b/tests/templates/kuttl/tls/check-tls.sh index 416d5c8c..0dad5ee1 100755 --- a/tests/templates/kuttl/tls/check-tls.sh +++ b/tests/templates/kuttl/tls/check-tls.sh @@ -1,11 +1,11 @@ #!/usr/bin/env bash -# Usage: check-tls.sh namespace type [insecure,secure,secure_auth] +# Usage: check-tls.sh namespace type [no-tls,internal-tls,internal-tls-and-tls-client-auth] NAMESPACE=$1 TYPE=$2 # No encryption -if [[ $TYPE == "insecure" ]] +if [[ $TYPE == "no-tls" ]] then HOST=http://derby-druid-router-default-0.derby-druid-router-default.${NAMESPACE}.svc.cluster.local:8888/status/health @@ -21,7 +21,7 @@ then fi # Only encryption -if [[ $TYPE == "secure" ]] +if [[ $TYPE == "internal-tls" ]] then HOST=https://derby-druid-router-default-0.derby-druid-router-default.${NAMESPACE}.svc.cluster.local:9088/status/health 
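Review bot: An unrecognised `TYPE` falls through all three `if [[ $TYPE == ... ]]` blocks and, unless the tail of the script (outside this diff) handles it, the script exits 0, so a kuttl assert that passes a misspelled or newly added tls-mode value would pass vacuously; ingestioncheck.py rejects unknown modes with `sys.exit`, and this script should fail closed the same way. Right after `TYPE=$2` add `[[ $TYPE =~ ^(no-tls|internal-tls|internal-tls-and-tls-client-auth)$ ]] || { echo "[ERROR] unknown type '$TYPE'"; exit 1; }`. The usage comment two lines above already lists the three names, so the guard and the comment can be kept in sync.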
@@ -47,7 +47,7 @@ then # should work without insecure but with certificate echo "[TLS_ENCRYPTION] Test TLS with trusted certificate" - if curl --cacert /tmp/tls/ca.crt "$HOST" &> /dev/null + if curl --cacert /tmp/druid-tls/ca.crt "$HOST" &> /dev/null then echo "[SUCCESS] Could establish connection to server with trusted certificate!" else @@ -57,7 +57,7 @@ then # should not work with wrong certificate echo "[TLS_ENCRYPTION] Test TLS with untrusted certificate" - if curl --cacert /tmp/tls/untrusted-ca.crt "$HOST" &> /dev/null + if curl --cacert /tmp/untrusted-ca.crt "$HOST" &> /dev/null then echo "[ERROR] Could establish connection to server with untrusted certificate. Should not be happening!" exit 1 @@ -67,7 +67,7 @@ then fi # Encryption and TLS client auth -if [[ $TYPE == "secure_auth" ]] +if [[ $TYPE == "internal-tls-and-tls-client-auth" ]] then HOST=https://derby-druid-router-default-0.derby-druid-router-default.${NAMESPACE}.svc.cluster.local:9088/status/health @@ -83,7 +83,7 @@ then # Should fail echo "[TLS_AUTH] Test access providing CA" - if curl --cacert "$HOST" &> /dev/null + if curl --cacert /tmp/druid-tls/ca.crt "$HOST" &> /dev/null then echo "[ERROR] Could establish insecure connection to server! This should not be happening!" exit 1 @@ -92,8 +92,8 @@ then fi # Should fail - echo "[TLS_AUTH] Test access providing wrong ca, cert and key" - if curl --cacert /tmp/tls/ca.crt --cert /tmp/tls/tls.crt --key /tmp/tls/tls.key "$HOST" &> /dev/null + echo "[TLS_AUTH] Test access providing wrong cert and key" + if curl --cacert /tmp/druid-tls/ca.crt --cert /tmp/tls/tls.crt --key /tmp/tls/tls.key "$HOST" &> /dev/null then echo "[ERROR] Could establish authenticated connection to server with wrong credentials! This should not be happening!" exit 1 
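Review bot: The positive check `if curl --cacert /tmp/druid-tls/ca.crt "$HOST" &> /dev/null` tests only curl's exit status, which is 0 for any HTTP response, so a 401 or 500 from /status/health would be reported as `[SUCCESS]`. For the positive cases (this one, and the correct-cert check in the `-103` hunk) add `--fail` so an HTTP error status counts as a failure: `if curl --fail --cacert /tmp/druid-tls/ca.crt "$HOST" &> /dev/null`. Leave the negative checks (untrusted CA, CA without client cert, wrong client cert) without `--fail`: their intent is that the TLS handshake itself is refused, and with `--fail` an HTTP-level 401 would be indistinguishable from a refused handshake and could hide a server that accepted the connection.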
@@ -103,7 +103,7 @@ then # Should work echo "[TLS_AUTH] Test access providing correct ca, cert and key" - if curl --cacert /tmp/tls_auth/ca.crt --cert /tmp/tls_auth/tls.crt --key /tmp/tls_auth/tls.key "$HOST" &> /dev/null + if curl --cacert /tmp/druid-tls/ca.crt --cert /tmp/druid-tls/tls.crt --key /tmp/druid-tls/tls.key "$HOST" &> /dev/null then echo "[SUCCESS] Could establish authenticated connection to server!" else diff --git a/tests/templates/kuttl/tls/ingestioncheck.py b/tests/templates/kuttl/tls/ingestioncheck.py index 73bc6cd4..b35e9353 100755 --- a/tests/templates/kuttl/tls/ingestioncheck.py +++ b/tests/templates/kuttl/tls/ingestioncheck.py @@ -52,26 +52,26 @@ def query_datasource(self, url, sql, expected, iterations): druid_cluster_name = sys.argv[2] security = sys.argv[3] -if security == "insecure": +if security == "no-tls": protocol = "http" coordinator_port = "8081" broker_port = "8082" cert = None verify = False -elif security == "secure": +elif security == "internal-tls": protocol = "https" coordinator_port = "8281" broker_port = "8282" cert = None - verify = "/tmp/tls/ca.crt" -elif security == "secure_auth": + verify = "/tmp/druid-tls/ca.crt" +elif security == "internal-tls-and-tls-client-auth": protocol = "https" coordinator_port = "8281" broker_port = "8282" - cert = ("/tmp/tls_auth/tls.crt", "/tmp/tls_auth/tls.key") - verify = "/tmp/tls_auth/ca.crt" + cert = ("/tmp/druid-tls/tls.crt", "/tmp/druid-tls/tls.key") + verify = "/tmp/druid-tls/ca.crt" else: - sys.exit("Usage: python ./ingestioncheck.py ") + sys.exit("Usage: python ./ingestioncheck.py ") druid = DruidClient(cert, verify) diff --git a/tests/test-definition.yaml b/tests/test-definition.yaml index e005b357..55b610d7 100644 --- a/tests/test-definition.yaml +++ b/tests/test-definition.yaml 
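Review bot: The three `if security == ...` branches repeat the same five assignments with only the values changing, and the accepted mode names now live in three places (this ladder, the usage message, check-tls.sh); a single lookup table keeps the names in one spot and makes the `else` branch list them automatically. `sys` is already used in the hunk, so no new import is needed; the message below should keep whatever argument placeholders the existing `sys.exit("Usage: ...")` line has. The rest of the script (imports, `DruidClient`, `query_datasource`) is outside this hunk and unchanged.
```python
# mode -> (protocol, coordinator port, broker port, client cert, CA to verify)
TLS_MODES = {
    "no-tls": ("http", "8081", "8082", None, False),
    "internal-tls": ("https", "8281", "8282", None, "/tmp/druid-tls/ca.crt"),
    "internal-tls-and-tls-client-auth": (
        "https", "8281", "8282",
        ("/tmp/druid-tls/tls.crt", "/tmp/druid-tls/tls.key"),
        "/tmp/druid-tls/ca.crt",
    ),
}
if security not in TLS_MODES:
    sys.exit(f"Usage: python ./ingestioncheck.py NAMESPACE CLUSTER MODE, MODE one of: {', '.join(TLS_MODES)}")
protocol, coordinator_port, broker_port, cert, verify = TLS_MODES[security]
# … unchanged: druid = DruidClient(cert, verify) …
```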
@@ -24,14 +24,11 @@ dimensions: values: - "true" - "false" - - name: use-tls + - name: tls-mode values: - - "true" - - "false" - - name: use-tls-auth - values: - - "true" - - "false" + - "no-tls" + - "internal-tls" + - "internal-tls-and-tls-client-auth" tests: - name: smoke dimensions: @@ -77,5 +74,4 @@ tests: dimensions: - druid-latest - zookeeper-latest - - use-tls - - use-tls-auth + - tls-mode
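Review bot: The three `tls-mode` values are passed verbatim to check-tls.sh and ingestioncheck.py (via 10-assert and 11-assert) and must match the string comparisons there exactly, but nothing in this file records that coupling. Add a comment above the dimension: `# Passed through unchanged to check-tls.sh and ingestioncheck.py; keep in sync with the modes they accept.` Replacing the two booleans with one enumerated dimension also drops the `use-tls=false, use-tls-auth=true` combination, which previously rendered no assertion at all and therefore passed without checking anything — worth a sentence in the PR description.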