Resolves "Update Scripted Test to Remove Dependency on Cypress Created UI Tests" | SKIP UPDATE

e3a47955 · Daniel Pritchett · Alfredo Diaz · fb5bba84 · e3a47955 · e3a47955
Commit e3a47955 authored 8 months ago by Daniel Pritchett Committed by Alfredo Diaz 8 months ago
--- a/chart/templates/bigbang/allow-gitlab-sa-to-exec-pods.yaml
+++ b/chart/templates/bigbang/allow-gitlab-sa-to-exec-pods.yaml
+{{- if .Values.bbtests }}
+{{- if .Values.bbtests.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: {{ $.Release.Namespace }}
+  name: gitlab-test-pod-exec
+  labels:
+    bigbang.dso.mil/purpose: gitlab-gluon-script
+  ########################################################################
+  # Script needed: kubectl -n gitlab exec -ti deploy/gitlab-toolbox
+  ########################################################################
+rules:
+  # look up a pod from deployments/gitlab-toolbox
+  # fails like:
+  # User "system:serviceaccount:gitlab:default" cannot get resource "deployments" in API group "apps" in the namespace "gitlab"
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list"]
+  # look up a pod from deployments/gitlab-toolbox
+  # fails like:
+  # User "system:serviceaccount:gitlab:default" cannot list resource "pods" in API group "" in the namespace "gitlab"
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list"]
+  # exec into that pod to run gitlab-rails console and create a temporary admin token
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["create"]
+  # clean up this role after we're done with it
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["roles", "rolebindings"]
+    verbs: ["delete", "list", "get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  namespace: {{ $.Release.Namespace }}
+  name: gitlab-test-pod-exec
+  labels:
+    bigbang.dso.mil/purpose: gitlab-gluon-script
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: gitlab-test-pod-exec
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: 'system:serviceaccounts:{{ .Release.Namespace }}'
+    namespace: {{ $.Release.Namespace }}
+{{- end }}
+{{- end }}
\ No newline at end of file
--- a/chart/tests/cypress/e2e/01-gitlab-health-spec.cy.js
+++ b/chart/tests/cypress/e2e/01-gitlab-health-spec.cy.js
@@ -90,26 +90,23 @@ describe('Create Gitlab Project', () => {
      }
    })

-    // Commenting out call to delete cypress created gitlab project as test script is also dependent on it
-    // Revisit once https://repo1.dso.mil/big-bang/product/packages/gitlab/-/issues/233 has been addressed
-    //cy.deleteGitlabProject(Cypress.env('url'), Cypress.env('gitlab_username'), Cypress.env('gitlab_project'))
+    // Cleanup: delete the just-created gitlab project
+    cy.deleteGitlabProject(Cypress.env('url'), Cypress.env('gitlab_username'), Cypress.env('gitlab_project'))
  })

-  // Commenting out this part of the test as script test is dependent on cypress created user
-  // Revisit once https://repo1.dso.mil/big-bang/product/packages/gitlab/-/issues/233 has been addressed
-  //it('Login as Root and Delete Test User', () => {
-  //  // clear user data before starting test
-  //  cy.clearAllUserData()
-  //
-  //  //Sign in as Root
-  //  cy.visit(`${Cypress.env('url')}/users/sign_in`)
-  //  cy.performGitlabLogin('root', Cypress.env('adminpassword'))
-  //
-  //  //Browse to created user and delete
-  //  cy.visit(`${Cypress.env('url')}/admin/users/${Cypress.env('gitlab_username')}`)
-  //  cy.get('div[data-testid="user-actions-2"]').find('button[data-testid="base-dropdown-toggle"]').click()
-  //  cy.get('li[data-testid="delete-deleteWithContributions"]').find('button').click()
-  //  cy.get('input[name="username"]').type(`${Cypress.env('gitlab_first_name')} ${Cypress.env('gitlab_last_name')}`)
-  //  cy.contains('span', 'Delete user and contributions').click({force: true})
-  //})
+  it('Login as Root and Delete Test User', () => {
+   // clear user data before starting test
+   cy.clearAllUserData()
+
+   //Sign in as Root
+   cy.visit(`${Cypress.env('url')}/users/sign_in`)
+   cy.performGitlabLogin('root', Cypress.env('adminpassword'))
+
+   //Browse to created user and delete
+   cy.visit(`${Cypress.env('url')}/admin/users/${Cypress.env('gitlab_username')}`)
+   cy.get('div[data-testid="user-actions-2"]').find('button[data-testid="base-dropdown-toggle"]').click()
+   cy.get('li[data-testid="delete-deleteWithContributions"]').find('button').click()
+   cy.get('input[name="username"]').type(`${Cypress.env('gitlab_first_name')} ${Cypress.env('gitlab_last_name')}`)
+   cy.contains('span', 'Delete user and contributions').click({force: true})
+  })
 })
\ No newline at end of file
--- a/chart/tests/scripts/test.sh
+++ b/chart/tests/scripts/test.sh
 #!/bin/bash
-set -ex
+set -euo pipefail

-export HOME=/test
+##############################################################
+# Colorized logging functions
+#

-echo "cloning repo..."
-git clone ${GITLAB_REPOSITORY}/${GITLAB_USER}/${GITLAB_PROJECT}.git
+GREEN="\e[32m"
+YELLOW="\e[33m"
+MAGENTA="\e[35m"
+CYAN="\e[36m"
+ENDCOLOR="\e[0m"

-echo "changing into repo directory..."
-cd ${GITLAB_PROJECT}
+slug="${MAGENTA}[test log]${ENDCOLOR} | "

-# set credentials
-git config --local user.email ${GITLAB_EMAIL}
-git config --local user.name ${GITLAB_USER}
-git config --local user.password ${GITLAB_PASS}
+# Basic info-level colorized logging.
+function info {
+  local text=${1}
+  echo -e "${slug}${YELLOW}${text}${ENDCOLOR}"
+}

-/go/bin/crane auth login ${GITLAB_REGISTRY} -u ${GITLAB_USER} -p ${GITLAB_PASS}
+# Formatted test descriptor log:
+# > Can we.... do a testable thing here ?
+function canwe {
+  local text=${1}
+  echo -e "${slug}${CYAN}Can we... ${YELLOW}${text}${CYAN}?${ENDCOLOR}"
+}

-echo "modifying repo..."
-touch Dockerfile
-echo "FROM alpine" > Dockerfile
+# Formatted test success log:
+# > ✅ test succeeded.
+function success {
+  local text=${1}
+  echo -e "${slug}✅\t${GREEN}${text}${ENDCOLOR}"
+}

-echo "pushing changes to repo..."
-git add Dockerfile
-git commit -m 'initial commit' --allow-empty
-git remote rm origin
-git remote add origin ${GITLAB_ORIGIN}/${GITLAB_USER}/${GITLAB_PROJECT}.git
-export testbranch=test-$RANDOM
-git checkout -b $testbranch
-git push -u origin $testbranch
+#############################################################
+# General shell helper functions
+#

-echo "pulling image..."
-/go/bin/crane pull alpine:latest alpine-latest.tar
+### Sample PAT value: glpat-bigbangtest-9ae6aca43f841f89f7d08b212d2fa009
+function generate_pat {
+  # generate random 32-char string and then add glpat-bigbangtest- to it
+  head -c 128 /dev/urandom \
+    | sha256sum \
+    | head -c 32 \
+    | awk '{ print "glpat-bigbangtest-" $1 }'
+}

-echo "pushing image to gitlab registry..."
-/go/bin/crane push alpine-latest.tar ${GITLAB_REGISTRY}/${GITLAB_USER}/${GITLAB_PROJECT}/alpine:latest
+#############################################################
+# GitLab accessors and mutators
+#

-echo "All tests complete!"
\ No newline at end of file
+# fetch a gitlab project's ID by project name
+function get_project_id {
+  local token=${1}
+  local api_host=${2}
+  local project_name=${3}
+
+  curl --fail --request GET \
+    --header "PRIVATE-TOKEN: ${token}" \
+    "http://${api_host}/api/v4/projects?search=${project_name}" \
+      | jq '.[].id' --raw-output
+}
+
+# delete a gitlab project by project ID
+function delete_project {
+  local token=${1}
+  local api_host=${2}
+  local project_id=${3}
+
+  curl --fail --request DELETE --header "PRIVATE-TOKEN: ${token}" "http://${api_host}/api/v4/projects/${project_id}"
+}
+
+# Creates a 24-hour personal access token (PAT) for gitlab's root user.
+# ⚠️ Sets the token value to the second argument here rather than letting
+# gitlab randomize one for us. This makes it a bit easier to pass the token
+# around in these test scripts.
+function create_pat {
+  local pat_name=${1}
+  local pat_value=${2}
+
+  SETUP_CMD="t=User.find_by!(username: 'root').personal_access_tokens.new(name: '${pat_name}', scopes:[:api], expires_at: 1.day.from_now.utc); t.set_token('${pat_value}'); t.save!"
+  kubectl -n gitlab exec -ti deploy/gitlab-toolbox -- gitlab-rails runner "${SETUP_CMD}"
+}
+
+# Deactivate the supplied gitlab personal access token.
+function deactivate_pat {
+  local token=${1}
+  local api_host=${2}
+
+  curl --fail --request DELETE --header "PRIVATE-TOKEN: ${token}" "http://${api_host}/api/v4/personal_access_tokens/self"
+}
+
+function main {
+  export HOME=/test
+  export project_name="${GITLAB_PROJECT}-${RANDOM}"
+  export base_branch=main
+  export test_branch="test-${RANDOM}"
+  export reference_image=alpine:latest
+
+
+  ####################################################
+  # CREATE TEMPORARY TEST TOKEN (PAT) FOR ROOT USER
+
+  export pat_name="bb-test-automation-pat_value-${RANDOM}"
+  pat_value=$(generate_pat)
+  export pat_value
+
+
+  canwe "create a temporary PAT for gitlab user root via gitlab-rails runner"
+  create_pat "${pat_name}" "${pat_value}"
+  info "temporary PAT created."
+
+
+  ####################################################
+  # CREATE LOCAL GIT REPO
+
+  canwe "create a new local git repository"
+
+  rm -rf "${project_name}"
+  mkdir -p "${project_name}"
+  pushd "${project_name}"
+
+  echo "Hi from a new bigbang test repository!" >> README.md
+  git init --initial-branch=$base_branch
+
+  git config --local user.email "${GITLAB_EMAIL}"
+  git config --local user.name "${GITLAB_USER}"
+  git config --local user.password "${pat_value}"
+
+  git add README.md
+  git commit -m "initial commit to a new bigbang test repository"
+
+  info "local git repository created: [${project_name}]"
+
+
+  ####################################################
+  # PUSH LOCAL GIT REPO AS NEW GITLAB PROJECT
+
+  canwe "push a local git repository to gitlab as a new project"
+  git remote add origin "http://${GITLAB_USER}:${pat_value}@${GITLAB_HOST}/${GITLAB_USER}/${project_name}.git"
+  git push -u origin $base_branch
+  success "pushed a new project to Gitlab."
+
+  canwe "fetch a gitlab project ID by project name using cURL"
+  project_id=$(get_project_id "${pat_value}" "${GITLAB_HOST}" "${project_name}")
+  export project_id
+  success "project ID fetched: [${project_id}]"
+
+  #################################################################
+  # PUSH IMAGE TO CONTAINER REGISTRY UNDER OUR GITLAB PROJECT
+
+  # skopeo needs to save registry auth to a writeable folder
+  # see https://github.com/containers/skopeo/blob/main/docs/skopeo-login.1.md
+  export REGISTRY_AUTH_FILE="${HOME}/.container_auth.json"
+
+  canwe "log in to a gitlab container registry with our new PAT"
+  skopeo login --tls-verify=false "${GITLAB_REGISTRY}" --username "${GITLAB_USER}" --password "${pat_value}"
+  success "logged in to gitlab container registry using our PAT."
+
+
+  canwe "push local changes to our new project"
+  echo "FROM ${reference_image}" > ./Dockerfile
+  git add Dockerfile
+  git commit -m "adds new Dockerfile from ${reference_image}" --allow-empty
+  git checkout -b $test_branch
+  git push -u origin $test_branch
+  success "pushed local changes to our new project."
+
+  canwe "push a copy of [${reference_image}] to a gitlab container registry under our new project"
+  skopeo sync --dest-tls-verify=false --src docker --dest docker $reference_image "${GITLAB_REGISTRY}/${GITLAB_USER}/${project_name}/"
+  success "pushed a copy of ${reference_image} to a new container repository under project ${project_name}."
+
+
+  ####################################################
+  # CLEANUP
+
+  # delete project
+  canwe "delete our new gitlab project [${project_name}] via cURL"
+  delete_project "${pat_value}" "${GITLAB_HOST}" "${project_id}"
+  success "deleted project."
+
+  # deactivate PAT
+  canwe "deactivate our new gitlab PAT [${pat_name}] via cURL"
+  deactivate_pat "${pat_value}" "${GITLAB_HOST}"
+  success "deactivated PAT ${pat_name}]"
+
+  # remove our kubectl exec test's Role
+  #
+  # 💡 n.b. we can't delete *both* the Role and the RoleBinding because removing either
+  # one drops our ability to remove the other.
+  # even a `kubectl delete roles,rolebindings` command appears to delete them serially
+  # rather than in parallel.
+  canwe "delete the kubeapi role that enabled us to run kubectl exec"
+  kubectl -n gitlab delete roles -l bigbang.dso.mil/purpose=gitlab-gluon-script
+  success "role and rolebinding removed."
+
+  popd
+  rm -rf "${project_name}"
+
+  info "All tests completed successfully."
+}
+
+main
\ No newline at end of file
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -2155,12 +2155,11 @@ bbtests:
            name: gitlab-gitlab-initial-root-password
            key: password
  scripts:
-    image: "registry1.dso.mil/bigbang-ci/gitlab-tester:0.0.4"
+    image: "registry1.dso.mil/bigbang-ci/devops-tester:1.1.1"
    envs:
-      GITLAB_USER: "testuser"
-      GITLAB_PASS: "Password123h56a78"
-      GITLAB_EMAIL: "testuser@example.com"
-      GITLAB_PROJECT: "my-awesome-project"
-      GITLAB_REPOSITORY: http://gitlab-webservice-default.gitlab.svc.cluster.local:8181
-      GITLAB_ORIGIN: http://testuser:Password123h56a78@gitlab-webservice-default.gitlab.svc.cluster.local:8181
+      GITLAB_USER: "root"
+      GITLAB_EMAIL: "gitlab-root-user@example.com"
+      GITLAB_HOST: gitlab-webservice-default.gitlab.svc.cluster.local:8181
+      GITLAB_PROJECT: "bigbang-test-project-2"
      GITLAB_REGISTRY: gitlab-registry-test-svc.gitlab.svc.cluster.local:80
+      GITLAB_REPOSITORY: http://gitlab-webservice-default.gitlab.svc.cluster.local:8181
\ No newline at end of file
--- a/docs/DEVELOPMENT_MAINTENANCE.md
+++ b/docs/DEVELOPMENT_MAINTENANCE.md
@@ -50,9 +50,14 @@ BigBang makes modifications to the upstream helm chart. The full list of changes
        export cypress_gitlab_first_name=test
        export cypress_gitlab_last_name=user
        export cypress_gitlab_username=testuser
-        export cypress_gitlab_password=12345678
        export cypress_gitlab_email=testuser@example.com
        export cypress_gitlab_project=my-awesome-project
+
+        # actual user password doesn't matter much but gitlab rejects it if it's too simple
+        export cypress_gitlab_password=aa32b3ba7d5bbf537d745fd62469b15b
+
+        # fetch gitlab admin password via CLI:
+        #   kubectl -n gitlab get secrets gitlab-gitlab-initial-root-password -ojson | jq .data.password -r | base64 -d | pbcopy
        export cypress_adminpassword=put-the-gitlab-root-password-here
        ```
    1. Run cypress from the parent directory of the gitlab and cypress directories.