tektoncd · tekton-robot · May 4, 2023 · Apr 18, 2023 · chuangw6 · May 4, 2023
diff --git a/test/e2e-common.sh b/test/e2e-common.sh
@@ -48,6 +48,69 @@ function install_pipeline_crd_version() {
   verify_pipeline_installation
 }
 
+# Add the provided spiffeId to the spire-server.
+function spire_apply() {
+  if [ $# -lt 2 -o "$1" != "-spiffeID" ]; then
+    echo "spire_apply requires a spiffeID as the first arg" >&2
+    exit 1
+  fi
+  echo "Checking if spiffeID $2 already exists..."
+  show=$(kubectl exec -n spire deployment/spire-server -- \
+    /opt/spire/bin/spire-server entry show $1 $2)
+  if [ "$show" != "Found 0 entries" ]; then
+    # delete to recreate
+    entryid=$(echo "$show" | grep "^Entry ID" | cut -f2 -d:)
+    echo "Deleting previously existing spiffeID $2 ..."
+    kubectl exec -n spire deployment/spire-server -- \
+      /opt/spire/bin/spire-server entry delete -entryID $entryid
+  fi
+  echo "Adding spiffeID $2 to spire-server."
+  kubectl exec -n spire deployment/spire-server -- \
+    /opt/spire/bin/spire-server entry create "$@"
+}
+
+function install_spire() {
+  echo ">> Deploying Spire"
+  DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+
+  echo "Creating SPIRE namespace..."
+  kubectl create ns spire
+
+  echo "Applying SPIFFE CSI Driver configuration..."
+  kubectl apply -f "$DIR"/testdata/spire/spiffe-csi-driver.yaml
+
+  echo "Deploying SPIRE server"
+  kubectl apply -f "$DIR"/testdata/spire/spire-server.yaml
+
+  echo "Deploying SPIRE agent"
+  kubectl apply -f "$DIR"/testdata/spire/spire-agent.yaml
+
+  wait_until_pods_running spire || fail_test "SPIRE did not come up"
+
+  spire_apply \
+    -spiffeID spiffe://example.org/ns/spire/node/example \
+    -selector k8s_psat:cluster:example-cluster \
+    -selector k8s_psat:agent_ns:spire \
+    -selector k8s_psat:agent_sa:spire-agent \
+    -node
+  spire_apply \
+    -spiffeID spiffe://example.org/ns/tekton-pipelines/sa/tekton-pipelines-controller \
+    -parentID spiffe://example.org/ns/spire/node/example \
+    -selector k8s:ns:tekton-pipelines \
+    -selector k8s:pod-label:app:tekton-pipelines-controller \
+    -selector k8s:sa:tekton-pipelines-controller \
+    -admin
+}
+
+function patch_pipeline_spire() {
+  kubectl patch \
+      deployment tekton-pipelines-controller \
+      -n tekton-pipelines \
+      --patch-file "$DIR"/testdata/patch/pipeline-controller-spire.json
+
+  verify_pipeline_installation
+}
+
 function verify_pipeline_installation() {
   # Make sure that everything is cleaned up in the current namespace.
   delete_pipeline_resources

diff --git a/test/e2e-tests.sh b/test/e2e-tests.sh
@@ -41,6 +41,18 @@ install_pipeline_crd
 
 failed=0
 
+function add_spire() {
+  local gate="$1"
+  if [ "$gate" == "alpha" ] ; then
+    DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+    printf "Setting up environment for alpha features"
+    install_spire
+    patch_pipeline_spire
+    kubectl apply -n tekton-pipelines -f "$DIR"/testdata/spire/config-spire.yaml
+    failed=0
+  fi
+}
+
 function set_feature_gate() {
   local gate="$1"
   local resolver="false"
@@ -91,6 +103,7 @@ function run_e2e() {
   fi
 }
 
+add_spire "$PIPELINE_FEATURE_GATE"
 set_feature_gate "$PIPELINE_FEATURE_GATE"
 set_result_extraction_method "$RESULTS_FROM"
 run_e2e

diff --git a/test/testdata/patch/pipeline-controller-spire.json b/test/testdata/patch/pipeline-controller-spire.json
@@ -0,0 +1,57 @@
+{
+    "spec":{
+       "template":{
+          "spec":{
+             "$setElementOrder/containers":[
+                {
+                   "name":"tekton-pipelines-controller"
+                }
+             ],
+             "$setElementOrder/volumes":[
+                {
+                   "name":"config-logging"
+                },
+                {
+                   "name":"config-registry-cert"
+                },
+                {
+                   "name":"spiffe-workload-api"
+                }
+             ],
+             "containers":[
+                {
+                   "$setElementOrder/volumeMounts":[
+                      {
+                         "mountPath":"/etc/config-logging"
+                      },
+                      {
+                         "mountPath":"/etc/config-registry-cert"
+                      },
+                      {
+                         "mountPath":"/spiffe-workload-api"
+                      }
+                   ],
+                   "name":"tekton-pipelines-controller",
+                   "volumeMounts":[
+                      {
+                         "mountPath":"/spiffe-workload-api",
+                         "name":"spiffe-workload-api",
+                         "readOnly":true
+                      }
+                   ]
+                }
+             ],
+             "volumes":[
+                {
+                   "csi":{
+                      "driver":"csi.spiffe.io",
+                      "readOnly":true
+                   },
+                   "name":"spiffe-workload-api"
+                }
+             ]
+          }
+       }
+    }
+ }
+
diff --git a/test/testdata/spire/config-spire.yaml b/test/testdata/spire/config-spire.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-spire
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-pipelines
+data:
+  # spire-trust-domain specifies the SPIRE trust domain to use.
+  spire-trust-domain: "example.org"
+  # spire-socket-path specifies the SPIRE agent socket for SPIFFE workload API.
+  spire-socket-path: "unix:///spiffe-workload-api/spire-agent.sock"
+  # spire-server-addr specifies the SPIRE server address for workload/node registration.
+  spire-server-addr: "spire-server.spire.svc.cluster.local:8081"
+  # spire-node-alias-prefix specifies the SPIRE node alias prefix to use.
+  spire-node-alias-prefix: "/tekton-node/"
diff --git a/test/testdata/spire/spiffe-csi-driver.yaml b/test/testdata/spire/spiffe-csi-driver.yaml
@@ -0,0 +1,20 @@
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+  name: "csi.spiffe.io"
+spec:
+  # Only ephemeral, inline volumes are supported. There is no need for a
+  # controller to provision and attach volumes.
+  attachRequired: false
+
+  # Request the pod information which the CSI driver uses to verify that an
+  # ephemeral mount was requested.
+  podInfoOnMount: true
+
+  # Don't change ownership on the contents of the mount since the Workload API
+  # Unix Domain Socket is typically open to all (i.e. 0777).
+  fsGroupPolicy: None
+
+  # Declare support for ephemeral volumes only.
+  volumeLifecycleModes:
+    - Ephemeral