fix&test(e2e): mariner containerized e2e test (#149)

test: - added containerized azure-kv plugin E2E test based on mcr.microsoft.com/cbl-mariner/base/core:2.0 fix: - set InvariantGlobalization mode to avoid access culture-specific data, which removes the dependency of icu-libs (not contained in mariner image) Signed-off-by: Junjie Gao <junjiegao@microsoft.com> --------- Signed-off-by: Junjie Gao <junjiegao@microsoft.com>
2024-01-26 09:03:03 +08:00 · 2024-01-26 09:03:03 +08:00 · e1442cd979
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -77,6 +77,29 @@ jobs:
          name: win-amd64-binary
          path: ./bin/artifacts/notation-azure-kv_0.0.1_windows_amd64.zip
          retention-days: 1
+  e2e-mariner-container:
+    name: E2E testing for Mariner container
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - name: Check out code into the project directory
+        uses: actions/checkout@v3
+      - uses: actions/download-artifact@v3
+        with:
+          name: linux-amd64-binary
+          path: ./bin/artifacts
+      - name: Prepare container registry
+        run: |
+          docker run --name registry --rm -d -p 5000:5000 registry:2
+          docker pull hello-world:latest
+          docker tag hello-world:latest localhost:5000/hello-world:v1
+          docker push localhost:5000/hello-world:v1
+      - name: Build notation-akv:v1 image
+        run: docker build -t notation-akv:v1 -f ./test/e2e/containerized/Dockerfile.mariner .
+      - name: Run e2e
+        run: bash ./test/e2e/containerized/test.sh
+        env:
+          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
  e2e-linux:
    name: E2E testing on Linux
    runs-on: ubuntu-latest
@ -100,7 +123,7 @@ jobs:
          echo "pluginDownloadURL=http://localhost:8000/$artifactName" >> "$GITHUB_ENV"
      - name: Prepare container registry
        run: |
-          docker run  --name registry --rm -d -p 5000:5000 registry:2
+          docker run --name registry --rm -d -p 5000:5000 registry:2
          docker pull hello-world:latest
          docker tag hello-world:latest localhost:5000/hello-world:v1
          docker push localhost:5000/hello-world:v1
@ -138,7 +161,7 @@ jobs:
        shell: pwsh
      - name: Prepare container registry
        run: |
-          docker run  --name registry --rm -d -p 5000:5000 junjiegaomsft/registry:v2.8.2-ltsc2022
+          docker run --name registry --rm -d -p 5000:5000 junjiegaomsft/registry:v2.8.2-ltsc2022
          docker pull hello-world:latest
          docker tag hello-world:latest localhost:5000/hello-world:v1
          docker push localhost:5000/hello-world:v1
--- a/Notation.Plugin.AzureKeyVault/Notation.Plugin.AzureKeyVault.csproj
+++ b/Notation.Plugin.AzureKeyVault/Notation.Plugin.AzureKeyVault.csproj
@ -13,6 +13,7 @@
    <CommitHash Condition="'$(CommitHash)' != ''">$(CommitHash)</CommitHash>
    <Version Condition="'$(Version)' == ''">1.0.0+unreleased</Version>
    <CommitHash Condition="'$(CommitHash)' == ''"></CommitHash>
+    <InvariantGlobalization>true</InvariantGlobalization>
  </PropertyGroup>

  <ItemGroup>
--- a/test/e2e/containerized/Dockerfile.mariner
+++ b/test/e2e/containerized/Dockerfile.mariner
@ -0,0 +1,16 @@
+FROM busybox:latest as base
+
+RUN wget https://github.com/notaryproject/notation/releases/download/v1.0.1/notation_1.0.1_linux_amd64.tar.gz 
+RUN tar -xzf notation_1.0.1_linux_amd64.tar.gz 
+COPY ./bin/artifacts/notation-azure-kv_0.0.1_linux_amd64.tar.gz .
+RUN tar -xzf notation-azure-kv_0.0.1_linux_amd64.tar.gz
+
+FROM mcr.microsoft.com/cbl-mariner/base/core:2.0
+
+RUN mkdir -p $HOME/.config/notation/plugins/azure-kv
+RUN yum install ca-certificates -y
+
+COPY --from=base ./notation /usr/local/bin
+COPY --from=base ./notation-azure-kv /root/.config/notation/plugins/azure-kv
+
+CMD ["notation"]
--- a/test/e2e/containerized/test.sh
+++ b/test/e2e/containerized/test.sh
@ -0,0 +1,79 @@
+#!/bin/bash
+#
+# containerized e2e test for azure-kv plugin
+# prerequisite: 
+#   - notation-akv:v1 image
+#   - AZURE_CREDENTIALS environment variable
+
+set -e
+
+# setup credentials
+if [ -z "$AZURE_CREDENTIALS" ]; then
+    echo "AZURE_CREDENTIALS is not set"
+    exit 1
+fi
+
+AZURE_TENANT_ID=$(echo "$AZURE_CREDENTIALS" | jq -r .tenantId)
+AZURE_CLIENT_ID=$(echo "$AZURE_CREDENTIALS" | jq -r .clientId)
+AZURE_CLIENT_SECRET=$(echo "$AZURE_CREDENTIALS" | jq -r .clientSecret)
+
+function testSign(){
+    # print all the arguments
+    echo "notation sign --signature-format cose localhost:5000/hello-world:v1 --plugin azure-kv" "$@"
+    docker run \
+        -v "$(pwd)"/test/:/test \
+        -e AZURE_CLIENT_SECRET="$AZURE_CLIENT_SECRET" \
+        -e AZURE_CLIENT_ID="$AZURE_CLIENT_ID" \
+        -e AZURE_TENANT_ID="$AZURE_TENANT_ID" \
+        --network host notation-akv:v1 \
+        notation sign --signature-format cose localhost:5000/hello-world:v1 --plugin azure-kv "$@"
+    local result=$?
+    echo ""
+    return $result
+}
+
+function assertSucceeded(){
+    if [ $? -ne 0 ]; then
+        echo "test failed"
+        exit 1
+    fi
+}
+
+function assertFailed(){
+    if [ $? -eq 0 ]; then
+        echo "test failed"
+        exit 1
+    fi
+}
+
+set +e
+echo "start notation azure-kv plugin containerized test"
+testSign --id https://acrci-test-kv.vault.azure.net/keys/self-signed-pkcs12/70747b2064c0488e936eba7a29acc4c6 --plugin-config self_signed=true
+assertSucceeded
+testSign --id https://acrci-test-kv.vault.azure.net/keys/self-signed-pem/a2c329545a934f0aaf434afe64bb392d --plugin-config self_signed=true
+assertSucceeded
+testSign --id https://acrci-test-kv.vault.azure.net/keys/imported-ca-issued-pem/5a768b6209564c3cb30ecc30d800dc43
+assertSucceeded
+testSign --id https://acrci-test-kv.vault.azure.net/keys/imported-ca-issued-pem-unordered/c0dcfcda9a454880aec242c70dcb1e2a
+assertSucceeded
+testSign --id https://acrci-test-kv.vault.azure.net/keys/imported-ca-issued-pkcs12/20548a2bcaba42308f609df2d79682b5
+assertSucceeded
+testSign --id https://acrci-test-kv.vault.azure.net/keys/imported-ca-issued-pkcs12-unordered/b4fdf86062e44839b666ce8ff3f3a470 
+assertSucceeded
+testSign --id https://acrci-test-kv.vault.azure.net/keys/csr-ca-issued-pem-chain/09cd1aeaaa894e60b0ef83f062604863
+assertSucceeded
+testSign --id https://acrci-test-kv.vault.azure.net/keys/csr-ca-issued-pkcs12-chain/aad06a96a2684d6ab79a4ad84cbe917e
+assertSucceeded
+testSign --id https://acrci-test-kv.vault.azure.net/keys/partial-pem-cert-chain/bf6299c95b96492894be0230935bdab8 --plugin-config ca_certs=/test/e2e/certs/cert-bundle.pem
+assertSucceeded
+testSign --id https://acrci-test-kv.vault.azure.net/keys/partial-pkcs12-cert-chain/c90493832b4148ee80e2aa10ada67a0b --plugin-config ca_certs=/test/e2e/certs/cert-bundle.pem
+assertSucceeded
+
+testSign --id https://acrci-test-kv.vault.azure.net/keys/partial-pem-cert-chain/bf6299c95b96492894be0230935bdab8 --plugin-config ca_certs=./test/e2e/certs/root.pem
+assertFailed
+testSign --id https://acrci-test-kv.vault.azure.net/keys/partial-pem-cert-chain/bf6299c95b96492894be0230935bdab8
+assertFailed
+testSign --id https://acrci-test-kv.vault.azure.net/keys/imported-ca-issued-pem/5a768b6209564c3cb30ecc30d800dc43 --plugin-config self_signed=true
+assertFailed
+testSign --id https://acrci-test-kv.vault.azure.net/keys/imported-ca-issued-pem/5a768b6209564c3cb30ecc30d800dc43 --plugin-config self_signed=true --plugin-config ca_certs=./test/e2e/certs/cert-bundle.pem
+assertFailed