openshift · openshift-merge-robot · Jan 21, 2022 · Nov 29, 2021
diff --git a/test/extended/builds/volumes.go b/test/extended/builds/volumes.go
@@ -1,11 +1,18 @@
 package builds
 
 import (
+	"context"
 	"path/filepath"
 	"time"
 
 	g "github.com/onsi/ginkgo"
 	o "github.com/onsi/gomega"
+	kapierrs "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	e2e "k8s.io/kubernetes/test/e2e/framework"
+
+	buildv1 "github.com/openshift/api/build/v1"
+	configv1 "github.com/openshift/api/config/v1"
 
 	deploymentutil "github.com/openshift/origin/test/extended/deployments"
 	exutil "github.com/openshift/origin/test/extended/util"
@@ -126,3 +133,276 @@ var _ = g.Describe("[sig-builds][Feature:Builds][volumes] build volumes", func()
 		})
 	})
 })
+
+var _ = g.Describe("[sig-builds][Feature:Builds][volumes] csi build volumes within Tech Preview disabled clusters", func() {
+	var (
+		oc                   = exutil.NewCLI("build-volumes")
+		baseDir              = exutil.FixturePath("testdata", "builds", "volumes")
+		s2iImageStream       = filepath.Join(baseDir, "s2i-imagestream.yaml")
+		dockerImageStream    = filepath.Join(baseDir, "docker-imagestream.yaml")
+		csiS2iBuildConfig    = filepath.Join(baseDir, "csi-s2i-buildconfig.yaml")
+		csiDockerBuildConfig = filepath.Join(baseDir, "csi-docker-buildconfig.yaml")
+	)
+
+	g.Context("", func() {
+		g.BeforeEach(func() {
+			exutil.PreTestDump()
+		})
+
+		g.JustBeforeEach(func() {
+			if isTechPreviewNoUpgrade(oc) {
+				g.Skip("the test is not expected to work within Tech Preview enabled clusters")
+			}
+		})
+
+		g.AfterEach(func() {
+			if g.CurrentGinkgoTestDescription().Failed {
+				exutil.DumpPodStates(oc)
+				exutil.DumpConfigMapStates(oc)
+				exutil.DumpPodLogsStartingWith("", oc)
+			}
+		})
+
+		g.It("should fail mounting given csi shared resource secret into the build pod for source strategy builds", func() {
+			g.By("creating an imagestream")
+			err := oc.Run("create").Args("-f", s2iImageStream).Execute()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("creating a build config")
+			err = oc.Run("create").Args("-f", csiS2iBuildConfig).Execute()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("starting a build and waiting for it to complete")
+			br, err := exutil.StartBuildAndWait(oc, "mys2itest")
+			o.Expect(err).NotTo(o.HaveOccurred())
+			br.DumpLogs()
+
+			build, err := oc.BuildClient().BuildV1().Builds(oc.Namespace()).Get(context.Background(), br.Build.Name, metav1.GetOptions{})
+			o.Expect(err).NotTo(o.HaveOccurred())
+			o.Expect(build.Status.Phase).To(o.Equal(buildv1.BuildPhaseNew))
+			o.Expect(build.Status.Reason).To(o.BeEquivalentTo("CannotCreateBuildPodSpec"))
+			o.Expect(build.Status.Message).To(o.BeEquivalentTo("Failed to create pod spec."))
+
+		})
+		g.It("should fail mounting given csi shared resource secret into the build pod for docker strategy builds", func() {
+			g.By("creating an imagestream")
+			err := oc.Run("create").Args("-f", dockerImageStream).Execute()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("creating a build config")
+			err = oc.Run("create").Args("-f", csiDockerBuildConfig).Execute()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("starting a build and waiting for it to complete")
+			br, err := exutil.StartBuildAndWait(oc, "mydockertest")
+			o.Expect(err).NotTo(o.HaveOccurred())
+			br.DumpLogs()
+
+			build, err := oc.BuildClient().BuildV1().Builds(oc.Namespace()).Get(context.Background(), br.Build.Name, metav1.GetOptions{})
+			o.Expect(err).NotTo(o.HaveOccurred())
+			o.Expect(build.Status.Phase).To(o.Equal(buildv1.BuildPhaseNew))
+			o.Expect(build.Status.Reason).To(o.BeEquivalentTo("CannotCreateBuildPodSpec"))
+			o.Expect(build.Status.Message).To(o.BeEquivalentTo("Failed to create pod spec."))
+		})
+	})
+})
+
+var _ = g.Describe("[sig-builds][Feature:Builds][volumes] csi build volumes within Tech Preview enabled cluster", func() {
+	var (
+		oc                     = exutil.NewCLI("build-volumes")
+		oc1                    = exutil.NewCLI("build-volumes-1")
+		baseDir                = exutil.FixturePath("testdata", "builds", "volumes")
+		secret                 = filepath.Join(baseDir, "secret.yaml")
+		s2iDeploymentConfig    = filepath.Join(baseDir, "s2i-deploymentconfig.yaml")
+		s2iImageStream         = filepath.Join(baseDir, "s2i-imagestream.yaml")
+		dockerDeploymentConfig = filepath.Join(baseDir, "docker-deploymentconfig.yaml")
+		dockerImageStream      = filepath.Join(baseDir, "docker-imagestream.yaml")
+		// csi enabled volume specifics
+		csiSharedSecret                            = filepath.Join(baseDir, "csi-shared-secret.yaml")
+		csiSharedRole                              = filepath.Join(baseDir, "csi-sharedresourcerole.yaml")
+		csiSharedRoleBinding                       = filepath.Join(baseDir, "csi-sharedresourcerolebinding.yaml")
+		csiS2iBuildConfig                          = filepath.Join(baseDir, "csi-s2i-buildconfig.yaml")
+		csiDockerBuildConfig                       = filepath.Join(baseDir, "csi-docker-buildconfig.yaml")
+		csiWihthoutResourceRefreshS2iBuildConfig   = filepath.Join(baseDir, "csi-without-rr-s2i-buildconfig.yaml")
+		csiWithoutResourceRefreshDockerBuildConfig = filepath.Join(baseDir, "csi-without-rr-docker-buildconfig.yaml")
+	)
+
+	g.Context("", func() {
+		g.BeforeEach(func() {
+			exutil.PreTestDump()
+		})
+
+		g.JustBeforeEach(func() {
+			if !isTechPreviewNoUpgrade(oc) {
+				g.Skip("the test is not expected to work within Tech Preview disabled clusters")
+			}
+
+			// create the csi shared resource
+			g.By("creating a secret")
+			err := oc.Run("create").Args("-f", secret).Execute()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("creating a csi shared secret resource")
+			err = oc.Run("create").Args("-f", csiSharedSecret).Execute()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("creating a csi shared role resource")
+			err = oc1.Run("create").Args("-f", csiSharedRole).Execute()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("creating a csi shared role binding resource")
+			err = oc1.Run("create").Args("-f", csiSharedRoleBinding).Execute()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+		})
+
+		g.AfterEach(func() {
+			if g.CurrentGinkgoTestDescription().Failed {
+				exutil.DumpPodStates(oc)
+				exutil.DumpConfigMapStates(oc)
+				exutil.DumpPodLogsStartingWith("", oc)
+			}
+		})
+
+		g.It("should mount given csi shared resource secret into the build pod for source strategy builds", func() {
+			g.By("creating an imagestream")
+			err := oc1.Run("create").Args("-f", s2iImageStream).Execute()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("creating a build config")
+			err = oc1.Run("create").Args("-f", csiS2iBuildConfig).Execute()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("starting a build and waiting for it to complete")
+			br, _ := exutil.StartBuildAndWait(oc1, "mys2itest")
+			br.AssertSuccess()
+
+			g.By("ensuring that the build pod logs contain the provided shared secret")
+			buildPodLogs, err := br.Logs()
+			o.Expect(err).NotTo(o.HaveOccurred())
+			o.Expect(buildPodLogs).To(o.ContainSubstring("my-secret-value"))
+
+			g.By("creating a deployment config")
+			err = oc1.Run("create").Args("-f", s2iDeploymentConfig).Execute()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("waiting for the deployment to complete")
+			_, err = deploymentutil.WaitForDeployerToComplete(oc, "mys2itest-1", 5*time.Minute)
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("ensuring that the shared secret does not exist in the build image")
+			out, err := oc1.Run("rsh").Args("dc/mys2itest", "cat", "/var/run/secrets/some-secret/key").Output()
+			o.Expect(err).To(o.HaveOccurred())
+			o.Expect(out).To(o.ContainSubstring("cat: /var/run/secrets/some-secret/key: No such file or directory"))
+		})
+
+		g.It("should mount given csi shared resource secret without resource refresh into the build pod for source strategy builds", func() {
+			g.By("creating an imagestream")
+			err := oc1.Run("create").Args("-f", s2iImageStream).Execute()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("creating a build config")
+			err = oc1.Run("create").Args("-f", csiWihthoutResourceRefreshS2iBuildConfig).Execute()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("starting a build and waiting for it to complete")
+			br, _ := exutil.StartBuildAndWait(oc1, "mys2itest")
+			br.AssertSuccess()
+
+			g.By("ensuring that the build pod logs contain the provided shared secret")
+			buildPodLogs, err := br.Logs()
+			o.Expect(err).NotTo(o.HaveOccurred())
+			o.Expect(buildPodLogs).To(o.ContainSubstring("my-secret-value"))
+
+			g.By("creating a deployment config")
+			err = oc1.Run("create").Args("-f", s2iDeploymentConfig).Execute()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("waiting for the deployment to complete")
+			_, err = deploymentutil.WaitForDeployerToComplete(oc, "mys2itest-1", 5*time.Minute)
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("ensuring that the shared secret does not exist in the build image")
+			out, err := oc1.Run("rsh").Args("dc/mys2itest", "cat", "/var/run/secrets/some-secret/key").Output()
+			o.Expect(err).To(o.HaveOccurred())
+			o.Expect(out).To(o.ContainSubstring("cat: /var/run/secrets/some-secret/key: No such file or directory"))
+		})
+
+		g.It("should mount given csi shared resource secret into the build pod for docker strategy builds", func() {
+			g.By("creating an imagestream")
+			err := oc1.Run("create").Args("-f", dockerImageStream).Execute()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("creating a build config")
+			err = oc1.Run("create").Args("-f", csiDockerBuildConfig).Execute()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("starting a build and waiting for it to complete")
+			br, _ := exutil.StartBuildAndWait(oc, "mydockertest")
+			br.AssertSuccess()
+
+			g.By("ensuring that the build pod logs contain the provided shared")
+			buildPodLogs, err := br.Logs()
+			o.Expect(err).NotTo(o.HaveOccurred())
+			o.Expect(buildPodLogs).To(o.ContainSubstring("my-secret-value"))
+
+			g.By("creating a deployment config")
+			err = oc1.Run("create").Args("-f", dockerDeploymentConfig).Execute()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("waiting for the deployment to complete")
+			_, err = deploymentutil.WaitForDeployerToComplete(oc, "mydockertest-1", 5*time.Minute)
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("ensuring that the shared secret does not exist in the build image")
+			out, err := oc1.Run("rsh").Args("dc/mydockertest", "cat", "/var/run/secrets/some-secret/key").Output()
+			o.Expect(err).To(o.HaveOccurred())
+			o.Expect(out).To(o.ContainSubstring("cat: /var/run/secrets/some-secret/key: No such file or directory"))
+		})
+
+		g.It("should mount given csi shared resource secret without resource refresh into the build pod for docker strategy builds", func() {
+			g.By("creating an imagestream")
+			err := oc1.Run("create").Args("-f", dockerImageStream).Execute()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("creating a build config")
+			err = oc1.Run("create").Args("-f", csiWithoutResourceRefreshDockerBuildConfig).Execute()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("starting a build and waiting for it to complete")
+			br, _ := exutil.StartBuildAndWait(oc, "mydockertest")
+			br.AssertSuccess()
+
+			g.By("ensuring that the build pod logs contain the provided shared")
+			buildPodLogs, err := br.Logs()
+			o.Expect(err).NotTo(o.HaveOccurred())
+			o.Expect(buildPodLogs).To(o.ContainSubstring("my-secret-value"))
+
+			g.By("creating a deployment config")
+			err = oc1.Run("create").Args("-f", dockerDeploymentConfig).Execute()
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("waiting for the deployment to complete")
+			_, err = deploymentutil.WaitForDeployerToComplete(oc, "mydockertest-1", 5*time.Minute)
+			o.Expect(err).NotTo(o.HaveOccurred())
+
+			g.By("ensuring that the shared secret does not exist in the build image")
+			out, err := oc1.Run("rsh").Args("dc/mydockertest", "cat", "/var/run/secrets/some-secret/key").Output()
+			o.Expect(err).To(o.HaveOccurred())
+			o.Expect(out).To(o.ContainSubstring("cat: /var/run/secrets/some-secret/key: No such file or directory"))
+		})
+	})
+})
+
+// isTechPreviewNoUpgrade checks if a cluster is a TechPreviewNoUpgrade cluster
+func isTechPreviewNoUpgrade(oc *exutil.CLI) bool {
+	featureGate, err := oc.AdminConfigClient().ConfigV1().FeatureGates().Get(context.Background(), "cluster", metav1.GetOptions{})
+	if err != nil {
+		if kapierrs.IsNotFound(err) {
+			return false
+		}
+		e2e.Failf("could not retrieve feature-gate: %v", err)
+	}
+
+	return featureGate.Spec.FeatureSet == configv1.TechPreviewNoUpgrade
+}