test: add E2E test using endpoint CA with Azurite

wadlejitendra · Jitendra Wadle · litaocdl · web-flow · commit dc59f0feb739 · 2022-01-19T00:13:27.000+08:00
Co-authored-by: Jitendra Wadle &lt;jitendrawadle@Laptop566-pn-in.local&gt;
Co-authored-by: Tao &lt;tao.li@enterprisedb.com&gt;
diff --git a/tests/e2e/asserts_test.go b/tests/e2e/asserts_test.go
@@ -1424,10 +1424,6 @@ func prepareClusterForPITROnAzureBlob(namespace, clusterName, backupSampleFile,
 }
 
 func prepareClusterOnAzurite(namespace, clusterName, clusterSampleFile string) {
-	// Create a cluster in a namespace we'll delete after the test
-	err := env.CreateNamespace(namespace)
-	Expect(err).ToNot(HaveOccurred())
-
 	By("creating the Azurite storage credentials", func() {
 		AssertStorageCredentialsAreCreatedOnAzurite(namespace)
 	})
diff --git a/tests/e2e/backup_restore_test.go b/tests/e2e/backup_restore_test.go
@@ -449,6 +449,8 @@ var _ = Describe("Backup and restore", func() {
 			scheduledBackupImmediateSampleFile = fixturesDir +
 				"/backup/scheduled_backup_immediate/scheduled-backup-immediate-azurite.yaml"
 			backupFile = fixturesDir + "/backup/azurite/backup.yaml"
+			caSecName  = "azurite-ca-secret"
+			tlsSecName = "azurite-tls-secret"
 		)
 
 		BeforeAll(func() {
@@ -461,6 +463,24 @@ var _ = Describe("Backup and restore", func() {
 			clusterName, err := env.GetResourceNameFromYAML(azuriteBlobSampleFile)
 			Expect(err).ToNot(HaveOccurred())
 
+			// Create a cluster in a namespace we'll delete after the test
+			err = env.CreateNamespace(namespace)
+			Expect(err).ToNot(HaveOccurred())
+
+			By("creating ca and tls certificate secrets", func() {
+				// create CA certificates
+				_, caPair := testUtils.CreateSecretCA(namespace, clusterName, caSecName, true, env)
+
+				// sign and create secret using CA certificate and key
+				serverPair, err := caPair.CreateAndSignPair("azurite", certs.CertTypeServer,
+					[]string{"azurite.internal.mydomain.net, azurite.default.svc, azurite.default,"},
+				)
+				Expect(err).ToNot(HaveOccurred())
+				serverSecret := serverPair.GenerateCertificateSecret(namespace, tlsSecName)
+				err = env.Client.Create(env.Ctx, serverSecret)
+				Expect(err).ToNot(HaveOccurred())
+			})
+
 			// Setup Azurite and az cli along with Postgresql cluster
 			prepareClusterBackupOnAzurite(namespace, clusterName, azuriteBlobSampleFile, backupFile, tableName)
 		})
@@ -547,6 +567,8 @@ var _ = Describe("Clusters Recovery From Barman Object Store", func() {
 		sourceBackupFileAzureSAS        = fixturesBackupDir + "backup-azure-blob-sas.yaml"
 		sourceBackupFileAzurePITRSAS    = fixturesBackupDir + "backup-azure-blob-pitr-sas.yaml"
 		level                           = tests.High
+		caSecName                       = "azurite-ca-secret"
+		tlsSecName                      = "azurite-tls-secret"
 	)
 
 	var namespace, clusterName, azStorageAccount, azStorageKey string
@@ -838,6 +860,24 @@ var _ = Describe("Clusters Recovery From Barman Object Store", func() {
 			clusterName, err := env.GetResourceNameFromYAML(azuriteBlobSampleFile)
 			Expect(err).ToNot(HaveOccurred())
 
+			// Create a cluster in a namespace we'll delete after the test
+			err = env.CreateNamespace(namespace)
+			Expect(err).ToNot(HaveOccurred())
+
+			By("creating ca and tls certificate secrets", func() {
+				// create CA certificates
+				_, caPair := testUtils.CreateSecretCA(namespace, clusterName, caSecName, true, env)
+
+				// sign and create secret using CA certificate and key
+				serverPair, err := caPair.CreateAndSignPair("azurite", certs.CertTypeServer,
+					[]string{"azurite.internal.mydomain.net, azurite.default.svc, azurite.default,"},
+				)
+				Expect(err).ToNot(HaveOccurred())
+				serverSecret := serverPair.GenerateCertificateSecret(namespace, tlsSecName)
+				err = env.Client.Create(env.Ctx, serverSecret)
+				Expect(err).ToNot(HaveOccurred())
+			})
+
 			// Setup Azurite and az cli along with PostgreSQL cluster
 			prepareClusterBackupOnAzurite(namespace, clusterName, azuriteBlobSampleFile, backupFileAzurite, tableName)
 		})
diff --git a/tests/e2e/fixtures/backup/azurite/az-cli.yaml b/tests/e2e/fixtures/backup/azurite/az-cli.yaml
@@ -1,3 +1,5 @@
+# In az cli client pod we need to export env 'REQUESTS_CA_BUNDLE' variable with value "/etc/ssl/certs/rootCA.pem"
+# for custom CA bundle to connect azurite server
 apiVersion: v1
 kind: Pod
 metadata:
@@ -19,3 +21,15 @@ spec:
             secretKeyRef:
               name: azurite
               key: AZURE_CONNECTION_STRING
+        - name: REQUESTS_CA_BUNDLE
+          value: "/etc/ssl/certs/rootCA.pem"
+      volumeMounts:
+        - name: cert
+          mountPath: "/etc/ssl/certs"
+  volumes:
+    - name: cert
+      secret:
+        secretName: azurite-ca-secret
+        items:
+          - key: ca.crt
+            path: rootCA.pem
diff --git a/tests/e2e/fixtures/backup/azurite/azurite-deployment.yaml b/tests/e2e/fixtures/backup/azurite/azurite-deployment.yaml
@@ -1,3 +1,5 @@
+# We need pass custom --cert and --key in .pem format to start azurite as https mode
+# refer "https://github.com/Azure/Azurite#https-setup"
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -18,19 +20,31 @@ spec:
         app: azurite
     spec:
       containers:
-      - image: mcr.microsoft.com/azure-storage/azurite
-        name: azurite
-        env:
-          - name: AZURITE_ACCOUNTS
-            valueFrom:
-              secretKeyRef:
-                name: azurite
-                key: AZURITE_ACCOUNTS
-        ports:
-          - containerPort: 10000
-        volumeMounts:
-        - mountPath: /data
-          name: data-volume
+        - image: mcr.microsoft.com/azure-storage/azurite
+          name: azurite
+          command: ["azurite"]
+          args: ["-l", "/data", "--cert", "/etc/ssl/certs/azurite.pem", "--key", "/etc/ssl/certs/azurite-key.pem", "--oauth", "basic", "--blobHost", "0.0.0.0"]
+          env:
+            - name: AZURITE_ACCOUNTS
+              valueFrom:
+                secretKeyRef:
+                  name: azurite
+                  key: AZURITE_ACCOUNTS
+          ports:
+            - containerPort: 10000
+          volumeMounts:
+            - mountPath: /data
+              name: data-volume
+            - name: cert
+              mountPath: "/etc/ssl/certs"
       volumes:
-      - name: data-volume
-        emptyDir: { }
+        - name: data-volume
+          emptyDir: { }
+        - name: cert
+          secret:
+            secretName: azurite-tls-secret
+            items:
+              - key: tls.crt
+                path: azurite.pem
+              - key: tls.key
+                path: azurite-key.pem
diff --git a/tests/e2e/fixtures/backup/azurite/azurite-secret.yaml b/tests/e2e/fixtures/backup/azurite/azurite-secret.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 stringData:
   AZURITE_ACCOUNTS: storageaccountname:c3RvcmFnZWFjY291bnRrZXk=
-  AZURE_CONNECTION_STRING: DefaultEndpointsProtocol=http;AccountName=storageaccountname;AccountKey=c3RvcmFnZWFjY291bnRrZXk=;BlobEndpoint=http://azurite:10000/storageaccountname;
+  AZURE_CONNECTION_STRING: DefaultEndpointsProtocol=https;AccountName=storageaccountname;AccountKey=c3RvcmFnZWFjY291bnRrZXk=;BlobEndpoint=https://azurite:10000/storageaccountname;
 kind: Secret
 metadata:
   creationTimestamp: null
diff --git a/tests/e2e/fixtures/backup/azurite/cluster-backup.yaml.template b/tests/e2e/fixtures/backup/azurite/cluster-backup.yaml.template
@@ -13,7 +13,10 @@ spec:
   # Backup properties
   backup:
     barmanObjectStore:
-      destinationPath: http://azurite:10000/storageaccountname/pg-backup-azurite
+      destinationPath: https://azurite:10000/storageaccountname/pg-backup-azurite
+      endpointCA:
+        key: ca.crt
+        name: azurite-ca-secret
       azureCredentials:
         connectionString:
           name: azurite
diff --git a/tests/e2e/fixtures/backup/recovery_external_clusters/external-clusters-azurite-03.yaml.template b/tests/e2e/fixtures/backup/recovery_external_clusters/external-clusters-azurite-03.yaml.template
@@ -34,7 +34,10 @@ spec:
   externalClusters:
     - name: pg-backup-azurite
       barmanObjectStore:
-        destinationPath: http://azurite:10000/storageaccountname/pg-backup-azurite
+        destinationPath: https://azurite:10000/storageaccountname/pg-backup-azurite
+        endpointCA:
+          key: ca.crt
+          name: azurite-ca-secret
         azureCredentials:
           connectionString:
             name: azurite
diff --git a/tests/utils/backup.go b/tests/utils/backup.go
@@ -267,7 +267,7 @@ func CreateClusterFromExternalClusterBackupWithPITROnAzurite(
 	targetTime string,
 	env *TestingEnvironment) error {
 	storageClassName := os.Getenv("E2E_DEFAULT_STORAGE_CLASS")
-	DestinationPath := fmt.Sprintf("http://azurite:10000/storageaccountname/%v", sourceClusterName)
+	DestinationPath := fmt.Sprintf("https://azurite:10000/storageaccountname/%v", sourceClusterName)
 
 	restoreCluster := &apiv1.Cluster{
 		ObjectMeta: v1.ObjectMeta{
@@ -308,6 +308,12 @@ func CreateClusterFromExternalClusterBackupWithPITROnAzurite(
 					Name: sourceClusterName,
 					BarmanObjectStore: &apiv1.BarmanObjectStoreConfiguration{
 						DestinationPath: DestinationPath,
+						EndpointCA: &apiv1.SecretKeySelector{
+							LocalObjectReference: apiv1.LocalObjectReference{
+								Name: "azurite-ca-secret",
+							},
+							Key: "ca.crt",
+						},
 						AzureCredentials: &apiv1.AzureCredentials{
 							ConnectionString: &apiv1.SecretKeySelector{
 								LocalObjectReference: apiv1.LocalObjectReference{
