tests: implement opensearch-client for irsa

camunda · Oct 2, 2024 · 9df3d7e · 9df3d7e
1 parent 5239e44
commit 9df3d7e
Show file tree

Hide file tree

Showing 4 changed files with 89 additions and 23 deletions.
diff --git a/modules/fixtures/opensearch-client.yml b/modules/fixtures/opensearch-client.yml
@@ -19,23 +19,53 @@ spec:
                       - -c
                       - |
                         /bin/bash <<'EOF'
-                        set -e
+                        set -euxo pipefail
 
                         echo "Installing dependencies..."
-                        yum install -y python3-pip curl unzip
+                        yum install -y unzip
 
                         echo "Installing AWS CLI..."
                         curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
                         unzip awscliv2.zip
                         ./aws/install
 
+                        echo "Installing OpenSearch CLI..."
+                        curl -L "https://github.com/opensearch-project/opensearch-cli/releases/download/v1.2.0/opensearch-cli-1.2.0-linux-x64.zip" -o "opensearch.zip"
+                        unzip opensearch.zip
+
+                        # Create or replace the ~/.aws/config file with the values from the environment variables
+                        mkdir -p ~/.aws
+                        cat <<EOCONFIG > ~/.aws/config
+                        [profile opensearch]
+                        role_arn = "$AWS_ROLE_ARN"
+                        web_identity_token_file = "$AWS_WEB_IDENTITY_TOKEN_FILE"
+                        EOCONFIG
+                        chmod 0600 ~/.aws/config
+
+                        echo "AWS IRSA profile configured:"
+                        cat ~/.aws/config
+
                         echo "Testing OpenSearch connection using IRSA..."
-                        export AWS_OPENSEARCH_PASSWORD=$(aws opensearch get-signature-v4-auth-token \
-                          --region $AWS_REGION \
-                          --host $OPENSEARCH_ENDPOINT \
-                          --username $OPENSEARCH_USERNAME)
 
-                        curl -XGET -u "admin:$AWS_OPENSEARCH_PASSWORD" "https://$OPENSEARCH_ENDPOINT/_cluster/health?pretty"
+                        # Create or replace the /root/.opensearch-cli/config.yaml file with the values from the environment variables
+                        mkdir -p ~/.opensearch-cli
+                        cat <<EOCONFIG_OPENSEARCH > ~/.opensearch-cli/config.yaml
+                        profiles:
+                          - name: opensearch
+                            endpoint: https://$OPENSEARCH_ENDPOINT
+                            aws_iam:
+                              profile: opensearch
+                              service: es
+                            max_retry: 3
+                            timeout: 10
+                        EOCONFIG_OPENSEARCH
+                        chmod 0600 ~/.opensearch-cli/config.yaml
+
+                        echo "OpenSearch CLI profile configured:"
+                        cat ~/.opensearch-cli/config.yaml
+
+                        # Test OpenSearch connection using the opensearch profile
+                        ./opensearch-cli curl get --path _cluster/health --profile opensearch
 
                         EOF
                   env:
@@ -44,11 +74,6 @@ spec:
                             configMapKeyRef:
                                 name: opensearch-config
                                 key: opensearch_endpoint
-                      - name: OPENSEARCH_USERNAME
-                        valueFrom:
-                            configMapKeyRef:
-                                name: opensearch-config
-                                key: opensearch_username
                       - name: AWS_REGION
                         valueFrom:
                             configMapKeyRef:

diff --git a/modules/opensearch/main.tf b/modules/opensearch/main.tf
@@ -126,13 +126,11 @@ resource "aws_security_group_rule" "allow_egress" {
 }
 
 resource "aws_security_group_rule" "allow_ingress" {
-  for_each = toset(["9200", "9300"])
-
-  description = "Allow incoming traffic for the OpenSearch on port ${each.key}"
+  description = "Allow incoming traffic for the OpenSearch on port 443"
 
   type        = "ingress"
-  from_port   = tonumber(each.key)
-  to_port     = tonumber(each.key)
+  from_port   = 443
+  to_port     = 443
   protocol    = "tcp"
   cidr_blocks = var.cidr_blocks
 

diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go
@@ -15,10 +15,14 @@ import (
 	"github.com/stretchr/testify/suite"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zaptest"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
+	"time"
 )
 
 type CustomEKSOpenSearchTestSuite struct {
@@ -134,7 +138,7 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() {
 	suite.sugaredLogger.Infow("eks describe cluster result", "result", result, "err", err)
 	suite.Assert().NoError(err)
 
-	_, errKubeClient := utils.NewKubeClientSet(result.Cluster)
+	kubeClient, errKubeClient := utils.NewKubeClientSet(result.Cluster)
 	suite.Require().NoError(errKubeClient)
 	utils.GenerateKubeConfigFromAWS(suite.T(), suite.region, suite.clusterName, utils.GetAwsProfile(), suite.kubeConfigPath)
 
@@ -144,10 +148,13 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() {
 
 	opensearchDomainName := fmt.Sprintf("os-%s", suite.clusterName)
 	opensearchMasterUserName := "opensearch-admin"
-	opensearchMasterUserPassword := "password"
+	opensearchMasterUserPassword := "password" // TODO: replace this by a random value
 
 	// Extract OIDC issuer and create the IRSA role with OpenSearch access
-	oidcProvider := *result.Cluster.Identity.Oidc.Issuer
+	oidcProviderURL := *result.Cluster.Identity.Oidc.Issuer
+	partsOIDC := strings.Split(oidcProviderURL, "/")
+	oidcProviderID := partsOIDC[len(partsOIDC)-1]
+
 	stsIdentity, err := stsSvc.GetCallerIdentity(context.TODO(), &sts.GetCallerIdentityInput{})
 	suite.Require().NoError(err, "Failed to get AWS account ID")
 	accountId := *stsIdentity.Account
@@ -195,7 +202,7 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() {
       }
     }
   ]
-}`, accountId, suite.region, oidcProvider, suite.region, oidcProvider, openSearchNamespace, openSearchServiceAccount)
+}`, accountId, suite.region, oidcProviderID, suite.region, oidcProviderID, openSearchNamespace, openSearchServiceAccount)
 
 	varsConfigOpenSearch := map[string]interface{}{
 		"domain_name":                            opensearchDomainName,
@@ -254,7 +261,42 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() {
 
 	// Perform assertions on the OpenSearch domain configuration
 
-	// TODO
+	// ))))))))
+
+	// Test the OpenSearch connection and perform additional tests as needed
+
+	configMapScript := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "opensearch-config",
+			Namespace: openSearchNamespace,
+		},
+		Data: map[string]string{
+			"opensearch_endpoint": opensearchEndpoint,
+			"aws_region":          suite.region,
+		},
+	}
+
+	err = kubeClient.CoreV1().ConfigMaps(openSearchNamespace).Delete(context.Background(), configMapScript.Name, metav1.DeleteOptions{})
+	if err != nil && !errors.IsNotFound(err) {
+		suite.Require().NoError(err)
+	}
+	_, err = kubeClient.CoreV1().ConfigMaps(openSearchNamespace).Create(context.Background(), configMapScript, metav1.CreateOptions{})
+	k8s.WaitUntilConfigMapAvailable(suite.T(), openSearchKubectlOptions, configMapScript.Name, 6, 10*time.Second)
+
+	// cleanup existing jobs
+	jobListOptions := metav1.ListOptions{LabelSelector: "app=opensearch-client"}
+	existingJobs := k8s.ListJobs(suite.T(), openSearchKubectlOptions, jobListOptions)
+	backgroundDeletion := metav1.DeletePropagationBackground
+	for _, job := range existingJobs {
+		err := kubeClient.BatchV1().Jobs(openSearchNamespace).Delete(context.Background(), job.Name, metav1.DeleteOptions{PropagationPolicy: &backgroundDeletion})
+		suite.Assert().NoError(err)
+	}
+
+	// deploy the postgres-client Job to test the connection
+	k8s.KubectlApply(suite.T(), openSearchKubectlOptions, "../../modules/fixtures/opensearch-client.yml")
+	errJob := utils.WaitForJobCompletion(kubeClient, openSearchNamespace, "opensearch-client", 5*time.Minute, jobListOptions)
+	suite.Require().NoError(errJob)
+	// TODO: test that without auth, the same command fails in the job
 }
 
 func TestCustomEKSOpenSearchTestSuite(t *testing.T) {

diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go
@@ -265,8 +265,9 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() {
 	// cleanup existing jobs
 	jobListOptions := metav1.ListOptions{LabelSelector: "app=postgres-client"}
 	existingJobs := k8s.ListJobs(suite.T(), pgKubeCtlOptions, jobListOptions)
+	backgroundDeletion := metav1.DeletePropagationBackground
 	for _, job := range existingJobs {
-		err := kubeClient.BatchV1().Jobs(namespace).Delete(context.Background(), job.Name, metav1.DeleteOptions{})
+		err := kubeClient.BatchV1().Jobs(namespace).Delete(context.Background(), job.Name, metav1.DeleteOptions{PropagationPolicy: &backgroundDeletion})
 		suite.Assert().NoError(err)
 	}