acceptance-tests: connect tests verify that the ACL token was deleted (…

…hashicorp#1056)
bngopale · Aug 4, 2021 · 3e6ac94 · 3e6ac94
1 parent 1eaabb7
commit 3e6ac94
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 14 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -55,7 +55,7 @@ commands:
         type: string
       consul-k8s-image:
         type: string
-        default: "hashicorpdev/consul-k8s:2dfffed"
+        default: "docker.mirror.hashicorp.services/hashicorpdev/consul-k8s:latest"
     steps:
       - when:
           condition: << parameters.failfast >>

diff --git a/test/acceptance/tests/connect/connect_inject_namespaces_test.go b/test/acceptance/tests/connect/connect_inject_namespaces_test.go
@@ -108,6 +108,40 @@ func TestConnectInjectNamespaces(t *testing.T) {
 				k8s.RunKubectl(t, ctx.KubectlOptions(t), "delete", "ns", staticClientNamespace)
 			})
 
+			consulClient := consulCluster.SetupConsulClient(t, c.secure)
+
+			serverQueryOpts := &api.QueryOptions{Namespace: staticServerNamespace}
+			clientQueryOpts := &api.QueryOptions{Namespace: staticClientNamespace}
+
+			if !c.mirrorK8S {
+				serverQueryOpts = &api.QueryOptions{Namespace: c.destinationNamespace}
+				clientQueryOpts = &api.QueryOptions{Namespace: c.destinationNamespace}
+			}
+
+			// Check that the ACL token is deleted.
+			if c.secure {
+				// We need to register the cleanup function before we create the deployments
+				// because golang will execute them in reverse order i.e. the last registered
+				// cleanup function will be executed first.
+				t.Cleanup(func() {
+					if c.secure {
+						retry.Run(t, func(r *retry.R) {
+							tokens, _, err := consulClient.ACL().TokenList(serverQueryOpts)
+							require.NoError(r, err)
+							for _, token := range tokens {
+								require.NotContains(r, token.Description, staticServerName)
+							}
+
+							tokens, _, err = consulClient.ACL().TokenList(clientQueryOpts)
+							require.NoError(r, err)
+							for _, token := range tokens {
+								require.NotContains(r, token.Description, staticClientName)
+							}
+						})
+					}
+				})
+			}
+
 			logger.Log(t, "creating static-server and static-client deployments")
 			k8s.DeployKustomize(t, staticServerOpts, cfg.NoCleanupOnFailure, cfg.DebugDirectory, "../fixtures/cases/static-server-inject")
 			if cfg.EnableTransparentProxy {
@@ -126,21 +160,12 @@ func TestConnectInjectNamespaces(t *testing.T) {
 				require.Len(t, podList.Items[0].Spec.Containers, 2)
 			}
 
-			consulClient := consulCluster.SetupConsulClient(t, c.secure)
-
 			// Make sure that services are registered in the correct namespace.
 			// If mirroring is enabled, we expect services to be registered in the
 			// Consul namespace with the same name as their source
 			// Kubernetes namespace.
 			// If a single destination namespace is set, we expect all services
 			// to be registered in that destination Consul namespace.
-			serverQueryOpts := &api.QueryOptions{Namespace: staticServerNamespace}
-			clientQueryOpts := &api.QueryOptions{Namespace: staticClientNamespace}
-
-			if !c.mirrorK8S {
-				serverQueryOpts = &api.QueryOptions{Namespace: c.destinationNamespace}
-				clientQueryOpts = &api.QueryOptions{Namespace: c.destinationNamespace}
-			}
 			services, _, err := consulClient.Catalog().Service(staticServerName, "", serverQueryOpts)
 			require.NoError(t, err)
 			require.Len(t, services, 1)

diff --git a/test/acceptance/tests/connect/connect_inject_test.go b/test/acceptance/tests/connect/connect_inject_test.go
@@ -20,7 +20,7 @@ import (
 const staticClientName = "static-client"
 const staticServerName = "static-server"
 
-// Test that Connect works in a default and a secure installation
+// Test that Connect works in a default and a secure installation.
 func TestConnectInject(t *testing.T) {
 	cases := []struct {
 		secure      bool
@@ -50,6 +50,25 @@ func TestConnectInject(t *testing.T) {
 
 			consulCluster.Create(t)
 
+			consulClient := consulCluster.SetupConsulClient(t, c.secure)
+
+			// Check that the ACL token is deleted.
+			if c.secure {
+				// We need to register the cleanup function before we create the deployments
+				// because golang will execute them in reverse order i.e. the last registered
+				// cleanup function will be executed first.
+				t.Cleanup(func() {
+					retry.Run(t, func(r *retry.R) {
+						tokens, _, err := consulClient.ACL().TokenList(nil)
+						require.NoError(r, err)
+						for _, token := range tokens {
+							require.NotContains(r, token.Description, staticServerName)
+							require.NotContains(r, token.Description, staticClientName)
+						}
+					})
+				})
+			}
+
 			logger.Log(t, "creating static-server and static-client deployments")
 			k8s.DeployKustomize(t, ctx.KubectlOptions(t), cfg.NoCleanupOnFailure, cfg.DebugDirectory, "../fixtures/cases/static-server-inject")
 			if cfg.EnableTransparentProxy {
@@ -76,10 +95,8 @@ func TestConnectInject(t *testing.T) {
 					k8s.CheckStaticServerConnectionFailing(t, ctx.KubectlOptions(t), "http://localhost:1234")
 				}
 
-				consulClient := consulCluster.SetupConsulClient(t, true)
-
 				logger.Log(t, "creating intention")
-				_, _, err := consulClient.Connect().IntentionCreate(&api.Intention{
+				_, err := consulClient.Connect().IntentionUpsert(&api.Intention{
 					SourceName:      staticClientName,
 					DestinationName: staticServerName,
 					Action:          api.IntentionActionAllow,