add e2e test

Author: gkech

e2e-tests/run-pr.csv

@@ -10,6 +10,7 @@ dynamic-configuration
 finalizers
 init-deploy
 huge-pages
+ldap
 monitoring
 monitoring-pmm3
 one-pod

e2e-tests/run-release.csv

@@ -10,6 +10,7 @@ dynamic-configuration
 finalizers
 init-deploy
 huge-pages
+ldap
 major-upgrade
 monitoring
 monitoring-pmm3

e2e-tests/tests/ldap/00-assert.yaml

@@ -0,0 +1,24 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 120
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: perconapgclusters.pgv2.percona.com
+spec:
+  group: pgv2.percona.com
+  names:
+    kind: PerconaPGCluster
+    listKind: PerconaPGClusterList
+    plural: perconapgclusters
+    singular: perconapgcluster
+  scope: Namespaced
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+metadata:
+  name: check-operator-deploy-status
+timeout: 120
+commands:
+  - script: kubectl assert exist-enhanced deployment percona-postgresql-operator -n ${OPERATOR_NS:-$NAMESPACE} --field-selector status.readyReplicas=1

e2e-tests/tests/ldap/00-deploy-operator.yaml

@@ -0,0 +1,13 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+timeout: 10
+commands:
+    - script: |-
+          set -o errexit
+          set -o xtrace
+          
+          source ../../functions
+          init_temp_dir # do this only in the first TestStep
+          
+          deploy_operator
+          deploy_client

e2e-tests/tests/ldap/01-assert.yaml

@@ -0,0 +1,12 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+# OpenLDAP readiness probe has initialDelaySeconds: 60, so allow extra time.
+timeout: 180
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openldap
+status:
+  availableReplicas: 1
+  readyReplicas: 1

e2e-tests/tests/ldap/01-openldap.yaml

@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+  - files/openldap.yaml

e2e-tests/tests/ldap/02-assert.yaml

@@ -0,0 +1,20 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 600
+---
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+  name: ldap
+status:
+  instances:
+    - name: instance1
+      readyReplicas: 3
+      replicas: 3
+      updatedReplicas: 3
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ldap-primary
+

e2e-tests/tests/ldap/02-cluster.yaml

@@ -0,0 +1,16 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+timeout: 10
+commands:
+  - script: |-
+      set -o errexit
+      set -o xtrace
+
+      source ../../functions
+
+      get_cr \
+        | yq eval '
+            .spec.users += [{"name":"percona","databases":["percona"]}] |
+            .spec.authentication.rules = [{"connection":"host","method":"ldap","users":["percona"],"options":{"ldapserver":"openldap","ldapport":389,"ldapprefix":"uid=","ldapsuffix":",ou=perconadba,dc=ldap,dc=local"}}]
+          ' - \
+        | kubectl -n "${NAMESPACE}" apply -f -

e2e-tests/tests/ldap/03-verify-ldap-auth.yaml

@@ -0,0 +1,60 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |
+      set -e
+
+      PRIMARY=$(
+        kubectl get pod --namespace "${NAMESPACE}" \
+          --output name --selector \
+          'postgres-operator.crunchydata.com/cluster=ldap,postgres-operator.crunchydata.com/role=primary' \
+          | head -1
+      )
+
+      HBA=$(kubectl exec --namespace "${NAMESPACE}" "${PRIMARY}" -c database \
+        -- psql -tAc "SELECT pg_read_file('pg_hba.conf');" 2>&1)
+
+      contains() { bash -ceu '[[ "$1" == *"$2"* ]]' - "$@"; }
+      contains "${HBA}" "ldap" || {
+        echo >&2 'pg_hba.conf does not contain an ldap rule'
+        exit 1
+      }
+
+      ## verify ldap directories
+      for i in $(seq 12); do
+        if kubectl exec --namespace "${NAMESPACE}" deployment/openldap -c ldap-setup \
+          -- ldapsearch -x -H ldap://localhost:389 \
+             -D "cn=admin,dc=ldap,dc=local" -w adminpassword \
+             -b "uid=percona,ou=perconadba,dc=ldap,dc=local" 2>&1 \
+          | grep -q "uid: percona"; then
+          echo "LDAP entry for percona found"
+          break
+        fi
+        echo "Attempt ${i}: LDAP entry not yet available, waiting..."
+        sleep 10
+      done
+
+      # verify LDAP auth
+      result=""
+      for i in $(seq 6); do
+        result=$(kubectl exec --namespace "${NAMESPACE}" "${PRIMARY}" -c database \
+          -- bash -c 'PGPASSWORD=mysecretpassword PGSSLMODE=disable \
+            psql -h 127.0.0.1 -U percona -d percona -tAc "SELECT current_user;" 2>&1') && break
+        echo "Attempt ${i} failed: ${result}"
+        sleep 10
+      done
+
+      [[ "${result}" == "percona" ]] || {
+        echo >&2 "Expected current_user='percona', got: ${result}"
+        exit 1
+      }
+
+      # verify wrong password is rejected
+      if bad_result=$(kubectl exec --namespace "${NAMESPACE}" "${PRIMARY}" -c database \
+        -- bash -c 'PGPASSWORD=wrongpassword PGSSLMODE=disable \
+          psql -h 127.0.0.1 -U percona -d percona -tAc "SELECT current_user;" 2>&1'); then
+        echo >&2 "Expected authentication failure with wrong password, but login succeeded: ${bad_result}"
+        exit 1
+      fi
+      echo "Wrong password correctly rejected"

e2e-tests/tests/ldap/files/cluster.yaml

@@ -0,0 +1,23 @@
+apiVersion: pgv2.percona.com/v2
+kind: PerconaPGCluster
+metadata:
+  name: ldap
+spec:
+  # postgresVersion, images, backups, etc. are injected by get_cr() from deploy/cr.yaml
+  users:
+    - name: percona
+      databases:
+        - percona
+  # LDAP simple-bind: constructs DN as uid={username},ou=perconadba,dc=ldap,dc=local
+  # and binds with the user's password against the openldap Service (port 389).
+  authentication:
+    rules:
+      - connection: host
+        method: ldap
+        users:
+          - percona
+        options:
+          ldapserver: openldap
+          ldapport: 389
+          ldapprefix: "uid="
+          ldapsuffix: ",ou=perconadba,dc=ldap,dc=local"