|
| 1 | +--- |
| 2 | +apiVersion: kuttl.dev/v1beta1 |
| 3 | +kind: TestStep |
| 4 | +commands: |
| 5 | + - script: | |
| 6 | + set -e |
| 7 | +
|
| 8 | + PRIMARY=$( |
| 9 | + kubectl get pod --namespace "${NAMESPACE}" \ |
| 10 | + --output name --selector \ |
| 11 | + 'postgres-operator.crunchydata.com/cluster=ldap,postgres-operator.crunchydata.com/role=primary' \ |
| 12 | + | head -1 |
| 13 | + ) |
| 14 | +
|
| 15 | + HBA=$(kubectl exec --namespace "${NAMESPACE}" "${PRIMARY}" -c database \ |
| 16 | + -- psql -tAc "SELECT pg_read_file('pg_hba.conf');" 2>&1) |
| 17 | +
|
| 18 | + contains() { bash -ceu '[[ "$1" == *"$2"* ]]' - "$@"; } |
| 19 | + contains "${HBA}" "ldap" || { |
| 20 | + echo >&2 'pg_hba.conf does not contain an ldap rule' |
| 21 | + exit 1 |
| 22 | + } |
| 23 | +
|
| 24 | + ## verify ldap directories |
| 25 | + for i in $(seq 12); do |
| 26 | + if kubectl exec --namespace "${NAMESPACE}" deployment/openldap -c ldap-setup \ |
| 27 | + -- ldapsearch -x -H ldap://localhost:389 \ |
| 28 | + -D "cn=admin,dc=ldap,dc=local" -w adminpassword \ |
| 29 | + -b "uid=percona,ou=perconadba,dc=ldap,dc=local" 2>&1 \ |
| 30 | + | grep -q "uid: percona"; then |
| 31 | + echo "LDAP entry for percona found" |
| 32 | + break |
| 33 | + fi |
| 34 | + echo "Attempt ${i}: LDAP entry not yet available, waiting..." |
| 35 | + sleep 10 |
| 36 | + done |
| 37 | +
|
| 38 | + # verify LDAP auth |
| 39 | + result="" |
| 40 | + for i in $(seq 6); do |
| 41 | + result=$(kubectl exec --namespace "${NAMESPACE}" "${PRIMARY}" -c database \ |
| 42 | + -- bash -c 'PGPASSWORD=mysecretpassword PGSSLMODE=disable \ |
| 43 | + psql -h 127.0.0.1 -U percona -d percona -tAc "SELECT current_user;" 2>&1') && break |
| 44 | + echo "Attempt ${i} failed: ${result}" |
| 45 | + sleep 10 |
| 46 | + done |
| 47 | +
|
| 48 | + [[ "${result}" == "percona" ]] || { |
| 49 | + echo >&2 "Expected current_user='percona', got: ${result}" |
| 50 | + exit 1 |
| 51 | + } |
| 52 | +
|
| 53 | + # verify wrong password is rejected |
| 54 | + if bad_result=$(kubectl exec --namespace "${NAMESPACE}" "${PRIMARY}" -c database \ |
| 55 | + -- bash -c 'PGPASSWORD=wrongpassword PGSSLMODE=disable \ |
| 56 | + psql -h 127.0.0.1 -U percona -d percona -tAc "SELECT current_user;" 2>&1'); then |
| 57 | + echo >&2 "Expected authentication failure with wrong password, but login succeeded: ${bad_result}" |
| 58 | + exit 1 |
| 59 | + fi |
| 60 | + echo "Wrong password correctly rejected" |