aws-samples / eks-anywhere-addons

https://aws-samples.github.io/eks-anywhere-addons/
MIT No Attribution

Adding testing job for Vault KV engine #41

Closed gautambaghel closed 1 year ago

gautambaghel commented 1 year ago

*Issue #26

Description of changes: Testing the KV engine in this PR, might create more tests later for k8s engine.

@elamaran11 @shapirov103: Not sure how you guys are thinking about adding/testing custom images but I added a Dockerfile in this PR, I can remove it if needed. The image is hosted in docker.io/baghelg/vault-k8ctl:latest

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

elamaran11 commented 1 year ago

@gautambaghel First of all thank you so much for following with a functional test job. The approach seems to be fine with me. You are introducing a custom image to functionally test the vault product deployed on to our clusters. Only thing we want to make sure is, the docker image should not introduce any vulnerabilities to the environment or underlying host. I don't see anything flashy which can introduce a problem. I would appreciate if you can double check or do vulnerability scanning on the docker image and share the results in the PR to be on a safer side. Hope this makes sense to you.

gautambaghel commented 1 year ago

Let me see if I can include a Clair/Snyk scan screenshot in this PR. The image is simple however: ubuntu + vault + kubectl.

gautambaghel commented 1 year ago

It seems both scanners are telling me there is some medium-level vuln in the base image (ubuntu 22):

But nothing in the steps I'm adding (i.e. installing kubectl & Vault)

Let me know how you'd like to proceed @elamaran11

(screenshot of the scanner results, 2023-02-03)

elamaran11 commented 1 year ago

@gautambaghel Could we use ubuntu 20.04 to mitigate any of these risks. Looks good to me otherwise. @shapirov103 Thoughts?

shapirov103 commented 1 year ago

> @gautambaghel Could we use ubuntu 20.04 to mitigate any of these risks. Looks good to me otherwise. @shapirov103 Thoughts?

@gautambaghel thank you for doing it! I am fine with the current direction to use a different base image, if Ubuntu 20.04 (slim) works, then great. If a slimmer runtime works (alpine and such) even better.

We will be onboarding container runtime security on the test clusters, so they will flag such cases in the future. Eventually we will move these images to ECR as well.

gautambaghel commented 1 year ago

@shapirov103 @elamaran11 -- Done and Done! lmk if this works

elamaran11 commented 1 year ago

@gautambaghel It looks good. I will test it tomorrow morning and will let you know.

elamaran11 commented 1 year ago

@gautambaghel The job failed in my environment. Please see the error below. Did you test it in your K8s cluster? Sample in case you need one: https://github.com/aws-samples/eks-anywhere-addons/blob/main/eks-anywhere-common/Testers/Sample/testJob.yaml

❯ k logs test-vault-kv-v52rz -n vault
exec /bin/bash: exec format error

gautambaghel commented 1 year ago

Works for me, idk why there's an exec format error. I'll look into it a bit.

gautambaghel commented 1 year ago

Is it a problem because I built this image on an arm processor vs. an amd processor? Because the bash error is saying that.

elamaran11 commented 1 year ago

> Is it a problem because I built this image on an arm processor vs. an amd processor? Because the bash error is saying that.

Yes, please use x86_64, or a multi-architecture build is even better.
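
The mismatch discussed above (an image built on an arm64 machine scheduled onto x86_64 nodes) can be caught before the image is pushed rather than at `k logs` time. The script below is an added example, not code from this PR or from the eks-anywhere-addons repository; the `IMAGE` variable and the `check.sh` file name are assumptions, and it assumes `docker` and `kubectl` point at the image and the cluster under test.

```shell
#!/bin/sh
# Added example (not from the eks-anywhere-addons repo): pre-push check that a
# test image's architecture matches the cluster nodes, so an "exec format error"
# is caught on the build host instead of in the Job. IMAGE is a placeholder.

# uname(1) and Kubernetes report x86_64/aarch64 or amd64/arm64 depending on the
# source; fold both spellings onto the names used in OCI manifests (amd64, arm64).
normalize_arch() {
    case "$1" in
        x86_64|amd64)  echo amd64 ;;
        aarch64|arm64) echo arm64 ;;
        *)             echo "$1" ;;
    esac
}

# Returns 0 when an image of architecture $1 can run on a node of architecture $2.
image_arch_ok() {
    [ "$(normalize_arch "$1")" = "$(normalize_arch "$2")" ]
}

# Compare the locally built image against every node architecture in the current
# cluster context. Returns 2 if docker/kubectl fail, 1 on any mismatch, 0 when all
# node architectures can run the image.
check_image_for_cluster() {
    image="$1"
    image_arch=$(docker image inspect --format '{{.Architecture}}' "$image") || return 2
    node_archs=$(kubectl get nodes -o jsonpath='{.items[*].status.nodeInfo.architecture}') || return 2
    rc=0
    for n in $node_archs; do
        if image_arch_ok "$image_arch" "$n"; then
            echo "ok: $image ($image_arch) runs on $n nodes"
        else
            echo "MISMATCH: $image is $image_arch but the cluster has $n nodes" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: IMAGE=docker.io/example/vault-tester:latest sh check.sh
# To sidestep the mismatch entirely, publish a multi-arch manifest instead:
#   docker buildx build --platform linux/amd64,linux/arm64 -t "$IMAGE" --push .
if [ -n "${IMAGE:-}" ] && command -v docker >/dev/null 2>&1 && command -v kubectl >/dev/null 2>&1; then
    check_image_for_cluster "$IMAGE"
fi
```

Note that `docker image inspect` only reports the platform that was pulled or built locally; for a multi-arch image, `docker buildx imagetools inspect IMAGE` lists every platform the manifest carries, which is the thing to verify once the image is built with `--platform linux/amd64,linux/arm64`.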

gautambaghel commented 1 year ago

Done, try now; since the ImagePullPolicy is Always it should just work if you try again.

elamaran11 commented 1 year ago

@gautambaghel The test works fine for me. I can see the secrets are getting created and read. @shapirov103 Please check if you are good from your end.

❯ k logs test-vault-kv-r2dn7 -n vault
waiting
Success! Enabled the kv secrets engine at: kv/
== Secret Path ==
kv/data/my-secret

======= Metadata =======
Key                Value
---                -----
created_time       2023-02-09T21:18:35.195920253Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1
Vault KV engine works!

shapirov103 commented 1 year ago

@gautambaghel The job succeeds but my output was this:

test-vault-kv-v94xd waiting
test-vault-kv-v94xd Error enabling: Error making API request.
test-vault-kv-v94xd
test-vault-kv-v94xd URL: POST http://vault-vault:8200/v1/sys/mounts/kv
test-vault-kv-v94xd Code: 400. Errors:
test-vault-kv-v94xd
test-vault-kv-v94xd * path is already in use at kv/
test-vault-kv-v94xd == Secret Path ==
test-vault-kv-v94xd kv/data/my-secret
test-vault-kv-v94xd
test-vault-kv-v94xd ======= Metadata =======
test-vault-kv-v94xd Key                Value
test-vault-kv-v94xd ---                -----
test-vault-kv-v94xd created_time       2023-02-09T22:00:33.478551446Z
test-vault-kv-v94xd custom_metadata    <nil>
test-vault-kv-v94xd deletion_time      n/a
test-vault-kv-v94xd destroyed          false
test-vault-kv-v94xd version            1
test-vault-kv-v94xd Vault KV engine works!

The end message states it works. Confirming if this is expected.

gautambaghel commented 1 year ago

@shapirov103 - Yeah Mikhail, that’s expected if the engine is already active, I could write an if stmt to do a safety check but it’s not a huge issue.

TL;DR it’s fine, pls go ahead.
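
The safety check mentioned above, and the "path is already in use at kv/" error from the earlier log, as an added example that is not the job script from this PR: an idempotent version of the KV smoke test that lists the existing mounts before enabling the engine, and fails the Job (non-zero exit) when the value read back differs from the value written, so a green log line cannot hide a broken engine. `KV_MOUNT`, the `probe` key and the `VAULT_ADDR`/`VAULT_TOKEN` environment are assumptions; `kv` and `my-secret` are the names from the thread.

```shell
#!/bin/sh
# Added example (not the job script from this PR): idempotent Vault KV v2 smoke test.
# Assumes VAULT_ADDR and VAULT_TOKEN are set in the Job's environment and that the
# vault CLI is in the image. KV_MOUNT and the "probe" key are placeholders.
set -eu

MOUNT="${KV_MOUNT:-kv}"
SECRET_PATH="${MOUNT}/my-secret"

# Decide from the output of `vault secrets list` (read on stdin) whether $1 is
# already mounted. The first column of the table is the mount path with a trailing
# slash, e.g. "kv/". Reading stdin keeps the decision testable on a constructed listing.
mount_present() {
    awk -v want="$1/" '$1 == want { found = 1 } END { exit !found }'
}

# Enable the KV v2 engine only when the mount is missing; re-running the Job
# against a cluster where a previous run already enabled it is then a no-op.
ensure_kv_mount() {
    if vault secrets list | mount_present "$MOUNT"; then
        echo "mount ${MOUNT}/ already enabled, skipping enable"
    else
        vault secrets enable -path="$MOUNT" -version=2 kv
    fi
}

# The pass/fail decision: what was written must equal what Vault hands back.
roundtrip_ok() {
    [ "$1" = "$2" ]
}

run_kv_test() {
    ensure_kv_mount
    expected="probe-$(date +%s)"
    vault kv put "$SECRET_PATH" probe="$expected" >/dev/null
    got=$(vault kv get -field=probe "$SECRET_PATH")
    if roundtrip_ok "$expected" "$got"; then
        echo "Vault KV engine works! (${SECRET_PATH}: wrote and read back '${expected}')"
    else
        echo "FAIL: wrote '${expected}' to ${SECRET_PATH} but read back '${got}'" >&2
        return 1
    fi
}

# Only talk to Vault when the CLI is present (inside the Job container it is);
# the functions above stay usable on their own otherwise.
if command -v vault >/dev/null 2>&1; then
    run_kv_test
fi
```

Because `set -e` is in effect and `run_kv_test` returns 1 on a mismatch, the container exits non-zero and the Job is marked failed, which is what a test job on a shared cluster should do instead of printing a success banner after an API error.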