Add acceptance tests (#48)

* initial import

* fix to namespaces endpoint

* default to no filters on workloads

* call initialize correctly on retry

* add reducer for cluster.namespaces

* request namespaces list on login

* add additional empty list image

* serve up /swagger.json to any/everyone

* refactor row actions popup

* fetch namespaces and swagger at startup

* fetch ns and swagger at start; fallback to ns-level requests

* add cleanup methods to do gc on logout

* consolidate permissions checks in AccessEvaluator

* allow for multiple watches per kind

* init session with accessEvaluator

* fallback to ns-level fetch

* init with access evaluator

* return swagger from fetch swagger

* proxy namespaces as well

* update to correct apiVersion

* add access to fetch swagger.json

* code cleanup

* add read-only user for tests

* add readOnly mode for editor

* breakout resource actions into menu

* add row action menu

* remove stray brace

* remove editor title from info pages; decide it in the editor

* include get permissions

* code cleanup

* clear latest error after it has been displayed

* remove unused 'resource' actions

* remember retries for individual sockets

* adjust mode names

* make empty list page work for nodes tab

* code cleanup

* use golang reverseproxy

* updates for basic acceptance tests

* try to run acceptance tests in build

* space out

* cleanup dependencies

* need sudo

* try with kvm

* add to the libvirtd group

* debug libvirtd...

* try double sudo -g trick...

* try agian

* add more debugging commands

* try with minikube driver 'none'

* sort the login links

* include login method ids

* need to start localkube with sudo

* apply sudo to the entire kube process to use consistent kubeconfig

* need to wait for minikube to be available

* use a consistent base64 decode

* no minikube ssh for localkube

* derp [[ => [

* try again :/

* use correct environment vars

* wait for kuill to be available

* reduce verbosity

* complete read-only spec

* now with moar specific css selectors

* only run acceptance locally for now :/

.gitignore

@@ -10,4 +10,5 @@ node_modules/
 /pkg/ui/src/**/*.css
 Dockerfile.test
 /pkg/server/ui.go
-certs/
+certs/
+/pkg/ui/cypress/videos/

.travis.yml

@@ -1,3 +1,4 @@
+sudo: required
 language: go
 services:
 - docker
@@ -9,29 +10,41 @@ addons:
   apt:
     packages:
     - upx-ucl
+    - openssl
+    - procps
+    - jq
+
 cache:
   directories:
-    - "/pkg/ui/node_modules"
+  - "/pkg/ui/node_modules"
+
 before_install:
-  - npm i -g [email protected]
+- npm i -g [email protected]
+
 install:
 - go get github.com/golang/dep/cmd/dep
 - dep ensure
+- hack/travis/setup.sh
+
 script:
 - make release
 - upx bin/kuill
+# - MINIKUBE_OPTIONS="--vm-driver none" MINIKUBE_SUDO="sudo" make acceptance
 - make docker
+
 after_deploy:
 - make docker VERSION=$TRAVIS_TAG
 - docker login -u $DOCKER_USER -p $DOCKER_PASS
 - export REPO=mattdeboer/kuill
 - docker push $REPO:$TRAVIS_TAG
 - docker tag $REPO:$TRAVIS_TAG $REPO:latest
 - docker push $REPO:latest
+
 env:
   global:
   - secure: PfV2T/Vu6ic3e4YPFtLIw1DWhQOsZelwwk5e5kN9ngQ3os2o66N2S9VBliuy4dS6sHC+ArYDSEqBwUi2pjlZXomavjgs2QzUeflhr6LNk8mXXR6cIhs71pKJ/uI2eHU8rFgut9FaDowEz2kxdpXKTRchUAjNe7FwF8PCJohZ53GwJyN4Q8QzhcdT2+L7ypWtifCL8ni4RuZylMiSk7DEAIB78ruDhzxwVtoTrvUjlTWjku8zN6xhNT6SFv5aV6FzwXX+A0V7wap8eUTeSgXFXg5MpjZktut7pJ3O1n7bNcvkawrP4btxwLSyMiEi4xo0rOZbmVCScVuaLRlSAQfqbKbntLedJAV7lRqsJFmR8STqpQFDpIbW1uQynAkolcESomTP8dEirIx8PNqgJju7JHDY3HXOMsCywSe4ErxhRb3EmlKnO62X79vLHKI4IrsWjdz6Mtzq8f4P1cqtcDECei90DyYp5O4zva5cTdlkqdYBc1ZFmn0QIEif5fSMMnhf+FT8z6cc4MeqiexZN2KPO9autXWwz2JTEraRnCiZBvOjeVeqejUvK5lKiRutIiNNHsXcXAaI8H/JUfSZW/NJe5ybkOePBOUO00TEVltV9Jrulmqq2UlL3Oz7grsOMliquT5bp2CAuSXnXwU41xWZVaz77Ir+1uuPbkpoliecCf8=
   - secure: JOeNFbN4OCQ1nBGVqmjHWYfDmnlaEQsSBMYuMoZ71jEBYyP1TZALJsv+k0pd263EGS2TshQ7ODSWDfM/Zl3CaEO1sUDhn/hvytd3WoiXz4v/wy/QbfZdRejk0XjNxbU4mAwsRfGv1Z4Mo1Jd1StLEIP7c8PAh5wpDiusW3vwaAnsy5+riz1pxU546RgkJvsoXInp/4EMIDB8QZQ4igIslBlRwwv4Sn4YcIE4khJNl73DgM4r8sxupdfQiProYlRe0zcJRkqVUckHibmUQUiM7YHavqJiKPANzWaM+JQnGCohZmnS6ED1IzYJIGU9STvtgUo2GVOpdlvJNSXqma1+M/noXhFru+bmdc0G8Tqd3sTpCMouD+0iWIRN6mB6LRNy9Rzf5nWqhisv2NU6DGjZNe9V/jQSBX7ZSwOj11aXv8yQLqG7NZw8ioB9jnjxOGZqujoyqrgF+3q2O3F9GyNHtQofXivnp5PLOQ1teUvGjKh2U6DpjEAb1f7kCQh+9//PcuGFOSSEnAsC0/SvkW8gFpQI7x6e0m4jOsV8ZlYOm6aa9K5K3jpH3pB7Mq4gWeyVcKoSog7k2DE5EZ+rI7LLhuv2KQSAdA2caAh6av1AFbFjC6VCqXwYP5mwKAEJq8pEWGlrhsF1P/Nya9LTUXT4cX4naY9154lH0RvWFHrOX0Q=
+
 deploy:
   provider: releases
   skip_cleanup: true

Makefile

@@ -23,8 +23,6 @@ pkg/ui/build:
 
 release-ui: pkg/ui/build
 	@go get github.com/jteeuwen/go-bindata/...
-	# @go get github.com/elazarl/go-bindata-assetfs/...
-
 	go-bindata -o pkg/server/ui.go -prefix "pkg/ui/build" pkg/ui/build/...
 
 release: clean release-ui
@@ -60,6 +58,12 @@ dev-ui: | pkg/ui/node_modules pkg/ui/test-proxy/node_modules
 minidev: build pkg/ui/node_modules
 	hack/minikube-dev.sh
 
+acceptance:
+	hack/acceptance-tests.sh
+
+acceptance-dev:
+	cd pkg/ui && CYPRESS_baseUrl=http://localhost:3000 npm run cypress:open
+
 start-ui: | pkg/ui/node_modules pkg/ui/test-proxy/node_modules 
 	cd pkg/ui && npm start
 

hack/acceptance-tests.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+KUILL_PORT=8889
+SCRIPT_DIR=$(cd $(dirname $0) && pwd)
+MINIKUBE_SUDO=${MINIKUBE_SUDO:-}
+
+# launch a new minikube environment
+CI=true KUILL_PORT=${KUILL_PORT} ${MINIKUBE_SUDO} ${SCRIPT_DIR}/minikube-dev.sh &
+
+# Save the PID of the server to a variable
+KUILL_PID=$!
+echo "KUILL pid: ${KUILL_PID}"
+
+echo "Waiting for minikube context..."
+while [ "$(${MINIKUBE_SUDO} kubectl config current-context)" != "minikube" ]; do sleep 2; done
+
+apiserver=$(${MINIKUBE_SUDO} kubectl config view --flatten --minify -o json | jq -r '.clusters[0].cluster.server')
+echo "Waiting for minikube to be available at ${apiserver}..."
+while ! curl -skL --fail "${apiserver}/healthz"; do sleep 2; done
+
+${MINIKUBE_SUDO} kubectl --context minikube apply -f ${SCRIPT_DIR}/aceptance-tests/manifests/
+
+export KUILL_URL="https://localhost:${KUILL_PORT}"
+echo "Waiting for kuill to be available at ${KUILL_URL}..."
+while ! curl -skL --fail "${KUILL_URL}/"; do sleep 2; done
+
+# Execute tests
+pushd ${SCRIPT_DIR}/../pkg/ui > /dev/null
+CYPRESS_baseUrl="${KUILL_URL}" npm run cypress:run
+TEST_RESULTS=$?
+popd > /dev/null
+
+# Kill the server
+kill $KUILL_PID
+kill $(pgrep kuill)
+
+exit $TEST_RESULTS

hack/acceptance-tests/manifests/app-group-3.yml

@@ -0,0 +1,21 @@
+kind: List
+apiVersion: v1
+items:
+
+- kind: Namespace
+  apiVersion: v1
+  metadata:
+    name: app-group-3
+
+- kind: ResourceQuota
+  apiVersion: v1
+  metadata:
+    name: compute-resources
+    namespace: app-group-3
+  spec:
+    hard:
+      pods: "5"
+      requests.cpu: "0.6"
+      requests.memory: 250Mi
+      limits.cpu: "0.7"
+      limits.memory: 350Mi

hack/acceptance-tests/manifests/nsadmin.yml

@@ -0,0 +1,30 @@
+kind: List
+apiVersion: v1
+items:
+- kind: RoleBinding
+  apiVersion: rbac.authorization.k8s.io/v1beta1
+  metadata:
+    name: kube-system-admin
+    namespace: kube-system
+  subjects:
+    - kind: User
+      name: nsadmin
+
+  roleRef:
+    kind: ClusterRole
+    name: cluster-admin
+    apiGroup: "rbac.authorization.k8s.io"
+
+- kind: RoleBinding
+  apiVersion: rbac.authorization.k8s.io/v1beta1
+  metadata:
+    name: app-group-1-admin
+    namespace: app-group-1
+  subjects:
+    - kind: User
+      name: nsadmin
+
+  roleRef:
+    kind: ClusterRole
+    name: cluster-admin
+    apiGroup: "rbac.authorization.k8s.io"

hack/acceptance-tests/manifests/reader.yml

@@ -0,0 +1,17 @@
+kind: List
+apiVersion: v1
+items:
+- kind: ClusterRoleBinding
+  apiVersion: rbac.authorization.k8s.io/v1beta1
+  metadata:
+    name: cluster-reader
+    namespace: kube-system
+  subjects:
+    - kind: User
+      name: reader
+
+  roleRef:
+    kind: ClusterRole
+    name: view
+    apiGroup: "rbac.authorization.k8s.io"
+

hack/deploy/kuill-minikube.yml

@@ -14,9 +14,26 @@ items:
     name: kuill-serviceaccount
     namespace: kube-system
   rules:
+  # ability to list namespaces is required in order
+  # to drive self-subject-access-reviews for users
+  # who are not authorized to all namespaces
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["list"]
+  # the following permissions are used to provide
+  # metrics details (requested from the master 
+  # via nodes/proxy -> status)
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: [list"]
   - apiGroups: [""]
     resources: ["nodes"]
-    verbs: ["get", "list", "watch"]
+    verbs: ["proxy"]
+  - apiGroups: [""]
+    resources: ["nodes/proxy"]
+    verbs: ["*"]
+  - nonResourceUrls: ["/swagger.json"]
+    verbs: ["get"]
 
 - kind: RoleBinding
   apiVersion: rbac.authorization.k8s.io/v1alpha1
@@ -26,11 +43,28 @@ items:
   subjects:
     - kind: ServiceAccount
       name: kuill
+    - kind: User
+      name: auth-proxy
   roleRef:
     kind: Role
     name: kuill-serviceaccount
     apiGroup: "rbac.authorization.k8s.io"
 
+- kind: RoleBinding
+  apiVersion: rbac.authorization.k8s.io/v1alpha1
+  metadata:
+    name: kuill-discovery
+    namespace: kube-system
+  subjects:
+    - kind: ServiceAccount
+      name: kuill
+    - kind: User
+      name: auth-proxy
+  roleRef:
+    kind: ClusterRole
+    name: system:discovery
+    apiGroup: "rbac.authorization.k8s.io"
+
 - kind: Deployment
   apiVersion: extensions/v1beta1
   metadata:

hack/get-certs.sh

@@ -1,5 +1,11 @@
 #!/bin/bash
+
+base64Decode="base64 -d"
+if [ "$(uname -s)" == "Darwin" ]; then
+  base64Decode="base64 -D"
+fi
+
 mkdir -p ./certs
-kubectl get secret -n kube-system auth-proxy-certs -o json | jq -r '.data."auth-proxy.pem"' | base64 -D > ./certs/server-cert.pem
-kubectl get secret -n kube-system auth-proxy-certs -o json | jq -r '.data."auth-proxy-key.pem"' | base64 -D > ./certs/server-key.pem
-kubectl get secret -n kube-system auth-proxy-certs -o json | jq -r '.data."ca.pem"' | base64 -D > ./certs/ca.pem
+kubectl get secret -n kube-system auth-proxy-certs -o json | jq -r '.data."auth-proxy.pem"' | $base64Decode > ./certs/server-cert.pem
+kubectl get secret -n kube-system auth-proxy-certs -o json | jq -r '.data."auth-proxy-key.pem"' | $base64Decode > ./certs/server-key.pem
+kubectl get secret -n kube-system auth-proxy-certs -o json | jq -r '.data."ca.pem"' | $base64Decode > ./certs/ca.pem

hack/minikube-dev.sh

@@ -1,30 +1,36 @@
 #!/bin/sh
 set -e
 
+KUILL_PORT=${KUILL_PORT:-8888}
+KUILL_FRONTEND_PORT=${KUILL_FRONTEND_PORT:-3000}
 SCRIPT_DIR=$(cd $(dirname $0) && pwd)
 ROOT=$(cd ${SCRIPT_DIR}/.. && pwd)
 # starts up kuill locally, pointed at the apiserver from minikube
 
 status=$(minikube status)
 
 if [ -z "$(echo $status | grep 'minikube: Running')" ]; then
+  echo "Launching minikube cluster..."
   ${SCRIPT_DIR}/test-drive-minikube.sh nodeploy
 fi
 
 kubectl config use-context minikube
 apiserver=$(kubectl config view --flatten --minify -o json | jq -r '.clusters[0].cluster.server')
+echo "Kube apiserver is at ${apiserver}"
 
-
+echo "Pulling certificates for use by kuill..."
 ${SCRIPT_DIR}/get-certs.sh
 
-make -s -C ${ROOT} start-ui &
+if [ "${CI}" != "true" ]; then
+  PORT=${KUILL_FRONTEND_PORT} make -s -C ${ROOT} start-ui &
+fi
 
+echo "Launching kuill..."
 ${ROOT}/bin/kuill \
-  --port 8888 \
-  --verbose --trace-requests \
+  --port ${KUILL_PORT} \
   --server-cert ${ROOT}/certs/server-cert.pem \
   --server-key ${ROOT}/certs/server-key.pem \
-  --password-file ./hack/test-users.tsv \
+  --password-file hack/test-users.tsv \
   --kubernetes-client-ca ${ROOT}/certs/ca.pem \
   --kubernetes-client-cert ${ROOT}/certs/server-cert.pem \
   --kubernetes-client-key ${ROOT}/certs/server-key.pem \

hack/test-drive-minikube.sh

@@ -1,6 +1,8 @@
 #!/bin/sh
+MINIKUBE_OPTIONS=${MINIKUBE_OPTIONS:-}
 
-minikube start \
+echo "Starting minikube..."
+minikube start ${MINIKUBE_OPTIONS} \
   --kubernetes-version v1.7.5 \
   --extra-config apiserver.Authorization.Mode=RBAC \
   --extra-config apiserver.Authentication.RequestHeader.AllowedNames=auth-proxy \
@@ -10,18 +12,32 @@ minikube start \
   --extra-config apiserver.Authentication.RequestHeader.ExtraHeaderPrefixes=X-Remote-Extra-
 
 
+echo "Waiting for minikube apiserver..."
 apiserver=$(kubectl config view --flatten --minify -o json | jq -r '.clusters[0].cluster.server')
-while ! curl -skL --fail "${apiserver}/apis"; do sleep 2; done
+while ! curl -skL --fail "${apiserver}/healthz"; do sleep 2; done
 
+echo "Creating cluster role binding for kube-system serviceaccount"
 kubectl create clusterrolebinding kube-system-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default
 
 
 mkdir -p ~/.minikube/certs/auth-proxy && rm -rf ~/.minikube/certs/auth-proxy/*
 
-while ! minikube ssh 'true'; do sleep 5; done
-minikube ssh 'sudo cat /var/lib/localkube/certs/ca.key' > ~/.minikube/certs/auth-proxy/ca.key
-minikube ssh 'sudo cat /var/lib/localkube/certs/ca.crt' > ~/.minikube/certs/auth-proxy/ca.crt
+if [ -e /var/lib/localkube/certs/ca.key ]; then
+  echo "Copying minikube certs from localkube certs..."
+  sudo cat /var/lib/localkube/certs/ca.key > ~/.minikube/certs/auth-proxy/ca.key
+  sudo cat /var/lib/localkube/certs/ca.crt > ~/.minikube/certs/auth-proxy/ca.crt
+else
+  echo "Copying minikube certs from vm..."
+  while ! minikube ssh 'true'; do sleep 5; done
+  minikube ssh 'sudo cat /var/lib/localkube/certs/ca.key' > ~/.minikube/certs/auth-proxy/ca.key
+  minikube ssh 'sudo cat /var/lib/localkube/certs/ca.crt' > ~/.minikube/certs/auth-proxy/ca.crt
+fi
 
+echo "Certs in ~/.minikube/certs/auth-proxy/ :"
+ls -la ~/.minikube/certs/auth-proxy/
+
+
+echo "Generating auth proxy certs..."
 docker run --rm \
   -v ~/.minikube/certs/auth-proxy:/certs/auth-proxy \
   -w /certs/auth-proxy --entrypoint sh cfssl/cfssl \
@@ -30,7 +46,7 @@ docker run --rm \
     cfssl gencert -ca /certs/auth-proxy/ca.crt -ca-key /certs/auth-proxy/ca.key -config /ca-config.json - | \
     cfssljson -bare auth-proxy - && rm -f auth-proxy.csr && rm -f ca.key && mv ca.crt ca.pem'
 
-
+echo "Creating kube secret for auth proxy certs..."
 kubectl --context minikube create secret generic auth-proxy-certs \
   --from-file  ~/.minikube/certs/auth-proxy -n kube-system
 

hack/test-users.tsv

@@ -1,3 +1,5 @@
 admin	password	system:masters
 guest	guest	system:authenticated
-toad	toad	system:nodes
+toad	toad	system:nodes
+nsadmin	nsadmin	system:authenticated
+reader	reader	

hack/travis/setup.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# install kubectl
+curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.7.5/bin/linux/amd64/kubectl
+chmod +x kubectl && sudo mv kubectl /usr/local/bin/
+
+# install minikube
+curl -Lo minikube https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
+chmod +x minikube && sudo mv minikube /usr/local/bin/
+
+# install docker-machine-driver-kvm
+# curl -Lo docker-machine-driver-kvm https://github.com/dhiltgen/docker-machine-kvm/releases/download/v0.10.0/docker-machine-driver-kvm-ubuntu14.04
+# chmod +x docker-machine-driver-kvm && sudo mv docker-machine-driver-kvm /usr/local/bin/
+
+# add current user to the libvirtd group
+# sudo usermod -a -G libvirtd $(whoami)
+
+# trigger udevadm to make kvm available ?
+# sudo udevadm trigger