Also validate we can share some secrets between services but not all secrets, without leaking secrets.

Signed-off-by: Guillaume Tardif <guillaume.tardif@docker.com>
2025-04-08 17:05:13 +02:00 · 2020-11-03 14:17:55 +01:00 · 2020-11-03 14:17:55 +01:00 · ba0d2907ed
commit ba0d2907ed
parent a26e1bd1a5
4 changed files with 56 additions and 30 deletions
--- a/tests/aci-e2e/e2e-aci_test.go
+++ b/tests/aci-e2e/e2e-aci_test.go
@ -517,8 +517,8 @@ func overwriteFileStorageAccount(t *testing.T, absComposefileName string, storag
 func TestUpSecretsResources(t *testing.T) {
 	const (
 		composeProjectName = "aci_test"
-		serverContainer    = composeProjectName + "_web"
-		secondContainer    = composeProjectName + "_web2"
+		web1               = composeProjectName + "_web1"
+		web2               = composeProjectName + "_web2"

 		secret1Name  = "mytarget1"
 		secret1Value = "myPassword1\n"
@ -537,16 +537,8 @@ func TestUpSecretsResources(t *testing.T) {
 		c.RunDockerCmd("compose", "up", "-f", composefilePath, "--project-name", composeProjectName)
 		res := c.RunDockerCmd("ps")
 		out := lines(res.Stdout())
-		// Check one container running
+		// Check 2 containers running
 		assert.Assert(t, is.Len(out, 3))
-		webRunning := false
-		for _, l := range out {
-			if strings.Contains(l, serverContainer) {
-				webRunning = true
-				strings.Contains(l, ":80->80/tcp")
-			}
-		}
-		assert.Assert(t, webRunning, "web container not running ; ps:\n"+res.Stdout())
 	})

 	t.Cleanup(func() {
@ -556,13 +548,16 @@ func TestUpSecretsResources(t *testing.T) {
 		assert.Equal(t, len(out), 1)
 	})

-	res := c.RunDockerCmd("inspect", serverContainer)
-	webInspect, err := ParseContainerInspect(res.Stdout())
+	res := c.RunDockerCmd("inspect", web1)
+	web1Inspect, err := ParseContainerInspect(res.Stdout())
+	assert.NilError(t, err)
+	res = c.RunDockerCmd("inspect", web2)
+	web2Inspect, err := ParseContainerInspect(res.Stdout())
 	assert.NilError(t, err)

-	t.Run("read secrets", func(t *testing.T) {
-		assert.Assert(t, is.Len(webInspect.Ports, 1))
-		endpoint := fmt.Sprintf("http://%s:%d", webInspect.Ports[0].HostIP, webInspect.Ports[0].HostPort)
+	t.Run("read secrets in service 1", func(t *testing.T) {
+		assert.Assert(t, is.Len(web1Inspect.Ports, 1))
+		endpoint := fmt.Sprintf("http://%s:%d", web1Inspect.Ports[0].HostIP, web1Inspect.Ports[0].HostPort)

 		output := HTTPGetWithRetry(t, endpoint+"/"+secret1Name, http.StatusOK, 2*time.Second, 20*time.Second)
 		// replace windows carriage return
@ -574,16 +569,23 @@ func TestUpSecretsResources(t *testing.T) {
 		assert.Equal(t, output, secret2Value)
 	})

-	t.Run("check resource limits", func(t *testing.T) {
-		assert.Equal(t, webInspect.HostConfig.CPULimit, 0.7)
-		assert.Equal(t, webInspect.HostConfig.MemoryLimit, uint64(1073741824))
-		assert.Equal(t, webInspect.HostConfig.CPUReservation, 0.5)
-		assert.Equal(t, webInspect.HostConfig.MemoryReservation, uint64(536870912))
+	t.Run("read secrets in service 2", func(t *testing.T) {
+		assert.Assert(t, is.Len(web2Inspect.Ports, 1))
+		endpoint := fmt.Sprintf("http://%s:%d", web2Inspect.Ports[0].HostIP, web2Inspect.Ports[0].HostPort)
+
+		output := HTTPGetWithRetry(t, endpoint+"/"+secret2Name, http.StatusOK, 2*time.Second, 20*time.Second)
+		output = strings.ReplaceAll(output, "\r", "")
+		assert.Equal(t, output, secret2Value)
+
+		HTTPGetWithRetry(t, endpoint+"/"+secret1Name, http.StatusNotFound, 2*time.Second, 20*time.Second)
+	})
+
+	t.Run("check resource limits", func(t *testing.T) {
+		assert.Equal(t, web1Inspect.HostConfig.CPULimit, 0.7)
+		assert.Equal(t, web1Inspect.HostConfig.MemoryLimit, uint64(1073741824))
+		assert.Equal(t, web1Inspect.HostConfig.CPUReservation, 0.5)
+		assert.Equal(t, web1Inspect.HostConfig.MemoryReservation, uint64(536870912))

-		res = c.RunDockerCmd("inspect", secondContainer)
-		web2Inspect, err := ParseContainerInspect(res.Stdout())
-		assert.NilError(t, err)
-		assert.NilError(t, err)
 		assert.Equal(t, web2Inspect.HostConfig.CPULimit, 0.5)
 		assert.Equal(t, web2Inspect.HostConfig.MemoryLimit, uint64(751619276))
 		assert.Equal(t, web2Inspect.HostConfig.CPUReservation, 0.5)
--- a/tests/composefiles/aci_secrets_resources/compose.yml
+++ b/tests/composefiles/aci_secrets_resources/compose.yml
@ -1,7 +1,7 @@
 services:
-  web:
-    build: .
-    image: ulyssessouza/secrets_server
+  web1:
+    build: ./web1
+    image: dockereng/e2e_test_secret_server1
    ports:
      - "80:80"
    secrets:
@ -18,13 +18,17 @@ services:
          memory: 0.5G

  web2:
-    build: .
-    image:  gtardif/sentences-api
+    build: ./web2
+    image:  dockereng/e2e_test_secret_server2
+    ports:
+      - "8080:8080"
    deploy:
      resources:
        reservations:
          cpus: '0.5'
          memory: 0.7G
+    secrets:
+      - mysecret2

 secrets:
  mysecret1:
--- a/tests/composefiles/aci_secrets_resources/web1/Dockerfile
+++ b/tests/composefiles/aci_secrets_resources/web1/Dockerfile
--- a/tests/composefiles/aci_secrets_resources/web2/Dockerfile
+++ b/tests/composefiles/aci_secrets_resources/web2/Dockerfile
@ -0,0 +1,20 @@
+#   Copyright 2020 Docker Compose CLI authors
+
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+
+#       http://www.apache.org/licenses/LICENSE-2.0
+
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+
+FROM python:3.8
+WORKDIR /run/secrets
+
+EXPOSE 8080
+ENTRYPOINT ["python"]
+CMD ["-m", "http.server", "8080"]