From a26e1bd1a5e25e5bc266f6fdfdbae2ea97017b90 Mon Sep 17 00:00:00 2001 From: Guillaume Tardif Date: Tue, 3 Nov 2020 12:04:33 +0100 Subject: [PATCH 1/2] Regroup secret and resource ACI E2E test, and deploy a single compose file, to gain ~1 min test exec time Signed-off-by: Guillaume Tardif --- tests/aci-e2e/e2e-aci_test.go | 82 ++++++++----------- tests/composefiles/aci_secrets/compose.yml | 16 ---- .../Dockerfile | 0 .../compose.yml} | 33 +++++--- .../my_secret1.txt | 0 .../my_secret2.txt | 0 6 files changed, 55 insertions(+), 76 deletions(-) delete mode 100644 tests/composefiles/aci_secrets/compose.yml rename tests/composefiles/{aci_secrets => aci_secrets_resources}/Dockerfile (100%) rename tests/composefiles/{aci-demo/aci_demo_port_resources.yaml => aci_secrets_resources/compose.yml} (51%) rename tests/composefiles/{aci_secrets => aci_secrets_resources}/my_secret1.txt (100%) rename tests/composefiles/{aci_secrets => aci_secrets_resources}/my_secret2.txt (100%) diff --git a/tests/aci-e2e/e2e-aci_test.go b/tests/aci-e2e/e2e-aci_test.go index 1c580c818..f439d8909 100644 --- a/tests/aci-e2e/e2e-aci_test.go +++ b/tests/aci-e2e/e2e-aci_test.go 
@@ -514,43 +514,11 @@ func overwriteFileStorageAccount(t *testing.T, absComposefileName string, storag assert.NilError(t, err) } -func TestUpResources(t *testing.T) { +func TestUpSecretsResources(t *testing.T) { const ( - composeProjectName = "testresources" - serverContainer = composeProjectName + "_web" - wordsContainer = composeProjectName + "_words" - ) - - c := NewParallelE2eCLI(t, binDir) - setupTestResourceGroup(t, c) - - t.Run("compose up", func(t *testing.T) { - c.RunDockerCmd("compose", "up", "-f", "../composefiles/aci-demo/aci_demo_port_resources.yaml", "--project-name", composeProjectName) - - res := c.RunDockerCmd("inspect", serverContainer) - - webInspect, err := ParseContainerInspect(res.Stdout()) - assert.NilError(t, err) - assert.Equal(t, webInspect.HostConfig.CPULimit, 0.7) - assert.Equal(t, webInspect.HostConfig.MemoryLimit, uint64(1073741824)) - assert.Equal(t, webInspect.HostConfig.CPUReservation, 0.5) - assert.Equal(t, webInspect.HostConfig.MemoryReservation, uint64(536870912)) - - res = c.RunDockerCmd("inspect", wordsContainer) - - wordsInspect, err := ParseContainerInspect(res.Stdout()) - assert.NilError(t, err) - assert.Equal(t, wordsInspect.HostConfig.CPULimit, 0.5) - assert.Equal(t, wordsInspect.HostConfig.MemoryLimit, uint64(751619276)) - assert.Equal(t, wordsInspect.HostConfig.CPUReservation, 0.5) - assert.Equal(t, wordsInspect.HostConfig.MemoryReservation, uint64(751619276)) - }) -} - -func TestUpSecrets(t *testing.T) { - const ( - composeProjectName = "aci_secrets" + composeProjectName = "aci_test" serverContainer = composeProjectName + "_web" + secondContainer = composeProjectName + "_web2" secret1Name = "mytarget1" secret1Value = "myPassword1\n" 
@@ -559,7 +527,7 @@ func TestUpSecrets(t *testing.T) { secret2Value = "another_password\n" ) var ( - basefilePath = filepath.Join("..", "composefiles", composeProjectName) + basefilePath = filepath.Join("..", "composefiles", "aci_secrets_resources") composefilePath = filepath.Join(basefilePath, "compose.yml") ) c := NewParallelE2eCLI(t, binDir) @@ -570,7 +538,7 @@ func TestUpSecrets(t *testing.T) { res := c.RunDockerCmd("ps") out := lines(res.Stdout()) // Check one container running - assert.Assert(t, is.Len(out, 2)) + assert.Assert(t, is.Len(out, 3)) webRunning := false for _, l := range out { if strings.Contains(l, serverContainer) { @@ -579,13 +547,22 @@ func TestUpSecrets(t *testing.T) { } } assert.Assert(t, webRunning, "web container not running ; ps:\n"+res.Stdout()) + }) - res = c.RunDockerCmd("inspect", serverContainer) + t.Cleanup(func() { + c.RunDockerCmd("compose", "down", "--project-name", composeProjectName) + res := c.RunDockerCmd("ps") + out := lines(res.Stdout()) + assert.Equal(t, len(out), 1) + }) - containerInspect, err := ParseContainerInspect(res.Stdout()) - assert.NilError(t, err) - assert.Assert(t, is.Len(containerInspect.Ports, 1)) - endpoint := fmt.Sprintf("http://%s:%d", containerInspect.Ports[0].HostIP, containerInspect.Ports[0].HostPort) + res := c.RunDockerCmd("inspect", serverContainer) + webInspect, err := ParseContainerInspect(res.Stdout()) + assert.NilError(t, err) + + t.Run("read secrets", func(t *testing.T) { + assert.Assert(t, is.Len(webInspect.Ports, 1)) + endpoint := fmt.Sprintf("http://%s:%d", webInspect.Ports[0].HostIP, webInspect.Ports[0].HostPort) output := HTTPGetWithRetry(t, endpoint+"/"+secret1Name, http.StatusOK, 2*time.Second, 20*time.Second) // replace windows carriage return 
@@ -595,13 +572,22 @@ func TestUpSecrets(t *testing.T) { output = HTTPGetWithRetry(t, endpoint+"/"+secret2Name, http.StatusOK, 2*time.Second, 20*time.Second) output = strings.ReplaceAll(output, "\r", "") assert.Equal(t, output, secret2Value) + }) - t.Cleanup(func() { - c.RunDockerCmd("compose", "down", "--project-name", composeProjectName) - res := c.RunDockerCmd("ps") - out := lines(res.Stdout()) - assert.Equal(t, len(out), 1) - }) + t.Run("check resource limits", func(t *testing.T) { + assert.Equal(t, webInspect.HostConfig.CPULimit, 0.7) + assert.Equal(t, webInspect.HostConfig.MemoryLimit, uint64(1073741824)) + assert.Equal(t, webInspect.HostConfig.CPUReservation, 0.5) + assert.Equal(t, webInspect.HostConfig.MemoryReservation, uint64(536870912)) + + res = c.RunDockerCmd("inspect", secondContainer) + web2Inspect, err := ParseContainerInspect(res.Stdout()) + assert.NilError(t, err) + assert.NilError(t, err) + assert.Equal(t, web2Inspect.HostConfig.CPULimit, 0.5) + assert.Equal(t, web2Inspect.HostConfig.MemoryLimit, uint64(751619276)) + assert.Equal(t, web2Inspect.HostConfig.CPUReservation, 0.5) + assert.Equal(t, web2Inspect.HostConfig.MemoryReservation, uint64(751619276)) }) } diff --git a/tests/composefiles/aci_secrets/compose.yml b/tests/composefiles/aci_secrets/compose.yml deleted file mode 100644 index 5ca58ed8e..000000000 --- a/tests/composefiles/aci_secrets/compose.yml +++ /dev/null @@ -1,16 +0,0 @@ -services: - web: - build: . - image: ulyssessouza/secrets_server - ports: - - "80:80" - secrets: - - source: mysecret1 - target: mytarget1 - - mysecret2 - -secrets: - mysecret1: - file: ./my_secret1.txt - mysecret2: - file: ./my_secret2.txt diff --git a/tests/composefiles/aci_secrets/Dockerfile b/tests/composefiles/aci_secrets_resources/Dockerfile similarity index 100% rename from tests/composefiles/aci_secrets/Dockerfile rename to tests/composefiles/aci_secrets_resources/Dockerfile 
diff --git a/tests/composefiles/aci-demo/aci_demo_port_resources.yaml b/tests/composefiles/aci_secrets_resources/compose.yml similarity index 51% rename from tests/composefiles/aci-demo/aci_demo_port_resources.yaml rename to tests/composefiles/aci_secrets_resources/compose.yml index 7f76be39e..6a7ae7bdf 100644 --- a/tests/composefiles/aci-demo/aci_demo_port_resources.yaml +++ b/tests/composefiles/aci_secrets_resources/compose.yml @@ -1,19 +1,13 @@ services: - db: - image: gtardif/sentences-db - - words: - image: gtardif/sentences-api - deploy: - resources: - reservations: - cpus: '0.5' - memory: 0.7G - web: - image: gtardif/sentences-web + build: . + image: ulyssessouza/secrets_server ports: - "80:80" + secrets: + - source: mysecret1 + target: mytarget1 + - mysecret2 deploy: resources: limits: @@ -22,3 +16,18 @@ services: reservations: cpus: '0.5' memory: 0.5G + + web2: + build: . + image: gtardif/sentences-api + deploy: + resources: + reservations: + cpus: '0.5' + memory: 0.7G + +secrets: + mysecret1: + file: ./my_secret1.txt + mysecret2: + file: ./my_secret2.txt diff --git a/tests/composefiles/aci_secrets/my_secret1.txt b/tests/composefiles/aci_secrets_resources/my_secret1.txt similarity index 100% rename from tests/composefiles/aci_secrets/my_secret1.txt rename to tests/composefiles/aci_secrets_resources/my_secret1.txt diff --git a/tests/composefiles/aci_secrets/my_secret2.txt b/tests/composefiles/aci_secrets_resources/my_secret2.txt similarity index 100% rename from tests/composefiles/aci_secrets/my_secret2.txt rename to tests/composefiles/aci_secrets_resources/my_secret2.txt From ba0d2907ede924c48f038fb1cf576822c2f3e2ce Mon Sep 17 00:00:00 2001 From: Guillaume Tardif Date: Tue, 3 Nov 2020 14:17:55 +0100 Subject: [PATCH 2/2] Also validate we can share some secrets between services but not all secrets, without leaking secrets. 
Signed-off-by: Guillaume Tardif --- tests/aci-e2e/e2e-aci_test.go | 52 ++++++++++--------- .../aci_secrets_resources/compose.yml | 14 +++-- .../{ => web1}/Dockerfile | 0 .../aci_secrets_resources/web2/Dockerfile | 20 +++++++ 4 files changed, 56 insertions(+), 30 deletions(-) rename tests/composefiles/aci_secrets_resources/{ => web1}/Dockerfile (100%) create mode 100644 tests/composefiles/aci_secrets_resources/web2/Dockerfile diff --git a/tests/aci-e2e/e2e-aci_test.go b/tests/aci-e2e/e2e-aci_test.go index f439d8909..f13a2c33a 100644 --- a/tests/aci-e2e/e2e-aci_test.go +++ b/tests/aci-e2e/e2e-aci_test.go @@ -517,8 +517,8 @@ func overwriteFileStorageAccount(t *testing.T, absComposefileName string, storag func TestUpSecretsResources(t *testing.T) { const ( composeProjectName = "aci_test" - serverContainer = composeProjectName + "_web" - secondContainer = composeProjectName + "_web2" + web1 = composeProjectName + "_web1" + web2 = composeProjectName + "_web2" secret1Name = "mytarget1" secret1Value = "myPassword1\n" @@ -537,16 +537,8 @@ func TestUpSecretsResources(t *testing.T) { c.RunDockerCmd("compose", "up", "-f", composefilePath, "--project-name", composeProjectName) res := c.RunDockerCmd("ps") out := lines(res.Stdout()) - // Check one container running + // Check 2 containers running assert.Assert(t, is.Len(out, 3)) - webRunning := false - for _, l := range out { - if strings.Contains(l, serverContainer) { - webRunning = true - strings.Contains(l, ":80->80/tcp") - } - } - assert.Assert(t, webRunning, "web container not running ; ps:\n"+res.Stdout()) }) t.Cleanup(func() { 
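Review bot: The `assert.Assert(t, is.Len(out, 3))` check in the "compose up" subtest only counts lines of `ps` output, so after this change nothing confirms that the listed containers are actually `web1` and `web2`. The removed loop at least matched the container name, although its `strings.Contains(l, ":80->80/tcp")` result was discarded and the port mapping was never asserted. Consider keeping a name check next to the count, e.g. `assert.Assert(t, strings.Contains(res.Stdout(), web1), res.Stdout())` and the same for `web2`. The subtest's `t.Run` line is outside this hunk.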
@@ -556,13 +548,16 @@ func TestUpSecretsResources(t *testing.T) { assert.Equal(t, len(out), 1) }) - res := c.RunDockerCmd("inspect", serverContainer) - webInspect, err := ParseContainerInspect(res.Stdout()) + res := c.RunDockerCmd("inspect", web1) + web1Inspect, err := ParseContainerInspect(res.Stdout()) + assert.NilError(t, err) + res = c.RunDockerCmd("inspect", web2) + web2Inspect, err := ParseContainerInspect(res.Stdout()) assert.NilError(t, err) - t.Run("read secrets", func(t *testing.T) { - assert.Assert(t, is.Len(webInspect.Ports, 1)) - endpoint := fmt.Sprintf("http://%s:%d", webInspect.Ports[0].HostIP, webInspect.Ports[0].HostPort) + t.Run("read secrets in service 1", func(t *testing.T) { + assert.Assert(t, is.Len(web1Inspect.Ports, 1)) + endpoint := fmt.Sprintf("http://%s:%d", web1Inspect.Ports[0].HostIP, web1Inspect.Ports[0].HostPort) output := HTTPGetWithRetry(t, endpoint+"/"+secret1Name, http.StatusOK, 2*time.Second, 20*time.Second) // replace windows carriage return 
@@ -574,16 +569,23 @@ func TestUpSecretsResources(t *testing.T) { assert.Equal(t, output, secret2Value) }) - t.Run("check resource limits", func(t *testing.T) { - assert.Equal(t, webInspect.HostConfig.CPULimit, 0.7) - assert.Equal(t, webInspect.HostConfig.MemoryLimit, uint64(1073741824)) - assert.Equal(t, webInspect.HostConfig.CPUReservation, 0.5) - assert.Equal(t, webInspect.HostConfig.MemoryReservation, uint64(536870912)) + t.Run("read secrets in service 2", func(t *testing.T) { + assert.Assert(t, is.Len(web2Inspect.Ports, 1)) + endpoint := fmt.Sprintf("http://%s:%d", web2Inspect.Ports[0].HostIP, web2Inspect.Ports[0].HostPort) + + output := HTTPGetWithRetry(t, endpoint+"/"+secret2Name, http.StatusOK, 2*time.Second, 20*time.Second) + output = strings.ReplaceAll(output, "\r", "") + assert.Equal(t, output, secret2Value) + + HTTPGetWithRetry(t, endpoint+"/"+secret1Name, http.StatusNotFound, 2*time.Second, 20*time.Second) + }) + + t.Run("check resource limits", func(t *testing.T) { + assert.Equal(t, web1Inspect.HostConfig.CPULimit, 0.7) + assert.Equal(t, web1Inspect.HostConfig.MemoryLimit, uint64(1073741824)) + assert.Equal(t, web1Inspect.HostConfig.CPUReservation, 0.5) + assert.Equal(t, web1Inspect.HostConfig.MemoryReservation, uint64(536870912)) - res = c.RunDockerCmd("inspect", secondContainer) - web2Inspect, err := ParseContainerInspect(res.Stdout()) - assert.NilError(t, err) - assert.NilError(t, err) assert.Equal(t, web2Inspect.HostConfig.CPULimit, 0.5) assert.Equal(t, web2Inspect.HostConfig.MemoryLimit, uint64(751619276)) assert.Equal(t, web2Inspect.HostConfig.CPUReservation, 0.5) diff --git a/tests/composefiles/aci_secrets_resources/compose.yml b/tests/composefiles/aci_secrets_resources/compose.yml index 6a7ae7bdf..0ff840ccb 100644 --- a/tests/composefiles/aci_secrets_resources/compose.yml +++ b/tests/composefiles/aci_secrets_resources/compose.yml 
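Review bot: The isolation check at the end of "read secrets in service 2" only proves that `/mytarget1` is absent on web2. `mytarget1` is the target name configured for web1, so a `mysecret1` wrongly mounted on web2 under its source name would still pass. Since the point of this commit is that secrets are not leaked across services, also probe the source name: `HTTPGetWithRetry(t, endpoint+"/mysecret1", http.StatusNotFound, 2*time.Second, 20*time.Second)`. A stricter variant would fetch `endpoint+"/"` and assert the listing holds only the secret granted to web2; this assumes the web2 image serves a directory index of `/run/secrets`, as its `python -m http.server` entrypoint suggests.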
@@ -1,7 +1,7 @@ services: - web: - build: . - image: ulyssessouza/secrets_server + web1: + build: ./web1 + image: dockereng/e2e_test_secret_server1 ports: - "80:80" secrets: @@ -18,13 +18,17 @@ services: memory: 0.5G web2: - build: . - image: gtardif/sentences-api + build: ./web2 + image: dockereng/e2e_test_secret_server2 + ports: + - "8080:8080" deploy: resources: reservations: cpus: '0.5' memory: 0.7G + secrets: + - mysecret2 secrets: mysecret1: diff --git a/tests/composefiles/aci_secrets_resources/Dockerfile b/tests/composefiles/aci_secrets_resources/web1/Dockerfile similarity index 100% rename from tests/composefiles/aci_secrets_resources/Dockerfile rename to tests/composefiles/aci_secrets_resources/web1/Dockerfile diff --git a/tests/composefiles/aci_secrets_resources/web2/Dockerfile b/tests/composefiles/aci_secrets_resources/web2/Dockerfile new file mode 100644 index 000000000..0e139d094 --- /dev/null +++ b/tests/composefiles/aci_secrets_resources/web2/Dockerfile @@ -0,0 +1,20 @@ +# Copyright 2020 Docker Compose CLI authors + +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM python:3.8 +WORKDIR /run/secrets + +EXPOSE 8080 +ENTRYPOINT ["python"] +CMD ["-m", "http.server", "8080"]
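Review bot: Nothing in the new web2 Dockerfile says it is a test fixture, yet it serves the whole of `/run/secrets` over unauthenticated HTTP with directory listing (`WORKDIR /run/secrets` plus `python -m http.server 8080`), and compose.yml publishes it on `8080:8080`. Add a comment above `FROM`, for example `# E2E test fixture only: exposes every mounted secret over plain HTTP; never use with real secrets.` The `python:3.8` tag is also floating; pinning it as `python:3.8@sha256:<digest>` (digest not shown on this page) would keep the published `dockereng/e2e_test_secret_server2` image reproducible.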