deckhand/deckhand/tests/integration/gabbits/document-substitution-secret.yaml

# Tests success paths for secret substitution:
#
# 1. Tests that creating a secret passphrase alongside other documents
#    results in the Barbican secret ref being returned.
# 2. Tests that the secret payload is included in the destination
#    and source documents after document rendering.

defaults:
  request_headers:
    content-type: application/x-yaml
    X-Auth-Token: $ENVIRON['TEST_AUTH_TOKEN']
  response_headers:
    content-type: application/x-yaml
  verbose: true

tests:
  - name: purge
    desc: Begin testing from known state.
    DELETE: /api/v1.0/revisions
    status: 204
    response_headers: null

  - name: create_documents_for_secret_substitution
    desc: Create documents with substitution source with storagePolicy=encrypted
    PUT: /api/v1.0/buckets/secret/documents
    status: 200
    data: |-
      ---
      schema: deckhand/LayeringPolicy/v1
      metadata:
        schema: metadata/Control/v1
        name: layering-policy
      data:
        layerOrder:
          - site
      ---
      schema: deckhand/Certificate/v1
      metadata:
        name: example-cert
        schema: metadata/Document/v1
        layeringDefinition:
          layer: site
        storagePolicy: encrypted
      data: CERTIFICATE DATA
      ---
      schema: armada/Chart/v1
      metadata:
        schema: metadata/Document/v1
        name: armada-chart-01
        layeringDefinition:
          layer: site
        substitutions:
          - dest:
              path: .chart.values.tls.certificate
            src:
              schema: deckhand/Certificate/v1
              name: example-cert
              path: .
      data: {}
      ...      

  - name: verify_multiple_revision_documents_returns_secret_ref
    desc: Verify that secret ref was created for example-cert among multiple created documents.
    GET: /api/v1.0/revisions/$RESPONSE['$.[0].status.revision']/documents
    status: 200
    query_parameters:
      metadata.name: example-cert
    response_multidoc_jsonpaths:
      $.`len`: 1
      # NOTE(fmontei): jsonpath-rw-ext uses a 1 character separator (rather than allowing a string)
      # leading to this nastiness:
      $.[0].data.`split(:, 0, 1)` + "://" + $.[0].data.`split(/, 2, 3)` + "/v1": $ENVIRON['TEST_BARBICAN_URL']

  - name: verify_secret_payload_in_destination_document
    desc: Verify secret payload is injected in destination document as well as example-cert.
    GET: /api/v1.0/revisions/$RESPONSE['$.[0].status.revision']/rendered-documents
    status: 200
    query_parameters:
      metadata.name:
        - armada-chart-01
        - example-cert
      sort: metadata.name
    response_multidoc_jsonpaths:
      $.`len`: 2
      $.[0].metadata.name: armada-chart-01
      $.[0].data:
        chart:
          values:
            tls:
              certificate: CERTIFICATE DATA
      $.[1].metadata.name: example-cert
      $.[1].data: CERTIFICATE DATA