tests(*): add vault related cmd tests

spec/02-integration/02-cmd/02-start_stop_spec.lua

@@ -1,6 +1,7 @@
 local helpers   = require "spec.helpers"
 local constants = require "kong.constants"
 local pl_file   = require("pl.file")
+local ssl_fixtures = require "spec.fixtures.ssl"
 
 local cjson = require "cjson"
 
@@ -1255,5 +1256,102 @@ describe("kong start/stop #" .. strategy, function()
     end)
   end)
 
+  describe("start/stop with vault references ", function()
+    before_each(function()
+      helpers.clean_prefix(PREFIX)
+    end)
+
+    it("resolve array-like configuration", function ()
+      helpers.clean_logfile()
+      helpers.setenv("PG_PASSWORD", "dummy")
+      helpers.setenv("CERT", ssl_fixtures.cert)
+      helpers.setenv("KEY", ssl_fixtures.key)
+
+      finally(function()
+        helpers.unsetenv("PG_PASSWORD")
+        helpers.unsetenv("CERT")
+        helpers.unsetenv("KEY")
+      end)
+
+      local _, stderr, stdout = assert(kong_exec("start", {
+        prefix = PREFIX,
+        database = TEST_CONF.database,
+        pg_password = "{vault://env/pg_password}",
+        pg_database = TEST_CONF.pg_database,
+        lua_ssl_trusted_certificate = "{vault://env/cert}, system",
+        ssl_cert_key = "{vault://env/key}",
+        ssl_cert = "{vault://env/cert}",
+        vaults = "env",
+      }))
+
+      assert.not_matches("failed to dereference {vault://env/pg_password}", stderr, nil, true)
+      assert.not_matches("failed to dereference {vault://env/cert}", stderr, nil, true)
+      assert.not_matches("failed to dereference {vault://env/key}", stderr, nil, true)
+      assert.logfile().has.no.line("[warn]", true)
+      assert.logfile().has.no.line("bad value type", true)
+      assert.logfile().has.no.line("env/pg_password", true)
+      assert.logfile().has.no.line("env/cert", true)
+      assert.logfile().has.no.line("env/key", true)
+      assert.matches("Kong started", stdout, nil, true)
+      assert(kong_exec("stop", {
+        prefix = PREFIX,
+      }))
+    end)
+
+    it("resolve secrets when both http and stream subsystem are enabled", function ()
+      helpers.clean_logfile()
+      helpers.setenv("PG_PASSWORD", "dummy")
+      helpers.setenv("CERT", ssl_fixtures.cert)
+      helpers.setenv("KEY", ssl_fixtures.key)
+      helpers.setenv("CERT_ALT", ssl_fixtures.cert_alt)
+      helpers.setenv("KEY_ALT", ssl_fixtures.key_alt)
+      helpers.setenv("LOGLEVEL", "error")
+
+      finally(function()
+        helpers.unsetenv("PG_PASSWORD")
+        helpers.unsetenv("CERT")
+        helpers.unsetenv("KEY")
+        helpers.unsetenv("LOGLEVEL")
+      end)
+
+      local avail_port = helpers.get_available_port()
+
+      local _, stderr, stdout = assert(kong_exec("start", {
+        prefix = PREFIX,
+        database = TEST_CONF.database,
+        pg_password = "{vault://env/pg_password}",
+        pg_database = TEST_CONF.pg_database,
+        loglevel = "{vault://env/loglevel}",
+        lua_ssl_trusted_certificate = "{vault://env/cert}, system",
+        ssl_cert_key = "{vault://env/key}, {vault://env/key_alt}",
+        ssl_cert = "{vault://env/cert}, {vault://env/cert_alt}",
+        vaults = "env",
+        stream_listen = "127.0.0.1:" .. avail_port .. " reuseport"
+      }))
+
+      assert.not_matches("init_by_lua error", stderr, nil, true)
+      assert.not_matches("failed to dereference {vault://env/pg_password}", stderr, nil, true)
+      assert.not_matches("failed to dereference {vault://env/cert}", stderr, nil, true)
+      assert.not_matches("failed to dereference {vault://env/cert_alt}", stderr, nil, true)
+      assert.not_matches("failed to dereference {vault://env/key}", stderr, nil, true)
+      assert.not_matches("failed to dereference {vault://env/key_alt}", stderr, nil, true)
+      assert.not_matches("failed to dereference {vault://env/loglevel}", stderr, nil, true)
+
+      assert.logfile().has.no.line("[warn]", true)
+      assert.logfile().has.no.line("bad value type", true)
+      assert.logfile().has.no.line("env/pg_password", true)
+      assert.logfile().has.no.line("env/cert", true)
+      assert.logfile().has.no.line("env/cert_alt", true)
+      assert.logfile().has.no.line("env/key", true)
+      assert.logfile().has.no.line("env/key_alt", true)
+      assert.logfile().has.no.line("env/loglevel", true)
+
+      assert.matches("Kong started", stdout, nil, true)
+      assert(kong_exec("stop", {
+        prefix = PREFIX,
+      }))
+    end)
+  end)
+
 end)
 end

spec/02-integration/02-cmd/09-prepare_spec.lua

@@ -1,6 +1,7 @@
 local helpers = require "spec.helpers"
 local signals = require "kong.cmd.utils.nginx_signals"
 local shell = require "resty.shell"
+local ssl_fixtures = require "spec.fixtures.ssl"
 
 
 local fmt = string.format
@@ -154,6 +155,81 @@ describe("kong prepare", function()
         assert.matches("kong_tests_unknown", stderr)
         assert.falsy(ok)
       end)
+
+      it("prepares a prefix and starts kong with http and stream submodule correctly [#" .. strategy .. "]", function ()
+        helpers.setenv("CERT", ssl_fixtures.cert)
+        helpers.setenv("KEY", ssl_fixtures.key)
+        helpers.setenv("CERT_ALT", ssl_fixtures.cert_alt)
+        helpers.setenv("KEY_ALT", ssl_fixtures.key_alt)
+        helpers.setenv("LOGLEVEL", "error")
+        finally(function()
+          helpers.unsetenv("CERT")
+          helpers.unsetenv("CERT_ALT")
+          helpers.unsetenv("KEY")
+          helpers.unsetenv("KEY_ALT")
+          helpers.unsetenv("LOGLEVEL")
+        end)
+        assert(helpers.kong_exec("prepare -c " .. helpers.test_conf_path, {
+          prefix = TEST_PREFIX,
+          database = strategy,
+          loglevel = "{vault://env/loglevel}",
+          lua_ssl_trusted_certificate = "{vault://env/cert}, system",
+          ssl_cert_key = "{vault://env/key}, {vault://env/key_alt}",
+          ssl_cert = "{vault://env/cert}, {vault://env/cert_alt}",
+          vaults = "env",
+          proxy_listen = "127.0.0.1:8000",
+          stream_listen = "127.0.0.1:9000",
+          admin_listen  = "127.0.0.1:8001",
+        }))
+        assert.truthy(helpers.path.exists(TEST_PREFIX))
+
+        local process_secrets_http = helpers.path.join(TEST_PREFIX, ".kong_process_secrets_http")
+        local process_secrets_stream = helpers.path.join(TEST_PREFIX, ".kong_process_secrets_stream")
+
+        local admin_access_log_path = helpers.path.join(TEST_PREFIX, helpers.test_conf.admin_access_log)
+        local admin_error_log_path = helpers.path.join(TEST_PREFIX, helpers.test_conf.admin_error_log)
+
+        assert.truthy(helpers.path.exists(process_secrets_http))
+        assert.truthy(helpers.path.exists(process_secrets_stream))
+        assert.truthy(helpers.path.exists(admin_access_log_path))
+        assert.truthy(helpers.path.exists(admin_error_log_path))
+
+        local nginx_bin, err = signals.find_nginx_bin()
+        assert.is_nil(err)
+
+        local cmd = fmt("%s -p %s -c %s", nginx_bin, TEST_PREFIX, "nginx.conf")
+        local ok, _, stderr = shell.run(cmd, nil, 0)
+
+        assert.equal("", stderr)
+        assert.truthy(ok)
+        local error_log_path = helpers.path.join(TEST_PREFIX, "logs/error.log")
+        assert.logfile(error_log_path).has.no.line("[error]", true, 0)
+        assert.logfile(error_log_path).has.no.line("[alert]", true, 0)
+        assert.logfile(error_log_path).has.no.line("[crit]",  true, 0)
+        assert.logfile(error_log_path).has.no.line("[emerg]", true, 0)
+        assert
+        .with_timeout(5)
+        .ignore_exceptions(true)
+        .eventually(function()
+          local client = helpers.admin_client(nil, 8001)
+          local res, err = client:send({ path = "/status", method = "GET" })
+
+          if res then res:read_body() end
+
+          client:close()
+
+          if not res then
+            return nil, err
+          end
+
+          if res.status ~= 200 then
+            return nil, res
+          end
+
+          return true
+        end)
+        .is_truthy("/status API did not return 200")
+      end)
     end)
   end
 end)