Merge branch 'feature/PB-36900-rootless-support' into develop

.github/workflows/push_pr_main.yaml

@@ -49,6 +49,16 @@ jobs:
       - name: Run integration tests
         run: bash run_tests.sh --integration
 
+  integration-tests-mariadb-rootless:
+    name: Integration Tests Mariadb
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run integration tests
+        run: ROOTLESS=true bash run_tests.sh --integration
+
   integration-tests-postgresql:
     name: Integration Tests Postgresql
     runs-on: ubuntu-latest
@@ -58,3 +68,13 @@ jobs:
 
       - name: Run integration tests
         run: bash run_tests.sh --integration -d postgresql
+
+  integration-tests-postgresql-rootless:
+    name: Integration Tests Postgresql
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run integration tests
+        run: ROOTLESS=true bash run_tests.sh --integration -d postgresql

.gitlab-ci.yml

@@ -32,21 +32,35 @@ test Helm Charts:
     - bash run_tests.sh --unit
 
 integration Tests Helm Charts Mariadb:
+  variables:
+    ROOTLESS: false
   image: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/docker:dind
   script:
     - |
       apk update && apk add -U curl bash
       sleep 10 # Wait for docker service
       bash run_tests.sh --integration
 
+integration Tests Helm Charts Mariadb Rootless:
+  variables:
+    ROOTLESS: true
+  extends: integration Tests Helm Charts Mariadb
+
 integration Tests Helm Charts Postgresql:
+  variables:
+    ROOTLESS: false
   image: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/docker:dind
   script:
     - |
       apk update && apk add -U curl bash
       sleep 10 # Wait for docker service
       bash run_tests.sh --integration -d postgresql
 
+integration Tests Helm Charts Postgresql Rootless:
+  variables:
+    ROOTLESS: true
+  extends: integration Tests Helm Charts Postgresql
+
 publish:
   stage: publish
   image: ${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/alpine/helm

templates/tests/integration-tests-runner.yaml

@@ -20,7 +20,9 @@ spec:
           bash /tests/run_tests.sh
       env:
         - name: TESTS_DEBUG
-          value: {{ quote .Values.integrationTests.debug  }}
+          value: {{ quote .Values.integrationTests.debug | default false }}
+        - name: ROOTLESS
+          value: {{ quote .Values.integrationTests.rootless | default false }}
       volumeMounts:
         - name: integration-tests-runner
           mountPath: "/tests/run_tests.sh"

tests/integration/fixtures/create-cluster-with-passbolt.sh

@@ -12,82 +12,116 @@ SSL_KEY_PATH="/tmp/ssl.key"
 SSL_CERT_PATH="/tmp/ssl.crt"
 
 function createKindCluster {
-	echo "Creating kind cluster: $KIND_CLUSTER_NAME"
-	"$KIND_BINARY" create cluster --config "$KIND_CLUSTER_CONFIG_FILE" --name "$KIND_CLUSTER_NAME"
+  echo "Creating kind cluster: $KIND_CLUSTER_NAME"
+  "$KIND_BINARY" create cluster --config "$KIND_CLUSTER_CONFIG_FILE" --name "$KIND_CLUSTER_NAME"
 }
 
 function installNginxIngress {
-	"$KUBECTL_BINARY" apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
-	"$KUBECTL_BINARY" rollout status deployment ingress-nginx-controller --timeout=120s -n ingress-nginx
+  "$KUBECTL_BINARY" apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
+  "$KUBECTL_BINARY" rollout status deployment ingress-nginx-controller --timeout=120s -n ingress-nginx
+}
+
+function http_port {
+  if [ "$ROOTLESS" == true ]; then
+    echo 8080
+  else
+    echo 80
+  fi
+}
+
+function https_port {
+  if [ "$ROOTLESS" == true ]; then
+    echo 4433
+  else
+    echo 443
+  fi
+}
+
+function image_tag {
+  tag="$(awk -F ' ' '/^    tag:/ {print $2}' values.yaml)"
+  if [ "$ROOTLESS" == true ]; then
+    echo "$tag"-non-root
+  else
+    echo "$tag"
+  fi
 }
 
 function upgradePassboltChart {
-	local private_key=""
-	local public_key=""
-	local fingerprint=""
-	local jwt_private_key=""
-	local jwt_public_key=""
-	private_key=$(kubectl get secret passbolt-sec-gpg --namespace default -o jsonpath="{.data.serverkey_private\.asc}")  ✔ │ 56m 0s 
-	public_key=$(kubectl get secret passbolt-sec-gpg --namespace default -o jsonpath="{.data.serverkey\.asc}")
-	fingerprint=$(kubectl exec deploy/passbolt-depl-srv -c passbolt-depl-srv -- grep PASSBOLT_GPG_SERVER_KEY_FINGERPRINT /etc/environment | awk -F= '{gsub(/"/, ""); print $2}')
-	jwt_private_key=$(kubectl get secret passbolt-sec-jwt --namespace default -o jsonpath="{.data.jwt\.key}")
-	jwt_public_key=$(kubectl get secret passbolt-sec-jwt --namespace default -o jsonpath="{.data.jwt\.pem}")
-	"$HELM_BINARY" upgrade -i passbolt . \
-		-f $HELM_TESTING_VALUES \
-		-n default \
-		--set integrationTests.debug="$DEBUG" \
-		--set gpgServerKeyPrivate="$private_key" \
-		--set gpgServerKeyPublic="$public_key" \
-		--set passboltEnv.secret.PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="$fingerprint" \
-		--set jwtServerPrivate="$jwt_private_key" \
-		--set jwtServerPublic="$jwt_public_key"
+  local private_key=""
+  local public_key=""
+  local fingerprint=""
+  local jwt_private_key=""
+  local jwt_public_key=""
+  private_key=$(kubectl get secret passbolt-sec-gpg --namespace default -o jsonpath="{.data.serverkey_private\.asc}")  ✔ │ 56m 0s 
+  public_key=$(kubectl get secret passbolt-sec-gpg --namespace default -o jsonpath="{.data.serverkey\.asc}")
+  fingerprint=$(kubectl exec deploy/passbolt-depl-srv -c passbolt-depl-srv -- grep PASSBOLT_GPG_SERVER_KEY_FINGERPRINT /etc/environment | awk -F= '{gsub(/"/, ""); print $2}')
+  jwt_private_key=$(kubectl get secret passbolt-sec-jwt --namespace default -o jsonpath="{.data.jwt\.key}")
+  jwt_public_key=$(kubectl get secret passbolt-sec-jwt --namespace default -o jsonpath="{.data.jwt\.pem}")
+  "$HELM_BINARY" upgrade -i passbolt . \
+    -f "$HELM_TESTING_VALUES" \
+    -n default \
+    --set integrationTests.debug="$DEBUG" \
+    --set integrationTests.rootless="$ROOTLESS" \
+    --set app.image.tag="$(image_tag)" \
+    --set gpgServerKeyPrivate="$private_key" \
+    --set gpgServerKeyPublic="$public_key" \
+    --set passboltEnv.secret.PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="$fingerprint" \
+    --set jwtServerPrivate="$jwt_private_key" \
+    --set jwtServerPublic="$jwt_public_key" \
+    --set service.ports.https.targetPort="$(https_port)" \
+    --set service.ports.http.targetPort="$(http_port)"
 }
 
 function installPassboltChart {
-	if [[ ! -z "$GITLAB_CI" || ! -z "$GITHUB_WORKFLOW" ]]; then
-		"$HELM_BINARY" repo add bitnami https://charts.bitnami.com/bitnami
-		"$HELM_BINARY" repo add passbolt-library https://download.passbolt.com/charts/passbolt-library
-		"$HELM_BINARY" dependency build
-	fi
-	if "$HELM_BINARY" status passbolt; then
-		upgradePassboltChart
-	else
-		"$HELM_BINARY" install passbolt . -f $HELM_TESTING_VALUES -n default --set integrationTests.debug="$DEBUG"
-	fi
-	"$KUBECTL_BINARY" rollout status deployment passbolt-depl-srv --timeout=120s -n default
+  if [[ ! -z "$GITLAB_CI" || ! -z "$GITHUB_WORKFLOW" ]]; then
+    "$HELM_BINARY" repo add bitnami https://charts.bitnami.com/bitnami
+    "$HELM_BINARY" repo add passbolt-library https://download.passbolt.com/charts/passbolt-library
+    "$HELM_BINARY" dependency build
+  fi
+  if "$HELM_BINARY" status passbolt; then
+    upgradePassboltChart
+  else
+    "$HELM_BINARY" install passbolt . -f $HELM_TESTING_VALUES -n default \
+      --set service.ports.https.targetPort="$(https_port)" \
+      --set service.ports.http.targetPort="$(http_port)" \
+      --set app.image.tag="$(image_tag)" \
+      --set integrationTests.debug="$DEBUG" \
+      --set integrationTests.rootless="$ROOTLESS"
+  fi
+  "$KUBECTL_BINARY" rollout status deployment passbolt-depl-srv --timeout=120s -n default
 }
 
 function createAndInstallSSLCertificates {
-	local domain="${1-passbolt.local}"
-	local ssl_key_path="$SSL_KEY_PATH"
-	local ssl_cert_path="$SSL_CERT_PATH"
-	"$MKCERT_BINARY" -install
-	"$MKCERT_BINARY" -cert-file "$ssl_cert_path" -key-file "$ssl_key_path" "$domain"
-	"$KUBECTL_BINARY" create secret generic mkcert-ca \
-		--from-file=rootCA-key.pem=$("$MKCERT_BINARY" -CAROOT)/rootCA-key.pem \
-		--from-file=rootCA.pem=$("$MKCERT_BINARY" -CAROOT)/rootCA.pem \
-		-n default
+  local domain="${1-passbolt.local}"
+  local ssl_key_path="$SSL_KEY_PATH"
+  local ssl_cert_path="$SSL_CERT_PATH"
+  "$MKCERT_BINARY" -install
+  "$MKCERT_BINARY" -cert-file "$ssl_cert_path" -key-file "$ssl_key_path" "$domain"
+  "$KUBECTL_BINARY" create secret generic mkcert-ca \
+    --from-file=rootCA-key.pem=$("$MKCERT_BINARY" -CAROOT)/rootCA-key.pem \
+    --from-file=rootCA.pem=$("$MKCERT_BINARY" -CAROOT)/rootCA.pem \
+    -n default
 }
 
 function createSecretWithTLS {
-	local secret_name="$K8S_LOCAL_TLS_SECRET"
-	local ssl_key_path="$SSL_KEY_PATH"
-	local ssl_cert_path="$SSL_CERT_PATH"
-	if "$KUBECTL_BINARY" get secret $secret_name -n default &>/dev/null; then
-		"$KUBECTL_BINARY" delete secret $secret_name -n default
-	fi
-	"$KUBECTL_BINARY" create secret tls $secret_name --cert="$ssl_cert_path" --key="$ssl_key_path" -n default
+  local secret_name="$K8S_LOCAL_TLS_SECRET"
+  local ssl_key_path="$SSL_KEY_PATH"
+  local ssl_cert_path="$SSL_CERT_PATH"
+  if "$KUBECTL_BINARY" get secret $secret_name -n default &>/dev/null; then
+    "$KUBECTL_BINARY" delete secret $secret_name -n default
+  fi
+  "$KUBECTL_BINARY" create secret tls $secret_name --cert="$ssl_cert_path" --key="$ssl_key_path" -n default
 }
 function createInfraAndInstallPassboltChart {
-	if ! "$KUBECTL_BINARY" config view -o jsonpath='{.contexts[*].name}' | grep -q "$KIND_CLUSTER_NAME"; then
-		createKindCluster
-		createAndInstallSSLCertificates
-		createSecretWithTLS
-		installNginxIngress
-		installPassboltChart
-	else
-		echo "Cluster $KIND_CLUSTER_NAME already exists"
-	fi
+  if ! "$KUBECTL_BINARY" config view -o jsonpath='{.contexts[*].name}' | grep -q "$KIND_CLUSTER_NAME"; then
+    createKindCluster
+    createAndInstallSSLCertificates
+    createSecretWithTLS
+    installNginxIngress
+    installPassboltChart
+  else
+    echo "Cluster $KIND_CLUSTER_NAME already exists"
+  fi
 }
 
 createInfraAndInstallPassboltChart

tests/integration/fixtures/passbolt.sh

@@ -1,73 +1,87 @@
 #!/bin/bash
 
 function registerPassboltUser {
-	local firstname=$1
-	local lastname=$2
-	local email=$3
-	registration=$("$KUBECTL_BINARY" exec -it deployment/passbolt-depl-srv -n default -- su -c "bin/cake passbolt register_user -u $email -f $firstname -l $lastname -r admin" -s /bin/bash www-data 2>/dev/null)
-	_log "$registration"
-	user_uuid=$(echo "${registration}" | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*" | cut -d/ -f6)
-	user_token=$(echo "${registration}" | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*" | cut -d/ -f7)
+  local firstname=$1
+  local lastname=$2
+  local email=$3
+  local register_command='bin/cake passbolt register_user -u $0 -f $1 -l $2 -r admin'
+  #local command_as_root="su -c "$register_command" -- $email $firstname $lastname -s /bin/bash www-data"
+  #local command_as_www="bash -c "$register_command" -- $email $firstname $lastname"
+  if [ "$ROOTLESS" == true ]; then
+    registration=$("$KUBECTL_BINARY" exec -it deployment/passbolt-depl-srv -n default -- bash -c "$register_command" $email $firstname $lastname 2>/dev/null)
+  else
+    registration=$("$KUBECTL_BINARY" exec -it deployment/passbolt-depl-srv -n default -- su www-data -c "$register_command" $email $firstname $lastname -s /bin/bash 2>/dev/null)
+  fi
+  _log "$registration"
+  regex='(https?)://[-[:alnum:]\+&@#/%?=~_|!:,.;]*[-[:alnum:]\+&@#/%=~_|]'
+  if [[ $registration =~ $regex ]]; then
+    _log User created on database
+  else
+    _log User creation failed
+    return 1
+  fi
+  user_uuid=$(echo "${registration}" | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*" | cut -d/ -f6)
+  user_token=$(echo "${registration}" | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*" | cut -d/ -f7)
 
-	createGPGKey "$email"
+  createGPGKey "$email"
 
-	_log Registering user on passbolt api...
-	curl -s "https://${PASSBOLT_FQDN}/setup/complete/${user_uuid}" \
-		-H "authority: ${PASSBOLT_FQDN}" \
-		-H "accept: application/json" \
-		-H "content-type: application/json" \
-		--data-raw "{\"authenticationtoken\":{\"token\":\"${user_token}\"},\"gpgkey\":{\"armored_key\":\"$(awk '{printf "%s\\n", $0}' public-${email}.asc)\"}}" \
-		--compressed >/dev/null
-	_log User "$email" succesfully registered
-	# Fixes an issue on the CI, where user with this key isn't found.
-	sleep 10
+  _log Registering user on passbolt api...
+  curl -s "https://${PASSBOLT_FQDN}/setup/complete/${user_uuid}" \
+    -H "authority: ${PASSBOLT_FQDN}" \
+    -H "accept: application/json" \
+    -H "content-type: application/json" \
+    --data-raw "{\"authenticationtoken\":{\"token\":\"${user_token}\"},\"gpgkey\":{\"armored_key\":\"$(awk '{printf "%s\\n", $0}' public-${email}.asc)\"}}" \
+    --compressed >/dev/null
+  _log User "$email" succesfully registered
+  # Fixes an issue on the CI, where user with this key isn't found.
+  sleep 10
 }
 
 function configurePassbolt {
-	local id=$1
-	_log Configuring passbolt cli...
-	_log $PASSBOLT_CLI_BINARY configure --serverAddress "https://${PASSBOLT_FQDN}" --userPassword "$PASSPHRASE" --userPrivateKeyFile "secret-${id}.asc"
-	$PASSBOLT_CLI_BINARY configure --serverAddress "https://${PASSBOLT_FQDN}" --userPassword "$PASSPHRASE" --userPrivateKeyFile "secret-${id}.asc"
-	_log passbolt cli configured
+  local id=$1
+  _log Configuring passbolt cli...
+  _log $PASSBOLT_CLI_BINARY configure --serverAddress "https://${PASSBOLT_FQDN}" --userPassword "$PASSPHRASE" --userPrivateKeyFile "secret-${id}.asc"
+  $PASSBOLT_CLI_BINARY configure --serverAddress "https://${PASSBOLT_FQDN}" --userPassword "$PASSPHRASE" --userPrivateKeyFile "secret-${id}.asc"
+  _log passbolt cli configured
 }
 
 function createPassword {
-	local name="$1"
-	local secret="$2"
-	_log $PASSBOLT_CLI_BINARY create resource --name "${name}" --password "$secret" -j
-	$PASSBOLT_CLI_BINARY create resource --name "${name}" --password "$secret" -j
+  local name="$1"
+  local secret="$2"
+  _log $PASSBOLT_CLI_BINARY create resource --name "${name}" --password "$secret" -j
+  $PASSBOLT_CLI_BINARY create resource --name "${name}" --password "$secret" -j
 }
 
 function createPasswordInFolder {
-	local name="$1"
-	local secret="$2"
-	local folder="$3"
-	_log $PASSBOLT_CLI_BINARY create resource --name "${name}" --password "$secret" -f "$folder" -j
-	$PASSBOLT_CLI_BINARY create resource --name "${name}" --password "$secret" -f "$folder" -j
+  local name="$1"
+  local secret="$2"
+  local folder="$3"
+  _log $PASSBOLT_CLI_BINARY create resource --name "${name}" --password "$secret" -f "$folder" -j
+  $PASSBOLT_CLI_BINARY create resource --name "${name}" --password "$secret" -f "$folder" -j
 }
 
 function createFolder {
-	local name="$1"
-	_log $PASSBOLT_CLI_BINARY create folder --name "${name}" -j
-	$PASSBOLT_CLI_BINARY create folder --name "${name}" -j
+  local name="$1"
+  _log $PASSBOLT_CLI_BINARY create folder --name "${name}" -j
+  $PASSBOLT_CLI_BINARY create folder --name "${name}" -j
 }
 
 function sharePassword {
-	local id=$1
-	local user_id=$2
-	local type="$3"
-	_log $PASSBOLT_CLI_BINARY share resource --id "$id" --user "$user_id" --type "$type"
-	$PASSBOLT_CLI_BINARY share resource --id "$id" --user "$user_id" --type "$type"
+  local id=$1
+  local user_id=$2
+  local type="$3"
+  _log $PASSBOLT_CLI_BINARY share resource --id "$id" --user "$user_id" --type "$type"
+  $PASSBOLT_CLI_BINARY share resource --id "$id" --user "$user_id" --type "$type"
 }
 
 function getUserIdByUsername {
-	local username="$1"
-	_log $PASSBOLT_CLI_BINARY list user --filter "Username == \"$username\"" -j | jq -r .[0].id
-	$PASSBOLT_CLI_BINARY list user --filter "Username == \"$username\"" -j | jq -r .[0].id
+  local username="$1"
+  _log $PASSBOLT_CLI_BINARY list user --filter "Username == \"$username\"" -j | jq -r .[0].id
+  $PASSBOLT_CLI_BINARY list user --filter "Username == \"$username\"" -j | jq -r .[0].id
 }
 
 function getPasswordSecretById {
-	local id="$1"
-	_log "$PASSBOLT_CLI_BINARY" get resource --id "$id" -j | jq -r .password
-	"$PASSBOLT_CLI_BINARY" get resource --id "$id" -j | jq -r .password
+  local id="$1"
+  _log "$PASSBOLT_CLI_BINARY" get resource --id "$id" -j | jq -r .password
+  "$PASSBOLT_CLI_BINARY" get resource --id "$id" -j | jq -r .password
 }