Add tls-san, disable rootful tests

joebowbeer · joebowbeer · commit 4d9e5ec95b64 · 2024-11-17T01:37:33.000-08:00
diff --git a/docs/modules/k3s.md b/docs/modules/k3s.md
@@ -11,9 +11,16 @@ npm install @testcontainers/k3s --save-dev
 ## Examples
 
 <!--codeinclude-->
-[Starting a K3S server](../../packages/modules/k3s/src/k3s-container.test.ts) inside_block:starting_k3s
+[Starting a K3s server:](../../packages/modules/k3s/src/k3s-container.test.ts) inside_block:starting_k3s
 <!--/codeinclude-->
 
 <!--codeinclude-->
-[Connecting to the server](../../packages/modules/k3s/src/k3s-container.test.ts) inside_block:connecting_with_client
+[Connecting to the server using the Kubernetes JavaScript client:](../../packages/modules/k3s/src/k3s-container.test.ts) inside_block:connecting_with_client
 <!--/codeinclude-->
+
+## Known limitations
+
+!!! warning
+    * K3sContainer runs as a privileged container and needs to be able to spawn its own containers. For these reasons,
+    K3sContainer will not work in certain rootless Docker, Docker-in-Docker, or other environments where privileged
+    containers are disallowed.
diff --git a/packages/modules/k3s/src/k3s-container.test.ts b/packages/modules/k3s/src/k3s-container.test.ts
@@ -1,80 +1,117 @@
 import { K3sContainer } from "./k3s-container";
 import * as k8s from "@kubernetes/client-node";
 import { setTimeout } from "node:timers/promises";
+import { GenericContainer, Network, Wait } from "testcontainers";
 
 describe("K3s", () => {
-  jest.setTimeout(150_000);
+  jest.setTimeout(120_000);
 
-  it("should start and have listable node", async () => {
-    // starting_k3s {
-    const container = await new K3sContainer().start();
-    // }
+  it("should construct", () => {
+    new K3sContainer("rancher/k3s:v1.31.2-k3s1");
+  });
 
-    // connecting_with_client {
-    // obtain a kubeconfig file which allows us to connect to k3s
-    const kubeConfig = container.getKubeConfig();
+  // K3sContainer runs as a privileged container
+  if (!process.env["CI_ROOTLESS"]) {
+    it("should start and have listable node", async () => {
+      // starting_k3s {
+      const container = await new K3sContainer("rancher/k3s:v1.31.2-k3s1").start();
+      // }
 
-    const kc = new k8s.KubeConfig();
-    kc.loadFromString(kubeConfig);
+      // connecting_with_client {
+      // obtain a kubeconfig file that allows us to connect to k3s
+      const kubeConfig = container.getKubeConfig();
 
-    const client = kc.makeApiClient(k8s.CoreV1Api);
+      const kc = new k8s.KubeConfig();
+      kc.loadFromString(kubeConfig);
 
-    // interact with the running K3s server, e.g.:
-    const nodeList = await client.listNode();
-    // }
+      const client = kc.makeApiClient(k8s.CoreV1Api);
 
-    expect(nodeList.items).toHaveLength(1);
+      // interact with the running K3s server, e.g.:
+      const nodeList = await client.listNode();
+      // }
 
-    await container.stop();
-  });
+      expect(nodeList.items).toHaveLength(1);
 
-  it("should start a pod", async () => {
-    const container = await new K3sContainer().start();
-    const kc = new k8s.KubeConfig();
-    kc.loadFromString(container.getKubeConfig());
-
-    const pod = {
-      metadata: {
-        name: "helloworld",
-      },
-      spec: {
-        containers: [
-          {
-            name: "helloworld",
-            image: "testcontainers/helloworld:1.1.0",
-            ports: [
-              {
-                containerPort: 8080,
-              },
-            ],
-            readinessProbe: {
-              tcpSocket: {
-                port: 8080,
+      await container.stop();
+    });
+
+    it("should expose kubeconfig for a network alias", async () => {
+      const network = await new Network().start();
+      const container = await new K3sContainer("rancher/k3s:v1.31.2-k3s1")
+        .withNetwork(network)
+        .withNetworkAliases("k3s")
+        .start();
+
+      // obtain a kubeconfig that allows us to connect on the custom network
+      const kubeConfig = container.getAliasedKubeConfig("k3s");
+
+      const kubectlContainer = await new GenericContainer("rancher/kubectl:v1.31.2")
+        .withNetwork(network)
+        .withCopyContentToContainer([{ content: kubeConfig, target: "/home/kubectl/.kube/config" }])
+        .withCommand(["get", "namespaces"])
+        .withWaitStrategy(Wait.forOneShotStartup())
+        .withStartupTimeout(30_000)
+        .start();
+
+      const chunks = [];
+      for await (const chunk of await kubectlContainer.logs()) {
+        chunks.push(chunk);
+      }
+      expect(chunks).toEqual(expect.arrayContaining([expect.stringContaining("kube-system")]));
+
+      await kubectlContainer.stop();
+      await container.stop();
+      await network.stop();
+    });
+
+    it("should start a pod", async () => {
+      const container = await new K3sContainer("rancher/k3s:v1.31.2-k3s1").start();
+      const kc = new k8s.KubeConfig();
+      kc.loadFromString(container.getKubeConfig());
+
+      const pod = {
+        metadata: {
+          name: "helloworld",
+        },
+        spec: {
+          containers: [
+            {
+              name: "helloworld",
+              image: "testcontainers/helloworld:1.1.0",
+              ports: [
+                {
+                  containerPort: 8080,
+                },
+              ],
+              readinessProbe: {
+                tcpSocket: {
+                  port: 8080,
+                },
               },
             },
-          },
-        ],
-      },
-    };
-
-    const client = kc.makeApiClient(k8s.CoreV1Api);
-    await client.createNamespacedPod({ namespace: "default", body: pod });
-
-    // wait for pod to be ready
-    let ready = false;
-    for (const startTime = Date.now(); Date.now() - startTime < 60_000; ) {
-      const podList = await client.listNamespacedPod({ namespace: "default" });
-      const pod = podList.items.find((pod) => pod.metadata?.name === "helloworld");
-      const status = pod?.status;
-      ready =
-        status?.phase === "Running" &&
-        !!status?.conditions?.some((cond) => cond.type === "Ready" && cond.status === "True");
-      if (ready) break;
-      await setTimeout(3_000);
-    }
-
-    expect(ready).toBe(true);
-
-    await container.stop();
-  });
+          ],
+        },
+      };
+
+      const client = kc.makeApiClient(k8s.CoreV1Api);
+      await client.createNamespacedPod({ namespace: "default", body: pod });
+
+      // wait for pod to be ready
+      expect(await podIsReady(client, "default", "helloworld", 60_000)).toBe(true);
+
+      await container.stop();
+    });
+  }
 });
+
+async function podIsReady(client: k8s.CoreV1Api, namespace: string, name: string, timeout: number): Promise<boolean> {
+  for (const startTime = Date.now(); Date.now() - startTime < timeout; ) {
+    const res = await client.readNamespacedPodStatus({ namespace, name });
+    const ready =
+      res.status?.phase === "Running" &&
+      !!res.status?.conditions?.some((cond) => cond.type === "Ready" && cond.status === "True");
+    if (ready) return true;
+    await setTimeout(3_000);
+  }
+  return false;
+}
diff --git a/packages/modules/k3s/src/k3s-container.ts b/packages/modules/k3s/src/k3s-container.ts
@@ -1,51 +1,59 @@
-import { AbstractStartedContainer, GenericContainer, Wait, type StartedTestContainer } from "testcontainers";
+import { AbstractStartedContainer, GenericContainer, StartedTestContainer, Wait } from "testcontainers";
 import tar from "tar-stream";
 import { basename } from "node:path";
 
-// TODO: Update @types/dockerode
+// TODO: Implement GenericContainer.withCgroupnsMode
 // https://github.com/DefinitelyTyped/DefinitelyTyped/discussions/71160
 type CgroupnsModeConfig = { CgroupnsMode?: "private" | "host" };
 
 const KUBE_CONFIG_PATH = "/etc/rancher/k3s/k3s.yaml";
 const KUBE_SECURE_PORT = 6443;
 const RANCHER_WEBHOOK_PORT = 8443;
 
-/** Path to the k3s manifests directory. These are applied automatically on startup. */
-export const K3S_SERVER_MANIFESTS = "/var/lib/rancher/k3s/server/manifests/";
-
 export class K3sContainer extends GenericContainer {
-  constructor(image = "rancher/k3s:v1.31.2-k3s1") {
+  constructor(image: string) {
     super(image);
     (this.hostConfig as CgroupnsModeConfig).CgroupnsMode = "host";
     this.withExposedPorts(KUBE_SECURE_PORT, RANCHER_WEBHOOK_PORT)
       .withPrivilegedMode()
-      // TODO: Determine if/when bind mount is needed
-      .withBindMounts([{ mode: "rw", source: "/sys/fs/cgroup", target: "/sys/fs/cgroup" }])
+      // Why do Java and .NET implementations bind cgroup but Golang does not?
+      .withBindMounts([{ source: "/sys/fs/cgroup", target: "/sys/fs/cgroup" }])
       .withTmpFs({ "/run": "rw" })
       .withTmpFs({ "/var/run": "rw" })
-      // TODO: If tls-san is desirable, determine how to obtain the host address
-      // .withCommand(["server", "--disable=traefik", `--tls-san=${this.getHost()}`])
-      .withCommand(["server", "--disable=traefik"])
       .withWaitStrategy(Wait.forLogMessage("Node controller sync successful"))
       .withStartupTimeout(120_000);
   }
 
   public override async start(): Promise<StartedK3sContainer> {
     const container = await super.start();
     const tarStream = await container.copyArchiveFromContainer(KUBE_CONFIG_PATH);
-    const kubeConfig = await extractFromTarStream(tarStream, basename(KUBE_CONFIG_PATH));
-    return new StartedK3sContainer(container, kubeConfig);
+    const rawKubeConfig = await extractFromTarStream(tarStream, basename(KUBE_CONFIG_PATH));
+    return new StartedK3sContainer(container, rawKubeConfig);
+  }
+
+  protected override async beforeContainerCreated() {
+    let command = this.createOpts.Cmd ?? ["server", "--disable=traefik"];
+    if (this.networkMode && this.networkAliases.length > 0) {
+      const aliases = this.networkAliases.join();
+      command = [...command, `--tls-san=${aliases}`];
+    }
+    this.withCommand(command);
   }
 }
 
 export class StartedK3sContainer extends AbstractStartedContainer {
-  constructor(startedTestContainer: StartedTestContainer, private readonly kubeConfig: string) {
+  constructor(startedTestContainer: StartedTestContainer, private readonly rawKubeConfig: string) {
     super(startedTestContainer);
   }
 
   public getKubeConfig(): string {
     const serverUrl = `https://${this.getHost()}:${this.getMappedPort(KUBE_SECURE_PORT)}`;
-    return kubeConfigWithServerUrl(this.kubeConfig, serverUrl);
+    return kubeConfigWithServerUrl(this.rawKubeConfig, serverUrl);
+  }
+
+  public getAliasedKubeConfig(networkAlias: string) {
+    const serverUrl = `https://${networkAlias}:${KUBE_SECURE_PORT}`;
+    return kubeConfigWithServerUrl(this.rawKubeConfig, serverUrl);
   }
 }
 
@@ -73,6 +81,6 @@ async function extractFromTarStream(tarStream: NodeJS.ReadableStream, entryName:
   return extracted;
 }
 
-export function kubeConfigWithServerUrl(kubeConfig: string, server: string): string {
+function kubeConfigWithServerUrl(kubeConfig: string, server: string): string {
   return kubeConfig.replace(/server:\s?[:/.\d\w]+/, `server: ${server}`);
 }
