#!/usr/bin/env bash
# tests/phase-06-kubeconfig-gate/run-tests.sh -- offline regression for
# phase-06-kubeconfig-gate.sh. Fake ssh + kubectl; real bash.
# Key assertion: DOCFIX-062 -- the emitted kubeconfig server (tenant IP) is
# rewritten to the FIP before the gate runs.
# Strict mode: stop on unhandled errors, unset variables and failed pipeline
# stages; restrict word splitting to newline and tab.
set -euo pipefail
IFS=$'\n\t'

# All paths are derived from this file's own location, so the suite does not
# depend on the caller's working directory.
HERE="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
SCRIPTS="$(cd "$HERE/../../scripts" && pwd)"
TARGET="$SCRIPTS/phase-06-kubeconfig-gate.sh"
BIN="$HERE/fakebin" # fake ssh + kubectl, prepended to PATH for every run

if [ ! -f "$TARGET" ]; then
  echo "FAIL: $TARGET missing" >&2
  exit 1
fi

# Best effort: mark the fakes executable (presumably for checkouts that lost
# the exec bit); a failure here is deliberately ignored.
chmod +x "$BIN"/* 2>/dev/null || true

# Private scratch directory from mktemp (no predictable /tmp name). It is also
# handed to the script under test as HOME, and is removed on any exit path.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

rc_all=0        # set to 1 as soon as any case fails; becomes the exit status
FIP=10.12.7.222 # sample floating IP written to net.env as MGMT_FIP
# Write the env file that the runs pass as ENVFILE: one MGMT_FIP=<FIP> line.
# Globals: WORK, FIP (read). Overwrites $WORK/net.env.
mkenv() {
  local envfile="$WORK/net.env"
  printf 'MGMT_FIP=%s\n' "$FIP" >"$envfile"
}
# Empty placeholder that run passes to the target as SSH_KEY; ssh is faked in
# this suite, so no key material is involved.
# NOTE(review): presumably the target only needs this path to exist -- confirm.
: > "$WORK/id_key"
# run WANT_RC REGEX LABEL [NAME=VALUE...]
# Execute the script under test once against the fakes and print a verdict.
#   WANT_RC        exit status the target must return
#   REGEX          extended regex that must match the combined stdout+stderr
#   LABEL          text shown in the result line
#   NAME=VALUE...  extra environment for this run only; they are handed to
#                  env after the defaults below, so they override them
# Globals: BIN, WORK, TARGET (read); rc_all (set to 1 on failure).
# Output: one [OK]/[XX] line; on failure the captured output follows.
# NOTE(review): env is called without -i, so everything exported in the
# calling shell (e.g. KEYSTONE_HOSTPORT) still reaches the target unless a
# case overrides it -- run the suite from a clean environment.
run() { # want_rc regex label [extra env...]
  local expected_rc="$1" pattern="$2" title="$3"
  shift 3
  local status

  # Every case starts without a kubeconfig left over from the previous one.
  rm -f "$WORK/kc"

  # errexit is suspended so a non-zero exit can be inspected instead of
  # aborting the suite.
  set +e
  PATH="$BIN:$PATH" HOME="$WORK" ENVFILE="$WORK/net.env" SSH_KEY="$WORK/id_key" \
    KUBECONFIG_OUT="$WORK/kc" PROBE_TRIES=2 PROBE_SLEEP=0 \
    env "$@" bash "$TARGET" >"$WORK/out" 2>&1
  status=$?
  set -e

  # A case passes only when both the exit status and the message match.
  if [ "$status" -eq "$expected_rc" ] && grep -qE "$pattern" "$WORK/out"; then
    printf ' [OK] %-48s exit %s\n' "$title" "$status"
    return 0
  fi

  printf ' [XX] %-48s exit %s (want %s; /%s/)\n' "$title" "$status" "$expected_rc" "$pattern"
  sed 's/^/ /' "$WORK/out"
  rc_all=1
}
# Case table. Each line is: run WANT_RC REGEX LABEL [NAME=VALUE...].
# Exit-status convention pinned by the cases below: 0 = gate passed,
# 1 = a pull/rewrite/probe step failed, 2 = a precondition was not met.
# The order matters: net.env is written, truncated and restored in place.
echo "=== phase-06-kubeconfig-gate.sh ==="
mkenv
# Three successful runs, each pinning a different log line of the happy path.
run 0 'GATE 2 passed' "happy path (pull + rewrite + probe)"
# NOTE(review): the dots in this regex are unescaped, so they match any
# character; the assertion is slightly looser than the literal it names.
run 0 'Keystone public endpoint: 10.12.4.50:5000' "keystone = as-run literal default (no discovery)"
run 0 'server rewritten to https' "DOCFIX-062 rewrite message"
# NOTE(review): this case only checks that the gate still passes with the
# override set; it does not assert that the overridden host:port was used.
run 0 'GATE 2 passed' "KEYSTONE_HOSTPORT override" KEYSTONE_HOSTPORT=1.2.3.4:5000
# Failure injection. The NAME=VALUE knobs below are presumably read by the
# fake ssh/kubectl in fakebin -- confirm against those scripts.
run 1 'could not pull kubeconfig' "pull fail -> exit 1" PULL_FAIL=1
run 1 'is empty' "empty kubeconfig -> exit 1" PULL_EMPTY=1
run 1 'does not look like' "bad head -> exit 1" PULL_BADHEAD=1
# Guard for DOCFIX-062: the target must notice when the server rewrite had
# no effect instead of probing the un-rewritten address.
run 1 'did not take' "set-cluster no-op -> exit 1 (DOCFIX-062 guard)" SET_CLUSTER_NOOP=1
run 1 'node is not Ready' "node NotReady -> exit 1" NODE_NOTREADY=1
run 1 'probe pod Failed' "GATE 2 pod Failed -> exit 1" POD_PHASE=Failed
run 1 'did not reach Succeeded' "GATE 2 exitCode!=0 -> exit 1" POD_STATE='{"terminated":{"reason":"Error","exitCode":1}}'
run 1 'did not reach Succeeded' "GATE 2 Pending timeout -> exit 1" POD_PHASE=Pending
# Preconditions (exit 2): a missing env file, then an env file that exists
# but does not define MGMT_FIP.
run 2 'not found' "precondition: no ENVFILE -> exit 2" ENVFILE="$WORK/nope.env"
# Truncate net.env so MGMT_FIP is absent for the next case only.
: > "$WORK/net.env"
run 2 'MGMT_FIP unset' "precondition: MGMT_FIP unset -> exit 2"
# Restore the valid env file for the assertions that follow.
mkenv
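echo "=== assert DOCFIX-062: kubeconfig server rewritten tenant-IP -> FIP ==="
# Inspect the kubeconfig file itself rather than a log line: the server entry
# must point at the FIP, the tenant address must be gone, and the file must be
# mode 600 (a kubeconfig carries cluster credentials, so it must not be
# readable by group or others).
rm -f "$WORK/kc"
# The exit status is ignored on purpose (the file is what gets asserted), but
# the output is kept so a failure below can be diagnosed.
PATH="$BIN:$PATH" HOME="$WORK" ENVFILE="$WORK/net.env" SSH_KEY="$WORK/id_key" \
  KUBECONFIG_OUT="$WORK/kc" PROBE_TRIES=2 PROBE_SLEEP=0 \
  bash "$TARGET" >"$WORK/docfix.out" 2>&1 || true
if [ ! -f "$WORK/kc" ]; then
  # Without this branch the sed dump below would fail on the missing file and
  # errexit would abort the suite before the summary is printed.
  echo " [XX] server not rewritten to FIP (DOCFIX-062 regression)"
  echo " (no kubeconfig was written; output of the run follows)"
  sed 's/^/ /' "$WORK/docfix.out"
  rc_all=1
elif grep -qE "server:[[:space:]]*https://${FIP//./\\.}:6443" "$WORK/kc" \
  && ! grep -qF '10.20.0.207:6443' "$WORK/kc"; then
  # -F above: the tenant address is a literal, not a regex.
  # GNU stat first, BSD/macOS stat as fallback; '?' if neither form works.
  perm=$(stat -c '%a' "$WORK/kc" 2>/dev/null \
    || stat -f '%Lp' "$WORK/kc" 2>/dev/null \
    || echo '?')
  if [ "$perm" = 600 ]; then
    echo " [OK] server rewritten to FIP; tenant IP gone; mode 600"
  else
    echo " [XX] kubeconfig mode=$perm (want 600)"
    rc_all=1
  fi
else
  echo " [XX] server not rewritten to FIP (DOCFIX-062 regression)"
  # The dumped file is whatever the fake ssh produced.
  # NOTE(review): confirm the fixture holds no real credentials, since this
  # prints the whole kubeconfig into the test log.
  sed 's/^/ /' "$WORK/kc"
  rc_all=1
fi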
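echo "=== assert as-run fidelity: no dynamic Keystone discovery ==="
# Negative assertion: the output must not mention endpoint discovery. The run
# must also succeed, otherwise a target that died early would pass this check
# vacuously. Same environment as the happy-path case, which expects exit 0.
rm -f "$WORK/kc" # start from the same state as the other cases
fid_rc=0
PATH="$BIN:$PATH" HOME="$WORK" ENVFILE="$WORK/net.env" SSH_KEY="$WORK/id_key" \
  KUBECONFIG_OUT="$WORK/kc" PROBE_TRIES=2 PROBE_SLEEP=0 \
  bash "$TARGET" >"$WORK/fid" 2>&1 || fid_rc=$?
if [ "$fid_rc" -ne 0 ]; then
  echo " [XX] fidelity run exited $fid_rc; cannot assert absence of discovery"
  sed 's/^/ /' "$WORK/fid"
  rc_all=1
elif grep -qiE 'discovered|endpoint list' "$WORK/fid"; then
  echo " [XX] performed discovery; must use as-run literal"
  rc_all=1
else
  echo " [OK] no dynamic discovery (as-run literal 10.12.4.50:5000)"
fi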
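echo
# Summary. Written as if/else rather than `A && B || C`, where the last branch
# would also run if the first echo failed. The exit status is the accumulated
# verdict: 0 only when every case and assertion passed.
if [ "$rc_all" -eq 0 ]; then
  echo "ALL PASS"
else
  echo "SOME FAILED"
fi
exit "$rc_all"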