From 0ebce264f1f0cdae13b6fdf67c4c1d9d21e059d3 Mon Sep 17 00:00:00 2001
From: irbekrm
Date: Wed, 19 May 2021 16:35:30 +0100
Subject: [PATCH] Allow to optionally configure Vault intermediate PKI with root CA
Signed-off-by: irbekrm
---
 test/e2e/framework/addon/vault/setup.go | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/test/e2e/framework/addon/vault/setup.go b/test/e2e/framework/addon/vault/setup.go
index db0cac19c..5d7c6c5cb 100644
--- a/test/e2e/framework/addon/vault/setup.go
+++ b/test/e2e/framework/addon/vault/setup.go
@@ -39,8 +39,10 @@ type VaultInitializer struct {
 Details
- RootMount string
- IntermediateMount string
+ RootMount string
+ IntermediateMount string
+ // Whether the intermediate CA should be configured with root CA
+ ConfigureWithRoot bool
 Role string // AppRole auth Role
 AppRoleAuthPath string // AppRole auth mount point in Vault
 KubernetesAuthPath string // Kubernetes auth mount point in Vault
@@ -188,8 +190,12 @@ func (v *VaultInitializer) Setup() error {
 }
 // Set the engine at v.IntermediateMount as an intermediateCA using the cert
- // issued by v.RootMount, above.
- if err := v.importSignIntermediate(intermediateCa, rootCa, v.IntermediateMount); err != nil {
+ // issued by v.RootMount, above and optionally the root CA cert.
+ caChain := intermediateCa
+ if v.ConfigureWithRoot {
+ caChain = fmt.Sprintf("%s\n%s", intermediateCa, rootCa)
+ }
+ if err := v.importSignIntermediate(caChain, v.IntermediateMount); err != nil {
 return err
 }
@@ -339,9 +345,9 @@ func (v *VaultInitializer) signCertificate(csr string) (string, error) {
 return cert, nil
 }
-func (v *VaultInitializer) importSignIntermediate(intermediateCa, rootCa, intermediateMount string) error {
+func (v *VaultInitializer) importSignIntermediate(caChain, intermediateMount string) error {
 params := map[string]string{
- "certificate": intermediateCa,
+ "certificate": caChain,
 }
 url := path.Join("/v1", intermediateMount, "intermediate", "set-signed")
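Review bot: The comment on `ConfigureWithRoot` in the struct hunk does not say what "configured with root CA" changes in practice. Going by the Setup hunk, the flag decides whether the PEM imported into the intermediate mount is the intermediate certificate alone or the intermediate followed by the root, and the zero value keeps the previous behaviour. I would state that on the field, e.g. `// ConfigureWithRoot appends the root CA certificate to the signed intermediate when it is imported into IntermediateMount; false imports the intermediate alone.` The struct starts and ends outside this hunk.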
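Review bot: The order of the two PEM blocks built into `caChain` in the Setup hunk is load-bearing, yet neither this hunk nor the `importSignIntermediate` hunk documents it. Vault's `intermediate/set-signed` endpoint takes the signed intermediate first, with further CA certificates appended after it to populate the chain. A comment above the Sprintf such as `// Order matters: signed intermediate first, then its issuer (the root).` and a doc comment on `importSignIntermediate` saying that `caChain` is a PEM bundle whose first certificate is the signed intermediate would keep a later edit from swapping them. The join also assumes `rootCa` is non-empty PEM; that presumably follows from code above the hunk, which is not visible here, as both function bodies extend outside their hunks.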