Refactor WaitCertificateValidTLS and run kubectl describe on test failure

Signed-off-by: James Munnelly <james@munnelly.eu>
This commit is contained in:
James Munnelly 2019-01-24 15:43:18 +00:00
parent 2cfd7cf82b
commit 31eeb5fe2a
18 changed files with 521 additions and 378 deletions


@ -28,6 +28,7 @@ import (
type Config struct {
KubeConfig string
KubeContext string
Kubectl string
// If Cleanup is true, addons will be cleaned up both before and after provisioning
Cleanup bool
@ -64,6 +65,7 @@ func (c *Config) AddFlags(fs *flag.FlagSet) {
// Kubernetes API server config
fs.StringVar(&c.KubeConfig, "kubernetes-config", os.Getenv(clientcmd.RecommendedConfigPathEnvVar), "Path to config containing embedded authinfo for kubernetes. Default value is from environment variable "+clientcmd.RecommendedConfigPathEnvVar)
fs.StringVar(&c.KubeContext, "kubernetes-context", "", "config context to use for kuberentes. If unset, will use value from 'current-context'")
fs.StringVar(&c.Kubectl, "kubectl-path", "kubectl", "path to the kubectl binary to use during e2e tests.")
fs.BoolVar(&c.Cleanup, "cleanup", true, "If true, addons will be cleaned up both before and after provisioning")
// TODO: get rid of this variable by bundling required files as part of test suite


@ -67,6 +67,7 @@ type Framework struct {
cleanupHandle CleanupActionHandle
requiredAddons []addon.Addon
helper *helper.Helper
}
// NewDefaultFramework makes a new framework for you, similar to NewFramework.
@ -85,6 +86,7 @@ func NewFramework(baseName string, cfg *config.Config) *Framework {
BaseName: baseName,
}
f.helper = helper.NewHelper(cfg)
BeforeEach(f.BeforeEach)
AfterEach(f.AfterEach)
@ -120,6 +122,9 @@ func (f *Framework) BeforeEach() {
By("Building a ResourceQuota api object")
_, err = f.CreateKubeResourceQuota()
Expect(err).NotTo(HaveOccurred())
f.helper.CMClient = f.CertManagerClientSet
f.helper.KubeClient = f.KubeClientSet
}
// AfterEach deletes the namespace, after reading its events.
@ -196,9 +201,7 @@ func (f *Framework) RequireAddon(a addon.Addon) {
}
func (f *Framework) Helper() *helper.Helper {
return &helper.Helper{
KubeClient: f.KubeClientSet,
}
return f.helper
}
func (f *Framework) CertificateDurationValid(c *v1alpha1.Certificate, duration time.Duration) {
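Review bot: Helper now hands back the shared f.helper, whose CMClient and KubeClient are assigned only at the end of BeforeEach (after the namespace and ResourceQuota steps), so a Helper obtained at Describe time — as the suites do with `h := f.Helper()` — carries nil clients until BeforeEach completes, and calling its Wait* methods before then would dereference nil. Nothing on the method says this; a doc comment such as `// Helper returns the shared test helper. Its KubeClient and CMClient are populated in BeforeEach and are nil before that.` would make the lifecycle explicit. The BeforeEach body that performs the assignment starts outside the hunk.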


@ -3,13 +3,20 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library")
go_library(
name = "go_default_library",
srcs = [
"certificates.go",
"helper.go",
"kubectl.go",
"pod_start.go",
],
importpath = "github.com/jetstack/cert-manager/test/e2e/framework/helper",
tags = ["manual"],
visibility = ["//visibility:public"],
deps = [
"//pkg/apis/certmanager/v1alpha1:go_default_library",
"//pkg/client/clientset/versioned:go_default_library",
"//pkg/util:go_default_library",
"//pkg/util/pki:go_default_library",
"//test/e2e/framework/config:go_default_library",
"//test/e2e/framework/log:go_default_library",
"//vendor/github.com/onsi/ginkgo:go_default_library",
"//vendor/k8s.io/api/core/v1:go_default_library",


@ -0,0 +1,182 @@
/*
Copyright 2019 The Jetstack cert-manager contributors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package helper
import (
"crypto/ecdsa"
"crypto/rsa"
"crypto/x509"
"fmt"
"time"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/wait"
"github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
"github.com/jetstack/cert-manager/pkg/util"
"github.com/jetstack/cert-manager/pkg/util/pki"
"github.com/jetstack/cert-manager/test/e2e/framework/log"
)
// WaitForCertificateReady waits for the certificate resource to enter a Ready
// state.
func (h *Helper) WaitForCertificateReady(ns, name string, timeout time.Duration) (*v1alpha1.Certificate, error) {
var certificate *v1alpha1.Certificate
err := wait.PollImmediate(time.Second, timeout,
func() (bool, error) {
var err error
log.Logf("Waiting for Certificate %v to be ready", name)
certificate, err = h.CMClient.CertmanagerV1alpha1().Certificates(ns).Get(name, metav1.GetOptions{})
if err != nil {
return false, fmt.Errorf("error getting Certificate %v: %v", name, err)
}
isReady := certificate.HasCondition(v1alpha1.CertificateCondition{
Type: v1alpha1.CertificateConditionReady,
Status: v1alpha1.ConditionTrue,
})
if !isReady {
log.Logf("Expected Certificate to have Ready condition 'true' but it has: %v", certificate.Status.Conditions)
return false, nil
}
return true, nil
},
)
if err != nil {
return nil, err
}
return certificate, nil
}
// ValidateIssuedCertificate will ensure that the given Certificate has a
// certificate issued for it, and that the details on the x509 certificate are
// correct as defined by the Certificate's spec.
func (h *Helper) ValidateIssuedCertificate(certificate *v1alpha1.Certificate, rootCAPEM []byte) (*x509.Certificate, error) {
log.Logf("Getting the TLS certificate Secret resource")
secret, err := h.KubeClient.CoreV1().Secrets(certificate.Namespace).Get(certificate.Spec.SecretName, metav1.GetOptions{})
if err != nil {
return nil, err
}
if !(len(secret.Data) == 2 || len(secret.Data) == 3) {
return nil, fmt.Errorf("Expected 2 keys in certificate secret, but there was %d", len(secret.Data))
}
keyBytes, ok := secret.Data[corev1.TLSPrivateKeyKey]
if !ok {
return nil, fmt.Errorf("No private key data found for Certificate %q (secret %q)", certificate.Name, certificate.Spec.SecretName)
}
key, err := pki.DecodePrivateKeyBytes(keyBytes)
if err != nil {
return nil, err
}
// validate private key is of the correct type (rsa or ecdsa)
switch certificate.Spec.KeyAlgorithm {
case v1alpha1.KeyAlgorithm(""),
v1alpha1.RSAKeyAlgorithm:
_, ok := key.(*rsa.PrivateKey)
if !ok {
return nil, fmt.Errorf("Expected private key of type RSA, but it was: %T", key)
}
case v1alpha1.ECDSAKeyAlgorithm:
_, ok := key.(*ecdsa.PrivateKey)
if !ok {
return nil, fmt.Errorf("Expected private key of type ECDSA, but it was: %T", key)
}
default:
return nil, fmt.Errorf("unrecognised requested private key algorithm %q", certificate.Spec.KeyAlgorithm)
}
// TODO: validate private key KeySize
// check the provided certificate is valid
expectedCN := pki.CommonNameForCertificate(certificate)
expectedOrganization := pki.OrganizationForCertificate(certificate)
expectedDNSNames := pki.DNSNamesForCertificate(certificate)
certBytes, ok := secret.Data[corev1.TLSCertKey]
if !ok {
return nil, fmt.Errorf("No certificate data found for Certificate %q (secret %q)", certificate.Name, certificate.Spec.SecretName)
}
cert, err := pki.DecodeX509CertificateBytes(certBytes)
if err != nil {
return nil, err
}
if expectedCN != cert.Subject.CommonName || !util.EqualUnsorted(cert.DNSNames, expectedDNSNames) || !(len(cert.Subject.Organization) == 0 || util.EqualUnsorted(cert.Subject.Organization, expectedOrganization)) {
return nil, fmt.Errorf("Expected certificate valid for CN %q, O %v, dnsNames %v but got a certificate valid for CN %q, O %v, dnsNames %v", expectedCN, expectedOrganization, expectedDNSNames, cert.Subject.CommonName, cert.Subject.Organization, cert.DNSNames)
}
if certificate.Status.NotAfter == nil {
return nil, fmt.Errorf("No certificate expiration found for Certificate %q", certificate.Name)
}
if !cert.NotAfter.Equal(certificate.Status.NotAfter.Time) {
return nil, fmt.Errorf("Expected certificate expiry date to be %v, but got %v", certificate.Status.NotAfter, cert.NotAfter)
}
label, ok := secret.Labels[v1alpha1.CertificateNameKey]
if !ok {
return nil, fmt.Errorf("Expected secret to have certificate-name label, but had none")
}
if label != certificate.Name {
return nil, fmt.Errorf("Expected secret to have certificate-name label with a value of %q, but got %q", certificate.Name, label)
}
// TODO: move this verification step out of this function
if rootCAPEM != nil {
rootCertPool := x509.NewCertPool()
rootCertPool.AppendCertsFromPEM(rootCAPEM)
intermediateCertPool := x509.NewCertPool()
intermediateCertPool.AppendCertsFromPEM(certBytes)
opts := x509.VerifyOptions{
DNSName: expectedDNSNames[0],
Intermediates: intermediateCertPool,
Roots: rootCertPool,
}
if _, err := cert.Verify(opts); err != nil {
return nil, err
}
}
return cert, nil
}
func (h *Helper) WaitCertificateIssuedValid(ns, name string, timeout time.Duration) error {
return h.WaitCertificateIssuedValidTLS(ns, name, timeout, nil)
}
func (h *Helper) WaitCertificateIssuedValidTLS(ns, name string, timeout time.Duration, rootCAPEM []byte) error {
certificate, err := h.WaitForCertificateReady(ns, name, timeout)
if err != nil {
log.Logf("Error waiting for Certificate to become Ready: %v", err)
h.Kubectl(ns).DescribeResource("certificate", name)
return err
}
_, err = h.ValidateIssuedCertificate(certificate, rootCAPEM)
if err != nil {
log.Logf("Error validating issued certificate: %v", err)
h.Kubectl(ns).DescribeResource("certificate", name)
return err
}
return nil
}
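Review bot: In ValidateIssuedCertificate the rootCAPEM branch discards the boolean from `rootCertPool.AppendCertsFromPEM(rootCAPEM)`, so a malformed or empty root PEM leaves the pool empty and the failure only surfaces as a generic chain error from cert.Verify; it also indexes `expectedDNSNames[0]` unguarded, which panics if pki.DNSNamesForCertificate returns an empty slice (whether that helper guarantees a non-empty result is not visible here). Both should be checked before VerifyOptions is built. Separately, the secret key-count error still says "Expected 2 keys" while the condition accepts 2 or 3, and the two `h.Kubectl(ns).DescribeResource("certificate", name)` calls in WaitCertificateIssuedValidTLS drop their error, so a missing or failing kubectl binary produces no diagnostic at all — `if err := h.Kubectl(ns).DescribeResource("certificate", name); err != nil { log.Logf("Error running kubectl describe: %v", err) }` would surface it.
```go
	// TODO: move this verification step out of this function
	if rootCAPEM != nil {
		rootCertPool := x509.NewCertPool()
		if !rootCertPool.AppendCertsFromPEM(rootCAPEM) {
			return nil, fmt.Errorf("no valid CA certificates found in root CA PEM supplied for Certificate %q", certificate.Name)
		}
		if len(expectedDNSNames) == 0 {
			return nil, fmt.Errorf("no DNS names to verify against for Certificate %q", certificate.Name)
		}
		// … unchanged: intermediate pool, VerifyOptions and cert.Verify …
	}
```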


@ -16,9 +16,23 @@ limitations under the License.
package helper
import "k8s.io/client-go/kubernetes"
import (
"k8s.io/client-go/kubernetes"
cmclient "github.com/jetstack/cert-manager/pkg/client/clientset/versioned"
"github.com/jetstack/cert-manager/test/e2e/framework/config"
)
// Helper provides methods for common operations needed during tests.
type Helper struct {
cfg *config.Config
KubeClient kubernetes.Interface
CMClient cmclient.Interface
}
func NewHelper(cfg *config.Config) *Helper {
return &Helper{
cfg: cfg,
}
}
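Review bot: NewHelper returns a Helper with only cfg set, leaving KubeClient and CMClient nil; the framework assigns them later, but nothing on the type or constructor says so, and Helper methods that touch those fields will panic if called on a Helper built any other way. Add a doc comment such as `// NewHelper returns a Helper bound to cfg. KubeClient and CMClient are nil until the caller assigns them; the e2e Framework does so in BeforeEach.` and a short comment on each exported field naming what it is used for.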


@ -0,0 +1,63 @@
/*
Copyright 2019 The Jetstack cert-manager contributors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package helper
import (
"os/exec"
"strings"
"github.com/jetstack/cert-manager/test/e2e/framework/log"
)
type Kubectl struct {
namespace string
kubectl string
kubeconfig string
kubecontext string
}
func (k *Kubectl) Describe(resources ...string) error {
resourceNames := strings.Join(resources, ",")
return k.Run("describe", resourceNames)
}
func (k *Kubectl) DescribeResource(resource, name string) error {
return k.Run("describe", resource, name)
}
func (h *Helper) Kubectl(ns string) *Kubectl {
return &Kubectl{
namespace: ns,
kubectl: h.cfg.Kubectl,
kubeconfig: h.cfg.KubeConfig,
kubecontext: h.cfg.KubeContext,
}
}
func (k *Kubectl) Run(args ...string) error {
baseArgs := []string{"--kubeconfig", k.kubeconfig, "--context", k.kubecontext}
if k.namespace == "" {
baseArgs = append(baseArgs, "--all-namespaces")
} else {
baseArgs = []string{"--namespace", k.namespace}
}
args = append(baseArgs, args...)
cmd := exec.Command(k.kubectl, args...)
cmd.Stdout = log.Writer
cmd.Stderr = log.Writer
return cmd.Run()
}
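Review bot: In Run the non-empty-namespace branch assigns `baseArgs = []string{"--namespace", k.namespace}`, which throws away the `--kubeconfig` and `--context` arguments built on the line above, so every namespaced describe runs against whatever cluster the ambient kubeconfig resolves to rather than the configured one; only the `--all-namespaces` branch keeps them. The fix is `baseArgs = append(baseArgs, "--namespace", k.namespace)`. When k.kubeconfig or k.kubecontext is empty the command still receives `--kubeconfig ""` and `--context ""`; whether kubectl treats those as unset is not visible here, so consider appending each flag only when its value is non-empty. Kubectl, Describe, DescribeResource and Run are exported without doc comments.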


@ -49,6 +49,7 @@ var _ = framework.CertManagerDescribe("ACME Certificate (DNS01)", func() {
func testDNSProvider(name string, p dns01Provider) bool {
return Context("With "+name+" credentials configured", func() {
f := framework.NewDefaultFramework("create-acme-certificate-dns01-" + name)
h := f.Helper()
BeforeEach(func() {
p.SetNamespace(f.Namespace.Name)
@ -119,7 +120,6 @@ func testDNSProvider(name string, p dns01Provider) bool {
By("Creating a Certificate")
certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
cert := generate.Certificate(generate.CertificateConfig{
Name: certificateName,
@ -135,16 +135,13 @@ func testDNSProvider(name string, p dns01Provider) bool {
})
cert, err := certClient.Create(cert)
Expect(err).NotTo(HaveOccurred())
err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5)
err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5)
Expect(err).NotTo(HaveOccurred())
})
It("should obtain a signed certificate for a wildcard domain", func() {
By("Creating a Certificate")
certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
cert := generate.Certificate(generate.CertificateConfig{
Name: certificateName,
Namespace: f.Namespace.Name,
@ -159,16 +156,13 @@ func testDNSProvider(name string, p dns01Provider) bool {
})
cert, err := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name).Create(cert)
Expect(err).NotTo(HaveOccurred())
err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5)
err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5)
Expect(err).NotTo(HaveOccurred())
})
It("should obtain a signed certificate for a wildcard and apex domain", func() {
By("Creating a Certificate")
certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
cert := generate.Certificate(generate.CertificateConfig{
Name: certificateName,
Namespace: f.Namespace.Name,
@ -184,7 +178,7 @@ func testDNSProvider(name string, p dns01Provider) bool {
cert, err := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name).Create(cert)
Expect(err).NotTo(HaveOccurred())
// use a longer timeout for this, as it requires performing 2 dns validations in serial
err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*10)
err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*10)
Expect(err).NotTo(HaveOccurred())
})
})


@ -40,6 +40,7 @@ const foreverTestTimeout = time.Second * 60
var _ = framework.CertManagerDescribe("ACME Certificate (HTTP01)", func() {
f := framework.NewDefaultFramework("create-acme-certificate-http01")
h := f.Helper()
var (
tiller = &tiller.Tiller{
@ -113,50 +114,46 @@ var _ = framework.CertManagerDescribe("ACME Certificate (HTTP01)", func() {
It("should obtain a signed certificate with a single CN from the ACME server", func() {
certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
By("Creating a Certificate")
_, err := certClient.Create(util.NewCertManagerACMECertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil, acmeIngressClass, acmeIngressDomain))
Expect(err).NotTo(HaveOccurred())
By("Verifying the Certificate is valid")
err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5)
err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5)
Expect(err).NotTo(HaveOccurred())
})
It("should obtain a signed certificate for a long domain using http01 validation", func() {
certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
// the maximum length of a single segment of the domain being requested
const maxLengthOfDomainSegment = 63
By("Creating a Certificate")
_, err := certClient.Create(util.NewCertManagerACMECertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil, acmeIngressClass, fmt.Sprintf("%s.%s", cmutil.RandStringRunes(maxLengthOfDomainSegment), acmeIngressDomain)))
Expect(err).NotTo(HaveOccurred())
err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5)
err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5)
Expect(err).NotTo(HaveOccurred())
})
It("should obtain a signed certificate with a CN and single subdomain as dns name from the ACME server", func() {
certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
By("Creating a Certificate")
_, err := certClient.Create(util.NewCertManagerACMECertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil, acmeIngressClass, acmeIngressDomain, fmt.Sprintf("%s.%s", cmutil.RandStringRunes(5), acmeIngressDomain)))
Expect(err).NotTo(HaveOccurred())
By("Verifying the Certificate is valid")
err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5)
err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5)
Expect(err).NotTo(HaveOccurred())
})
It("should allow updating an existing certificate with a new dns name", func() {
certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
By("Creating a Certificate")
cert, err := certClient.Create(util.NewCertManagerACMECertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil, acmeIngressClass, acmeIngressDomain, fmt.Sprintf("%s.%s", cmutil.RandStringRunes(5), acmeIngressDomain)))
Expect(err).NotTo(HaveOccurred())
By("Verifying the Certificate is valid")
err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5)
err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5)
Expect(err).NotTo(HaveOccurred())
By("Getting the latest version of the Certificate")
@ -172,7 +169,7 @@ var _ = framework.CertManagerDescribe("ACME Certificate (HTTP01)", func() {
cert, err = certClient.Update(cert)
Expect(err).NotTo(HaveOccurred())
err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5)
err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5)
Expect(err).NotTo(HaveOccurred())
})
@ -204,7 +201,6 @@ var _ = framework.CertManagerDescribe("ACME Certificate (HTTP01)", func() {
It("should obtain a signed certificate with a single CN from the ACME server when putting an annotation on an ingress resource", func() {
ingClient := f.KubeClientSet.ExtensionsV1beta1().Ingresses(f.Namespace.Name)
certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
By("Creating an Ingress with the issuer name annotation set")
_, err := ingClient.Create(util.NewIngress(certificateSecretName, certificateSecretName, map[string]string{
@ -218,7 +214,7 @@ var _ = framework.CertManagerDescribe("ACME Certificate (HTTP01)", func() {
Expect(err).NotTo(HaveOccurred())
By("Verifying the Certificate is valid")
err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5)
err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5)
Expect(err).NotTo(HaveOccurred())
})
})


@ -5,6 +5,7 @@ go_library(
srcs = [
"certificate.go",
"clusterissuer.go",
"fixtures.go",
"issuer.go",
],
importpath = "github.com/jetstack/cert-manager/test/e2e/suite/issuers/ca",
@ -18,6 +19,7 @@ go_library(
"//test/e2e/util:go_default_library",
"//vendor/github.com/onsi/ginkgo:go_default_library",
"//vendor/github.com/onsi/gomega:go_default_library",
"//vendor/k8s.io/api/core/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
],
)


@ -30,6 +30,7 @@ import (
var _ = framework.CertManagerDescribe("CA Certificate", func() {
f := framework.NewDefaultFramework("create-ca-certificate")
h := f.Helper()
issuerName := "test-ca-issuer"
issuerSecretName := "ca-issuer-signing-keypair"
@ -59,25 +60,23 @@ var _ = framework.CertManagerDescribe("CA Certificate", func() {
Context("when the CA is the root", func() {
BeforeEach(func() {
By("Creating a signing keypair fixture")
_, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(util.NewSigningKeypairSecret(issuerSecretName))
_, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(newSigningKeypairSecret(issuerSecretName))
Expect(err).NotTo(HaveOccurred())
})
It("should generate a signed keypair", func() {
certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
By("Creating a Certificate")
_, err := certClient.Create(util.NewCertManagerBasicCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil))
Expect(err).NotTo(HaveOccurred())
By("Verifying the Certificate is valid")
err = util.WaitCertificateIssuedValidTLS(certClient, secretClient, certificateName, time.Second*30, true)
err = h.WaitCertificateIssuedValidTLS(f.Namespace.Name, certificateName, time.Second*30, []byte(rootCert))
Expect(err).NotTo(HaveOccurred())
})
It("should be able to obtain an ECDSA key from a RSA backed issuer", func() {
certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
crt := util.NewCertManagerBasicCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil)
crt.Spec.KeyAlgorithm = v1alpha1.ECDSAKeyAlgorithm
@ -88,7 +87,7 @@ var _ = framework.CertManagerDescribe("CA Certificate", func() {
Expect(err).NotTo(HaveOccurred())
By("Verifying the Certificate is valid")
err = util.WaitCertificateIssuedValidTLS(certClient, secretClient, certificateName, time.Second*30, true)
err = h.WaitCertificateIssuedValidTLS(f.Namespace.Name, certificateName, time.Second*30, []byte(rootCert))
Expect(err).NotTo(HaveOccurred())
})
@ -115,13 +114,12 @@ var _ = framework.CertManagerDescribe("CA Certificate", func() {
v := v
It("should generate a signed keypair valid for "+v.label, func() {
certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
By("Creating a Certificate")
cert, err := certClient.Create(util.NewCertManagerBasicCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, v.inputDuration, v.inputRenewBefore))
Expect(err).NotTo(HaveOccurred())
By("Verifying the Certificate is valid")
err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Second*30)
err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Second*30)
Expect(err).NotTo(HaveOccurred())
f.CertificateDurationValid(cert, v.expectedDuration)
})
@ -131,19 +129,18 @@ var _ = framework.CertManagerDescribe("CA Certificate", func() {
Context("when the CA is an issuer", func() {
BeforeEach(func() {
By("Creating a signing keypair fixture")
_, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(util.NewSigningIssuer1KeypairSecret(issuerSecretName))
_, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(newSigningIssuer1KeypairSecret(issuerSecretName))
Expect(err).NotTo(HaveOccurred())
})
It("should generate a signed keypair", func() {
certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
By("Creating a Certificate")
_, err := certClient.Create(util.NewCertManagerBasicCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil))
Expect(err).NotTo(HaveOccurred())
By("Verifying the Certificate is valid")
err = util.WaitCertificateIssuedValidTLS(certClient, secretClient, certificateName, time.Second*30, true)
err = h.WaitCertificateIssuedValidTLS(f.Namespace.Name, certificateName, time.Second*30, []byte(rootCert))
Expect(err).NotTo(HaveOccurred())
})
})
@ -151,19 +148,18 @@ var _ = framework.CertManagerDescribe("CA Certificate", func() {
Context("when the CA is a second level issuer", func() {
BeforeEach(func() {
By("Creating a signing keypair fixture")
_, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(util.NewSigningIssuer2KeypairSecret(issuerSecretName))
_, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(newSigningIssuer2KeypairSecret(issuerSecretName))
Expect(err).NotTo(HaveOccurred())
})
It("should generate a signed keypair", func() {
certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
By("Creating a Certificate")
_, err := certClient.Create(util.NewCertManagerBasicCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil))
Expect(err).NotTo(HaveOccurred())
By("Verifying the Certificate is valid")
err = util.WaitCertificateIssuedValidTLS(certClient, secretClient, certificateName, time.Second*30, true)
err = h.WaitCertificateIssuedValidTLS(f.Namespace.Name, certificateName, time.Second*30, []byte(rootCert))
Expect(err).NotTo(HaveOccurred())
})
})


@ -42,7 +42,7 @@ var _ = framework.CertManagerDescribe("CA ClusterIssuer", func() {
BeforeEach(func() {
By("Creating a signing keypair fixture")
_, err := f.KubeClientSet.CoreV1().Secrets(clusterResourceNamespace).Create(util.NewSigningKeypairSecret(secretName))
_, err := f.KubeClientSet.CoreV1().Secrets(clusterResourceNamespace).Create(newSigningKeypairSecret(secretName))
Expect(err).NotTo(HaveOccurred())
})


@ -0,0 +1,214 @@
/*
Copyright 2019 The Jetstack cert-manager contributors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package ca
import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const rootCert = `-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----`
const rootKey = `-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----`
func newSigningKeypairSecret(name string) *corev1.Secret {
return &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
},
StringData: map[string]string{
corev1.TLSCertKey: rootCert,
corev1.TLSPrivateKeyKey: rootKey,
},
}
}
const issuer1Cert = `-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
`
const issuer1Key = `-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----`
func newSigningIssuer1KeypairSecret(name string) *corev1.Secret {
return &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
},
StringData: map[string]string{
corev1.TLSCertKey: issuer1Cert + rootCert,
corev1.TLSPrivateKeyKey: issuer1Key,
},
}
}
const issuer2Cert = `-----BEGIN CERTIFICATE-----
MIIDqjCCApKgAwIBAgIUHqm61uyYt2ICGRcZnBSjYaPonuowDQYJKoZIhvcNAQEL
BQAwVzELMAkGA1UEBhMCVUsxCzAJBgNVBAgTAk5BMRUwEwYDVQQKEwxjZXJ0LW1h
bmFnZXIxJDAiBgNVBAMTG2NlcnQtbWFuYWdlciB0ZXN0aW5nIElzc3VlcjAeFw0x
ODExMTUwMDA0MDBaFw0yMzExMTQwMDA0MDBaMF8xCzAJBgNVBAYTAlVLMQswCQYD
VQQIEwJOQTEVMBMGA1UEChMMY2VydC1tYW5hZ2VyMSwwKgYDVQQDEyNjZXJ0LW1h
bmFnZXIgdGVzdGluZyBJc3N1ZXIgTGV2ZWwgMjCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAMRm1cYCcHmA7UtF3vISLiob5eh234njNp33nkFWjDsE9Zgi
CIxVb9FBd+rkKn0xkPMke79lmr1kVkmjpAZ0Y0w/IDSEX8JMJvtyuAoS79r0W+rn
dEG5GzJGLswOK0gsvGyl4i8E9a5itUkRa01OETFIiay0iwNMUYnIflm8G/Uu2Jhr
/HSyWND+KLzX5gMDsiv4HdtCsNHstdMwBr4dkiCzpi+N/b2KTggmY84KeVQVpmRc
IVoVr06uc3YTa2mlqrw3qX16d5r9DLYrrq1UT3HXB0PJvvsIjJN8eqKk33Mcbinj
VR1Ywg9QYaJHpBPPxLL0AzNG29SebRLtGvKexoUCAwEAAaNmMGQwDgYDVR0PAQH/
BAQDAgGmMBIGA1UdEwEB/wQIMAYBAf8CAQMwHQYDVR0OBBYEFHp3C+Se1LZMcQ0B
0iycJLvwqo9lMB8GA1UdIwQYMBaAFESJnTHvnJn8qIOb/JD+nw4o0yxnMA0GCSqG
SIb3DQEBCwUAA4IBAQA/lnvr+GnMJDA+Z7MEMRAcqdIScO38LVQNO340jFMcMkmW
YTnyNoEvI4fnCon9Oz2FsFcZp90Gniu01lDLyzR+1SsfFf6zwqGVUV29hidR6BvD
VGLM6SMnbgXUd+RPvAIrHU3BuSF2sRPiw7YqzgNVZQ2dUF+Q+R+Onu5i47CwVFOd
6Dd7xr5+ECaHGyuIH/RsXLvB+2reJ5dEl3oBxiyyzY1oOkt6y4HrB8n90JWPmXIf
9oQ8T+p3PbsFkz667nbVnVCkdAKtU/ZX09S1jGVKsOKszA1qhxFcMy+wkkyHq4Jj
v+q/VgVxL5HzEw4zyKS9Y2lcwhCicMrLKIGt91fQ
-----END CERTIFICATE-----
`
const issuer2Key = `-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----`
func newSigningIssuer2KeypairSecret(name string) *corev1.Secret {
return &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
},
StringData: map[string]string{
corev1.TLSCertKey: issuer2Cert + issuer1Cert + rootCert,
corev1.TLSPrivateKeyKey: issuer2Key,
},
}
}
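Review bot: The fixture constants are undocumented and the embedded certificates have a fixed validity window (the visible issuer2Cert encoding appears to carry a notAfter in late 2023), so these suites will start failing once the chain expires with nothing in the file pointing at the cause. Add a file-level comment stating that these are throwaway test-only keypairs, the chain relationship (issuer2 signed by issuer1 signed by root, as the concatenation order in newSigningIssuer2KeypairSecret suggests), the validity period, and how to regenerate them; a one-line comment on each newSigning*KeypairSecret saying which tier of the chain it represents would also help.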


@ -33,7 +33,7 @@ var _ = framework.CertManagerDescribe("CA Issuer", func() {
BeforeEach(func() {
By("Creating a signing keypair fixture")
_, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(util.NewSigningKeypairSecret(secretName))
_, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(newSigningKeypairSecret(secretName))
Expect(err).NotTo(HaveOccurred())
})


@ -31,6 +31,7 @@ import (
var _ = framework.CertManagerDescribe("Self Signed Certificate", func() {
f := framework.NewDefaultFramework("create-selfsigned-certificate")
h := f.Helper()
issuerName := "test-selfsigned-issuer"
certificateName := "test-selfsigned-certificate"
@ -40,7 +41,6 @@ var _ = framework.CertManagerDescribe("Self Signed Certificate", func() {
By("Creating an Issuer")
certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
_, err := f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name).Create(util.NewCertManagerSelfSignedIssuer(issuerName))
Expect(err).NotTo(HaveOccurred())
@ -55,7 +55,7 @@ var _ = framework.CertManagerDescribe("Self Signed Certificate", func() {
By("Creating a Certificate")
_, err = certClient.Create(util.NewCertManagerBasicCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil))
Expect(err).NotTo(HaveOccurred())
err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5)
err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5)
Expect(err).NotTo(HaveOccurred())
})
@ -82,7 +82,6 @@ var _ = framework.CertManagerDescribe("Self Signed Certificate", func() {
v := v
It("should generate a signed keypair valid for "+v.label, func() {
certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
By("Creating an Issuer")
issuerDurationName := fmt.Sprintf("%s-%d", issuerName, v.expectedDuration)
@ -100,7 +99,7 @@ var _ = framework.CertManagerDescribe("Self Signed Certificate", func() {
By("Creating a Certificate")
cert, err := certClient.Create(util.NewCertManagerBasicCertificate(certificateName, certificateSecretName, issuerDurationName, v1alpha1.IssuerKind, v.inputDuration, v.inputRenewBefore))
Expect(err).NotTo(HaveOccurred())
err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Second*30)
err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Second*30)
Expect(err).NotTo(HaveOccurred())
f.CertificateDurationValid(cert, v.expectedDuration)
})


@ -33,6 +33,7 @@ import (
var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() {
f := framework.NewDefaultFramework("create-vault-certificate")
h := f.Helper()
var (
tiller = &tiller.Tiller{
@ -96,7 +97,6 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() {
vaultURL := vault.Details().Host
certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
_, err := f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
@ -115,7 +115,7 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() {
_, err = certClient.Create(util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil))
Expect(err).NotTo(HaveOccurred())
err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5)
err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5)
Expect(err).NotTo(HaveOccurred())
})
@ -157,9 +157,6 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() {
v := v
It("should generate a new certificate "+v.label, func() {
By("Creating an Issuer")
certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
_, err := f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vault.Details().Host, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
Expect(err).NotTo(HaveOccurred())
@ -176,7 +173,7 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() {
cert, err := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name).Create(util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, v.inputDuration, v.inputRenewBefore))
Expect(err).NotTo(HaveOccurred())
err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5)
err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5)
Expect(err).NotTo(HaveOccurred())
// Vault substract 30 seconds to the NotBefore date.
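Review bot: `h := f.Helper()` on the new line at the top of the Describe block is evaluated before any BeforeEach runs, and the framework appears to populate the helper's CMClient/KubeClient only inside BeforeEach, so the new `h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5)` calls in the later hunks rely on `Helper()` handing back the framework-owned pointer rather than a copy; if it ever returned a value, the clients would be nil when the wait runs. A short doc comment on `Helper()` such as `// Helper returns the framework's shared *Helper; its clients are populated in BeforeEach, so call its methods only from BeforeEach/It bodies.` would pin that contract. The "AppRole with a custom mount path" section below introduces the same `h := f.Helper()` line and the same reliance. The It bodies that call the helper open before these hunks, outside the visible lines.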


@ -32,6 +32,7 @@ import (
var _ = framework.CertManagerDescribe("Vault Certificate (AppRole with a custom mount path)", func() {
f := framework.NewDefaultFramework("create-vault-certificate")
h := f.Helper()
var (
tiller = &tiller.Tiller{
@ -96,7 +97,6 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole with a custom
vaultURL := vault.Details().Host
certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
_, err := f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
Expect(err).NotTo(HaveOccurred())
@ -114,7 +114,7 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole with a custom
_, err = certClient.Create(util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil))
Expect(err).NotTo(HaveOccurred())
err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5)
err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5)
Expect(err).NotTo(HaveOccurred())
})
})


@ -10,7 +10,6 @@ go_library(
"//pkg/client/clientset/versioned/scheme:go_default_library",
"//pkg/client/clientset/versioned/typed/certmanager/v1alpha1:go_default_library",
"//pkg/util:go_default_library",
"//pkg/util/pki:go_default_library",
"//test/e2e/framework/log:go_default_library",
"//vendor/k8s.io/api/core/v1:go_default_library",
"//vendor/k8s.io/api/extensions/v1beta1:go_default_library",
@ -20,7 +19,6 @@ go_library(
"//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
"//vendor/k8s.io/client-go/kubernetes:go_default_library",
"//vendor/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
],
)


@ -19,8 +19,6 @@ package util
// TODO: we should break this file apart into separate more sane/reusable parts
import (
"crypto/ecdsa"
"crypto/rsa"
"crypto/x509"
"fmt"
"time"
@ -30,17 +28,14 @@ import (
extv1beta1 "k8s.io/api/extensions/v1beta1"
apiextcs "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1beta1"
"k8s.io/apimachinery/pkg/api/errors"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/client-go/kubernetes"
corecs "k8s.io/client-go/kubernetes/typed/core/v1"
"github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
clientset "github.com/jetstack/cert-manager/pkg/client/clientset/versioned/typed/certmanager/v1alpha1"
"github.com/jetstack/cert-manager/pkg/util"
"github.com/jetstack/cert-manager/pkg/util/pki"
"github.com/jetstack/cert-manager/test/e2e/framework/log"
)
@ -200,133 +195,6 @@ func wrapErrorWithCertificateStatusCondition(client clientset.CertificateInterfa
return pollErr
}
// WaitCertificateIssuedValid waits for the given Certificate to be
// 'Ready' and ensures the stored certificate is valid for the specified
// domains.
func WaitCertificateIssuedValidTLS(certClient clientset.CertificateInterface, secretClient corecs.SecretInterface, name string, timeout time.Duration, validateTLS bool) error {
return wait.PollImmediate(time.Second, timeout,
func() (bool, error) {
log.Logf("Waiting for Certificate %v to be ready", name)
certificate, err := certClient.Get(name, metav1.GetOptions{})
if err != nil {
return false, fmt.Errorf("error getting Certificate %v: %v", name, err)
}
isReady := certificate.HasCondition(v1alpha1.CertificateCondition{
Type: v1alpha1.CertificateConditionReady,
Status: v1alpha1.ConditionTrue,
})
if !isReady {
return false, nil
}
log.Logf("Getting the TLS certificate Secret resource")
secret, err := secretClient.Get(certificate.Spec.SecretName, metav1.GetOptions{})
if err != nil {
if apierrors.IsNotFound(err) {
return false, nil
}
return false, err
}
if !(len(secret.Data) == 2 || len(secret.Data) == 3) {
log.Logf("Expected 2 keys in certificate secret, but there was %d", len(secret.Data))
return false, nil
}
keyBytes, ok := secret.Data[v1.TLSPrivateKeyKey]
if !ok {
log.Logf("No private key data found for Certificate %q (secret %q)", name, certificate.Spec.SecretName)
return false, nil
}
key, err := pki.DecodePrivateKeyBytes(keyBytes)
if err != nil {
return false, err
}
// validate private key is of the correct type (rsa or ecdsa)
switch certificate.Spec.KeyAlgorithm {
case v1alpha1.KeyAlgorithm(""),
v1alpha1.RSAKeyAlgorithm:
_, ok := key.(*rsa.PrivateKey)
if !ok {
log.Logf("Expected private key of type RSA, but it was: %T", key)
return false, nil
}
case v1alpha1.ECDSAKeyAlgorithm:
_, ok := key.(*ecdsa.PrivateKey)
if !ok {
log.Logf("Expected private key of type ECDSA, but it was: %T", key)
return false, nil
}
default:
return false, fmt.Errorf("unrecognised requested private key algorithm %q", certificate.Spec.KeyAlgorithm)
}
// TODO: validate private key KeySize
// check the provided certificate is valid
expectedCN := pki.CommonNameForCertificate(certificate)
expectedOrganization := pki.OrganizationForCertificate(certificate)
expectedDNSNames := pki.DNSNamesForCertificate(certificate)
certBytes, ok := secret.Data[v1.TLSCertKey]
if !ok {
log.Logf("No certificate data found for Certificate %q (secret %q)", name, certificate.Spec.SecretName)
return false, nil
}
cert, err := pki.DecodeX509CertificateBytes(certBytes)
if err != nil {
return false, err
}
if expectedCN != cert.Subject.CommonName || !util.EqualUnsorted(cert.DNSNames, expectedDNSNames) || !(len(cert.Subject.Organization) == 0 || util.EqualUnsorted(cert.Subject.Organization, expectedOrganization)) {
log.Logf("Expected certificate valid for CN %q, O %v, dnsNames %v but got a certificate valid for CN %q, O %v, dnsNames %v", expectedCN, expectedOrganization, expectedDNSNames, cert.Subject.CommonName, cert.Subject.Organization, cert.DNSNames)
return false, nil
}
if certificate.Status.NotAfter == nil {
log.Logf("No certificate expiration found for Certificate %q", name)
return false, nil
}
if !cert.NotAfter.Equal(certificate.Status.NotAfter.Time) {
log.Logf("Expected certificate expiry date to be %v, but got %v", certificate.Status.NotAfter, cert.NotAfter)
return false, nil
}
label, ok := secret.Labels[v1alpha1.CertificateNameKey]
if !ok {
return false, fmt.Errorf("Expected secret to have certificate-name label, but had none")
}
if label != certificate.Name {
return false, fmt.Errorf("Expected secret to have certificate-name label with a value of %q, but got %q", certificate.Name, label)
}
// Run TLS Verification
if validateTLS {
rootCertPool := x509.NewCertPool()
rootCertPool.AppendCertsFromPEM([]byte(rootCert))
intermediateCertPool := x509.NewCertPool()
intermediateCertPool.AppendCertsFromPEM(certBytes)
opts := x509.VerifyOptions{
DNSName: expectedDNSNames[0],
Intermediates: intermediateCertPool,
Roots: rootCertPool,
}
if _, err := cert.Verify(opts); err != nil {
return false, err
}
}
return true, nil
},
)
}
func WaitCertificateIssuedValid(certClient clientset.CertificateInterface, secretClient corecs.SecretInterface, name string, timeout time.Duration) error {
return WaitCertificateIssuedValidTLS(certClient, secretClient, name, timeout, false)
}
// WaitForCertificateToExist waits for the named certificate to exist
func WaitForCertificateToExist(client clientset.CertificateInterface, name string, timeout time.Duration) error {
return wait.PollImmediate(500*time.Millisecond, timeout,
@ -587,195 +455,3 @@ func NewCertManagerVaultIssuerAppRole(name, vaultURL, vaultPath, roleId, vaultSe
},
}
}
const rootCert = `-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----`
const rootKey = `-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----`
func NewSigningKeypairSecret(name string) *v1.Secret {
return &v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
},
StringData: map[string]string{
v1.TLSCertKey: rootCert,
v1.TLSPrivateKeyKey: rootKey,
},
}
}
const issuer1Cert = `-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
`
const issuer1Key = `-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----`
func NewSigningIssuer1KeypairSecret(name string) *v1.Secret {
return &v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
},
StringData: map[string]string{
v1.TLSCertKey: issuer1Cert + rootCert,
v1.TLSPrivateKeyKey: issuer1Key,
},
}
}
const issuer2Cert = `-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
`
const issuer2Key = `-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAxGbVxgJweYDtS0Xe8hIuKhvl6HbfieM2nfeeQVaMOwT1mCII
jFVv0UF36uQqfTGQ8yR7v2WavWRWSaOkBnRjTD8gNIRfwkwm+3K4ChLv2vRb6ud0
QbkbMkYuzA4rSCy8bKXiLwT1rmK1SRFrTU4RMUiJrLSLA0xRich+Wbwb9S7YmGv8
dLJY0P4ovNfmAwOyK/gd20Kw0ey10zAGvh2SILOmL439vYpOCCZjzgp5VBWmZFwh
WhWvTq5zdhNraaWqvDepfXp3mv0MtiuurVRPcdcHQ8m++wiMk3x6oqTfcxxuKeNV
HVjCD1BhokekE8/EsvQDM0bb1J5tEu0a8p7GhQIDAQABAoIBAFwCzV3RoL3bn8/m
8Pa5e7UwkrogjsM7lkfVTOfRUysHPMPEFfsgv5zqLfL2Z811HjI6wlq9kAvwaNhg
+KQpfKeo3z6bUX1mTdD5Qq09h+8tEa7wNi/gN5SK+ruQW8iZZMEFyfw7N5o2FjYg
GgQCcd2D3TPy9TlbVMvXCRKjJPns4PvWnjcR6YryPCluhnm6t0UEdusAj5baENU5
95XG3e+7ZWzz4uejY778pyV/4yCfMXG9HZInkw9Uj3aNibiP/oKyF8Z0m1tAheLp
SfLH/KxC8sWW/Cn3YFAvq+3fSH3ezeaFNdQFi8L0uGA9h9ucZmKaT5jI1bM9Mj55
Vrsg/wECgYEA7rCQ/NFLtQ6PZNSApxRdWG+67mDrWMuaHho9KB+g0vIzGoxj2+DS
iVlk4F1zVjZ5S8yjSmBm2pxF4ornUdQUs5+iKHJqeweSQenZ3Ylx10rhACfUWhZ+
Zo/mrG30MJs2ceOaYJww1zrcjI3ktFwpZlX95J/e26gGqY8GKA8KaEECgYEA0qUp
3eWvwiTn2ztKEHZ06jNoPB1E3tAA939+W1Cy5VTDH2ZJYDE6lELTgW/7PuS6Auty
cJur3nyIJMQkb2GBqh8jgxb7huDpOkf8kAdPoD9PnmWTisF5XKO5Uv3O2t/xKQNl
pKAC9P1au3uCz8HA2ZbyLqiuXE7SKsIqQmMtbUUCgYArkAwWKDiyBcND+si0NbJH
prSuNwAdB6PMJKvOu98FQPD0wnSjN6gVKzyO+l9Hd8+xdtrCg0+iTG0wyHspYxSY
J+VXjnJCnAIkh4KcvS4Kxf7EoYBPJNXS8CaAh9zOVjWcmZaeVUNQtMx11pvMExn3
NHCPHmJ1Inh8z76m5v/WQQKBgEeQFyYs10ZU9XQ0s1fedp/ucRYjN3efIQT0ioAJ
bY2d+2BahskoUGd4QJTz716RpGRDizCYoo5GrpYXEO3KKZwbUhxCHZfYJ0RGmpZv
9WxStgDxL2vviQShFuAMHE+dzzeI0OpZ9kc3H7EcJ/ffMl55+rNBWWNA4APozSSa
vx8lAoGBAODUjD1S1w/l+OTZWqo+bUvpC58CSioZ+gvNi4KE0h+1ZgLgE1RivQOM
UxwyspRQp2exnQ3hvCpzjhx+ji/FlhK86lspGjyZqTd+ifa/tO51+tvU217/XDtx
JypkAFhZ398YzhuqsRbFNMFnxA6QT+YFsqjT+R0vSFM8n2qptJHB
-----END RSA PRIVATE KEY-----`
func NewSigningIssuer2KeypairSecret(name string) *v1.Secret {
return &v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
},
StringData: map[string]string{
v1.TLSCertKey: issuer2Cert + issuer1Cert + rootCert,
v1.TLSPrivateKeyKey: issuer2Key,
},
}
}