From 31eeb5fe2addcbca69bf3ab7cd5d7cd9d375597c Mon Sep 17 00:00:00 2001 From: James Munnelly Date: Thu, 24 Jan 2019 15:43:18 +0000 Subject: [PATCH] Refactor WaitCertificateValidTLS and run kubectl describe on test failure Signed-off-by: James Munnelly --- test/e2e/framework/config/config.go | 2 + test/e2e/framework/framework.go | 9 +- test/e2e/framework/helper/BUILD.bazel | 7 + test/e2e/framework/helper/certificates.go | 182 ++++++++++ test/e2e/framework/helper/helper.go | 16 +- test/e2e/framework/helper/kubectl.go | 63 ++++ .../suite/issuers/acme/certificate/dns01.go | 14 +- .../suite/issuers/acme/certificate/http01.go | 18 +- test/e2e/suite/issuers/ca/BUILD.bazel | 2 + test/e2e/suite/issuers/ca/certificate.go | 22 +- test/e2e/suite/issuers/ca/clusterissuer.go | 2 +- test/e2e/suite/issuers/ca/fixtures.go | 214 ++++++++++++ test/e2e/suite/issuers/ca/issuer.go | 2 +- .../suite/issuers/selfsigned/certificate.go | 7 +- .../issuers/vault/certificate/approle.go | 9 +- .../vault/certificate/approle_custom_mount.go | 4 +- test/e2e/util/BUILD.bazel | 2 - test/e2e/util/util.go | 324 ------------------ 18 files changed, 521 insertions(+), 378 deletions(-) create mode 100644 test/e2e/framework/helper/certificates.go create mode 100644 test/e2e/framework/helper/kubectl.go create mode 100644 test/e2e/suite/issuers/ca/fixtures.go diff --git a/test/e2e/framework/config/config.go b/test/e2e/framework/config/config.go index 85d9268c3..62e552ed3 100644 --- a/test/e2e/framework/config/config.go +++ b/test/e2e/framework/config/config.go @@ -28,6 +28,7 @@ import ( type Config struct { KubeConfig string KubeContext string + Kubectl string // If Cleanup is true, addons will be cleaned up both before and after provisioning Cleanup bool 
@@ -64,6 +65,7 @@ func (c *Config) AddFlags(fs *flag.FlagSet) { // Kubernetes API server config fs.StringVar(&c.KubeConfig, "kubernetes-config", os.Getenv(clientcmd.RecommendedConfigPathEnvVar), "Path to config containing embedded authinfo for kubernetes. Default value is from environment variable "+clientcmd.RecommendedConfigPathEnvVar) fs.StringVar(&c.KubeContext, "kubernetes-context", "", "config context to use for kuberentes. If unset, will use value from 'current-context'") + fs.StringVar(&c.Kubectl, "kubectl-path", "kubectl", "path to the kubectl binary to use during e2e tests.") fs.BoolVar(&c.Cleanup, "cleanup", true, "If true, addons will be cleaned up both before and after provisioning") // TODO: get rid of this variable by bundling required files as part of test suite diff --git a/test/e2e/framework/framework.go b/test/e2e/framework/framework.go index a67dda8c1..f21eb1e29 100644 --- a/test/e2e/framework/framework.go +++ b/test/e2e/framework/framework.go @@ -67,6 +67,7 @@ type Framework struct { cleanupHandle CleanupActionHandle requiredAddons []addon.Addon + helper *helper.Helper } // NewDefaultFramework makes a new framework for you, similar to NewFramework. @@ -85,6 +86,7 @@ func NewFramework(baseName string, cfg *config.Config) *Framework { BaseName: baseName, } + f.helper = helper.NewHelper(cfg) BeforeEach(f.BeforeEach) AfterEach(f.AfterEach) @@ -120,6 +122,9 @@ func (f *Framework) BeforeEach() { By("Building a ResourceQuota api object") _, err = f.CreateKubeResourceQuota() Expect(err).NotTo(HaveOccurred()) + + f.helper.CMClient = f.CertManagerClientSet + f.helper.KubeClient = f.KubeClientSet } // AfterEach deletes the namespace, after reading its events. @@ -196,9 +201,7 @@ func (f *Framework) RequireAddon(a addon.Addon) { } func (f *Framework) Helper() *helper.Helper { - return &helper.Helper{ - KubeClient: f.KubeClientSet, - } + return f.helper } func (f *Framework) CertificateDurationValid(c *v1alpha1.Certificate, duration time.Duration) { 
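Review bot: Helper() now hands out the single helper created in NewFramework instead of a fresh struct, and that helper's KubeClient and CMClient are only assigned in BeforeEach (the -120 hunk), so a helper obtained at Describe time — as the suites do with `h := f.Helper()` — carries nil clients until the test's BeforeEach has run. That is fine for calls made inside It bodies, but the method has no doc comment saying so and the previous implementation had no such ordering requirement. Suggest `// Helper returns the shared test helper. Its KubeClient and CMClient are set in BeforeEach, so only call its methods from within BeforeEach/It bodies.` above the method.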
diff --git a/test/e2e/framework/helper/BUILD.bazel b/test/e2e/framework/helper/BUILD.bazel index a43d5f410..fdb61b65a 100644 --- a/test/e2e/framework/helper/BUILD.bazel +++ b/test/e2e/framework/helper/BUILD.bazel @@ -3,13 +3,20 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library") go_library( name = "go_default_library", srcs = [ + "certificates.go", "helper.go", + "kubectl.go", "pod_start.go", ], importpath = "github.com/jetstack/cert-manager/test/e2e/framework/helper", tags = ["manual"], visibility = ["//visibility:public"], deps = [ + "//pkg/apis/certmanager/v1alpha1:go_default_library", + "//pkg/client/clientset/versioned:go_default_library", + "//pkg/util:go_default_library", + "//pkg/util/pki:go_default_library", + "//test/e2e/framework/config:go_default_library", "//test/e2e/framework/log:go_default_library", "//vendor/github.com/onsi/ginkgo:go_default_library", "//vendor/k8s.io/api/core/v1:go_default_library", diff --git a/test/e2e/framework/helper/certificates.go b/test/e2e/framework/helper/certificates.go new file mode 100644 index 000000000..8ed4eb327 --- /dev/null +++ b/test/e2e/framework/helper/certificates.go 
@@ -0,0 +1,182 @@
+/*
+Copyright 2019 The Jetstack cert-manager contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package helper
+
+import (
+ "crypto/ecdsa"
+ "crypto/rsa"
+ "crypto/x509"
+ "fmt"
+ "time"
+
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/wait"
+
+ "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
+ "github.com/jetstack/cert-manager/pkg/util"
+ "github.com/jetstack/cert-manager/pkg/util/pki"
+ "github.com/jetstack/cert-manager/test/e2e/framework/log"
+)
+
+// WaitForCertificateReady waits for the certificate resource to enter a Ready
+// state.
+func (h *Helper) WaitForCertificateReady(ns, name string, timeout time.Duration) (*v1alpha1.Certificate, error) {
+ var certificate *v1alpha1.Certificate
+ err := wait.PollImmediate(time.Second, timeout,
+ func() (bool, error) {
+ var err error
+ log.Logf("Waiting for Certificate %v to be ready", name)
+ certificate, err = h.CMClient.CertmanagerV1alpha1().Certificates(ns).Get(name, metav1.GetOptions{})
+ if err != nil {
+ return false, fmt.Errorf("error getting Certificate %v: %v", name, err)
+ }
+ isReady := certificate.HasCondition(v1alpha1.CertificateCondition{
+ Type: v1alpha1.CertificateConditionReady,
+ Status: v1alpha1.ConditionTrue,
+ })
+ if !isReady {
+ log.Logf("Expected Certificate to have Ready condition 'true' but it has: %v", certificate.Status.Conditions)
+ return false, nil
+ }
+ return true, nil
+ },
+ )
+
+ if err != nil {
+ return nil, err
+ }
+
+ return certificate, nil
+}
+
+// ValidateIssuedCertificate will ensure that the given Certificate has a
+// certificate issued for it, and that the details on the x509 certificate are
+// correct as defined by the Certificate's spec.
+func (h *Helper) ValidateIssuedCertificate(certificate *v1alpha1.Certificate, rootCAPEM []byte) (*x509.Certificate, error) {
+ log.Logf("Getting the TLS certificate Secret resource")
+ secret, err := h.KubeClient.CoreV1().Secrets(certificate.Namespace).Get(certificate.Spec.SecretName, metav1.GetOptions{})
+ if err != nil {
+ return nil, err
+ }
+ if !(len(secret.Data) == 2 || len(secret.Data) == 3) {
+ return nil, fmt.Errorf("Expected 2 keys in certificate secret, but there was %d", len(secret.Data))
+ }
+
+ keyBytes, ok := secret.Data[corev1.TLSPrivateKeyKey]
+ if !ok {
+ return nil, fmt.Errorf("No private key data found for Certificate %q (secret %q)", certificate.Name, certificate.Spec.SecretName)
+ }
+ key, err := pki.DecodePrivateKeyBytes(keyBytes)
+ if err != nil {
+ return nil, err
+ }
+
+ // validate private key is of the correct type (rsa or ecdsa)
+ switch certificate.Spec.KeyAlgorithm {
+ case v1alpha1.KeyAlgorithm(""),
+ v1alpha1.RSAKeyAlgorithm:
+ _, ok := key.(*rsa.PrivateKey)
+ if !ok {
+ return nil, fmt.Errorf("Expected private key of type RSA, but it was: %T", key)
+ }
+ case v1alpha1.ECDSAKeyAlgorithm:
+ _, ok := key.(*ecdsa.PrivateKey)
+ if !ok {
+ return nil, fmt.Errorf("Expected private key of type ECDSA, but it was: %T", key)
+ }
+ default:
+ return nil, fmt.Errorf("unrecognised requested private key algorithm %q", certificate.Spec.KeyAlgorithm)
+ }
+
+ // TODO: validate private key KeySize
+
+ // check the provided certificate is valid
+ expectedCN := pki.CommonNameForCertificate(certificate)
+ expectedOrganization := pki.OrganizationForCertificate(certificate)
+ expectedDNSNames := pki.DNSNamesForCertificate(certificate)
+
+ certBytes, ok := secret.Data[corev1.TLSCertKey]
+ if !ok {
+ return nil, fmt.Errorf("No certificate data found for Certificate %q (secret %q)", certificate.Name, certificate.Spec.SecretName)
+ }
+
+ cert, err := pki.DecodeX509CertificateBytes(certBytes)
+ if err != nil {
+ return nil, err
+ }
+ if expectedCN != 
cert.Subject.CommonName || !util.EqualUnsorted(cert.DNSNames, expectedDNSNames) || !(len(cert.Subject.Organization) == 0 || util.EqualUnsorted(cert.Subject.Organization, expectedOrganization)) {
+ return nil, fmt.Errorf("Expected certificate valid for CN %q, O %v, dnsNames %v but got a certificate valid for CN %q, O %v, dnsNames %v", expectedCN, expectedOrganization, expectedDNSNames, cert.Subject.CommonName, cert.Subject.Organization, cert.DNSNames)
+ }
+
+ if certificate.Status.NotAfter == nil {
+ return nil, fmt.Errorf("No certificate expiration found for Certificate %q", certificate.Name)
+ }
+ if !cert.NotAfter.Equal(certificate.Status.NotAfter.Time) {
+ return nil, fmt.Errorf("Expected certificate expiry date to be %v, but got %v", certificate.Status.NotAfter, cert.NotAfter)
+ }
+
+ label, ok := secret.Labels[v1alpha1.CertificateNameKey]
+ if !ok {
+ return nil, fmt.Errorf("Expected secret to have certificate-name label, but had none")
+ }
+
+ if label != certificate.Name {
+ return nil, fmt.Errorf("Expected secret to have certificate-name label with a value of %q, but got %q", certificate.Name, label)
+ }
+
+ // TODO: move this verification step out of this function
+ if rootCAPEM != nil {
+ rootCertPool := x509.NewCertPool()
+ rootCertPool.AppendCertsFromPEM(rootCAPEM)
+ intermediateCertPool := x509.NewCertPool()
+ intermediateCertPool.AppendCertsFromPEM(certBytes)
+ opts := x509.VerifyOptions{
+ DNSName: expectedDNSNames[0],
+ Intermediates: intermediateCertPool,
+ Roots: rootCertPool,
+ }
+
+ if _, err := cert.Verify(opts); err != nil {
+ return nil, err
+ }
+ }
+
+ return cert, nil
+}
+
+func (h *Helper) WaitCertificateIssuedValid(ns, name string, timeout time.Duration) error {
+ return h.WaitCertificateIssuedValidTLS(ns, name, timeout, nil)
+}
+
+func (h *Helper) WaitCertificateIssuedValidTLS(ns, name string, timeout time.Duration, rootCAPEM []byte) error {
+ certificate, err := h.WaitForCertificateReady(ns, name, timeout)
+ if err != nil {
+ 
log.Logf("Error waiting for Certificate to become Ready: %v", err) + h.Kubectl(ns).DescribeResource("certificate", name) + return err + } + + _, err = h.ValidateIssuedCertificate(certificate, rootCAPEM) + if err != nil { + log.Logf("Error validating issued certificate: %v", err) + h.Kubectl(ns).DescribeResource("certificate", name) + return err + } + + return nil +} diff --git a/test/e2e/framework/helper/helper.go b/test/e2e/framework/helper/helper.go index 432218a42..8f324a5e9 100644 --- a/test/e2e/framework/helper/helper.go +++ b/test/e2e/framework/helper/helper.go @@ -16,9 +16,23 @@ limitations under the License. package helper -import "k8s.io/client-go/kubernetes" +import ( + "k8s.io/client-go/kubernetes" + + cmclient "github.com/jetstack/cert-manager/pkg/client/clientset/versioned" + "github.com/jetstack/cert-manager/test/e2e/framework/config" +) // Helper provides methods for common operations needed during tests. type Helper struct { + cfg *config.Config + KubeClient kubernetes.Interface + CMClient cmclient.Interface +} + +func NewHelper(cfg *config.Config) *Helper { + return &Helper{ + cfg: cfg, + } } diff --git a/test/e2e/framework/helper/kubectl.go b/test/e2e/framework/helper/kubectl.go new file mode 100644 index 000000000..ca8054672 --- /dev/null +++ b/test/e2e/framework/helper/kubectl.go 
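Review bot: The TLS verification block in ValidateIssuedCertificate ignores the result of `rootCertPool.AppendCertsFromPEM(rootCAPEM)` and indexes `expectedDNSNames[0]` without a length check, so an unparsable root PEM only surfaces as an "unknown authority" failure from `cert.Verify`, and a Certificate for which `pki.DNSNamesForCertificate` yields no names (if that can happen) would panic instead of returning an error; checking the bool and the slice length first gives a failure that names the real cause (rewritten lines below). Two smaller points in the same hunk: the message `"Expected 2 keys in certificate secret, but there was %d"` disagrees with the `len(secret.Data) == 2 || len(secret.Data) == 3` check it guards, and in WaitCertificateIssuedValidTLS the error from `h.Kubectl(ns).DescribeResource("certificate", name)` is silently dropped — as a best-effort diagnostic it should at least be written `_ = h.Kubectl(ns).DescribeResource("certificate", name) // best-effort debug output` on both call sites. The exported WaitCertificateIssuedValid and WaitCertificateIssuedValidTLS also lack doc comments; the latter should state that chain verification only runs when rootCAPEM is non-nil and that the issued tls.crt is used as the intermediate pool.
```go
	// TODO: move this verification step out of this function
	if rootCAPEM != nil {
		if len(expectedDNSNames) == 0 {
			return nil, fmt.Errorf("Expected at least one DNS name on Certificate %q to verify against", certificate.Name)
		}
		rootCertPool := x509.NewCertPool()
		if !rootCertPool.AppendCertsFromPEM(rootCAPEM) {
			return nil, fmt.Errorf("No valid CA certificates found in the root CA PEM given for Certificate %q", certificate.Name)
		}
		intermediateCertPool := x509.NewCertPool()
		intermediateCertPool.AppendCertsFromPEM(certBytes)
		// … unchanged: VerifyOptions and cert.Verify …
	}
```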
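Review bot: NewHelper is exported without a doc comment, and nothing in helper.go says that KubeClient and CMClient start out nil and are filled in later (the framework.go hunk assigns them in BeforeEach). Suggest `// NewHelper returns a Helper bound to cfg. KubeClient and CMClient are nil until the Framework's BeforeEach assigns them.` above the constructor, and a short comment on the two fields to the same effect, so callers know not to use the helper before a test has started.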
@@ -0,0 +1,63 @@
+/*
+Copyright 2019 The Jetstack cert-manager contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package helper
+
+import (
+ "os/exec"
+ "strings"
+
+ "github.com/jetstack/cert-manager/test/e2e/framework/log"
+)
+
+type Kubectl struct {
+ namespace string
+ kubectl string
+ kubeconfig string
+ kubecontext string
+}
+
+func (k *Kubectl) Describe(resources ...string) error {
+ resourceNames := strings.Join(resources, ",")
+ return k.Run("describe", resourceNames)
+}
+
+func (k *Kubectl) DescribeResource(resource, name string) error {
+ return k.Run("describe", resource, name)
+}
+
+func (h *Helper) Kubectl(ns string) *Kubectl {
+ return &Kubectl{
+ namespace: ns,
+ kubectl: h.cfg.Kubectl,
+ kubeconfig: h.cfg.KubeConfig,
+ kubecontext: h.cfg.KubeContext,
+ }
+}
+
+func (k *Kubectl) Run(args ...string) error {
+ baseArgs := []string{"--kubeconfig", k.kubeconfig, "--context", k.kubecontext}
+ if k.namespace == "" {
+ baseArgs = append(baseArgs, "--all-namespaces")
+ } else {
+ baseArgs = []string{"--namespace", k.namespace}
+ }
+ args = append(baseArgs, args...)
+ cmd := exec.Command(k.kubectl, args...)
+ cmd.Stdout = log.Writer
+ cmd.Stderr = log.Writer
+ return cmd.Run()
+}
diff --git a/test/e2e/suite/issuers/acme/certificate/dns01.go b/test/e2e/suite/issuers/acme/certificate/dns01.go
index a3571d5c7..98666e1ef 100644
--- a/test/e2e/suite/issuers/acme/certificate/dns01.go
+++ b/test/e2e/suite/issuers/acme/certificate/dns01.go
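Review bot: In Run the else branch overwrites baseArgs instead of appending to it, so whenever a namespace is set — the only way WaitCertificateIssuedValidTLS calls it — the `--kubeconfig` and `--context` flags are discarded and kubectl is pointed at whatever cluster the ambient KUBECONFIG/current-context selects rather than the one the framework was configured with. The fix is `baseArgs = append(baseArgs, "--namespace", k.namespace)`. Separately, when KubeConfig or KubeContext is empty the command still receives `--kubeconfig ""` / `--context ""`; if kubectl treats an empty override as unset this is harmless, but only adding each flag when its value is non-empty would avoid relying on that. The exported Kubectl type, its methods and Helper.Kubectl also lack doc comments, and the comma-joined form produced by Describe (`resourceNames`) deserves a one-line comment noting that it relies on kubectl accepting a comma-separated resource list.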
@@ -49,6 +49,7 @@ var _ = framework.CertManagerDescribe("ACME Certificate (DNS01)", func() { func testDNSProvider(name string, p dns01Provider) bool { return Context("With "+name+" credentials configured", func() { f := framework.NewDefaultFramework("create-acme-certificate-dns01-" + name) + h := f.Helper() BeforeEach(func() { p.SetNamespace(f.Namespace.Name) @@ -119,7 +120,6 @@ func testDNSProvider(name string, p dns01Provider) bool { By("Creating a Certificate") certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name) - secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name) cert := generate.Certificate(generate.CertificateConfig{ Name: certificateName, @@ -135,16 +135,13 @@ func testDNSProvider(name string, p dns01Provider) bool { }) cert, err := certClient.Create(cert) Expect(err).NotTo(HaveOccurred()) - err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5) + err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5) Expect(err).NotTo(HaveOccurred()) }) It("should obtain a signed certificate for a wildcard domain", func() { By("Creating a Certificate") - certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name) - secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name) - cert := generate.Certificate(generate.CertificateConfig{ Name: certificateName, Namespace: f.Namespace.Name, 
@@ -159,16 +156,13 @@ func testDNSProvider(name string, p dns01Provider) bool { }) cert, err := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name).Create(cert) Expect(err).NotTo(HaveOccurred()) - err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5) + err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5) Expect(err).NotTo(HaveOccurred()) }) It("should obtain a signed certificate for a wildcard and apex domain", func() { By("Creating a Certificate") - certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name) - secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name) - cert := generate.Certificate(generate.CertificateConfig{ Name: certificateName, Namespace: f.Namespace.Name, @@ -184,7 +178,7 @@ func testDNSProvider(name string, p dns01Provider) bool { cert, err := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name).Create(cert) Expect(err).NotTo(HaveOccurred()) // use a longer timeout for this, as it requires performing 2 dns validations in serial - err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*10) + err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*10) Expect(err).NotTo(HaveOccurred()) }) }) diff --git a/test/e2e/suite/issuers/acme/certificate/http01.go b/test/e2e/suite/issuers/acme/certificate/http01.go index c9fd8b5a8..3a4894d3d 100644 --- a/test/e2e/suite/issuers/acme/certificate/http01.go +++ b/test/e2e/suite/issuers/acme/certificate/http01.go @@ -40,6 +40,7 @@ const foreverTestTimeout = time.Second * 60 var _ = framework.CertManagerDescribe("ACME Certificate (HTTP01)", func() { f := framework.NewDefaultFramework("create-acme-certificate-http01") + h := f.Helper() var ( tiller = &tiller.Tiller{ 
@@ -113,50 +114,46 @@ var _ = framework.CertManagerDescribe("ACME Certificate (HTTP01)", func() { It("should obtain a signed certificate with a single CN from the ACME server", func() { certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name) - secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name) By("Creating a Certificate") _, err := certClient.Create(util.NewCertManagerACMECertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil, acmeIngressClass, acmeIngressDomain)) Expect(err).NotTo(HaveOccurred()) By("Verifying the Certificate is valid") - err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5) + err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5) Expect(err).NotTo(HaveOccurred()) }) It("should obtain a signed certificate for a long domain using http01 validation", func() { certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name) - secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name) // the maximum length of a single segment of the domain being requested const maxLengthOfDomainSegment = 63 By("Creating a Certificate") _, err := certClient.Create(util.NewCertManagerACMECertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil, acmeIngressClass, fmt.Sprintf("%s.%s", cmutil.RandStringRunes(maxLengthOfDomainSegment), acmeIngressDomain))) Expect(err).NotTo(HaveOccurred()) - err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5) + err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5) Expect(err).NotTo(HaveOccurred()) }) It("should obtain a signed certificate with a CN and single subdomain as dns name from the ACME server", func() { certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name) - secretClient := 
f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name) By("Creating a Certificate") _, err := certClient.Create(util.NewCertManagerACMECertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil, acmeIngressClass, acmeIngressDomain, fmt.Sprintf("%s.%s", cmutil.RandStringRunes(5), acmeIngressDomain))) Expect(err).NotTo(HaveOccurred()) By("Verifying the Certificate is valid") - err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5) + err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5) Expect(err).NotTo(HaveOccurred()) }) It("should allow updating an existing certificate with a new dns name", func() { certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name) - secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name) By("Creating a Certificate") cert, err := certClient.Create(util.NewCertManagerACMECertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil, acmeIngressClass, acmeIngressDomain, fmt.Sprintf("%s.%s", cmutil.RandStringRunes(5), acmeIngressDomain))) Expect(err).NotTo(HaveOccurred()) By("Verifying the Certificate is valid") - err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5) + err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5) Expect(err).NotTo(HaveOccurred()) By("Getting the latest version of the Certificate") @@ -172,7 +169,7 @@ var _ = framework.CertManagerDescribe("ACME Certificate (HTTP01)", func() { cert, err = certClient.Update(cert) Expect(err).NotTo(HaveOccurred()) - err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5) + err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5) Expect(err).NotTo(HaveOccurred()) }) 
@@ -204,7 +201,6 @@ var _ = framework.CertManagerDescribe("ACME Certificate (HTTP01)", func() { It("should obtain a signed certificate with a single CN from the ACME server when putting an annotation on an ingress resource", func() { ingClient := f.KubeClientSet.ExtensionsV1beta1().Ingresses(f.Namespace.Name) certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name) - secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name) By("Creating an Ingress with the issuer name annotation set") _, err := ingClient.Create(util.NewIngress(certificateSecretName, certificateSecretName, map[string]string{ @@ -218,7 +214,7 @@ var _ = framework.CertManagerDescribe("ACME Certificate (HTTP01)", func() { Expect(err).NotTo(HaveOccurred()) By("Verifying the Certificate is valid") - err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5) + err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5) Expect(err).NotTo(HaveOccurred()) }) }) diff --git a/test/e2e/suite/issuers/ca/BUILD.bazel b/test/e2e/suite/issuers/ca/BUILD.bazel index 9e46f7d90..f1a4d591a 100644 --- a/test/e2e/suite/issuers/ca/BUILD.bazel +++ b/test/e2e/suite/issuers/ca/BUILD.bazel @@ -5,6 +5,7 @@ go_library( srcs = [ "certificate.go", "clusterissuer.go", + "fixtures.go", "issuer.go", ], importpath = "github.com/jetstack/cert-manager/test/e2e/suite/issuers/ca", @@ -18,6 +19,7 @@ go_library( "//test/e2e/util:go_default_library", "//vendor/github.com/onsi/ginkgo:go_default_library", "//vendor/github.com/onsi/gomega:go_default_library", + "//vendor/k8s.io/api/core/v1:go_default_library", "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", ], ) diff --git a/test/e2e/suite/issuers/ca/certificate.go b/test/e2e/suite/issuers/ca/certificate.go index 6f5f5688f..76128b588 100644 --- a/test/e2e/suite/issuers/ca/certificate.go +++ b/test/e2e/suite/issuers/ca/certificate.go 
@@ -30,6 +30,7 @@ import ( var _ = framework.CertManagerDescribe("CA Certificate", func() { f := framework.NewDefaultFramework("create-ca-certificate") + h := f.Helper() issuerName := "test-ca-issuer" issuerSecretName := "ca-issuer-signing-keypair" @@ -59,25 +60,23 @@ var _ = framework.CertManagerDescribe("CA Certificate", func() { Context("when the CA is the root", func() { BeforeEach(func() { By("Creating a signing keypair fixture") - _, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(util.NewSigningKeypairSecret(issuerSecretName)) + _, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(newSigningKeypairSecret(issuerSecretName)) Expect(err).NotTo(HaveOccurred()) }) It("should generate a signed keypair", func() { certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name) - secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name) By("Creating a Certificate") _, err := certClient.Create(util.NewCertManagerBasicCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil)) Expect(err).NotTo(HaveOccurred()) By("Verifying the Certificate is valid") - err = util.WaitCertificateIssuedValidTLS(certClient, secretClient, certificateName, time.Second*30, true) + err = h.WaitCertificateIssuedValidTLS(f.Namespace.Name, certificateName, time.Second*30, []byte(rootCert)) Expect(err).NotTo(HaveOccurred()) }) It("should be able to obtain an ECDSA key from a RSA backed issuer", func() { certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name) - secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name) crt := util.NewCertManagerBasicCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil) crt.Spec.KeyAlgorithm = v1alpha1.ECDSAKeyAlgorithm 
@@ -88,7 +87,7 @@ var _ = framework.CertManagerDescribe("CA Certificate", func() { Expect(err).NotTo(HaveOccurred()) By("Verifying the Certificate is valid") - err = util.WaitCertificateIssuedValidTLS(certClient, secretClient, certificateName, time.Second*30, true) + err = h.WaitCertificateIssuedValidTLS(f.Namespace.Name, certificateName, time.Second*30, []byte(rootCert)) Expect(err).NotTo(HaveOccurred()) }) @@ -115,13 +114,12 @@ var _ = framework.CertManagerDescribe("CA Certificate", func() { v := v It("should generate a signed keypair valid for "+v.label, func() { certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name) - secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name) By("Creating a Certificate") cert, err := certClient.Create(util.NewCertManagerBasicCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, v.inputDuration, v.inputRenewBefore)) Expect(err).NotTo(HaveOccurred()) By("Verifying the Certificate is valid") - err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Second*30) + err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Second*30) Expect(err).NotTo(HaveOccurred()) f.CertificateDurationValid(cert, v.expectedDuration) }) 
@@ -131,19 +129,18 @@ var _ = framework.CertManagerDescribe("CA Certificate", func() { Context("when the CA is an issuer", func() { BeforeEach(func() { By("Creating a signing keypair fixture") - _, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(util.NewSigningIssuer1KeypairSecret(issuerSecretName)) + _, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(newSigningIssuer1KeypairSecret(issuerSecretName)) Expect(err).NotTo(HaveOccurred()) }) It("should generate a signed keypair", func() { certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name) - secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name) By("Creating a Certificate") _, err := certClient.Create(util.NewCertManagerBasicCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil)) Expect(err).NotTo(HaveOccurred()) By("Verifying the Certificate is valid") - err = util.WaitCertificateIssuedValidTLS(certClient, secretClient, certificateName, time.Second*30, true) + err = h.WaitCertificateIssuedValidTLS(f.Namespace.Name, certificateName, time.Second*30, []byte(rootCert)) Expect(err).NotTo(HaveOccurred()) }) }) 
@@ -151,19 +148,18 @@ var _ = framework.CertManagerDescribe("CA Certificate", func() { Context("when the CA is a second level issuer", func() { BeforeEach(func() { By("Creating a signing keypair fixture") - _, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(util.NewSigningIssuer2KeypairSecret(issuerSecretName)) + _, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(newSigningIssuer2KeypairSecret(issuerSecretName)) Expect(err).NotTo(HaveOccurred()) }) It("should generate a signed keypair", func() { certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name) - secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name) By("Creating a Certificate") _, err := certClient.Create(util.NewCertManagerBasicCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil)) Expect(err).NotTo(HaveOccurred()) By("Verifying the Certificate is valid") - err = util.WaitCertificateIssuedValidTLS(certClient, secretClient, certificateName, time.Second*30, true) + err = h.WaitCertificateIssuedValidTLS(f.Namespace.Name, certificateName, time.Second*30, []byte(rootCert)) Expect(err).NotTo(HaveOccurred()) }) }) diff --git a/test/e2e/suite/issuers/ca/clusterissuer.go b/test/e2e/suite/issuers/ca/clusterissuer.go index 7b276661d..47eefcf0b 100644 --- a/test/e2e/suite/issuers/ca/clusterissuer.go +++ b/test/e2e/suite/issuers/ca/clusterissuer.go @@ -42,7 +42,7 @@ var _ = framework.CertManagerDescribe("CA ClusterIssuer", func() { BeforeEach(func() { By("Creating a signing keypair fixture") - _, err := f.KubeClientSet.CoreV1().Secrets(clusterResourceNamespace).Create(util.NewSigningKeypairSecret(secretName)) + _, err := f.KubeClientSet.CoreV1().Secrets(clusterResourceNamespace).Create(newSigningKeypairSecret(secretName)) Expect(err).NotTo(HaveOccurred()) }) diff --git a/test/e2e/suite/issuers/ca/fixtures.go b/test/e2e/suite/issuers/ca/fixtures.go new file mode 100644 index 000000000..47e1b1ab8 
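Review bot: Every context in this file now verifies against `[]byte(rootCert)`, including "when the CA is an issuer" and "when the CA is a second level issuer" here, so the chain verification in ValidateIssuedCertificate presumably only passes because the issued tls.crt carries the intermediate certificates, which the helper feeds into its intermediate pool; that dependency is invisible from this file. A one-line comment above the WaitCertificateIssuedValidTLS call in the second-level context, e.g. `// rootCert is the trust anchor; the intermediate CAs must be present in the issued tls.crt for verification to succeed`, would make it explicit. The same `[]byte(rootCert)` conversion is repeated in the -59, -88, -131 and this hunk; a package-level `var rootCertPEM = []byte(rootCert)` next to the constant in fixtures.go would read better than converting at every call site.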
--- /dev/null +++ b/test/e2e/suite/issuers/ca/fixtures.go 
@@ -0,0 +1,214 @@ +/* +Copyright 2019 The Jetstack cert-manager contributors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package ca + +import ( + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +const rootCert = `-----BEGIN CERTIFICATE----- +MIID4DCCAsigAwIBAgIJAJzTROInmDkQMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV +BAYTAlVLMQswCQYDVQQIEwJOQTEVMBMGA1UEChMMY2VydC1tYW5hZ2VyMSAwHgYD +VQQDExdjZXJ0LW1hbmFnZXIgdGVzdGluZyBDQTAeFw0xNzA5MTAxODMzNDNaFw0y +NzA5MDgxODMzNDNaMFMxCzAJBgNVBAYTAlVLMQswCQYDVQQIEwJOQTEVMBMGA1UE +ChMMY2VydC1tYW5hZ2VyMSAwHgYDVQQDExdjZXJ0LW1hbmFnZXIgdGVzdGluZyBD +QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+Q2AO4hARav0qwjk7I +4mEh5R201HS8s7HpaLOXBNvvh7qJ9yJz6jLqYg6EvP0K/bK56Cp2oe2igd7GOxpV +3YPOc3CG0CCqHMprEcvxj2xBKX00Rtcn4oVLhDPhAb0BV/R7NFLeWxzh+ggvPI1X +m1qLaWYqYZEJ5bBsYXD3tPdS4GGINRz8Zvih46f0Z2wVkCGoTpsbX8HO74sa2Day +UjzAsWGlO5bZGiMSHjDEnf9yek2TcjEyVoohoOLaQg/ng21T5RWzeZKTl1cznwuG +Vr9tZfHFqxQ5qeaId+1ICtxNvkEjbTnZl6Wy9Cthn0dxwOeS5TqMJ7SFNXy1gp4j +f/MCAwEAAaOBtjCBszAdBgNVHQ4EFgQUBtrjvWfbkLA0iX6sKVRhKUo864kwgYMG +A1UdIwR8MHqAFAba471n25CwNIl+rClUYSlKPOuJoVekVTBTMQswCQYDVQQGEwJV +SzELMAkGA1UECBMCTkExFTATBgNVBAoTDGNlcnQtbWFuYWdlcjEgMB4GA1UEAxMX +Y2VydC1tYW5hZ2VyIHRlc3RpbmcgQ0GCCQCc00TiJ5g5EDAMBgNVHRMEBTADAQH/ +MA0GCSqGSIb3DQEBCwUAA4IBAQCR+jXhup5tCKwhAf8xgvp589BczQOjmotuZGEL +Dcint2y263ChEdsoLhyJfvFCAZfTSm+UT95Hl+ZKVuoVEcAS7udaFUFpC/gIYVOi +H4/uvJps4SpVCB7+T/orcTjZ2ewT23mQAQg+B+iwX9VCof+fadkYOg1XD9/eaj6E 
+9McXID3iuCXg02RmEOwVMrTggHPwHrOGAilSaZc58cJZHmMYlT5rGrJcWS/AyXnH +VOodKC004yjh7w9aSbCCbAL0tDEnhm4Jrb8cxt7pDWbdEVUeuk9LZRQtluYBnmJU +kQ7ALfUfUh/RUpCV4uI6sEI3NDX2YqQbOtsBD/hNaL1F85FA +-----END CERTIFICATE-----` + +const rootKey = `-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAz5DYA7iEBFq/SrCOTsjiYSHlHbTUdLyzselos5cE2++Huon3 +InPqMupiDoS8/Qr9srnoKnah7aKB3sY7GlXdg85zcIbQIKocymsRy/GPbEEpfTRG +1yfihUuEM+EBvQFX9Hs0Ut5bHOH6CC88jVebWotpZiphkQnlsGxhcPe091LgYYg1 +HPxm+KHjp/RnbBWQIahOmxtfwc7vixrYNrJSPMCxYaU7ltkaIxIeMMSd/3J6TZNy +MTJWiiGg4tpCD+eDbVPlFbN5kpOXVzOfC4ZWv21l8cWrFDmp5oh37UgK3E2+QSNt +OdmXpbL0K2GfR3HA55LlOowntIU1fLWCniN/8wIDAQABAoIBAQCYvGvIKSG0FpbG +vi6pmLbEZO20s1jW4fiUxT2PUWR49sR4pocdahB/EOvA5TowNcNDnftSK+Ox+q/4 +HwRkt6R+Fg/qULmcH7F53dnFqeYw8a42/J3YOvg7v7rzdfISg4eWVobFJ+wBz+Nt +3FyBYWLm+MlBLZSH5rGG5em59/zJNHWIhH+oQPfCxAkYEvd8tXOTUzjhqvEfjaJy +FZghnT9xto4MwDdNCPbtzdNjTMhiv0AHkcZGGtRJfkehXX2qhXOQ2UzzO9XrMZnv +5KgYf+bXKJsyS3SPl6TTl7vg2gKBciRvsdFhMy5I5GyIADrEDJnNNmXQRtiaFLfd +k/aqfPT5AoGBAPquMouZUbVS/Qh+qbls7G4zAuznfCiqdctcKmUGPRP4sTTjWdUp +fjI+UTt1e8hncmr4RY7Oa9kUV/kDwzS5spUZZ+u0PczS3XKxOwNOleoH00dfc9vt +cxctHdPdDTndRi8Z4k3m931jIX7jB/Pyx8qeNYB3pj0k3ThktwMbAVLnAoGBANP4 +beI5zpbvtAdExJcuxx2mRDGF0lIdKC0bvQaeqM3Lwqnmc0Fz1dbP7KXDa+SdJWPd +res+NHPZoEPeEJuDTSngXOLNECZe4Ja9frn1TeY858vMJBwIkyc8zu+sgXxjQUM+ +TWUlTUhtXyybkRnxAEny4OT2TTgmXITJaKOmV1UVAoGAHaXSlo4YitB42rNYUXTf +dZ0U4H30Qj7+1YFeBjq5qI4GL1IgQsS4hyq1osmfTTFm593bJCunt7HfQbU/NhIs +W9P4ZXkYwgvCYxkw+JAnzNkGFO/mHQG1Ve1hFLiVIt3XuiRejoYdiTfbM02YmDKD +jKQvgbUk9SBSBaRrvLNJ8csCgYAYnrZEnGo+ZcEHRxl+ZdSCwRkSl3SCTRiphJtD +9ZGttYj6quWgKJAhzyyxZC1X9FivbMQSmrsE6bYPq+9J4MpJnuGrBh5mFocHeyMI +/lD5+QEDTsay6twMpqdydxrjE7Q01zuuD9MWIn33dGo6FR/vduJgNatqZipA0hPx +ThS+sQKBgQDh0+cVo1mfYiCkp3IQPB8QYiJ/g2/UBk6pH8ZZDZ+A5td6NveiWO1y +wTEUWkX2qyz9SLxWDGOhdKqxNrLCUSYSOV/5/JQEtBm6K50ArFtrY40JP/T/5KvM +tSK2ayFX1wQ3PuEmewAogy/20tWo80cr556AXA62Utl2PzLK30Db8w== +-----END RSA PRIVATE KEY-----` + +func newSigningKeypairSecret(name string) *corev1.Secret { + 
return &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + }, + StringData: map[string]string{ + corev1.TLSCertKey: rootCert, + corev1.TLSPrivateKeyKey: rootKey, + }, + } +} + +const issuer1Cert = `-----BEGIN CERTIFICATE----- +MIIDnjCCAoagAwIBAgIUCAJmM4rqnkj65/0sFRSIjXNlmGYwDQYJKoZIhvcNAQEL +BQAwUzELMAkGA1UEBhMCVUsxCzAJBgNVBAgTAk5BMRUwEwYDVQQKEwxjZXJ0LW1h +bmFnZXIxIDAeBgNVBAMTF2NlcnQtbWFuYWdlciB0ZXN0aW5nIENBMB4XDTE4MTEx +NTAwMDQwMFoXDTIzMTExNDAwMDQwMFowVzELMAkGA1UEBhMCVUsxCzAJBgNVBAgT +Ak5BMRUwEwYDVQQKEwxjZXJ0LW1hbmFnZXIxJDAiBgNVBAMTG2NlcnQtbWFuYWdl +ciB0ZXN0aW5nIElzc3VlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AKubAgcLJfXspsDNNR/TO+UUy0s9DE28w4OXs7pAppe7rtK1a531M9lGg+jZPryT +PER4HeobhIk7h1iTmcVHp1mDB3IFDfKL8jKNEnsHGTcn5xY1RkFihFPphBiyGwvY +S4nGi1NubxTA+kW0Pbcf3po2NWNdntAHaMcvMEkq+NdoSEK1HACHQ8QqtqfKUxMD +XMFDmJD21/4PM6iqhDw2HPe87FY7KKdYAsMV8KnT5DIGJ6UbuarTuMzXZq0a8/aW +sto/hrBJir+CQwmNIYg41G8m1CgUz0a3FYxtvLNZweeW9+SiVl0FCiajLws0HIW5 +4RTJ44Omr2/byIB+lmV63AMCAwEAAaNmMGQwDgYDVR0PAQH/BAQDAgGmMBIGA1Ud +EwEB/wQIMAYBAf8CAQMwHQYDVR0OBBYEFESJnTHvnJn8qIOb/JD+nw4o0yxnMB8G +A1UdIwQYMBaAFAba471n25CwNIl+rClUYSlKPOuJMA0GCSqGSIb3DQEBCwUAA4IB +AQBre0a1hD4T0W9E/yGhk6O8k11i63vhgIcMeN1/RMtgJRwIWIf3iKXAwAeIjkXZ +eGGSNWh8pC1wFvE9LIomhZLPSn+98FJ9dLfcaQXDOEyZM71OTsWQKS4NVNloHOxV +zujEujIIZ4caVbOlQWxf7lPydnXP+S7GsMU8vlOsU2RC9jN+yeuho+ZVguSC76ni +CG+k/Lzf46CMAZtRLdv9FPFttodBnodapOEgkhGwhyz/J6eLR1t9DWlxpQ1vk45H +dT3HDz1CNlF/5HzYpVBus553Z7SFh2x1umKfmTUWqmbFsslr2y4w2nkhyG2+jH+k +lh+Eve9i4q7YaO0EMlOOJMar +-----END CERTIFICATE----- +` + +const issuer1Key = `-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAq5sCBwsl9eymwM01H9M75RTLSz0MTbzDg5ezukCml7uu0rVr +nfUz2UaD6Nk+vJM8RHgd6huEiTuHWJOZxUenWYMHcgUN8ovyMo0SewcZNyfnFjVG +QWKEU+mEGLIbC9hLicaLU25vFMD6RbQ9tx/emjY1Y12e0Adoxy8wSSr412hIQrUc +AIdDxCq2p8pTEwNcwUOYkPbX/g8zqKqEPDYc97zsVjsop1gCwxXwqdPkMgYnpRu5 +qtO4zNdmrRrz9pay2j+GsEmKv4JDCY0hiDjUbybUKBTPRrcVjG28s1nB55b35KJW +XQUKJqMvCzQchbnhFMnjg6avb9vIgH6WZXrcAwIDAQABAoIBAHm3VFTSn3YzCIOw 
+CYItPUpa2WbgQh3RSYvIyf3NZVwyDun9K/u5s7DkxyMdE9aFSDX4TJ+ELRl5U6KL +7oFzNUvUGC/TTfU/NeaNERKaElSAxPOHjfFKgzlRZBRwH6bjH5D1dlUS+07pIZrX +IP8GZ8lRscRs3vwGhVbiLYl4JVACydgyV/Th1yJYFEOXlmHV4Kk0ce3swsXL0NUb +BFQ53RULSxLVaYy4XXF3azSUdMkalDf8DxxeFtPUSW49zp6/iOArZTNCoiGavOHo +YvtnUXjt2QK64SdjFYMyCD8EcLlMTOUtAS10lw9NwUS3JMp3u79bO2uvRwJpT+IP +Hb0Sg8ECgYEAyi41EwEE6cwNVOAZxkOgv+ejhBjKuUrhzp0vwg3Uziuy6TZPJEoA +5e/8pFuvxbfU0lGUe6CkHdpSQPO7ifsTuxYxO/ZX8DqSaCwnRp+kJUyi7Jz3Ypfk +LsVg3TMW9Hmvntz8kPTN8DJMo6W7TC0m05L5pyfvM2BpBXqYIPNLInkCgYEA2Uk8 +mnA43ME+oaqLxcqgIE1+AXeg+voH17kiuO7hVWlprxJv/b6AAjm0nxcuLcdofKJT +JgaWrwyhI676q5T/lqQn/gdJ7rwz/83WnforW7WVza2XT+aDFcwNq07vHYoeCK6B +5RJFIY4Yuk4CORXeElYipz/VyCO2mUgJfHNDs1sCgYEAkS3lBqRwtsHDwPK7D1d4 +ktTu4eg7ihpvU0IkDSCJcxKGAljxM4nAY1yU+iCsczmyJORXzv5nWthuwB1Eyav1 +Wx5wdDJMq0Aj6ZHrEheIcxA43ddI/Q881yj8iVoqXZsTtOvSoPRo/NXhmpFjkSvK ++ZpMku9mIGpWf4ysuNx7U2ECgYEAlOk+IVFbht7g/4aT99+f0cOJ4ZOMvbPxAASf +KUJ9Jz3w8cye97VAoUXO5WDLgxAwKYpNlbfaOOlc3cmjfUfFygWCavOv1W8h6+Oz +e9zhLh7KJYUcN+PwXlXT4F1ePk5TuvtthgH5Yr+xbqzblSfJY6OoaBq1dk4TbAUU +izerZBUCgYEAn28gG04dByfcyY/crwpRLNVlaA0J93v5H9E/wlEiV1PhEYTdj2S8 +PLm9ur3V+kkBSarBur9+rRil0BHvVgC9K6kwMr60JcVT+bmZi0AbPOlPZsp9OPQf +YK5kMSMSbh4t9OUtadogDGI299P6Q9leaU65XRAar96wVsz8X/XdPPc= +-----END RSA PRIVATE KEY-----` + +func newSigningIssuer1KeypairSecret(name string) *corev1.Secret { + return &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + }, + StringData: map[string]string{ + corev1.TLSCertKey: issuer1Cert + rootCert, + corev1.TLSPrivateKeyKey: issuer1Key, + }, + } +} + +const issuer2Cert = `-----BEGIN CERTIFICATE----- +MIIDqjCCApKgAwIBAgIUHqm61uyYt2ICGRcZnBSjYaPonuowDQYJKoZIhvcNAQEL +BQAwVzELMAkGA1UEBhMCVUsxCzAJBgNVBAgTAk5BMRUwEwYDVQQKEwxjZXJ0LW1h +bmFnZXIxJDAiBgNVBAMTG2NlcnQtbWFuYWdlciB0ZXN0aW5nIElzc3VlcjAeFw0x +ODExMTUwMDA0MDBaFw0yMzExMTQwMDA0MDBaMF8xCzAJBgNVBAYTAlVLMQswCQYD +VQQIEwJOQTEVMBMGA1UEChMMY2VydC1tYW5hZ2VyMSwwKgYDVQQDEyNjZXJ0LW1h 
+bmFnZXIgdGVzdGluZyBJc3N1ZXIgTGV2ZWwgMjCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAMRm1cYCcHmA7UtF3vISLiob5eh234njNp33nkFWjDsE9Zgi +CIxVb9FBd+rkKn0xkPMke79lmr1kVkmjpAZ0Y0w/IDSEX8JMJvtyuAoS79r0W+rn +dEG5GzJGLswOK0gsvGyl4i8E9a5itUkRa01OETFIiay0iwNMUYnIflm8G/Uu2Jhr +/HSyWND+KLzX5gMDsiv4HdtCsNHstdMwBr4dkiCzpi+N/b2KTggmY84KeVQVpmRc +IVoVr06uc3YTa2mlqrw3qX16d5r9DLYrrq1UT3HXB0PJvvsIjJN8eqKk33Mcbinj +VR1Ywg9QYaJHpBPPxLL0AzNG29SebRLtGvKexoUCAwEAAaNmMGQwDgYDVR0PAQH/ +BAQDAgGmMBIGA1UdEwEB/wQIMAYBAf8CAQMwHQYDVR0OBBYEFHp3C+Se1LZMcQ0B +0iycJLvwqo9lMB8GA1UdIwQYMBaAFESJnTHvnJn8qIOb/JD+nw4o0yxnMA0GCSqG +SIb3DQEBCwUAA4IBAQA/lnvr+GnMJDA+Z7MEMRAcqdIScO38LVQNO340jFMcMkmW +YTnyNoEvI4fnCon9Oz2FsFcZp90Gniu01lDLyzR+1SsfFf6zwqGVUV29hidR6BvD +VGLM6SMnbgXUd+RPvAIrHU3BuSF2sRPiw7YqzgNVZQ2dUF+Q+R+Onu5i47CwVFOd +6Dd7xr5+ECaHGyuIH/RsXLvB+2reJ5dEl3oBxiyyzY1oOkt6y4HrB8n90JWPmXIf +9oQ8T+p3PbsFkz667nbVnVCkdAKtU/ZX09S1jGVKsOKszA1qhxFcMy+wkkyHq4Jj +v+q/VgVxL5HzEw4zyKS9Y2lcwhCicMrLKIGt91fQ +-----END CERTIFICATE----- +` + +const issuer2Key = `-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAxGbVxgJweYDtS0Xe8hIuKhvl6HbfieM2nfeeQVaMOwT1mCII +jFVv0UF36uQqfTGQ8yR7v2WavWRWSaOkBnRjTD8gNIRfwkwm+3K4ChLv2vRb6ud0 +QbkbMkYuzA4rSCy8bKXiLwT1rmK1SRFrTU4RMUiJrLSLA0xRich+Wbwb9S7YmGv8 +dLJY0P4ovNfmAwOyK/gd20Kw0ey10zAGvh2SILOmL439vYpOCCZjzgp5VBWmZFwh +WhWvTq5zdhNraaWqvDepfXp3mv0MtiuurVRPcdcHQ8m++wiMk3x6oqTfcxxuKeNV +HVjCD1BhokekE8/EsvQDM0bb1J5tEu0a8p7GhQIDAQABAoIBAFwCzV3RoL3bn8/m +8Pa5e7UwkrogjsM7lkfVTOfRUysHPMPEFfsgv5zqLfL2Z811HjI6wlq9kAvwaNhg ++KQpfKeo3z6bUX1mTdD5Qq09h+8tEa7wNi/gN5SK+ruQW8iZZMEFyfw7N5o2FjYg +GgQCcd2D3TPy9TlbVMvXCRKjJPns4PvWnjcR6YryPCluhnm6t0UEdusAj5baENU5 +95XG3e+7ZWzz4uejY778pyV/4yCfMXG9HZInkw9Uj3aNibiP/oKyF8Z0m1tAheLp +SfLH/KxC8sWW/Cn3YFAvq+3fSH3ezeaFNdQFi8L0uGA9h9ucZmKaT5jI1bM9Mj55 +Vrsg/wECgYEA7rCQ/NFLtQ6PZNSApxRdWG+67mDrWMuaHho9KB+g0vIzGoxj2+DS +iVlk4F1zVjZ5S8yjSmBm2pxF4ornUdQUs5+iKHJqeweSQenZ3Ylx10rhACfUWhZ+ +Zo/mrG30MJs2ceOaYJww1zrcjI3ktFwpZlX95J/e26gGqY8GKA8KaEECgYEA0qUp 
+3eWvwiTn2ztKEHZ06jNoPB1E3tAA939+W1Cy5VTDH2ZJYDE6lELTgW/7PuS6Auty +cJur3nyIJMQkb2GBqh8jgxb7huDpOkf8kAdPoD9PnmWTisF5XKO5Uv3O2t/xKQNl +pKAC9P1au3uCz8HA2ZbyLqiuXE7SKsIqQmMtbUUCgYArkAwWKDiyBcND+si0NbJH +prSuNwAdB6PMJKvOu98FQPD0wnSjN6gVKzyO+l9Hd8+xdtrCg0+iTG0wyHspYxSY +J+VXjnJCnAIkh4KcvS4Kxf7EoYBPJNXS8CaAh9zOVjWcmZaeVUNQtMx11pvMExn3 +NHCPHmJ1Inh8z76m5v/WQQKBgEeQFyYs10ZU9XQ0s1fedp/ucRYjN3efIQT0ioAJ +bY2d+2BahskoUGd4QJTz716RpGRDizCYoo5GrpYXEO3KKZwbUhxCHZfYJ0RGmpZv +9WxStgDxL2vviQShFuAMHE+dzzeI0OpZ9kc3H7EcJ/ffMl55+rNBWWNA4APozSSa +vx8lAoGBAODUjD1S1w/l+OTZWqo+bUvpC58CSioZ+gvNi4KE0h+1ZgLgE1RivQOM +UxwyspRQp2exnQ3hvCpzjhx+ji/FlhK86lspGjyZqTd+ifa/tO51+tvU217/XDtx +JypkAFhZ398YzhuqsRbFNMFnxA6QT+YFsqjT+R0vSFM8n2qptJHB +-----END RSA PRIVATE KEY-----` + +func newSigningIssuer2KeypairSecret(name string) *corev1.Secret { + return &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + }, + StringData: map[string]string{ + corev1.TLSCertKey: issuer2Cert + issuer1Cert + rootCert, + corev1.TLSPrivateKeyKey: issuer2Key, + }, + } +} diff --git a/test/e2e/suite/issuers/ca/issuer.go b/test/e2e/suite/issuers/ca/issuer.go index 570f0cbbf..1150eb6d5 100644 --- a/test/e2e/suite/issuers/ca/issuer.go +++ b/test/e2e/suite/issuers/ca/issuer.go @@ -33,7 +33,7 @@ var _ = framework.CertManagerDescribe("CA Issuer", func() { BeforeEach(func() { By("Creating a signing keypair fixture") - _, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(util.NewSigningKeypairSecret(secretName)) + _, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(newSigningKeypairSecret(secretName)) Expect(err).NotTo(HaveOccurred()) }) diff --git a/test/e2e/suite/issuers/selfsigned/certificate.go b/test/e2e/suite/issuers/selfsigned/certificate.go index b7f0673c4..5ba46ddd0 100644 --- a/test/e2e/suite/issuers/selfsigned/certificate.go +++ b/test/e2e/suite/issuers/selfsigned/certificate.go 
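Review bot: The bundles built in newSigningIssuer1KeypairSecret and newSigningIssuer2KeypairSecret (`issuer1Cert + rootCert`, `issuer2Cert + issuer1Cert + rootCert`) only parse because issuer1Cert and issuer2Cert happen to end with a newline inside their raw-string literals while rootCert and the keys do not; anyone who normalises the constants to one style silently glues `-----END CERTIFICATE-----` onto the next `-----BEGIN CERTIFICATE-----` and the chain stops decoding. A small helper that trims each block and joins with an explicit newline removes that hidden dependence (it needs a `strings` import added to the file's import block). The constants also deserve a header comment stating that this is a throwaway CA hierarchy generated solely for the e2e suite, e.g. `// Test-only CA hierarchy (root -> issuer1 -> issuer2). The private keys are intentionally committed fixtures; never reuse them outside the e2e suite.`, which also lets secret-scanner hits on the `BEGIN RSA PRIVATE KEY` blocks be triaged at a glance. The embedded certificates carry fixed validity windows (I have not decoded the exact dates here), so the TLS verification in the CA suite will start failing once they lapse; recording the expiry and the regeneration steps in the same comment would spare the next maintainer a debugging session.
```go
// pemChain joins PEM blocks into one bundle, leaf first, without relying on
// whether each constant happens to carry a trailing newline.
func pemChain(blocks ...string) string {
	parts := make([]string, 0, len(blocks))
	for _, b := range blocks {
		parts = append(parts, strings.TrimSpace(b))
	}
	return strings.Join(parts, "\n") + "\n"
}

// … unchanged: PEM constants and newSigningKeypairSecret …

		StringData: map[string]string{
			corev1.TLSCertKey:       pemChain(issuer1Cert, rootCert),
			corev1.TLSPrivateKeyKey: issuer1Key,
		},

// … unchanged: issuer2 constants …

		StringData: map[string]string{
			corev1.TLSCertKey:       pemChain(issuer2Cert, issuer1Cert, rootCert),
			corev1.TLSPrivateKeyKey: issuer2Key,
		},
```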
@@ -31,6 +31,7 @@ import (
 var _ = framework.CertManagerDescribe("Self Signed Certificate", func() {
 f := framework.NewDefaultFramework("create-selfsigned-certificate")
+ h := f.Helper()
 issuerName := "test-selfsigned-issuer"
 certificateName := "test-selfsigned-certificate"
@@ -40,7 +41,6 @@ var _ = framework.CertManagerDescribe("Self Signed Certificate", func() {
 By("Creating an Issuer")
 certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
- secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
 _, err := f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name).Create(util.NewCertManagerSelfSignedIssuer(issuerName))
 Expect(err).NotTo(HaveOccurred())
@@ -55,7 +55,7 @@ var _ = framework.CertManagerDescribe("Self Signed Certificate", func() {
 By("Creating a Certificate")
 _, err = certClient.Create(util.NewCertManagerBasicCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil))
 Expect(err).NotTo(HaveOccurred())
- err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5)
+ err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5)
 Expect(err).NotTo(HaveOccurred())
 })
@@ -82,7 +82,6 @@ var _ = framework.CertManagerDescribe("Self Signed Certificate", func() {
 v := v
 It("should generate a signed keypair valid for "+v.label, func() {
 certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
- secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
 By("Creating an Issuer")
 issuerDurationName := fmt.Sprintf("%s-%d", issuerName, v.expectedDuration)
@@ -100,7 +99,7 @@ var _ = framework.CertManagerDescribe("Self Signed Certificate", func() {
 By("Creating a Certificate")
 cert, err := certClient.Create(util.NewCertManagerBasicCertificate(certificateName, certificateSecretName, issuerDurationName, v1alpha1.IssuerKind, v.inputDuration, v.inputRenewBefore))
 Expect(err).NotTo(HaveOccurred())
- err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Second*30)
+ err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Second*30)
 Expect(err).NotTo(HaveOccurred())
 f.CertificateDurationValid(cert, v.expectedDuration)
 })
diff --git a/test/e2e/suite/issuers/vault/certificate/approle.go b/test/e2e/suite/issuers/vault/certificate/approle.go
index fa3335925..7b2f6a65b 100644
--- a/test/e2e/suite/issuers/vault/certificate/approle.go
+++ b/test/e2e/suite/issuers/vault/certificate/approle.go
@@ -33,6 +33,7 @@ import (
 var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() {
 f := framework.NewDefaultFramework("create-vault-certificate")
+ h := f.Helper()
 var (
 tiller = &tiller.Tiller{
@@ -96,7 +97,6 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() {
 vaultURL := vault.Details().Host
 certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
- secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
 _, err := f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
@@ -115,7 +115,7 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() {
 _, err = certClient.Create(util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil))
 Expect(err).NotTo(HaveOccurred())
- err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5)
+ err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5)
 Expect(err).NotTo(HaveOccurred())
 })
@@ -157,9 +157,6 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() {
 v := v
 It("should generate a new certificate "+v.label, func() {
 By("Creating an Issuer")
- certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
- secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
-
 _, err := f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vault.Details().Host, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
 Expect(err).NotTo(HaveOccurred())
@@ -176,7 +173,7 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() {
 cert, err := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name).Create(util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, v.inputDuration, v.inputRenewBefore))
 Expect(err).NotTo(HaveOccurred())
- err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5)
+ err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5)
 Expect(err).NotTo(HaveOccurred())
 // Vault substract 30 seconds to the NotBefore date.
diff --git a/test/e2e/suite/issuers/vault/certificate/approle_custom_mount.go b/test/e2e/suite/issuers/vault/certificate/approle_custom_mount.go
index b4a29f7d7..c4a86ed09 100644
--- a/test/e2e/suite/issuers/vault/certificate/approle_custom_mount.go
+++ b/test/e2e/suite/issuers/vault/certificate/approle_custom_mount.go
@@ -32,6 +32,7 @@ import (
 var _ = framework.CertManagerDescribe("Vault Certificate (AppRole with a custom mount path)", func() {
 f := framework.NewDefaultFramework("create-vault-certificate")
+ h := f.Helper()
 var (
 tiller = &tiller.Tiller{
@@ -96,7 +97,6 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole with a custom
 vaultURL := vault.Details().Host
 certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
- secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
 _, err := f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
 Expect(err).NotTo(HaveOccurred())
@@ -114,7 +114,7 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole with a custom
 _, err = certClient.Create(util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil))
 Expect(err).NotTo(HaveOccurred())
- err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5)
+ err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5)
 Expect(err).NotTo(HaveOccurred())
 })
 })
diff --git a/test/e2e/util/BUILD.bazel b/test/e2e/util/BUILD.bazel
index 69dc80952..e7cb2cb22 100644
--- a/test/e2e/util/BUILD.bazel
+++ b/test/e2e/util/BUILD.bazel
@@ -10,7 +10,6 @@ go_library(
 "//pkg/client/clientset/versioned/scheme:go_default_library",
 "//pkg/client/clientset/versioned/typed/certmanager/v1alpha1:go_default_library",
 "//pkg/util:go_default_library",
- "//pkg/util/pki:go_default_library",
 "//test/e2e/framework/log:go_default_library",
 "//vendor/k8s.io/api/core/v1:go_default_library",
 "//vendor/k8s.io/api/extensions/v1beta1:go_default_library",
@@ -20,7 +19,6 @@ go_library(
 "//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
 "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
 "//vendor/k8s.io/client-go/kubernetes:go_default_library",
- "//vendor/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
 ],
 )
diff --git a/test/e2e/util/util.go b/test/e2e/util/util.go
index 75fa902a1..3902a084d 100644
--- a/test/e2e/util/util.go
+++ b/test/e2e/util/util.go
@@ -19,8 +19,6 @@ package util
 // TODO: we should break this file apart into separate more sane/reusable parts
 import (
- "crypto/ecdsa"
- "crypto/rsa"
 "crypto/x509"
 "fmt"
 "time"
@@ -30,17 +28,14 @@ import (
 extv1beta1 "k8s.io/api/extensions/v1beta1"
 apiextcs "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1beta1"
 "k8s.io/apimachinery/pkg/api/errors"
- apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/intstr"
 "k8s.io/apimachinery/pkg/util/wait"
 "k8s.io/client-go/kubernetes"
- corecs "k8s.io/client-go/kubernetes/typed/core/v1"
 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
 clientset "github.com/jetstack/cert-manager/pkg/client/clientset/versioned/typed/certmanager/v1alpha1"
 "github.com/jetstack/cert-manager/pkg/util"
- "github.com/jetstack/cert-manager/pkg/util/pki"
 "github.com/jetstack/cert-manager/test/e2e/framework/log"
 )
@@ -200,133 +195,6 @@ func wrapErrorWithCertificateStatusCondition(client clientset.CertificateInterfa return pollErr } -// WaitCertificateIssuedValid waits for the given Certificate to be -// 'Ready' and ensures the stored certificate is valid for the specified -// domains. -func WaitCertificateIssuedValidTLS(certClient clientset.CertificateInterface, secretClient corecs.SecretInterface, name string, timeout time.Duration, validateTLS bool) error { - return wait.PollImmediate(time.Second, timeout, - func() (bool, error) { - log.Logf("Waiting for Certificate %v to be ready", name) - certificate, err := certClient.Get(name, metav1.GetOptions{}) - if err != nil { - return false, fmt.Errorf("error getting Certificate %v: %v", name, err) - } - isReady := certificate.HasCondition(v1alpha1.CertificateCondition{ - Type: v1alpha1.CertificateConditionReady, - Status: v1alpha1.ConditionTrue, - }) - if !isReady { - return false, nil - } - log.Logf("Getting the TLS certificate Secret resource") - secret, err := secretClient.Get(certificate.Spec.SecretName, metav1.GetOptions{}) - if err != nil { - if apierrors.IsNotFound(err) { - return false, nil - } - - return false, err - } - if !(len(secret.Data) == 2 || len(secret.Data) == 3) { - log.Logf("Expected 2 keys in certificate secret, but there was %d", len(secret.Data)) - return false, nil - } - - keyBytes, ok := secret.Data[v1.TLSPrivateKeyKey] - if !ok { - log.Logf("No private key data found for Certificate %q (secret %q)", name, certificate.Spec.SecretName) - return false, nil - } - key, err := pki.DecodePrivateKeyBytes(keyBytes) - if err != nil { - return false, err - } - - // validate private key is of the correct type (rsa or ecdsa) - switch certificate.Spec.KeyAlgorithm { - case v1alpha1.KeyAlgorithm(""), - v1alpha1.RSAKeyAlgorithm: - _, ok := key.(*rsa.PrivateKey) - if !ok { - log.Logf("Expected private key of type RSA, but it was: %T", key) - return false, nil - } - case v1alpha1.ECDSAKeyAlgorithm: - _, ok := 
key.(*ecdsa.PrivateKey) - if !ok { - log.Logf("Expected private key of type ECDSA, but it was: %T", key) - return false, nil - } - default: - return false, fmt.Errorf("unrecognised requested private key algorithm %q", certificate.Spec.KeyAlgorithm) - } - - // TODO: validate private key KeySize - - // check the provided certificate is valid - expectedCN := pki.CommonNameForCertificate(certificate) - expectedOrganization := pki.OrganizationForCertificate(certificate) - expectedDNSNames := pki.DNSNamesForCertificate(certificate) - - certBytes, ok := secret.Data[v1.TLSCertKey] - if !ok { - log.Logf("No certificate data found for Certificate %q (secret %q)", name, certificate.Spec.SecretName) - return false, nil - } - - cert, err := pki.DecodeX509CertificateBytes(certBytes) - if err != nil { - return false, err - } - if expectedCN != cert.Subject.CommonName || !util.EqualUnsorted(cert.DNSNames, expectedDNSNames) || !(len(cert.Subject.Organization) == 0 || util.EqualUnsorted(cert.Subject.Organization, expectedOrganization)) { - log.Logf("Expected certificate valid for CN %q, O %v, dnsNames %v but got a certificate valid for CN %q, O %v, dnsNames %v", expectedCN, expectedOrganization, expectedDNSNames, cert.Subject.CommonName, cert.Subject.Organization, cert.DNSNames) - return false, nil - } - - if certificate.Status.NotAfter == nil { - log.Logf("No certificate expiration found for Certificate %q", name) - return false, nil - } - if !cert.NotAfter.Equal(certificate.Status.NotAfter.Time) { - log.Logf("Expected certificate expiry date to be %v, but got %v", certificate.Status.NotAfter, cert.NotAfter) - return false, nil - } - - label, ok := secret.Labels[v1alpha1.CertificateNameKey] - if !ok { - return false, fmt.Errorf("Expected secret to have certificate-name label, but had none") - } - - if label != certificate.Name { - return false, fmt.Errorf("Expected secret to have certificate-name label with a value of %q, but got %q", certificate.Name, label) - } - - // Run TLS 
Verification - if validateTLS { - rootCertPool := x509.NewCertPool() - rootCertPool.AppendCertsFromPEM([]byte(rootCert)) - intermediateCertPool := x509.NewCertPool() - intermediateCertPool.AppendCertsFromPEM(certBytes) - opts := x509.VerifyOptions{ - DNSName: expectedDNSNames[0], - Intermediates: intermediateCertPool, - Roots: rootCertPool, - } - - if _, err := cert.Verify(opts); err != nil { - return false, err - } - } - - return true, nil - }, - ) -} - -func WaitCertificateIssuedValid(certClient clientset.CertificateInterface, secretClient corecs.SecretInterface, name string, timeout time.Duration) error { - return WaitCertificateIssuedValidTLS(certClient, secretClient, name, timeout, false) -} - // WaitForCertificateToExist waits for the named certificate to exist func WaitForCertificateToExist(client clientset.CertificateInterface, name string, timeout time.Duration) error { return wait.PollImmediate(500*time.Millisecond, timeout, 
@@ -587,195 +455,3 @@ func NewCertManagerVaultIssuerAppRole(name, vaultURL, vaultPath, roleId, vaultSe }, } } - -const rootCert = `-----BEGIN CERTIFICATE----- -MIID4DCCAsigAwIBAgIJAJzTROInmDkQMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV -BAYTAlVLMQswCQYDVQQIEwJOQTEVMBMGA1UEChMMY2VydC1tYW5hZ2VyMSAwHgYD -VQQDExdjZXJ0LW1hbmFnZXIgdGVzdGluZyBDQTAeFw0xNzA5MTAxODMzNDNaFw0y -NzA5MDgxODMzNDNaMFMxCzAJBgNVBAYTAlVLMQswCQYDVQQIEwJOQTEVMBMGA1UE -ChMMY2VydC1tYW5hZ2VyMSAwHgYDVQQDExdjZXJ0LW1hbmFnZXIgdGVzdGluZyBD -QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+Q2AO4hARav0qwjk7I -4mEh5R201HS8s7HpaLOXBNvvh7qJ9yJz6jLqYg6EvP0K/bK56Cp2oe2igd7GOxpV -3YPOc3CG0CCqHMprEcvxj2xBKX00Rtcn4oVLhDPhAb0BV/R7NFLeWxzh+ggvPI1X -m1qLaWYqYZEJ5bBsYXD3tPdS4GGINRz8Zvih46f0Z2wVkCGoTpsbX8HO74sa2Day -UjzAsWGlO5bZGiMSHjDEnf9yek2TcjEyVoohoOLaQg/ng21T5RWzeZKTl1cznwuG -Vr9tZfHFqxQ5qeaId+1ICtxNvkEjbTnZl6Wy9Cthn0dxwOeS5TqMJ7SFNXy1gp4j -f/MCAwEAAaOBtjCBszAdBgNVHQ4EFgQUBtrjvWfbkLA0iX6sKVRhKUo864kwgYMG -A1UdIwR8MHqAFAba471n25CwNIl+rClUYSlKPOuJoVekVTBTMQswCQYDVQQGEwJV -SzELMAkGA1UECBMCTkExFTATBgNVBAoTDGNlcnQtbWFuYWdlcjEgMB4GA1UEAxMX -Y2VydC1tYW5hZ2VyIHRlc3RpbmcgQ0GCCQCc00TiJ5g5EDAMBgNVHRMEBTADAQH/ -MA0GCSqGSIb3DQEBCwUAA4IBAQCR+jXhup5tCKwhAf8xgvp589BczQOjmotuZGEL -Dcint2y263ChEdsoLhyJfvFCAZfTSm+UT95Hl+ZKVuoVEcAS7udaFUFpC/gIYVOi -H4/uvJps4SpVCB7+T/orcTjZ2ewT23mQAQg+B+iwX9VCof+fadkYOg1XD9/eaj6E -9McXID3iuCXg02RmEOwVMrTggHPwHrOGAilSaZc58cJZHmMYlT5rGrJcWS/AyXnH -VOodKC004yjh7w9aSbCCbAL0tDEnhm4Jrb8cxt7pDWbdEVUeuk9LZRQtluYBnmJU -kQ7ALfUfUh/RUpCV4uI6sEI3NDX2YqQbOtsBD/hNaL1F85FA ------END CERTIFICATE-----` - -const rootKey = `-----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAz5DYA7iEBFq/SrCOTsjiYSHlHbTUdLyzselos5cE2++Huon3 -InPqMupiDoS8/Qr9srnoKnah7aKB3sY7GlXdg85zcIbQIKocymsRy/GPbEEpfTRG -1yfihUuEM+EBvQFX9Hs0Ut5bHOH6CC88jVebWotpZiphkQnlsGxhcPe091LgYYg1 -HPxm+KHjp/RnbBWQIahOmxtfwc7vixrYNrJSPMCxYaU7ltkaIxIeMMSd/3J6TZNy -MTJWiiGg4tpCD+eDbVPlFbN5kpOXVzOfC4ZWv21l8cWrFDmp5oh37UgK3E2+QSNt 
-OdmXpbL0K2GfR3HA55LlOowntIU1fLWCniN/8wIDAQABAoIBAQCYvGvIKSG0FpbG -vi6pmLbEZO20s1jW4fiUxT2PUWR49sR4pocdahB/EOvA5TowNcNDnftSK+Ox+q/4 -HwRkt6R+Fg/qULmcH7F53dnFqeYw8a42/J3YOvg7v7rzdfISg4eWVobFJ+wBz+Nt -3FyBYWLm+MlBLZSH5rGG5em59/zJNHWIhH+oQPfCxAkYEvd8tXOTUzjhqvEfjaJy -FZghnT9xto4MwDdNCPbtzdNjTMhiv0AHkcZGGtRJfkehXX2qhXOQ2UzzO9XrMZnv -5KgYf+bXKJsyS3SPl6TTl7vg2gKBciRvsdFhMy5I5GyIADrEDJnNNmXQRtiaFLfd -k/aqfPT5AoGBAPquMouZUbVS/Qh+qbls7G4zAuznfCiqdctcKmUGPRP4sTTjWdUp -fjI+UTt1e8hncmr4RY7Oa9kUV/kDwzS5spUZZ+u0PczS3XKxOwNOleoH00dfc9vt -cxctHdPdDTndRi8Z4k3m931jIX7jB/Pyx8qeNYB3pj0k3ThktwMbAVLnAoGBANP4 -beI5zpbvtAdExJcuxx2mRDGF0lIdKC0bvQaeqM3Lwqnmc0Fz1dbP7KXDa+SdJWPd -res+NHPZoEPeEJuDTSngXOLNECZe4Ja9frn1TeY858vMJBwIkyc8zu+sgXxjQUM+ -TWUlTUhtXyybkRnxAEny4OT2TTgmXITJaKOmV1UVAoGAHaXSlo4YitB42rNYUXTf -dZ0U4H30Qj7+1YFeBjq5qI4GL1IgQsS4hyq1osmfTTFm593bJCunt7HfQbU/NhIs -W9P4ZXkYwgvCYxkw+JAnzNkGFO/mHQG1Ve1hFLiVIt3XuiRejoYdiTfbM02YmDKD -jKQvgbUk9SBSBaRrvLNJ8csCgYAYnrZEnGo+ZcEHRxl+ZdSCwRkSl3SCTRiphJtD -9ZGttYj6quWgKJAhzyyxZC1X9FivbMQSmrsE6bYPq+9J4MpJnuGrBh5mFocHeyMI -/lD5+QEDTsay6twMpqdydxrjE7Q01zuuD9MWIn33dGo6FR/vduJgNatqZipA0hPx -ThS+sQKBgQDh0+cVo1mfYiCkp3IQPB8QYiJ/g2/UBk6pH8ZZDZ+A5td6NveiWO1y -wTEUWkX2qyz9SLxWDGOhdKqxNrLCUSYSOV/5/JQEtBm6K50ArFtrY40JP/T/5KvM -tSK2ayFX1wQ3PuEmewAogy/20tWo80cr556AXA62Utl2PzLK30Db8w== ------END RSA PRIVATE KEY-----` - -func NewSigningKeypairSecret(name string) *v1.Secret { - return &v1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - }, - StringData: map[string]string{ - v1.TLSCertKey: rootCert, - v1.TLSPrivateKeyKey: rootKey, - }, - } -} - -const issuer1Cert = `-----BEGIN CERTIFICATE----- -MIIDnjCCAoagAwIBAgIUCAJmM4rqnkj65/0sFRSIjXNlmGYwDQYJKoZIhvcNAQEL -BQAwUzELMAkGA1UEBhMCVUsxCzAJBgNVBAgTAk5BMRUwEwYDVQQKEwxjZXJ0LW1h -bmFnZXIxIDAeBgNVBAMTF2NlcnQtbWFuYWdlciB0ZXN0aW5nIENBMB4XDTE4MTEx -NTAwMDQwMFoXDTIzMTExNDAwMDQwMFowVzELMAkGA1UEBhMCVUsxCzAJBgNVBAgT -Ak5BMRUwEwYDVQQKEwxjZXJ0LW1hbmFnZXIxJDAiBgNVBAMTG2NlcnQtbWFuYWdl 
-ciB0ZXN0aW5nIElzc3VlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AKubAgcLJfXspsDNNR/TO+UUy0s9DE28w4OXs7pAppe7rtK1a531M9lGg+jZPryT
-PER4HeobhIk7h1iTmcVHp1mDB3IFDfKL8jKNEnsHGTcn5xY1RkFihFPphBiyGwvY
-S4nGi1NubxTA+kW0Pbcf3po2NWNdntAHaMcvMEkq+NdoSEK1HACHQ8QqtqfKUxMD
-XMFDmJD21/4PM6iqhDw2HPe87FY7KKdYAsMV8KnT5DIGJ6UbuarTuMzXZq0a8/aW
-sto/hrBJir+CQwmNIYg41G8m1CgUz0a3FYxtvLNZweeW9+SiVl0FCiajLws0HIW5
-4RTJ44Omr2/byIB+lmV63AMCAwEAAaNmMGQwDgYDVR0PAQH/BAQDAgGmMBIGA1Ud
-EwEB/wQIMAYBAf8CAQMwHQYDVR0OBBYEFESJnTHvnJn8qIOb/JD+nw4o0yxnMB8G
-A1UdIwQYMBaAFAba471n25CwNIl+rClUYSlKPOuJMA0GCSqGSIb3DQEBCwUAA4IB
-AQBre0a1hD4T0W9E/yGhk6O8k11i63vhgIcMeN1/RMtgJRwIWIf3iKXAwAeIjkXZ
-eGGSNWh8pC1wFvE9LIomhZLPSn+98FJ9dLfcaQXDOEyZM71OTsWQKS4NVNloHOxV
-zujEujIIZ4caVbOlQWxf7lPydnXP+S7GsMU8vlOsU2RC9jN+yeuho+ZVguSC76ni
-CG+k/Lzf46CMAZtRLdv9FPFttodBnodapOEgkhGwhyz/J6eLR1t9DWlxpQ1vk45H
-dT3HDz1CNlF/5HzYpVBus553Z7SFh2x1umKfmTUWqmbFsslr2y4w2nkhyG2+jH+k
-lh+Eve9i4q7YaO0EMlOOJMar
------END CERTIFICATE-----
-`
-
-const issuer1Key = `-----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAq5sCBwsl9eymwM01H9M75RTLSz0MTbzDg5ezukCml7uu0rVr
-nfUz2UaD6Nk+vJM8RHgd6huEiTuHWJOZxUenWYMHcgUN8ovyMo0SewcZNyfnFjVG
-QWKEU+mEGLIbC9hLicaLU25vFMD6RbQ9tx/emjY1Y12e0Adoxy8wSSr412hIQrUc
-AIdDxCq2p8pTEwNcwUOYkPbX/g8zqKqEPDYc97zsVjsop1gCwxXwqdPkMgYnpRu5
-qtO4zNdmrRrz9pay2j+GsEmKv4JDCY0hiDjUbybUKBTPRrcVjG28s1nB55b35KJW
-XQUKJqMvCzQchbnhFMnjg6avb9vIgH6WZXrcAwIDAQABAoIBAHm3VFTSn3YzCIOw
-CYItPUpa2WbgQh3RSYvIyf3NZVwyDun9K/u5s7DkxyMdE9aFSDX4TJ+ELRl5U6KL
-7oFzNUvUGC/TTfU/NeaNERKaElSAxPOHjfFKgzlRZBRwH6bjH5D1dlUS+07pIZrX
-IP8GZ8lRscRs3vwGhVbiLYl4JVACydgyV/Th1yJYFEOXlmHV4Kk0ce3swsXL0NUb
-BFQ53RULSxLVaYy4XXF3azSUdMkalDf8DxxeFtPUSW49zp6/iOArZTNCoiGavOHo
-YvtnUXjt2QK64SdjFYMyCD8EcLlMTOUtAS10lw9NwUS3JMp3u79bO2uvRwJpT+IP
-Hb0Sg8ECgYEAyi41EwEE6cwNVOAZxkOgv+ejhBjKuUrhzp0vwg3Uziuy6TZPJEoA
-5e/8pFuvxbfU0lGUe6CkHdpSQPO7ifsTuxYxO/ZX8DqSaCwnRp+kJUyi7Jz3Ypfk
-LsVg3TMW9Hmvntz8kPTN8DJMo6W7TC0m05L5pyfvM2BpBXqYIPNLInkCgYEA2Uk8
-mnA43ME+oaqLxcqgIE1+AXeg+voH17kiuO7hVWlprxJv/b6AAjm0nxcuLcdofKJT
-JgaWrwyhI676q5T/lqQn/gdJ7rwz/83WnforW7WVza2XT+aDFcwNq07vHYoeCK6B
-5RJFIY4Yuk4CORXeElYipz/VyCO2mUgJfHNDs1sCgYEAkS3lBqRwtsHDwPK7D1d4
-ktTu4eg7ihpvU0IkDSCJcxKGAljxM4nAY1yU+iCsczmyJORXzv5nWthuwB1Eyav1
-Wx5wdDJMq0Aj6ZHrEheIcxA43ddI/Q881yj8iVoqXZsTtOvSoPRo/NXhmpFjkSvK
-+ZpMku9mIGpWf4ysuNx7U2ECgYEAlOk+IVFbht7g/4aT99+f0cOJ4ZOMvbPxAASf
-KUJ9Jz3w8cye97VAoUXO5WDLgxAwKYpNlbfaOOlc3cmjfUfFygWCavOv1W8h6+Oz
-e9zhLh7KJYUcN+PwXlXT4F1ePk5TuvtthgH5Yr+xbqzblSfJY6OoaBq1dk4TbAUU
-izerZBUCgYEAn28gG04dByfcyY/crwpRLNVlaA0J93v5H9E/wlEiV1PhEYTdj2S8
-PLm9ur3V+kkBSarBur9+rRil0BHvVgC9K6kwMr60JcVT+bmZi0AbPOlPZsp9OPQf
-YK5kMSMSbh4t9OUtadogDGI299P6Q9leaU65XRAar96wVsz8X/XdPPc=
------END RSA PRIVATE KEY-----`
-
-func NewSigningIssuer1KeypairSecret(name string) *v1.Secret {
- return &v1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: name,
- },
- StringData: map[string]string{
- v1.TLSCertKey: issuer1Cert + rootCert,
- v1.TLSPrivateKeyKey: issuer1Key,
- },
- }
-}
-
-const issuer2Cert = `-----BEGIN CERTIFICATE-----
-MIIDqjCCApKgAwIBAgIUHqm61uyYt2ICGRcZnBSjYaPonuowDQYJKoZIhvcNAQEL
-BQAwVzELMAkGA1UEBhMCVUsxCzAJBgNVBAgTAk5BMRUwEwYDVQQKEwxjZXJ0LW1h
-bmFnZXIxJDAiBgNVBAMTG2NlcnQtbWFuYWdlciB0ZXN0aW5nIElzc3VlcjAeFw0x
-ODExMTUwMDA0MDBaFw0yMzExMTQwMDA0MDBaMF8xCzAJBgNVBAYTAlVLMQswCQYD
-VQQIEwJOQTEVMBMGA1UEChMMY2VydC1tYW5hZ2VyMSwwKgYDVQQDEyNjZXJ0LW1h
-bmFnZXIgdGVzdGluZyBJc3N1ZXIgTGV2ZWwgMjCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAMRm1cYCcHmA7UtF3vISLiob5eh234njNp33nkFWjDsE9Zgi
-CIxVb9FBd+rkKn0xkPMke79lmr1kVkmjpAZ0Y0w/IDSEX8JMJvtyuAoS79r0W+rn
-dEG5GzJGLswOK0gsvGyl4i8E9a5itUkRa01OETFIiay0iwNMUYnIflm8G/Uu2Jhr
-/HSyWND+KLzX5gMDsiv4HdtCsNHstdMwBr4dkiCzpi+N/b2KTggmY84KeVQVpmRc
-IVoVr06uc3YTa2mlqrw3qX16d5r9DLYrrq1UT3HXB0PJvvsIjJN8eqKk33Mcbinj
-VR1Ywg9QYaJHpBPPxLL0AzNG29SebRLtGvKexoUCAwEAAaNmMGQwDgYDVR0PAQH/
-BAQDAgGmMBIGA1UdEwEB/wQIMAYBAf8CAQMwHQYDVR0OBBYEFHp3C+Se1LZMcQ0B
-0iycJLvwqo9lMB8GA1UdIwQYMBaAFESJnTHvnJn8qIOb/JD+nw4o0yxnMA0GCSqG
-SIb3DQEBCwUAA4IBAQA/lnvr+GnMJDA+Z7MEMRAcqdIScO38LVQNO340jFMcMkmW
-YTnyNoEvI4fnCon9Oz2FsFcZp90Gniu01lDLyzR+1SsfFf6zwqGVUV29hidR6BvD
-VGLM6SMnbgXUd+RPvAIrHU3BuSF2sRPiw7YqzgNVZQ2dUF+Q+R+Onu5i47CwVFOd
-6Dd7xr5+ECaHGyuIH/RsXLvB+2reJ5dEl3oBxiyyzY1oOkt6y4HrB8n90JWPmXIf
-9oQ8T+p3PbsFkz667nbVnVCkdAKtU/ZX09S1jGVKsOKszA1qhxFcMy+wkkyHq4Jj
-v+q/VgVxL5HzEw4zyKS9Y2lcwhCicMrLKIGt91fQ
------END CERTIFICATE-----
-`
-
-const issuer2Key = `-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAxGbVxgJweYDtS0Xe8hIuKhvl6HbfieM2nfeeQVaMOwT1mCII
-jFVv0UF36uQqfTGQ8yR7v2WavWRWSaOkBnRjTD8gNIRfwkwm+3K4ChLv2vRb6ud0
-QbkbMkYuzA4rSCy8bKXiLwT1rmK1SRFrTU4RMUiJrLSLA0xRich+Wbwb9S7YmGv8
-dLJY0P4ovNfmAwOyK/gd20Kw0ey10zAGvh2SILOmL439vYpOCCZjzgp5VBWmZFwh
-WhWvTq5zdhNraaWqvDepfXp3mv0MtiuurVRPcdcHQ8m++wiMk3x6oqTfcxxuKeNV
-HVjCD1BhokekE8/EsvQDM0bb1J5tEu0a8p7GhQIDAQABAoIBAFwCzV3RoL3bn8/m
-8Pa5e7UwkrogjsM7lkfVTOfRUysHPMPEFfsgv5zqLfL2Z811HjI6wlq9kAvwaNhg
-+KQpfKeo3z6bUX1mTdD5Qq09h+8tEa7wNi/gN5SK+ruQW8iZZMEFyfw7N5o2FjYg
-GgQCcd2D3TPy9TlbVMvXCRKjJPns4PvWnjcR6YryPCluhnm6t0UEdusAj5baENU5
-95XG3e+7ZWzz4uejY778pyV/4yCfMXG9HZInkw9Uj3aNibiP/oKyF8Z0m1tAheLp
-SfLH/KxC8sWW/Cn3YFAvq+3fSH3ezeaFNdQFi8L0uGA9h9ucZmKaT5jI1bM9Mj55
-Vrsg/wECgYEA7rCQ/NFLtQ6PZNSApxRdWG+67mDrWMuaHho9KB+g0vIzGoxj2+DS
-iVlk4F1zVjZ5S8yjSmBm2pxF4ornUdQUs5+iKHJqeweSQenZ3Ylx10rhACfUWhZ+
-Zo/mrG30MJs2ceOaYJww1zrcjI3ktFwpZlX95J/e26gGqY8GKA8KaEECgYEA0qUp
-3eWvwiTn2ztKEHZ06jNoPB1E3tAA939+W1Cy5VTDH2ZJYDE6lELTgW/7PuS6Auty
-cJur3nyIJMQkb2GBqh8jgxb7huDpOkf8kAdPoD9PnmWTisF5XKO5Uv3O2t/xKQNl
-pKAC9P1au3uCz8HA2ZbyLqiuXE7SKsIqQmMtbUUCgYArkAwWKDiyBcND+si0NbJH
-prSuNwAdB6PMJKvOu98FQPD0wnSjN6gVKzyO+l9Hd8+xdtrCg0+iTG0wyHspYxSY
-J+VXjnJCnAIkh4KcvS4Kxf7EoYBPJNXS8CaAh9zOVjWcmZaeVUNQtMx11pvMExn3
-NHCPHmJ1Inh8z76m5v/WQQKBgEeQFyYs10ZU9XQ0s1fedp/ucRYjN3efIQT0ioAJ
-bY2d+2BahskoUGd4QJTz716RpGRDizCYoo5GrpYXEO3KKZwbUhxCHZfYJ0RGmpZv
-9WxStgDxL2vviQShFuAMHE+dzzeI0OpZ9kc3H7EcJ/ffMl55+rNBWWNA4APozSSa
-vx8lAoGBAODUjD1S1w/l+OTZWqo+bUvpC58CSioZ+gvNi4KE0h+1ZgLgE1RivQOM
-UxwyspRQp2exnQ3hvCpzjhx+ji/FlhK86lspGjyZqTd+ifa/tO51+tvU217/XDtx
-JypkAFhZ398YzhuqsRbFNMFnxA6QT+YFsqjT+R0vSFM8n2qptJHB
------END RSA PRIVATE KEY-----`
-
-func NewSigningIssuer2KeypairSecret(name string) *v1.Secret {
- return &v1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: name,
- },
- StringData: map[string]string{
- v1.TLSCertKey: issuer2Cert + issuer1Cert + rootCert,
- v1.TLSPrivateKeyKey: issuer2Key,
- },
- }
-}
