diff --git a/test/e2e/suite/conformance/certificates/acme/acme.go b/test/e2e/suite/conformance/certificates/acme/acme.go index 294972296..532f1ae6e 100644 --- a/test/e2e/suite/conformance/certificates/acme/acme.go +++ b/test/e2e/suite/conformance/certificates/acme/acme.go @@ -56,16 +56,30 @@ var _ = framework.ConformanceDescribe("Certificates", func() { provisionerHTTP01 := new(acmeIssuerProvisioner) (&certificates.Suite{ - Name: "ACME HTTP01", - CreateIssuerFunc: provisionerHTTP01.createHTTP01, + Name: "ACME HTTP01 Issuer", + CreateIssuerFunc: provisionerHTTP01.createHTTP01Issuer, DeleteIssuerFunc: provisionerHTTP01.delete, UnsupportedFeatures: unsupportedHTTP01Features, }).Define() provisionerDNS01 := new(acmeIssuerProvisioner) (&certificates.Suite{ - Name: "ACME DNS01", - CreateIssuerFunc: provisionerDNS01.createDNS01, + Name: "ACME DNS01 Issuer", + CreateIssuerFunc: provisionerDNS01.createDNS01Issuer, + DeleteIssuerFunc: provisionerDNS01.delete, + UnsupportedFeatures: unsupportedDNS01Features, + }).Define() + + (&certificates.Suite{ + Name: "ACME HTTP01 ClusterIssuer", + CreateIssuerFunc: provisionerHTTP01.createHTTP01ClusterIssuer, + DeleteIssuerFunc: provisionerHTTP01.delete, + UnsupportedFeatures: unsupportedHTTP01Features, + }).Define() + + (&certificates.Suite{ + Name: "ACME DNS01 ClusterIssuer", + CreateIssuerFunc: provisionerDNS01.createDNS01ClusterIssuer, DeleteIssuerFunc: provisionerDNS01.delete, UnsupportedFeatures: unsupportedDNS01Features, }).Define() 
@@ -93,37 +107,15 @@ func (a *acmeIssuerProvisioner) delete(f *framework.Framework, ref cmmeta.Object // - pebble // - a properly configured Issuer resource -func (a *acmeIssuerProvisioner) createHTTP01(f *framework.Framework) cmmeta.ObjectReference { +func (a *acmeIssuerProvisioner) createHTTP01Issuer(f *framework.Framework) cmmeta.ObjectReference { a.deployTiller(f, "http01") - By("Creating an ACME HTTP01 issuer") + By("Creating an ACME HTTP01 Issuer") issuer := &cmapi.Issuer{ ObjectMeta: metav1.ObjectMeta{ Name: "acme-issuer-http01", }, - Spec: cmapi.IssuerSpec{ - IssuerConfig: cmapi.IssuerConfig{ - ACME: &cmacme.ACMEIssuer{ - Server: addon.Pebble.Details().Host, - SkipTLSVerify: true, - PrivateKey: cmmeta.SecretKeySelector{ - LocalObjectReference: cmmeta.LocalObjectReference{ - Name: "acme-private-key-http01", - }, - }, - Solvers: []cmacme.ACMEChallengeSolver{ - { - HTTP01: &cmacme.ACMEChallengeSolverHTTP01{ - // Not setting the Class or Name field will cause cert-manager to create - // new ingress resources that do not specify a class to solve challenges, - // which means all Ingress controllers should act on the ingresses. - Ingress: &cmacme.ACMEChallengeSolverHTTP01Ingress{}, - }, - }, - }, - }, - }, - }, + Spec: a.createHTTP01IssuerSpec(), } issuer, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(issuer) 
@@ -136,7 +128,54 @@ func (a *acmeIssuerProvisioner) createHTTP01(f *framework.Framework) cmmeta.Obje } } -func (a *acmeIssuerProvisioner) createDNS01(f *framework.Framework) cmmeta.ObjectReference { +func (a *acmeIssuerProvisioner) createHTTP01ClusterIssuer(f *framework.Framework) cmmeta.ObjectReference { + a.deployTiller(f, "http01") + + By("Creating an ACME HTTP01 ClusterIssuer") + issuer := &cmapi.ClusterIssuer{ + ObjectMeta: metav1.ObjectMeta{ + Name: "acme-issuer-http01", + }, + Spec: a.createHTTP01IssuerSpec(), + } + + issuer, err := f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(issuer) + Expect(err).NotTo(HaveOccurred(), "failed to create acme HTTP01 cluster issuer") + + return cmmeta.ObjectReference{ + Group: cmapi.SchemeGroupVersion.Group, + Kind: cmapi.ClusterIssuerKind, + Name: issuer.Name, + } +} + +func (a *acmeIssuerProvisioner) createHTTP01IssuerSpec() cmapi.IssuerSpec { + return cmapi.IssuerSpec{ + IssuerConfig: cmapi.IssuerConfig{ + ACME: &cmacme.ACMEIssuer{ + Server: addon.Pebble.Details().Host, + SkipTLSVerify: true, + PrivateKey: cmmeta.SecretKeySelector{ + LocalObjectReference: cmmeta.LocalObjectReference{ + Name: "acme-private-key-http01", + }, + }, + Solvers: []cmacme.ACMEChallengeSolver{ + { + HTTP01: &cmacme.ACMEChallengeSolverHTTP01{ + // Not setting the Class or Name field will cause cert-manager to create + // new ingress resources that do not specify a class to solve challenges, + // which means all Ingress controllers should act on the ingresses. + Ingress: &cmacme.ACMEChallengeSolverHTTP01Ingress{}, + }, + }, + }, + }, + }, + } +} + +func (a *acmeIssuerProvisioner) createDNS01Issuer(f *framework.Framework) cmmeta.ObjectReference { a.deployTiller(f, "dns01") a.cloudflare = &dnsproviders.Cloudflare{ 
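Review bot: createHTTP01ClusterIssuer creates a cluster-scoped object with the fixed name `acme-issuer-http01`, the same name the namespaced variant uses, so a ClusterIssuer left behind by an earlier run makes this Create fail with AlreadyExists; cleanup rests on `delete`, whose handling of a `ClusterIssuerKind` reference is outside this hunk and worth confirming. The doc comment that precedes createHTTP01Issuer (listing tiller, pebble and the Issuer it deploys) has no counterpart on the new function; add `// createHTTP01ClusterIssuer deploys the same tiller/pebble setup as createHTTP01Issuer but registers the ACME config as a cluster-scoped ClusterIssuer, so the private-key Secret is created in cert-manager's cluster-resource namespace rather than the test namespace.` createHTTP01IssuerSpec never reads `a` and could be a plain function; its `SkipTLSVerify: true` is acceptable only because the server is the in-cluster Pebble test CA, which a one-line comment should state.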
@@ -145,33 +184,15 @@ func (a *acmeIssuerProvisioner) createDNS01(f *framework.Framework) cmmeta.Objec Expect(a.cloudflare.Setup(f.Config)).NotTo(HaveOccurred(), "failed to setup cloudflare") Expect(a.cloudflare.Provision()).NotTo(HaveOccurred(), "failed to provision cloudflare") - By("Creating an ACME DNS01 issuer") + By("Creating an ACME DNS01 Issuer") issuer := &cmapi.Issuer{ ObjectMeta: metav1.ObjectMeta{ Name: "acme-issuer-dns01", }, - Spec: cmapi.IssuerSpec{ - IssuerConfig: cmapi.IssuerConfig{ - ACME: &cmacme.ACMEIssuer{ - // Hardcode this to the acme staging endpoint now due to issues with pebble dns resolution - Server: "https://acme-staging-v02.api.letsencrypt.org/directory", - SkipTLSVerify: true, - PrivateKey: cmmeta.SecretKeySelector{ - LocalObjectReference: cmmeta.LocalObjectReference{ - Name: "acme-private-key", - }, - }, - Solvers: []cmacme.ACMEChallengeSolver{ - { - DNS01: &a.cloudflare.Details().ProviderConfig, - }, - }, - }, - }, - }, + Spec: a.createDNS01IssuerSpec(), } issuer, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(issuer) - Expect(err).NotTo(HaveOccurred(), "failed to create acme DNS01 issuer") + Expect(err).NotTo(HaveOccurred(), "failed to create acme DNS01 Issuer") return cmmeta.ObjectReference{ Group: cmapi.SchemeGroupVersion.Group, 
@@ -180,6 +201,54 @@ func (a *acmeIssuerProvisioner) createDNS01(f *framework.Framework) cmmeta.Objec } } +func (a *acmeIssuerProvisioner) createDNS01ClusterIssuer(f *framework.Framework) cmmeta.ObjectReference { + a.deployTiller(f, "dns01") + + a.cloudflare = &dnsproviders.Cloudflare{ + Namespace: f.Namespace.Name, + } + Expect(a.cloudflare.Setup(f.Config)).NotTo(HaveOccurred(), "failed to setup cloudflare") + Expect(a.cloudflare.Provision()).NotTo(HaveOccurred(), "failed to provision cloudflare") + + By("Creating an ACME DNS01 ClusterIssuer") + issuer := &cmapi.ClusterIssuer{ + ObjectMeta: metav1.ObjectMeta{ + Name: "acme-issuer-dns01", + }, + Spec: a.createDNS01IssuerSpec(), + } + issuer, err := f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(issuer) + Expect(err).NotTo(HaveOccurred(), "failed to create acme DNS01 ClusterIssuer") + + return cmmeta.ObjectReference{ + Group: cmapi.SchemeGroupVersion.Group, + Kind: cmapi.ClusterIssuerKind, + Name: issuer.Name, + } +} + +func (a *acmeIssuerProvisioner) createDNS01IssuerSpec() cmapi.IssuerSpec { + return cmapi.IssuerSpec{ + IssuerConfig: cmapi.IssuerConfig{ + ACME: &cmacme.ACMEIssuer{ + // Hardcode this to the acme staging endpoint now due to issues with pebble dns resolution + Server: "https://acme-staging-v02.api.letsencrypt.org/directory", + SkipTLSVerify: true, + PrivateKey: cmmeta.SecretKeySelector{ + LocalObjectReference: cmmeta.LocalObjectReference{ + Name: "acme-private-key", + }, + }, + Solvers: []cmacme.ACMEChallengeSolver{ + { + DNS01: &a.cloudflare.Details().ProviderConfig, + }, + }, + }, + }, + } +} + func (a *acmeIssuerProvisioner) deployTiller(f *framework.Framework, solverType string) { a.tiller = &tiller.Tiller{ Name: "tiller-deploy-" + solverType, diff --git a/test/e2e/suite/conformance/certificates/ca/BUILD.bazel b/test/e2e/suite/conformance/certificates/ca/BUILD.bazel index ff486eafd..24524b26c 100644 --- a/test/e2e/suite/conformance/certificates/ca/BUILD.bazel 
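Review bot: createDNS01ClusterIssuer builds the Cloudflare provider with `Namespace: f.Namespace.Name`, but a ClusterIssuer resolves solver Secret references in cert-manager's cluster-resource namespace, not the test namespace; the CA and Vault ClusterIssuer variants in this commit use `addon.CertManager.Namespace` for exactly that reason. If dnsproviders.Cloudflare stores its API credentials as a Secret in the namespace it is given (its body is not visible here), the DNS01 ClusterIssuer will never find them; the likely fix is `Namespace: addon.CertManager.Namespace,` in the Cloudflare struct. The ClusterIssuer also reuses the fixed name `acme-issuer-dns01`, so it depends on `delete` removing cluster-scoped refs between suites. createDNS01IssuerSpec keeps `SkipTLSVerify: true` against the public Let's Encrypt staging directory, which serves a valid certificate; that flag is only needed for Pebble and should be dropped in this spec so the test also exercises normal TLS verification.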
+++ b/test/e2e/suite/conformance/certificates/ca/BUILD.bazel @@ -9,6 +9,7 @@ go_library( "//pkg/apis/certmanager/v1alpha2:go_default_library", "//pkg/apis/meta/v1:go_default_library", "//test/e2e/framework:go_default_library", + "//test/e2e/framework/addon:go_default_library", "//test/e2e/suite/conformance/certificates:go_default_library", "@com_github_onsi_ginkgo//:go_default_library", "@com_github_onsi_gomega//:go_default_library", diff --git a/test/e2e/suite/conformance/certificates/ca/ca.go b/test/e2e/suite/conformance/certificates/ca/ca.go index 8287579d0..fe316a48e 100644 --- a/test/e2e/suite/conformance/certificates/ca/ca.go +++ b/test/e2e/suite/conformance/certificates/ca/ca.go @@ -25,18 +25,25 @@ import ( cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2" cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1" "github.com/jetstack/cert-manager/test/e2e/framework" + "github.com/jetstack/cert-manager/test/e2e/framework/addon" "github.com/jetstack/cert-manager/test/e2e/suite/conformance/certificates" ) var _ = framework.ConformanceDescribe("Certificates", func() { (&certificates.Suite{ - Name: "CA", + Name: "CA Issuer", CreateIssuerFunc: createCAIssuer, }).Define() + + (&certificates.Suite{ + Name: "CA ClusterIssuer", + CreateIssuerFunc: createCAClusterIssuer, + }).Define() }) func createCAIssuer(f *framework.Framework) cmmeta.ObjectReference { - By("Creating a CA issuer") + By("Creating a CA Issuer") + rootCertSecret, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(newSigningKeypairSecret("root-cert")) Expect(err).NotTo(HaveOccurred(), "failed to create root signing keypair secret") 
@@ -44,14 +51,9 @@ func createCAIssuer(f *framework.Framework) cmmeta.ObjectReference { ObjectMeta: metav1.ObjectMeta{ Name: "ca", }, - Spec: cmapi.IssuerSpec{ - IssuerConfig: cmapi.IssuerConfig{ - CA: &cmapi.CAIssuer{ - SecretName: rootCertSecret.Name, - }, - }, - }, + Spec: createCAIssuerSpec(rootCertSecret.Name), }) + Expect(err).NotTo(HaveOccurred(), "failed to create ca issuer") return cmmeta.ObjectReference{ @@ -61,6 +63,38 @@ func createCAIssuer(f *framework.Framework) cmmeta.ObjectReference { } } +func createCAClusterIssuer(f *framework.Framework) cmmeta.ObjectReference { + By("Creating a CA ClusterIssuer") + + rootCertSecret, err := f.KubeClientSet.CoreV1().Secrets(addon.CertManager.Namespace).Create(newSigningKeypairSecret("root-cert")) + Expect(err).NotTo(HaveOccurred(), "failed to create root signing keypair secret") + + issuer, err := f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(&cmapi.ClusterIssuer{ + ObjectMeta: metav1.ObjectMeta{ + Name: "ca", + }, + Spec: createCAIssuerSpec(rootCertSecret.Name), + }) + + Expect(err).NotTo(HaveOccurred(), "failed to create ca issuer") + + return cmmeta.ObjectReference{ + Group: cmapi.SchemeGroupVersion.Group, + Kind: cmapi.ClusterIssuerKind, + Name: issuer.Name, + } +} + +func createCAIssuerSpec(rootCertSecretName string) cmapi.IssuerSpec { + return cmapi.IssuerSpec{ + IssuerConfig: cmapi.IssuerConfig{ + CA: &cmapi.CAIssuer{ + SecretName: rootCertSecretName, + }, + }, + } +} + const rootCert = `-----BEGIN CERTIFICATE----- MIID4DCCAsigAwIBAgIJAJzTROInmDkQMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV BAYTAlVLMQswCQYDVQQIEwJOQTEVMBMGA1UEChMMY2VydC1tYW5hZ2VyMSAwHgYD diff --git a/test/e2e/suite/conformance/certificates/selfsigned/selfsigned.go b/test/e2e/suite/conformance/certificates/selfsigned/selfsigned.go index 93915850c..8ed86079b 100644 --- a/test/e2e/suite/conformance/certificates/selfsigned/selfsigned.go +++ b/test/e2e/suite/conformance/certificates/selfsigned/selfsigned.go 
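Review bot: createCAClusterIssuer creates both the `root-cert` Secret in addon.CertManager.Namespace and a ClusterIssuer with the fixed name `ca`, yet the "CA ClusterIssuer" Suite registered in the previous hunk sets no DeleteIssuerFunc, so nothing in this file removes either object and a repeated or parallel run would hit AlreadyExists on cluster-wide names — unless the framework deletes by the returned ObjectReference, which is not visible here. Give the ClusterIssuer variant a delete func (or use `GenerateName` as the Venafi variant does) so the shared namespace is not left holding a signing keypair after the suite ends. The failure message `"failed to create ca issuer"` is copied from the namespaced path; `"failed to create ca cluster issuer"` would tell the two apart in CI output.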
@@ -29,22 +29,24 @@ import ( var _ = framework.ConformanceDescribe("Certificates", func() { (&certificates.Suite{ - Name: "SelfSigned", + Name: "SelfSigned Issuer", CreateIssuerFunc: createSelfSignedIssuer, }).Define() + + (&certificates.Suite{ + Name: "SelfSigned ClusterIssuer", + CreateIssuerFunc: createSelfSignedClusterIssuer, + }).Define() }) func createSelfSignedIssuer(f *framework.Framework) cmmeta.ObjectReference { - By("Creating a SelfSigned issuer") + By("Creating a SelfSigned Issuer") + _, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(&cmapi.Issuer{ ObjectMeta: metav1.ObjectMeta{ Name: "selfsigned", }, - Spec: cmapi.IssuerSpec{ - IssuerConfig: cmapi.IssuerConfig{ - SelfSigned: &cmapi.SelfSignedIssuer{}, - }, - }, + Spec: createSelfSignedIssuerSpec(), }) Expect(err).NotTo(HaveOccurred(), "failed to create self signed issuer") @@ -54,3 +56,29 @@ func createSelfSignedIssuer(f *framework.Framework) cmmeta.ObjectReference { Name: "selfsigned", } } + +func createSelfSignedClusterIssuer(f *framework.Framework) cmmeta.ObjectReference { + By("Creating a SelfSigned ClusterIssuer") + + _, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(&cmapi.Issuer{ + ObjectMeta: metav1.ObjectMeta{ + Name: "selfsigned", + }, + Spec: createSelfSignedIssuerSpec(), + }) + Expect(err).NotTo(HaveOccurred(), "failed to create self signed issuer") + + return cmmeta.ObjectReference{ + Group: cmapi.SchemeGroupVersion.Group, + Kind: cmapi.ClusterIssuerKind, + Name: "selfsigned", + } +} + +func createSelfSignedIssuerSpec() cmapi.IssuerSpec { + return cmapi.IssuerSpec{ + IssuerConfig: cmapi.IssuerConfig{ + SelfSigned: &cmapi.SelfSignedIssuer{}, + }, + } +} diff --git a/test/e2e/suite/conformance/certificates/vault/BUILD.bazel b/test/e2e/suite/conformance/certificates/vault/BUILD.bazel index 67ecaf17f..0131bb301 100644 --- a/test/e2e/suite/conformance/certificates/vault/BUILD.bazel 
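Review bot: createSelfSignedClusterIssuer never creates a ClusterIssuer: it calls `Issuers(f.Namespace.Name).Create(&cmapi.Issuer{...})` exactly as the namespaced variant does, then returns a reference with `Kind: cmapi.ClusterIssuerKind`, so the "SelfSigned ClusterIssuer" suite provisions a namespaced Issuer while its Certificates reference a ClusterIssuer named `selfsigned` that does not exist. The create call should read `_, err := f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(&cmapi.ClusterIssuer{` with the same ObjectMeta and Spec, and the message should say `"failed to create self signed cluster issuer"`. The same slip appears in vaultAppRoleProvisioner.createClusterIssuer in vault_approle.go. Neither ClusterIssuer suite sets a DeleteIssuerFunc, so once fixed the cluster-scoped `selfsigned` object will persist between runs unless the framework removes it.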
+++ b/test/e2e/suite/conformance/certificates/vault/BUILD.bazel
@@ -9,6 +9,7 @@ go_library(
         "//pkg/apis/certmanager/v1alpha2:go_default_library",
         "//pkg/apis/meta/v1:go_default_library",
         "//test/e2e/framework:go_default_library",
+        "//test/e2e/framework/addon:go_default_library",
         "//test/e2e/framework/addon/tiller:go_default_library",
         "//test/e2e/framework/addon/vault:go_default_library",
         "//test/e2e/suite/conformance/certificates:go_default_library",
diff --git a/test/e2e/suite/conformance/certificates/vault/vault_approle.go b/test/e2e/suite/conformance/certificates/vault/vault_approle.go
index 8ebcabc76..a7069e163 100644
--- a/test/e2e/suite/conformance/certificates/vault/vault_approle.go
+++ b/test/e2e/suite/conformance/certificates/vault/vault_approle.go
@@ -26,11 +26,19 @@ import (
 	cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2"
 	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
 	"github.com/jetstack/cert-manager/test/e2e/framework"
+	"github.com/jetstack/cert-manager/test/e2e/framework/addon"
 	"github.com/jetstack/cert-manager/test/e2e/framework/addon/tiller"
 	vault "github.com/jetstack/cert-manager/test/e2e/framework/addon/vault"
 	"github.com/jetstack/cert-manager/test/e2e/suite/conformance/certificates"
 )
 
+const (
+	intermediateMount = "intermediate-ca"
+	role = "kubernetes-vault"
+	vaultSecretAppRoleName = "vault-role"
+	authPath = "approle"
+)
+
 var _ = framework.ConformanceDescribe("Certificates", func() {
 	var unsupportedFeatures = certificates.NewFeatureSet(
 		certificates.KeyUsagesFeature,
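Review bot: The new package-level constants `role` and `authPath` are very generic names for a package that holds more than one file (the BUILD target lists tiller and vault addons), and none of the four carries a comment saying what Vault object it names. A short header such as `// Vault layout shared by the Issuer and ClusterIssuer variants: intermediateMount is the PKI mount whose sign/<role> endpoint issues leaves, role the PKI role, authPath the AppRole auth mount, and vaultSecretAppRoleName the Kubernetes Secret that holds the AppRole secret ID.` would make the later `path.Join(intermediateMount, "sign", role)` self-explanatory; renaming to `pkiRole` and `appRoleAuthPath` would avoid collisions with other files in the package.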
@@ -39,8 +47,15 @@ var _ = framework.ConformanceDescribe("Certificates", func() { provisioner := new(vaultAppRoleProvisioner) (&certificates.Suite{ - Name: "VaultAppRole", - CreateIssuerFunc: provisioner.create, + Name: "VaultAppRole Issuer", + CreateIssuerFunc: provisioner.createIssuer, + DeleteIssuerFunc: provisioner.delete, + UnsupportedFeatures: unsupportedFeatures, + }).Define() + + (&certificates.Suite{ + Name: "VaultAppRole ClusterIssuer", + CreateIssuerFunc: provisioner.createClusterIssuer, DeleteIssuerFunc: provisioner.delete, UnsupportedFeatures: unsupportedFeatures, }).Define() 
@@ -52,15 +67,64 @@ type vaultAppRoleProvisioner struct { vaultInit *vault.VaultInitializer } +type vaultSecrets struct { + roleID string + secretID string +} + func (v *vaultAppRoleProvisioner) delete(f *framework.Framework, ref cmmeta.ObjectReference) { Expect(v.vaultInit.Clean()).NotTo(HaveOccurred(), "failed to deprovision vault initializer") Expect(v.vault.Deprovision()).NotTo(HaveOccurred(), "failed to deprovision vault") Expect(v.tiller.Deprovision()).NotTo(HaveOccurred(), "failed to deprovision tiller") } -func (v *vaultAppRoleProvisioner) create(f *framework.Framework) cmmeta.ObjectReference { - By("Creating a VaultAppRole issuer") +func (v *vaultAppRoleProvisioner) createIssuer(f *framework.Framework) cmmeta.ObjectReference { + By("Creating a VaultAppRole Issuer") + vaultSecrets := v.initVault(f) + + _, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(vault.NewVaultAppRoleSecret(vaultSecretAppRoleName, vaultSecrets.secretID)) + Expect(err).NotTo(HaveOccurred(), "vault to store app role secret from vault") + + issuer, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(&cmapi.Issuer{ + ObjectMeta: metav1.ObjectMeta{ + Name: "vault-issuer", + }, + Spec: v.createIssuerSpec(f, vaultSecrets), + }) + Expect(err).NotTo(HaveOccurred(), "failed to create vault issuer") + + return cmmeta.ObjectReference{ + Group: cmapi.SchemeGroupVersion.Group, + Kind: cmapi.IssuerKind, + Name: issuer.Name, + } +} + +func (v *vaultAppRoleProvisioner) createClusterIssuer(f *framework.Framework) cmmeta.ObjectReference { + By("Creating a VaultAppRole ClusterIssuer") + + vaultSecrets := v.initVault(f) + + _, err := f.KubeClientSet.CoreV1().Secrets(addon.CertManager.Namespace).Create(vault.NewVaultAppRoleSecret(vaultSecretAppRoleName, vaultSecrets.secretID)) + Expect(err).NotTo(HaveOccurred(), "vault to store app role secret from vault") + + issuer, err := 
f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(&cmapi.Issuer{ + ObjectMeta: metav1.ObjectMeta{ + Name: "vault-issuer", + }, + Spec: v.createIssuerSpec(f, vaultSecrets), + }) + Expect(err).NotTo(HaveOccurred(), "failed to create vault issuer") + + return cmmeta.ObjectReference{ + Group: cmapi.SchemeGroupVersion.Group, + Kind: cmapi.ClusterIssuerKind, + Name: issuer.Name, + } +} + +func (v *vaultAppRoleProvisioner) initVault(f *framework.Framework) *vaultSecrets { v.tiller = &tiller.Tiller{ Name: "tiller-deploy", Namespace: f.Namespace.Name, @@ -77,12 +141,6 @@ func (v *vaultAppRoleProvisioner) create(f *framework.Framework) cmmeta.ObjectRe Expect(v.vault.Setup(f.Config)).NotTo(HaveOccurred(), "failed to setup vault") Expect(v.vault.Provision()).NotTo(HaveOccurred(), "failed to provision vault") - intermediateMount := "intermediate-ca" - role := "kubernetes-vault" - vaultSecretAppRoleName := "vault-role" - vaultPath := path.Join(intermediateMount, "sign", role) - authPath := "approle" - By("Configuring the VaultAppRole server") v.vaultInit = &vault.VaultInitializer{ Details: *v.vault.Details(), 
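Review bot: createClusterIssuer (its body begins on the previous line) writes the AppRole Secret to `addon.CertManager.Namespace` but then creates a namespaced `cmapi.Issuer` in `f.Namespace.Name`, so the Issuer's SecretRef `vault-role` is resolved in the test namespace where it was never written, and the returned reference claims `Kind: cmapi.ClusterIssuerKind` for an object that does not exist. The create call should be `issuer, err := f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(&cmapi.ClusterIssuer{` with the same ObjectMeta and Spec — the same Issuer-versus-ClusterIssuer slip as in createSelfSignedClusterIssuer. As a point of style, the local `vaultSecrets := v.initVault(f)` in both create functions shadows the `vaultSecrets` type declared in this hunk; `secs`, the name createIssuerSpec already uses, avoids the clash. The two Expect messages `"vault to store app role secret from vault"` read as if a word is missing; `"failed to store app role secret in kubernetes"` says what was being done.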
@@ -97,40 +155,34 @@ func (v *vaultAppRoleProvisioner) create(f *framework.Framework) cmmeta.ObjectRe roleID, secretID, err := v.vaultInit.CreateAppRole() Expect(err).NotTo(HaveOccurred(), "vault to create app role from vault") - _, err = f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(vault.NewVaultAppRoleSecret(vaultSecretAppRoleName, secretID)) - Expect(err).NotTo(HaveOccurred(), "vault to store app role secret from vault") + return &vaultSecrets{ + roleID: roleID, + secretID: secretID, + } +} - issuer, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(&cmapi.Issuer{ - ObjectMeta: metav1.ObjectMeta{ - Name: "vault-issuer", - }, - Spec: cmapi.IssuerSpec{ - IssuerConfig: cmapi.IssuerConfig{ - Vault: &cmapi.VaultIssuer{ - Server: v.vault.Details().Host, - Path: vaultPath, - CABundle: v.vault.Details().VaultCA, - Auth: cmapi.VaultAuth{ - AppRole: &cmapi.VaultAppRole{ - Path: authPath, - RoleId: roleID, - SecretRef: cmmeta.SecretKeySelector{ - Key: "secretkey", - LocalObjectReference: cmmeta.LocalObjectReference{ - Name: vaultSecretAppRoleName, - }, +func (v *vaultAppRoleProvisioner) createIssuerSpec(f *framework.Framework, secs *vaultSecrets) cmapi.IssuerSpec { + vaultPath := path.Join(intermediateMount, "sign", role) + + return cmapi.IssuerSpec{ + IssuerConfig: cmapi.IssuerConfig{ + Vault: &cmapi.VaultIssuer{ + Server: v.vault.Details().Host, + Path: vaultPath, + CABundle: v.vault.Details().VaultCA, + Auth: cmapi.VaultAuth{ + AppRole: &cmapi.VaultAppRole{ + Path: authPath, + RoleId: secs.roleID, + SecretRef: cmmeta.SecretKeySelector{ + Key: "secretkey", + LocalObjectReference: cmmeta.LocalObjectReference{ + Name: vaultSecretAppRoleName, }, }, }, }, }, }, - }) - Expect(err).NotTo(HaveOccurred(), "failed to create vault issuer") - - return cmmeta.ObjectReference{ - Group: cmapi.SchemeGroupVersion.Group, - Kind: cmapi.IssuerKind, - Name: issuer.Name, } } 
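Review bot: createIssuerSpec takes `f *framework.Framework` but never reads it; the spec is built only from `v.vault.Details()` and `secs`, so the parameter should go (`func (v *vaultAppRoleProvisioner) createIssuerSpec(secs *vaultSecrets) cmapi.IssuerSpec`) and the two call sites updated. `secs` is dereferenced without a nil check and initVault always returns a non-nil pointer, so passing `vaultSecrets` by value would make that contract explicit rather than implicit. The `Key: "secretkey"` literal must match whatever key vault.NewVaultAppRoleSecret writes (not visible here); a comment such as `// must match the key written by vault.NewVaultAppRoleSecret` would stop the two from drifting apart silently.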
diff --git a/test/e2e/suite/conformance/certificates/venafi/BUILD.bazel b/test/e2e/suite/conformance/certificates/venafi/BUILD.bazel
index 99f62c15d..cbb98bd64 100644
--- a/test/e2e/suite/conformance/certificates/venafi/BUILD.bazel
+++ b/test/e2e/suite/conformance/certificates/venafi/BUILD.bazel
@@ -9,6 +9,7 @@ go_library(
         "//pkg/apis/certmanager/v1alpha2:go_default_library",
         "//pkg/apis/meta/v1:go_default_library",
         "//test/e2e/framework:go_default_library",
+        "//test/e2e/framework/addon:go_default_library",
         "//test/e2e/framework/util/errors:go_default_library",
         "//test/e2e/suite/issuers/venafi/addon:go_default_library",
         "@com_github_onsi_ginkgo//:go_default_library",
diff --git a/test/e2e/suite/conformance/certificates/venafi/venafi.go b/test/e2e/suite/conformance/certificates/venafi/venafi.go
index 3a1657e87..b25697c1a 100644
--- a/test/e2e/suite/conformance/certificates/venafi/venafi.go
+++ b/test/e2e/suite/conformance/certificates/venafi/venafi.go
@@ -23,6 +23,7 @@ import (
 	cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2"
 	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
 	"github.com/jetstack/cert-manager/test/e2e/framework"
+	"github.com/jetstack/cert-manager/test/e2e/framework/addon"
 	"github.com/jetstack/cert-manager/test/e2e/framework/util/errors"
 	vaddon "github.com/jetstack/cert-manager/test/e2e/suite/issuers/venafi/addon"
 )
@@ -41,8 +42,15 @@ var _ = framework.ConformanceDescribe("Certificates", func() {
 	//
 	//provisioner := new(venafiProvisioner)
 	//(&certificates.Suite{
-	// Name: "Venafi",
-	// CreateIssuerFunc: provisioner.create,
+	// Name: "Venafi Issuer",
+	// CreateIssuerFunc: provisioner.createIssuer,
+	// DeleteIssuerFunc: provisioner.delete,
+	// UnsupportedFeatures: unsupportedFeatures,
+	//}).Define()
+
+	//(&certificates.Suite{
+	// Name: "Venafi ClusterIssuer",
+	// CreateIssuerFunc: provisioner.createClusterIssuer,
 	// DeleteIssuerFunc: provisioner.delete,
 	// UnsupportedFeatures: unsupportedFeatures,
 	//}).Define()
@@ -56,8 +64,8 @@ func (v *venafiProvisioner) delete(f *framework.Framework, ref cmmeta.ObjectRefe Expect(v.tpp.Deprovision()).NotTo(HaveOccurred(), "failed to deprovision tpp venafi") } -func (v *venafiProvisioner) create(f *framework.Framework) cmmeta.ObjectReference { - By("Creating a Venafi issuer") +func (v *venafiProvisioner) createIssuer(f *framework.Framework) cmmeta.ObjectReference { + By("Creating a Venafi Issuer") v.tpp = &vaddon.VenafiTPP{ Namespace: f.Namespace.Name, @@ -81,3 +89,29 @@ func (v *venafiProvisioner) create(f *framework.Framework) cmmeta.ObjectReferenc Name: issuer.Name, } } + +func (v *venafiProvisioner) createClusterIssuer(f *framework.Framework) cmmeta.ObjectReference { + By("Creating a Venafi ClusterIssuer") + + v.tpp = &vaddon.VenafiTPP{ + Namespace: addon.CertManager.Namespace, + } + + err := v.tpp.Setup(f.Config) + if errors.IsSkip(err) { + framework.Skipf("Skipping test as addon could not be setup: %v", err) + } + Expect(err).NotTo(HaveOccurred(), "failed to setup tpp venafi") + + Expect(v.tpp.Provision()).NotTo(HaveOccurred(), "failed to provision tpp venafi") + + issuer := v.tpp.Details().BuildClusterIssuer() + issuer, err = f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(issuer) + Expect(err).NotTo(HaveOccurred(), "failed to create issuer for venafi") + + return cmmeta.ObjectReference{ + Group: cmapi.SchemeGroupVersion.Group, + Kind: cmapi.ClusterIssuerKind, + Name: issuer.Name, + } +} diff --git a/test/e2e/suite/issuers/venafi/addon/tpp.go b/test/e2e/suite/issuers/venafi/addon/tpp.go index 27ed74ff3..3e20a8640 100644 --- a/test/e2e/suite/issuers/venafi/addon/tpp.go +++ b/test/e2e/suite/issuers/venafi/addon/tpp.go 
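Review bot: createClusterIssuer creates a ClusterIssuer through `BuildClusterIssuer()`, which uses GenerateName `venafi-tpp-`, but the visible part of `delete` at the top of this diff only deprovisions `v.tpp`, so each run leaves another generated, credential-bearing ClusterIssuer in the cluster unless the framework deletes by the returned ObjectReference; `delete`'s body is cut off above this hunk, so this is inferred. If `delete` is meant to cover it, remove the object by `ref.Kind`/`ref.Name` there. The error message `"failed to create issuer for venafi"` should say cluster issuer so the two paths are distinguishable. Both suites that would call this are still commented out in the earlier hunk, so this function is currently unexercised and a regression here would not surface in CI.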
@@ -126,3 +126,16 @@ func (t *TPPDetails) BuildIssuer() *cmapi.Issuer {
 		},
 	}
 }
+
+func (t *TPPDetails) BuildClusterIssuer() *cmapi.ClusterIssuer {
+	return &cmapi.ClusterIssuer{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: "venafi-tpp-",
+		},
+		Spec: cmapi.IssuerSpec{
+			IssuerConfig: cmapi.IssuerConfig{
+				Venafi: &t.issuerTemplate,
+			},
+		},
+	}
+}
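Review bot: BuildClusterIssuer is exported but has no doc comment, and `Venafi: &t.issuerTemplate` stores a pointer into the receiver, so the returned ClusterIssuer's spec aliases `t.issuerTemplate` and a later change to either side is visible through the other; BuildIssuer above presumably does the same, but its body is outside the hunk. Add `// BuildClusterIssuer returns a ClusterIssuer (GenerateName "venafi-tpp-") whose Venafi config points at t.issuerTemplate; the spec shares that struct with t rather than copying it.` If callers are allowed to mutate the result, copy first (`tmpl := t.issuerTemplate` and use `&tmpl`) so one test's edits cannot leak into the next issuer built from the same TPPDetails.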