Adds cluster issuer tests for all conformance issuer suites
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
This commit is contained in:
parent
dfaf2f20c2
commit
56a40ddba7
@ -56,16 +56,30 @@ var _ = framework.ConformanceDescribe("Certificates", func() {
|
||||
|
||||
provisionerHTTP01 := new(acmeIssuerProvisioner)
|
||||
(&certificates.Suite{
|
||||
Name: "ACME HTTP01",
|
||||
CreateIssuerFunc: provisionerHTTP01.createHTTP01,
|
||||
Name: "ACME HTTP01 Issuer",
|
||||
CreateIssuerFunc: provisionerHTTP01.createHTTP01Issuer,
|
||||
DeleteIssuerFunc: provisionerHTTP01.delete,
|
||||
UnsupportedFeatures: unsupportedHTTP01Features,
|
||||
}).Define()
|
||||
|
||||
provisionerDNS01 := new(acmeIssuerProvisioner)
|
||||
(&certificates.Suite{
|
||||
Name: "ACME DNS01",
|
||||
CreateIssuerFunc: provisionerDNS01.createDNS01,
|
||||
Name: "ACME DNS01 Issuer",
|
||||
CreateIssuerFunc: provisionerDNS01.createDNS01Issuer,
|
||||
DeleteIssuerFunc: provisionerDNS01.delete,
|
||||
UnsupportedFeatures: unsupportedDNS01Features,
|
||||
}).Define()
|
||||
|
||||
(&certificates.Suite{
|
||||
Name: "ACME HTTP01 ClusterIssuer",
|
||||
CreateIssuerFunc: provisionerHTTP01.createHTTP01ClusterIssuer,
|
||||
DeleteIssuerFunc: provisionerHTTP01.delete,
|
||||
UnsupportedFeatures: unsupportedHTTP01Features,
|
||||
}).Define()
|
||||
|
||||
(&certificates.Suite{
|
||||
Name: "ACME DNS01 ClusterIssuer",
|
||||
CreateIssuerFunc: provisionerDNS01.createDNS01ClusterIssuer,
|
||||
DeleteIssuerFunc: provisionerDNS01.delete,
|
||||
UnsupportedFeatures: unsupportedDNS01Features,
|
||||
}).Define()
|
||||
@ -93,37 +107,15 @@ func (a *acmeIssuerProvisioner) delete(f *framework.Framework, ref cmmeta.Object
|
||||
// - pebble
|
||||
// - a properly configured Issuer resource
|
||||
|
||||
func (a *acmeIssuerProvisioner) createHTTP01(f *framework.Framework) cmmeta.ObjectReference {
|
||||
func (a *acmeIssuerProvisioner) createHTTP01Issuer(f *framework.Framework) cmmeta.ObjectReference {
|
||||
a.deployTiller(f, "http01")
|
||||
|
||||
By("Creating an ACME HTTP01 issuer")
|
||||
By("Creating an ACME HTTP01 Issuer")
|
||||
issuer := &cmapi.Issuer{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "acme-issuer-http01",
|
||||
},
|
||||
Spec: cmapi.IssuerSpec{
|
||||
IssuerConfig: cmapi.IssuerConfig{
|
||||
ACME: &cmacme.ACMEIssuer{
|
||||
Server: addon.Pebble.Details().Host,
|
||||
SkipTLSVerify: true,
|
||||
PrivateKey: cmmeta.SecretKeySelector{
|
||||
LocalObjectReference: cmmeta.LocalObjectReference{
|
||||
Name: "acme-private-key-http01",
|
||||
},
|
||||
},
|
||||
Solvers: []cmacme.ACMEChallengeSolver{
|
||||
{
|
||||
HTTP01: &cmacme.ACMEChallengeSolverHTTP01{
|
||||
// Not setting the Class or Name field will cause cert-manager to create
|
||||
// new ingress resources that do not specify a class to solve challenges,
|
||||
// which means all Ingress controllers should act on the ingresses.
|
||||
Ingress: &cmacme.ACMEChallengeSolverHTTP01Ingress{},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
Spec: a.createHTTP01IssuerSpec(),
|
||||
}
|
||||
|
||||
issuer, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(issuer)
|
||||
@ -136,7 +128,54 @@ func (a *acmeIssuerProvisioner) createHTTP01(f *framework.Framework) cmmeta.Obje
|
||||
}
|
||||
}
|
||||
|
||||
func (a *acmeIssuerProvisioner) createDNS01(f *framework.Framework) cmmeta.ObjectReference {
|
||||
func (a *acmeIssuerProvisioner) createHTTP01ClusterIssuer(f *framework.Framework) cmmeta.ObjectReference {
|
||||
a.deployTiller(f, "http01")
|
||||
|
||||
By("Creating an ACME HTTP01 ClusterIssuer")
|
||||
issuer := &cmapi.ClusterIssuer{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "acme-issuer-http01",
|
||||
},
|
||||
Spec: a.createHTTP01IssuerSpec(),
|
||||
}
|
||||
|
||||
issuer, err := f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(issuer)
|
||||
Expect(err).NotTo(HaveOccurred(), "failed to create acme HTTP01 cluster issuer")
|
||||
|
||||
return cmmeta.ObjectReference{
|
||||
Group: cmapi.SchemeGroupVersion.Group,
|
||||
Kind: cmapi.ClusterIssuerKind,
|
||||
Name: issuer.Name,
|
||||
}
|
||||
}
|
||||
|
||||
func (a *acmeIssuerProvisioner) createHTTP01IssuerSpec() cmapi.IssuerSpec {
|
||||
return cmapi.IssuerSpec{
|
||||
IssuerConfig: cmapi.IssuerConfig{
|
||||
ACME: &cmacme.ACMEIssuer{
|
||||
Server: addon.Pebble.Details().Host,
|
||||
SkipTLSVerify: true,
|
||||
PrivateKey: cmmeta.SecretKeySelector{
|
||||
LocalObjectReference: cmmeta.LocalObjectReference{
|
||||
Name: "acme-private-key-http01",
|
||||
},
|
||||
},
|
||||
Solvers: []cmacme.ACMEChallengeSolver{
|
||||
{
|
||||
HTTP01: &cmacme.ACMEChallengeSolverHTTP01{
|
||||
// Not setting the Class or Name field will cause cert-manager to create
|
||||
// new ingress resources that do not specify a class to solve challenges,
|
||||
// which means all Ingress controllers should act on the ingresses.
|
||||
Ingress: &cmacme.ACMEChallengeSolverHTTP01Ingress{},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func (a *acmeIssuerProvisioner) createDNS01Issuer(f *framework.Framework) cmmeta.ObjectReference {
|
||||
a.deployTiller(f, "dns01")
|
||||
|
||||
a.cloudflare = &dnsproviders.Cloudflare{
|
||||
@ -145,33 +184,15 @@ func (a *acmeIssuerProvisioner) createDNS01(f *framework.Framework) cmmeta.Objec
|
||||
Expect(a.cloudflare.Setup(f.Config)).NotTo(HaveOccurred(), "failed to setup cloudflare")
|
||||
Expect(a.cloudflare.Provision()).NotTo(HaveOccurred(), "failed to provision cloudflare")
|
||||
|
||||
By("Creating an ACME DNS01 issuer")
|
||||
By("Creating an ACME DNS01 Issuer")
|
||||
issuer := &cmapi.Issuer{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "acme-issuer-dns01",
|
||||
},
|
||||
Spec: cmapi.IssuerSpec{
|
||||
IssuerConfig: cmapi.IssuerConfig{
|
||||
ACME: &cmacme.ACMEIssuer{
|
||||
// Hardcode this to the acme staging endpoint now due to issues with pebble dns resolution
|
||||
Server: "https://acme-staging-v02.api.letsencrypt.org/directory",
|
||||
SkipTLSVerify: true,
|
||||
PrivateKey: cmmeta.SecretKeySelector{
|
||||
LocalObjectReference: cmmeta.LocalObjectReference{
|
||||
Name: "acme-private-key",
|
||||
},
|
||||
},
|
||||
Solvers: []cmacme.ACMEChallengeSolver{
|
||||
{
|
||||
DNS01: &a.cloudflare.Details().ProviderConfig,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
Spec: a.createDNS01IssuerSpec(),
|
||||
}
|
||||
issuer, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(issuer)
|
||||
Expect(err).NotTo(HaveOccurred(), "failed to create acme DNS01 issuer")
|
||||
Expect(err).NotTo(HaveOccurred(), "failed to create acme DNS01 Issuer")
|
||||
|
||||
return cmmeta.ObjectReference{
|
||||
Group: cmapi.SchemeGroupVersion.Group,
|
||||
@ -180,6 +201,54 @@ func (a *acmeIssuerProvisioner) createDNS01(f *framework.Framework) cmmeta.Objec
|
||||
}
|
||||
}
|
||||
|
||||
func (a *acmeIssuerProvisioner) createDNS01ClusterIssuer(f *framework.Framework) cmmeta.ObjectReference {
|
||||
a.deployTiller(f, "dns01")
|
||||
|
||||
a.cloudflare = &dnsproviders.Cloudflare{
|
||||
Namespace: f.Namespace.Name,
|
||||
}
|
||||
Expect(a.cloudflare.Setup(f.Config)).NotTo(HaveOccurred(), "failed to setup cloudflare")
|
||||
Expect(a.cloudflare.Provision()).NotTo(HaveOccurred(), "failed to provision cloudflare")
|
||||
|
||||
By("Creating an ACME DNS01 ClusterIssuer")
|
||||
issuer := &cmapi.ClusterIssuer{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "acme-issuer-dns01",
|
||||
},
|
||||
Spec: a.createDNS01IssuerSpec(),
|
||||
}
|
||||
issuer, err := f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(issuer)
|
||||
Expect(err).NotTo(HaveOccurred(), "failed to create acme DNS01 ClusterIssuer")
|
||||
|
||||
return cmmeta.ObjectReference{
|
||||
Group: cmapi.SchemeGroupVersion.Group,
|
||||
Kind: cmapi.ClusterIssuerKind,
|
||||
Name: issuer.Name,
|
||||
}
|
||||
}
|
||||
|
||||
func (a *acmeIssuerProvisioner) createDNS01IssuerSpec() cmapi.IssuerSpec {
|
||||
return cmapi.IssuerSpec{
|
||||
IssuerConfig: cmapi.IssuerConfig{
|
||||
ACME: &cmacme.ACMEIssuer{
|
||||
// Hardcode this to the acme staging endpoint now due to issues with pebble dns resolution
|
||||
Server: "https://acme-staging-v02.api.letsencrypt.org/directory",
|
||||
SkipTLSVerify: true,
|
||||
PrivateKey: cmmeta.SecretKeySelector{
|
||||
LocalObjectReference: cmmeta.LocalObjectReference{
|
||||
Name: "acme-private-key",
|
||||
},
|
||||
},
|
||||
Solvers: []cmacme.ACMEChallengeSolver{
|
||||
{
|
||||
DNS01: &a.cloudflare.Details().ProviderConfig,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func (a *acmeIssuerProvisioner) deployTiller(f *framework.Framework, solverType string) {
|
||||
a.tiller = &tiller.Tiller{
|
||||
Name: "tiller-deploy-" + solverType,
|
||||
|
||||
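Review bot: createDNS01ClusterIssuer configures the Cloudflare provider with `Namespace: f.Namespace.Name,` even though the object it then creates is cluster-scoped; the sibling createCAClusterIssuer and vault createClusterIssuer put their secrets in `addon.CertManager.Namespace`, which is where a ClusterIssuer resolves secret references. If the provider's Namespace field is where it stores its API-credential secret (not visible here), the DNS01 solver on the ClusterIssuer will not find it, and the line should presumably read `Namespace: addon.CertManager.Namespace,`. Separately, both new ClusterIssuer helpers use fixed names (`acme-issuer-http01`, `acme-issuer-dns01`) and `delete` — whose body lies outside the hunk — receives the ref; if Define invokes CreateIssuerFunc more than once per run, the second Create fails with AlreadyExists unless delete removes the ClusterIssuer. This applies to the hunk starting at `@ -180,6 +201,54`.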
@ -9,6 +9,7 @@ go_library(
|
||||
"//pkg/apis/certmanager/v1alpha2:go_default_library",
|
||||
"//pkg/apis/meta/v1:go_default_library",
|
||||
"//test/e2e/framework:go_default_library",
|
||||
"//test/e2e/framework/addon:go_default_library",
|
||||
"//test/e2e/suite/conformance/certificates:go_default_library",
|
||||
"@com_github_onsi_ginkgo//:go_default_library",
|
||||
"@com_github_onsi_gomega//:go_default_library",
|
||||
|
||||
@ -25,18 +25,25 @@ import (
|
||||
cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2"
|
||||
cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
|
||||
"github.com/jetstack/cert-manager/test/e2e/framework"
|
||||
"github.com/jetstack/cert-manager/test/e2e/framework/addon"
|
||||
"github.com/jetstack/cert-manager/test/e2e/suite/conformance/certificates"
|
||||
)
|
||||
|
||||
var _ = framework.ConformanceDescribe("Certificates", func() {
|
||||
(&certificates.Suite{
|
||||
Name: "CA",
|
||||
Name: "CA Issuer",
|
||||
CreateIssuerFunc: createCAIssuer,
|
||||
}).Define()
|
||||
|
||||
(&certificates.Suite{
|
||||
Name: "CA ClusterIssuer",
|
||||
CreateIssuerFunc: createCAClusterIssuer,
|
||||
}).Define()
|
||||
})
|
||||
|
||||
func createCAIssuer(f *framework.Framework) cmmeta.ObjectReference {
|
||||
By("Creating a CA issuer")
|
||||
By("Creating a CA Issuer")
|
||||
|
||||
rootCertSecret, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(newSigningKeypairSecret("root-cert"))
|
||||
Expect(err).NotTo(HaveOccurred(), "failed to create root signing keypair secret")
|
||||
|
||||
@ -44,14 +51,9 @@ func createCAIssuer(f *framework.Framework) cmmeta.ObjectReference {
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "ca",
|
||||
},
|
||||
Spec: cmapi.IssuerSpec{
|
||||
IssuerConfig: cmapi.IssuerConfig{
|
||||
CA: &cmapi.CAIssuer{
|
||||
SecretName: rootCertSecret.Name,
|
||||
},
|
||||
},
|
||||
},
|
||||
Spec: createCAIssuerSpec(rootCertSecret.Name),
|
||||
})
|
||||
|
||||
Expect(err).NotTo(HaveOccurred(), "failed to create ca issuer")
|
||||
|
||||
return cmmeta.ObjectReference{
|
||||
@ -61,6 +63,38 @@ func createCAIssuer(f *framework.Framework) cmmeta.ObjectReference {
|
||||
}
|
||||
}
|
||||
|
||||
func createCAClusterIssuer(f *framework.Framework) cmmeta.ObjectReference {
|
||||
By("Creating a CA ClusterIssuer")
|
||||
|
||||
rootCertSecret, err := f.KubeClientSet.CoreV1().Secrets(addon.CertManager.Namespace).Create(newSigningKeypairSecret("root-cert"))
|
||||
Expect(err).NotTo(HaveOccurred(), "failed to create root signing keypair secret")
|
||||
|
||||
issuer, err := f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(&cmapi.ClusterIssuer{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "ca",
|
||||
},
|
||||
Spec: createCAIssuerSpec(rootCertSecret.Name),
|
||||
})
|
||||
|
||||
Expect(err).NotTo(HaveOccurred(), "failed to create ca issuer")
|
||||
|
||||
return cmmeta.ObjectReference{
|
||||
Group: cmapi.SchemeGroupVersion.Group,
|
||||
Kind: cmapi.ClusterIssuerKind,
|
||||
Name: issuer.Name,
|
||||
}
|
||||
}
|
||||
|
||||
func createCAIssuerSpec(rootCertSecretName string) cmapi.IssuerSpec {
|
||||
return cmapi.IssuerSpec{
|
||||
IssuerConfig: cmapi.IssuerConfig{
|
||||
CA: &cmapi.CAIssuer{
|
||||
SecretName: rootCertSecretName,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
const rootCert = `-----BEGIN CERTIFICATE-----
|
||||
MIID4DCCAsigAwIBAgIJAJzTROInmDkQMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV
|
||||
BAYTAlVLMQswCQYDVQQIEwJOQTEVMBMGA1UEChMMY2VydC1tYW5hZ2VyMSAwHgYD
|
||||
|
||||
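Review bot: createCAClusterIssuer creates the `root-cert` secret in `addon.CertManager.Namespace` and a ClusterIssuer named `ca`, and neither CA suite registers a DeleteIssuerFunc, so unlike the namespaced variant nothing cleans these up when the test namespace is deleted. A second Create of either fixed-name object fails with AlreadyExists, and the signing key is left in cert-manager's namespace after the test. Either give both objects a GenerateName, or add a DeleteIssuerFunc to the ClusterIssuer suite that deletes the ClusterIssuer named by ref and the root-cert secret. The assertion message `"failed to create ca issuer"` on the cluster path should also say cluster issuer so a failure is attributable.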
@ -29,22 +29,24 @@ import (
|
||||
|
||||
var _ = framework.ConformanceDescribe("Certificates", func() {
|
||||
(&certificates.Suite{
|
||||
Name: "SelfSigned",
|
||||
Name: "SelfSigned Issuer",
|
||||
CreateIssuerFunc: createSelfSignedIssuer,
|
||||
}).Define()
|
||||
|
||||
(&certificates.Suite{
|
||||
Name: "SelfSigned ClusterIssuer",
|
||||
CreateIssuerFunc: createSelfSignedClusterIssuer,
|
||||
}).Define()
|
||||
})
|
||||
|
||||
func createSelfSignedIssuer(f *framework.Framework) cmmeta.ObjectReference {
|
||||
By("Creating a SelfSigned issuer")
|
||||
By("Creating a SelfSigned Issuer")
|
||||
|
||||
_, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(&cmapi.Issuer{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "selfsigned",
|
||||
},
|
||||
Spec: cmapi.IssuerSpec{
|
||||
IssuerConfig: cmapi.IssuerConfig{
|
||||
SelfSigned: &cmapi.SelfSignedIssuer{},
|
||||
},
|
||||
},
|
||||
Spec: createSelfSignedIssuerSpec(),
|
||||
})
|
||||
Expect(err).NotTo(HaveOccurred(), "failed to create self signed issuer")
|
||||
|
||||
@ -54,3 +56,29 @@ func createSelfSignedIssuer(f *framework.Framework) cmmeta.ObjectReference {
|
||||
Name: "selfsigned",
|
||||
}
|
||||
}
|
||||
|
||||
func createSelfSignedClusterIssuer(f *framework.Framework) cmmeta.ObjectReference {
|
||||
By("Creating a SelfSigned ClusterIssuer")
|
||||
|
||||
_, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(&cmapi.Issuer{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "selfsigned",
|
||||
},
|
||||
Spec: createSelfSignedIssuerSpec(),
|
||||
})
|
||||
Expect(err).NotTo(HaveOccurred(), "failed to create self signed issuer")
|
||||
|
||||
return cmmeta.ObjectReference{
|
||||
Group: cmapi.SchemeGroupVersion.Group,
|
||||
Kind: cmapi.ClusterIssuerKind,
|
||||
Name: "selfsigned",
|
||||
}
|
||||
}
|
||||
|
||||
func createSelfSignedIssuerSpec() cmapi.IssuerSpec {
|
||||
return cmapi.IssuerSpec{
|
||||
IssuerConfig: cmapi.IssuerConfig{
|
||||
SelfSigned: &cmapi.SelfSignedIssuer{},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
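Review bot: createSelfSignedClusterIssuer creates a namespaced Issuer via `Issuers(f.Namespace.Name).Create(&cmapi.Issuer{` but returns `Kind: cmapi.ClusterIssuerKind`, so the suite references a ClusterIssuer named `selfsigned` that was never created. The call should be `_, err := f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(&cmapi.ClusterIssuer{` with the ObjectMeta and Spec literals unchanged. The same copy-paste defect appears in vault's createClusterIssuer (`@ -52,15 +67,64`), where it additionally leaves the Issuer looking for the `vault-role` secret in the test namespace while the secret was written to cert-manager's namespace. The fixed-name cluster-scoped object is also never deleted since the SelfSigned suites set no DeleteIssuerFunc.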
@ -9,6 +9,7 @@ go_library(
|
||||
"//pkg/apis/certmanager/v1alpha2:go_default_library",
|
||||
"//pkg/apis/meta/v1:go_default_library",
|
||||
"//test/e2e/framework:go_default_library",
|
||||
"//test/e2e/framework/addon:go_default_library",
|
||||
"//test/e2e/framework/addon/tiller:go_default_library",
|
||||
"//test/e2e/framework/addon/vault:go_default_library",
|
||||
"//test/e2e/suite/conformance/certificates:go_default_library",
|
||||
|
||||
@ -26,11 +26,19 @@ import (
|
||||
cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2"
|
||||
cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
|
||||
"github.com/jetstack/cert-manager/test/e2e/framework"
|
||||
"github.com/jetstack/cert-manager/test/e2e/framework/addon"
|
||||
"github.com/jetstack/cert-manager/test/e2e/framework/addon/tiller"
|
||||
vault "github.com/jetstack/cert-manager/test/e2e/framework/addon/vault"
|
||||
"github.com/jetstack/cert-manager/test/e2e/suite/conformance/certificates"
|
||||
)
|
||||
|
||||
const (
|
||||
intermediateMount = "intermediate-ca"
|
||||
role = "kubernetes-vault"
|
||||
vaultSecretAppRoleName = "vault-role"
|
||||
authPath = "approle"
|
||||
)
|
||||
|
||||
var _ = framework.ConformanceDescribe("Certificates", func() {
|
||||
var unsupportedFeatures = certificates.NewFeatureSet(
|
||||
certificates.KeyUsagesFeature,
|
||||
@ -39,8 +47,15 @@ var _ = framework.ConformanceDescribe("Certificates", func() {
|
||||
provisioner := new(vaultAppRoleProvisioner)
|
||||
|
||||
(&certificates.Suite{
|
||||
Name: "VaultAppRole",
|
||||
CreateIssuerFunc: provisioner.create,
|
||||
Name: "VaultAppRole Issuer",
|
||||
CreateIssuerFunc: provisioner.createIssuer,
|
||||
DeleteIssuerFunc: provisioner.delete,
|
||||
UnsupportedFeatures: unsupportedFeatures,
|
||||
}).Define()
|
||||
|
||||
(&certificates.Suite{
|
||||
Name: "VaultAppRole ClusterIssuer",
|
||||
CreateIssuerFunc: provisioner.createClusterIssuer,
|
||||
DeleteIssuerFunc: provisioner.delete,
|
||||
UnsupportedFeatures: unsupportedFeatures,
|
||||
}).Define()
|
||||
@ -52,15 +67,64 @@ type vaultAppRoleProvisioner struct {
|
||||
vaultInit *vault.VaultInitializer
|
||||
}
|
||||
|
||||
type vaultSecrets struct {
|
||||
roleID string
|
||||
secretID string
|
||||
}
|
||||
|
||||
func (v *vaultAppRoleProvisioner) delete(f *framework.Framework, ref cmmeta.ObjectReference) {
|
||||
Expect(v.vaultInit.Clean()).NotTo(HaveOccurred(), "failed to deprovision vault initializer")
|
||||
Expect(v.vault.Deprovision()).NotTo(HaveOccurred(), "failed to deprovision vault")
|
||||
Expect(v.tiller.Deprovision()).NotTo(HaveOccurred(), "failed to deprovision tiller")
|
||||
}
|
||||
|
||||
func (v *vaultAppRoleProvisioner) create(f *framework.Framework) cmmeta.ObjectReference {
|
||||
By("Creating a VaultAppRole issuer")
|
||||
func (v *vaultAppRoleProvisioner) createIssuer(f *framework.Framework) cmmeta.ObjectReference {
|
||||
By("Creating a VaultAppRole Issuer")
|
||||
|
||||
vaultSecrets := v.initVault(f)
|
||||
|
||||
_, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(vault.NewVaultAppRoleSecret(vaultSecretAppRoleName, vaultSecrets.secretID))
|
||||
Expect(err).NotTo(HaveOccurred(), "vault to store app role secret from vault")
|
||||
|
||||
issuer, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(&cmapi.Issuer{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "vault-issuer",
|
||||
},
|
||||
Spec: v.createIssuerSpec(f, vaultSecrets),
|
||||
})
|
||||
Expect(err).NotTo(HaveOccurred(), "failed to create vault issuer")
|
||||
|
||||
return cmmeta.ObjectReference{
|
||||
Group: cmapi.SchemeGroupVersion.Group,
|
||||
Kind: cmapi.IssuerKind,
|
||||
Name: issuer.Name,
|
||||
}
|
||||
}
|
||||
|
||||
func (v *vaultAppRoleProvisioner) createClusterIssuer(f *framework.Framework) cmmeta.ObjectReference {
|
||||
By("Creating a VaultAppRole ClusterIssuer")
|
||||
|
||||
vaultSecrets := v.initVault(f)
|
||||
|
||||
_, err := f.KubeClientSet.CoreV1().Secrets(addon.CertManager.Namespace).Create(vault.NewVaultAppRoleSecret(vaultSecretAppRoleName, vaultSecrets.secretID))
|
||||
Expect(err).NotTo(HaveOccurred(), "vault to store app role secret from vault")
|
||||
|
||||
issuer, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(&cmapi.Issuer{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "vault-issuer",
|
||||
},
|
||||
Spec: v.createIssuerSpec(f, vaultSecrets),
|
||||
})
|
||||
Expect(err).NotTo(HaveOccurred(), "failed to create vault issuer")
|
||||
|
||||
return cmmeta.ObjectReference{
|
||||
Group: cmapi.SchemeGroupVersion.Group,
|
||||
Kind: cmapi.ClusterIssuerKind,
|
||||
Name: issuer.Name,
|
||||
}
|
||||
}
|
||||
|
||||
func (v *vaultAppRoleProvisioner) initVault(f *framework.Framework) *vaultSecrets {
|
||||
v.tiller = &tiller.Tiller{
|
||||
Name: "tiller-deploy",
|
||||
Namespace: f.Namespace.Name,
|
||||
@ -77,12 +141,6 @@ func (v *vaultAppRoleProvisioner) create(f *framework.Framework) cmmeta.ObjectRe
|
||||
Expect(v.vault.Setup(f.Config)).NotTo(HaveOccurred(), "failed to setup vault")
|
||||
Expect(v.vault.Provision()).NotTo(HaveOccurred(), "failed to provision vault")
|
||||
|
||||
intermediateMount := "intermediate-ca"
|
||||
role := "kubernetes-vault"
|
||||
vaultSecretAppRoleName := "vault-role"
|
||||
vaultPath := path.Join(intermediateMount, "sign", role)
|
||||
authPath := "approle"
|
||||
|
||||
By("Configuring the VaultAppRole server")
|
||||
v.vaultInit = &vault.VaultInitializer{
|
||||
Details: *v.vault.Details(),
|
||||
@ -97,40 +155,34 @@ func (v *vaultAppRoleProvisioner) create(f *framework.Framework) cmmeta.ObjectRe
|
||||
roleID, secretID, err := v.vaultInit.CreateAppRole()
|
||||
Expect(err).NotTo(HaveOccurred(), "vault to create app role from vault")
|
||||
|
||||
_, err = f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(vault.NewVaultAppRoleSecret(vaultSecretAppRoleName, secretID))
|
||||
Expect(err).NotTo(HaveOccurred(), "vault to store app role secret from vault")
|
||||
return &vaultSecrets{
|
||||
roleID: roleID,
|
||||
secretID: secretID,
|
||||
}
|
||||
}
|
||||
|
||||
issuer, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(&cmapi.Issuer{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "vault-issuer",
|
||||
},
|
||||
Spec: cmapi.IssuerSpec{
|
||||
IssuerConfig: cmapi.IssuerConfig{
|
||||
Vault: &cmapi.VaultIssuer{
|
||||
Server: v.vault.Details().Host,
|
||||
Path: vaultPath,
|
||||
CABundle: v.vault.Details().VaultCA,
|
||||
Auth: cmapi.VaultAuth{
|
||||
AppRole: &cmapi.VaultAppRole{
|
||||
Path: authPath,
|
||||
RoleId: roleID,
|
||||
SecretRef: cmmeta.SecretKeySelector{
|
||||
Key: "secretkey",
|
||||
LocalObjectReference: cmmeta.LocalObjectReference{
|
||||
Name: vaultSecretAppRoleName,
|
||||
},
|
||||
func (v *vaultAppRoleProvisioner) createIssuerSpec(f *framework.Framework, secs *vaultSecrets) cmapi.IssuerSpec {
|
||||
vaultPath := path.Join(intermediateMount, "sign", role)
|
||||
|
||||
return cmapi.IssuerSpec{
|
||||
IssuerConfig: cmapi.IssuerConfig{
|
||||
Vault: &cmapi.VaultIssuer{
|
||||
Server: v.vault.Details().Host,
|
||||
Path: vaultPath,
|
||||
CABundle: v.vault.Details().VaultCA,
|
||||
Auth: cmapi.VaultAuth{
|
||||
AppRole: &cmapi.VaultAppRole{
|
||||
Path: authPath,
|
||||
RoleId: secs.roleID,
|
||||
SecretRef: cmmeta.SecretKeySelector{
|
||||
Key: "secretkey",
|
||||
LocalObjectReference: cmmeta.LocalObjectReference{
|
||||
Name: vaultSecretAppRoleName,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
})
|
||||
Expect(err).NotTo(HaveOccurred(), "failed to create vault issuer")
|
||||
|
||||
return cmmeta.ObjectReference{
|
||||
Group: cmapi.SchemeGroupVersion.Group,
|
||||
Kind: cmapi.IssuerKind,
|
||||
Name: issuer.Name,
|
||||
}
|
||||
}
|
||||
|
||||
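Review bot: on the cluster path the `vault-role` secret holding the AppRole secretID is written to `addon.CertManager.Namespace` with a fixed name, but `delete` only deprovisions the vault initializer, vault and tiller and ignores `ref`, so the secret and the issuer object persist in cert-manager's namespace after the test and a repeated Create collides on the name. delete should remove the secret it created (and the cluster-scoped issuer named by ref) rather than relying on namespace teardown, which only covers the namespaced variant. Minor: createIssuerSpec takes `f *framework.Framework` but never reads it; dropping the parameter or documenting why it is kept would help. The enclosing initVault body continues outside the hunk at `@ -77,12 +141,6`.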
@ -9,6 +9,7 @@ go_library(
|
||||
"//pkg/apis/certmanager/v1alpha2:go_default_library",
|
||||
"//pkg/apis/meta/v1:go_default_library",
|
||||
"//test/e2e/framework:go_default_library",
|
||||
"//test/e2e/framework/addon:go_default_library",
|
||||
"//test/e2e/framework/util/errors:go_default_library",
|
||||
"//test/e2e/suite/issuers/venafi/addon:go_default_library",
|
||||
"@com_github_onsi_ginkgo//:go_default_library",
|
||||
|
||||
@ -23,6 +23,7 @@ import (
|
||||
cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2"
|
||||
cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
|
||||
"github.com/jetstack/cert-manager/test/e2e/framework"
|
||||
"github.com/jetstack/cert-manager/test/e2e/framework/addon"
|
||||
"github.com/jetstack/cert-manager/test/e2e/framework/util/errors"
|
||||
vaddon "github.com/jetstack/cert-manager/test/e2e/suite/issuers/venafi/addon"
|
||||
)
|
||||
@ -41,8 +42,15 @@ var _ = framework.ConformanceDescribe("Certificates", func() {
|
||||
//
|
||||
//provisioner := new(venafiProvisioner)
|
||||
//(&certificates.Suite{
|
||||
// Name: "Venafi",
|
||||
// CreateIssuerFunc: provisioner.create,
|
||||
// Name: "Venafi Issuer",
|
||||
// CreateIssuerFunc: provisioner.createIssuer,
|
||||
// DeleteIssuerFunc: provisioner.delete,
|
||||
// UnsupportedFeatures: unsupportedFeatures,
|
||||
//}).Define()
|
||||
|
||||
//(&certificates.Suite{
|
||||
// Name: "Venafi ClusterIssuer",
|
||||
// CreateIssuerFunc: provisioner.createClusterIssuer,
|
||||
// DeleteIssuerFunc: provisioner.delete,
|
||||
// UnsupportedFeatures: unsupportedFeatures,
|
||||
//}).Define()
|
||||
@ -56,8 +64,8 @@ func (v *venafiProvisioner) delete(f *framework.Framework, ref cmmeta.ObjectRefe
|
||||
Expect(v.tpp.Deprovision()).NotTo(HaveOccurred(), "failed to deprovision tpp venafi")
|
||||
}
|
||||
|
||||
func (v *venafiProvisioner) create(f *framework.Framework) cmmeta.ObjectReference {
|
||||
By("Creating a Venafi issuer")
|
||||
func (v *venafiProvisioner) createIssuer(f *framework.Framework) cmmeta.ObjectReference {
|
||||
By("Creating a Venafi Issuer")
|
||||
|
||||
v.tpp = &vaddon.VenafiTPP{
|
||||
Namespace: f.Namespace.Name,
|
||||
@ -81,3 +89,29 @@ func (v *venafiProvisioner) create(f *framework.Framework) cmmeta.ObjectReferenc
|
||||
Name: issuer.Name,
|
||||
}
|
||||
}
|
||||
|
||||
func (v *venafiProvisioner) createClusterIssuer(f *framework.Framework) cmmeta.ObjectReference {
|
||||
By("Creating a Venafi ClusterIssuer")
|
||||
|
||||
v.tpp = &vaddon.VenafiTPP{
|
||||
Namespace: addon.CertManager.Namespace,
|
||||
}
|
||||
|
||||
err := v.tpp.Setup(f.Config)
|
||||
if errors.IsSkip(err) {
|
||||
framework.Skipf("Skipping test as addon could not be setup: %v", err)
|
||||
}
|
||||
Expect(err).NotTo(HaveOccurred(), "failed to setup tpp venafi")
|
||||
|
||||
Expect(v.tpp.Provision()).NotTo(HaveOccurred(), "failed to provision tpp venafi")
|
||||
|
||||
issuer := v.tpp.Details().BuildClusterIssuer()
|
||||
issuer, err = f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(issuer)
|
||||
Expect(err).NotTo(HaveOccurred(), "failed to create issuer for venafi")
|
||||
|
||||
return cmmeta.ObjectReference{
|
||||
Group: cmapi.SchemeGroupVersion.Group,
|
||||
Kind: cmapi.ClusterIssuerKind,
|
||||
Name: issuer.Name,
|
||||
}
|
||||
}
|
||||
|
||||
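Review bot: the Venafi suites that would call createClusterIssuer remain commented out (`//(&certificates.Suite{` through `//}).Define()`), so the new function and the BuildClusterIssuer helper it depends on are not exercised by this change. A one-line comment above the commented-out block stating why it is disabled, e.g. `// TODO: re-enable once <reason — to be confirmed> is resolved`, would keep the next reader from assuming coverage exists. The assertion message `"failed to create issuer for venafi"` on the cluster path should read `"failed to create cluster issuer for venafi"` so a failure is attributable to the right suite.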
@ -126,3 +126,16 @@ func (t *TPPDetails) BuildIssuer() *cmapi.Issuer {
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func (t *TPPDetails) BuildClusterIssuer() *cmapi.ClusterIssuer {
|
||||
return &cmapi.ClusterIssuer{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
GenerateName: "venafi-tpp-",
|
||||
},
|
||||
Spec: cmapi.IssuerSpec{
|
||||
IssuerConfig: cmapi.IssuerConfig{
|
||||
Venafi: &t.issuerTemplate,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
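Review bot: BuildClusterIssuer is exported but has no doc comment, unlike what the Go convention expects for an exported method. Add `// BuildClusterIssuer returns a ClusterIssuer whose Venafi config is this TPP instance's issuer template; the object name is generated from the "venafi-tpp-" prefix.` above the method. The use of GenerateName here is worth keeping as the pattern for the other ClusterIssuer helpers in this commit, which hard-code names and therefore cannot be created twice.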