Check that Vault certs' CA contains root cert if expected

Signed-off-by: irbekrm <irbekrm@gmail.com>
2021-05-19 22:09:41 +01:00 · 2021-05-19 22:09:41 +01:00 · 63342c1d5e
commit 63342c1d5e
parent 0ebce264f1
2 changed files with 32 additions and 13 deletions
--- a/test/e2e/suite/issuers/vault/certificate/approle.go
+++ b/test/e2e/suite/issuers/vault/certificate/approle.go
@ -36,15 +36,25 @@ import (
 	"github.com/jetstack/cert-manager/test/unit/gen"
 )

-var _ = framework.CertManagerDescribe("Vault Issuer Certificate (AppRole)", func() {
-	runVaultAppRoleTests(cmapi.IssuerKind)
+var _ = framework.CertManagerDescribe("Vault Issuer Certificate (AppRole, CA without root)", func() {
+	fs := featureset.NewFeatureSet(featureset.SaveCAToSecret)
+	runVaultAppRoleTests(cmapi.IssuerKind, false, fs)
+})
+var _ = framework.CertManagerDescribe("Vault Issuer Certificate (AppRole, CA with root)", func() {
+	fs := featureset.NewFeatureSet()
+	runVaultAppRoleTests(cmapi.IssuerKind, true, fs)
 })

-var _ = framework.CertManagerDescribe("Vault ClusterIssuer Certificate (AppRole)", func() {
-	runVaultAppRoleTests(cmapi.ClusterIssuerKind)
+var _ = framework.CertManagerDescribe("Vault ClusterIssuer Certificate (AppRole, CA without root)", func() {
+	fs := featureset.NewFeatureSet(featureset.SaveCAToSecret)
+	runVaultAppRoleTests(cmapi.ClusterIssuerKind, false, fs)
+})
+var _ = framework.CertManagerDescribe("Vault ClusterIssuer Certificate (AppRole, CA with root)", func() {
+	fs := featureset.NewFeatureSet()
+	runVaultAppRoleTests(cmapi.ClusterIssuerKind, true, fs)
 })

-func runVaultAppRoleTests(issuerKind string) {
+func runVaultAppRoleTests(issuerKind string, testWithRoot bool, unsupportedFeatures featureset.FeatureSet) {
 	f := framework.NewDefaultFramework("create-vault-certificate")

 	var (
@ -85,6 +95,7 @@ func runVaultAppRoleTests(issuerKind string) {
 			Details:           *vault.Details(),
 			RootMount:         rootMount,
 			IntermediateMount: intermediateMount,
+			ConfigureWithRoot: testWithRoot,
 			Role:              role,
 			AppRoleAuthPath:   authPath,
 		}
@ -172,7 +183,6 @@ func runVaultAppRoleTests(issuerKind string) {
 		Expect(err).NotTo(HaveOccurred())

 		By("Validating the issued Certificate...")
-		unsupportedFeatures := featureset.NewFeatureSet(featureset.SaveRootCAToSecret)
 		err = f.Helper().ValidateCertificate(f.Namespace.Name, certificateName, f.Helper().ValidationSetForUnsupportedFeatureSet(unsupportedFeatures)...)
 		Expect(err).NotTo(HaveOccurred())

@ -268,7 +278,6 @@ func runVaultAppRoleTests(issuerKind string) {
 			Expect(err).NotTo(HaveOccurred())

 			By("Validating the issued Certificate...")
-			unsupportedFeatures := featureset.NewFeatureSet(featureset.SaveRootCAToSecret)
 			err = f.Helper().ValidateCertificate(f.Namespace.Name, certificateName, f.Helper().ValidationSetForUnsupportedFeatureSet(unsupportedFeatures)...)
 			Expect(err).NotTo(HaveOccurred())

--- a/test/e2e/suite/issuers/vault/certificate/approle_custom_mount.go
+++ b/test/e2e/suite/issuers/vault/certificate/approle_custom_mount.go
@ -35,15 +35,25 @@ import (
 	"github.com/jetstack/cert-manager/test/unit/gen"
 )

-var _ = framework.CertManagerDescribe("Vault Issuer Certificate (AppRole with a custom mount path)", func() {
-	runVaultCustomAppRoleTests(cmapi.IssuerKind)
+var _ = framework.CertManagerDescribe("Vault Issuer Certificate (AppRole with a custom mount path, CA without root)", func() {
+	fs := featureset.NewFeatureSet(featureset.SaveCAToSecret)
+	runVaultCustomAppRoleTests(cmapi.IssuerKind, false, fs)
 })

-var _ = framework.CertManagerDescribe("Vault ClusterIssuer Certificate (AppRole with a custom mount path)", func() {
-	runVaultCustomAppRoleTests(cmapi.ClusterIssuerKind)
+var _ = framework.CertManagerDescribe("Vault Issuer Certificate (AppRole with a custom mount path, CA with root)", func() {
+	fs := featureset.NewFeatureSet()
+	runVaultCustomAppRoleTests(cmapi.IssuerKind, true, fs)
+})
+var _ = framework.CertManagerDescribe("Vault ClusterIssuer Certificate (AppRole with a custom mount path, CA without root)", func() {
+	fs := featureset.NewFeatureSet(featureset.SaveCAToSecret)
+	runVaultCustomAppRoleTests(cmapi.ClusterIssuerKind, false, fs)
+})
+var _ = framework.CertManagerDescribe("Vault ClusterIssuer Certificate (AppRole with a custom mount path, CA with root)", func() {
+	fs := featureset.NewFeatureSet()
+	runVaultCustomAppRoleTests(cmapi.ClusterIssuerKind, true, fs)
 })

-func runVaultCustomAppRoleTests(issuerKind string) {
+func runVaultCustomAppRoleTests(issuerKind string, testWithRoot bool, unsupportedFeatures featureset.FeatureSet) {
 	f := framework.NewDefaultFramework("create-vault-certificate")

 	var (
@ -84,6 +94,7 @@ func runVaultCustomAppRoleTests(issuerKind string) {
 			Details:           *vault.Details(),
 			RootMount:         rootMount,
 			IntermediateMount: intermediateMount,
+			ConfigureWithRoot: testWithRoot,
 			Role:              role,
 			AppRoleAuthPath:   authPath,
 		}
@ -170,7 +181,6 @@ func runVaultCustomAppRoleTests(issuerKind string) {
 		Expect(err).NotTo(HaveOccurred())

 		By("Validating the issued Certificate...")
-		unsupportedFeatures := featureset.NewFeatureSet(featureset.SaveRootCAToSecret)
 		err = f.Helper().ValidateCertificate(f.Namespace.Name, certificateName, f.Helper().ValidationSetForUnsupportedFeatureSet(unsupportedFeatures)...)
 		Expect(err).NotTo(HaveOccurred())
 	})