From 63342c1d5ee7d82772de656c3f50b98bca1856d7 Mon Sep 17 00:00:00 2001
From: irbekrm
Date: Wed, 19 May 2021 22:09:41 +0100
Subject: [PATCH] Check that Vault certs' CA contains root cert if expected

Signed-off-by: irbekrm
---
 .../issuers/vault/certificate/approle.go | 23 +++++++++++++------
 .../vault/certificate/approle_custom_mount.go | 22 +++++++++++++-----
 2 files changed, 32 insertions(+), 13 deletions(-)

diff --git a/test/e2e/suite/issuers/vault/certificate/approle.go b/test/e2e/suite/issuers/vault/certificate/approle.go
index f1a1b4e86..2d1fc686b 100644
--- a/test/e2e/suite/issuers/vault/certificate/approle.go
+++ b/test/e2e/suite/issuers/vault/certificate/approle.go
@@ -36,15 +36,25 @@ import (
 "github.com/jetstack/cert-manager/test/unit/gen"
 )
 
-var _ = framework.CertManagerDescribe("Vault Issuer Certificate (AppRole)", func() {
-runVaultAppRoleTests(cmapi.IssuerKind)
+var _ = framework.CertManagerDescribe("Vault Issuer Certificate (AppRole, CA without root)", func() {
+fs := featureset.NewFeatureSet(featureset.SaveCAToSecret)
+runVaultAppRoleTests(cmapi.IssuerKind, false, fs)
+})
+var _ = framework.CertManagerDescribe("Vault Issuer Certificate (AppRole, CA with root)", func() {
+fs := featureset.NewFeatureSet()
+runVaultAppRoleTests(cmapi.IssuerKind, true, fs)
 })
 
-var _ = framework.CertManagerDescribe("Vault ClusterIssuer Certificate (AppRole)", func() {
-runVaultAppRoleTests(cmapi.ClusterIssuerKind)
+var _ = framework.CertManagerDescribe("Vault ClusterIssuer Certificate (AppRole, CA without root)", func() {
+fs := featureset.NewFeatureSet(featureset.SaveCAToSecret)
+runVaultAppRoleTests(cmapi.ClusterIssuerKind, false, fs)
+})
+var _ = framework.CertManagerDescribe("Vault ClusterIssuer Certificate (AppRole, CA with root)", func() {
+fs := featureset.NewFeatureSet()
+runVaultAppRoleTests(cmapi.ClusterIssuerKind, true, fs)
 })
 
-func runVaultAppRoleTests(issuerKind string) {
+func runVaultAppRoleTests(issuerKind string, testWithRoot bool, unsupportedFeatures featureset.FeatureSet) {
 f := framework.NewDefaultFramework("create-vault-certificate")
 
 var (
@@ -85,6 +95,7 @@ func runVaultAppRoleTests(issuerKind string) {
 Details: *vault.Details(),
 RootMount: rootMount,
 IntermediateMount: intermediateMount,
+ConfigureWithRoot: testWithRoot,
 Role: role,
 AppRoleAuthPath: authPath,
 }
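Review bot: In the four Describe blocks of this hunk the "CA without root" variants mark `featureset.SaveCAToSecret` as unsupported, whereas the line removed further down in this file excluded only `featureset.SaveRootCAToSecret`; if `SaveCAToSecret` switches off the whole ca.crt validation (inferred from the name only), those runs no longer verify that ca.crt is populated at all, so a regression that drops the intermediate from the secret would pass unnoticed. Consider `fs := featureset.NewFeatureSet(featureset.SaveRootCAToSecret)` for the without-root variants so the presence of the issuing CA is still checked and only the root-inclusion check is skipped. Also, `testWithRoot` and `unsupportedFeatures` encode the same expectation and can drift (a caller could pass `true` together with a set that disables the root check); deriving the feature set inside runVaultAppRoleTests from `testWithRoot` would remove that duplication across the four blocks. The same pattern appears in the matching hunk of approle_custom_mount.go. The body of runVaultAppRoleTests continues past the end of this hunk.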
@@ -172,7 +183,6 @@ func runVaultAppRoleTests(issuerKind string) {
 Expect(err).NotTo(HaveOccurred())
 
 By("Validating the issued Certificate...")
-unsupportedFeatures := featureset.NewFeatureSet(featureset.SaveRootCAToSecret)
 err = f.Helper().ValidateCertificate(f.Namespace.Name, certificateName, f.Helper().ValidationSetForUnsupportedFeatureSet(unsupportedFeatures)...)
 Expect(err).NotTo(HaveOccurred())
 
@@ -268,7 +278,6 @@ func runVaultAppRoleTests(issuerKind string) {
 Expect(err).NotTo(HaveOccurred())
 
 By("Validating the issued Certificate...")
-unsupportedFeatures := featureset.NewFeatureSet(featureset.SaveRootCAToSecret)
 err = f.Helper().ValidateCertificate(f.Namespace.Name, certificateName, f.Helper().ValidationSetForUnsupportedFeatureSet(unsupportedFeatures)...)
 Expect(err).NotTo(HaveOccurred())
 
diff --git a/test/e2e/suite/issuers/vault/certificate/approle_custom_mount.go b/test/e2e/suite/issuers/vault/certificate/approle_custom_mount.go
index 6fb3c04d0..e9f0e5730 100644
--- a/test/e2e/suite/issuers/vault/certificate/approle_custom_mount.go
+++ b/test/e2e/suite/issuers/vault/certificate/approle_custom_mount.go
@@ -35,15 +35,25 @@ import (
 "github.com/jetstack/cert-manager/test/unit/gen"
 )
 
-var _ = framework.CertManagerDescribe("Vault Issuer Certificate (AppRole with a custom mount path)", func() {
-runVaultCustomAppRoleTests(cmapi.IssuerKind)
+var _ = framework.CertManagerDescribe("Vault Issuer Certificate (AppRole with a custom mount path, CA without root)", func() {
+fs := featureset.NewFeatureSet(featureset.SaveCAToSecret)
+runVaultCustomAppRoleTests(cmapi.IssuerKind, false, fs)
 })
-var _ = framework.CertManagerDescribe("Vault ClusterIssuer Certificate (AppRole with a custom mount path)", func() {
-runVaultCustomAppRoleTests(cmapi.ClusterIssuerKind)
+var _ = framework.CertManagerDescribe("Vault Issuer Certificate (AppRole with a custom mount path, CA with root)", func() {
+fs := featureset.NewFeatureSet()
+runVaultCustomAppRoleTests(cmapi.IssuerKind, true, fs)
+})
+var _ = framework.CertManagerDescribe("Vault ClusterIssuer Certificate (AppRole with a custom mount path, CA without root)", func() {
+fs := featureset.NewFeatureSet(featureset.SaveCAToSecret)
+runVaultCustomAppRoleTests(cmapi.ClusterIssuerKind, false, fs)
+})
+var _ = framework.CertManagerDescribe("Vault ClusterIssuer Certificate (AppRole with a custom mount path, CA with root)", func() {
+fs := featureset.NewFeatureSet()
+runVaultCustomAppRoleTests(cmapi.ClusterIssuerKind, true, fs)
 })
 
-func runVaultCustomAppRoleTests(issuerKind string) {
+func runVaultCustomAppRoleTests(issuerKind string, testWithRoot bool, unsupportedFeatures featureset.FeatureSet) {
 f := framework.NewDefaultFramework("create-vault-certificate")
 
 var (
@@ -84,6 +94,7 @@ func runVaultCustomAppRoleTests(issuerKind string) {
 Details: *vault.Details(),
 RootMount: rootMount,
 IntermediateMount: intermediateMount,
+ConfigureWithRoot: testWithRoot,
 Role: role,
 AppRoleAuthPath: authPath,
 }
@@ -170,7 +181,6 @@ func runVaultCustomAppRoleTests(issuerKind string) {
 Expect(err).NotTo(HaveOccurred())
 
 By("Validating the issued Certificate...")
-unsupportedFeatures := featureset.NewFeatureSet(featureset.SaveRootCAToSecret)
 err = f.Helper().ValidateCertificate(f.Namespace.Name, certificateName, f.Helper().ValidationSetForUnsupportedFeatureSet(unsupportedFeatures)...)
 Expect(err).NotTo(HaveOccurred())
 })