From 918e1e04f3ec2bb6c78565e561bb0fa62a083059 Mon Sep 17 00:00:00 2001 From: Maartje Eyskens Date: Tue, 22 Sep 2020 13:37:37 +0200 Subject: [PATCH] Add e2e tests + fix validation Signed-off-by: Maartje Eyskens --- devel/lib/lib.sh | 1 + devel/run-e2e.sh | 1 + .../certmanager/validation/certificate.go | 4 +- test/e2e/framework/config/acme.go | 2 + .../suite/issuers/acme/certificate/http01.go | 76 +++++++++++++++++++ 5 files changed, 82 insertions(+), 2 deletions(-) diff --git a/devel/lib/lib.sh b/devel/lib/lib.sh index a6789943c..353a82202 100644 --- a/devel/lib/lib.sh +++ b/devel/lib/lib.sh @@ -33,6 +33,7 @@ export IS_OPENSHIFT="${IS_OPENSHIFT:-"false"}" export OPENSHIFT_VERSION="${OPENSHIFT_VERSION:-"3.11"}" export SERVICE_IP_PREFIX="${SERVICE_IP_PREFIX:-10.0.0}" export DNS_SERVER="${SERVICE_IP_PREFIX}.16" +export INGRESS_IP="${SERVICE_IP_PREFIX}.15" # setup_tools will build and set up the environment to use bazel-provided # versions of the tools required for development diff --git a/devel/run-e2e.sh b/devel/run-e2e.sh index f7125bc77..5f201ced6 100755 --- a/devel/run-e2e.sh +++ b/devel/run-e2e.sh @@ -45,4 +45,5 @@ ginkgo -nodes 10 -flakeAttempts ${FLAKE_ATTEMPTS:-1} \ --repo-root="${REPO_ROOT}" \ --report-dir="${ARTIFACTS:-$REPO_ROOT/_artifacts}" \ --acme-dns-server="$DNS_SERVER" \ + --acme-ingress-ip="$INGRESS_IP" \ "$@" diff --git a/pkg/internal/apis/certmanager/validation/certificate.go b/pkg/internal/apis/certmanager/validation/certificate.go index 744b44cdd..7fde9623b 100644 --- a/pkg/internal/apis/certmanager/validation/certificate.go +++ b/pkg/internal/apis/certmanager/validation/certificate.go 
@@ -40,8 +40,8 @@ func ValidateCertificateSpec(crt *internalcmapi.CertificateSpec, fldPath *field. el = append(el, validateIssuerRef(crt.IssuerRef, fldPath)...) - if len(crt.CommonName) == 0 && len(crt.DNSNames) == 0 && len(crt.URISANs) == 0 && len(crt.EmailSANs) == 0 { - el = append(el, field.Invalid(fldPath, "", "at least one of commonName, dnsNames, uris or emailAddresses must be set")) + if len(crt.CommonName) == 0 && len(crt.DNSNames) == 0 && len(crt.URISANs) == 0 && len(crt.EmailSANs) == 0 && len(crt.IPAddresses) == 0 { + el = append(el, field.Invalid(fldPath, "", "at least one of commonName, dnsNames, uris ipAddresses, or emailAddresses must be set")) } // if a common name has been specified, ensure it is no longer than 64 chars diff --git a/test/e2e/framework/config/acme.go b/test/e2e/framework/config/acme.go index 623636c9e..aa8fdef4e 100644 --- a/test/e2e/framework/config/acme.go +++ b/test/e2e/framework/config/acme.go @@ -23,11 +23,13 @@ import ( type ACMEServer struct { URL string DNSServer string + IngressIP string } func (p *ACMEServer) AddFlags(fs *flag.FlagSet) { fs.StringVar(&p.URL, "acme-server-url", "https://pebble.pebble.svc.cluster.local/dir", "URL for the ACME server used during end-to-end tests") fs.StringVar(&p.DNSServer, "acme-dns-server", "10.0.0.16", "DNS server for ACME DNS01 tests to run against using RFC2136") + fs.StringVar(&p.IngressIP, "acme-ingress-ip", "10.0.0.15", "IP of the ingress server that solves HTTP01 ACME challenges") } func (p *ACMEServer) Validate() []error { diff --git a/test/e2e/suite/issuers/acme/certificate/http01.go b/test/e2e/suite/issuers/acme/certificate/http01.go index efe408d85..df8150e3c 100644 --- a/test/e2e/suite/issuers/acme/certificate/http01.go +++ b/test/e2e/suite/issuers/acme/certificate/http01.go 
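Review bot: The new message on the `field.Invalid` line reads `uris ipAddresses, or emailAddresses`; the comma after `uris` is missing, so it should be `"at least one of commonName, dnsNames, uris, ipAddresses, or emailAddresses must be set"`. With this change a spec whose only identity is `ipAddresses` now passes this check, so each entry should be rejected unless it parses as an IP address (for example with `net.ParseIP`). ValidateCertificateSpec continues outside the hunk, so that may already happen further down, but it is worth confirming. The diffstat lists no change to a validation unit test; a table case for an IP-only spec would pin the fix.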
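Review bot: Nothing in this hunk checks that the `acme-ingress-ip` value is an IP address, and its default `"10.0.0.15"` hard-codes what `devel/lib/lib.sh` derives from `SERVICE_IP_PREFIX`. Validate() begins on the last line of the hunk and its body is not visible. If it does not already do so, rejecting the value when `net.ParseIP(p.IngressIP) == nil` would fail the run at start-up rather than minutes into a certificate wait. The new field could also carry a doc comment such as `// IngressIP is the address of the ingress that serves HTTP01 challenges.`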
@@ -469,4 +469,80 @@ var _ = framework.CertManagerDescribe("ACME Certificate (HTTP01)", func() { Expect(err).NotTo(HaveOccurred()) }) + It("should obtain a signed certificate with a single IP Address from the ACME server", func() { + certClient := f.CertManagerClientSet.CertmanagerV1().Certificates(f.Namespace.Name) + + By("Creating a Certificate") + cert := gen.Certificate(certificateName, + gen.SetCertificateSecretName(certificateSecretName), + gen.SetCertificateIssuer(cmmeta.ObjectReference{Name: issuerName}), + gen.SetCertificateIPs(f.Config.Addons.ACMEServer.IngressIP), + ) + cert.Namespace = f.Namespace.Name + + _, err := certClient.Create(context.TODO(), cert, metav1.CreateOptions{}) + Expect(err).NotTo(HaveOccurred()) + By("Verifying the Certificate is valid") + err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5) + Expect(err).NotTo(HaveOccurred()) + }) + + It("should obtain a signed certificate with an IP and DNS names from the ACME server", func() { + certClient := f.CertManagerClientSet.CertmanagerV1().Certificates(f.Namespace.Name) + + By("Creating a Certificate") + cert := gen.Certificate(certificateName, + gen.SetCertificateSecretName(certificateSecretName), + gen.SetCertificateIssuer(cmmeta.ObjectReference{Name: issuerName}), + gen.SetCertificateDNSNames(fmt.Sprintf("%s.%s", cmutil.RandStringRunes(2), acmeIngressDomain)), + gen.SetCertificateIPs(f.Config.Addons.ACMEServer.IngressIP), + ) + cert.Namespace = f.Namespace.Name + + _, err := certClient.Create(context.TODO(), cert, metav1.CreateOptions{}) + Expect(err).NotTo(HaveOccurred()) + By("Verifying the Certificate is valid") + err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5) + Expect(err).NotTo(HaveOccurred()) + }) + + It("should allow updating an existing certificate with a new dns name", func() { + certClient := f.CertManagerClientSet.CertmanagerV1().Certificates(f.Namespace.Name) + + By("Creating a Certificate") + cert := 
gen.Certificate(certificateName, + gen.SetCertificateSecretName(certificateSecretName), + gen.SetCertificateIssuer(cmmeta.ObjectReference{Name: issuerName}), + gen.SetCertificateDNSNames(fmt.Sprintf("%s.%s", cmutil.RandStringRunes(5), acmeIngressDomain)), + ) + cert.Namespace = f.Namespace.Name + + _, err := certClient.Create(context.TODO(), cert, metav1.CreateOptions{}) + Expect(err).NotTo(HaveOccurred()) + + By("Verifying the Certificate is valid") + err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5) + Expect(err).NotTo(HaveOccurred()) + + By("Getting the latest version of the Certificate") + cert, err = certClient.Get(context.TODO(), certificateName, metav1.GetOptions{}) + Expect(err).NotTo(HaveOccurred()) + + By("Adding an additional dnsName to the Certificate") + newDNSName := fmt.Sprintf("%s.%s", cmutil.RandStringRunes(5), acmeIngressDomain) + cert.Spec.DNSNames = append(cert.Spec.DNSNames, newDNSName) + + By("Updating the Certificate in the apiserver") + cert, err = certClient.Update(context.TODO(), cert, metav1.UpdateOptions{}) + Expect(err).NotTo(HaveOccurred()) + + By("Waiting for the Certificate to be not ready") + _, err = h.WaitForCertificateNotReady(f.Namespace.Name, certificateName, time.Minute*5) + Expect(err).NotTo(HaveOccurred()) + + By("Waiting for the Certificate to become ready & valid") + err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5) + Expect(err).NotTo(HaveOccurred()) + }) + })
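Review bot: The IP-and-DNS test builds its DNS name with `cmutil.RandStringRunes(2)` while the update test uses `cmutil.RandStringRunes(5)`. A two-character label is much more likely to collide across parallel nodes and flake retries (`ginkgo -nodes 10` in run-e2e.sh), so `cmutil.RandStringRunes(5)` would be the consistent choice. Both IP tests stop at `h.WaitCertificateIssuedValid`; unless that helper already compares SANs, which cannot be seen from here, they would be stronger if they read the issued certificate and asserted that its IP SANs contain `f.Config.Addons.ACMEServer.IngressIP`. The three `It` bodies repeat the same create-and-wait sequence, and the enclosing Describe closure starts outside the hunk.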