test: Verify certificates issued by the ca issuer

Use the standard X509 certificate validation to check that generated certificates can be validated by clients Signed-off-by: Mike Bryant <m@ocado.com>
2018-11-14 21:52:38 +00:00 · 2018-11-14 21:52:38 +00:00 · 92d30c60c2
commit 92d30c60c2
parent 70b3470b96
2 changed files with 38 additions and 13 deletions
--- a/test/e2e/suite/issuers/ca/certificate.go
+++ b/test/e2e/suite/issuers/ca/certificate.go
@ -68,7 +68,7 @@ var _ = framework.CertManagerDescribe("CA Certificate", func() {
 		_, err := certClient.Create(util.NewCertManagerBasicCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil))
 		Expect(err).NotTo(HaveOccurred())
 		By("Verifying the Certificate is valid")
-		err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Second*30)
+		err = util.WaitCertificateIssuedValidTLS(certClient, secretClient, certificateName, time.Second*30, true)
 		Expect(err).NotTo(HaveOccurred())
 	})

@ -85,7 +85,7 @@ var _ = framework.CertManagerDescribe("CA Certificate", func() {
 		Expect(err).NotTo(HaveOccurred())

 		By("Verifying the Certificate is valid")
-		err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Second*30)
+		err = util.WaitCertificateIssuedValidTLS(certClient, secretClient, certificateName, time.Second*30, true)
 		Expect(err).NotTo(HaveOccurred())
 	})

--- a/test/e2e/util/util.go
+++ b/test/e2e/util/util.go
@ -203,7 +203,7 @@ func wrapErrorWithCertificateStatusCondition(client clientset.CertificateInterfa
 // WaitCertificateIssuedValid waits for the given Certificate to be
 // 'Ready' and ensures the stored certificate is valid for the specified
 // domains.
-func WaitCertificateIssuedValid(certClient clientset.CertificateInterface, secretClient corecs.SecretInterface, name string, timeout time.Duration) error {
+func WaitCertificateIssuedValidTLS(certClient clientset.CertificateInterface, secretClient corecs.SecretInterface, name string, timeout time.Duration, validateTLS bool) error {
 	return wait.PollImmediate(time.Second, timeout,
 		func() (bool, error) {
 			log.Logf("Waiting for Certificate %v to be ready", name)
@ -301,11 +301,32 @@ func WaitCertificateIssuedValid(certClient clientset.CertificateInterface, secre
 				return false, fmt.Errorf("Expected secret to have certificate-name label with a value of %q, but got %q", certificate.Name, label)
 			}

+			// Run TLS Verification
+			if validateTLS {
+				rootCertPool := x509.NewCertPool()
+				rootCertPool.AppendCertsFromPEM([]byte(rootCert))
+				intermediateCertPool := x509.NewCertPool()
+				intermediateCertPool.AppendCertsFromPEM(certBytes)
+				opts := x509.VerifyOptions{
+					DNSName:       expectedDNSNames[0],
+					Intermediates: intermediateCertPool,
+					Roots:         rootCertPool,
+				}
+
+				if _, err := cert.Verify(opts); err != nil {
+					return false, err
+				}
+			}
+
 			return true, nil
 		},
 	)
 }

+func WaitCertificateIssuedValid(certClient clientset.CertificateInterface, secretClient corecs.SecretInterface, name string, timeout time.Duration) error {
+	return WaitCertificateIssuedValidTLS(certClient, secretClient, name, timeout, false)
+}
+
 // WaitForCertificateToExist waits for the named certificate to exist
 func WaitForCertificateToExist(client clientset.CertificateInterface, name string, timeout time.Duration) error {
 	return wait.PollImmediate(500*time.Millisecond, timeout,
@ -567,13 +588,7 @@ func NewCertManagerVaultIssuerAppRole(name, vaultURL, vaultPath, roleId, vaultSe
 	}
 }

-func NewSigningKeypairSecret(name string) *v1.Secret {
-	return &v1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: name,
-		},
-		StringData: map[string]string{
-			v1.TLSCertKey: `-----BEGIN CERTIFICATE-----
+const rootCert = `-----BEGIN CERTIFICATE-----
 MIID4DCCAsigAwIBAgIJAJzTROInmDkQMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV
 BAYTAlVLMQswCQYDVQQIEwJOQTEVMBMGA1UEChMMY2VydC1tYW5hZ2VyMSAwHgYD
 VQQDExdjZXJ0LW1hbmFnZXIgdGVzdGluZyBDQTAeFw0xNzA5MTAxODMzNDNaFw0y
@ -595,8 +610,9 @@ H4/uvJps4SpVCB7+T/orcTjZ2ewT23mQAQg+B+iwX9VCof+fadkYOg1XD9/eaj6E
 9McXID3iuCXg02RmEOwVMrTggHPwHrOGAilSaZc58cJZHmMYlT5rGrJcWS/AyXnH
 VOodKC004yjh7w9aSbCCbAL0tDEnhm4Jrb8cxt7pDWbdEVUeuk9LZRQtluYBnmJU
 kQ7ALfUfUh/RUpCV4uI6sEI3NDX2YqQbOtsBD/hNaL1F85FA
-----END CERTIFICATE-----`,
-			v1.TLSPrivateKeyKey: `-----BEGIN RSA PRIVATE KEY-----
+-----END CERTIFICATE-----`
+
+const rootKey = `-----BEGIN RSA PRIVATE KEY-----
 MIIEpAIBAAKCAQEAz5DYA7iEBFq/SrCOTsjiYSHlHbTUdLyzselos5cE2++Huon3
 InPqMupiDoS8/Qr9srnoKnah7aKB3sY7GlXdg85zcIbQIKocymsRy/GPbEEpfTRG
 1yfihUuEM+EBvQFX9Hs0Ut5bHOH6CC88jVebWotpZiphkQnlsGxhcPe091LgYYg1
@ -622,7 +638,16 @@ jKQvgbUk9SBSBaRrvLNJ8csCgYAYnrZEnGo+ZcEHRxl+ZdSCwRkSl3SCTRiphJtD
 ThS+sQKBgQDh0+cVo1mfYiCkp3IQPB8QYiJ/g2/UBk6pH8ZZDZ+A5td6NveiWO1y
 wTEUWkX2qyz9SLxWDGOhdKqxNrLCUSYSOV/5/JQEtBm6K50ArFtrY40JP/T/5KvM
 tSK2ayFX1wQ3PuEmewAogy/20tWo80cr556AXA62Utl2PzLK30Db8w==
-----END RSA PRIVATE KEY-----`,
+-----END RSA PRIVATE KEY-----`
+
+func NewSigningKeypairSecret(name string) *v1.Secret {
+	return &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		StringData: map[string]string{
+			v1.TLSCertKey: rootCert,
+			v1.TLSPrivateKeyKey: rootKey,
 		},
 	}
 }