From d6248d20bdc27e5bc97b7ebde906c46005aa1509 Mon Sep 17 00:00:00 2001 From: JoshVanL Date: Mon, 11 Nov 2019 12:08:15 +0000 Subject: [PATCH] Make vault issuer to point to resource namespace over certificaterequest Signed-off-by: JoshVanL --- .../certificaterequests/vault/vault.go | 6 +- .../issuers/vault/certificate/approle.go | 99 ++++++++++++++----- .../vault/certificate/approle_custom_mount.go | 65 +++++++++--- .../vault/certificaterequest/approle.go | 90 ++++++++++++----- .../approle_custom_mount.go | 65 +++++++++--- test/e2e/util/util.go | 43 +++++--- 6 files changed, 279 insertions(+), 89 deletions(-) diff --git a/pkg/controller/certificaterequests/vault/vault.go b/pkg/controller/certificaterequests/vault/vault.go index 8276b9152..920448b1c 100644 --- a/pkg/controller/certificaterequests/vault/vault.go +++ b/pkg/controller/certificaterequests/vault/vault.go @@ -37,6 +37,7 @@ const ( ) type Vault struct { + issuerOptions controllerpkg.IssuerOptions secretsLister corelisters.SecretLister reporter *crutil.Reporter @@ -54,6 +55,7 @@ func init() { func NewVault(ctx *controllerpkg.Context) *Vault { return &Vault{ + issuerOptions: ctx.IssuerOptions, secretsLister: ctx.KubeSharedInformerFactory.Core().V1().Secrets().Lister(), reporter: crutil.NewReporter(ctx.Clock, ctx.Recorder), vaultClientBuilder: vaultinternal.New, @@ -64,7 +66,9 @@ func (v *Vault) Sign(ctx context.Context, cr *v1alpha2.CertificateRequest, issue log := logf.FromContext(ctx, "sign") log = logf.WithRelatedResource(log, issuerObj) - client, err := v.vaultClientBuilder(cr.Namespace, v.secretsLister, issuerObj) + resourceNamespace := v.issuerOptions.ResourceNamespace(issuerObj) + + client, err := v.vaultClientBuilder(resourceNamespace, v.secretsLister, issuerObj) if k8sErrors.IsNotFound(err) { message := "Required secret resource not found" diff --git a/test/e2e/suite/issuers/vault/certificate/approle.go b/test/e2e/suite/issuers/vault/certificate/approle.go index 81e8fd505..dfc616728 100644 
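Review bot: The new `resourceNamespace` lookup in Sign carries no comment saying why the Vault secret is no longer resolved in `cr.Namespace`; add `// Secrets referenced by a ClusterIssuer live in the controller's cluster resource namespace and those of a namespaced Issuer in the issuer's namespace — never in the CertificateRequest's namespace.` above the assignment. The not-found branch that follows still reports only "Required secret resource not found"; since the namespace searched now depends on the issuer kind, including `resourceNamespace` in that event/log (the rest of the branch is outside the hunk) would save operators guessing where the AppRole secret is expected. Sign's body continues outside the hunk.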
--- a/test/e2e/suite/issuers/vault/certificate/approle.go +++ b/test/e2e/suite/issuers/vault/certificate/approle.go @@ -23,7 +23,7 @@ import ( . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" - "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2" + cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2" cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1" "github.com/jetstack/cert-manager/test/e2e/framework" "github.com/jetstack/cert-manager/test/e2e/framework/addon/tiller" @@ -32,7 +32,15 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() { +var _ = framework.CertManagerDescribe("Vault Issuer Certificate (AppRole)", func() { + runVaultAppRoleTests(cmapi.IssuerKind) +}) + +var _ = framework.CertManagerDescribe("Vault ClusterIssuer Certificate (AppRole)", func() { + runVaultAppRoleTests(cmapi.ClusterIssuerKind) +}) + +func runVaultAppRoleTests(issuerKind string) { f := framework.NewDefaultFramework("create-vault-certificate") h := f.Helper() @@ -68,6 +76,14 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() { var secretId string var vaultInit *vaultaddon.VaultInitializer + var vaultSecretNamespace string + + if issuerKind == cmapi.IssuerKind { + vaultSecretNamespace = f.Namespace.Name + } else { + vaultSecretNamespace = "kube-system" + } + BeforeEach(func() { By("Configuring the Vault server") vaultInit = &vaultaddon.VaultInitializer{ 
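Review bot: `vaultSecretNamespace = "kube-system"` hard-codes the controller's cluster resource namespace instead of taking it from the e2e configuration; if the deployed cert-manager runs with a different `--cluster-resource-namespace`, the ClusterIssuer specs create the AppRole secret where the controller never looks and fail with a not-found error. The same literal is repeated in the matching hunks of approle_custom_mount.go and both certificaterequest/ files, so one shared helper taking the framework and the issuer kind would keep the four copies in step. This assignment also runs when the spec tree is built, not inside the `BeforeEach` below; if `f.Namespace` is only populated by the framework's own BeforeEach (not visible here), `f.Namespace.Name` is read before the namespace exists and the assignment should move into the `BeforeEach`. `runVaultAppRoleTests` continues outside the hunk.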
@@ -83,15 +99,21 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() { Expect(err).NotTo(HaveOccurred()) roleId, secretId, err = vaultInit.CreateAppRole() Expect(err).NotTo(HaveOccurred()) - _, err = f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(vaultaddon.NewVaultAppRoleSecret(vaultSecretAppRoleName, secretId)) + _, err = f.KubeClientSet.CoreV1().Secrets(vaultSecretNamespace).Create(vaultaddon.NewVaultAppRoleSecret(vaultSecretAppRoleName, secretId)) Expect(err).NotTo(HaveOccurred()) }) JustAfterEach(func() { By("Cleaning up") Expect(vaultInit.Clean()).NotTo(HaveOccurred()) - f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Delete(issuerName, nil) - f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Delete(vaultSecretAppRoleName, nil) + + if issuerKind == cmapi.IssuerKind { + f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Delete(issuerName, nil) + } else { + f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Delete(issuerName, nil) + } + + f.KubeClientSet.CoreV1().Secrets(vaultSecretNamespace).Delete(vaultSecretAppRoleName, nil) }) It("should generate a new valid certificate", func() { 
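Review bot: The ClusterIssuer and kube-system secret deletes in `JustAfterEach` discard their errors, and unlike the namespaced Issuer these are resources outside the test namespace that namespace teardown will not reclaim, so a failed delete leaves a secret holding a Vault secret id and a live ClusterIssuer behind for every later spec; assert on both Delete results, tolerating only a not-found error. If `issuerName` and `vaultSecretAppRoleName` are fixed strings (declared outside the hunk), the ClusterIssuer runs of the four vault suites also share one cluster-wide name and one kube-system secret name, so they cannot safely run in parallel. The same cleanup shape is repeated in the matching hunks of the other three files.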
@@ -100,21 +122,37 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() { certClient := f.CertManagerClientSet.CertmanagerV1alpha2().Certificates(f.Namespace.Name) - _, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA)) + var err error + if issuerKind == cmapi.IssuerKind { + _, err = f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA)) + } else { + _, err = f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(util.NewCertManagerVaultClusterIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA)) + } Expect(err).NotTo(HaveOccurred()) By("Waiting for Issuer to become Ready") - err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name), - issuerName, - v1alpha2.IssuerCondition{ - Type: v1alpha2.IssuerConditionReady, - Status: cmmeta.ConditionTrue, - }) + + if issuerKind == cmapi.IssuerKind { + err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name), + issuerName, + cmapi.IssuerCondition{ + Type: cmapi.IssuerConditionReady, + Status: cmmeta.ConditionTrue, + }) + } else { + err = util.WaitForClusterIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers(), + issuerName, + cmapi.IssuerCondition{ + Type: cmapi.IssuerConditionReady, + Status: cmmeta.ConditionTrue, + }) + } + Expect(err).NotTo(HaveOccurred()) By("Creating a Certificate") - _, err = certClient.Create(util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, issuerName, v1alpha2.IssuerKind, nil, nil)) + _, err = 
certClient.Create(util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, issuerName, issuerKind, nil, nil)) Expect(err).NotTo(HaveOccurred()) err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5) 
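Review bot: The issuer-create and wait-for-Ready `if issuerKind == cmapi.IssuerKind { … } else { … }` blocks added here are repeated verbatim in the next hunk of this file and in the corresponding hunks of the three sibling vault suites, and one copy (certificaterequest/approle.go) has already drifted; lifting them into two helpers in test/e2e/util, e.g. `createVaultAppRoleIssuer(f, issuerKind, …)` and `waitForVaultIssuerReady(f, issuerKind, issuerName)`, would leave each spec with one line per step. The `By("Waiting for Issuer to become Ready")` message is now also misleading for the ClusterIssuer run. The enclosing `It` closure starts outside the hunk.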
@@ -159,20 +197,37 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() { v := v It("should generate a new certificate "+v.label, func() { By("Creating an Issuer") - _, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vault.Details().Host, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA)) + + var err error + if issuerKind == cmapi.IssuerKind { + _, err = f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vault.Details().Host, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA)) + } else { + _, err = f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(util.NewCertManagerVaultClusterIssuerAppRole(issuerName, vault.Details().Host, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA)) + } Expect(err).NotTo(HaveOccurred()) By("Waiting for Issuer to become Ready") - err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name), - issuerName, - v1alpha2.IssuerCondition{ - Type: v1alpha2.IssuerConditionReady, - Status: cmmeta.ConditionTrue, - }) + + if issuerKind == cmapi.IssuerKind { + err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name), + issuerName, + cmapi.IssuerCondition{ + Type: cmapi.IssuerConditionReady, + Status: cmmeta.ConditionTrue, + }) + } else { + err = util.WaitForClusterIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers(), + issuerName, + cmapi.IssuerCondition{ + Type: cmapi.IssuerConditionReady, + Status: cmmeta.ConditionTrue, + }) + } + Expect(err).NotTo(HaveOccurred()) By("Creating a Certificate") - cert, err := f.CertManagerClientSet.CertmanagerV1alpha2().Certificates(f.Namespace.Name).Create(util.NewCertManagerVaultCertificate(certificateName, 
certificateSecretName, issuerName, v1alpha2.IssuerKind, v.inputDuration, v.inputRenewBefore)) + cert, err := f.CertManagerClientSet.CertmanagerV1alpha2().Certificates(f.Namespace.Name).Create(util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, issuerName, issuerKind, v.inputDuration, v.inputRenewBefore)) Expect(err).NotTo(HaveOccurred()) err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5) @@ -182,4 +237,4 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() { f.CertificateDurationValid(cert, v.expectedDuration, time.Second*30) }) } -}) +} diff --git a/test/e2e/suite/issuers/vault/certificate/approle_custom_mount.go b/test/e2e/suite/issuers/vault/certificate/approle_custom_mount.go index eb7fd55b8..67b1ceb7f 100644 --- a/test/e2e/suite/issuers/vault/certificate/approle_custom_mount.go +++ b/test/e2e/suite/issuers/vault/certificate/approle_custom_mount.go @@ -23,7 +23,7 @@ import ( . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" - "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2" + cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2" cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1" "github.com/jetstack/cert-manager/test/e2e/framework" "github.com/jetstack/cert-manager/test/e2e/framework/addon/tiller" 
@@ -31,7 +31,15 @@ import ( "github.com/jetstack/cert-manager/test/e2e/util" ) -var _ = framework.CertManagerDescribe("Vault Certificate (AppRole with a custom mount path)", func() { +var _ = framework.CertManagerDescribe("Vault Issuer Certificate (AppRole with a custom mount path)", func() { + runVaultCustomAppRoleTests(cmapi.IssuerKind) +}) + +var _ = framework.CertManagerDescribe("Vault ClusterIssuer Certificate (AppRole with a custom mount path)", func() { + runVaultCustomAppRoleTests(cmapi.ClusterIssuerKind) +}) + +func runVaultCustomAppRoleTests(issuerKind string) { f := framework.NewDefaultFramework("create-vault-certificate") h := f.Helper() @@ -68,6 +76,13 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole with a custom var vaultInit *vaultaddon.VaultInitializer + var vaultSecretNamespace string + if issuerKind == cmapi.IssuerKind { + vaultSecretNamespace = f.Namespace.Name + } else { + vaultSecretNamespace = "kube-system" + } + BeforeEach(func() { By("Configuring the Vault server") vaultInit = &vaultaddon.VaultInitializer{ 
@@ -83,15 +98,21 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole with a custom Expect(err).NotTo(HaveOccurred()) roleId, secretId, err = vaultInit.CreateAppRole() Expect(err).NotTo(HaveOccurred()) - _, err = f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(vaultaddon.NewVaultAppRoleSecret(vaultSecretAppRoleName, secretId)) + _, err = f.KubeClientSet.CoreV1().Secrets(vaultSecretNamespace).Create(vaultaddon.NewVaultAppRoleSecret(vaultSecretAppRoleName, secretId)) Expect(err).NotTo(HaveOccurred()) }) JustAfterEach(func() { By("Cleaning up") Expect(vaultInit.Clean()).NotTo(HaveOccurred()) - f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Delete(issuerName, nil) - f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Delete(vaultSecretAppRoleName, nil) + + if issuerKind == cmapi.IssuerKind { + f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Delete(issuerName, nil) + } else { + f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Delete(issuerName, nil) + } + + f.KubeClientSet.CoreV1().Secrets(vaultSecretNamespace).Delete(vaultSecretAppRoleName, nil) }) It("should generate a new valid certificate", func() { 
@@ -100,23 +121,39 @@ var _ = framework.CertManagerDescribe("Vault Certificate (AppRole with a custom certClient := f.CertManagerClientSet.CertmanagerV1alpha2().Certificates(f.Namespace.Name) - _, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA)) + var err error + if issuerKind == cmapi.IssuerKind { + _, err = f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA)) + } else { + _, err = f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(util.NewCertManagerVaultClusterIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA)) + } + Expect(err).NotTo(HaveOccurred()) By("Waiting for Issuer to become Ready") - err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name), - issuerName, - v1alpha2.IssuerCondition{ - Type: v1alpha2.IssuerConditionReady, - Status: cmmeta.ConditionTrue, - }) + if issuerKind == cmapi.IssuerKind { + err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name), + issuerName, + cmapi.IssuerCondition{ + Type: cmapi.IssuerConditionReady, + Status: cmmeta.ConditionTrue, + }) + } else { + err = util.WaitForClusterIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers(), + issuerName, + cmapi.IssuerCondition{ + Type: cmapi.IssuerConditionReady, + Status: cmmeta.ConditionTrue, + }) + } + Expect(err).NotTo(HaveOccurred()) By("Creating a Certificate") - _, err = certClient.Create(util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, issuerName, v1alpha2.IssuerKind, nil, nil)) + _, err = 
certClient.Create(util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, issuerName, issuerKind, nil, nil)) Expect(err).NotTo(HaveOccurred()) err = h.WaitCertificateIssuedValid(f.Namespace.Name, certificateName, time.Minute*5) Expect(err).NotTo(HaveOccurred()) }) -}) +} diff --git a/test/e2e/suite/issuers/vault/certificaterequest/approle.go b/test/e2e/suite/issuers/vault/certificaterequest/approle.go index e3a387f39..721514323 100644 --- a/test/e2e/suite/issuers/vault/certificaterequest/approle.go +++ b/test/e2e/suite/issuers/vault/certificaterequest/approle.go @@ -26,7 +26,7 @@ import ( . "github.com/onsi/gomega" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2" + cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2" cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1" "github.com/jetstack/cert-manager/test/e2e/framework" "github.com/jetstack/cert-manager/test/e2e/framework/addon/tiller" @@ -34,7 +34,15 @@ import ( "github.com/jetstack/cert-manager/test/e2e/util" ) -var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole)", func() { +var _ = framework.CertManagerDescribe("Vault Issuer CertificateRequest (AppRole)", func() { + runVaultAppRoleTests(cmapi.IssuerKind) +}) + +var _ = framework.CertManagerDescribe("Vault ClusterIssuer CertificateRequest (AppRole)", func() { + runVaultAppRoleTests(cmapi.ClusterIssuerKind) +}) + +func runVaultAppRoleTests(issuerKind string) { f := framework.NewDefaultFramework("create-vault-certificaterequest") h := f.Helper() 
@@ -75,6 +83,13 @@ var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole)", func var secretId string var vaultInit *vaultaddon.VaultInitializer + var vaultSecretNamespace string + if issuerKind == cmapi.IssuerKind { + vaultSecretNamespace = f.Namespace.Name + } else { + vaultSecretNamespace = "kube-system" + } + BeforeEach(func() { By("Configuring the Vault server") vaultInit = &vaultaddon.VaultInitializer{ @@ -90,15 +105,21 @@ var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole)", func Expect(err).NotTo(HaveOccurred()) roleId, secretId, err = vaultInit.CreateAppRole() Expect(err).NotTo(HaveOccurred()) - _, err = f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(vaultaddon.NewVaultAppRoleSecret(vaultSecretAppRoleName, secretId)) + _, err = f.KubeClientSet.CoreV1().Secrets(vaultSecretNamespace).Create(vaultaddon.NewVaultAppRoleSecret(vaultSecretAppRoleName, secretId)) Expect(err).NotTo(HaveOccurred()) }) JustAfterEach(func() { By("Cleaning up") Expect(vaultInit.Clean()).NotTo(HaveOccurred()) - f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Delete(issuerName, nil) - f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Delete(vaultSecretAppRoleName, nil) + + if issuerKind == cmapi.IssuerKind { + f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Delete(issuerName, nil) + } else { + f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Delete(issuerName, nil) + } + + f.KubeClientSet.CoreV1().Secrets(vaultSecretNamespace).Delete(vaultSecretAppRoleName, nil) }) It("should generate a new valid certificate", func() { 
@@ -107,21 +128,35 @@ var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole)", func crClient := f.CertManagerClientSet.CertmanagerV1alpha2().CertificateRequests(f.Namespace.Name) - _, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA)) - + var err error + if issuerKind == cmapi.IssuerKind { + _, err = f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA)) + } else { + _, err = f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(util.NewCertManagerVaultClusterIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA)) + } Expect(err).NotTo(HaveOccurred()) By("Waiting for Issuer to become Ready") - err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name), - issuerName, - v1alpha2.IssuerCondition{ - Type: v1alpha2.IssuerConditionReady, - Status: cmmeta.ConditionTrue, - }) + if issuerKind == cmapi.IssuerKind { + err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name), + issuerName, + cmapi.IssuerCondition{ + Type: cmapi.IssuerConditionReady, + Status: cmmeta.ConditionTrue, + }) + } else { + err = util.WaitForClusterIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers(), + issuerName, + cmapi.IssuerCondition{ + Type: cmapi.IssuerConditionReady, + Status: cmmeta.ConditionTrue, + }) + } + Expect(err).NotTo(HaveOccurred()) By("Creating a CertificateRequest") - cr, key, err := util.NewCertManagerBasicCertificateRequest(certificateRequestName, issuerName, v1alpha2.IssuerKind, + cr, key, err := 
util.NewCertManagerBasicCertificateRequest(certificateRequestName, issuerName, issuerKind, &metav1.Duration{ Duration: time.Hour * 24 * 90, }, 
@@ -167,23 +202,32 @@ var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole)", func v := v It("should generate a new certificate "+v.label, func() { By("Creating an Issuer") - _, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vault.Details().Host, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA)) + + var err error + if issuerKind == cmapi.IssuerKind { + _, err = f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vault.Details().Host, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA)) + } else { + _, err = f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(util.NewCertManagerVaultClusterIssuerAppRole(issuerName, vault.Details().Host, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA)) + } Expect(err).NotTo(HaveOccurred()) By("Waiting for Issuer to become Ready") - err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name), - issuerName, - v1alpha2.IssuerCondition{ - Type: v1alpha2.IssuerConditionReady, - Status: cmmeta.ConditionTrue, - }) + if issuerKind == cmapi.IssuerKind { + err = util.WaitForClusterIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers(), + issuerName, + cmapi.IssuerCondition{ + Type: cmapi.IssuerConditionReady, + Status: cmmeta.ConditionTrue, + }) + } else { + } Expect(err).NotTo(HaveOccurred()) By("Creating a CertificateRequest") crClient := f.CertManagerClientSet.CertmanagerV1alpha2().CertificateRequests(f.Namespace.Name) cr, key, err := util.NewCertManagerBasicCertificateRequest(certificateRequestName, issuerName, - v1alpha2.IssuerKind, v.inputDuration, crDNSNames, crIPAddresses, nil, x509.RSA) + issuerKind, v.inputDuration, crDNSNames, crIPAddresses, nil, x509.RSA) 
Expect(err).NotTo(HaveOccurred()) _, err = crClient.Create(cr) Expect(err).NotTo(HaveOccurred()) @@ -197,4 +241,4 @@ var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole)", func f.CertificateRequestDurationValid(cr, v.expectedDuration+(30*time.Second)) }) } -}) +} diff --git a/test/e2e/suite/issuers/vault/certificaterequest/approle_custom_mount.go b/test/e2e/suite/issuers/vault/certificaterequest/approle_custom_mount.go index 1939f8701..6214a96bd 100644 --- a/test/e2e/suite/issuers/vault/certificaterequest/approle_custom_mount.go +++ b/test/e2e/suite/issuers/vault/certificaterequest/approle_custom_mount.go @@ -26,7 +26,7 @@ import ( . "github.com/onsi/gomega" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2" + cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2" cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1" "github.com/jetstack/cert-manager/test/e2e/framework" "github.com/jetstack/cert-manager/test/e2e/framework/addon/tiller" @@ -34,7 +34,15 @@ import ( "github.com/jetstack/cert-manager/test/e2e/util" ) -var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole with a custom mount path)", func() { +var _ = framework.CertManagerDescribe("Vault Issuer CertificateRequest (AppRole with a custom mount path)", func() { + runVaultCustomAppRoleTests(cmapi.IssuerKind) +}) + +var _ = framework.CertManagerDescribe("Vault ClusterIssuer CertificateRequest (AppRole with a custom mount path)", func() { + runVaultCustomAppRoleTests(cmapi.ClusterIssuerKind) +}) + +func runVaultCustomAppRoleTests(issuerKind string) { f := framework.NewDefaultFramework("create-vault-certificaterequest") h := f.Helper() 
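Review bot: The wait-for-Ready block in this hunk is wrong for both kinds: the `if issuerKind == cmapi.IssuerKind` branch calls `util.WaitForClusterIssuerCondition` against `ClusterIssuers()` although the spec has just created a namespaced Issuer, and the `else` branch is empty, so for a ClusterIssuer `err` keeps the nil from the Create call and the spec goes on to create the CertificateRequest without ever confirming the issuer is Ready. Every other hunk in this commit has the correct shape (Issuer → `WaitForIssuerCondition` on `Issuers(f.Namespace.Name)`, ClusterIssuer → `WaitForClusterIssuerCondition`), and this block should be rewritten to match. The enclosing `It` closure starts outside the hunk.
```go
By("Waiting for Issuer to become Ready")
if issuerKind == cmapi.IssuerKind {
	err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name),
		issuerName,
		cmapi.IssuerCondition{
			Type:   cmapi.IssuerConditionReady,
			Status: cmmeta.ConditionTrue,
		})
} else {
	err = util.WaitForClusterIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers(),
		issuerName,
		cmapi.IssuerCondition{
			Type:   cmapi.IssuerConditionReady,
			Status: cmmeta.ConditionTrue,
		})
}
Expect(err).NotTo(HaveOccurred())
// … unchanged: CertificateRequest creation and validation …
```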
@@ -76,6 +84,13 @@ var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole with a var vaultInit *vaultaddon.VaultInitializer + var vaultSecretNamespace string + if issuerKind == cmapi.IssuerKind { + vaultSecretNamespace = f.Namespace.Name + } else { + vaultSecretNamespace = "kube-system" + } + BeforeEach(func() { By("Configuring the Vault server") vaultInit = &vaultaddon.VaultInitializer{ @@ -91,15 +106,21 @@ var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole with a Expect(err).NotTo(HaveOccurred()) roleId, secretId, err = vaultInit.CreateAppRole() Expect(err).NotTo(HaveOccurred()) - _, err = f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(vaultaddon.NewVaultAppRoleSecret(vaultSecretAppRoleName, secretId)) + _, err = f.KubeClientSet.CoreV1().Secrets(vaultSecretNamespace).Create(vaultaddon.NewVaultAppRoleSecret(vaultSecretAppRoleName, secretId)) Expect(err).NotTo(HaveOccurred()) }) JustAfterEach(func() { By("Cleaning up") Expect(vaultInit.Clean()).NotTo(HaveOccurred()) - f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Delete(issuerName, nil) - f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Delete(vaultSecretAppRoleName, nil) + + if issuerKind == cmapi.IssuerKind { + f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Delete(issuerName, nil) + } else { + f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Delete(issuerName, nil) + } + + f.KubeClientSet.CoreV1().Secrets(vaultSecretNamespace).Delete(vaultSecretAppRoleName, nil) }) It("should generate a new valid certificate", func() { 
@@ -108,21 +129,37 @@ var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole with a crClient := f.CertManagerClientSet.CertmanagerV1alpha2().CertificateRequests(f.Namespace.Name) - _, err := f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA)) + var err error + if issuerKind == cmapi.IssuerKind { + _, err = f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA)) + } else { + _, err = f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers().Create(util.NewCertManagerVaultClusterIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA)) + } + Expect(err).NotTo(HaveOccurred()) By("Waiting for Issuer to become Ready") - err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name), - issuerName, - v1alpha2.IssuerCondition{ - Type: v1alpha2.IssuerConditionReady, - Status: cmmeta.ConditionTrue, - }) + if issuerKind == cmapi.IssuerKind { + err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().Issuers(f.Namespace.Name), + issuerName, + cmapi.IssuerCondition{ + Type: cmapi.IssuerConditionReady, + Status: cmmeta.ConditionTrue, + }) + } else { + err = util.WaitForClusterIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha2().ClusterIssuers(), + issuerName, + cmapi.IssuerCondition{ + Type: cmapi.IssuerConditionReady, + Status: cmmeta.ConditionTrue, + }) + } + Expect(err).NotTo(HaveOccurred()) By("Creating a CertificateRequest") cr, key, err := util.NewCertManagerBasicCertificateRequest(certificateRequestName, issuerName, - v1alpha2.IssuerKind, &metav1.Duration{ + issuerKind, &metav1.Duration{ Duration: 
time.Hour * 24 * 90, }, crDNSNames, crIPAddresses, nil, x509.RSA) @@ -133,4 +170,4 @@ var _ = framework.CertManagerDescribe("Vault CertificateRequest (AppRole with a err = h.WaitCertificateRequestIssuedValid(f.Namespace.Name, certificateRequestName, time.Minute*5, key) Expect(err).NotTo(HaveOccurred()) }) -}) +} diff --git a/test/e2e/util/util.go b/test/e2e/util/util.go index ef14f19ff..140680121 100644 --- a/test/e2e/util/util.go +++ b/test/e2e/util/util.go 
@@ -490,21 +490,34 @@ func NewCertManagerVaultIssuerAppRole(name, vaultURL, vaultPath, roleId, vaultSe ObjectMeta: metav1.ObjectMeta{ Name: name, }, - Spec: v1alpha2.IssuerSpec{ - IssuerConfig: v1alpha2.IssuerConfig{ - Vault: &v1alpha2.VaultIssuer{ - Server: vaultURL, - Path: vaultPath, - CABundle: caBundle, - Auth: v1alpha2.VaultAuth{ - AppRole: &v1alpha2.VaultAppRole{ - Path: authPath, - RoleId: roleId, - SecretRef: cmmeta.SecretKeySelector{ - Key: "secretkey", - LocalObjectReference: cmmeta.LocalObjectReference{ - Name: vaultSecretAppRole, - }, + Spec: newCertManagerVaultIssuerSpecAppRole(vaultURL, vaultPath, roleId, vaultSecretAppRole, authPath, caBundle), + } +} + +func NewCertManagerVaultClusterIssuerAppRole(name, vaultURL, vaultPath, roleId, vaultSecretAppRole string, authPath string, caBundle []byte) *v1alpha2.ClusterIssuer { + return &v1alpha2.ClusterIssuer{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + }, + Spec: newCertManagerVaultIssuerSpecAppRole(vaultURL, vaultPath, roleId, vaultSecretAppRole, authPath, caBundle), + } +} + +func newCertManagerVaultIssuerSpecAppRole(vaultURL, vaultPath, roleId, vaultSecretAppRole string, authPath string, caBundle []byte) v1alpha2.IssuerSpec { + return v1alpha2.IssuerSpec{ + IssuerConfig: v1alpha2.IssuerConfig{ + Vault: &v1alpha2.VaultIssuer{ + Server: vaultURL, + Path: vaultPath, + CABundle: caBundle, + Auth: v1alpha2.VaultAuth{ + AppRole: &v1alpha2.VaultAppRole{ + Path: authPath, + RoleId: roleId, + SecretRef: cmmeta.SecretKeySelector{ + Key: "secretkey", + LocalObjectReference: cmmeta.LocalObjectReference{ + Name: vaultSecretAppRole, }, }, },