Adds selfsigned certificaterequest e2e tests

Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
2019-07-22 15:44:23 +01:00 · 2019-07-22 15:44:23 +01:00 · f26ea8dfb6
commit f26ea8dfb6
parent 0ce8aab9d2
8 changed files with 251 additions and 11 deletions
--- a/pkg/controller/certificaterequests/selfsigned/selfsigned.go
+++ b/pkg/controller/certificaterequests/selfsigned/selfsigned.go
@ -1,10 +1,13 @@
 /*
 Copyright 2019 The Jetstack cert-manager contributors.
- Licensed under the Apache License, Version 2.0 (the "License");
+
+Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
-     http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
--- a/pkg/controller/certificaterequests/selfsigned/selfsigned_test.go
+++ b/pkg/controller/certificaterequests/selfsigned/selfsigned_test.go
@ -1,10 +1,13 @@
 /*
 Copyright 2019 The Jetstack cert-manager contributors.
- Licensed under the Apache License, Version 2.0 (the "License");
+
+Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
-     http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
--- a/pkg/controller/certificaterequests/selfsigned/util_test.go
+++ b/pkg/controller/certificaterequests/selfsigned/util_test.go
@ -1,10 +1,13 @@
 /*
 Copyright 2019 The Jetstack cert-manager contributors.
- Licensed under the Apache License, Version 2.0 (the "License");
+
+Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
-     http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
--- a/test/e2e/suite/issuers/selfsigned/BUILD.bazel
+++ b/test/e2e/suite/issuers/selfsigned/BUILD.bazel
@ -2,7 +2,11 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library")

 go_library(
    name = "go_default_library",
-    srcs = ["certificate.go"],
+    srcs = [
+        "certificate.go",
+        "certificaterequest.go",
+        "fixtures.go",
+    ],
    importpath = "github.com/jetstack/cert-manager/test/e2e/suite/issuers/selfsigned",
    tags = ["manual"],
    visibility = ["//visibility:public"],
@ -12,6 +16,7 @@ go_library(
        "//test/e2e/util:go_default_library",
        "//vendor/github.com/onsi/ginkgo:go_default_library",
        "//vendor/github.com/onsi/gomega:go_default_library",
+        "//vendor/k8s.io/api/core/v1:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
    ],
 )
--- a/test/e2e/suite/issuers/selfsigned/certificate.go
+++ b/test/e2e/suite/issuers/selfsigned/certificate.go
@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-package certificate
+package selfsigned

 import (
 	"fmt"
--- a/test/e2e/suite/issuers/selfsigned/certificaterequest.go
+++ b/test/e2e/suite/issuers/selfsigned/certificaterequest.go
@ -0,0 +1,151 @@
+/*
+Copyright 2019 The Jetstack cert-manager contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package selfsigned
+
+import (
+	"crypto/x509"
+	"net"
+	"time"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
+	"github.com/jetstack/cert-manager/test/e2e/framework"
+	"github.com/jetstack/cert-manager/test/e2e/util"
+)
+
+var _ = framework.CertManagerDescribe("SelfSigned CertificateRequest", func() {
+	f := framework.NewDefaultFramework("create-selfsigned-certificaterequest")
+	h := f.Helper()
+
+	issuerName := "test-selfsigned-issuer"
+	certificateRequestName := "test-selfsigned-certificaterequest"
+	certificateRequestSecretName := "test-selfsigned-private-key"
+
+	exampleDNSNames := []string{"dnsName1.co", "dnsName2.ninja"}
+	exampleIPAddresses := []net.IP{
+		[]byte{8, 8, 8, 8},
+		[]byte{1, 1, 1, 1},
+	}
+	exampleURIs := []string{"spiffe://foo.foo.example.net", "spiffe://foo.bar.example.net"}
+
+	JustBeforeEach(func() {
+		By("Creating an Issuer")
+		_, err := f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name).Create(util.NewCertManagerSelfSignedIssuer(issuerName))
+		Expect(err).NotTo(HaveOccurred())
+		By("Waiting for Issuer to become Ready")
+		err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name),
+			issuerName,
+			v1alpha1.IssuerCondition{
+				Type:   v1alpha1.IssuerConditionReady,
+				Status: v1alpha1.ConditionTrue,
+			})
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	AfterEach(func() {
+		By("Cleaning up")
+		f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Delete(certificateRequestSecretName, nil)
+		f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name).Delete(issuerName, nil)
+	})
+
+	Context("Self Signed and private key", func() {
+
+		BeforeEach(func() {
+			By("Creating a signing keypair fixture")
+			_, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(newPrivateKeySecret(certificateRequestSecretName))
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("should generate a valid certificate from CSR", func() {
+			certRequestClient := f.CertManagerClientSet.CertmanagerV1alpha1().CertificateRequests(f.Namespace.Name)
+
+			By("Creating a CertificateRequest")
+			cr, key, err := util.NewCertManagerBasicCertificateRequest(certificateRequestName, issuerName, v1alpha1.IssuerKind,
+				&metav1.Duration{
+					Duration: time.Hour * 24 * 90,
+				},
+				exampleDNSNames, exampleIPAddresses, exampleURIs, x509.RSA)
+			Expect(err).NotTo(HaveOccurred())
+			cr.Annotations[v1alpha1.CRPrivateKeyAnnotationKey] = certificateRequestSecretName
+			_, err = certRequestClient.Create(cr)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Verifying the Certificate is valid")
+			err = h.WaitCertificateRequestIssuedValid(f.Namespace.Name, certificateRequestName, time.Second*30, key)
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("should be able to obtain an ECDSA key from a RSA backed issuer", func() {
+			certRequestClient := f.CertManagerClientSet.CertmanagerV1alpha1().CertificateRequests(f.Namespace.Name)
+
+			By("Creating a CertificateRequest")
+			cr, key, err := util.NewCertManagerBasicCertificateRequest(certificateRequestName, issuerName, v1alpha1.IssuerKind,
+				&metav1.Duration{
+					Duration: time.Hour * 24 * 90,
+				},
+				exampleDNSNames, exampleIPAddresses, exampleURIs, x509.ECDSA)
+			Expect(err).NotTo(HaveOccurred())
+			cr.Annotations[v1alpha1.CRPrivateKeyAnnotationKey] = certificateRequestSecretName
+			_, err = certRequestClient.Create(cr)
+			Expect(err).NotTo(HaveOccurred())
+
+			By("Verifying the Certificate is valid")
+			err = h.WaitCertificateRequestIssuedValid(f.Namespace.Name, certificateRequestName, time.Second*30, key)
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		cases := []struct {
+			inputDuration    *metav1.Duration
+			expectedDuration time.Duration
+			label            string
+		}{
+			{
+				inputDuration:    &metav1.Duration{time.Hour * 24 * 35},
+				expectedDuration: time.Hour * 24 * 35,
+				label:            "35 days",
+			},
+			{
+				inputDuration:    nil,
+				expectedDuration: time.Hour * 24 * 90,
+				label:            "the default duration (90 days)",
+			},
+		}
+		for _, v := range cases {
+			It("should generate a signed certificate valid for "+v.label, func() {
+				crClient := f.CertManagerClientSet.CertmanagerV1alpha1().CertificateRequests(f.Namespace.Name)
+
+				By("Creating a CertificateRequest")
+				cr, key, err := util.NewCertManagerBasicCertificateRequest(certificateRequestName, issuerName, v1alpha1.IssuerKind, v.inputDuration,
+					exampleDNSNames, exampleIPAddresses, exampleURIs, x509.RSA)
+				Expect(err).NotTo(HaveOccurred())
+				cr.Annotations[v1alpha1.CRPrivateKeyAnnotationKey] = certificateRequestSecretName
+				cr, err = crClient.Create(cr)
+				Expect(err).NotTo(HaveOccurred())
+
+				By("Verifying the CertificateRequest is valid")
+				err = h.WaitCertificateRequestIssuedValid(f.Namespace.Name, certificateRequestName, time.Second*30, key)
+				Expect(err).NotTo(HaveOccurred())
+				cr, err = crClient.Get(cr.Name, metav1.GetOptions{})
+				Expect(err).NotTo(HaveOccurred())
+				f.CertificateRequestDurationValid(cr, v.expectedDuration)
+			})
+		}
+	})
+})
--- a/test/e2e/suite/issuers/selfsigned/fixtures.go
+++ b/test/e2e/suite/issuers/selfsigned/fixtures.go
@ -0,0 +1,61 @@
+/*
+Copyright 2019 The Jetstack cert-manager contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package selfsigned
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const rootKey = `-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAz5DYA7iEBFq/SrCOTsjiYSHlHbTUdLyzselos5cE2++Huon3
+InPqMupiDoS8/Qr9srnoKnah7aKB3sY7GlXdg85zcIbQIKocymsRy/GPbEEpfTRG
+1yfihUuEM+EBvQFX9Hs0Ut5bHOH6CC88jVebWotpZiphkQnlsGxhcPe091LgYYg1
+HPxm+KHjp/RnbBWQIahOmxtfwc7vixrYNrJSPMCxYaU7ltkaIxIeMMSd/3J6TZNy
+MTJWiiGg4tpCD+eDbVPlFbN5kpOXVzOfC4ZWv21l8cWrFDmp5oh37UgK3E2+QSNt
+OdmXpbL0K2GfR3HA55LlOowntIU1fLWCniN/8wIDAQABAoIBAQCYvGvIKSG0FpbG
+vi6pmLbEZO20s1jW4fiUxT2PUWR49sR4pocdahB/EOvA5TowNcNDnftSK+Ox+q/4
+HwRkt6R+Fg/qULmcH7F53dnFqeYw8a42/J3YOvg7v7rzdfISg4eWVobFJ+wBz+Nt
+3FyBYWLm+MlBLZSH5rGG5em59/zJNHWIhH+oQPfCxAkYEvd8tXOTUzjhqvEfjaJy
+FZghnT9xto4MwDdNCPbtzdNjTMhiv0AHkcZGGtRJfkehXX2qhXOQ2UzzO9XrMZnv
+5KgYf+bXKJsyS3SPl6TTl7vg2gKBciRvsdFhMy5I5GyIADrEDJnNNmXQRtiaFLfd
+k/aqfPT5AoGBAPquMouZUbVS/Qh+qbls7G4zAuznfCiqdctcKmUGPRP4sTTjWdUp
+fjI+UTt1e8hncmr4RY7Oa9kUV/kDwzS5spUZZ+u0PczS3XKxOwNOleoH00dfc9vt
+cxctHdPdDTndRi8Z4k3m931jIX7jB/Pyx8qeNYB3pj0k3ThktwMbAVLnAoGBANP4
+beI5zpbvtAdExJcuxx2mRDGF0lIdKC0bvQaeqM3Lwqnmc0Fz1dbP7KXDa+SdJWPd
+res+NHPZoEPeEJuDTSngXOLNECZe4Ja9frn1TeY858vMJBwIkyc8zu+sgXxjQUM+
+TWUlTUhtXyybkRnxAEny4OT2TTgmXITJaKOmV1UVAoGAHaXSlo4YitB42rNYUXTf
+dZ0U4H30Qj7+1YFeBjq5qI4GL1IgQsS4hyq1osmfTTFm593bJCunt7HfQbU/NhIs
+W9P4ZXkYwgvCYxkw+JAnzNkGFO/mHQG1Ve1hFLiVIt3XuiRejoYdiTfbM02YmDKD
+jKQvgbUk9SBSBaRrvLNJ8csCgYAYnrZEnGo+ZcEHRxl+ZdSCwRkSl3SCTRiphJtD
+9ZGttYj6quWgKJAhzyyxZC1X9FivbMQSmrsE6bYPq+9J4MpJnuGrBh5mFocHeyMI
+/lD5+QEDTsay6twMpqdydxrjE7Q01zuuD9MWIn33dGo6FR/vduJgNatqZipA0hPx
+ThS+sQKBgQDh0+cVo1mfYiCkp3IQPB8QYiJ/g2/UBk6pH8ZZDZ+A5td6NveiWO1y
+wTEUWkX2qyz9SLxWDGOhdKqxNrLCUSYSOV/5/JQEtBm6K50ArFtrY40JP/T/5KvM
+tSK2ayFX1wQ3PuEmewAogy/20tWo80cr556AXA62Utl2PzLK30Db8w==
+-----END RSA PRIVATE KEY-----`
+
+func newPrivateKeySecret(name string) *corev1.Secret {
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		StringData: map[string]string{
+			corev1.TLSPrivateKeyKey: rootKey,
+		},
+	}
+}
--- a/test/unit/gen/certificaterequest.go
+++ b/test/unit/gen/certificaterequest.go
@ -106,3 +106,17 @@ func SetCertificateRequestName(name string) CertificateRequestModifier {
 		cr.ObjectMeta.Name = name
 	}
 }
+
+func AddCertificateRequestAnnotations(annotations map[string]string) CertificateRequestModifier {
+	return func(cr *v1alpha1.CertificateRequest) {
+		// Make sure to do a merge here with new annotations overriding.
+		annotationsNew := cr.GetAnnotations()
+		if annotationsNew == nil {
+			annotationsNew = make(map[string]string)
+		}
+		for k, v := range annotations {
+			annotationsNew[k] = v
+		}
+		cr.SetAnnotations(annotationsNew)
+	}
+}