diff --git a/test/e2e/suite/conformance/certificatesigningrequests/vault/approle_custom_mount.go b/test/e2e/suite/conformance/certificatesigningrequests/vault/approle_custom_mount.go
deleted file mode 100644
index 8fdd3911f..000000000
--- a/test/e2e/suite/conformance/certificatesigningrequests/vault/approle_custom_mount.go
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
-Copyright 2021 The cert-manager Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package vault
-
-import (
- "github.com/cert-manager/cert-manager/e2e-tests/framework"
- "github.com/cert-manager/cert-manager/e2e-tests/framework/helper/featureset"
- "github.com/cert-manager/cert-manager/e2e-tests/suite/conformance/certificatesigningrequests"
-)
-
-var _ = framework.ConformanceDescribe("CertificateSigningRequests", func() {
- issuer := &approle{
- testWithRootCA: true,
- }
- (&certificatesigningrequests.Suite{
- Name: "Vault AppRole Custom Auth Path Issuer With Root CA",
- CreateIssuerFunc: issuer.createIssuer,
- DeleteIssuerFunc: issuer.delete,
- UnsupportedFeatures: featureset.NewFeatureSet(
- featureset.KeyUsagesFeature,
- featureset.Ed25519FeatureSet,
- ),
- }).Define()
-
- issuerNoRoot := &approle{
- testWithRootCA: false,
- }
- (&certificatesigningrequests.Suite{
- Name: "Vault AppRole Custom Auth Path Issuer Without Root CA",
- CreateIssuerFunc: issuerNoRoot.createIssuer,
- DeleteIssuerFunc: issuerNoRoot.delete,
- UnsupportedFeatures: featureset.NewFeatureSet(
- featureset.KeyUsagesFeature,
- featureset.Ed25519FeatureSet,
- ),
- }).Define()
-
- clusterIssuer := &approle{
- testWithRootCA: true,
- }
- (&certificatesigningrequests.Suite{
- Name: "Vault AppRole Custom Auth Path ClusterIssuer With Root CA",
- CreateIssuerFunc: clusterIssuer.createClusterIssuer,
- DeleteIssuerFunc: clusterIssuer.delete,
- UnsupportedFeatures: featureset.NewFeatureSet(
- featureset.KeyUsagesFeature,
- featureset.Ed25519FeatureSet,
- ),
- }).Define()
-
- clusterIssuerNoRoot := &approle{
- testWithRootCA: false,
- }
- (&certificatesigningrequests.Suite{
- Name: "Vault AppRole Custom Auth Path ClusterIssuer Without Root CA",
- CreateIssuerFunc: clusterIssuerNoRoot.createClusterIssuer,
- DeleteIssuerFunc: clusterIssuerNoRoot.delete,
- UnsupportedFeatures: featureset.NewFeatureSet(
- featureset.KeyUsagesFeature,
- featureset.Ed25519FeatureSet,
- ),
- }).Define()
-})
diff --git a/test/e2e/suite/issuers/vault/certificate/approle_custom_mount.go b/test/e2e/suite/issuers/vault/certificate/approle_custom_mount.go
deleted file mode 100644
index 695c4ead5..000000000
--- a/test/e2e/suite/issuers/vault/certificate/approle_custom_mount.go
+++ /dev/null
@@ -1,168 +0,0 @@
-/*
-Copyright 2020 The cert-manager Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package certificate
-
-import (
- "context"
- "time"
-
- . "github.com/onsi/ginkgo/v2"
- . "github.com/onsi/gomega"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
- "github.com/cert-manager/cert-manager/e2e-tests/framework"
- "github.com/cert-manager/cert-manager/e2e-tests/framework/addon"
- vaultaddon "github.com/cert-manager/cert-manager/e2e-tests/framework/addon/vault"
- "github.com/cert-manager/cert-manager/e2e-tests/framework/helper/featureset"
- "github.com/cert-manager/cert-manager/e2e-tests/framework/helper/validation"
- "github.com/cert-manager/cert-manager/e2e-tests/util"
- cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
- cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
- "github.com/cert-manager/cert-manager/test/unit/gen"
-)
-
-var _ = framework.CertManagerDescribe("Vault Issuer Certificate (AppRole with a custom mount path, CA without root)", func() {
- fs := featureset.NewFeatureSet(featureset.SaveRootCAToSecret)
- runVaultCustomAppRoleTests(cmapi.IssuerKind, false, fs)
-})
-
-var _ = framework.CertManagerDescribe("Vault Issuer Certificate (AppRole with a custom mount path, CA with root)", func() {
- fs := featureset.NewFeatureSet()
- runVaultCustomAppRoleTests(cmapi.IssuerKind, true, fs)
-})
-var _ = framework.CertManagerDescribe("Vault ClusterIssuer Certificate (AppRole with a custom mount path, CA without root)", func() {
- fs := featureset.NewFeatureSet(featureset.SaveRootCAToSecret)
- runVaultCustomAppRoleTests(cmapi.ClusterIssuerKind, false, fs)
-})
-var _ = framework.CertManagerDescribe("Vault ClusterIssuer Certificate (AppRole with a custom mount path, CA with root)", func() {
- fs := featureset.NewFeatureSet()
- runVaultCustomAppRoleTests(cmapi.ClusterIssuerKind, true, fs)
-})
-
-func runVaultCustomAppRoleTests(issuerKind string, testWithRoot bool, unsupportedFeatures featureset.FeatureSet) {
- f := framework.NewDefaultFramework("create-vault-certificate")
-
- certificateName := "test-vault-certificate"
- certificateSecretName := "test-vault-certificate"
- var vaultIssuerName string
-
- appRoleSecretGeneratorName := "vault-approle-secret-"
- var roleId, secretId string
- var vaultSecretName, vaultSecretNamespace string
-
- var setup *vaultaddon.VaultInitializer
-
- BeforeEach(func() {
- By("Configuring the Vault server")
- if issuerKind == cmapi.IssuerKind {
- vaultSecretNamespace = f.Namespace.Name
- } else {
- vaultSecretNamespace = f.Config.Addons.CertManager.ClusterResourceNamespace
- }
-
- setup = vaultaddon.NewVaultInitializerAppRole(
- addon.Base.Details().KubeClient,
- *addon.Vault.Details(),
- testWithRoot,
- )
- Expect(setup.Init()).NotTo(HaveOccurred(), "failed to init vault")
- Expect(setup.Setup()).NotTo(HaveOccurred(), "failed to setup vault")
-
- var err error
- roleId, secretId, err = setup.CreateAppRole()
- Expect(err).NotTo(HaveOccurred())
-
- sec, err := f.KubeClientSet.CoreV1().Secrets(vaultSecretNamespace).Create(context.TODO(), vaultaddon.NewVaultAppRoleSecret(appRoleSecretGeneratorName, secretId), metav1.CreateOptions{})
- Expect(err).NotTo(HaveOccurred())
- vaultSecretName = sec.Name
- })
-
- JustAfterEach(func() {
- By("Cleaning up")
- Expect(setup.Clean()).NotTo(HaveOccurred())
-
- if issuerKind == cmapi.IssuerKind {
- f.CertManagerClientSet.CertmanagerV1().Issuers(f.Namespace.Name).Delete(context.TODO(), vaultIssuerName, metav1.DeleteOptions{})
- } else {
- f.CertManagerClientSet.CertmanagerV1().ClusterIssuers().Delete(context.TODO(), vaultIssuerName, metav1.DeleteOptions{})
- }
-
- f.KubeClientSet.CoreV1().Secrets(vaultSecretNamespace).Delete(context.TODO(), vaultSecretName, metav1.DeleteOptions{})
- })
-
- It("should generate a new valid certificate", func() {
- By("Creating an Issuer")
- vaultURL := addon.Vault.Details().URL
-
- certClient := f.CertManagerClientSet.CertmanagerV1().Certificates(f.Namespace.Name)
-
- var err error
- if issuerKind == cmapi.IssuerKind {
- vaultIssuer := gen.IssuerWithRandomName("test-vault-issuer-",
- gen.SetIssuerNamespace(f.Namespace.Name),
- gen.SetIssuerVaultURL(vaultURL),
- gen.SetIssuerVaultPath(setup.IntermediateSignPath()),
- gen.SetIssuerVaultCABundle(addon.Vault.Details().VaultCA),
- gen.SetIssuerVaultAppRoleAuth("secretkey", vaultSecretName, roleId, setup.AppRoleAuthPath()))
- iss, err := f.CertManagerClientSet.CertmanagerV1().Issuers(f.Namespace.Name).Create(context.TODO(), vaultIssuer, metav1.CreateOptions{})
- Expect(err).NotTo(HaveOccurred())
-
- vaultIssuerName = iss.Name
- } else {
- vaultIssuer := gen.ClusterIssuerWithRandomName("test-vault-issuer-",
- gen.SetIssuerVaultURL(vaultURL),
- gen.SetIssuerVaultPath(setup.IntermediateSignPath()),
- gen.SetIssuerVaultCABundle(addon.Vault.Details().VaultCA),
- gen.SetIssuerVaultAppRoleAuth("secretkey", vaultSecretName, roleId, setup.AppRoleAuthPath()))
- iss, err := f.CertManagerClientSet.CertmanagerV1().ClusterIssuers().Create(context.TODO(), vaultIssuer, metav1.CreateOptions{})
- Expect(err).NotTo(HaveOccurred())
-
- vaultIssuerName = iss.Name
- }
-
- By("Waiting for Issuer to become Ready")
- if issuerKind == cmapi.IssuerKind {
- err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1().Issuers(f.Namespace.Name),
- vaultIssuerName,
- cmapi.IssuerCondition{
- Type: cmapi.IssuerConditionReady,
- Status: cmmeta.ConditionTrue,
- })
- } else {
- err = util.WaitForClusterIssuerCondition(f.CertManagerClientSet.CertmanagerV1().ClusterIssuers(),
- vaultIssuerName,
- cmapi.IssuerCondition{
- Type: cmapi.IssuerConditionReady,
- Status: cmmeta.ConditionTrue,
- })
- }
-
- Expect(err).NotTo(HaveOccurred())
-
- By("Creating a Certificate")
- cert, err := certClient.Create(context.TODO(), util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, vaultIssuerName, issuerKind, nil, nil), metav1.CreateOptions{})
- Expect(err).NotTo(HaveOccurred())
-
- By("Waiting for the Certificate to be issued...")
- cert, err = f.Helper().WaitForCertificateReadyAndDoneIssuing(cert, time.Minute*5)
- Expect(err).NotTo(HaveOccurred())
-
- By("Validating the issued Certificate...")
- err = f.Helper().ValidateCertificate(cert, validation.CertificateSetForUnsupportedFeatureSet(unsupportedFeatures)...)
- Expect(err).NotTo(HaveOccurred())
- })
-}
diff --git a/test/e2e/suite/issuers/vault/certificaterequest/approle_custom_mount.go b/test/e2e/suite/issuers/vault/certificaterequest/approle_custom_mount.go
deleted file mode 100644
index fdf968d2d..000000000
--- a/test/e2e/suite/issuers/vault/certificaterequest/approle_custom_mount.go
+++ /dev/null
@@ -1,168 +0,0 @@
-/*
-Copyright 2020 The cert-manager Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package certificaterequest
-
-import (
- "context"
- "crypto/x509"
- "net"
- "time"
-
- . "github.com/onsi/ginkgo/v2"
- . "github.com/onsi/gomega"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
- "github.com/cert-manager/cert-manager/e2e-tests/framework"
- "github.com/cert-manager/cert-manager/e2e-tests/framework/addon"
- vaultaddon "github.com/cert-manager/cert-manager/e2e-tests/framework/addon/vault"
- "github.com/cert-manager/cert-manager/e2e-tests/util"
- cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
- cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
- "github.com/cert-manager/cert-manager/test/unit/gen"
-)
-
-var _ = framework.CertManagerDescribe("Vault Issuer CertificateRequest (AppRole with a custom mount path)", func() {
- runVaultCustomAppRoleTests(cmapi.IssuerKind)
-})
-
-var _ = framework.CertManagerDescribe("Vault ClusterIssuer CertificateRequest (AppRole with a custom mount path)", func() {
- runVaultCustomAppRoleTests(cmapi.ClusterIssuerKind)
-})
-
-func runVaultCustomAppRoleTests(issuerKind string) {
- f := framework.NewDefaultFramework("create-vault-certificaterequest")
- h := f.Helper()
-
- var (
- crDNSNames = []string{"dnsName1.co", "dnsName2.ninja"}
- crIPAddresses = []net.IP{
- []byte{8, 8, 8, 8},
- []byte{1, 1, 1, 1},
- }
- )
-
- certificateRequestName := "test-vault-certificaterequest"
- var vaultIssuerName string
-
- appRoleSecretGeneratorName := "vault-approle-secret-"
- var roleId, secretId string
- var vaultSecretName, vaultSecretNamespace string
-
- var setup *vaultaddon.VaultInitializer
-
- BeforeEach(func() {
- By("Configuring the Vault server")
-
- if issuerKind == cmapi.IssuerKind {
- vaultSecretNamespace = f.Namespace.Name
- } else {
- vaultSecretNamespace = f.Config.Addons.CertManager.ClusterResourceNamespace
- }
-
- setup = vaultaddon.NewVaultInitializerAppRole(
- addon.Base.Details().KubeClient,
- *addon.Vault.Details(),
- false,
- )
- Expect(setup.Init()).NotTo(HaveOccurred(), "failed to init vault")
- Expect(setup.Setup()).NotTo(HaveOccurred(), "failed to setup vault")
-
- var err error
- roleId, secretId, err = setup.CreateAppRole()
- Expect(err).NotTo(HaveOccurred())
-
- sec, err := f.KubeClientSet.CoreV1().Secrets(vaultSecretNamespace).Create(context.TODO(), vaultaddon.NewVaultAppRoleSecret(appRoleSecretGeneratorName, secretId), metav1.CreateOptions{})
- Expect(err).NotTo(HaveOccurred())
- vaultSecretName = sec.Name
- })
-
- JustAfterEach(func() {
- By("Cleaning up")
- Expect(setup.Clean()).NotTo(HaveOccurred())
-
- if issuerKind == cmapi.IssuerKind {
- f.CertManagerClientSet.CertmanagerV1().Issuers(f.Namespace.Name).Delete(context.TODO(), vaultIssuerName, metav1.DeleteOptions{})
- } else {
- f.CertManagerClientSet.CertmanagerV1().ClusterIssuers().Delete(context.TODO(), vaultIssuerName, metav1.DeleteOptions{})
- }
-
- f.KubeClientSet.CoreV1().Secrets(vaultSecretNamespace).Delete(context.TODO(), vaultSecretName, metav1.DeleteOptions{})
- })
-
- It("should generate a new valid certificate", func() {
- By("Creating an Issuer")
- vaultURL := addon.Vault.Details().URL
-
- crClient := f.CertManagerClientSet.CertmanagerV1().CertificateRequests(f.Namespace.Name)
-
- var err error
- if issuerKind == cmapi.IssuerKind {
- vaultIssuer := gen.IssuerWithRandomName("test-vault-issuer-",
- gen.SetIssuerNamespace(f.Namespace.Name),
- gen.SetIssuerVaultURL(vaultURL),
- gen.SetIssuerVaultPath(setup.IntermediateSignPath()),
- gen.SetIssuerVaultCABundle(addon.Vault.Details().VaultCA),
- gen.SetIssuerVaultAppRoleAuth("secretkey", vaultSecretName, roleId, setup.AppRoleAuthPath()))
- iss, err := f.CertManagerClientSet.CertmanagerV1().Issuers(f.Namespace.Name).Create(context.TODO(), vaultIssuer, metav1.CreateOptions{})
- Expect(err).NotTo(HaveOccurred())
-
- vaultIssuerName = iss.Name
- } else {
- vaultIssuer := gen.ClusterIssuerWithRandomName("test-vault-issuer-",
- gen.SetIssuerVaultURL(vaultURL),
- gen.SetIssuerVaultPath(setup.IntermediateSignPath()),
- gen.SetIssuerVaultCABundle(addon.Vault.Details().VaultCA),
- gen.SetIssuerVaultAppRoleAuth("secretkey", vaultSecretName, roleId, setup.AppRoleAuthPath()))
- iss, err := f.CertManagerClientSet.CertmanagerV1().ClusterIssuers().Create(context.TODO(), vaultIssuer, metav1.CreateOptions{})
- Expect(err).NotTo(HaveOccurred())
-
- vaultIssuerName = iss.Name
- }
-
- By("Waiting for Issuer to become Ready")
- if issuerKind == cmapi.IssuerKind {
- err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1().Issuers(f.Namespace.Name),
- vaultIssuerName,
- cmapi.IssuerCondition{
- Type: cmapi.IssuerConditionReady,
- Status: cmmeta.ConditionTrue,
- })
- } else {
- err = util.WaitForClusterIssuerCondition(f.CertManagerClientSet.CertmanagerV1().ClusterIssuers(),
- vaultIssuerName,
- cmapi.IssuerCondition{
- Type: cmapi.IssuerConditionReady,
- Status: cmmeta.ConditionTrue,
- })
- }
-
- Expect(err).NotTo(HaveOccurred())
-
- By("Creating a CertificateRequest")
- cr, key, err := util.NewCertManagerBasicCertificateRequest(certificateRequestName, vaultIssuerName,
- issuerKind, &metav1.Duration{
- Duration: time.Hour * 24 * 90,
- },
- crDNSNames, crIPAddresses, nil, x509.RSA)
- Expect(err).NotTo(HaveOccurred())
- _, err = crClient.Create(context.TODO(), cr, metav1.CreateOptions{})
- Expect(err).NotTo(HaveOccurred())
-
- err = h.WaitCertificateRequestIssuedValid(f.Namespace.Name, certificateRequestName, time.Minute*5, key)
- Expect(err).NotTo(HaveOccurred())
- })
-}