138 lines
5.3 KiB
Go
138 lines
5.3 KiB
Go
package certificate
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
. "github.com/onsi/ginkgo"
|
|
. "github.com/onsi/gomega"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
|
|
"github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
|
|
"github.com/jetstack/cert-manager/test/e2e/framework"
|
|
"github.com/jetstack/cert-manager/test/util"
|
|
"github.com/jetstack/cert-manager/test/util/vault"
|
|
)
|
|
|
|
var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() {
|
|
f := framework.NewDefaultFramework("create-vault-certificate")
|
|
|
|
rootMount := "root-ca"
|
|
intermediateMount := "intermediate-ca"
|
|
role := "kubernetes-vault"
|
|
issuerName := "test-vault-issuer"
|
|
certificateName := "test-vault-certificate"
|
|
certificateSecretName := "test-vault-certificate"
|
|
vaultSecretAppRoleName := "vault-role"
|
|
vaultPath := fmt.Sprintf("%s/sign/%s", intermediateMount, role)
|
|
var vaultInit *vault.VaultInitializer
|
|
var roleId string
|
|
var secretId string
|
|
|
|
BeforeEach(func() {
|
|
By("Configuring the Vault server")
|
|
podList, err := f.KubeClientSet.CoreV1().Pods("vault").List(metav1.ListOptions{})
|
|
Expect(err).NotTo(HaveOccurred())
|
|
vaultPodName := podList.Items[0].Name
|
|
vaultInit, err = vault.NewVaultInitializer(vaultPodName, rootMount, intermediateMount, role, "")
|
|
Expect(err).NotTo(HaveOccurred())
|
|
err = vaultInit.Setup()
|
|
Expect(err).NotTo(HaveOccurred())
|
|
roleId, secretId, err = vaultInit.CreateAppRole()
|
|
Expect(err).NotTo(HaveOccurred())
|
|
_, err = f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(vault.NewVaultAppRoleSecret(vaultSecretAppRoleName, secretId))
|
|
Expect(err).NotTo(HaveOccurred())
|
|
})
|
|
|
|
AfterEach(func() {
|
|
By("Cleaning up")
|
|
f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name).Delete(issuerName, nil)
|
|
f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Delete(vaultSecretAppRoleName, nil)
|
|
vaultInit.CleanAppRole()
|
|
vaultInit.Clean()
|
|
})
|
|
|
|
vaultURL := "http://vault.vault:8200"
|
|
It("should generate a new valid certificate", func() {
|
|
By("Creating an Issuer")
|
|
_, err := f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, ""))
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
By("Waiting for Issuer to become Ready")
|
|
err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name),
|
|
issuerName,
|
|
v1alpha1.IssuerCondition{
|
|
Type: v1alpha1.IssuerConditionReady,
|
|
Status: v1alpha1.ConditionTrue,
|
|
})
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
By("Creating a Certificate")
|
|
cert, err := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name).Create(util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind))
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
f.WaitCertificateIssuedValid(cert)
|
|
})
|
|
})
|
|
|
|
var _ = framework.CertManagerDescribe("Vault Certificate (AppRole with a custom mount path)", func() {
|
|
f := framework.NewDefaultFramework("create-vault-certificate")
|
|
|
|
rootMount := "root-ca"
|
|
intermediateMount := "intermediate-ca"
|
|
roleMount := "custom/path"
|
|
role := "kubernetes-vault"
|
|
issuerName := "test-vault-issuer"
|
|
certificateName := "test-vault-certificate"
|
|
certificateSecretName := "test-vault-certificate"
|
|
vaultSecretAppRoleName := "vault-role"
|
|
vaultPath := fmt.Sprintf("%s/sign/%s", intermediateMount, role)
|
|
var vaultInit *vault.VaultInitializer
|
|
var roleId string
|
|
var secretId string
|
|
|
|
BeforeEach(func() {
|
|
By("Configuring the Vault server")
|
|
podList, err := f.KubeClientSet.CoreV1().Pods("vault").List(metav1.ListOptions{})
|
|
Expect(err).NotTo(HaveOccurred())
|
|
vaultPodName := podList.Items[0].Name
|
|
vaultInit, err = vault.NewVaultInitializer(vaultPodName, rootMount, intermediateMount, role, roleMount)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
err = vaultInit.Setup()
|
|
Expect(err).NotTo(HaveOccurred())
|
|
roleId, secretId, err = vaultInit.CreateAppRole()
|
|
Expect(err).NotTo(HaveOccurred())
|
|
_, err = f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(vault.NewVaultAppRoleSecret(vaultSecretAppRoleName, secretId))
|
|
Expect(err).NotTo(HaveOccurred())
|
|
})
|
|
|
|
AfterEach(func() {
|
|
By("Cleaning up")
|
|
f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name).Delete(issuerName, nil)
|
|
f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Delete(vaultSecretAppRoleName, nil)
|
|
vaultInit.CleanAppRole()
|
|
vaultInit.Clean()
|
|
})
|
|
|
|
vaultURL := "http://vault.vault:8200"
|
|
It("should generate a new valid certificate", func() {
|
|
By("Creating an Issuer")
|
|
_, err := f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, roleMount))
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
By("Waiting for Issuer to become Ready")
|
|
err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name),
|
|
issuerName,
|
|
v1alpha1.IssuerCondition{
|
|
Type: v1alpha1.IssuerConditionReady,
|
|
Status: v1alpha1.ConditionTrue,
|
|
})
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
By("Creating a Certificate")
|
|
cert, err := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name).Create(util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind))
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
f.WaitCertificateIssuedValid(cert)
|
|
})
|
|
})
|