187 lines
6.5 KiB
Go
187 lines
6.5 KiB
Go
/*
|
|
Copyright 2019 The Jetstack cert-manager contributors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package certificate
|
|
|
|
import (
|
|
"path"
|
|
"time"
|
|
|
|
. "github.com/onsi/ginkgo"
|
|
. "github.com/onsi/gomega"
|
|
|
|
"github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
|
|
"github.com/jetstack/cert-manager/test/e2e/framework"
|
|
"github.com/jetstack/cert-manager/test/e2e/framework/addon/tiller"
|
|
vaultaddon "github.com/jetstack/cert-manager/test/e2e/framework/addon/vault"
|
|
"github.com/jetstack/cert-manager/test/e2e/util"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
)
|
|
|
|
var _ = framework.CertManagerDescribe("Vault Certificate (AppRole)", func() {
|
|
f := framework.NewDefaultFramework("create-vault-certificate")
|
|
|
|
var (
|
|
tiller = &tiller.Tiller{
|
|
Name: "tiller-deploy",
|
|
ClusterPermissions: false,
|
|
}
|
|
vault = &vaultaddon.Vault{
|
|
Tiller: tiller,
|
|
Name: "cm-e2e-create-vault-certificate",
|
|
}
|
|
)
|
|
|
|
BeforeEach(func() {
|
|
tiller.Namespace = f.Namespace.Name
|
|
vault.Namespace = f.Namespace.Name
|
|
})
|
|
|
|
f.RequireAddon(tiller)
|
|
f.RequireAddon(vault)
|
|
|
|
rootMount := "root-ca"
|
|
intermediateMount := "intermediate-ca"
|
|
role := "kubernetes-vault"
|
|
issuerName := "test-vault-issuer"
|
|
certificateName := "test-vault-certificate"
|
|
certificateSecretName := "test-vault-certificate"
|
|
vaultSecretAppRoleName := "vault-role"
|
|
vaultPath := path.Join(intermediateMount, "sign", role)
|
|
authPath := "approle"
|
|
var roleId string
|
|
var secretId string
|
|
var vaultInit *vaultaddon.VaultInitializer
|
|
|
|
BeforeEach(func() {
|
|
By("Configuring the Vault server")
|
|
vaultInit = &vaultaddon.VaultInitializer{
|
|
Details: *vault.Details(),
|
|
RootMount: rootMount,
|
|
IntermediateMount: intermediateMount,
|
|
Role: role,
|
|
AuthPath: authPath,
|
|
}
|
|
err := vaultInit.Init()
|
|
Expect(err).NotTo(HaveOccurred())
|
|
err = vaultInit.Setup()
|
|
Expect(err).NotTo(HaveOccurred())
|
|
roleId, secretId, err = vaultInit.CreateAppRole()
|
|
Expect(err).NotTo(HaveOccurred())
|
|
_, err = f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(vaultaddon.NewVaultAppRoleSecret(vaultSecretAppRoleName, secretId))
|
|
Expect(err).NotTo(HaveOccurred())
|
|
})
|
|
|
|
AfterEach(func() {
|
|
By("Cleaning up")
|
|
f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name).Delete(issuerName, nil)
|
|
f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Delete(vaultSecretAppRoleName, nil)
|
|
})
|
|
|
|
It("should generate a new valid certificate", func() {
|
|
By("Creating an Issuer")
|
|
vaultURL := vault.Details().Host
|
|
|
|
certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
|
|
secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
|
|
|
|
_, err := f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vaultURL, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
|
|
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
By("Waiting for Issuer to become Ready")
|
|
err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name),
|
|
issuerName,
|
|
v1alpha1.IssuerCondition{
|
|
Type: v1alpha1.IssuerConditionReady,
|
|
Status: v1alpha1.ConditionTrue,
|
|
})
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
By("Creating a Certificate")
|
|
_, err = certClient.Create(util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, nil, nil))
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
})
|
|
|
|
cases := []struct {
|
|
inputDuration *metav1.Duration
|
|
inputRenewBefore *metav1.Duration
|
|
expectedDuration time.Duration
|
|
label string
|
|
event string
|
|
}{
|
|
{
|
|
inputDuration: &metav1.Duration{time.Hour * 24 * 35},
|
|
inputRenewBefore: nil,
|
|
expectedDuration: time.Hour * 24 * 35,
|
|
label: "valid for 35 days",
|
|
},
|
|
{
|
|
inputDuration: nil,
|
|
inputRenewBefore: nil,
|
|
expectedDuration: time.Hour * 24 * 90,
|
|
label: "valid for the default value (90 days)",
|
|
},
|
|
{
|
|
inputDuration: &metav1.Duration{time.Hour * 24 * 365},
|
|
inputRenewBefore: nil,
|
|
expectedDuration: time.Hour * 24 * 90,
|
|
label: "with Vault configured maximum TTL duration (90 days) when requested duration is greater than TTL",
|
|
},
|
|
{
|
|
inputDuration: &metav1.Duration{time.Hour * 24 * 240},
|
|
inputRenewBefore: &metav1.Duration{time.Hour * 24 * 120},
|
|
expectedDuration: time.Hour * 24 * 90,
|
|
label: "with a warning event when renewBefore is bigger than the duration",
|
|
},
|
|
}
|
|
|
|
for _, v := range cases {
|
|
v := v
|
|
It("should generate a new certificate "+v.label, func() {
|
|
By("Creating an Issuer")
|
|
certClient := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name)
|
|
secretClient := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name)
|
|
|
|
_, err := f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name).Create(util.NewCertManagerVaultIssuerAppRole(issuerName, vault.Details().Host, vaultPath, roleId, vaultSecretAppRoleName, authPath, vault.Details().VaultCA))
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
By("Waiting for Issuer to become Ready")
|
|
err = util.WaitForIssuerCondition(f.CertManagerClientSet.CertmanagerV1alpha1().Issuers(f.Namespace.Name),
|
|
issuerName,
|
|
v1alpha1.IssuerCondition{
|
|
Type: v1alpha1.IssuerConditionReady,
|
|
Status: v1alpha1.ConditionTrue,
|
|
})
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
By("Creating a Certificate")
|
|
cert, err := f.CertManagerClientSet.CertmanagerV1alpha1().Certificates(f.Namespace.Name).Create(util.NewCertManagerVaultCertificate(certificateName, certificateSecretName, issuerName, v1alpha1.IssuerKind, v.inputDuration, v.inputRenewBefore))
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
err = util.WaitCertificateIssuedValid(certClient, secretClient, certificateName, time.Minute*5)
|
|
Expect(err).NotTo(HaveOccurred())
|
|
|
|
// Vault substract 30 seconds to the NotBefore date.
|
|
f.CertificateDurationValid(cert, v.expectedDuration+(30*time.Second))
|
|
})
|
|
}
|
|
})
|