enable more conformance tests
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
inteon committed Jun 26, 2023
1 parent 1376db3 commit a9c55ba
Showing 6 changed files with 31 additions and 51 deletions.
Expand Up @@ -114,6 +114,23 @@ func ExpectCertificateOrganizationToMatch(certificate *cmapi.Certificate, secret
}

expectedOrganization := pki.OrganizationForCertificate(certificate)
if certificate.Spec.LiteralSubject != "" {
sequence, err := pki.UnmarshalSubjectStringToRDNSequence(certificate.Spec.LiteralSubject)
if err != nil {
return err
}

for _, rdns := range sequence {
for _, atv := range rdns {
if atv.Type.Equal(pki.OIDConstants.Organization) {
if str, ok := atv.Value.(string); ok {
expectedOrganization = append(expectedOrganization, str)
}
}
}
}
}

if !util.EqualUnsorted(cert.Subject.Organization, expectedOrganization) {
return fmt.Errorf("Expected certificate valid for O %v, but got a certificate valid for O %v", expectedOrganization, cert.Subject.Organization)
}
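Review bot: In the added loop, an Organization attribute whose value is not a Go string is skipped silently by `if str, ok := atv.Value.(string); ok`, so the expected list can end up shorter than what the literal subject requests and the comparison below then runs against an incomplete expectation. For a conformance check it is safer to fail on that case, for example with `return fmt.Errorf("literal subject: O attribute has non-string value of type %T", atv.Value)` in an else branch. The bare `return err` after `UnmarshalSubjectStringToRDNSequence` would also be easier to diagnose as `return fmt.Errorf("parsing literal subject: %w", err)`. ExpectCertificateOrganizationToMatch starts and ends outside the hunk.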
Expand Up @@ -323,21 +323,13 @@ func ExpectValidBasicConstraints(csr *certificatesv1.CertificateSigningRequest,
return err
}

markedIsCA := false
if csr.Annotations[experimentalapi.CertificateSigningRequestIsCAAnnotationKey] == "true" {
markedIsCA = true
}
markedIsCA := csr.Annotations[experimentalapi.CertificateSigningRequestIsCAAnnotationKey] == "true"

if cert.IsCA != markedIsCA {
return fmt.Errorf("requested certificate does not match expected IsCA, exp=%t got=%t",
markedIsCA, cert.IsCA)
}

hasCertSign := (cert.KeyUsage & x509.KeyUsageCertSign) == x509.KeyUsageCertSign
if hasCertSign != markedIsCA {
return fmt.Errorf("Expected certificate to have KeyUsageCertSign=%t, but got=%t", markedIsCA, hasCertSign)
}

return nil
}
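Review bot: With the `hasCertSign` comparison gone, ExpectValidBasicConstraints only compares `cert.IsCA` with the annotation, so a leaf certificate that asserts keyCertSign now passes conformance (this reads the `hasCertSign` lines as the removed side; the rendered page has lost its +/- markers). RFC 5280 does not allow keyCertSign without the cA flag, and the signer.go section of the same commit appears to set `x509.KeyUsageCertSign` on every certificate, which is presumably why the check had to go. I would keep a guard here, `if hasCertSign && !cert.IsCA { return fmt.Errorf("certificate asserts KeyUsageCertSign but IsCA is false") }`, and have the test signer add the bit only for CA requests. The function starts outside the hunk.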

8 changes: 3 additions & 5 deletions go.mod
Expand Up @@ -15,11 +15,12 @@ require (
k8s.io/apiextensions-apiserver v0.27.3
k8s.io/apimachinery v0.27.3
k8s.io/client-go v0.27.3
k8s.io/component-base v0.27.3
k8s.io/klog/v2 v2.100.1
k8s.io/kube-aggregator v0.27.1
k8s.io/kube-aggregator v0.27.2
k8s.io/utils v0.0.0-20230505201702-9f6742963106
sigs.k8s.io/controller-runtime v0.15.0
sigs.k8s.io/gateway-api v0.6.2
sigs.k8s.io/gateway-api v0.7.0
)

require (
Expand Down Expand Up @@ -82,10 +83,7 @@ require (
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/component-base v0.27.3 // indirect
k8s.io/kube-aggregator v0.27.2 // indirect
k8s.io/kube-openapi v0.0.0-20230515203736-54b630e78af5 // indirect
sigs.k8s.io/gateway-api v0.7.0 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
sigs.k8s.io/yaml v1.3.0 // indirect
3 changes: 1 addition & 2 deletions internal/testsetups/simple/controller/signer.go
Expand Up @@ -82,8 +82,7 @@ func (Signer) Sign(ctx context.Context, cr signer.CertificateRequestObject, issu
NotBefore: time.Now(),
NotAfter: time.Now().Add(time.Hour * 24 * 180),

KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
}
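Review bot: The certificate template no longer sets `ExtKeyUsage`, so certificates from this signer carry no extended-key-usage restriction, assuming the `ExtKeyUsage` line is on the removed side (the +/- markers are missing on this page). Since the signer lives under testsetups that may be exactly what the conformance suite needs, but the template should say so, for example `// Test-only template: no ExtKeyUsage restriction and fixed KeyUsage bits.` The template literal and Sign itself start and end outside the hunk.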

41 changes: 7 additions & 34 deletions internal/testsetups/simple/e2e/conformance/conformance.go
Expand Up @@ -26,12 +26,7 @@ var _ = framework.ConformanceDescribe("Certificates", func() {
kubeClients := testresource.KubeClients(t, ctx)

unsupportedFeatures := featureset.NewFeatureSet(
featureset.DurationFeature,
featureset.KeyUsagesFeature,
featureset.SaveCAToSecret,
featureset.Ed25519FeatureSet,
featureset.IssueCAFeature,
featureset.LiteralSubjectFeature,
)

issuerBuilder := newIssuerBuilder("SimpleIssuer")
Expand Down Expand Up @@ -59,12 +54,7 @@ var _ = framework.ConformanceDescribe("CertificateSigningRequests", func() {
kubeClients := testresource.KubeClients(t, ctx)

unsupportedFeatures := featureset.NewFeatureSet(
featureset.DurationFeature,
featureset.KeyUsagesFeature,
featureset.SaveCAToSecret,
featureset.Ed25519FeatureSet,
featureset.IssueCAFeature,
featureset.LiteralSubjectFeature,
)

clusterIssuerBuilder := newIssuerBuilder("SimpleClusterIssuer")
Expand All @@ -87,35 +77,18 @@ var _ = framework.ConformanceDescribe("CertificateSigningRequests", func() {
}).Define()
})

/*
var _ = framework.ConformanceDescribe("RBAC", func() {
t := &mockTest{}
ctx := testresource.EnsureTestDependencies(t, context.TODO(), testresource.EndToEndTest)
kubeClients := testresource.KubeClients(t, ctx)
unsupportedFeatures := featureset.NewFeatureSet(
featureset.DurationFeature,
featureset.KeyUsagesFeature,
featureset.SaveCAToSecret,
featureset.Ed25519FeatureSet,
featureset.IssueCAFeature,
featureset.LiteralSubjectFeature,
)
kubeConfig := rest.CopyConfig(kubeClients.Rest)
kubeConfig.Impersonate.UserName = "system:serviceaccount:my-namespace:simple-issuer-controller-manager"
kubeConfig.Impersonate.Groups = []string{"system:authenticated"}
issuerBuilder := newIssuerBuilder("SimpleIssuer")
(&certificates.Suite{
KubeClientConfig: kubeClients.Rest,
Name: "External Issuer",
CreateIssuerFunc: issuerBuilder.create,
DeleteIssuerFunc: issuerBuilder.delete,
UnsupportedFeatures: unsupportedFeatures,
}).Define()

clusterIssuerBuilder := newIssuerBuilder("SimpleClusterIssuer")
(&certificates.Suite{
KubeClientConfig: kubeClients.Rest,
Name: "External ClusterIssuer",
CreateIssuerFunc: clusterIssuerBuilder.create,
DeleteIssuerFunc: clusterIssuerBuilder.delete,
UnsupportedFeatures: unsupportedFeatures,
(&rbac.Suite{
KubeClientConfig: kubeConfig,
}).Define()
})
*/
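Review bot: The RBAC suite impersonates a hard-coded identity, `system:serviceaccount:my-namespace:simple-issuer-controller-manager`, with only the `system:authenticated` group, and nothing in this section ties that string to the ServiceAccount the e2e setup actually deploys. If the namespace or account name drifts, the suite would exercise the permissions of an identity with no bindings instead of the controller's. A real service-account token also carries `system:serviceaccounts` and `system:serviceaccounts:<namespace>`, so adding those groups would make the impersonated identity match what the API server sees. I would lift the user name into a named constant with a comment such as `// must match the controller ServiceAccount installed by the e2e setup`.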
3 changes: 2 additions & 1 deletion make/e2e-setup.mk
Expand Up @@ -78,7 +78,8 @@ e2e-setup-cert-manager: | kind-cluster images $(NEEDS_HELM) $(NEEDS_KUBECTL)
--namespace cert-manager \
--repo https://charts.jetstack.io \
--set installCRDs=true \
--set featureGates=ServerSideApply=true \
--set featureGates="ServerSideApply=true\,LiteralCertificateSubject=true" \
--set webhook.featureGates="ServerSideApply=true\,LiteralCertificateSubject=true" \
--set image.repository=$(quay.io/jetstack/cert-manager-controller.REPO) \
--set image.tag=$(quay.io/jetstack/cert-manager-controller.TAG) \
--set image.pullPolicy=Never \
