From a9c55ba3b3dcbc14db3ac8f93882665097166637 Mon Sep 17 00:00:00 2001
From: Tim Ramlot <42113979+inteon@users.noreply.github.com>
Date: Mon, 26 Jun 2023 14:52:43 +0200
Subject: [PATCH] enable more conformance tests

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
---
 .../validation/certificates/certificates.go | 17 ++++++++
 .../certificatesigningrequests.go | 10 +----
 go.mod | 8 ++--
 .../testsetups/simple/controller/signer.go | 3 +-
 .../simple/e2e/conformance/conformance.go | 41 ++++---------------
 make/e2e-setup.mk | 3 +-
 6 files changed, 31 insertions(+), 51 deletions(-)

diff --git a/conformance/framework/helper/validation/certificates/certificates.go b/conformance/framework/helper/validation/certificates/certificates.go
index d039fac..e97c658 100644
--- a/conformance/framework/helper/validation/certificates/certificates.go
+++ b/conformance/framework/helper/validation/certificates/certificates.go
@@ -114,6 +114,23 @@ func ExpectCertificateOrganizationToMatch(certificate *cmapi.Certificate, secret
 }
 expectedOrganization := pki.OrganizationForCertificate(certificate)
 
+ if certificate.Spec.LiteralSubject != "" {
+ sequence, err := pki.UnmarshalSubjectStringToRDNSequence(certificate.Spec.LiteralSubject)
+ if err != nil {
+ return err
+ }
+
+ for _, rdns := range sequence {
+ for _, atv := range rdns {
+ if atv.Type.Equal(pki.OIDConstants.Organization) {
+ if str, ok := atv.Value.(string); ok {
+ expectedOrganization = append(expectedOrganization, str)
+ }
+ }
+ }
+ }
+ }
+
 if !util.EqualUnsorted(cert.Subject.Organization, expectedOrganization) {
 return fmt.Errorf("Expected certificate valid for O %v, but got a certificate valid for O %v", expectedOrganization, cert.Subject.Organization)
 }
diff --git a/conformance/framework/helper/validation/certificatesigningrequests/certificatesigningrequests.go b/conformance/framework/helper/validation/certificatesigningrequests/certificatesigningrequests.go
index a49ce0d..0153cd2 100644
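Review bot: The error from `pki.UnmarshalSubjectStringToRDNSequence` is returned bare, so a failing check reports only the parser's message with no hint that it came from validating `spec.literalSubject`; wrap it as `return fmt.Errorf("parsing spec.literalSubject %q: %w", certificate.Spec.LiteralSubject, err)` (fmt is already used a few lines down). The new loop appends the literal-subject organizations onto whatever `pki.OrganizationForCertificate` already returned, so if the API ever allows `spec.subject.organizations` and `spec.literalSubject` to be set together the expected set becomes their union, which no issuer would produce; a short comment stating that the two fields are assumed mutually exclusive would make that dependency explicit. The `atv.Value.(string)` assertion silently drops non-string values, presumably because every value from the RDN parser is a string, and that assumption deserves a one-line comment too. ExpectCertificateOrganizationToMatch starts before this hunk.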
--- a/conformance/framework/helper/validation/certificatesigningrequests/certificatesigningrequests.go +++ b/conformance/framework/helper/validation/certificatesigningrequests/certificatesigningrequests.go @@ -323,21 +323,13 @@ func ExpectValidBasicConstraints(csr *certificatesv1.CertificateSigningRequest, return err } - markedIsCA := false - if csr.Annotations[experimentalapi.CertificateSigningRequestIsCAAnnotationKey] == "true" { - markedIsCA = true - } + markedIsCA := csr.Annotations[experimentalapi.CertificateSigningRequestIsCAAnnotationKey] == "true" if cert.IsCA != markedIsCA { return fmt.Errorf("requested certificate does not match expected IsCA, exp=%t got=%t", markedIsCA, cert.IsCA) } - hasCertSign := (cert.KeyUsage & x509.KeyUsageCertSign) == x509.KeyUsageCertSign - if hasCertSign != markedIsCA { - return fmt.Errorf("Expected certificate to have KeyUsageCertSign=%t, but got=%t", markedIsCA, hasCertSign) - } - return nil } diff --git a/go.mod b/go.mod index d33f1d9..5a81318 100644 --- a/go.mod +++ b/go.mod @@ -15,11 +15,12 @@ require ( k8s.io/apiextensions-apiserver v0.27.3 k8s.io/apimachinery v0.27.3 k8s.io/client-go v0.27.3 + k8s.io/component-base v0.27.3 k8s.io/klog/v2 v2.100.1 - k8s.io/kube-aggregator v0.27.1 + k8s.io/kube-aggregator v0.27.2 k8s.io/utils v0.0.0-20230505201702-9f6742963106 sigs.k8s.io/controller-runtime v0.15.0 - sigs.k8s.io/gateway-api v0.6.2 + sigs.k8s.io/gateway-api v0.7.0 ) require ( @@ -82,10 +83,7 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/component-base v0.27.3 // indirect - k8s.io/kube-aggregator v0.27.2 // indirect k8s.io/kube-openapi v0.0.0-20230515203736-54b630e78af5 // indirect - sigs.k8s.io/gateway-api v0.7.0 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect sigs.k8s.io/yaml v1.3.0 // indirect 
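Review bot: Dropping the `hasCertSign` comparison leaves ExpectValidBasicConstraints with no assertion that a certificate issued for a CSR not marked as a CA lacks `x509.KeyUsageCertSign`, even though RFC 5280 §4.2.1.3 only permits keyCertSign when the cA basic constraint is also asserted. The signer.go hunk in this same commit sets `x509.KeyUsageCertSign` unconditionally on every issued certificate, so the suite would now accept a leaf certificate carrying the cert-signing bit, which is the misissuance this helper existed to catch; presumably Sign sets `IsCA` from the request somewhere outside that hunk, and gating the CertSign bit on the same condition would let the check stay. If the full two-way comparison is too strict for issuers that honour requested usages, keep at least the one-way check: `if !markedIsCA && cert.KeyUsage&x509.KeyUsageCertSign != 0 { return fmt.Errorf("certificate for a non-CA request must not have KeyUsageCertSign") }`. ExpectValidBasicConstraints starts before this hunk.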
diff --git a/internal/testsetups/simple/controller/signer.go b/internal/testsetups/simple/controller/signer.go
index f93ca5e..b4d43d8 100644
--- a/internal/testsetups/simple/controller/signer.go
+++ b/internal/testsetups/simple/controller/signer.go
@@ -82,8 +82,7 @@ func (Signer) Sign(ctx context.Context, cr signer.CertificateRequestObject, issu
 NotBefore: time.Now(),
 NotAfter: time.Now().Add(time.Hour * 24 * 180),
 
- KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
- ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+ KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 
 BasicConstraintsValid: true,
 }
diff --git a/internal/testsetups/simple/e2e/conformance/conformance.go b/internal/testsetups/simple/e2e/conformance/conformance.go
index 9cfe031..bb1d351 100644
--- a/internal/testsetups/simple/e2e/conformance/conformance.go
+++ b/internal/testsetups/simple/e2e/conformance/conformance.go
@@ -26,12 +26,7 @@ var _ = framework.ConformanceDescribe("Certificates", func() {
 kubeClients := testresource.KubeClients(t, ctx)
 
 unsupportedFeatures := featureset.NewFeatureSet(
- featureset.DurationFeature,
- featureset.KeyUsagesFeature,
 featureset.SaveCAToSecret,
- featureset.Ed25519FeatureSet,
- featureset.IssueCAFeature,
- featureset.LiteralSubjectFeature,
 )
 
 issuerBuilder := newIssuerBuilder("SimpleIssuer")
@@ -59,12 +54,7 @@ var _ = framework.ConformanceDescribe("CertificateSigningRequests", func() {
 kubeClients := testresource.KubeClients(t, ctx)
 
 unsupportedFeatures := featureset.NewFeatureSet(
- featureset.DurationFeature,
- featureset.KeyUsagesFeature,
 featureset.SaveCAToSecret,
- featureset.Ed25519FeatureSet,
- featureset.IssueCAFeature,
- featureset.LiteralSubjectFeature,
 )
 
 clusterIssuerBuilder := newIssuerBuilder("SimpleClusterIssuer")
@@ -87,35 +77,18 @@ var _ = framework.ConformanceDescribe("CertificateSigningRequests", func() {
 }).Define()
 })
 
+/*
 var _ = framework.ConformanceDescribe("RBAC", func() {
 t := &mockTest{}
 ctx := testresource.EnsureTestDependencies(t, context.TODO(), testresource.EndToEndTest)
 kubeClients := testresource.KubeClients(t, ctx)
 
- unsupportedFeatures := featureset.NewFeatureSet(
- featureset.DurationFeature,
- featureset.KeyUsagesFeature,
- featureset.SaveCAToSecret,
- featureset.Ed25519FeatureSet,
- featureset.IssueCAFeature,
- featureset.LiteralSubjectFeature,
- )
+ kubeConfig := rest.CopyConfig(kubeClients.Rest)
+ kubeConfig.Impersonate.UserName = "system:serviceaccount:my-namespace:simple-issuer-controller-manager"
+ kubeConfig.Impersonate.Groups = []string{"system:authenticated"}
 
- issuerBuilder := newIssuerBuilder("SimpleIssuer")
- (&certificates.Suite{
- KubeClientConfig: kubeClients.Rest,
- Name: "External Issuer",
- CreateIssuerFunc: issuerBuilder.create,
- DeleteIssuerFunc: issuerBuilder.delete,
- UnsupportedFeatures: unsupportedFeatures,
- }).Define()
-
- clusterIssuerBuilder := newIssuerBuilder("SimpleClusterIssuer")
- (&certificates.Suite{
- KubeClientConfig: kubeClients.Rest,
- Name: "External ClusterIssuer",
- CreateIssuerFunc: clusterIssuerBuilder.create,
- DeleteIssuerFunc: clusterIssuerBuilder.delete,
- UnsupportedFeatures: unsupportedFeatures,
+ (&rbac.Suite{
+ KubeClientConfig: kubeConfig,
 }).Define()
 })
+*/
diff --git a/make/e2e-setup.mk b/make/e2e-setup.mk
index 3089cbd..43cd120 100644
--- a/make/e2e-setup.mk
+++ b/make/e2e-setup.mk
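Review bot: The RBAC suite is committed inside a `/* ... */` block with nothing saying why it is disabled or what would re-enable it, leaving dead code that will silently drift from the `rbac.Suite` API; either delete it or put a line such as `// TODO: re-enable once <reason> is resolved` above the `/*` with the reason filled in. If the `rest` and `rbac` imports are used nowhere else in the file, the comment-out also leaves them unused and the package will not compile, which cannot be confirmed from this hunk. When the suite is re-enabled, impersonating a service account with only `"system:authenticated"` under-approximates the groups a real service-account token carries, which also include `system:serviceaccounts` and `system:serviceaccounts:my-namespace`, so bindings granted to those groups would go unexercised; `kubeConfig.Impersonate.Groups = []string{"system:serviceaccounts", "system:serviceaccounts:my-namespace", "system:authenticated"}` matches the real token more closely.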
@@ -78,7 +78,8 @@ e2e-setup-cert-manager: | kind-cluster images $(NEEDS_HELM) $(NEEDS_KUBECTL)
 --namespace cert-manager \
 --repo https://charts.jetstack.io \
 --set installCRDs=true \
- --set featureGates=ServerSideApply=true \
+ --set featureGates="ServerSideApply=true\,LiteralCertificateSubject=true" \
+ --set webhook.featureGates="ServerSideApply=true\,LiteralCertificateSubject=true" \
 --set image.repository=$(quay.io/jetstack/cert-manager-controller.REPO) \
 --set image.tag=$(quay.io/jetstack/cert-manager-controller.TAG) \
 --set image.pullPolicy=Never \
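Review bot: The feature-gate list is now spelled out twice, once for `featureGates` and once for `webhook.featureGates`, so the next gate added to one is easy to miss on the other and the controller and webhook would disagree on which API fields are accepted. Hoisting it into one make variable keeps the two in sync: `E2E_CM_FEATURE_GATES := ServerSideApply=true\,LiteralCertificateSubject=true` (a constructed name) and then `--set featureGates="$(E2E_CM_FEATURE_GATES)" \` and `--set webhook.featureGates="$(E2E_CM_FEATURE_GATES)" \`. The e2e-setup-cert-manager recipe starts and ends outside the hunk.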