Adding cert-manager test (#1844)

minio · Nov 2, 2023 · fc3d3f4 · fc3d3f4
1 parent 50b2f3b
commit fc3d3f4
Show file tree

Hide file tree

Showing 4 changed files with 101 additions and 1 deletion.
diff --git a/.github/workflows/kubernetes-tests.yml b/.github/workflows/kubernetes-tests.yml
@@ -199,7 +199,29 @@ jobs:
       - name: Tenant KES
         run: |
           "${GITHUB_WORKSPACE}/testing/console-tenant+kes.sh"
-
+  test-cert-manager:
+    timeout-minutes: 30
+    runs-on: ${{ matrix.os }}
+    needs:
+      - operator
+    strategy:
+      matrix:
+        go-version: [ 1.21.x ]
+        os: [ ubuntu-latest ]
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+        with:
+          go-version: ${{ matrix.go-version }}
+      - uses: actions/cache@v3
+        name: Operator Binary Cache
+        with:
+          path: |
+            ./minio-operator
+          key: ${{ runner.os }}-binary-${{ github.run_id }}
+      - name: Deploy Tenant with cert-manager
+        run: |
+          "${GITHUB_WORKSPACE}/testing/deploy-cert-manager-tenant.sh"
   test-policy-binding:
     timeout-minutes: 30
     runs-on: ${{ matrix.os }}

diff --git a/shared-functions/shared-code.sh b/shared-functions/shared-code.sh
@@ -59,6 +59,7 @@ function wait_for_resource_field_selector() {
   fi
 
   echo "Waiting for $resourcetype \"$fieldselector\" for \"$condition\" ($timeout timeout)"
+  echo "namespace: ${namespace}"
   kubectl wait -n "$namespace" "$resourcetype" \
     --for=$condition \
     --field-selector $fieldselector \

diff --git a/testing/common.sh b/testing/common.sh
@@ -56,6 +56,17 @@ function setup_kind() {
   try kubectl get nodes
 }
 
+# Function Intended to Test cert-manager for Tenant's certificate.
+function install_cert_manager() {
+    # https://cert-manager.io/docs/installation/
+    try kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml
+
+    echo "Wait until cert-manager pods are running:"
+    try kubectl wait -n cert-manager --for=condition=ready pod -l app=cert-manager --timeout=120s
+    try kubectl wait -n cert-manager --for=condition=ready pod -l app=cainjector --timeout=120s
+    try kubectl wait -n cert-manager --for=condition=ready pod -l app=webhook --timeout=120s
+}
+
 function install_operator() {
 
   # To compile current branch
@@ -244,6 +255,31 @@ function check_tenant_status() {
   echo "Done."
 }
 
+# To install tenant with cert-manager from our example provided.
+function install_cert_manager_tenant() {
+
+    echo "Install cert-manager tenant from our example:"
+    try kubectl apply -k github.com/minio/operator/examples/kustomization/tenant-certmanager
+
+    echo "Wait until tenant-certmanager-tls secret is generated by cert-manager..."
+    while ! kubectl get secret tenant-certmanager-tls --namespace tenant-certmanager
+    do
+      echo "Waiting for my secret. Current secrets are:"
+      kubectl get secrets -n tenant-certmanager
+      sleep 1
+    done
+
+    # https://github.com/minio/operator/blob/master/docs/cert-manager.md
+    echo "# Pass the CA cert to our Operator to trust the tenant:"
+    echo "## First get the CA from cert-manager secret..."
+    try kubectl get secrets -n tenant-certmanager tenant-certmanager-tls -o=jsonpath='{.data.ca\.crt}' | base64 -d > public.crt
+    echo "## Then create the secret in operator's namespace..."
+    try kubectl create secret generic operator-ca-tls --from-file=public.crt -n minio-operator
+    echo "## Finally restart minio operator pods to catch up and trust tenant..."
+    try kubectl rollout restart deployment.apps/minio-operator -n minio-operator
+
+}
+
 # Install tenant function is being used by deploy-tenant and check-prometheus
 function install_tenant() {
   # Check if we are going to install helm, latest in this branch or a particular version

diff --git a/testing/deploy-cert-manager-tenant.sh b/testing/deploy-cert-manager-tenant.sh
@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+# Copyright (C) 2023, MinIO, Inc.
+#
+# This code is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License, version 3,
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License, version 3,
+# along with this program.  If not, see <http://www.gnu.org/licenses/>
+
+# This script requires: kubectl, kind
+
+SCRIPT_DIR=$(dirname "$0")
+export SCRIPT_DIR
+
+source "${SCRIPT_DIR}/common.sh"
+
+# This test is intended to validate the creation of certificates for the tenant
+# through cert-manager and ensure that our Operator can trust the tenant using this certificate.
+function main() {
+    destroy_kind
+
+    setup_kind
+
+    install_cert_manager
+
+    install_operator
+
+    install_cert_manager_tenant
+
+    check_tenant_status tenant-certmanager myminio
+
+    destroy_kind
+}
+
+main "$@"