From 06920e9c342fe57f1dcd4807ca5ce88a1fc77088 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Fri, 15 Mar 2024 10:50:12 +0100 Subject: [PATCH 1/3] First implementation --- rust/operator-binary/src/format/convert.rs | 55 +++++++++++++++---- rust/operator-binary/src/format/well_known.rs | 20 +++++++ 2 files changed, 63 insertions(+), 12 deletions(-) diff --git a/rust/operator-binary/src/format/convert.rs b/rust/operator-binary/src/format/convert.rs index 2679b7d9..b9bb557b 100644 --- a/rust/operator-binary/src/format/convert.rs +++ b/rust/operator-binary/src/format/convert.rs @@ -10,7 +10,7 @@ use snafu::{OptionExt, ResultExt, Snafu}; use crate::format::utils::split_pem_certificates; use super::{ - well_known::{CompatibilityOptions, TlsPem, TlsPkcs12}, + well_known::{CompatibilityOptions, TlsCaPem, TlsPem, TlsPkcs12, TlsPkcs12Truststore}, SecretFormat, WellKnownSecretData, }; @@ -29,6 +29,35 @@ pub fn convert( compat.tls_pkcs12_password.as_deref().unwrap_or_default(), )?)) } + (WellKnownSecretData::TlsPem(pem), SecretFormat::TlsCaPem) => { + Ok(WellKnownSecretData::TlsCaPem(TlsCaPem { + ca_pem: pem.ca_pem, + })) + } + (WellKnownSecretData::TlsPem(pem), SecretFormat::TlsPkcs12Truststore) => { + let ca_stack = ca_pem_to_ca_stack(&pem.ca_pem)?; + + Ok(WellKnownSecretData::TlsPkcs12Truststore( + TlsPkcs12Truststore { + truststore: pkcs12_truststore( + &ca_stack, + compat.tls_pkcs12_password.as_deref().unwrap_or_default(), + )?, + }, + )) + } + (WellKnownSecretData::TlsCaPem(pem), SecretFormat::TlsPkcs12Truststore) => { + let ca_stack = ca_pem_to_ca_stack(&pem.ca_pem)?; + + Ok(WellKnownSecretData::TlsPkcs12Truststore( + TlsPkcs12Truststore { + truststore: pkcs12_truststore( + &ca_stack, + compat.tls_pkcs12_password.as_deref().unwrap_or_default(), + )?, + }, + )) + } (from, to) => NoValidConversionSnafu { from, to }.fail(), } 
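Review bot: The two new `SecretFormat::TlsPkcs12Truststore` arms in `convert` are byte-for-byte duplicates that differ only in the source variant; a single arm with an or-pattern binding the CA bundle, `(WellKnownSecretData::TlsPem(TlsPem { ca_pem, .. }) | WellKnownSecretData::TlsCaPem(TlsCaPem { ca_pem }), SecretFormat::TlsPkcs12Truststore) => {`, removes the second copy and keeps the two paths from drifting apart (the body stays as written, using `ca_pem` instead of `pem.ca_pem`). Both arms also inherit `compat.tls_pkcs12_password.as_deref().unwrap_or_default()` from the existing `TlsPkcs12` arm, so a volume without a compatibility password gets a truststore protected by the empty password; that is consistent with the existing behaviour but worth a one-line comment such as `// No compatibility password configured: the PKCS#12 archive is written with an empty password, matching the TlsPkcs12 arm.` so the default is visible to whoever consumes it. The enclosing `convert` function starts before this hunk.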
@@ -49,20 +78,11 @@ pub enum ConvertError { TlsToPkcs12 { source: TlsToPkcs12Error }, } -pub fn convert_tls_to_pkcs12( - pem: TlsPem, - p12_password: &str, -) -> Result { +fn convert_tls_to_pkcs12(pem: TlsPem, p12_password: &str) -> Result { use tls_to_pkcs12_error::*; let cert = X509::from_pem(&pem.certificate_pem).context(LoadCertSnafu)?; let key = PKey::private_key_from_pem(&pem.key_pem).context(LoadKeySnafu)?; - - let mut ca_stack = Stack::::new().context(LoadCaSnafu)?; - for ca in split_pem_certificates(&pem.ca_pem) { - X509::from_pem(ca) - .and_then(|ca| ca_stack.push(ca)) - .context(LoadCertSnafu)?; - } + let ca_stack = ca_pem_to_ca_stack(&pem.ca_pem)?; Ok(TlsPkcs12 { truststore: pkcs12_truststore(&ca_stack, p12_password)?, @@ -76,6 +96,17 @@ pub fn convert_tls_to_pkcs12( }) } +fn ca_pem_to_ca_stack(ca_pem: &[u8]) -> Result, TlsToPkcs12Error> { + use tls_to_pkcs12_error::*; + let mut ca_stack = Stack::::new().context(LoadCaSnafu)?; + for ca in split_pem_certificates(ca_pem) { + X509::from_pem(ca) + .and_then(|ca| ca_stack.push(ca)) + .context(LoadCertSnafu)?; + } + Ok(ca_stack) +} + fn bmp_string(s: &str) -> Vec { s.encode_utf16() .chain([0]) // null-termination character diff --git a/rust/operator-binary/src/format/well_known.rs b/rust/operator-binary/src/format/well_known.rs index 0e3c0e0d..663a87b1 100644 --- a/rust/operator-binary/src/format/well_known.rs +++ b/rust/operator-binary/src/format/well_known.rs @@ -21,12 +21,22 @@ pub struct TlsPem { pub ca_pem: Vec, } +#[derive(Debug)] +pub struct TlsCaPem { + pub ca_pem: Vec, +} + #[derive(Debug)] pub struct TlsPkcs12 { pub keystore: Vec, pub truststore: Vec, } +#[derive(Debug)] +pub struct TlsPkcs12Truststore { + pub truststore: Vec, +} + #[derive(Debug)] pub struct Kerberos { pub keytab: Vec, @@ -41,7 +51,9 @@ pub struct Kerberos { )] pub enum WellKnownSecretData { TlsPem(TlsPem), + TlsCaPem(TlsCaPem), TlsPkcs12(TlsPkcs12), + TlsPkcs12Truststore(TlsPkcs12Truststore), Kerberos(Kerberos), } 
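Review bot: `ca_pem_to_ca_stack` has no documentation and silently accepts a bundle that yields zero certificates: if `split_pem_certificates` produces no slices for an empty or non-PEM `ca.crt` (its behaviour is outside this diff, so this is inferred), the loop never runs and the caller builds a truststore with no trust anchors, without any error reaching the user who supplied the Secret. Since the extracted helper is now the single parsing point for both the keystore and the truststore-only paths, an explicit emptiness check after the loop (a new error variant alongside `LoadCa`/`LoadCert`) would turn that into a hard failure. At minimum it should carry a doc comment along the lines of `/// Parses every certificate in a (possibly concatenated) PEM bundle into an X509 stack; a bundle without certificates yields an empty stack.` The new `TlsCaPem` and `TlsPkcs12Truststore` structs in `well_known.rs` would equally benefit from doc comments stating that they intentionally carry no leaf certificate or private key, e.g. `/// CA bundle only — deliberately contains no leaf certificate or private key.`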
@@ -58,6 +70,9 @@ impl WellKnownSecretData { (FILE_PEM_CERT_CA.to_string(), ca_pem), ] .into(), + WellKnownSecretData::TlsCaPem(TlsCaPem { ca_pem }) => { + [(FILE_PEM_CERT_CA.to_string(), ca_pem)].into() + } WellKnownSecretData::TlsPkcs12(TlsPkcs12 { keystore, truststore, @@ -66,6 +81,9 @@ impl WellKnownSecretData { (FILE_PKCS12_CERT_TRUSTSTORE.to_string(), truststore), ] .into(), + WellKnownSecretData::TlsPkcs12Truststore(TlsPkcs12Truststore { truststore }) => { + [(FILE_PKCS12_CERT_TRUSTSTORE.to_string(), truststore)].into() + } WellKnownSecretData::Kerberos(Kerberos { keytab, krb5_conf }) => [ (FILE_KERBEROS_KEYTAB_KEYTAB.to_string(), keytab), (FILE_KERBEROS_KEYTAB_KRB5_CONF.to_string(), krb5_conf), @@ -88,6 +106,8 @@ impl WellKnownSecretData { key_pem: take_file(FILE_PEM_CERT_KEY)?, ca_pem: take_file(FILE_PEM_CERT_CA)?, })) + } else if let Ok(ca_pem) = take_file(SecretFormat::TlsCaPem, FILE_PEM_CERT_CA) { + Ok(WellKnownSecretData::TlsCaPem(TlsCaPem { ca_pem })) } else if let Ok(keystore) = take_file(SecretFormat::TlsPkcs12, FILE_PKCS12_CERT_KEYSTORE) { Ok(WellKnownSecretData::TlsPkcs12(TlsPkcs12 { keystore, From 92ac424c244b5727fe5aa025ae296f6f0a9f22f6 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Fri, 15 Mar 2024 10:52:41 +0100 Subject: [PATCH 2/3] fix typo in docs --- docs/modules/secret-operator/pages/secretclass.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/modules/secret-operator/pages/secretclass.adoc b/docs/modules/secret-operator/pages/secretclass.adoc index 88bd2f5d..17b6ba34 100644 --- a/docs/modules/secret-operator/pages/secretclass.adoc +++ b/docs/modules/secret-operator/pages/secretclass.adoc @@ -206,7 +206,7 @@ metadata: name: admin-credentials-class spec: backend: - k8sSearch: + k8sSearch: searchNamespace: pod: {} --- From f57eb76275a5a912a572849b24a836d5433651dc Mon Sep 17 00:00:00 2001 
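Review bot: In `from_files` the new `else if let Ok(ca_pem) = take_file(SecretFormat::TlsCaPem, FILE_PEM_CERT_CA)` branch is evaluated before the `TlsPkcs12` branch, and a lone `ca.crt` is the least specific file signature in the chain, so a Secret that carries `ca.crt` next to `keystore.p12`/`truststore.p12` is now classified as `TlsCaPem` and the PKCS#12 files are never looked at by this branch (what happens to leftover files depends on code after the chain, which is not visible here). Moving the branch after the `TlsPkcs12` one, so the single-file format acts as the fallback, avoids changing the classification of existing Secrets, and a comment such as `// Checked last among the TLS formats: a lone ca.crt is the least specific signature.` would make the ordering dependency explicit. The enclosing function starts and ends outside this hunk.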
From: Sebastian Bernauer Date: Fri, 15 Mar 2024 11:52:08 +0100 Subject: [PATCH 3/3] Add tests --- .../{tls => auto-tls}/01-secretclass.yaml | 0 .../kuttl/{tls => auto-tls}/02-rbac.yaml.j2 | 0 .../kuttl/{tls => auto-tls}/10-assert.yaml | 2 +- .../kuttl/auto-tls/10-consumer-pem.yaml | 5 ++ tests/templates/kuttl/auto-tls/11-assert.yaml | 11 +++++ .../kuttl/auto-tls/11-consumer-pkcs12.yaml | 5 ++ tests/templates/kuttl/auto-tls/12-assert.yaml | 11 +++++ .../12-consumer-pkcs12-truststore.yaml | 5 ++ .../consumer-pem.yaml} | 2 +- .../auto-tls/consumer-pkcs12-truststore.yaml | 48 ++++++++++++++++++ .../kuttl/auto-tls/consumer-pkcs12.yaml | 48 ++++++++++++++++++ .../kuttl/{tls => auto-tls}/secretclass.yaml | 0 tests/templates/kuttl/tls/10-consumer.yaml | 5 -- .../user-provided-tls/01-secretclass.yaml | 5 ++ .../kuttl/user-provided-tls/02-rbac.yaml.j2 | 30 ++++++++++++ .../kuttl/user-provided-tls/10-assert.yaml | 11 +++++ .../user-provided-tls/10-consumer-ca-pem.yaml | 5 ++ .../kuttl/user-provided-tls/11-assert.yaml | 11 +++++ .../11-consumer-pkcs12-truststore.yaml | 5 ++ .../user-provided-tls/consumer-ca-pem.yaml | 48 ++++++++++++++++++ .../consumer-pkcs12-truststore.yaml | 49 +++++++++++++++++++ .../kuttl/user-provided-tls/secretclass.yaml | 41 ++++++++++++++++ tests/test-definition.yaml | 5 +- 23 files changed, 344 insertions(+), 8 deletions(-) rename tests/templates/kuttl/{tls => auto-tls}/01-secretclass.yaml (100%) rename tests/templates/kuttl/{tls => auto-tls}/02-rbac.yaml.j2 (100%) rename tests/templates/kuttl/{tls => auto-tls}/10-assert.yaml (84%) create mode 100644 tests/templates/kuttl/auto-tls/10-consumer-pem.yaml create mode 100644 tests/templates/kuttl/auto-tls/11-assert.yaml create mode 100644 tests/templates/kuttl/auto-tls/11-consumer-pkcs12.yaml create mode 100644 tests/templates/kuttl/auto-tls/12-assert.yaml create mode 100644 tests/templates/kuttl/auto-tls/12-consumer-pkcs12-truststore.yaml rename tests/templates/kuttl/{tls/consumer.yaml => 
auto-tls/consumer-pem.yaml} (99%) create mode 100644 tests/templates/kuttl/auto-tls/consumer-pkcs12-truststore.yaml create mode 100644 tests/templates/kuttl/auto-tls/consumer-pkcs12.yaml rename tests/templates/kuttl/{tls => auto-tls}/secretclass.yaml (100%) delete mode 100644 tests/templates/kuttl/tls/10-consumer.yaml create mode 100644 tests/templates/kuttl/user-provided-tls/01-secretclass.yaml create mode 100644 tests/templates/kuttl/user-provided-tls/02-rbac.yaml.j2 create mode 100644 tests/templates/kuttl/user-provided-tls/10-assert.yaml create mode 100644 tests/templates/kuttl/user-provided-tls/10-consumer-ca-pem.yaml create mode 100644 tests/templates/kuttl/user-provided-tls/11-assert.yaml create mode 100644 tests/templates/kuttl/user-provided-tls/11-consumer-pkcs12-truststore.yaml create mode 100644 tests/templates/kuttl/user-provided-tls/consumer-ca-pem.yaml create mode 100644 tests/templates/kuttl/user-provided-tls/consumer-pkcs12-truststore.yaml create mode 100644 tests/templates/kuttl/user-provided-tls/secretclass.yaml diff --git a/tests/templates/kuttl/tls/01-secretclass.yaml b/tests/templates/kuttl/auto-tls/01-secretclass.yaml similarity index 100% rename from tests/templates/kuttl/tls/01-secretclass.yaml rename to tests/templates/kuttl/auto-tls/01-secretclass.yaml diff --git a/tests/templates/kuttl/tls/02-rbac.yaml.j2 b/tests/templates/kuttl/auto-tls/02-rbac.yaml.j2 similarity index 100% rename from tests/templates/kuttl/tls/02-rbac.yaml.j2 rename to tests/templates/kuttl/auto-tls/02-rbac.yaml.j2 diff --git a/tests/templates/kuttl/tls/10-assert.yaml b/tests/templates/kuttl/auto-tls/10-assert.yaml similarity index 84% rename from tests/templates/kuttl/tls/10-assert.yaml rename to tests/templates/kuttl/auto-tls/10-assert.yaml index 1eaca5b2..cdc2dcfb 100644 --- a/tests/templates/kuttl/tls/10-assert.yaml +++ b/tests/templates/kuttl/auto-tls/10-assert.yaml 
@@ -6,6 +6,6 @@ timeout: 300 apiVersion: batch/v1 kind: Job metadata: - name: tls-consumer + name: tls-consumer-pem status: succeeded: 1 diff --git a/tests/templates/kuttl/auto-tls/10-consumer-pem.yaml b/tests/templates/kuttl/auto-tls/10-consumer-pem.yaml new file mode 100644 index 00000000..2b74bf34 --- /dev/null +++ b/tests/templates/kuttl/auto-tls/10-consumer-pem.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - script: envsubst '$NAMESPACE' < consumer-pem.yaml | kubectl apply -n $NAMESPACE -f - diff --git a/tests/templates/kuttl/auto-tls/11-assert.yaml b/tests/templates/kuttl/auto-tls/11-assert.yaml new file mode 100644 index 00000000..4775ead0 --- /dev/null +++ b/tests/templates/kuttl/auto-tls/11-assert.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +timeout: 300 +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: tls-consumer-pkcs12 +status: + succeeded: 1 diff --git a/tests/templates/kuttl/auto-tls/11-consumer-pkcs12.yaml b/tests/templates/kuttl/auto-tls/11-consumer-pkcs12.yaml new file mode 100644 index 00000000..6ed6baa4 --- /dev/null +++ b/tests/templates/kuttl/auto-tls/11-consumer-pkcs12.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - script: envsubst '$NAMESPACE' < consumer-pkcs12.yaml | kubectl apply -n $NAMESPACE -f - diff --git a/tests/templates/kuttl/auto-tls/12-assert.yaml b/tests/templates/kuttl/auto-tls/12-assert.yaml new file mode 100644 index 00000000..aeaf555c --- /dev/null +++ b/tests/templates/kuttl/auto-tls/12-assert.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +timeout: 300 +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: tls-consumer-pkcs12-truststore +status: + succeeded: 1 diff --git a/tests/templates/kuttl/auto-tls/12-consumer-pkcs12-truststore.yaml b/tests/templates/kuttl/auto-tls/12-consumer-pkcs12-truststore.yaml new file mode 100644 index 00000000..49635325 --- /dev/null 
+++ b/tests/templates/kuttl/auto-tls/12-consumer-pkcs12-truststore.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - script: envsubst '$NAMESPACE' < consumer-pkcs12-truststore.yaml | kubectl apply -n $NAMESPACE -f - diff --git a/tests/templates/kuttl/tls/consumer.yaml b/tests/templates/kuttl/auto-tls/consumer-pem.yaml similarity index 99% rename from tests/templates/kuttl/tls/consumer.yaml rename to tests/templates/kuttl/auto-tls/consumer-pem.yaml index 1b168f6e..1712cc7c 100644 --- a/tests/templates/kuttl/tls/consumer.yaml +++ b/tests/templates/kuttl/auto-tls/consumer-pem.yaml @@ -3,7 +3,7 @@ apiVersion: batch/v1 kind: Job metadata: - name: tls-consumer + name: tls-consumer-pem spec: template: spec: diff --git a/tests/templates/kuttl/auto-tls/consumer-pkcs12-truststore.yaml b/tests/templates/kuttl/auto-tls/consumer-pkcs12-truststore.yaml new file mode 100644 index 00000000..14108882 --- /dev/null +++ b/tests/templates/kuttl/auto-tls/consumer-pkcs12-truststore.yaml 
@@ -0,0 +1,48 @@ +# $NAMESPACE will be replaced with the namespace of the test case. +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: tls-consumer-pkcs12-truststore +spec: + template: + spec: + containers: + - name: consumer + image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable0.0.0-dev + command: + - bash + args: + - -c + - | + set -euo pipefail + ls -la /stackable/tls + + if ! test -f /stackable/tls/truststore.p12; then echo "Truststore missing!" && exit 1; fi + if test -f /stackable/tls/keystore.p12; then echo "Keystore is present, but should be absent!" && exit 1; fi + volumeMounts: + - mountPath: /stackable/tls + name: tls + volumes: + - name: tls + ephemeral: + volumeClaimTemplate: + metadata: + annotations: + secrets.stackable.tech/class: tls-$NAMESPACE + secrets.stackable.tech/scope: pod + secrets.stackable.tech/format: tls-pkcs12-truststore + spec: + storageClassName: secrets.stackable.tech + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "1" + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + restartPolicy: Never + terminationGracePeriodSeconds: 0 + serviceAccount: integration-tests-sa diff --git a/tests/templates/kuttl/auto-tls/consumer-pkcs12.yaml b/tests/templates/kuttl/auto-tls/consumer-pkcs12.yaml new file mode 100644 index 00000000..58d30afb --- /dev/null +++ b/tests/templates/kuttl/auto-tls/consumer-pkcs12.yaml 
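Review bot: The auto-tls truststore consumer only asserts that `truststore.p12` exists and `keystore.p12` is absent, whereas its sibling `user-provided-tls/consumer-pkcs12-truststore.yaml` in this same series additionally asserts that `ca.crt`, `tls.crt` and `tls.key` are absent; the two tests should check the same invariant, since leaking a PEM private key into a truststore-only volume is exactly what this format is meant to prevent. Adding `if test -f /stackable/tls/tls.key; then echo "tls.key is present, but should be absent!" && exit 1; fi` (and the matching lines for `tls.crt` and `ca.crt`) brings them in line. If the testing-tools image ships `openssl` (not visible here), `openssl pkcs12 -in /stackable/tls/truststore.p12 -nokeys -passin pass: -info >/dev/null` would also confirm the archive parses and opens with the empty default password rather than merely existing.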
@@ -0,0 +1,48 @@ +# $NAMESPACE will be replaced with the namespace of the test case. +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: tls-consumer-pkcs12 +spec: + template: + spec: + containers: + - name: consumer + image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable0.0.0-dev + command: + - bash + args: + - -c + - | + set -euo pipefail + ls -la /stackable/tls + + if ! test -f /stackable/tls/truststore.p12; then echo "Truststore missing!" && exit 1; fi + if ! test -f /stackable/tls/keystore.p12; then echo "Keystore missing!" && exit 1; fi + volumeMounts: + - mountPath: /stackable/tls + name: tls + volumes: + - name: tls + ephemeral: + volumeClaimTemplate: + metadata: + annotations: + secrets.stackable.tech/class: tls-$NAMESPACE + secrets.stackable.tech/scope: pod + secrets.stackable.tech/format: tls-pkcs12 + spec: + storageClassName: secrets.stackable.tech + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "1" + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + restartPolicy: Never + terminationGracePeriodSeconds: 0 + serviceAccount: integration-tests-sa diff --git a/tests/templates/kuttl/tls/secretclass.yaml b/tests/templates/kuttl/auto-tls/secretclass.yaml similarity index 100% rename from tests/templates/kuttl/tls/secretclass.yaml rename to tests/templates/kuttl/auto-tls/secretclass.yaml diff --git a/tests/templates/kuttl/tls/10-consumer.yaml b/tests/templates/kuttl/tls/10-consumer.yaml deleted file mode 100644 index a2388abe..00000000 --- a/tests/templates/kuttl/tls/10-consumer.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: - - script: envsubst '$NAMESPACE' < consumer.yaml | kubectl apply -n $NAMESPACE -f - diff --git a/tests/templates/kuttl/user-provided-tls/01-secretclass.yaml b/tests/templates/kuttl/user-provided-tls/01-secretclass.yaml new file mode 100644 index 00000000..bbb9c8b2 --- /dev/null 
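Review bot: The pkcs12 consumer checks only that `keystore.p12` and `truststore.p12` exist, which would also pass for two zero-byte files, so a regression in the conversion path would not be caught. Provided `openssl` is available in the testing-tools image (not visible here), `openssl pkcs12 -in /stackable/tls/keystore.p12 -passin pass: -nocerts -nodes >/dev/null` and `openssl pkcs12 -in /stackable/tls/truststore.p12 -passin pass: -nokeys >/dev/null` would verify that the keystore contains a private key and both archives open with the default password. Consider also asserting that the PEM files are absent, as the user-provided-tls consumers in this series do.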
+++ b/tests/templates/kuttl/user-provided-tls/01-secretclass.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - script: envsubst '$NAMESPACE' < secretclass.yaml | kubectl apply -n "$NAMESPACE" -f - diff --git a/tests/templates/kuttl/user-provided-tls/02-rbac.yaml.j2 b/tests/templates/kuttl/user-provided-tls/02-rbac.yaml.j2 new file mode 100644 index 00000000..1f8813bc --- /dev/null +++ b/tests/templates/kuttl/user-provided-tls/02-rbac.yaml.j2 @@ -0,0 +1,30 @@ +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: use-integration-tests-scc +rules: +{% if test_scenario['values']['openshift'] == "true" %} + - apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +{% endif %} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: integration-tests-sa +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: use-integration-tests-scc +subjects: + - kind: ServiceAccount + name: integration-tests-sa +roleRef: + kind: Role + name: use-integration-tests-scc + apiGroup: rbac.authorization.k8s.io + diff --git a/tests/templates/kuttl/user-provided-tls/10-assert.yaml b/tests/templates/kuttl/user-provided-tls/10-assert.yaml new file mode 100644 index 00000000..8e0d2548 --- /dev/null +++ b/tests/templates/kuttl/user-provided-tls/10-assert.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +timeout: 300 +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: tls-consumer-ca-pem +status: + succeeded: 1 diff --git a/tests/templates/kuttl/user-provided-tls/10-consumer-ca-pem.yaml b/tests/templates/kuttl/user-provided-tls/10-consumer-ca-pem.yaml new file mode 100644 index 00000000..0ab859e2 --- /dev/null +++ b/tests/templates/kuttl/user-provided-tls/10-consumer-ca-pem.yaml 
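Review bot: The Role in `02-rbac.yaml.j2` grants `use` on the `privileged` SCC, but the consumer Jobs in this suite run as uid/gid 1000 with `fsGroup: 1000` and mount only a CSI ephemeral volume, so `privileged` looks broader than the pods need; a less permissive SCC (for example `nonroot-v2`) may be sufficient if it admits CSI ephemeral volumes, which should be verified on the OpenShift test cluster. The file is a copy of the auto-tls one, so the same applies there. Minor: the file ends with an extra blank line after `apiGroup: rbac.authorization.k8s.io`, and the `-n "$NAMESPACE"` quoting in `01-secretclass.yaml` is not used by the other TestStep scripts in the series.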
@@ -0,0 +1,5 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - script: envsubst '$NAMESPACE' < consumer-ca-pem.yaml | kubectl apply -n $NAMESPACE -f - diff --git a/tests/templates/kuttl/user-provided-tls/11-assert.yaml b/tests/templates/kuttl/user-provided-tls/11-assert.yaml new file mode 100644 index 00000000..aeaf555c --- /dev/null +++ b/tests/templates/kuttl/user-provided-tls/11-assert.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestAssert +timeout: 300 +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: tls-consumer-pkcs12-truststore +status: + succeeded: 1 diff --git a/tests/templates/kuttl/user-provided-tls/11-consumer-pkcs12-truststore.yaml b/tests/templates/kuttl/user-provided-tls/11-consumer-pkcs12-truststore.yaml new file mode 100644 index 00000000..49635325 --- /dev/null +++ b/tests/templates/kuttl/user-provided-tls/11-consumer-pkcs12-truststore.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - script: envsubst '$NAMESPACE' < consumer-pkcs12-truststore.yaml | kubectl apply -n $NAMESPACE -f - diff --git a/tests/templates/kuttl/user-provided-tls/consumer-ca-pem.yaml b/tests/templates/kuttl/user-provided-tls/consumer-ca-pem.yaml new file mode 100644 index 00000000..66e1e1fc --- /dev/null +++ b/tests/templates/kuttl/user-provided-tls/consumer-ca-pem.yaml 
@@ -0,0 +1,48 @@ +# $NAMESPACE will be replaced with the namespace of the test case. +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: tls-consumer-ca-pem +spec: + template: + spec: + containers: + - name: consumer + image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable0.0.0-dev + command: + - bash + args: + - -c + - | + set -euo pipefail + ls -la /stackable/tls + + if ! test -f /stackable/tls/ca.crt; then echo "ca.crt missing!" && exit 1; fi + if test -f /stackable/tls/tls.crt; then echo "tls.crt is present, but should be absent!" && exit 1; fi + if test -f /stackable/tls/tls.key; then echo "tls.key is present, but should be absent!" && exit 1; fi + volumeMounts: + - mountPath: /stackable/tls + name: tls + volumes: + - name: tls + ephemeral: + volumeClaimTemplate: + metadata: + annotations: + secrets.stackable.tech/class: custom-ca-$NAMESPACE + secrets.stackable.tech/format: tls-ca-pem + spec: + storageClassName: secrets.stackable.tech + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "1" + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + restartPolicy: Never + terminationGracePeriodSeconds: 0 + serviceAccount: integration-tests-sa diff --git a/tests/templates/kuttl/user-provided-tls/consumer-pkcs12-truststore.yaml b/tests/templates/kuttl/user-provided-tls/consumer-pkcs12-truststore.yaml new file mode 100644 index 00000000..d8ecec36 --- /dev/null +++ b/tests/templates/kuttl/user-provided-tls/consumer-pkcs12-truststore.yaml 
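Review bot: The ca-pem consumer verifies only that `ca.crt` exists, not that it is the CA from the `custom-ca` Secret, so a conversion that emitted an empty or truncated bundle would still pass. If the testing-tools image provides `openssl` (not visible here), `openssl x509 -in /stackable/tls/ca.crt -noout -subject` inside the script would at least confirm the file is a parseable certificate, and grepping the printed subject against the fixture's would confirm it is the expected one. The absence checks for `tls.crt` and `tls.key` are the right invariant for this format and should stay.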
@@ -0,0 +1,49 @@ +# $NAMESPACE will be replaced with the namespace of the test case. +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: tls-consumer-pkcs12-truststore +spec: + template: + spec: + containers: + - name: consumer + image: docker.stackable.tech/stackable/testing-tools:0.2.0-stackable0.0.0-dev + command: + - bash + args: + - -c + - | + set -euo pipefail + ls -la /stackable/tls + + if ! test -f /stackable/tls/truststore.p12; then echo "truststore.p12 missing!" && exit 1; fi + if test -f /stackable/tls/ca.crt; then echo "ca.crt is present, but should be absent!" && exit 1; fi + if test -f /stackable/tls/tls.crt; then echo "tls.crt is present, but should be absent!" && exit 1; fi + if test -f /stackable/tls/tls.key; then echo "tls.key is present, but should be absent!" && exit 1; fi + volumeMounts: + - mountPath: /stackable/tls + name: tls + volumes: + - name: tls + ephemeral: + volumeClaimTemplate: + metadata: + annotations: + secrets.stackable.tech/class: custom-ca-$NAMESPACE + secrets.stackable.tech/format: tls-pkcs12-truststore + spec: + storageClassName: secrets.stackable.tech + accessModes: + - ReadWriteOnce + resources: + requests: + storage: "1" + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + restartPolicy: Never + terminationGracePeriodSeconds: 0 + serviceAccount: integration-tests-sa diff --git a/tests/templates/kuttl/user-provided-tls/secretclass.yaml b/tests/templates/kuttl/user-provided-tls/secretclass.yaml new file mode 100644 index 00000000..088704c2 --- /dev/null +++ b/tests/templates/kuttl/user-provided-tls/secretclass.yaml 
@@ -0,0 +1,41 @@ +# $NAMESPACE will be replaced with the namespace of the test case. +--- +apiVersion: secrets.stackable.tech/v1alpha1 +kind: SecretClass +metadata: + name: custom-ca-$NAMESPACE +spec: + backend: + k8sSearch: + searchNamespace: + pod: {} +--- +apiVersion: v1 +kind: Secret +metadata: + name: custom-ca + labels: + secrets.stackable.tech/class: custom-ca-$NAMESPACE +stringData: + ca.crt: | + -----BEGIN CERTIFICATE----- + MIIDazCCAlOgAwIBAgIQO7eOmc5HFIBOjSAkCI0SODANBgkqhkiG9w0BAQsFADBI + MRQwEgYKCZImiZPyLGQBGRYEdGVzdDEUMBIGCgmSJomT8ixkARkWBHNibGUxGjAY + BgNVBAMTEXNibGUtU0JMRS1BRERTLUNBMB4XDTIzMDMyNzEyMzgwN1oXDTI4MDMy + NzEyNDgwN1owSDEUMBIGCgmSJomT8ixkARkWBHRlc3QxFDASBgoJkiaJk/IsZAEZ + FgRzYmxlMRowGAYDVQQDExFzYmxlLVNCTEUtQUREUy1DQTCCASIwDQYJKoZIhvcN + AQEBBQADggEPADCCAQoCggEBAM1sskWrUPrVIQ0Ulwq2XLhcSthHbnCSCeqrlT+z + GPSeMd5QbL9hzo0iP1a1NBxNCbkG1xQ6otDYEGH7I7soV2YjafPJ34qalsejXeQb + HPB56ZQ9ue0QKq5I8STAkewYNdE9NLD9O4wc0r0gU3WqDXQumwMvDSGgMoJ5oCJ8 + pZaJyF8HP6v1FRK0h9BHf+pau0ZC9a/2yhPGX/y4tuka4SFE/4RSc5K2xDdCLTEf + EfHovT4zDIx6ErDmVTgLJ0e/UXWoO1v+WJz3gBcrvbwZrKnBs7CUqza26RCApgtd + tlCX0zplT3LjmFENTZO+nN1KOoCCtE3/xOAqgZsLtof4NAUCAwEAAaNRME8wCwYD + VR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFC7kiVMA8eKGHp8/ + Mozb9c1JYunUMBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBCwUAA4IBAQCQ + 6oL/8jA6ie39dAyJLMIv8U3+pDokAUCkJplc6COf537kchLrF24evFvZi8+aA3/s + PFntxXJsahcUXi8hBbZLHj+ZdmN2fjq0CE/0sRiHS2C/LRuskLTcVISELLxoiynn + SOR/zeC6mUgFdGhnV1w84cxoeZV8YD3cdrlmFcD0b2kjm3i2t8ifapJENLFllzRW + spnQeRVimyvwH1s4U8qZ/OcR4c3P37kczEuQ165tpjFVfmw7a/OCMFa+olP4bP18 + AojYiwU57w90WTveuE76qjK8Q9BGj9C1vjk6xPXM4aS6ga5kwQVmiAYlPmogooyz + EToGeyp1QmS66b5Se18l + -----END CERTIFICATE----- diff --git a/tests/test-definition.yaml b/tests/test-definition.yaml index 0eeb3390..48c2c68f 100644 --- a/tests/test-definition.yaml +++ b/tests/test-definition.yaml 
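Review bot: The `custom-ca` fixture is a fixed, real-looking enterprise CA certificate (the subject decodes to an AD CS-style CA name and, if I read the validity field correctly, it expires in March 2028); because `X509::from_pem` in the conversion path does not check validity, the test will keep passing after expiry, which is harmless here but means the fixture will eventually be a certificate that no client would accept. Generating a throwaway self-signed CA in the TestStep with `openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=test-ca ...` and creating the Secret from it would avoid carrying a dated artefact in the repository. A one-line comment above `stringData:` stating where the certificate came from and that only the public CA is committed would help reviewers either way.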
@@ -13,7 +13,10 @@ tests: - name: listener dimensions: - openshift - - name: tls + - name: auto-tls + dimensions: + - openshift + - name: user-provided-tls dimensions: - openshift suites: