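# Smoke test for certgen: build the binary, run it twice against a throwaway
# kind cluster, and check the CA and leaf certificates it writes into Secrets
# (subject, SANs, key usages, validity window, CA bundle, re-issuance).
name: Smoke Test

on:
  pull_request: {}
  push:
    branches:
      - main

# Least privilege for GITHUB_TOKEN: the job only checks out code and talks to a
# local kind cluster, so read access to the repository is all it needs.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    name: Build and test
    steps:
      # Third-party actions are pinned to full commit SHAs rather than mutable
      # tags (supply-chain hardening); keep them pinned when bumping.
      - name: Create the target kind cluster
        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - name: Install Go
        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed
        with:
          go-version-file: 'go.mod'
      - name: Build the certgen binary
        run: |
          go build -o certgen .
      - name: Create the configuration file
        run: |
          # Quoted heredoc delimiter: the file is written verbatim, with no
          # shell expansion. The validity values below are what the
          # assertions in the next step check against.
          cat <<'EOF' > config.yaml
          certs:
          - name: foo
            namespace: ladybird
            commonName: foo.cilium.io
            hosts:
            - foo.cilium.io
            - qux.cilium.io
            - 192.0.2.237
            usage:
            - signing
            - key encipherment
            - server auth
            validity: 24h
          - name: bar
            namespace: ladybird
            commonName: bar.cilium.io
            usage:
            - signing
            - key encipherment
            - client auth
            validity: 3h
          EOF
      - name: Run and test
        run: |
          # Make strict mode explicit instead of relying on the runner's default
          # shell options: every assert_* helper below reports failure through a
          # non-zero status and depends on errexit (plus pipefail for the
          # openssl | tail | sed pipelines) to abort the job.
          set -euo pipefail

          # Fail unless both strings are byte-identical.
          assert_equal() {
            local got="$1"
            local expected="$2"
            if [[ "$got" != "$expected" ]]; then
              printf '%s\n' "Equality assertion failed:" \
                "- expected: $expected" \
                "- got: $got" >&2
              return 1
            fi
            return 0
          }

          # Fail if both strings are byte-identical.
          assert_not_equal() {
            local first="$1"
            local second="$2"
            if [[ "$first" == "$second" ]]; then
              printf '%s\n' "Inequality assertion failed:" \
                "- first: $first" \
                "- second: $second" >&2
              return 1
            fi
            return 0
          }

          # Decode one key of a Kubernetes Secret into a file.
          # Only the public certificate fields (tls.crt / ca.crt) are read in
          # this test, and the decoded files are later dumped into the job log
          # with `openssl x509 -text`; never point this at a private-key field.
          secret_field() {
            local namespace="$1"
            local secret="$2"
            local key="$3"
            local out="$4"
            kubectl get secret -n "$namespace" "$secret" \
              --template="{{ index .data \"${key}\" }}" | base64 -d > "$out"
          }

          # Print the value line of a single X.509 extension, stripped of the
          # leading indentation openssl adds.
          ext_value() {
            local crt="$1"
            local ext="$2"
            openssl x509 -ext "$ext" -noout -in "$crt" | tail -n 1 | sed 's/^ *//'
          }

          # Assert that a certificate expires roughly `seconds` from now
          # (within +/- 10 minutes, to absorb the time between issuance and
          # this check). `openssl x509 -checkend N` exits 0 when the certificate
          # is still valid N seconds from now, so the first call must succeed
          # (not expired 10m early) and the second must fail (expired 10m late).
          assert_validity() {
            local crt="$1"
            local seconds="$2"
            local slack=600
            openssl x509 -checkend "$(( seconds - slack ))" -noout -in "$crt"
            if openssl x509 -checkend "$(( seconds + slack ))" -noout -in "$crt"; then
              printf '%s\n' "Validity assertion failed: $crt outlives the expected ${seconds}s" >&2
              return 1
            fi
            return 0
          }

          # Check the 'foo' leaf: server-auth certificate with DNS and IP SANs,
          # chaining to the given CA and valid for the configured 24h.
          # NOTE: the textual forms of subject and extensions depend on the
          # runner's OpenSSL version; adjust the expected strings if
          # ubuntu-latest moves to a release that prints them differently.
          assert_foo_cert() {
            local crt="$1"
            local ca="$2"
            openssl verify -CAfile "$ca" "$crt"
            assert_equal "$(openssl x509 -subject -noout -in "$crt")" "subject=CN = foo.cilium.io"
            assert_equal "$(ext_value "$crt" subjectAltName)" "DNS:foo.cilium.io, DNS:qux.cilium.io, IP Address:192.0.2.237"
            assert_equal "$(ext_value "$crt" keyUsage)" "Digital Signature, Key Encipherment"
            assert_equal "$(ext_value "$crt" extendedKeyUsage)" "TLS Web Server Authentication"
            assert_validity "$crt" 86400   # 24h
            return 0
          }

          # Check the 'bar' leaf: client-auth certificate with no hosts, hence
          # no SAN extension at all, chaining to the given CA and valid for 3h.
          assert_bar_cert() {
            local crt="$1"
            local ca="$2"
            openssl verify -CAfile "$ca" "$crt"
            assert_equal "$(openssl x509 -subject -noout -in "$crt")" "subject=CN = bar.cilium.io"
            # No hosts configured: the certificate must carry no SAN extension.
            assert_equal "$(openssl x509 -ext subjectAltName -noout -in "$crt")" ""
            assert_equal "$(ext_value "$crt" keyUsage)" "Digital Signature, Key Encipherment"
            assert_equal "$(ext_value "$crt" extendedKeyUsage)" "TLS Web Client Authentication"
            assert_validity "$crt" 10800   # 3h
            return 0
          }

          # Create the target namespaces: the CA lives in 'weasel', the leaves
          # in 'ladybird', so the test also covers cross-namespace issuance.
          kubectl create namespace weasel
          kubectl create namespace ladybird

          echo
          echo "Generating certificates"
          ./certgen \
            --k8s-kubeconfig-path="${HOME}/.kube/config" \
            --ca-generate --ca-reuse-secret \
            --ca-secret-namespace=weasel \
            --ca-secret-name=the-ca \
            --ca-common-name="The CA" \
            --ca-validity-duration=48h \
            --config-file=config.yaml

          echo
          echo "Retrieving and verifying CA certificate"
          secret_field weasel the-ca ca.crt ca.crt
          openssl x509 -text -noout -in ca.crt
          # Self-signed: the CA must verify against itself.
          openssl verify -CAfile ca.crt ca.crt
          assert_equal "$(openssl x509 -subject -noout -in ca.crt)" "subject=CN = The CA"
          assert_validity ca.crt 172800   # 48h (--ca-validity-duration)

          echo
          echo "Retrieving and verifying 'foo' certificate"
          secret_field ladybird foo tls.crt foo.crt
          secret_field ladybird foo ca.crt foo.ca.crt
          openssl x509 -text -noout -in foo.crt
          assert_foo_cert foo.crt ca.crt
          # The CA bundled into the leaf's Secret must be the issuing CA.
          assert_equal "$(cat foo.ca.crt)" "$(cat ca.crt)"

          echo
          echo "Retrieving and verifying 'bar' certificate"
          secret_field ladybird bar tls.crt bar.crt
          secret_field ladybird bar ca.crt bar.ca.crt
          openssl x509 -text -noout -in bar.crt
          assert_bar_cert bar.crt ca.crt
          assert_equal "$(cat bar.ca.crt)" "$(cat ca.crt)"

          echo
          echo "Regenerating certificates"
          # Same invocation as above, but the configuration is passed through
          # the environment instead of --config-file so both input paths are
          # exercised.
          CILIUM_CERTGEN_CONFIG="$(cat config.yaml)" ./certgen \
            --k8s-kubeconfig-path="${HOME}/.kube/config" \
            --ca-generate --ca-reuse-secret \
            --ca-secret-namespace=weasel \
            --ca-secret-name=the-ca \
            --ca-common-name="The CA" \
            --ca-validity-duration=48h

          echo
          echo "Retrieving and verifying CA certificate"
          secret_field weasel the-ca ca.crt ca.new.crt
          openssl x509 -text -noout -in ca.new.crt
          # --ca-reuse-secret: the existing CA must be left untouched, otherwise
          # every leaf issued by the first run would silently stop verifying.
          assert_equal "$(cat ca.new.crt)" "$(cat ca.crt)"

          echo
          echo "Retrieving and verifying 'foo' certificate"
          secret_field ladybird foo tls.crt foo.new.crt
          # Written to its own file: the regenerated bundle is checked below,
          # not the copy saved from the first run.
          secret_field ladybird foo ca.crt foo.new.ca.crt
          openssl x509 -text -noout -in foo.new.crt
          # The leaf must have been re-issued, i.e. carry a new serial number.
          assert_not_equal "$(openssl x509 -serial -noout -in foo.crt)" "$(openssl x509 -serial -noout -in foo.new.crt)"
          assert_foo_cert foo.new.crt ca.crt
          assert_equal "$(cat foo.new.ca.crt)" "$(cat ca.crt)"

          echo
          echo "Retrieving and verifying 'bar' certificate"
          secret_field ladybird bar tls.crt bar.new.crt
          secret_field ladybird bar ca.crt bar.new.ca.crt
          openssl x509 -text -noout -in bar.new.crt
          # The leaf must have been re-issued, i.e. carry a new serial number.
          assert_not_equal "$(openssl x509 -serial -noout -in bar.crt)" "$(openssl x509 -serial -noout -in bar.new.crt)"
          assert_bar_cert bar.new.crt ca.crt
          assert_equal "$(cat bar.new.ca.crt)" "$(cat ca.crt)"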