From 0800ab92fb0e306e66ef694214c06e9f02d7721e Mon Sep 17 00:00:00 2001
From: Mike Danese
Date: Thu, 23 Mar 2017 15:23:02 -0700
Subject: [PATCH] e2e test client creation using the certificates API
---
 test/e2e/BUILD | 4 ++
 test/e2e/certificates.go | 121 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 125 insertions(+)
 create mode 100644 test/e2e/certificates.go
diff --git a/test/e2e/BUILD b/test/e2e/BUILD
index c32e8aba42f..450617a8a08 100644
--- a/test/e2e/BUILD
+++ b/test/e2e/BUILD
@@ -45,6 +45,7 @@ go_library(
 "addon_update.go",
 "apparmor.go",
 "cadvisor.go",
+ "certificates.go",
 "cluster_upgrade.go",
 "cronjob.go",
 "daemon_restart.go",
@@ -118,11 +119,13 @@ go_library(
 "//pkg/apis/batch:go_default_library",
 "//pkg/apis/batch/v1:go_default_library",
 "//pkg/apis/batch/v2alpha1:go_default_library",
+ "//pkg/apis/certificates/v1beta1:go_default_library",
 "//pkg/apis/extensions:go_default_library",
 "//pkg/apis/extensions/v1beta1:go_default_library",
 "//pkg/apis/rbac/v1beta1:go_default_library",
 "//pkg/apis/settings/v1alpha1:go_default_library",
 "//pkg/client/clientset_generated/clientset:go_default_library",
+ "//pkg/client/clientset_generated/clientset/typed/certificates/v1beta1:go_default_library",
 "//pkg/client/clientset_generated/clientset/typed/extensions/v1beta1:go_default_library",
 "//pkg/client/clientset_generated/internalclientset:go_default_library",
 "//pkg/cloudprovider:go_default_library",
@@ -194,6 +197,7 @@ go_library(
 "//vendor/k8s.io/client-go/pkg/apis/policy/v1beta1:go_default_library",
 "//vendor/k8s.io/client-go/rest:go_default_library",
 "//vendor/k8s.io/client-go/tools/cache:go_default_library",
+ "//vendor/k8s.io/client-go/util/cert:go_default_library",
 "//vendor/k8s.io/client-go/util/flowcontrol:go_default_library",
 ],
 )
diff --git a/test/e2e/certificates.go b/test/e2e/certificates.go
new file mode 100644
index 00000000000..95e19a347bf
--- /dev/null
+++ b/test/e2e/certificates.go
@@ -0,0 +1,121 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package e2e
+
+import (
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "encoding/pem"
+ "time"
+
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/wait"
+ "k8s.io/client-go/util/cert"
+ "k8s.io/kubernetes/pkg/apis/certificates/v1beta1"
+ v1beta1client "k8s.io/kubernetes/pkg/client/clientset_generated/clientset/typed/certificates/v1beta1"
+ "k8s.io/kubernetes/test/e2e/framework"
+
+ . "github.com/onsi/ginkgo"
+)
+
+var _ = framework.KubeDescribe("Certificates API", func() {
+ f := framework.NewDefaultFramework("certificates")
+
+ It("should support building a client with a CSR", func() {
+ const commonName = "tester-csr"
+
+ pk, err := cert.NewPrivateKey()
+ framework.ExpectNoError(err)
+
+ pkder := x509.MarshalPKCS1PrivateKey(pk)
+ pkpem := pem.EncodeToMemory(&pem.Block{
+ Type: "RSA PRIVATE KEY",
+ Bytes: pkder,
+ })
+
+ csrb, err := cert.MakeCSR(pk, &pkix.Name{CommonName: commonName, Organization: []string{"system:masters"}}, nil, nil)
+ framework.ExpectNoError(err)
+
+ csr := &v1beta1.CertificateSigningRequest{
+ ObjectMeta: metav1.ObjectMeta{
+ GenerateName: commonName + "-",
+ },
+ Spec: v1beta1.CertificateSigningRequestSpec{
+ Request: csrb,
+ Usages: []v1beta1.KeyUsage{
+ v1beta1.UsageSigning,
+ v1beta1.UsageKeyEncipherment,
+ v1beta1.UsageClientAuth,
+ },
+ },
+ }
+ csrs := f.ClientSet.CertificatesV1beta1().CertificateSigningRequests()
+
+ framework.Logf("creating CSR")
+ csr, err = csrs.Create(csr)
+ framework.ExpectNoError(err)
+
+ csrName := csr.Name
+
+ framework.Logf("approving CSR")
+ framework.ExpectNoError(wait.Poll(5*time.Second, time.Minute, func() (bool, error) {
+ csr.Status.Conditions = []v1beta1.CertificateSigningRequestCondition{
+ {
+ Type: v1beta1.CertificateApproved,
+ Reason: "E2E",
+ Message: "Set from an e2e test",
+ },
+ }
+ csr, err = csrs.UpdateApproval(csr)
+ if err != nil {
+ csr, _ = csrs.Get(csrName, metav1.GetOptions{})
+ framework.Logf("err updating approval: %v", err)
+ return false, nil
+ }
+ return true, nil
+ }))
+
+ framework.Logf("waiting for CSR to be signed")
+ framework.ExpectNoError(wait.Poll(5*time.Second, time.Minute, func() (bool, error) {
+ csr, _ = csrs.Get(csrName, metav1.GetOptions{})
+ if err != nil {
+ return false, err
+ }
+ if len(csr.Status.Certificate) == 0 {
+ framework.Logf("csr not signed yet")
+ return false, nil
+ }
+ return true, nil
+ }))
+
+ framework.Logf("testing the client")
+ rcfg, err := framework.LoadConfig()
+ framework.ExpectNoError(err)
+
+ rcfg.TLSClientConfig.CertData = csr.Status.Certificate
+ rcfg.TLSClientConfig.KeyData = pkpem
+ rcfg.TLSClientConfig.CertFile = ""
+ rcfg.BearerToken = ""
+ rcfg.AuthProvider = nil
+ rcfg.Username = ""
+ rcfg.Password = ""
+
+ newClient, err := v1beta1client.NewForConfig(rcfg)
+ framework.ExpectNoError(err)
+ framework.ExpectNoError(newClient.CertificateSigningRequests().Delete(csrName, nil))
+ })
+})
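Review bot: In the second `wait.Poll` ("waiting for CSR to be signed") the Get error is discarded by `csr, _ = csrs.Get(...)`, so the `if err != nil` right below it only tests the outer `err` left over from the approval step and can never report a failed Get; the line should read `csr, err = csrs.Get(csrName, metav1.GetOptions{})`. The approval loop drops the Get error the same way in its retry branch, after `csr, err = csrs.UpdateApproval(csr)` has already overwritten `csr` with the failed call's result. Separately, the CSR requests `Organization: []string{"system:masters"}` and the test approves it itself, so each run issues a client certificate for a group that default RBAC treats as cluster-admin, and that certificate remains usable until it expires even once the CSR object is deleted; a dedicated test group with a narrow RBAC binding would exercise the same signing path. The CSR is also removed only by the final `Delete`, so a `defer csrs.Delete(csrName, nil)` straight after `Create` would keep a failed run from leaving it behind.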