diff --git a/test/e2e/auth/certificates.go b/test/e2e/auth/certificates.go index bf49dd8d395..aff700e585b 100644 --- a/test/e2e/auth/certificates.go +++ b/test/e2e/auth/certificates.go @@ -25,21 +25,23 @@ import ( "fmt" "time" + "github.com/onsi/ginkgo" + certificatesv1 "k8s.io/api/certificates/v1" v1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - types "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/watch" + "k8s.io/apiserver/pkg/server/dynamiccertificates" certificatesclient "k8s.io/client-go/kubernetes/typed/certificates/v1" "k8s.io/client-go/rest" "k8s.io/client-go/util/cert" + "k8s.io/client-go/util/certificate/csr" "k8s.io/kubernetes/test/e2e/framework" "k8s.io/kubernetes/test/utils" - - "github.com/onsi/ginkgo" ) var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() { @@ -80,7 +82,8 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() { certificatesv1.UsageKeyEncipherment, certificatesv1.UsageClientAuth, }, - SignerName: certificatesv1.KubeAPIServerClientSignerName, + SignerName: certificatesv1.KubeAPIServerClientSignerName, + ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour), }, } @@ -159,6 +162,12 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() { rcfg.TLSClientConfig.CertData = csr.Status.Certificate rcfg.TLSClientConfig.KeyData = pkpem + certs, err := cert.ParseCertsPEM(csr.Status.Certificate) + framework.ExpectNoError(err) + framework.ExpectEqual(len(certs), 1, "expected a single cert, got %#v", certs) + cert := certs[0] + framework.ExpectEqual(cert.NotAfter.Sub(cert.NotBefore), time.Hour+5*time.Minute, "unexpected cert duration: %s", dynamiccertificates.GetHumanCertDetail(cert)) + newClient, err := certificatesclient.NewForConfig(rcfg) framework.ExpectNoError(err) @@ -207,7 +216,9 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() { Spec: certificatesv1.CertificateSigningRequestSpec{ Request: csrData, SignerName: signerName, - Usages: []certificatesv1.KeyUsage{certificatesv1.UsageDigitalSignature, certificatesv1.UsageKeyEncipherment, certificatesv1.UsageServerAuth}, + // TODO(enj): check for expirationSeconds field persistence once the feature is GA + // ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour), + Usages: []certificatesv1.KeyUsage{certificatesv1.UsageDigitalSignature, certificatesv1.UsageKeyEncipherment, certificatesv1.UsageServerAuth}, }, } @@ -280,6 +291,8 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() { gottenCSR, err := csrClient.Get(context.TODO(), createdCSR.Name, metav1.GetOptions{}) framework.ExpectNoError(err) framework.ExpectEqual(gottenCSR.UID, createdCSR.UID) + // TODO(enj): check for expirationSeconds field persistence once the feature is GA + // framework.ExpectEqual(gottenCSR.Spec.ExpirationSeconds, csr.DurationToExpirationSeconds(time.Hour)) ginkgo.By("listing") csrs, err := csrClient.List(context.TODO(), metav1.ListOptions{FieldSelector: "spec.signerName=" + signerName})