From 8d49502fcd498777e84c8b4da5141ffd2c25b0f0 Mon Sep 17 00:00:00 2001
From: Monis Khan <i@monis.app>
Date: Fri, 25 Jun 2021 22:08:59 -0400
Subject: [PATCH] csr: update e2e conformance test with expirationSeconds usage

Signed-off-by: Monis Khan <mok@vmware.com>
---
 test/e2e/auth/certificates.go | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/test/e2e/auth/certificates.go b/test/e2e/auth/certificates.go
index bf49dd8d395..aff700e585b 100644
--- a/test/e2e/auth/certificates.go
+++ b/test/e2e/auth/certificates.go
@@ -25,21 +25,23 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/onsi/ginkgo"
+
 	certificatesv1 "k8s.io/api/certificates/v1"
 	v1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	types "k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/apiserver/pkg/server/dynamiccertificates"
 	certificatesclient "k8s.io/client-go/kubernetes/typed/certificates/v1"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/util/cert"
+	"k8s.io/client-go/util/certificate/csr"
 	"k8s.io/kubernetes/test/e2e/framework"
 	"k8s.io/kubernetes/test/utils"
-
-	"github.com/onsi/ginkgo"
 )
 
 var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
@@ -80,7 +82,8 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
 					certificatesv1.UsageKeyEncipherment,
 					certificatesv1.UsageClientAuth,
 				},
-				SignerName: certificatesv1.KubeAPIServerClientSignerName,
+				SignerName:        certificatesv1.KubeAPIServerClientSignerName,
+				ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
 			},
 		}
 
@@ -159,6 +162,12 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
 		rcfg.TLSClientConfig.CertData = csr.Status.Certificate
 		rcfg.TLSClientConfig.KeyData = pkpem
 
+		certs, err := cert.ParseCertsPEM(csr.Status.Certificate)
+		framework.ExpectNoError(err)
+		framework.ExpectEqual(len(certs), 1, "expected a single cert, got %#v", certs)
+		cert := certs[0]
+		framework.ExpectEqual(cert.NotAfter.Sub(cert.NotBefore), time.Hour+5*time.Minute, "unexpected cert duration: %s", dynamiccertificates.GetHumanCertDetail(cert))
+
 		newClient, err := certificatesclient.NewForConfig(rcfg)
 		framework.ExpectNoError(err)
 
@@ -207,7 +216,9 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
 			Spec: certificatesv1.CertificateSigningRequestSpec{
 				Request:    csrData,
 				SignerName: signerName,
-				Usages:     []certificatesv1.KeyUsage{certificatesv1.UsageDigitalSignature, certificatesv1.UsageKeyEncipherment, certificatesv1.UsageServerAuth},
+				// TODO(enj): check for expirationSeconds field persistence once the feature is GA
+				//  ExpirationSeconds: csr.DurationToExpirationSeconds(time.Hour),
+				Usages: []certificatesv1.KeyUsage{certificatesv1.UsageDigitalSignature, certificatesv1.UsageKeyEncipherment, certificatesv1.UsageServerAuth},
 			},
 		}
 
@@ -280,6 +291,8 @@ var _ = SIGDescribe("Certificates API [Privileged:ClusterAdmin]", func() {
 		gottenCSR, err := csrClient.Get(context.TODO(), createdCSR.Name, metav1.GetOptions{})
 		framework.ExpectNoError(err)
 		framework.ExpectEqual(gottenCSR.UID, createdCSR.UID)
+		// TODO(enj): check for expirationSeconds field persistence once the feature is GA
+		//  framework.ExpectEqual(gottenCSR.Spec.ExpirationSeconds, csr.DurationToExpirationSeconds(time.Hour))
 
 		ginkgo.By("listing")
 		csrs, err := csrClient.List(context.TODO(), metav1.ListOptions{FieldSelector: "spec.signerName=" + signerName})