Merge pull request #102224 from liggitt/fixup-test-certs

Fix expired unit test certs

staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go

@@ -723,15 +723,15 @@ func TestNewRequestForProxyWithAuditID(t *testing.T) {
 // instead it manually calls to updateAPIService and RunOnce to reload the certificate
 func TestProxyCertReload(t *testing.T) {
 	// STEP 1: set up a backend server that will require the client certificate
-	//         this server uses clientCaCrt to validate the client certificate
+	//         this server uses clientCaCrt() to validate the client certificate
 	backendHandler := &targetHTTPHandler{}
 	backendServer := httptest.NewUnstartedServer(backendHandler)
-	if cert, err := tls.X509KeyPair(backendCertificate, backendKey); err != nil {
+	if cert, err := tls.X509KeyPair(backendCertificate(), backendKey()); err != nil {
 		t.Fatal(err)
 	} else {
 		caCertPool := x509.NewCertPool()
 		// we're testing this while enabling MTLS
-		caCertPool.AppendCertsFromPEM(clientCaCrt)
+		caCertPool.AppendCertsFromPEM(clientCaCrt())
 		backendServer.TLS = &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: caCertPool}
 	}
 	backendServer.StartTLS()
@@ -743,7 +743,7 @@ func TestProxyCertReload(t *testing.T) {
 		serviceResolver: &mockedRouter{destinationHost: backendServer.Listener.Addr().String()},
 	}
 	certFile, keyFile, dir := getCertAndKeyPaths(t)
-	writeCerts(certFile, keyFile, backendCertificate, backendKey, t)
+	writeCerts(certFile, keyFile, backendCertificate(), backendKey(), t)
 
 	defer func() {
 		if err := os.RemoveAll(dir); err != nil {
@@ -767,7 +767,7 @@ func TestProxyCertReload(t *testing.T) {
 			Service:  &apiregistration.ServiceReference{Name: "test-service2", Namespace: "test-ns", Port: pointer.Int32Ptr(443)},
 			Group:    "foo",
 			Version:  "v1",
-			CABundle: backendCaCertificate, // used to validate backendCertificate
+			CABundle: backendCaCertificate(), // used to validate backendCertificate()
 		},
 		Status: apiregistration.APIServiceStatus{
 			Conditions: []apiregistration.APIServiceCondition{
@@ -792,8 +792,8 @@ func TestProxyCertReload(t *testing.T) {
 	}
 
 	// STEP 3: swap the certificate used by the aggregator to auth against the backend server and verify the request passes
-	//         note that this step uses the certificate that can be validated by the backend server with clientCaCrt
-	writeCerts(certFile, keyFile, clientCert, clientKey, t)
+	//         note that this step uses the certificate that can be validated by the backend server with clientCaCrt()
+	writeCerts(certFile, keyFile, clientCert(), clientKey(), t)
 	err = certProvider.RunOnce()
 	if err != nil {
 		t.Fatalf("Expected no error when refreshing dynamic certs, got %v", err)
@@ -849,186 +849,23 @@ func getSingleCounterValueFromRegistry(t *testing.T, r metrics.Gatherer, name st
 	return -1
 }
 
+func readTestFile(filename string) []byte {
+	data, err := ioutil.ReadFile("testdata/" + filename)
+	if err != nil {
+		panic(err)
+	}
+	return data
+}
+
 // cert and ca for client auth
-var clientCert = []byte(`-----BEGIN CERTIFICATE-----
-MIIFaDCCA1ACAWUwDQYJKoZIhvcNAQEFBQAwejELMAkGA1UEBhMCVVMxEzARBgNV
-BAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxGDAWBgNVBAoM
-D015IG9yZ2FuaXphdGlvbjEQMA4GA1UECwwHTXkgdW5pdDESMBAGA1UEAwwJbG9j
-YWxob3N0MB4XDTIwMDUyMjA4MTA1MVoXDTIxMDUyMjA4MTA1MVowejELMAkGA1UE
-BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZp
-ZXcxGDAWBgNVBAoMD015IG9yZ2FuaXphdGlvbjEQMA4GA1UECwwHTXkgdW5pdDES
-MBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
-AgEAwdDdguS2eVb950cmuyK/fTEBy+I1OFwPSg6S2zF5v/98Sva87Y/qFBrv1EzY
-usU+OWuH0nnyk14bOGl+imbvk+tdiXr4i8tIY8QnBrUbyNvPwemcRejQQb1P5YX0
-An3BS8vckt1e1zahhyb+Uch/ApLFzv3nOEGg7OTA5vfyNs/OUcaz7XuKrFQipxLA
-wEpPbukI8ThH2uLwiRxWUrLGmOeWocM4JFCk6LaQLWkTzl9WgKTYwzrI24LaUgb6
-0urlUi0bmE8AJRZBdmVCiEapxiHDre8c3CaLh8aF1LQ95ZraF8NZAvMxJvSK0R7I
-05V+eZH+xdBH2n5naLjVuvm96VPbDGlcWRwi+ZKZXAvi6YMNJ5g564u2Nl+eACtd
-9Kg6C9AIU8vSX9WrX4UcwaohQVjxUmHNL6YqHXhltyPdN3coFxDSPyp46x8Y2BIW
-s1x1qnlor5xOOQhYPoIQzMgrgJw6wRLWdIkyP/NOazSwet2i4cpeLD3wgXpuylQp
-Of06WChGN7NRx9JQSA7y6JKJq38jyB4+iNpU7NfkCQQndwvowPUBOSXNAUOgv2Qt
-QEiODhNPsHhSHM6L4xSpwFzh7dDywpPCeb6Fzyp/EslaLiFoEQr2Wc0xM/Xssqa6
-yBjSpATBqP1exQVr7LQn50lf9penN4FOQRZ9k/49DLX1RFUCAwEAATANBgkqhkiG
-9w0BAQUFAAOCAgEAVyFuPhtyDMi8FxD00fqnAxwnr7IyNBwYuQivu7gXKwQ2U9v1
-LSqDxvUft6sDWNUl/2f+Lga3CaVJ7FJL/rOwU5APkD4lcc43UcUv8pN2QAVFUs2h
-8MPEZnM2oHEA3M77Yr1RZUHE24pHsv3Bi0u7w8kPhFb7ebAbfXAHIWkekPejroso
-fOC2W8PXGqCJcpuIrAzIRvu/Ia0Cu4bmSZp4pK4lilgmUCr5LTc3YeNuAvbqco8f
-mhXJ+qR4PYWkldgOdhz7eajKF0JP6R8pQacCTZ5OM1y9tg3yN6BEKus3EojpDtqs
-5cTegj914lnNXI/bod6kqnuMT1sfnt2y8AmUcgD+NMhw6dG6zJI1Jf+01G2q3HCn
-wtB0jPntk1hRepVkLfSvxoMofkjESHSVstYiGRQWQziFq98ei59uW1ZNpP/yVJGb
-I7eM/b3vnFUBX2eypfVyY7+vBCxvgRjmpKnOuhCgm2bla1Ho7XUz1OvGkYfnHM3u
-lUiTnAdNXQEf1Y2OjWeHeQeoeJ7gJiwJhMH8yZIierLHDP7FbBSLZ+VZW4Wfe6vT
-WJ4no8kkD5ROWBNf0c0dt2uip6dZ5L2zMrqeUrhpy59ZhoZoMP5cmY/sfTzpRzNO
-KitvR2SwVL12T6pAkwq3ItdiGZ16x5XrYv22H0jP8R6MCd59Sfnz9wWdY1Q=
------END CERTIFICATE-----`)
-var clientKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
-MIIJKQIBAAKCAgEAwdDdguS2eVb950cmuyK/fTEBy+I1OFwPSg6S2zF5v/98Sva8
-7Y/qFBrv1EzYusU+OWuH0nnyk14bOGl+imbvk+tdiXr4i8tIY8QnBrUbyNvPwemc
-RejQQb1P5YX0An3BS8vckt1e1zahhyb+Uch/ApLFzv3nOEGg7OTA5vfyNs/OUcaz
-7XuKrFQipxLAwEpPbukI8ThH2uLwiRxWUrLGmOeWocM4JFCk6LaQLWkTzl9WgKTY
-wzrI24LaUgb60urlUi0bmE8AJRZBdmVCiEapxiHDre8c3CaLh8aF1LQ95ZraF8NZ
-AvMxJvSK0R7I05V+eZH+xdBH2n5naLjVuvm96VPbDGlcWRwi+ZKZXAvi6YMNJ5g5
-64u2Nl+eACtd9Kg6C9AIU8vSX9WrX4UcwaohQVjxUmHNL6YqHXhltyPdN3coFxDS
-Pyp46x8Y2BIWs1x1qnlor5xOOQhYPoIQzMgrgJw6wRLWdIkyP/NOazSwet2i4cpe
-LD3wgXpuylQpOf06WChGN7NRx9JQSA7y6JKJq38jyB4+iNpU7NfkCQQndwvowPUB
-OSXNAUOgv2QtQEiODhNPsHhSHM6L4xSpwFzh7dDywpPCeb6Fzyp/EslaLiFoEQr2
-Wc0xM/Xssqa6yBjSpATBqP1exQVr7LQn50lf9penN4FOQRZ9k/49DLX1RFUCAwEA
-AQKCAgEAvDSuZaTi7QFknWmiWqZrfI5SSEHpnEkJL8jnIqLwr1jQwZrH64iMrela
-arYU34kZ23hn9CMnQ6Nmm2kV0CAVFXbA5ffb0yQbr4WSwBiuWmXZYVwQvHJPiQbk
-xuVFBgZH5eqYzqTYq/QI9s0OuSwQ6dbM7yvvk9lnA6M/DwpG0qMInrBtmHcXOjCZ
-VdQICLIgYHs6i8MzQ4KMQRibWsLvxxtcUsjXg6wr9y8Q4offC8/YmCN7ulkjIsX2
-ayEMADTJavsSiNxuL5VlDCtYaCz2P8gZ1JUVWVK0u6wz2VENqiCtF9ZCYXL2j/V3
-t4pFSfEpV7RFyqFupOWKVU7nfSF3H6QDTq/3XAm3So8MwaD4Ft/tdMNpOz6+lqC0
-7ukgP2SCzDoEnHzPI5bmRtyTvf3QivedIj+/3Z4hOjiPj1XwUXUitIUFSMg/qW8o
-Vctw6uZq4z/p8s/RpE8eR3HYcDx0WrOIsfuI7JpEYV8rHW6qrrkbrBmmjnCwiQcW
-2H5HmEixa9DtQxvACESaxgjYvATQVq1vCrCQZNKh52DX0QNT8iCEga1EYtzouO/h
-g039+aFtPlFgL4zPjqweGBXjpPOCKM7kznwM4yiuHL5aEc6IQLGSVuQY4Be4X4kp
-44VV/c5DDBuxIoqh6kru8gItRNBTZ6AKu9olQjZYXjAq1w0ELAECggEBAOFSaqIm
-9ahfIQlj3zvXztqwmW/QHzoFDPoFOpiGJoMHEREJqvWtnoFcmHFhWFjIDQJALsfN
-kJc7oDOqUY9STqvkpp4CdwdvLMUJUPC1+rFOQTOv6hADCIe9l34bGQ43x52aEgFr
-znwJFYuGzLPRJUdxtWGQbSXppQaua+AdRUSDw2aLp4ngVL57IB2bl4UFo1Qbs22Q
-WzvD3+T4QggHBPm+ebypkWS8zs+W19HNwTvgJ23CB1EkN/QXKl7KIMuXdH9/XMxn
-WULgjGtmIoNIr4a3jgBZrOfnLQU06/fPpVaIVGsl1b45PQmFGSR+Z/uQXx8z4czm
-xF69TNg4TRUW9jUCggEBANw0Tot9Ch0GFuCVSadsjIOX6RDVKM61OiJCfvnsE8QR
-aWWwZrshDYJ63+jKyJl41dKGK3+aARb7Q4dOsJJzxgx6ROBheV4e4TVmPFvS38Vs
-LOO1q9xHHjhxoJxm15apxig5XFBJX3cxfGNq0qEmRZPVTtJYxKHMQKpUuaI54lAV
-+ssWz1RDclnQajBbQVu682uYinlpxZkiFRRkexbho3Nr82ngdM5vp5b6ODgqHAfr
-yT0hyUgi38EDhiNWnga5GEnE4/UB3CPqPCng+aLORYH+lMeMNsn3Mje0FrA7WbT+
-/3EzTu9yz2gGYEjFLVD+9lvEi0Q3fN07SagO0wi8WaECggEAYwp+Eq57VroR5HXA
-3yYaJ6humWZrA27K6G859WcqMHf/uXR9cCYTwRr5awT193hft3iM14h1IPS1k2Av
-H4d3SzljP5snxN3KWQWiTVxASIV0RYryoH0k172vhF/W4JgGJzFc7sD7byvzC3SC
-MBwjfcbuimcYgwyzXD947XcQRnCAiGekigdQWLX4ROtqa68xvru6X9OPNrL/jD7P
-j4W+WyStkA8c+KHBaiAM14zQfkgmLKmX28PG0IUKO8YvKi51p8FNAg//fVUEhATN
-8NUXSmkOgvrn9Lt534sGmdPtAh9EtCBaVpYETVXy2kax4DLyjN2aSB27fUVKLNR6
-lWWVbQKCAQAMHbyspCaoTit4E/7HfYuFuhgS2wexx/r445vE+J5lzWd1Nu2QIlNx
-+HzVfELpXuK1ALjn/ntM3mpqyYOhq0kcaqXbisF40k4l+AgeLU4uuLMHnHlmV2ts
-Q6RItsfp/FFw6ScRK9ha4JgtiDUqtMZjSftaS5QWKvzr4lmMeY7gRTVVc13ZDxT9
-qCAPpRXFjFXUd8I2yAEdWei7BIRZT/UEZs4v5y/GJBKelgn93SNJtEmQWYmPtIuH
-PUBmNV/gktKpTHIWixGn0D2bOEvED4F3k6BwEmD5X+addgVBkSJweQ9pFR+kwTZ0
-TNWDa4YAzOaVSg03pa3zJk35N0eZVXPBAoIBAQCQNH0bvCY0L5Lq+UnNi/PLES54
-8CCY5UjQ7wzEny50aILlkHzHi/zm1u1M2sWtrPUYMt+Hiwo/Np+Zu77P+zdRZeLR
-C/ngI7FRQi2SvarptxVzFg5w8hO63dga7tVO+kQ3nENivgxtPEkrF2WLCJXzx8uy
-d3t0IfoOsKMLLR9UwvyzrEf2Z3c75WIIn/ii51zcEuoqttZ82Wdz+O7WZGK5XG3o
-lVVu0HK225ml5vsKZjdAUHwS/M6cTnQcN+YxfGWFy+6o9pG9L9hjfpNxXbB0iNsR
-crX83p28+Mnq5TGs0Kbvr9lnCNe9bGrqbl85rBvKRFRoDlfB2feo5hk02Bpe
------END RSA PRIVATE KEY-----`)
-var backendCertificate = []byte(`-----BEGIN CERTIFICATE-----
-MIIDiDCCAnCgAwIBAgIUJgFO0eypsogvehekMVrJ/eXj1MYwDQYJKoZIhvcNAQEL
-BQAwXDELMAkGA1UEBhMCeHgxCjAIBgNVBAgMAXgxCjAIBgNVBAcMAXgxCjAIBgNV
-BAoMAXgxCjAIBgNVBAsMAXgxCzAJBgNVBAMMAmNhMRAwDgYJKoZIhvcNAQkBFgF4
-MB4XDTIwMDcyMzE5NTEwMFoXDTI1MDcyMjE5NTEwMFowJDEiMCAGA1UEAxMZdGVz
-dC1zZXJ2aWNlMi50ZXN0LW5zLnN2YzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAPSmCdoH7RzBeGaGBGqBOV1I4Ex2Da2kUCPVeNfW3mPpJTUVi+QLwSDS
-YTLnyw9tHRQgwV+rU1GTJSpcEk6CpiYdMavGnyH0C0iXKqXeJDfbU19ioUIInMxG
-OkfcL98fWgj/mih52zjBIh5f9Q7gCmzH6di4zXMQODTiDhrcjPzmMtMPvRJs+kol
-4Hh+tWH3s/hOeqiaWpw01UKis181SdEgX2uwNJYdHBbKF390vVIx/qpcFKUAw9to
-CviyRMKv+DAK0jBoAsQVIU1Kt4reUrWyzonyO2wUrJmmFs997O04exkNlmFKa+bV
-cA8DtBhX4hTMKRFIAaYb4Kh5v5Pg0l0CAwEAAaN6MHgwDgYDVR0PAQH/BAQDAgWg
-MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFIe3
-Cry9ZA6zIWMvikdBZwBVprNzMCQGA1UdEQQdMBuCGXRlc3Qtc2VydmljZTIudGVz
-dC1ucy5zdmMwDQYJKoZIhvcNAQELBQADggEBACg/8So7bv3e2UxL6TDAK43IV7lR
-N+fIdkrxboiJY9XH7lPK4Cm7gNmxjzzlBeCbBRBNRrcbk4BoBRrDXMi2W13dtLE4
-jmGPke7MFu6C9J26GrfiIchMyZAgFTGOucs1SOXr5hoaOnLkm9H3ZlkhWgIf/EUX
-B4WEHdxKZCYTlUoPFsfcZ3vImo2zhelo5RyG+P8aACc1V7cSaDbZ6CHEdTsP2E70
-9DKQHfkRr4MgrngoYiIZyj3IHK2kWnavLo0/XxBeoNVeenOrfmZAJ6QDSFAvTpMN
-wWcx3Aj9jkGT+Cam2dvHFA+QaCni2uzOXlTyjLWwTjhc+Ml7FAL2Lc7U07c=
------END CERTIFICATE-----`)
-var backendKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA9KYJ2gftHMF4ZoYEaoE5XUjgTHYNraRQI9V419beY+klNRWL
-5AvBINJhMufLD20dFCDBX6tTUZMlKlwSToKmJh0xq8afIfQLSJcqpd4kN9tTX2Kh
-QgiczEY6R9wv3x9aCP+aKHnbOMEiHl/1DuAKbMfp2LjNcxA4NOIOGtyM/OYy0w+9
-Emz6SiXgeH61Yfez+E56qJpanDTVQqKzXzVJ0SBfa7A0lh0cFsoXf3S9UjH+qlwU
-pQDD22gK+LJEwq/4MArSMGgCxBUhTUq3it5StbLOifI7bBSsmaYWz33s7Th7GQ2W
-YUpr5tVwDwO0GFfiFMwpEUgBphvgqHm/k+DSXQIDAQABAoIBAGzU2BkX4ZEjN85T
-2+8NIVmwK6eX9KnEKKpoMmPCABhuBNFCjoKaAAX70KV2m8x2+7KSh7NpYZ0uWiAn
-6TTnxcW6wvfpWa0fBU37gUtcMLxwYvxRwe7AKhBtRUvmVZ1qMwFBw3AyFSWANQ9S
-HI/LdpfBrvNr8mk3U+mijifA6S8u0co/QwlHmh1fRzLruP6VrTIAVs67+JvkKMBw
-O3hxF/ImTIR8YwlPx4ckP4OXSftLTYKFVxDZBHtxyT5ED5GLx7nCPossL9mRpAYU
-XLje+5K4UNoLSFu9SaSZbBUDqbsSUsyJTWX1J+AYEThPUywV9lVBBtUj8JKOQ9kr
-i+Nt8HkCgYEA9o0WH97Orn/iyxe6KgbIGKPS46tcFGYAIgNTMEaeegfBIrg7kah3
-NV84d/Im3lYShCjGrnuoOHY2Wz4/a0DCbf+bgJWB/ZHpE00z+gBjfPE94as7wxC2
-TO4HYg5kiy3b1RKaXWvOBrQ5fpZvdYo5WjWweNF6rTCanVPH5g7fenMCgYEA/gZJ
-THt54MJdUOTBR1GS3l3da4yYJPNgRAFBdp8FRc8u0CTYTfLo0oNFfJHu+F/Ph5dj
-VWxhA+as+4rqJi+w8KZCCp/8LKjlJKzcCpv93E2UxM7e6WTa7Z/TmLi97i8FI39c
-62B8XJTVW/IRTqojW0noY62FqYrIWZ8ymrWnO+8CgYBVp044ZD+JgARaajPSxehe
-Jwvs7Gtg6s7BAka0TtRfsLH4TejkAZLoh9wmT4oRU/W61C+yDmOyud7IdCe0Kxtg
-+5waX9Z5MWe3vOqBwADQNz84VzS73+J1d3w5JKbpc1UcAQp/yiQZUCNpRvoR66Nh
-I6XbU2s7H9eXMLQRyLj64QKBgQCSZfkUdQ0Wta2mE1A41BB6y0ny08JTeVf/mWGr
-BZa6Vt854iIvOlFoEXOYiVpaFo26LUt4Tc/Tubvz9GlhvJaS+p6RFQb2jhgRfPYL
-vz8dGjElA7yAcjmiPTxrhf0gKkUh4iMhHChQCw6zwNyso21hDUU7PSQNRAiXbiJx
-+0L4TQKBgQDyAry0K7dTbEmsacFpHsxqE/F0O2tmFE0WzrDkKkjVu38jshMhDu5D
-1X179FWkKL6dYrFdig5SHBM2T3Yjha6VF7o1apYqj5HoVhS/mz80xXCqUBVrg88v
-aOz9qqvSZQDZYwbOfr/vLMvJMp4M5gWWdxgaqoteLo1dQU20cYwlqA==
------END RSA PRIVATE KEY-----`)
-var backendCaCertificate = []byte(`-----BEGIN CERTIFICATE-----
-MIIDNDCCAhwCCQD9J4txHjsBLTANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJ4
-eDEKMAgGA1UECAwBeDEKMAgGA1UEBwwBeDEKMAgGA1UECgwBeDEKMAgGA1UECwwB
-eDELMAkGA1UEAwwCY2ExEDAOBgkqhkiG9w0BCQEWAXgwHhcNMjAwNzIzMTk1NjA3
-WhcNMjEwNzIzMTk1NjA3WjBcMQswCQYDVQQGEwJ4eDEKMAgGA1UECAwBeDEKMAgG
-A1UEBwwBeDEKMAgGA1UECgwBeDEKMAgGA1UECwwBeDELMAkGA1UEAwwCY2ExEDAO
-BgkqhkiG9w0BCQEWAXgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDu
-lMNXqY4D9EhgkDrKYcQD+Qai0rSWXSx2u28NCsQ36oR+J6UocSA1+0aFnZHo2s2P
-sRndP1/AqEELpYl4XtAqrDUrhgH0KuvlIIp0LLDGLoJaOvv89VnNyuqSg4KtkGNZ
-leiEBOUk7vITQkWtt3+QNVZPx/lMWUjI8QCvtaVKNcd7C9P6HCTuSbfkkHUdLLwM
-Ud1zp6T/YHFxGGNtN0XDMapQJid4pfQF4vj89H5JT4GArOgUTEDfkVy7Go5/1F8I
-X5sG9WbCLcClfPAHFZNM1igTMVEau0uF6wkL3UIBImyExFEwgN3HT88kIVN+tZSZ
-n7bEnx9uWQKExZNOwf6TAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAH5dU7u4+RRD
-C3nodTMJjd4UD7kdO2Stp9sLsPsbFhWQGpW10J0v+m7+ISgxOfbpNU9NI3dlDsCo
-h4sG4MYfJio28r7ohkbzgBc3xKpLKK54XvPFhmrUiHccJT0PV6F3MJyBCn1Bxdya
-+phcQapwRda/ytrqV5Xf55Od1n9plPnl+eV89teBV8qpd/cufIiFPeO8zhHI3wfh
-AUbPo2yBwdFXKZxLo5rR3yTlJBkRjfodHNTcJffio2fEzPQumP+qCkHWx37aR3kW
-9iRvhus3UcCluc76CrV2XJvXzgbXjU0YBDqRmiShVCGm+eTftq1v9wDLRhgadxPu
-RzFJLb91brg=
------END CERTIFICATE-----`)
-var clientCaCrt = []byte(`-----BEGIN CERTIFICATE-----
-MIIFcDCCA1gCCQDgTBDe5gjLSDANBgkqhkiG9w0BAQsFADB6MQswCQYDVQQGEwJV
-UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEY
-MBYGA1UECgwPTXkgb3JnYW5pemF0aW9uMRAwDgYDVQQLDAdNeSB1bml0MRIwEAYD
-VQQDDAlsb2NhbGhvc3QwHhcNMjAwNTIyMDczNTQxWhcNMzAwNTIwMDczNTQxWjB6
-MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91
-bnRhaW4gVmlldzEYMBYGA1UECgwPTXkgb3JnYW5pemF0aW9uMRAwDgYDVQQLDAdN
-eSB1bml0MRIwEAYDVQQDDAlsb2NhbGhvc3QwggIiMA0GCSqGSIb3DQEBAQUAA4IC
-DwAwggIKAoICAQCj89Np0QeBHn6pyDUrzd45Ow9oHTBgvrDAmhND0i+WkcoDAOrX
-V4W6aNLibM/5stR7PRwl93cwkLawE84YHevH7/69EeTjYqIUUTF/Otxh+qTZMDUu
-Z3hcW7Pu/JnfHbmliR+ci4kr7KkVAYHJtT9DcyWAs5KUudPGKpQprVKtnJ04J/hV
-gDrZbBVKU/N7Ik0ta0MWy97LegbRaGrcY/h7ICoaeMDL0UGU8b61tUCVObmhAnM6
-jK6xk/PtMk2d4we3yIWhowrGbp8vxN25WtFXIvJfyrrLFvpsl1f/dLwOzxU8RIt0
-soXkF5ig6BkjzXtG+WM8ZHBGgL1salP6B0IhLjIjsyZVNORyRJEn0SxDnVKtYLuO
-tjcDZb1Ij/KzWdyXCMD8uJECO9z1Zt2kCfsZDjCal+nyas9Otn3djERaGaaQZd1q
-oL/ioQSTgRhHO3Jx721YaetfM5Bf4h/xGIZlR0wsUPM86rN3s5LcN01C8MLMt3op
-l5ECQE4zlCq2j7EZwlTcq7B5onwUDqQYImD/AHIaOMAeAxHCfeGAl9t+84pnd9iU
-BG3XnaSdrhJJApK7Pa7peu7FDaeAkl71VQW0URHjCedCHNdqk1pbsCJMKfpMuRWp
-LldTG83/bCyuNsku8rkKmkY25MSt80EpyYxg0ZfP2GqSX9+wbH67EJlEfQIDAQAB
-MA0GCSqGSIb3DQEBCwUAA4ICAQAqaCc/LkDdJq/QS27qhCKEI885ZYOHuk8N64G6
-7Mfk6YhkSf5/Ln4qwP0f4HJCgupRMRLFs96qIh2HeEvytQk/xd8j111BHBUmjx3E
-tS271x6PTkwkHa5j7kxE85b/wnUjVZ58NKccstp/Ub/ajssPdS7Ohzm0DGTjktja
-Bavju5Q3fyBl4OmICOVDqIVBqNUfszesBtW9QcSgW7VcL2X+5/H/tu2YYnJG8IXp
-v4uJRZ2rimhQZFFvcihCMN6wR7M5hqDPyffloHy+tFYFNd+Wc+RHU/DU2i83ySa/
-BwRD5J8iTHplDFosCo1u6EoALWQx/WM/l4E9P895LFFoF/8tvHUeLAQXjUbqEPUq
-sbHlhZK18vxYUu/n+OtRdHDimjjoEWZHgoUNnNardukcLdGvk2dbmWltd8NA+kjh
-e88NQn5x5mKUfENtK/GYKN4duguR6mOKlKBuobLcjeplnrHcRoWsvYOPJr0L9Ki3
-F1XEUPu0NgZyx5kTX3znm+7UV/W1rZeRppHSeqVfwHE+N2FEds65rMF1sEvw3fZv
-mwAA1eyVJXIGum9MHf9XAgjjyubtwzPdCE6NQ9nYBuXr6sAqZx6irTHrtHl7zmbJ
-St3GLAs3qHVMa6Va1imhvInbV6m9CauCbt4vAs6xVtR/jIaq1NKHP63f+bHp8hhK
-4ulSKQ==
------END CERTIFICATE-----`)
+func clientCert() []byte { return readTestFile("client.pem") }
+
+func clientKey() []byte { return readTestFile("client-key.pem") }
+
+func backendCertificate() []byte { return readTestFile("server.pem") }
+
+func backendKey() []byte { return readTestFile("server-key.pem") }
+
+func backendCaCertificate() []byte { return readTestFile("server-ca.pem") }
+
+func clientCaCrt() []byte { return readTestFile("client-ca.pem") }

staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/README.md

@@ -0,0 +1 @@
+Keys in this directory are generated for testing purposes only.

staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/client-ca-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHM3EPGDat3kZv4DmyI6X0k6gHGP9JSS3R9t0sCvcj1coAoGCCqGSM49
+AwEHoUQDQgAEA4QqivypLZVLaoFYAS0UWyfyNRSXRtgMWEabvsoHO31CRa2ZS3m8
+glOQ21aLysVdF6vAP31O9fqysuGMm0UI7w==
+-----END EC PRIVATE KEY-----

staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/client-ca.pem

@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbTCCARSgAwIBAgIUDMmq4/Gw2N1o5TWBLWsm65RiVkIwCgYIKoZIzj0EAwIw
+FDESMBAGA1UEAxMJQ2xpZW50LUNBMCAXDTIxMDUyMjIzNTIwMFoYDzIxMjEwNDI4
+MjM1MjAwWjAUMRIwEAYDVQQDEwlDbGllbnQtQ0EwWTATBgcqhkjOPQIBBggqhkjO
+PQMBBwNCAAQDhCqK/KktlUtqgVgBLRRbJ/I1FJdG2AxYRpu+ygc7fUJFrZlLebyC
+U5DbVovKxV0Xq8A/fU71+rKy4YybRQjvo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYD
+VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUaDl2pG6N7NoORQjpHprKDSOL8+0wCgYI
+KoZIzj0EAwIDRwAwRAIgbS1tdj6El37kUwF9yZDXKfjLUlRBBLmIYhP0mdui6/AC
+IB4F/weuM/6IjCdcPJRxvdC7qjCdV0xnFqvQ+BhuUGSF
+-----END CERTIFICATE-----

staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/client-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIJVbghSTWVClgCMEMWHf4Z5QRHplGl3OZzNvvYVc1hVLoAoGCCqGSM49
+AwEHoUQDQgAEI7HyyXMDVAU8o3kQpInG+Ec1mCELWJrKz2owv0jONgc7dkDjKHuP
+7UkDuKGrUpS2MW0UkqajJAODEUwSF1wH5A==
+-----END EC PRIVATE KEY-----

staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/client.pem

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBoTCCAUegAwIBAgIUci8u0GG5LGSaykYqdgYL9ZIO/v4wCgYIKoZIzj0EAwIw
+FDESMBAGA1UEAxMJQ2xpZW50LUNBMCAXDTIxMDUyMjIzNTIwMFoYDzIxMjEwNDI4
+MjM1MjAwWjAUMRIwEAYDVQQDEwlNeSBDbGllbnQwWTATBgcqhkjOPQIBBggqhkjO
+PQMBBwNCAAQjsfLJcwNUBTyjeRCkicb4RzWYIQtYmsrPajC/SM42Bzt2QOMoe4/t
+SQO4oatSlLYxbRSSpqMkA4MRTBIXXAfko3UwczAOBgNVHQ8BAf8EBAMCBaAwEwYD
+VR0lBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUaS3acr6g
+cfHE/zty3M0nd9aDo30wHwYDVR0jBBgwFoAUaDl2pG6N7NoORQjpHprKDSOL8+0w
+CgYIKoZIzj0EAwIDSAAwRQIhAPjuVM2rWOhyzfRqAAdn8a/LJxjLf1+bjrb/cyT4
+h0LbAiBE8MY0gARwVYoRgYmVMXyewwjW+SVu+y8+kQv7uCFJzg==
+-----END CERTIFICATE-----

staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.client-ca.json

@@ -0,0 +1,6 @@
+{
+    "CN": "Client-CA",
+    "ca": {
+        "expiry": "876000h"
+    }
+}

staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.client.json

@@ -0,0 +1,3 @@
+{
+    "CN": "My Client"
+}

staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.profiles.json

@@ -0,0 +1,22 @@
+{
+    "signing": {
+        "profiles": {
+            "client": {
+                "expiry": "876000h",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "client auth"
+                ]
+            },
+            "server": {
+                "expiry": "876000h",
+                "usages": [
+                    "signing",
+                    "key encipherment",
+                    "server auth"
+                ]
+            }
+        }
+    }
+}

staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.server-ca.json

@@ -0,0 +1,6 @@
+{
+    "CN": "Server-CA",
+    "ca": {
+        "expiry": "876000h"
+    }
+}

staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.server.json

@@ -0,0 +1,4 @@
+{
+    "CN": "test-service2.test-ns.svc",
+    "hosts": ["test-service2.test-ns.svc"]
+}

staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+cfssl gencert -initca generate.client-ca.json | cfssljson -bare client-ca
+cfssl gencert -initca generate.server-ca.json | cfssljson -bare server-ca
+
+cfssl gencert -ca client-ca.pem -ca-key client-ca-key.pem -config generate.profiles.json --profile=client generate.client.json | cfssljson -bare client
+cfssl gencert -ca server-ca.pem -ca-key server-ca-key.pem -config generate.profiles.json --profile=server generate.server.json | cfssljson -bare server
+
+rm ./*.csr

staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/server-ca-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIBoMWQC4K4Vp/wKA7yHBVWgjV69lpGhAZZAAcsf8osUVoAoGCCqGSM49
+AwEHoUQDQgAEPwxv8IjkfU5AivcK0IiurHL9H6EiGh+zZ0S8r+PBW0DXFPXcAjQc
+tE8gVHu3fp90y1JVTriaxriU/x8Lbrp8ZA==
+-----END EC PRIVATE KEY-----

staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/server-ca.pem

@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbzCCARSgAwIBAgIUf0aG2C1P7KaDGobg9oeN3uhQlu4wCgYIKoZIzj0EAwIw
+FDESMBAGA1UEAxMJU2VydmVyLUNBMCAXDTIxMDUyMjIzNTIwMFoYDzIxMjEwNDI4
+MjM1MjAwWjAUMRIwEAYDVQQDEwlTZXJ2ZXItQ0EwWTATBgcqhkjOPQIBBggqhkjO
+PQMBBwNCAAQ/DG/wiOR9TkCK9wrQiK6scv0foSIaH7NnRLyv48FbQNcU9dwCNBy0
+TyBUe7d+n3TLUlVOuJrGuJT/Hwtuunxko0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYD
+VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUjcdIlU1vGLSUWBcSqCEJTgqlSacwCgYI
+KoZIzj0EAwIDSQAwRgIhAIujFeJKprddp+9aCZZUv05jCS5JiopW2bn/FJJRQ6OK
+AiEA1NS6trAbfgk6vYS2D2vamuF4XC9LggyxbcoaMf+GAn4=
+-----END CERTIFICATE-----

staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/server-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIFizWdUWI/ggduZByisCOjPljfUq/f++RwQl0scxeOU/oAoGCCqGSM49
+AwEHoUQDQgAEvw23SM/msE+rsXx919gkNM+A7HBJ99YXqvsV0zRd6ykiQV5rszGw
+DHF/3sKTbb38eLcF/sORWVEFc4+QqnZLkw==
+-----END EC PRIVATE KEY-----

staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/server.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2jCCAX+gAwIBAgIUKcO5RlFpX+/7Ed5WR/kqFtuOjJswCgYIKoZIzj0EAwIw
+FDESMBAGA1UEAxMJU2VydmVyLUNBMCAXDTIxMDUyMjIzNTIwMFoYDzIxMjEwNDI4
+MjM1MjAwWjAkMSIwIAYDVQQDExl0ZXN0LXNlcnZpY2UyLnRlc3QtbnMuc3ZjMFkw
+EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvw23SM/msE+rsXx919gkNM+A7HBJ99YX
+qvsV0zRd6ykiQV5rszGwDHF/3sKTbb38eLcF/sORWVEFc4+QqnZLk6OBnDCBmTAO
+BgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIw
+ADAdBgNVHQ4EFgQUkDkrXrpDB9jRA2CnWRAbb4GZWdgwHwYDVR0jBBgwFoAUjcdI
+lU1vGLSUWBcSqCEJTgqlSacwJAYDVR0RBB0wG4IZdGVzdC1zZXJ2aWNlMi50ZXN0
+LW5zLnN2YzAKBggqhkjOPQQDAgNJADBGAiEAt/gcJpu0+whAUjTvkcS1zwnaLjuY
+nij9Q+UNkxle7UICIQDmyixha4e/2gufANiSeYKu9IzSJ6vyRgvbAlZ0ihAsOA==
+-----END CERTIFICATE-----