kairos/kcrypt-challenger
1
0
Fork 0
mirror of https://github.com/kairos-io/kcrypt-challenger.git synced 2025-04-28 03:41:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

[WIP] Implement failing test for pinned cert

Browse Source 
Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
This commit is contained in:
Dimitris Karakasilis 2023-02-07 19:28:11 +02:00
parent e9433d2ba7
commit 2967fb0a6c
No known key found for this signature in database
GPG Key ID: 286DCAFD2C97DDE3
1 changed files with 51 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
tests/encryption_test.go
View File

@ -236,23 +236,64 @@ kcrypt:
}) })
When("the key management server is listening on https", func() { When("the key management server is listening on https", func() {
BeforeEach(func() { var tpmHash string
// TODO: var err error
// - Create and ExternalNames service that points to 10.0.2.2.sslip.io (the server)
// - Create an ingress for the above service with a certificate generated
// by cert-manager
// Create a service that points to the server running j BeforeEach(func() {
// https://github.com/traefik/traefik/issues/1816#issuecomment-322543677 tpmHash, err = vm.Sudo("/system/discovery/kcrypt-discovery-challenger")
Expect(err).ToNot(HaveOccurred(), tpmHash)
kubectlApplyYaml(fmt.Sprintf(`---
apiVersion: keyserver.kairos.io/v1alpha1
kind: SealedVolume
metadata:
name: "%[1]s"
namespace: default
spec:
TPMHash: "%[1]s"
partitions:
- label: COS_PERSISTENT
quarantined: false
`, strings.TrimSpace(tpmHash)))
}) })
When("the certificate is pinned on the configuration", func() {
FWhen("the certificate is pinned on the configuration", func() {
BeforeEach(func() {
// TODO: Pin the certificate here
config = fmt.Sprintf(`#cloud-config
hostname: metal-{{ trunc 4 .MachineID }}
users:
- name: kairos
passwd: kairos
install:
encrypted_partitions:
- COS_PERSISTENT
grub_options:
extra_cmdline: "rd.neednet=1"
reboot: false # we will reboot manually
kcrypt:
challenger:
challenger_server: "https://%s"
nv_index: ""
c_index: ""
tpm_device: ""
`, os.Getenv("KMS_ADDRESS"))
})
It("successfully talks to the server", func() { It("successfully talks to the server", func() {
// TODO: Maybe do something simpler than installation to keep things fast? // TODO: Maybe do something simpler than installation to keep things fast?
// Something that proves we talked to the server. // Something that proves we talked to the server.
// Cert should be valid for a magic domain (e.g. sslip.io). We can use vm.EventuallyConnects(1200)
// cert-manager to issue one. out, err := vm.Sudo("blkid")
Expect(err).ToNot(HaveOccurred(), out)
Expect(out).To(MatchRegexp("TYPE=\"crypto_LUKS\" PARTLABEL=\"persistent\""), out)
Expect(out).To(MatchRegexp("/dev/mapper.*LABEL=\"COS_PERSISTENT\""), out)
}) })
}) })
When("the certificate signed by a well known CA (system certs)", func() { When("the certificate signed by a well known CA (system certs)", func() {
It("successfully talks to the server", func() { It("successfully talks to the server", func() {
// TODO: How do we get a properly signed cert? Maybe do that once, // TODO: How do we get a properly signed cert? Maybe do that once,