Implement pinned certs

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>

tests/encryption_test.go

@@ -12,6 +12,9 @@ import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	. "github.com/spectrocloud/peg/matcher"
+	"gopkg.in/yaml.v3"
+
+	client "github.com/kairos-io/kairos-challenger/cmd/discovery/client"
 )
 
 var installationOutput string
@@ -257,30 +260,29 @@ spec:
 `, strings.TrimSpace(tpmHash)))
 		})
 
-		FWhen("the certificate is pinned on the configuration", func() {
+		When("the certificate is pinned on the configuration", func() {
 			BeforeEach(func() {
-				// TODO: Pin the certificate here
+				cert := getChallengerServerCert()
+				kcryptConfig := createConfigWithCert(fmt.Sprintf("https://%s", os.Getenv("KMS_ADDRESS")), cert)
+				kcryptConfigBytes, err := yaml.Marshal(kcryptConfig)
+				Expect(err).ToNot(HaveOccurred())
 				config = fmt.Sprintf(`#cloud-config
 
-	hostname: metal-{{ trunc 4 .MachineID }}
-	users:
-	- name: kairos
-		passwd: kairos
+hostname: metal-{{ trunc 4 .MachineID }}
+users:
+- name: kairos
+  passwd: kairos
 
-	install:
-		encrypted_partitions:
-		- COS_PERSISTENT
-		grub_options:
-			extra_cmdline: "rd.neednet=1"
-		reboot: false # we will reboot manually
+install:
+  encrypted_partitions:
+  - COS_PERSISTENT
+  grub_options:
+    extra_cmdline: "rd.neednet=1"
+  reboot: false # we will reboot manually
 
-	kcrypt:
-		challenger:
-			challenger_server: "https://%s"
-			nv_index: ""
-			c_index: ""
-			tpm_device: ""
-	`, os.Getenv("KMS_ADDRESS"))
+%s
+
+`, string(kcryptConfigBytes))
 			})
 
 			It("successfully talks to the server", func() {
@@ -294,6 +296,43 @@ spec:
 			})
 		})
 
+		When("the no certificate is set in the configuration", func() {
+			BeforeEach(func() {
+				config = fmt.Sprintf(`#cloud-config
+
+hostname: metal-{{ trunc 4 .MachineID }}
+users:
+- name: kairos
+  passwd: kairos
+
+install:
+  encrypted_partitions:
+  - COS_PERSISTENT
+  grub_options:
+    extra_cmdline: "rd.neednet=1"
+  reboot: false # we will reboot manually
+
+kcrypt:
+  challenger:
+    challenger_server: "https://%s"
+    nv_index: ""
+    c_index: ""
+    tpm_device: ""
+`, os.Getenv("KMS_ADDRESS"))
+			})
+
+			// TODO:
+			It("fails to talk to the server", func() {
+				// TODO: Maybe do something simpler than installation to keep things fast?
+				// Something that proves we talked to the server.
+				//vm.EventuallyConnects(1200)
+				// out, err := vm.Sudo("blkid")
+				// Expect(err).ToNot(HaveOccurred(), out)
+				// Expect(out).To(MatchRegexp("TYPE=\"crypto_LUKS\" PARTLABEL=\"persistent\""), out)
+				// Expect(out).To(MatchRegexp("/dev/mapper.*LABEL=\"COS_PERSISTENT\""), out)
+			})
+		})
+
 		When("the certificate signed by a well known CA (system certs)", func() {
 			It("successfully talks to the server", func() {
 				// TODO: How do we get a properly signed cert? Maybe do that once,
@@ -323,3 +362,41 @@ func kubectlApplyYaml(yamlData string) {
 	out, err := cmd.CombinedOutput()
 	Expect(err).ToNot(HaveOccurred(), out)
 }
+
+func getChallengerServerCert() string {
+	cmd := exec.Command(
+		"kubectl", "get", "secret", "-n", "default", "kms-tls",
+		"-o", `go-template={{ index .data "ca.crt" | base64decode }}`)
+	out, err := cmd.CombinedOutput()
+	Expect(err).ToNot(HaveOccurred(), string(out))
+
+	return string(out)
+}
+
+func createConfigWithCert(server, cert string) client.Config {
+	return client.Config{
+		Kcrypt: struct {
+			Challenger struct {
+				Server      string "yaml:\"challenger_server,omitempty\""
+				NVIndex     string "yaml:\"nv_index,omitempty\""
+				CIndex      string "yaml:\"c_index,omitempty\""
+				TPMDevice   string "yaml:\"tpm_device,omitempty\""
+				Certificate string "yaml:\"certificate,omitempty\""
+			}
+		}{
+			Challenger: struct {
+				Server      string "yaml:\"challenger_server,omitempty\""
+				NVIndex     string "yaml:\"nv_index,omitempty\""
+				CIndex      string "yaml:\"c_index,omitempty\""
+				TPMDevice   string "yaml:\"tpm_device,omitempty\""
+				Certificate string "yaml:\"certificate,omitempty\""
+			}{
+				Server:      server,
+				NVIndex:     "",
+				CIndex:      "",
+				TPMDevice:   "",
+				Certificate: cert,
+			},
+		},
+	}
+}