enable more conformance tests

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
cert-manager · Jun 26, 2023 · a9c55ba · a9c55ba
1 parent 1376db3
commit a9c55ba
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 51 deletions.
diff --git a/conformance/framework/helper/validation/certificates/certificates.go b/conformance/framework/helper/validation/certificates/certificates.go
@@ -114,6 +114,23 @@ func ExpectCertificateOrganizationToMatch(certificate *cmapi.Certificate, secret
  }
 
  expectedOrganization := pki.OrganizationForCertificate(certificate)
+ if certificate.Spec.LiteralSubject != "" {
+ sequence, err := pki.UnmarshalSubjectStringToRDNSequence(certificate.Spec.LiteralSubject)
+ if err != nil {
+ return err
+ }
+
+ for _, rdns := range sequence {
+ for _, atv := range rdns {
+ if atv.Type.Equal(pki.OIDConstants.Organization) {
+ if str, ok := atv.Value.(string); ok {
+ expectedOrganization = append(expectedOrganization, str)
+ }
+ }
+ }
+ }
+ }
+
  if !util.EqualUnsorted(cert.Subject.Organization, expectedOrganization) {
  return fmt.Errorf("Expected certificate valid for O %v, but got a certificate valid for O %v", expectedOrganization, cert.Subject.Organization)
  }

diff --git a/...ance/framework/helper/validation/certificatesigningrequests/certificatesigningrequests.go b/...ance/framework/helper/validation/certificatesigningrequests/certificatesigningrequests.go
@@ -323,21 +323,13 @@ func ExpectValidBasicConstraints(csr *certificatesv1.CertificateSigningRequest,
  return err
  }
 
- markedIsCA := false
- if csr.Annotations[experimentalapi.CertificateSigningRequestIsCAAnnotationKey] == "true" {
- markedIsCA = true
- }
+ markedIsCA := csr.Annotations[experimentalapi.CertificateSigningRequestIsCAAnnotationKey] == "true"
 
  if cert.IsCA != markedIsCA {
  return fmt.Errorf("requested certificate does not match expected IsCA, exp=%t got=%t",
  markedIsCA, cert.IsCA)
  }
 
- hasCertSign := (cert.KeyUsage & x509.KeyUsageCertSign) == x509.KeyUsageCertSign
- if hasCertSign != markedIsCA {
- return fmt.Errorf("Expected certificate to have KeyUsageCertSign=%t, but got=%t", markedIsCA, hasCertSign)
- }
-
  return nil
 }
 

diff --git a/go.mod b/go.mod
@@ -15,11 +15,12 @@ require (
  k8s.io/apiextensions-apiserver v0.27.3
  k8s.io/apimachinery v0.27.3
  k8s.io/client-go v0.27.3
+ k8s.io/component-base v0.27.3
  k8s.io/klog/v2 v2.100.1
- k8s.io/kube-aggregator v0.27.1
+ k8s.io/kube-aggregator v0.27.2
  k8s.io/utils v0.0.0-20230505201702-9f6742963106
  sigs.k8s.io/controller-runtime v0.15.0
- sigs.k8s.io/gateway-api v0.6.2
+ sigs.k8s.io/gateway-api v0.7.0
 )
 
 require (
@@ -82,10 +83,7 @@ require (
  gopkg.in/inf.v0 v0.9.1 // indirect
  gopkg.in/yaml.v2 v2.4.0 // indirect
  gopkg.in/yaml.v3 v3.0.1 // indirect
- k8s.io/component-base v0.27.3 // indirect
- k8s.io/kube-aggregator v0.27.2 // indirect
  k8s.io/kube-openapi v0.0.0-20230515203736-54b630e78af5 // indirect
- sigs.k8s.io/gateway-api v0.7.0 // indirect
  sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
  sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
  sigs.k8s.io/yaml v1.3.0 // indirect

diff --git a/internal/testsetups/simple/controller/signer.go b/internal/testsetups/simple/controller/signer.go
@@ -82,8 +82,7 @@ func (Signer) Sign(ctx context.Context, cr signer.CertificateRequestObject, issu
  NotBefore: time.Now(),
  NotAfter: time.Now().Add(time.Hour * 24 * 180),
 
- KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
- ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+ KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
  BasicConstraintsValid: true,
  }
 

diff --git a/internal/testsetups/simple/e2e/conformance/conformance.go b/internal/testsetups/simple/e2e/conformance/conformance.go
@@ -26,12 +26,7 @@ var _ = framework.ConformanceDescribe("Certificates", func() {
  kubeClients := testresource.KubeClients(t, ctx)
 
  unsupportedFeatures := featureset.NewFeatureSet(
- featureset.DurationFeature,
- featureset.KeyUsagesFeature,
  featureset.SaveCAToSecret,
- featureset.Ed25519FeatureSet,
- featureset.IssueCAFeature,
- featureset.LiteralSubjectFeature,
  )
 
  issuerBuilder := newIssuerBuilder("SimpleIssuer")
@@ -59,12 +54,7 @@ var _ = framework.ConformanceDescribe("CertificateSigningRequests", func() {
  kubeClients := testresource.KubeClients(t, ctx)
 
  unsupportedFeatures := featureset.NewFeatureSet(
- featureset.DurationFeature,
- featureset.KeyUsagesFeature,
  featureset.SaveCAToSecret,
- featureset.Ed25519FeatureSet,
- featureset.IssueCAFeature,
- featureset.LiteralSubjectFeature,
  )
 
  clusterIssuerBuilder := newIssuerBuilder("SimpleClusterIssuer")
@@ -87,35 +77,18 @@ var _ = framework.ConformanceDescribe("CertificateSigningRequests", func() {
  }).Define()
 })
 
+/*
 var _ = framework.ConformanceDescribe("RBAC", func() {
  t := &mockTest{}
  ctx := testresource.EnsureTestDependencies(t, context.TODO(), testresource.EndToEndTest)
  kubeClients := testresource.KubeClients(t, ctx)
 
- unsupportedFeatures := featureset.NewFeatureSet(
- featureset.DurationFeature,
- featureset.KeyUsagesFeature,
- featureset.SaveCAToSecret,
- featureset.Ed25519FeatureSet,
- featureset.IssueCAFeature,
- featureset.LiteralSubjectFeature,
- )
+ kubeConfig := rest.CopyConfig(kubeClients.Rest)
+ kubeConfig.Impersonate.UserName = "system:serviceaccount:my-namespace:simple-issuer-controller-manager"
+ kubeConfig.Impersonate.Groups = []string{"system:authenticated"}
 
- issuerBuilder := newIssuerBuilder("SimpleIssuer")
- (&certificates.Suite{
- KubeClientConfig: kubeClients.Rest,
- Name: "External Issuer",
- CreateIssuerFunc: issuerBuilder.create,
- DeleteIssuerFunc: issuerBuilder.delete,
- UnsupportedFeatures: unsupportedFeatures,
- }).Define()
-
- clusterIssuerBuilder := newIssuerBuilder("SimpleClusterIssuer")
- (&certificates.Suite{
- KubeClientConfig: kubeClients.Rest,
- Name: "External ClusterIssuer",
- CreateIssuerFunc: clusterIssuerBuilder.create,
- DeleteIssuerFunc: clusterIssuerBuilder.delete,
- UnsupportedFeatures: unsupportedFeatures,
+ (&rbac.Suite{
+ KubeClientConfig: kubeConfig,
  }).Define()
 })
+*/
diff --git a/make/e2e-setup.mk b/make/e2e-setup.mk
@@ -78,7 +78,8 @@ e2e-setup-cert-manager: | kind-cluster images $(NEEDS_HELM) $(NEEDS_KUBECTL)
  --namespace cert-manager \
  --repo https://charts.jetstack.io \
  --set installCRDs=true \
- --set featureGates=ServerSideApply=true \
+ --set featureGates="ServerSideApply=true\,LiteralCertificateSubject=true" \
+ --set webhook.featureGates="ServerSideApply=true\,LiteralCertificateSubject=true" \
  --set image.repository=$(quay.io/jetstack/cert-manager-controller.REPO) \
  --set image.tag=$(quay.io/jetstack/cert-manager-controller.TAG) \
  --set image.pullPolicy=Never \