✨ Ensure docker registry CA is trusted in e2e tests #377
@@ -20,6 +20,7 @@ spec: | |
matchLabels: | ||
control-plane: catalogd-controller-manager | ||
replicas: 1 | ||
minReadySeconds: 5 | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Added this, because of frequent timing issues with webhooks coming online:
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. That does seem like a similar problem... |
||
template: | ||
metadata: | ||
annotations: | ||
|
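Review bot: The added `minReadySeconds: 5` carries no comment explaining why it is needed, so nothing in the manifest stops a later cleanup from dropping it as an unexplained tunable. A one-line YAML comment above it, e.g. `# keep the rollout from being reported available before the webhook is reachable (see #377)`, records the intent next to the value. Whether five seconds is sufficient is not something the manifest alone shows, so the comment should state the intent rather than the number.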
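--- /dev/null
+++ b/PATH-NOT-SHOWN-1
@@ -0,0 +1,57 @@
+package httputil
+
+import (
+	"crypto/x509"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/go-logr/logr"
+)
+
+// Should share code from operator-controller.
+// see: https://issues.redhat.com/browse/OPRUN-3535
+func NewCertPool(caDir string, log logr.Logger) (*x509.CertPool, error) {
+	caCertPool, err := x509.SystemCertPool()
+	if err != nil {
+		return nil, err
+	}
+	if caDir == "" {
+		return caCertPool, nil
+	}
+
+	dirEntries, err := os.ReadDir(caDir)
+	if err != nil {
+		return nil, err
+	}
+	count := 0
+
+	for _, e := range dirEntries {
+		file := filepath.Join(caDir, e.Name())
+		// These might be symlinks pointing to directories, so use Stat() to resolve
+		fi, err := os.Stat(file)
+		if err != nil {
+			return nil, err
+		}
+		if fi.IsDir() {
+			log.Info("skip directory", "name", e.Name())
+			continue
+		}
+		log.Info("load certificate", "name", e.Name())
+		data, err := os.ReadFile(file)
+		if err != nil {
+			return nil, fmt.Errorf("error reading cert file %q: %w", file, err)
+		}
+
+		if ok := caCertPool.AppendCertsFromPEM(data); ok {
+			count++
+		}
+	}
+
+	// Found no certs!
+	if count == 0 {
+		return nil, fmt.Errorf("no certificates found in %q", caDir)
+	}
+
+	return caCertPool, nil
+}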
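Review bot: A file that AppendCertsFromPEM cannot parse is dropped without any trace, because the `if ok := caCertPool.AppendCertsFromPEM(data); ok { count++ }` branch only records successes; a truncated or non-PEM file in caDir is therefore noticed only when every file fails and the `no certificates found` error fires. Logging the miss keeps a partially broken CA directory diagnosable, e.g. `if !caCertPool.AppendCertsFromPEM(data) { log.Info("no certificates parsed from file", "name", e.Name()); continue }` followed by `count++`. The comment above the signature is a TODO rather than a doc comment; a line such as `// NewCertPool returns the system cert pool extended with every certificate read from the regular files directly under caDir; an empty caDir returns the system pool unchanged.` would state the contract the code actually implements.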
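--- /dev/null
+++ b/PATH-NOT-SHOWN-2
@@ -0,0 +1,73 @@
+package httputil
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/go-logr/logr/testr"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewCertPool(t *testing.T) {
+	t.Parallel()
+
+	// set up our CA certificate
+	ca := &x509.Certificate{
+		SerialNumber: big.NewInt(2019),
+		Subject: pkix.Name{
+			Organization: []string{"Company, INC."},
+			Country: []string{"US"},
+			Province: []string{""},
+			Locality: []string{"San Francisco"},
+			StreetAddress: []string{"Golden Gate Bridge"},
+			PostalCode: []string{"94016"},
+		},
+		NotBefore: time.Now(),
+		NotAfter: time.Now().AddDate(10, 0, 0),
+		IsCA: true,
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		BasicConstraintsValid: true,
+	}
+
+	// create our private and public key
+	caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	require.NoError(t, err)
+
+	// create the CA
+	caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey)
+	require.NoError(t, err)
+
+	// pem encode
+	err = os.MkdirAll("testdata/newCertPool/subfolder", 0700)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		require.NoError(t, os.RemoveAll("testdata/newCertPool"))
+	})
+
+	caPEM, err := os.Create("testdata/newCertPool/my.pem")
+	require.NoError(t, err)
+	err = pem.Encode(caPEM, &pem.Block{
+		Type: "CERTIFICATE",
+		Bytes: caBytes,
+	})
+	require.NoError(t, err)
+
+	_, err = NewCertPool("testdata/newCertPool", testr.New(t))
+	require.NoError(t, err)
+}
+
+func Test_newCertPool_empty(t *testing.T) {
+	err := os.MkdirAll("testdata/newCertPoolEmpty", 0700)
+	require.NoError(t, err)
+
+	_, err = NewCertPool("testdata/newCertPoolEmpty", testr.New(t))
+	require.EqualError(t, err, `no certificates found in "testdata/newCertPoolEmpty"`)
+}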
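Review bot: Test_newCertPool_empty creates `testdata/newCertPoolEmpty` with os.MkdirAll but, unlike TestNewCertPool, registers no t.Cleanup, so the directory is left behind in the package tree after every run. Both tests would be simpler with `t.TempDir()`, which is created per test and removed automatically and also drops the fixed relative path that the parallel test writes into; for the empty case that is `dir := t.TempDir()` / `_, err := NewCertPool(dir, testr.New(t))` / `require.ErrorContains(t, err, "no certificates found in")`, which no longer pins the quoted path but keeps the failure mode. In TestNewCertPool the `caPEM` file handle from os.Create is never closed; a `defer caPEM.Close()` or `require.NoError(t, caPEM.Close())` after pem.Encode would also make sure the bytes are flushed before NewCertPool reads them. The `Test_newCertPool_empty` name departs from the `TestNewCertPool` convention used beside it; `TestNewCertPool_empty` keeps the exported name and the subtest-style suffix.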
@@ -4,14 +4,6 @@ metadata: | |
name: catalogd-e2e | ||
--- | ||
apiVersion: cert-manager.io/v1 | ||
kind: Issuer | ||
metadata: | ||
name: selfsigned-issuer | ||
namespace: catalogd-e2e | ||
spec: | ||
selfSigned: {} | ||
--- | ||
apiVersion: cert-manager.io/v1 | ||
kind: Certificate | ||
metadata: | ||
name: catalogd-e2e-registry | ||
|
@@ -25,8 +17,8 @@ spec: | |
algorithm: ECDSA | ||
size: 256 | ||
issuerRef: | ||
name: selfsigned-issuer | ||
kind: Issuer | ||
name: olmv1-ca | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 👍 |
||
kind: ClusterIssuer | ||
group: cert-manager.io | ||
--- | ||
apiVersion: apps/v1 | ||
|
nit: reordering the targets just seems like churn?
The image-registry now depends on the OLM-ca Issuer being created before.
Otherwise the image-registry cert can't be created, which means the secret is missing, which means the image-registry Deployment never becomes ready and the installation times out while waiting:
see:
ah, maybe we could use a comment about these target ordering needs then?
added.