Fix #1582 by not double-decoding the ca.crt field in external TLS secrets for the impersonation proxy

2026-01-05 21:15:26 +00:00 · 2023-08-08 20:17:21 -05:00
parent f24f82b25b
commit 1707995378
4 changed files with 101 additions and 46 deletions
--- a/test/integration/concierge_impersonation_proxy_test.go
+++ b/test/integration/concierge_impersonation_proxy_test.go
@@ -1793,6 +1793,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 			"external-tls-cert-secret-name",
 			corev1.SecretTypeTLS,
 			map[string]string{
+				"ca.crt":            string(externallyProvidedTLSServingCertPEM),
 				v1.TLSCertKey:       string(externallyProvidedTLSServingCertPEM),
 				v1.TLSPrivateKeyKey: string(externallyProvidedTLSServingKeyPEM),
 			})
@@ -1847,6 +1848,76 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl
 		}, 2*time.Minute, 500*time.Millisecond)
 	})

+	t.Run("using externally provided TLS serving cert with byte arrays", func(t *testing.T) {
+		var externallyProvidedCA *certauthority.CA
+		externallyProvidedCA, err = certauthority.New("Impersonation Proxy Integration Test CA", 1*time.Hour)
+		require.NoError(t, err)
+
+		var externallyProvidedTLSServingCertPEM, externallyProvidedTLSServingKeyPEM []byte
+		externallyProvidedTLSServingCertPEM, externallyProvidedTLSServingKeyPEM, err = externallyProvidedCA.IssueServerCertPEM([]string{proxyServiceEndpoint}, nil, 1*time.Hour)
+		require.NoError(t, err)
+
+		externallyProvidedTLSServingCertSecret := testlib.CreateTestSecretBytes(
+			t,
+			env.ConciergeNamespace,
+			"external-tls-cert-secret-name-integration-tests",
+			corev1.SecretTypeTLS,
+			map[string][]byte{
+				"ca.crt":            externallyProvidedCA.Bundle(),
+				v1.TLSCertKey:       externallyProvidedTLSServingCertPEM,
+				v1.TLSPrivateKeyKey: externallyProvidedTLSServingKeyPEM,
+			})
+
+		_, originalInternallyGeneratedCAPEM := performImpersonatorDiscoveryURL(ctx, t, env, adminConciergeClient)
+
+		t.Cleanup(func() {
+			// Remove the TLS block from the CredentialIssuer, which should revert the ImpersonationProxy to using an
+			// internally generated TLS serving cert derived from the original CA.
+			updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{
+				ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{
+					Mode:             conciergev1alpha.ImpersonationProxyModeEnabled,
+					ExternalEndpoint: proxyServiceEndpoint,
+					Service: conciergev1alpha.ImpersonationProxyServiceSpec{
+						Type: conciergev1alpha.ImpersonationProxyServiceTypeClusterIP,
+					},
+				},
+			})
+
+			// Wait for the CredentialIssuer's impersonation proxy frontend strategy to be updated to the original CA bundle
+			testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
+				_, impersonationProxyCACertPEM = performImpersonatorDiscoveryURL(ctx, t, env, adminConciergeClient)
+
+				return bytes.Equal(impersonationProxyCACertPEM, originalInternallyGeneratedCAPEM), nil
+			}, 2*time.Minute, 500*time.Millisecond)
+		})
+
+		updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{
+			ImpersonationProxy: &conciergev1alpha.ImpersonationProxySpec{
+				Mode:             conciergev1alpha.ImpersonationProxyModeEnabled,
+				ExternalEndpoint: proxyServiceEndpoint,
+				Service: conciergev1alpha.ImpersonationProxyServiceSpec{
+					Type: conciergev1alpha.ImpersonationProxyServiceTypeClusterIP,
+				},
+				TLS: &conciergev1alpha.ImpersonationProxyTLSSpec{
+					CertificateAuthorityData: base64.StdEncoding.EncodeToString(externallyProvidedCA.Bundle()),
+					SecretName:               externallyProvidedTLSServingCertSecret.Name,
+				},
+			},
+		})
+
+		// Wait for the CredentialIssuer's impersonation proxy frontend strategy to be updated with the right CA bundle
+		testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
+			_, impersonationProxyCACertPEM = performImpersonatorDiscoveryURL(ctx, t, env, adminConciergeClient)
+			return bytes.Equal(impersonationProxyCACertPEM, externallyProvidedCA.Bundle()), nil
+		}, 2*time.Minute, 500*time.Millisecond)
+
+		// Do a login via performImpersonatorDiscovery
+		testlib.RequireEventuallyWithoutError(t, func() (bool, error) {
+			_, newImpersonationProxyCACertPEM := performImpersonatorDiscovery(ctx, t, env, adminClient, adminConciergeClient, refreshCredential)
+			return bytes.Equal(newImpersonationProxyCACertPEM, externallyProvidedCA.Bundle()), err
+		}, 2*time.Minute, 500*time.Millisecond)
+	})
+
 	t.Run("manually disabling the impersonation proxy feature", func(t *testing.T) {
 		// Update configuration to force the proxy to disabled mode
 		updateCredentialIssuer(ctx, t, env, adminConciergeClient, conciergev1alpha.CredentialIssuerSpec{
--- a/test/testlib/client.go
+++ b/test/testlib/client.go
@@ -364,6 +364,28 @@ func CreateTestSecret(t *testing.T, namespace string, baseName string, secretTyp
 	return created
 }

+func CreateTestSecretBytes(t *testing.T, namespace string, baseName string, secretType corev1.SecretType, data map[string][]byte) *corev1.Secret {
+	t.Helper()
+	client := NewKubernetesClientset(t)
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	defer cancel()
+
+	created, err := client.CoreV1().Secrets(namespace).Create(ctx, &corev1.Secret{
+		ObjectMeta: testObjectMeta(t, baseName),
+		Type:       secretType,
+		Data:       data,
+	}, metav1.CreateOptions{})
+	require.NoError(t, err)
+
+	t.Cleanup(func() {
+		t.Logf("cleaning up test Secret %s/%s", created.Namespace, created.Name)
+		err := client.CoreV1().Secrets(namespace).Delete(context.Background(), created.Name, metav1.DeleteOptions{})
+		require.NoError(t, err)
+	})
+	t.Logf("created test Secret %s", created.Name)
+	return created
+}
+
 func CreateClientCredsSecret(t *testing.T, clientID string, clientSecret string) *corev1.Secret {
 	t.Helper()
 	env := IntegrationEnv(t)