Switch back to an exec-based approach to grab the controller-manager CA. (#65)

This switches us back to an approach where we use the Pod "exec" API to grab the keys we need, rather than forcing our code to run on the control plane node. It will help us fail gracefully (or dynamically switch to alternate implementations) when the cluster is not self-hosted.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
Co-authored-by: Ryan Richard <richardry@vmware.com>
Matt Moyer
2020-08-19 13:21:07 -05:00
committed by GitHub
parent 40d1360b74
commit 1b9a70d089
20 changed files with 842 additions and 106 deletions


@@ -7,9 +7,6 @@ package apicerts
import (
"context"
"crypto/tls"
"crypto/x509"
"encoding/pem"
"errors"
"testing"
"time"
@@ -222,29 +219,10 @@ func TestManagerControllerSync(t *testing.T) {
r.NotEmpty(actualCertChain)
// Validate the created cert using the CA, and also validate the cert's hostname
roots := x509.NewCertPool()
ok := roots.AppendCertsFromPEM([]byte(actualCACert))
r.True(ok)
block, _ := pem.Decode([]byte(actualCertChain))
r.NotNil(block)
parsedCert, err := x509.ParseCertificate(block.Bytes)
r.NoError(err)
serviceEndpoint := "placeholder-name-api." + installedInNamespace + ".svc"
opts := x509.VerifyOptions{
DNSName: serviceEndpoint,
Roots: roots,
}
_, err = parsedCert.Verify(opts)
r.NoError(err)
r.Contains(parsedCert.DNSNames, serviceEndpoint, "expected an explicit DNS SAN, not just Common Name")
// Check the created cert's validity bounds
r.WithinDuration(time.Now(), parsedCert.NotBefore, time.Minute*2)
r.WithinDuration(time.Now().Add(24*365*time.Hour), parsedCert.NotAfter, time.Minute*2)
// Check that the private key and cert chain match
_, err = tls.X509KeyPair([]byte(actualCertChain), []byte(actualPrivateKey))
r.NoError(err)
validCert := testutil.ValidateCertificate(t, actualCACert, actualCertChain)
validCert.RequireDNSName("placeholder-name-api." + installedInNamespace + ".svc")
validCert.RequireLifetime(time.Now(), time.Now().Add(24*365*time.Hour), 2*time.Minute)
validCert.RequireMatchesPrivateKey(actualPrivateKey)
// Make sure we updated the APIService caBundle and left it otherwise unchanged
r.Len(aggregatorAPIClient.Actions(), 2)